Towards Coverage Closure: Using GoldMine Assertions for Generating Design Validation Stimulus by Liu, Lingyi et al.
SEPTEMBER 2010 UILU-ENG-10-2206 
CRHC-10-03
TOWARDS COVERAGE CLOSURE: 
USING GOLDMINE ASSERTIONS FOR 
GENERATING DESIGN VALIDATION 
STIMULUS
Lingyi Liu, David Sheridan, William Tuohy, 
Shobha Vasudevan
Coordinated Science Laboratory
1308 West Main Street, Urbana, IL 61801
University o f Illinois at Urbana-Champaign
REPORT DOCUMENTATION PAGE
Fo rm  A ppro ved  
O M B  N O . 0 7 0 4 -0 1 8 8
Public reporting burden for this collection o f in form ation is estim ated to  average 1 hour per response, including the tim e fo r review ing instructions s e a r c h in g ^ ^  
oatherinqand  m aintaining the data needed, and com pleting and review ing the co llection o f information. Send com m ent regarding th is burden estim ate o r any o ther aspect o f this 
collection o f information, including suggestions fo r redudng  this burden, to  W ashington Headquarters Services. D n c M  f ° r
n a v is  H in h w a v  Suite 1204. Arlinaton. V A  2 2 2 0 2 -4 3 0 2 , and to the O ffice o f Managem ent and Budget, Paperwork Reduction P roject (0 7 0 4 -0 1 8 8 ), W ashington, DO  2 00 03 .-----------------------------------------------------
1. AGENCY USE ONLY (Leave blank) 2. REPORT DATE 3. REPORT TYPE AND DATES COVERED
Septem ber, 2010
4. TITLE AND SUBTITLE
T ow ards C overage C losure: U sing  G oldM ine A ssertions fo r G enera ting  D esign 
V alidation  S tim ulus
5. FUNDING NUMBERS
6. AUTHOR(S)
L ingy i Liu, D av id  Sheridan, W illiam  T uohy, S hobha V asudevan
7. PERFORMING ORGANIZATION NAME(S) AND ADDRESS(e5 )“
C oord inated  Science L aborato ry  
U niversity  o f  Illinois 
1308 W. M ain  St.
U rbana, IL 61801
8. PERFORMING ORGANIZATION 
REPORT NUMBER
U IL U -E N G -10-2206 
(C R H C -10-03)
9. SPONSORING/MONITORING AGENCY NAME(S) AND ADDRESS(ES) 10. SPONSORING/MONITORING AGENCY REPORT NUMBER
11. SUPPLEMENTARY NOTES
12a. DISTRIBUTION/AVAILABILITY STATEMENT
A pproved  for public  release ; d istribu tion  un lim ited .
12b. DISTRIBUTION CODE
13. ABSTRACT (Maximum 200 words)
W e present a m ethodology  to  generate  inpu t stim ulus for design  validation  using  G oldM ine, an  au tom atic  assertion  generation  engine 
th a t uses data m in ing  and form al verification . G oldM ine m ines the sim ulation  traces o f  a behav io ra l R eg iste r T ransfer L evel (R T L ) 
des ign  using a decision  tree  based  learn ing  algo rithm  to  p roduce candidate assertions. T hese cand idate  assertions are passed to  a 
fo rm al verification  engine. I f  a  candidate  assertion  is false, a counterexam ple trace is generated . In  th is w ork , w e feed  these 
counterexam ple traces to  iterative ly  refine the  o rig inal sim ulation  trace data. W e in troduce an  increm en ta l decision  tree to  m ine the 
new  traces in each  iteration. T he algo rithm  converges w hen  all the candidate assertions are true. W e p rove tha t our algorithm  w ill 
alw ays converge and capture the  com plete  functionality  o f  an  ou tpu t on  convergence. W e show  th a t our m ethod  alw ays resu lts  in a 
m onoton ic increase in sim ulation  coverage. W e also  p resen t an  ou tpu tcen tric no tion  o f  coverage, and  argue tha t w e can attain  
coverage closure w ith  respect to  th is n o tion  o f  coverage. E xperim enta l resu ltsto  validate  ou r argum ents are p resen ted  on R igel, a 
1000+  core p rocesso r design as w ell as severa l o ther benchm arks.
14. SUBJECT TERMS
D ata  m ining, verification , te s t generation , C overage
15. NUMBER OF PAGES
16. PRICE CODE
17. SECURITY CLASSIFICATION 
OF REPORT
U N C L A SSIFIE D
18. SECURITY CLASSIFICATION 19. SECURITY CLASSIFICATION 20. LIMITATION OF ABSTRACT 
OF THIS PAGE OF ABSTRACT
U N C L A S S IF IE D  U N C L A SS IF IE D  UL
NSN 7540-01-280-5500 Standard Form 298 (Rev. 2-89)Prescribed by ANSI Std. 239-18 
298-102
Towards Coverage Closure: Using GoldMine Assertions 
for Generating Design Validation Stimulus
Lingyi Liu, David Sheridan, William Tuohy, Shobha Vasudevan
Coordinated Science Laboratory,
University of Illinois at Urbana-Champaign 
Urbana, IL 61801
{Iiu187, dsherid3, tuohy2, shobhav}@illinois.edu
ABSTRACT
We present a methodology to generate input stimulus for design 
validation using GoldMine, an automatic assertion generation en­
gine that uses data mining and formal verification. GoldMine mines 
the simulation traces of a behavioral Register Transfer Level (RTL) 
design using a decision tree based learning algorithm to produce 
candidate assertions. These candidate assertions are passed to a 
formal verification engine. If a candidate assertion is false, a coun­
terexample trace is generated. In this work, we feed these coun­
terexample traces to iteratively refine the original simulation trace 
data. We introduce an incremental decision tree to mine the new 
traces in each iteration. The algorithm converges when all the can­
didate assertions are true. We prove that our algorithm will always 
converge and capture the complete functionality of an output on 
convergence. We show that our method always results in a mono­
tonic increase in simulation coverage. We also present an output­
centric notion of coverage, and argue that we can attain coverage 
closure with respect to this notion of coverage. Experimental re­
sults to validate our arguments are presented on Rigel, a 1000+ 
core processor design as well as several other benchmarks.
1. INTRODUCTION
Design verification is a primary source of bottlenecks in the sys­
tem design cycle. Although directed tests capture much of the de­
sired system behavior, they don’t suffice in checking for uninten­
tional erroneous behavior. A phase of random input vector gen­
eration is employed with an intention to capture infrequent or un­
expected design behavior. Due to the practical infeasibility of ex­
haustive simulation, the termination point of random simulation is 
very nebulous. Contemporary industries often use a numeric value 
like a few million simulation cycles before concluding the random 
simulation phase. Evidently, such a methodology is unsystematic 
and inconclusive. Despite multiple coverage metrics, there is no 
assurance that there are no gaping holes in the design behavior. 
Coverage closure, or the process of determining the completeness 
of functional coverage of input vectors is then, one of the most 
daunting challenges of the present day validation environment.
