Our strategy for automatic generation of functional vectors is based on exercising selected paths in the given hardware description language (HDL) model. The HDL model describes interconnections of arithmetic, logic and memory modules. Given a path in the HDL model, the search for input stimuli that exercise the path can be converted into a standard satisfiability checking problem by expanding the arithmetic modules into logic-gates. However, this approach is not very efficient.
I. Introduction
The most common approach to checking design correctness is to verify that a description of the design in some hardware description language has the proper behavior as elicited by a series of simulation vectors. There are several drawbacks to this approach. Exhaustive simulation is required to guarantee correctness and is possible only for small circuits. If a manageable number of input stimuli are to be simulated, the problem of selecting or generating these input stimuli arises. Generating random or pseudorandom input stimuli is relatively easy; however, random input stimuli, typically, do not thoroughly exercise the design and therefore miss a lot of design errors.
One can base a functional vector generation strategy on coverage metrics. Commonly used coverage metrics correspond to instruction counts, i.e., how often, if at all, an instruction or statement in the hardware description language (HDL) code is exercised. Full statement coverage corresponds to the input stimuli exercising every statement in the given HDL code at least once. Full path coverage is a more comprehensive criterion, where every path in the HDL code is exercised by the input stimuli. Since the number of paths in the HDL model can grow exponentially with the size (number of lines) of the model, full path coverage is generally not attainable. Design-specific strategies for computing coverage have also been proposed.
Very often, designers manually generate functional vectors with full statement coverage, and which exercise all "interesting" paths in the model. The generation of input stimuli that satisfy coverage requirements is a tedious process. However, the automatic generation of functional vectors is a difficult computational problem.
In this paper it is assumed that the given HDL model describes interconnections of arithmetic, logic and memory modules, and that coverage of selected paths is used as a metric for functional vector generation.
Given a set of paths in the HDL model, for each path, a satisfiability problem is solved to obtain the input stimuli that exercise the chosen path. Path sensitization in HDL models can be converted into a standard satisfiability checking problem by expanding the arithmetic modules into logic-gates. However, this approach is not very efficient.
A satisfiability algorithm is presented in this paper that works directly on the HDL model. The primary feature of the HDL-satisfiability algorithm is a seamless integration of linear-programming techniques for arithmetic modules and Boolean satisfiability (SAT) checking for logic modules. This integration is critically important to efficiency, since it avoids module expansion and allows working with logic equations and arithmetic equations that track the size of the HDL model. SAT checking is used to solve the logic equations and linear programming is used to check the feasibility of the arithmetic equations. Interactions between Boolean variables in the SAT equations and integer variables in arithmetic equations are handled by increasing the number of integer variables.
The path coverage metric has been chosen because exercising computation paths in a circuit is a tried-and-trusted way of design debugging. Since the number of paths in the circuit may be too large to enumerate, a subset of paths is selected. Other coverage metrics, such as statement coverage and OCCOM [10], [11], can also be used in this framework. This will only impact the specifics of the generated satisfiability problem.
The remainder of this paper is organized as follows. Section II describes previous work on automatic test generation. Our functional vector generation method is presented in Section III. Section IV describes our hybrid satisfiability algorithm which is based on linear programming and Boolean satisfiability. Experimental results are presented in Section V, while future work is touched upon in Section VI.
II. Previous Work
Some representative work in the use of high-level information in test pattern generation is presented in this section.
A. Stuck-at-Fault Test Generation
In [2], a symbolic test generation system for hierarchically modeled digital systems is described. The sequential system under test is modeled as a data-path and a control section. The partitioning of the circuit into data-path and control sections is often performed somewhat arbitrarily. The modules in the data-path section are defined as an interconnection of other modules or described behaviorally. The behavioral model is a simplified and incomplete model of the module and is used for the purpose of fault-effect propagation and justification. The control section is always modeled as a finite state machine. Since a hierarchical description of the controller is not allowed, large controllers for which State Transition Graphs cannot be generated, cannot be handled by this approach. There is a fundamental assumption that the control section has been tested using existing techniques and is found to be fault-free. This can be an artificial assumption, as the system designer often wants to test the control and the data-path together. Also, for control-dominated chips, this approach will not be applicable because it assumes that the testing of the control portion is handled by some other test generator. Instead of using binary or integer values, symbols are used to represent values on the wires. However, in any computer implementation, the symbols have to be represented as a code, and therefore integers or a similar representation have to be used for the encoding. Therefore, the advantage of using symbols instead of integers is not clear. Very few results were quoted for this approach and it is difficult to gauge its effectiveness.
In [25], the gate-level combinational test pattern generator SOCRATES [4] is augmented to handle circuits described hierarchically. The only high-level primitives supported are decoder, demultiplexor, bus, encoder, multiplexor, tri-state driver, and one-bit adder. The implication, unique sensitization, and multiple backtrack procedures used in SOCRATES are extended to handle these high-level primitives. A gate-level fault model is used and modules inside which faults have to be considered are dynamically expanded to their gate-level circuit. Therefore, the structure of the circuit changes dynamically during test generation. Apart from these modifications, the procedures are similar to well known procedures in combinational test pattern generation. As mentioned earlier, this approach handles combinational circuits only. A maximum speed-up of a factor of two is reported for this approach.

The Boolean satisfiability (SAT) approach to stuck-at fault test generation was pioneered by Larrabee [20]. Here, the goal is not stuck-at fault testing, but rather justifying values on a collection of signals. That is, given a logic circuit, an input assignment is desired that produces appropriate signal values at circuit outputs, or intermediate signals. The SAT approach converts this problem into one of satisfying a conjunctive normal form (CNF) expression.
Consider the circuit of Figure 1. Assume it is desired to find an input assignment that sets the output to a 1. Clauses are written for each gate in the circuit. The clauses model the input-output relationship for each gate, and are shown below,
In order to produce a 1 at the output of the circuit, the above CNF needs to be satisfied with Z set to 1.

Constraint solving for test generation is a well-researched problem in the software test area (e.g., [3], [22]). These systems typically attempt to solve nonlinear constraint systems heuristically. In many such systems the logic corresponding to the constraint system is undecidable. The high-level design validation system of [8] uses augmented linear-program solving to solve certain types of constraints. Nonlinear operators in constraints require exhaustive enumeration, random guesses, or the use of heuristics. Bultan et al. [6] present a method that uses Presburger formulas as a symbolic representation to perform model checking of infinite state systems. A Presburger solver is used to manipulate these formulas.
Johnson [16] describes an experiment wherein structural testing criteria are used to generate tests for HDL models, and the generated tests are evaluated using fault coverage for stuck-at faults on a logic-gate implementation of the HDL model. It appears that the tests were generated combining symbolic and logic simulation approaches to heuristically check for invariants in a finite-state system is developed in [28].
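The gate-clause formulation of signal justification described in this section can be made concrete as follows. This is an added example, not code from the paper: the three-gate circuit, the signal numbering and the function names are constructed for illustration, and the small search (unit-clause rule plus branching) stands in for a production SAT package.

```python
def gate_clauses(kind, out, ins):
    """CNF clauses (lists of signed ints) that force out == kind(ins)."""
    if kind == "NOT":
        (a,) = ins
        return [[out, a], [-out, -a]]
    if kind == "AND":
        return [[-out, a] for a in ins] + [[out] + [-a for a in ins]]
    if kind == "OR":
        return [[out, -a] for a in ins] + [[-out] + list(ins)]
    raise ValueError(kind)


def assign(clauses, lit):
    """Make literal `lit` true; return simplified clauses or None on conflict."""
    result = []
    for clause in clauses:
        if lit in clause:
            continue                      # clause already satisfied
        rest = [l for l in clause if l != -lit]
        if not rest:
            return None                   # empty clause: this branch is infeasible
        result.append(rest)
    return result


def solve(clauses, model=None):
    """Return a satisfying {signal: bool} assignment, or None if unsatisfiable."""
    model = dict(model or {})
    while True:                           # single-literal clauses force a value
        unit = next((c[0] for c in clauses if len(c) == 1), None)
        if unit is None:
            break
        model[abs(unit)] = unit > 0
        clauses = assign(clauses, unit)
        if clauses is None:
            return None
    if not clauses:
        return model
    var = abs(clauses[0][0])              # branch: try 1 first, then 0
    for lit in (var, -var):
        sub = assign(clauses, lit)
        if sub is not None:
            found = solve(sub, {**model, var: lit > 0})
            if found is not None:
                return found
    return None


# Constructed circuit (not Figure 1 of the paper): D = A AND B, E = NOT C, Z = D OR E.
A, B, C, D, E, Z = 1, 2, 3, 4, 5, 6
GATES = [("AND", D, (A, B)), ("NOT", E, (C,)), ("OR", Z, (D, E))]


def justify(gates, targets):
    """Find signal values consistent with the gates and the required targets."""
    clauses = [c for gate in gates for c in gate_clauses(*gate)]
    clauses += [[sig if val else -sig] for sig, val in targets.items()]
    return solve(clauses)


def simulate(gates, inputs):
    """Evaluate the gates (listed in topological order) on primary inputs."""
    val = dict(inputs)
    for kind, out, ins in gates:
        bits = [val[i] for i in ins]
        if kind == "AND":
            val[out] = all(bits)
        elif kind == "OR":
            val[out] = any(bits)
        else:
            val[out] = not bits[0]
    return val


if __name__ == "__main__":
    print(justify(GATES, {Z: True, D: False}))           # needs C = 0
    print(justify(GATES, {Z: True, D: False, C: True}))  # None: no such input
```

Requirements on intermediate signals (here D) are added as unit clauses in exactly the same way as the output requirement.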
III. Our Functional Vector Generation Method
In this section, our method for functional vector generation given an HDL model is described. We choose the path coverage metric and generate test vectors to sensitize different paths in the design.
The method of finding input values that sensitize a path is to:
1. Write sensitization requirements on (intermediate) signal values.
2. Write module-input module-output relationships for every module in the circuit (cf. Subsection III-B), and
3. Solve a satisfiability problem that corresponds to 1 and 2 above (cf. Section IV). This produces an input assignment that satisfies the sensitization requirement and is consistent with the behavior of the logic circuit.

We use Boolean clauses and Linear Arithmetic Constraints (LAC) to model the test generation problem. The resulting satisfiability problem is called hybrid satisfiability or HSAT.
A. Path Sensitization Requirements
In this subsection, we explain path sensitization for a combinational circuit which corresponds to an arbitrary interconnection of Boolean and arithmetic operators. For sequential circuits, we use conventional time-frame expansion as in [5].
Our strategy of generating functional vectors is to sensitize paths from the circuit inputs to circuit outputs. Sensitizing a path means that the value at the input to the path should affect the value at the output of the path. An important point to note is that busses or word-level variables are not expanded into bit-level variables.
Sensitization of a path through a module may require values at the module side-inputs. For OR and AND gates the side-inputs have to be set to 0 and 1, respectively. For word-level operators, sensitization needs to be defined on the basis of the logic function of the operator. Arithmetic operators are easy to sensitize; only overflow or underflow needs to be checked if we are dealing with saturation arithmetic.
In the sequel, it is assumed that the path from A to the module output is sensitized. Sensitization should reflect the condition that a (large enough) change in the value of A should result in a change in the module output.
Adder A + B: If overflow is not of concern, there is no requirement. If it is a concern, then it is necessary to have A + B < MAX, where MAX is the largest represented number.
Subtractor A − B: Similar to an adder, except underflow is a possible concern instead of overflow.
Comparator A > B: Requirement is B < MAX. Similarly, for other types of comparators.
Scalar multiplication A × k: A < MAX/k to avoid overflow.

While the above sensitization requirements for logic-gates and word-level arithmetic operators may appear simple, it is important to note that the requirements are on intermediate signals in the circuit. As an example for path sensitization, consider the circuit in Figure 2(a). It is desired to find a test vector which sensitizes the bold path from $x_2$ to h. Figure 2(b) shows the constraints required for sensitizing the selected path.
In the above example, we used path sensitization criteria to write the constraints. Different sensitization criteria can be chosen without changing the overall framework described immediately above.
B. Module-Input Module-Output Relationship
In this subsection, we explain how every module of a circuit can be modeled. We use SAT clauses to model Boolean operations as described in [20]. Word-level operators are modeled using addition, subtraction, comparison, and scalar multiplication.
Consider c = A > B. Note that c is a Boolean variable. In the sequel, U refers to $2^n$ where n is the maximum number of bits in A or B. Thus, the above constraints will express the input-output relationships of a > comparator. Similar pairs of constraints for , , and < comparators can be written.
Nonlinear operators such as integer multiplication can Integer division can be handled in a similar manner. As an example for this section, consider the circuit given in Figure 2

This section describes the hybrid algorithm for satisfiability checking. This algorithm seamlessly integrates linear-programming feasibility and Boolean satisfiability checking. Integration would be easy if there was no correlation between word-level variables and Boolean variables. But, in general, a word-level variable A may appear in an arithmetic operation (e.g., C = A + B), and a bit-masked version may appear in a Boolean operation (e.g., $d = a_{n-1} \lor b_0$, where $\lor$ denotes logical OR).
A. Basic Algorithm Flow
Figure 4 gives the algorithm in pseudocode. The algorithm uses several methods to simplify the SAT portion of the HSAT problem. It also uses some pruning heuristics to detect if the HSAT problem is infeasible to finish the search quickly. If it cannot prove infeasibility, it picks a variable heuristically and sets its value to 1(0) and tries to find a solution to the resulting HSAT subproblem. If the subproblem is infeasible, it recurs and sets the value of the selected variable to 0(1) and continues with finding a solution for the new subproblem.

In the general case, the LAC will be non-empty. Still it is possible to check for essential variables, and delete dominating clauses. However, the variables that are unate with respect to the Boolean clauses cannot be set without checking for correlation in the LAC. For example, if we have, $(w_0 \lor a \lor b)$ W + X 5 with $w_0$ only appearing in the one clause shown, it cannot be assumed that $w_0 = 1$, because $w_0$ is correlated with W. In order to satisfy the clauses and LAC, it might be necessary to have $w_0 = 0$, $a = 1$.
A.2 Pruning Methods
Regardless of correlation among bit-level and word-level variables, the following can be asserted:
Polynomial-time checks using cycle detection can be performed to see if SAT is infeasible [20]. If SAT is infeasible, so is HSAT. Note that for SAT even if cycle detection fails, the problem may still be infeasible.

Full-fledged conjunctive normal form (CNF) satisfiability algorithms can be run with a limit on the number of backtracks in search, to possibly prove infeasibility of SAT.

The linear program relaxation (LPR) of the LAC's corresponds to relaxing the assumption that the word-level variables are integral. (That is, they can be real.) If the LPR corresponding to LAC or HSAT (i.e., SAT and LAC) is infeasible, then the HSAT problem is infeasible.
A.3 Variable Selection
The selection of the Boolean variable is dependent on how many clauses it appears in. Selecting a variable which appears in many clauses and setting its value to 1 or 0 can satisfy many clauses and eliminate the selected variable from some other clauses. This simplifies the HSAT problem and helps to find a solution to the problem faster. On the other hand, if there is a word-level variable correlated to the selected Boolean variable, setting the value of the selected Boolean variable to 1 or 0 can make the LAC's tighter. As a result, it is necessary to give priority to the Boolean variables with no correlated word-level variable or Boolean variables for which setting their values makes relatively few LAC's tighter.
B. Coupling Between Binary and Integer Variables
Because there is correlation or coupling between the word-level variables and the Boolean variables, it is necessary to modify LAC after fixing the value of every Boolean variable.
Assume that W is a four-bit positive integer. Suppose $w_2$ is set to 1 in W. Then two new variables X and Y are introduced and 8X + 4 + Y is written instead of W, where $X \le 1$, $Y \le 3$. X is effectively a Boolean variable, and Y is a two-bit integer. There is no longer a need to keep W, so the increase in the number of variables is 1.
In general, given a word-level variable W, the following linear expression for the arithmetic value for W can always be written,

$$W = k\,2^{n-1} w_{n-1} + 2^{n-2} w_{n-2} + \cdots + 2 w_1 + w_0,$$

where k is −1 for sign/magnitude or two's complement numbers, and 1 otherwise. If W is of n bits, and r bits of W are set, then in the worst case, r + 1 new word-level variables are necessary, assuming none of the r bits are adjacent.
Thus, given an arbitrary setting of Boolean variables that correlate to word-level variables in an LAC, the LAC can be modified into another LAC using the method outlined above. The modified LAC will typically have more variables than the original LAC, however, the ranges of the variables will be smaller. Further, there is no exponential increase in the number of variables or constraints; the total number of constraints and the total number of variables in the LAC will grow no more than the number of Boolean variables that are set to 0 or 1.
The above transformation is key to the seamless integration of Boolean clauses and LAC in the hybrid satisfiability algorithm.
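The rewriting of a word-level variable after some of its bits are fixed, and its effect on an LAC, can be sketched as follows. This is an added example, not the authors' implementation: it assumes unsigned words (k = 1), the function names are hypothetical, and the constraint W + X ≤ 3 is constructed to show why a bit that looks free in the Boolean clauses cannot be set without consulting the LAC.

```python
from itertools import product


def split_word(name, n, fixed):
    """Rewrite an n-bit unsigned word after some of its bits are fixed.

    fixed maps bit index -> 0 or 1. Returns (terms, const), where terms is a
    list of (coeff, new_var, upper_bound) and the word equals
    const + sum(coeff * new_var) with 0 <= new_var <= upper_bound.
    """
    terms, const, hi = [], 0, n - 1
    while hi >= 0:
        if hi in fixed:                       # fixed bit folds into the constant
            const += fixed[hi] << hi
            hi -= 1
            continue
        lo = hi                               # extend the run of free bits downward
        while lo > 0 and (lo - 1) not in fixed:
            lo -= 1
        terms.append((1 << lo, f"{name}_{hi}-{lo}", (1 << (hi - lo + 1)) - 1))
        hi = lo - 1
    return terms, const


def expression_values(terms, const):
    """All values the rewritten expression can take (exhaustive, small n only)."""
    ranges = [range(ub + 1) for _, _, ub in terms]
    return sorted(const + sum(c * v for (c, _, _), v in zip(terms, combo))
                  for combo in product(*ranges))


def consistent_values(n, fixed):
    """Reference: every n-bit value whose fixed bits match."""
    return [w for w in range(1 << n)
            if all((w >> i) & 1 == b for i, b in fixed.items())]


def substitute(lac, word, terms, const):
    """Replace `word` in the constraint sum(coeffs[v] * v) <= rhs."""
    coeffs, rhs = lac
    c = coeffs[word]
    new = {v: k for v, k in coeffs.items() if v != word}
    for coeff, var, _ in terms:
        new[var] = c * coeff
    return new, rhs - c * const


def bound_feasible(lac, upper):
    """True if some point with 0 <= v <= upper[v] satisfies this one constraint."""
    coeffs, rhs = lac
    lowest = sum(k * upper[v] for v, k in coeffs.items() if k < 0)
    return lowest <= rhs


def try_bit(value):
    """Constructed case: 4-bit W and X, LAC W + X <= 3, with w_2 fixed to `value`."""
    terms, const = split_word("W", 4, {2: value})
    lac = substitute(({"W": 1, "X": 1}, 3), "W", terms, const)
    upper = {"X": 15, **{var: ub for _, var, ub in terms}}
    return lac, bound_feasible(lac, upper)


if __name__ == "__main__":
    print(split_word("W", 4, {2: 1}))   # 8*W_3-3 + 4 + W_1-0, bounds 1 and 3
    print(split_word("X", 8, {2: 1}))   # 8*X_7-3 + 4 + X_1-0, bounds 31 and 3
    print(try_bit(1), try_bit(0))       # w_2 = 1 is infeasible, w_2 = 0 is not
```

For a single constraint over box bounds the range check is exact; the paper instead hands all modified LAC's together to an LP solver, which is a stronger test.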
As an example for our hybrid satisfiability algorithm, we solve the constraints given in Figure 5(a). There is a clause with a single variable c in the SAT constraints, and as a result c is an essential variable and it must be set to 0 in order to find a solution to the SAT problem. Variable e is another essential variable and its value has to be set to 1. Figure 5(b) shows the Boolean clauses after fixing the values of variables c and e. Variables b and f are unate variables and there are no integer variables corresponding to them. In order to find a solution to the SAT problem, we can set the value of variables b and f to 1 and 0, respectively. Figure 5(c) shows the HSAT problem after simplifying the Boolean clauses. The algorithm proceeds with choosing variable $x_2$ to branch. Variable $x_2$ is set to 1 and search continues to find a feasible solution to the HSAT problem. Figure 5(d) shows the HSAT problem after simplification. Using the essential variable rule several times for the new HSAT problem, a solution to the SAT problem can be obtained as shown in Figure 5(e). Note that during the search, the value of the variable $x_2$ has been fixed and there is an integer variable correlated to it in the LAC's. In order to find consistent values for integer and Boolean variables, it is necessary to modify the LAC's. Figure 5(f) shows expansion of variable X using two new integer variables $X_{7-3}$ and $X_{1-0}$. Note that the number of bits of variable $X_{7-3}$ is 5 and the number of bits of variable $X_{1-0}$ is 2, so the upper bounds for variables $X_{7-3}$ and $X_{1-0}$ are 31 and 3, respectively. After substituting the value of $x_2$ with 1 in the expansion for variable X, the variable X is substituted in the LAC's. Figure 5(g) shows the LAC's after substitution. There is a feasible solution to the resulting LAC's, so the algorithm has found a solution to the HSAT problem. Figure 5(h) shows the solution to the HSAT problem.
If there was no solution to the subproblem of Figure 5(g), it would be necessary to backtrack and set the value of variable $x_2$ to 0.
In the solution that has been found, Boolean variables $x_0$ and g are unbound. On the other hand, the values of integer variables corresponding to those Boolean variables have been fixed. In order to have consistent values for Boolean and integer variables, the values of $x_0$ and g are set to 0 and 1, respectively.
C. Handling Wide Data-Paths
In the method described in this paper, a single integer variable was used to abstract input to a word-level module. Although this approach works for small data-paths, it is not appropriate for wide data-paths (e.g., a data-path with 64 bits). The number of bits of an integer variable has to be limited for a few reasons, notably to limit the size of the constant U. To handle wide data-paths, it is necessary to use several integer variables instead of one. In the sequel, it is assumed that every integer variable has n bits. It is shown how addition, and can be modeled for a data-path with bit width 2n. Subtraction and can be modeled similarly.

In this section two sets of results on some example HDL models are presented. The HDL models correspond to a parallel port for an embedded processor (pport), various finite state machines with some data operations, notably comparisons (schsm, ctla8, ctla64, ctlbc8, ctlbc64), and two protocols (protrisc and protmpp). We have used 8-bit and 64-bit versions of ctla and ctlabc to show the effect of having a wide data-path in a design. The HDL models are described in Verilog and their size varies between 100-500 lines of code. An example is also presented that corresponds to checking if the output of a 16-bit multiplier can be a prime number (mult16), restricting the operands to be different from 1.
A. Hybrid vs. Boolean Satisfiability
The first set of results compares the new HSAT algorithm to gate-level SAT (GSAT). The HSAT algorithm has been implemented using the SAT package from [27] and a commercial LP solver, cplex.
The performance of HSAT is compared to vanilla satisfiability using the software from [27], adapted to read CNF expressions. During the process of vector generation, many satisfiability problems are solved. For the different HDL examples, data on the hardest satisfiability problem is given.
In Table I the quantitative comparison between HSAT and GSAT is given. For HSAT, the number of clauses (SAT), the number of LAC's, the number of backtracks, and the amount of CPU time required for vector generation are reported. For GSAT, the number of clauses, number of backtracks, the CPU time required to expand the LAC's into Boolean clauses, and the CPU time required to solve the satisfiability problem are reported. To compare overall performance, the sum of the GSAT times has to be compared against the HSAT time, because, in order to run GSAT, the expansion of the LAC's into clauses has to be done.
Just comparing the time for satisfiability checking, HSAT performs significantly better than GSAT for all the satisfiability problems. The improvement is due to the significant reduction in the number of backtracks, which directly translates to faster execution time. The reduction in backtracks is due to the LP feasibility check which prunes unsatisfiable branches of the tree early in the recursion.
The CPU time required per backtrack is significantly higher for HSAT as compared to GSAT because an LP solve is performed at each node of the branching tree. Note that Table I corresponds to the hardest satisfiability problems encountered in vector generation. Many of the satisfiability problems encountered in vector generation are simple, and both HSAT and GSAT find satisfying assignments without backtracking. There was no satisfiability problem where GSAT was successful, and HSAT failed. Other satisfiability approaches such as GRASP [26] may outperform GSAT in some cases; however, these approaches still have to deal with a substantially larger problem than HSAT, and do not use LPR feasibility checking.
Finally, one can envision using commercial ILP solvers once the problem has