We propose a methodology for attaining coverage closure of de­
sign validation. The methodology is based on GoldMine, an auto­
matic assertion generation tool that was introduced in [16]. Gold- 
Mine uses data mining and formal verification to generate asser­
tions. A Register Transfer Level (RTL) design is simulated and the 
simulation traces are passed as data to GoldMine. GoldMine uses 
decision tree based supervised learning algorithms to mine rules 
from the simulated test data. A decision tree is used to statistically 
infer rules from the data, such that the leaves of the decision tree 
correspond to candidate assertions for a given output. These candi­
date assertions are true of the simulated design inputs, but may not
be true over all possible inputs. In order to determine if a candi­
date assertion is true for all inputs or not, the candidate assertions 
is passed with the design to a formal verification engine. If the 
formal verification passes a candidate assertion, it is a system in­
variant. If not, it generates a counterexample. In [16], we showed 
generation of complex and useful propositional (combinational) as 
well as sequential (temporal) assertions.
In this work, we incorporate feedback from the counterexamples 
generated by GoldMine to refine the simulation data that was used 
to generate assertions. The test data refined by counterexamples is 
now used to run another pass of GoldMine. The counterexamples 
from assertions that fail formal verification are again fed back into 
the input test suite. This iterative refinement continues until a pass 
of GoldMine where all the assertions pass the formal check. The 
test suite that remains at that point, along with the passing asser­
tions, are the output of our method. We introduce a variation on 
the original decision tree data structure that is built incrementally 
with every iteration. An incremental decision tree per output adds 
information from a counterexample for every failed assertion on its 
leaf nodes.
Let us now look at how this counterexample guided automatic 
assertion/test generation process attains coverage closure. Firstly, 
in GoldMine, we stipulate that only 100 per cent confidence candi­
date assertions need to be considered for formal verification. Even 
a single contradicting example in the simulation data is enough to 
discard a candidate assertion. This ensures that a failing assertion 
that produced a counterexample is never reproduced by GoldMine 
in successive iterations. Since every counterexample provides a 
trace through the system and the addition of new variables, the cor­
responding input vector tests for as yet uncovered behavior. Every 
iteration, therefore, increases coverage of the test suite. This re­
sults in a monotonic decrease in the design space uncovered by 
the tests with successive iterations. In stark contrast to random or 
directed testing, where arbitrary long phases of coverage stagna­
tion can occur, our method always makes forward progress with 
respect to test coverage. Secondly, the limiting condition for this 
algorithm to converge is when there are no failing assertions. At 
this point, for every decision tree corresponding to a design out­
put, all the assertions in the leaf nodes are true. This provides a 
deterministic metric of progress for test development. Until all the 
assertions for a given output pass, the test suite can be improved 
upon. Thirdly, our method also provides an alternative notion of 
coverage- one that is output-directed. If all the leaves of a decision 
tree have true assertions, it implies that the (incremental) decision 
tree now captures the complete functionality of that output. The 
decision tree that was predicting design behavior by observing dy­
namic data, has completely captured the output logic function at 
the convergence point. The design functionality with respect to
that output is completely covered in our method for both combina­
tional and sequential designs. We provide a proof intuition for the 
correctness and convergence of our algorithm. Since the decision 
tree extracts information from dynamic, simulation data, it gener­
ates only the reachable state of an output. Unlike static analysis, it 
is not possible to reach illegal or unreachable states in our method. 
At the point of convergence, the input test patterns along with the 
GoldMine assertions represent the validation artifacts required for 
achieving coverage closure. We consider the validation task com­
plete when the entire functionality of all outputs in the design have 
been captured, i.e. all the assertions for the outputs are true.
Our contributions in this paper are as follows.
•  We present a counterexample guided iterative refinement ap­
proach to mine tests using GoldMine, an assertion generation 
tool.
• Our method provides a deterministic metric of progress in 
the test development process through incremental decision 
trees.
• Our method ensures a monotonic increase in the coverage 
of the test suite with every iteration. We do not plateau or 
stagnate with respect to test coverage.
• We prove that for a given output, the incremental decision 
tree will always converge. We also prove that the complete 
functionality of an output will be captured at the point of 
convergence.
• We also introduce an output-directed notion of coverage. The 
tests from our technique will always stimulate only the reach­
able states of the design.
An outline of the paper is as follows. In Section 2, we present the 
background information regarding the tool flow of GoldMine. In 
Section 3, we describe our counterexample guided iterative refine­
ment approach to mine tests. We detail the creation of incremental 
decision trees, the principal artifact in mining the tests. Since the 
treatment of combinational tests is different from sequential tests, 
we present these discussions separately. We outline a proof that 
shows the convergence and completeness of our algorithm in Sec­
tion 4. In Section 5, we argue for coverage closure and forward 
progress of coverage using our technique. Section 6 details an 
example that runs through the entire algorithm. In Section 7, we 
demonstrate experimental evidence of the merit of our approach, 
using RTL designs from Rigel, a 1000+ core processor, as well as 
standard ITC benchmarks.
2. INTRODUCTION TO GOLDMINE
We provide the background on GoldMine required to explain our 
counterexample guided input pattern generation algorithm. Gold- 
Mine combines two diverse technologies- data mining and static 
analysis, to generate assertions automatically. Data mining com­
prises dynamic, statistical techniques that are computationally effi­
cient, but depend heavily on domain information for deriving rele­
vant knowledge from a system. Static analysis of designs (includ­
ing formal verification) captures domain (design) information, but 
suffers from computational complexity issues. Together, these two 
technologies offset each other’s disadvantages. The static analysis 
when used to guide the data mining, gives rise to useful domain 
knowledge, i.e. assertions. 1 shows the architecture of GoldMine. 
It is composed of a Data generator, Static analyzer, A-Miner, For­
mal verifier and A-Val components.
Static Analysis
T emporal/Propositional 
Assertions
Design
Likely System
Data
Traces Assertion s------- ----------
Formal
Assertions
Generator Verification
Designer Feedback
Figure 1: GoldMine architecture
2.1 Data Generator
The data generator phase of GoldMine is used to provide the 
data for the data mining algorithm. For a given RTL design, the 
data is obtained through dynamic simulation traces. The design is 
simulated for a fixed number of cycles ( 10000) using random input 
patterns. Regression tests, if available can also be applied to obtain 
traces.
The sequential behavior of a design is usually expressed in the 
form of temporal assertions. GoldMine is capable of generating 
combinational as well as sequential assertions. We need to provide 
a mining window length, or the duration of time cycles for which 
we want to capture temporal behavior. For instance, if we want to 
consider the following behavior: once a is valid, d will be valid 
two cycles later, the mining window length can be set to 2. All 
generated assertions will span up to 2 cycles, including a ==> 
X X b , which is the assertion of interest. 1
2.2 Static analyzer
The static analyzer extracts domain-specific information about 
the design and passes it to the data mining algorithm. We extract 
the logic cone of influence for every output that we are interested 
in assertions for. The data mining phase (A-miner) is restricted to 
analyzing only the logic cone of any output. This limits the search 
space of the mining algorithm from all the inputs, to the relevant 
variables in the design.
2.3 Decision tree based learning and A-Miner
The data mining phase of GoldMine is called A-miner, for asser­
tion mining. A-Miner uses a decision tree based supervised learn­
ing algorithm to map the simulation trace data into conclusions or 
inferences about the design.
In the decision tree, the data space is locally divided into a se­
quence of recursive splits on the input variables. A decision tree 
is composed of internal nodes and terminal leaves. Each decision 
node implements a "splitting function" with discrete outcomes la­
beling the branches. This hierarchical decision process that divides 
input data space into local regions continues recursively until it 
reaches a leaf. We require only Boolean splits at every decision 
node, since our domain of interest is digital hardware. The exam­
ple in Figure 2 for an output 2 shows the simulation trace data for 
inputs a, b and c.
An error function picks the best splitting variable by computing 
the variance between target output values and the values predicted 
by decision variables. The predicted value on each node is the mean 
of output values, denoted by M  while the error at a node is denoted 
by E  in the example. When the error value become zero, it means 
all output values are identical to the predicted value and the deci­
sion tree exits after reaching such a leaf node. When the error value 
is not zero, the variable with minimum error value is chosen to form 
the next level of decision tree. A candidate assertion is a Boolean
'We use LTL [14] notation for expressing GoldMine assertions. 
We can produce SVA [1] as well as PSL assertions.
2
propositional logic statement computed by following the path from 
the root to the leaf of the tree. In the example, the splitting of input 
space into two groups after decision on variable a leads to E  = 0, 
corresponding to assertion A1. Along the a =  1 branch, another 
split occurs on b. Assertions A2 and A3 are obtained at the leaf 
nodes.
Design function
Figure 2: Decision Tree Building Process and Assertion Gener­
ation
2.4 Formal verifier and A-Val
The candidate assertions inferred by A-miner are based purely on 
statistical correlation metrics like mean and error. We restrict the 
candidate assertions we consider to those with 100% confidence. 
This means that even if a single example in the trace data does not 
subscribe to a rule generated by the tree, the rule will be discarded. 
Despite this strict restriction, A-miner may still infer candidate as­
sertions that are true of the simulation data, but are not true of all 
possible inputs. To identify candidate assertions that are system in­
variants, the design as well as the candidate assertions are passed to 
a formal verification engine. If a candidate assertion passes the for­
mal check, it is a system invariant. Otherwise, the formal verifier 
generates a counterexample trace that shows a violation of the can­
didate assertion. The SMV [12] model checking engine is a part of 
GoldMine, along with a commercial model checker. In the exam­
ple in Figure2, A1 is declared false, while A2 and A3 are declared 
true. In GoldMine, A-val forms the evaluation phase for the asser­
tions, to bridge the gap between the human and machine generated 
assertions.
GoldMine provides a radical, but powerful validation method. 
Through mining the simulation trace, it reports its findings in a hu­
man digestible form (assertion) early on and with minimal manual 
effort. However, in GoldMine, there is no concept of feedback from 
any phase to the data miner. Given that data mining performs very 
effectively when given feedback, in this work we have incorporated 
feedback from the formal verification phase for enhancing the sim­
ulation test data.
3. COUNTEREXAMPLE-BASED
INCREMENTAL DECISION TREES
The decision tree is a structure that captures the design model 
from the perspective of observable behavior. An assertion can be 
false due to two reasons- either some behavior has not been ob­
served by the decision tree due to insufficient data, or some in­
ference has been made erroneously due to selecting a correlated.
Static Analysis
Target RTL
Design Data Traces Decision Formal
G enera to r Tree Building Verification
Likely
T emporal/Propositional 
Assertions _
S im u la tion
C ounterexam ple
Incremental Decision Tree
Validation
Stimulus
Figure 3: Flow of counterexample-based incremental decision 
tree algorithm for generating validation stimulus in GoldMine
but not causal splitting variable. A counterexample trace exposes 
both these situations by introducing scenarios that involve at least 
one new variable. If this new scenario is now included in the in­
put pattern data observed by the decision tree, firstly it prevents the 
generation of the same spurious assertion. Secondly, it guides the 
decision tree to navigate regions of input space that have not been 
considered/observed so far. A beneficial side effect of this process 
is the increase in coverage of the input simulation data steadily with 
every iteration.
In order to disprove an assertion, the new data instance consists 
of all antecedent variables of the assertion and some new additional 
variables. The antecedent variables’ values are also identical to that 
in the false assertion and the implied variable’s value is different 
from that in the false assertion. This characteristic of a counterex­
ample enables a natural way to add it as new data instance to incre­
mentally build a decision tree instead of rebuilding a decision tree 
from scratch every iteration.
In order to keep track of the improvisation of the decision tree for 
a given output, we devised an incremental version of the decision 
tree. The iterative algorithm using GoldMine (depicted in Figure 3) 
incrementally builds a decision tree for an output until it reaches the 
goal of generating only true assertions (no counterexamples). The 
full set of correct assertions, plus the new test patterns created from 
counterexamples during iterations comprise the tangible outputs of 
the algorithm.
In the recursive incremental decision tree algorithm described in 
Figure 4, the parts different from GoldMine (lines 4, 7, 8) are out­
lined. Figure 5 shows the a regular decision tree and an incremental 
version of it.
A decision tree corresponds to a design output. The formal ver­
ification in line 4 is employed to check the correctness of assertion 
whenever a leaf node is reached during the incremental building of 
decision tree. If a candidate assertion is true on design, the algo­
rithm returns as in the regular decision tree. In the example, asser­
tions A1 and A2 generated from original simulation traces are true 
on the design. If the checked assertion is false/spurious, a coun­
terexample is reported by formal verification. A counterexample: 
a =  0, 6 = l , c  =  0 andz = 1 is generated to contradict the 
assertion AO on the decision tree on the left.
The Ctx_simulation() function simulates the input pattern cre­
ated by the counterexample. This lends concrete values to all the 
splitting variables in previous iterations of the decision tree in the 
new simulation run.
Since the counterexample follows the same path as the failed as­
sertion, the decision tree continues splitting when it reaches the leaf 
node corresponding to that false assertion. All other paths of the de­
cision tree are kept unchanged. Due to the new data instance, the 
mean and error values for each node need to be recomputed using 
the Recompute_error() function. The error value of the leaf node
3
New Data Trace
1. lncr_Decision_Tree_Building(TreeNode Node)
2. begin
3. if(Error(Node)==0) begin
4. | if(Formal_verfn(Node.assertion)==true) j
5. return;
6. else begin
7. |Ctx_simulation();
8. ;Recompute_error(Node);
9. end '
10. end
11. Node.left=New_node();
12. Node.right=New_node();
13. Select_splitting_variable();
14. lncr_Decision_Tree_Building(Node.left);
15. lncr_Decision_Tree_Building(Node.right);
16. end
z
Figure 4: Incremental Decision TVee Building Algorithm. The 
dotted lines represent parts that are different from GoldMine’s 
decision tree building approach.
will no longer be equal to zero. In the example, the incremental de­
cision tree continues to split on the leaf node corresponding to false 
assertion AO in the regular decision tree. It can also be observed 
that the mean and error value are recomputed in this iteration on 
the path from the root to the leaf. The algorithm exits when all the 
assertions at the leaf nodes of an incremental tree are true.
3.1 Stimulus Generation for Sequential 
Behavior
During the building of a decision tree, the design should be un­
rolled until the mining window length, as defined in Section 2.1. 
The simulation trace used for assertion mining may have internal 
register state visible. It may be desirable to have assertions form 
a single-cycle flat picture of the design, where assertions on the 
outputs are functions of internal state values and primary inputs. 
Assertions can also be formed for the internal state variables them­
selves, as functions of other state registers and inputs. Such a view 
of the design gives a “next cycle” model, where the assertions de­
scribe internal registers and primary outputs in a similar manner. 
On the other hand, it may be desirable to have temporal assertions 
on the design that capture only input-output behavior over some 
number of cycles.
We can generate assertions of both types with this algorithm, 
based on the mining window length and visible state provided. Al­
though the assertion span sequential behavior over a given length, 
the generated counterexample may be longer than the mining win­
dow length. This may be to expose sequential behavior where an 
intermediate state variable can be driven to a specific value over 
several cycles starting from the primary input. In this case, the in­
cremental decision tree algorithm considers only the variables until 
the farthest back temporal stage, i.e. unrolled until the mining win­
dow length. The concrete values of these variables can be acquired 
through simulation of the counterexample by the data generator. 
The result is a temporal assertion that spans the mining window 
length, bolstered by single-cycle assertions using internal state reg­
isters to describe the behavior. We discuss an example of sequential 
logic coverage in Section 6.
Figure 5: Difference between a regular decision tree and an 
incremental decision tree for an output z and Boolean inputs a, 
b and c. The counterexample trace is included in the bottom 
row of the trace data.
3.2 Final Decision Tree and Unreachable 
States
Our counterexample based incremental decision tree building al­
gorithm is a process of approximation and refinement of an output 
function. If the complete functionality of an output was available to 
the decision tree in the form of simulation data, it would completely 
represent the output function. Such a truth table (or state transition 
relation for sequential designs) would result in a complete decision 
tree. However, such an exhaustive enumeration of input patterns is 
not feasible to obtain as test data. Therefore, the decision tree tries 
to approximately predict the logic function of an output with avail­
able data. Faulty predictions are exposed and used for corrective 
purposes through counterexamples. This makes future predictions 
more accurate. At the point where all the predictions are accurate is 
where all the assertions of the decision tree are true. At this point of 
convergence, this final decision tree represents the complete func­
tionality of an output in the design. The input patterns required 
to generate such a final decision tree are sufficient for completely 
covering the functionality of that output.
It is important to note that final decision trees include only the le­
gal, reachable states of the design. This is a subset of the state space 
that is obtained by statically enumerating input combinational or 
sequential patterns. Static traversal of states does not account for 
illegal inputs or dynamically unreachable state. However, since the 
decision trees are constructed out of dynamic simulation data, it 
only observes the behavior that is executable, thereby eliminating 
unreachable states. For sequential logic, the algorithm captures the 
behavior in the assertions for a given length. The constraints on 
register variables from previous cycles are also captured by the de­
cision tree. Although the assertions are captured for only a bounded 
number of cycles, the formal verification ensures that the temporal 
assertions will exclude unreachable or illegal states in the design. 
This means that the input test patterns that generate a final decision 
tree comprise exactly the necessary stimulus to capture the output 
logic. There are no superfluous patterns that reach illegal state in 
our methodology.
When all the assertions generated from the decision tree are true, 
either all expressions for an output are completely covered or the
4
uncovered logic in the design will be redundant logic.
4. ALGORITHM COMPLETENESS AND 
CONVERGENCE ANALYSIS
In this section, we prove that our counterexample based test gen­
eration algorithm converges and at the point of convergence for any 
output, the corresponding decision tree for that output represents 
the complete functionality of that output.
We present some definitions that are required for proving the 
mentioned claims. Let us consider an RTL design whose state tran­
sition graph (Kripke structure [12]) model is depicted by M. We 
will use M  synonymously for the design as well its model. Let 
there be N  inputs in M. An input pattern is a unique assignment 
of values to inputs of M . Input patterns can be combinational (sin­
gle cycle) or sequential (across multiple cycles). An input pattern 
set is a set of all such input patterns in use for a design validation 
effort.
The input pattern set for M  forms the data for the decision tree 
algorithm. We define decision trees as used in our context.
DEFINITION 1. A decision tree Dzfor an output z is a binary 
tree where each node corresponds to a unique splitting variable 
that is statistically correlated to z. A path for a decision tree is a 
sequence of nodes from the root node to a leaf node.
In general, decision trees need not be binary trees, but since our 
variables are in the Boolean domain, there are only two possible 
values of each (one-bit) variable. A decision tree is a data structure 
used in predictive modeling to map observations about a variable 
of interest to inferences about the variable’s target value. In our 
case, every output of M  is a variable of interest. Every output 
has a corresponding decision tree that makes inferences about the 
output’s target value (true and false). These inferences are made 
at the leaves of the decision tree, where the branches leading from 
the root to the leaf represent conjunctions of splitting (correlated) 
variables. These inferences are also considered likely or candidate 
assertions for the concerned output.
DEFINITION 2. A candidate assertion A c  of D z is a Boolean 
conjunction of propositions (variable, value pairs) along a path 
in Dz.
In the next phase of GoldMine, model checking [12]2 is used to 
compute the truth or falsehood of a candidate assertion. In case a 
candidate assertion is false, a counterexample or simulation trace 
through the design is generated, that exemplifies the violation of 
the assertion.
DEFINITION 3. A true assertion A t  is a candidate assertion 
such that M  \= A t .
D e f in it io n  4. The support of a Boolean conjunction y, which 
is denoted as support(y), is the set of variables in y.
DEFINITION 5. I f M  Ac, the conjunction of variable value
pairs in the counterexample is represented b y \ a c such that
support(xAc ) T> support(Ac).
Since the counterexample represents a valid simulation trace through 
the design that is not yet a part of the current input pattern set, it 
is added to the input pattern set. An incremental version of the
2We categorize the formal verification algorithms in SMV and Ca­
dence IFV under the umbrella of model checking for this discus­
sion.
decision tree is used in order to keep track of the coverage. The 
incremental decision tree maintains the ordering of variables as the 
decision tree from a previous iteration for all the variables until the 
leaf nodes. If the counterexample in the current iteration coincides 
with a path in the incremental decision tree, the variable(s) added 
by the counterexample will now be used as the splitting variable(s) 
at the leaf nodes of the incremental decision tree.
DEFINITION 6. An incremental decision tree I z for an output 
z and a previous decision tree D z, is a decision tree such that the 
variable ordering of all variables in D z is preserved until a leaf 
node. Every variable v in support (x a c ) —support (A c) becomes 
a splitting variable at the leaf node o f I z along the path o f A c.
DEFINITION 7. The final decision tree F z is an incremental de­
cision tree such that for all assertions A c  of F z, M\=Ac-
D e f in it io n  8. The logic cone of an output z in M  is the set of 
variables that affect z.
The logic cone is deciphered by computing the transitive closure of 
all variables pertaining to an output. In GoldMine, we do a logic 
cone analysis for every output. The decision tree for an output is 
therefore restricted to the variables in its logic cone, or the relevant 
variables with respect to that output.
THEOREM 1. It takes finite iterations to reach F z for any given 
I 2.
Proof: Let us run the incremental algorithm for k iterations, then 
the minimum number of new nodes added to I z is 2k. The mini­
mum total number of nodes in I z after k iterations is 2k A- 1. Let 
n C JVbe the number of variables in the logic cone of 2 . The 
maximum size for D z by construction and by definition of binary 
trees is 2n+1-l. Therefore, 2k +  1^2n+1-l. This bounds the size 
of the incremental decision tree.
It may be noted that since we are restricting the decision tree for 
an output to focus only on the relevant variables, the maximum size 
of the decision tree is not exponential in the size of the entire set of 
inputs N , but in n. In practice, we observe that n «  N .
THEOREM 2. The final decision tree F z corresponds to the en­
tire functionality o f z.
Proof: Assuming a final decision tree F z does not correspond to 
the entire functionality of z, then there is at least one input pattern 
to reach a state of 2 that does not correspond to a path in F z , so at 
least one Ac of F z should be such that M\=fiAc- But this is false 
by definition of F z. Therefore, the assumption is contradicted.
The above theorem makes a powerful statement about the cover­
age of our method. When all the assertions are true, the complete 
functionality of an output is captured.
In practice, the learning-based data mining algorithm is able to 
generate compact assertions, each of which represents several satis- 
fiable input patterns for the corresponding output. The incremental 
decision tree algorithm can converge quickly to cover all the logic 
function of corresponding output.
5. COVERAGE ANALYSIS
In the simplest terms, what we want from a coverage effort is 
expose the entire legal, reachable design behavioral space to ex­
amination so that this space can be validated against a statement 
of desired behavior. We posit that our algorithm using GoldMine
5
and iterative refinement of the decision tree achieves exactly that 
property: when the final decision tree for an output has been con­
structed, the entire reachable design space for that output is cap­
tured by the tree. The combination of input patterns and assertions 
generated by the tree are artifacts that represent the complete func­
tionality of that output. Our notion of coverage, then is output- 
space directed, as opposed to traditional input space directed no­
tions of coverage. With respect to this notion of coverage, we can 
achic\e functional coverage closure with respect to every output in 
the design.
Our test generation strategy automatically computes and explores 
only the reachable state space since it is dynamically derived from 
simulation data. This is distinct from traditional functional cover­
age notions that are input-space directed, like expression coverage 
or conditional coverage. These are not constrained by reachable 
state space or legal states. So, frequently, we can achieve complete 
coverage in our methodology, but not complete expression cover­
age.
GoldMine’s counterexample based approach for test generation 
ensures a monotonic decrease of the uncovered design space with 
each iterative refinement. In each iteration, the generated coun­
terexample is able to cover a new design function which has not 
been covered before by previous patterns. The newly activated 
function can be in the form of conditional expression, branch or 
assignment statements in the RTL design. Moreover, the existence 
of a final decision tree as a goal provides a deterministic metric 
of progress through the refinement process. This is a significant 
improvement over random testing, whose coverage graph can be 
arbitrarily shaped, often resulting in plateaus where no progress is 
being made. In fact, due to the frequent lack of feedback in the ran­
dom test generation process, it is difficult to acquire a satisfactory 
functional coverage picture in this process.
Figure 6: Figure showing the coverage of input patterns in the 
functional design space for an output.
A pictorial example of this process is shown in Figure 6. The 
state space for a single output can be visualized as a discrete 2D 
plot, where the functional points covered by the starting input test 
patterns are marked. Each GoldMine assertion generated includes 
a set of variable-value pairs according to their statistical support in
the patterns.
Every assertion is therefore shown to span a group of points in 
the output state space by rectangular boxes. This grouping by as­
sertions into “regions” in the output space is similar to a Karnaugh 
map notation, but this includes sequential behavior as well. For the 
assertions that are true, the design region has been covered by the 
input test patterns in that iteration. For the ones that are false, there 
is always at least one additional design point that was uncovered by 
the input test pattern. This design point is exposed by a violation of 
the assertion. Each counterexample (Ctx) acts a bridge between an 
uncovered design point in (a) and a covered design point as in (b). 
However, the covered design point in (b) forms a part of the region 
covered by an assertion, that generates a counterexample again. All 
previously true assertions do not perturb the coverage process and 
are retained in every phase. As a side effect, the original, general 
assertion is divided into multiple, more precise and subtle asser­
tions.
We notice here that the GoldMine test generation strategy goes 
from uncovered regions in one iteration to covered regions in an­
other, until it converges at all assertions passing as in (c). This is 
distinct from a traditional validation flow, where all the known re­
gions are covered first, and an advancement is attempted toward 
uncovered regions.
6. EXAMPLE: TWO PORT ARBITER
In this section, we will demonstrate GoldMine’s incremental coun­
terexample refinement using a 2 port arbiter. This arbiter uses 
round robin logic with priority on port 0. In our example, we will 
unroll the circuit 1 cycle in GoldMine to capture some temporal 
properties of the of the port 0 access signal, gntO. The simula­
tion data below represents a directed test that a validation engi­
neer might write. We will show how the A-Miner makes inferences 
about the design and is aided by the counterexample refinement to 
improve assertion and directed test quality.
a lw a ys  @  (p o sed ge  e lk) 
if (rs t) beg in  
gntO <=  0; 
gnt1 <= 0; 
end  e lse  beg in
gntO <=  (~ gn t0  &  reqO) | 
(gntO & reqO & ~req1); 
gnt1 <=  (gntO &  req1) | 
(-gn tO  & -req O  & req1); 
end
reqO
(t-1 )
req1
(t-1)
reqO
(t)
req1
(t)
gntO
(t)
gntO
(t+1)
0 0 1 0 0 1
1 0 1 1 1 0
1 1 0 1 0 0
0 1 1 1 0 1
Figure 7: Arbiter: RTL and simulation trace
The goal of the A-Miner is to partition our simulation data, also 
known as our example set, into subsets that all display some com­
mon behavior based on statistics. Our decision tree data structure 
starts with a root node which contains all examples and the exam­
ples are partitioned into likely behavior by the time they reach the 
leaf nodes. The initial structure of the decision tree is represented 
below.
6
Figure 8: Initial Decision Tree
> Counterexample A l Counterexample
reqO req1 reqO req1 gnto gnto
t u ) 0-1) 0) 0) 0) 0+1)
1 0 1 0 1 1
1 0 1 0 1 1
gnto
reqO req1 reqO req1 gnto gnto
0-1) 0-1) 0) 0) 0) 0+1)
0 0 0 0 0 0
0 0 1 0 0 1
Figure 9: First Iteration: Counterexamples and Refined Tree
AO: -ireqO=>XgntO 
Al: reqO=>X-igntO
The two candidate assertions generated above are proven false by 
formal verification. A counterexample is produced for each failed 
assertion containing the series of states that will contradict this as­
sertion. We simulate these counterexamples and add the results to 
our example set as show below. The decision tree continues to grow 
since the error is greater than 0 for each node. This means that the 
confidence is no longer 100% for AO and Al. The A-Miner finds 
four more candidate assertions based on the new data.
A2: -ireqOA(X-reqO)=>A'X-'gntO 
A3: ->reqOA(XreqO)=>XAgntO 
A4: reqOA(A'-ireql)=>A'A'gntO 
A5: reqOA(A’reql)=>A'X-igntO
After one iteration, A2 and A3 are verified to be true. However, 
A4 and A5 both fail formal verification and a counterexample is 
produced for each. We again simulate the counterexamples and 
add them to our data set. The refined tree is shown below.
A4 Counterexample A5 Counterexample
reqO req1 reqO req1 gnto gnto
0-1) 0-1) 0) 0) 0) 0+1)
1 0 1 1 1 0
1 1 1 1 0 1
reqO
0-1)
req l
(t-D
reqO
0)
re q l
(t)
gntO
(t)
gnto
(t+1)
1 0 0 0 1 0
V A9 X  A10
Figure 10: Second Iteration: Counterexamples and Refined 
Tree
A6: reqOA(X->req0)A(X->req 1 )=>XX -igntO 
A7: reqOA(XreqO)A(X-reql)=^A’XgntO 
A8: reqOA(-ireql)A(Xreql)=»XA'-igntO 
A9: reqOAreq 1 A(X-ireqO)A (X req 1 )=>X X ->gnt0 
A10:req0Areql A(XreqO)A(Xreql)=>A’A’gntO 
A6, A7, A8, and A9 are verified as true. However, A10 is shown 
to be false even though all primary inputs have been assigned. This
is because there is a state outside of the window that affects the 
output, gntO. At this point, we allow the A-Miner to search the 
registers and primary outputs in the farthest back temporal state for 
a suitable split. In our example, we add the signal gntO(t-l) to the 
search. The A-Miner makes this split and produces the full tree 
below and Al 1 and A 12 are newly generated true assertions.
gnto
0-1)
reqO
(t-1)
reql
(t-1)
reqO
(0
reql
0)
gnto
0)
gnto
(t+1)
0 1 1 1 1 1 0
VA11 V A12
Figure 11: Third Iteration: Full Tree
All :  reqOAreqlA(A'reqO)A(Xreql)AgntO=>A'2igntO 
A12: reqOAreq 1 A(XreqO) A(2ireq 1)A(-ignt0)=$>X X (-igntO) 
After the assertions are generated by incremental counterexam­
ple refinement, the counterexamples can be added to the the orig­
inal directed test to improve coverage of the test. The series of 
inputs for each counterexample are simply added to the current in­
put stimulation in the directed test. The improvement in expression 
coverage of each counterexample iteration is shown below.
Counterexample
Iteration
Input Space 
Coverage (%)
Expression 
Coverage (%)
0 0 70
l 50 80
2 93.75 90
3 100 90
Figure 12: Coverage of Arbiter Design
7. EXPERIMENTAL RESULTS
To evaluate the quality of our method, we implement the in­
cremental decision tree building algorithm and generate validation 
stimulus and assertions for several design modules. These include 
some simple synthetic blocks we created to test various features, 
and some blocks from the Rigel RTL design [11] and the ITC 
Benchmark Suite of designs . The simple blocks include a small 
combinatorial example block (cex_small), a 2-input arbiter (arbiter2). 
and a 4-input arbiter with more internal state (arbiter4). Specific 
signals are sometimes indicated in the results or figures, such as 
arbiter2 . gntO for the output signal gntO of the abiters2 mod­
ule. From the Rigel design three key modules in the processor are 
chosen: Instruction Fetch (fetch), Instruction Decode (decode), and 
Instruction Writeback (wbstage). These modules are used for the 
following experiments:
1. Plot expression coverage of simple modules as GoldMine 
test generation proceeds
2. Limit studies of the counterexample method
(a) Zero-pattern seed, start with no test patterns and iterate
(b) Full-coverage seed, start with patterns that provide
7
3. Bug finding, inject random faults and use the previously de­
rived assertions as a regression suite to find the bugs
4. Compare and contrast to standard coverage metrics
The runtime for this algorithm is proportional to number of Gold- 
Mine tests generated. The size of the design, number of initial sam­
ples, and maximum number of iterations all affect the number of 
counterexamples. A more complex design will require more coun­
terexamples to be generated because in the worst case, the asser­
tion will only be refined by one variable per iteration. The number 
of initial samples affects how complete the decision tree is before 
counterexamples are added because a larger number of examples 
gives a better indication of the design and therefore a more accu­
rate decision tree. As the completeness of the initial tree increases, 
the number of counterexamples decreases because fewer candidate 
assertions will need to be refined. The maximum counterexam­
ple depth determines how many iterations before the decision tree 
stops trying to refine an assertion. As the counterexample depth de­
creases, the runtime decreases as does the accuracy of the decision 
tree. Experimental results show the average time per formal veri­
fication of an assertion to be 1.5 seconds. If a counterexample is 
produced, the time to produce that counterexample is an additional 
1.5 seconds. Most tests completed within 24 hours on an Intel Core 
2 Quad Q6600 with 4GB of memory. Memory usage is propor­
tional to the number of examples, which increases as the number of 
counterexamples increases. All tests used well below the 4GB of 
the machine.
Our implementation for this algorithm is a very najve approach 
and there are many potential performance optimizations. Every 
time a candidate assertion is produced, that assertion is formally 
verified. This means that the formal verifier must compile the full 
design every time a candidate assertion is produced. An improved 
approach would collect all candidate assertions and formally verify 
all assertions at once, drastically decreasing the time spent during 
formal verification. Counterexamples are also produced at the same 
time that an assertion is run through formal verification. Combin­
ing the counterexamples into one large test bench could drastically 
cut down on simulation time as well. In addition, only the current 
node in the decision tree and its descendants can benefit from a 
counterexample. Using the batched approach, all nodes with fail­
ing assertions would benefit from all counterexamples produced, 
rather than just their own counterexample. Given these enhance­
ments, it would be very reasonable to expect at least a 100% speed 
increase.
7.1 Coverage Increase
The first experiment demonstrates the increase in expression cov­
erage as the counterexample algorithm progresses, showing a mono­
tonic increase in coverage. We have summarized these results in 
Figure 13 and Figure 14. Expression coverage was chosen as a 
representative example of an industry standard metric, though as 
explained in Section 5 this metric is often unable to achieve 100% 
coverage on its own. Redundant statements, unreachable states, 
and other RTL characteristics often limit expression coverage ef­
fectiveness. A steady increase in such coverage is however an in­
dicator of progress in the quality of the assertions and tests created 
by this algorithm.
This experiment was performed on several typical circuit de­
signs. The first step of the test is to simulate the original test suite. 
The original test suite can be in the form of a directed test or a com­
pletely random input stimulus test. Any spurious assertions are re­
fined using counterexamples until the A-Miner has generated a true 
assertion or until the counterexample exceeds the length of the un-
Figure 13: Design Space Coverage by Iteration
Iterations cex small arb iter2 arbiter4
0 66.67% 70% 39%
1 83.33% 80% 82%
2 83.33% 90% 87%
3 83.33% 90% 88%
Figure 14: Expression Coverage Increase by Iteration
rolled circuit. We can easily calculate the input space covered by 
an assertion as \ / ( 2 depth °f node). We accumulate the coverage of 
all system invariants to determine the input space coverage of our 
set of assertions. This experiment can be split into several groups.
•  Combinational, directed test: cex_small
•  Combinational, random stimulus test: wb_stage
• Sequential, directed test: arbiter2, arbiter4
• Sequential, random stimulus test: fetch_stage
The coverage of the true assertions is evaluated by considering the 
percentage of the truth table that is covered by that assertion. We 
consider the possible input space as
2 (num ber o f inputs *  length o f unrolling )
We can consider the inputs specified in the assertion as concrete 
inputs and the rest as don’t care inputs. This means that the number 
of input combinations covered by an assertions is equal to
number o f d o n 't care inputs)
In our decision tree, the number of concrete inputs in an assertion 
is equal to the depth of the node containing it. Based on this in­
formation, we can see that the input space covered by a potential 
assertion is cut in half every time the depth increases. This shows 
that the input space covered is l / ( 2 rfept/i).
The results show a consistent increase in the input space covered 
by the assertions in each iteration. For the wb_stage and cex_small 
modules, we note that incremental refinement converges to 100% 
input space covered. We also note that since the cex_small module 
is a simple design and the wb_stage module is a complex design, 
there is a direct correlation between the complexity of the module 
and the number of counterexample iterations required to converge.
We also notice that there is an exponential increase in the input 
space covered in the early iterations but only a logarithmic increase 
in input space covered in the later iterations. This shows that even 
if incremental refinement is only applied up to a certain depth, there 
will still be a relatively large coverage gain.
8
7.2 Zero Initial Patterns
The second experiment is a limit study showing that the coun­
terexample algorithm works even when no directed tests exist. The 
lack of any patterns would begin the procedure with a simple asser­
tion of the form “output always 0”, for example, which the formal 
verification would show false and provide a counterexample, which 
would be the first functional pattern. Table 1 shows the increase in 
coverage for each tested design as the algorithm progresses. Even 
with no initial test patterns, the counterexample method is able to 
create a test suite that achieves good coverage with few iterations. 
This indicates that counterexamples may be a useful methodology 
to jump start a module design environment by creating many tests 
that can then be run on the testbench model checkers.
Iterations 0 1 2 5 12 15 17
arbiter2.gnt0 0% 50 75 100 100 100 100
arbiter4.gnt0 0% 0 31.25 69.53 97.29 99.97 100
fetchstage. valid 0% 0 25 100 100 100 100
Table 1: Coverage Percentage by Iteration Starting From Zero 
Patterns
7.3 Complete Coverage Initial Patterns
The third experiment explores GoldMIne test development on a 
module that already has full coverage by at least some of the com­
mon coverage metrics. The goal is to see if GoldMine tests can 
find any of the uncovered state in the design by finding counterex­
amples. If a block already has full coverage on some metrics, and 
very high coverage on others, it is often difficult to get to higher 
coverage or to know if higher coverage is even possible. We evalu­
ated such a condition and were able to derive counterexample tests 
that did indeed improve expression coverage that was already quite 
high. Figure 15 shows that a block with 100% line and branch 
coverage, and high condition coverage, achieved higher condition 
coverage after GoldMine test generation.
Test line branch cond
50 Random Cycles 100 100 93.02
50 Random Cycles + 
GoldMine 100 100 95.35
Figure 15: Increasing Coverage on High Coverage Block
7.4 Fault Detection by Assertions
The fourth experiment is an example of using the provided asser­
tions in a regression testing environment by injecting and finding 
bugs in a design that has previously had assertions built on the cor­
rect version. We implement a systematic mutation-based method to 
test the assertions’ ability to detect bugs. The internal design signal 
is selected to mutate and all generated assertions are then formally 
check on the mutated design model. The failed assertions are con­
sidered able to cover the corresponding bug on the mutated design. 
Since we do not have actual block-level testbench code with moni­
tors and checkers, we have used assertions as the regression vehicle 
in this experiment, but since the generated test vector suite also has 
very high coverage it would also be an effective regression suite.
Table 2 shows the results for several randomly chosen signals in 
the Rigel RTL modules. For a randomly chosen signal in a design, 
the figure shows the number of assertions that detected the fault. In 
each case, the assertion suite is able to detect the faults.
Signal stuck at 0 stuck at 1
stall_in 269 94
branch_pc 35 35
branch_mi spredict 8 66
icache_rdvl_i 1 2
Table 2: Faults Covered by Assertions
7.5 Comparison to Standard Coverages
In the second experiment, we show the output of several stan­
dard coverage analyses comparing standard directed and random 
tests with tests generated by the counterexample algorithm. Final 
coverage values for both Rigel designs and ITC Benchmark de­
signs are included, showing the coverage achieved by the various 
methods.
Module
dumber
of
Cycles
Random GoldMine
line cond toggle fsm branch line cond toggle fsm branch
bOl 85 98.42 84.38 87.5 71.43 88.89 100 93.75 94.44 76.19 94.44
b02 50 100 X 92.86 66.67 91.67 100 X 92.86 66.67 91.67
b09 28000 100 100 96.77 57.14 90 100 100 96.77 57.14 90
b l2 12000 39.42 40.7 58.59 10.47 30.67 40.88 40.7 58.59 10.47 33.33
b l7 23000 40.23 17.19 21.85 29.86 34.64 40.23 17.19 21.85 29.86 34.64
b!8 10000 33.81 10.53 16.17 25.69 21.61 33.81 10.53 16.17 25.69 21.61
Figure 16: Coverage Comparison Between Random Tests and 
GoldMine Tests
Table 3 and Figure 16 show comparisons to the GoldMine gener­
ated test method and both directed and random test pattern meth­
ods, applied to different designs. The Cycles column of each table 
lists the number of simulation cycles run to achieve the given test 
coverage for the Directed and Random examples, and the number 
of final test pattern cycles created for the Counterexamples section. 
From these tables we see that some of the coverage metrics remain 
low even after 1.5M cycles. In all cases, the final coverage results 
for tests created by the counterexample method are very high.
8. RELATED WORK
We discuss work that is related to different aspects of our ap­
proach. Our counterexample based stimulus generation approach 
distinguishes itself from all the existing coverage guided test gen­
eration approaches in that the generated counterexample is able 
to automatically explore logic not covered by previous stimulus. 
Counterexample- based refinement of abstractions for verification 
has been studied widely [4], The idea of generating tests from 
counterexamples using model checking has been explored in soft­
ware testing and hardware validation [2] [3] [7]. These methods 
require a predefine set of properties and then formally verify these 
properties. In our work, the set of properties are generated auto­
matically, minimizing human intervention in the loop. Many tech­
niques in prior art automatically generate validation patterns by 
incorporating coverage feedback [6] [13] dynamically. However, 
they do not use a flow similar to GoldMine for generating feed­
back.
Statistical methods have been adopted in hardware validation for 
assertion generation [9] [10] [15] and test generation [17] [8] [3]. 
IODINE [9] tries to automatically infer likely invariants by hypoth­
esizing a set of predefined invariant pattern across one or more vari­
ables in the design and then analyzing the deisgn’s dynamic behav­
ior during simulation. The generated assertions need not be sound,
Design-
Module
Directed test GoldMine
Cycles Line Cond Toggle Branch Cycles Line Cond Toggle Branch
wbstage 1.5M 100% 63.33% 33.96% 100% 9182 100% 95.53% 96.75% 100%
fetch 1.5M 95.92% 87.5% 55.22% 95% 13466 100% 92% 94.46% 100%
decode 1.5M 47.82% 55.04% 81.89% 57.82% 14649 99.87% 76.96% 91.42% 88.17%
Table 3: Coverage Comparison Between Directed Tests and GoldMine Tests
as well as they are usually simple assertions like one-hot encoding. 
In the field of data mining, incremental decision tree algorithms like 
VFDT(Very Fast Decision Trees) [5] are explored to allow an ex­
isting tree to be updated or revised using new data instances. These 
are typically applied to handling stream data whose characteristics 
change over time.
9. CONCLUSIONS
In conclusion, we have presented a completely automated stimu­
lus generation methodology for systematic coverage closure based 
on GoldMine. The forward progress and termination properties of 
the algorithm make it a sound and practically attractive solution.
Our methodology starts from uncovered design space and cov­
ers it systematically. With every iteration, a new uncovered region 
is converted to a covered region. This is different from covering 
all known state space and inching forwards toward the uncovered 
space.
Although we achieve coverage closure within an implementa­
tion, this does not imply adherence to a higher level specification or 
design intent. We believe that the enhanced test suite output from 
our methodology can be applied in a validation environment that 
includes traditional monitors and checkers. We also believe that 
together, the GoldMine assertions and test vectors have significant 
value to a design validation effort, but the key contribution comes 
when a completed Final Decision Tree has been constructed. The 
existence of this structure itself implies a fully explored and vali­
dated design.
Acknowledgements. The authors wish to thank Professor Steven
S. Lumetta of the University of Illinois Electrical and Computer En­
gineering Department for his valuable insights and generous help 
with computing resources for experiments.
10. REFERENCES
[ 1 ] Ieee standard for system verilog: Unified hardware design, 
specification, and verification language. IEEE Std 
1800-2005, pages 0-648, 2005.
[2] D. Beyer, A. J. Chlipala, and R. Majumdar. Generating tests 
from counterexamples. In Proceedings o f the 26th 
International Conference on Software Engineering, pages 
326-335, 2004.
[3] M. Chen and P. Mishra. Functional test generation using 
efficient property clustering and learning techniques. IEEE 
Transactions on Computer-Aided Design of Integrated 
Circuits and Systems, 29(3):396 -404, march 2010.
[4] E. Clarke, O. Grumberg, S. Jha, Y. Lu, and H. Veith. 
Counterexample-guided abstraction refinement for symbolic 
model checking. J. ACM, 50(5):752-794, 2003.
[5] P. Domingos and G. Hulten. Mining high-speed data streams. 
In Proceedings of the sixth ACM SIGKDD international 
conference on Knowledge discovery and data mining, pages 
71-80, 2000.
[6] S. Fine and A. Ziv. Coverage directed test generation for 
functional verification using bayesian networks. In 
Proceedings o f the 40th annual Design Automation 
Conference, pages 286-291, 2003.
[7] S. Gurumurthy, R. Vemu, J. A. Abraham, and S. Natarajan. 
On efficient generation of instruction sequences to test for 
delay defects in a processor. In Proceedings o f the 18th ACM 
Great Lakes symposium on VLSI, pages 279-284, 2008.
[8] O. Guzey, L.-C. Wang, J. R. Levitt, and H. Foster. Functional 
test selection based on unsupervised support vector analysis. 
In Proceedings of the 44nd annual Design Automation 
Conference, pages 262-267, 2008.
[9] S. Hangal, N. Chandra, S. Narayanan, and S. Chakravorty. 
Iodine: a tool to automatically infer dynamic invariants for 
hardware designs. In Proceedings o f the 42nd annual Design 
Automation Conference, pages 775-778, 2005.
[10] B. Isaksen and V. Bertacco. Verification through the principle 
of least astonishment. In Proceedings of the 2006IEEEJACM 
international conference on Computer-aided design, pages 
860-867, 2006.
[11] J. H. Kelm, D. R. Johnson, M. R. Johnson, N. C. Crago,
W. Tuohy, A. Mahesri, S. S. Lumetta, M. I. Frank, and S. J. 
Patel. Rigel: An architecture and scalable programming 
interface for a 1000-core accelerator. In Proceedings o f the 
International Symposium on Computer Architecture, June 
2009.
[12] K. L. Mcmillan. Symbolic Model Checking: an approach to 
the state explosion problem. PhD thesis, Carnegie Mellon 
University, 1992.
[13] P. Mishra and N. Dutt. Functional coverage driven test 
generation for validation of pipelined processors. In 
Proceedings of the conference on Design, Automation and 
Test in Europe, pages 678-683, 2005.
[14] A. Pnueli. The temporal logic of programs. In Proceedings of 
the 18th Annual Symposium on Foundations of Computer 
Science, pages 46-57, 1977.
[15] F. Rogin, T. Klotz, G. Fey, R. Drechsler, and S. Riilke. 
Automatic generation of complex properties for hardware 
designs. In Proceedings of the conference on Design, 
automation and test in Europe, pages 545-548, 2008.
[16] S. Vasudevan, D. Sheridan, D. Tcheng, S. Patel, W. Tuohy, 
and D. Johnson. Goldmine: Automatic assertion generation 
using data mining and static analysis. In Proceedings of the 
conference on Design, automation and test in Europe, 2010.
[17] C. H.-P. Wen, O. Guzey, and L.-C. Wang. Simulation-based 
functional test justification using a decision-digram-based 
boolean data miner. In International Conference on 
Computer Design, 2006.
10
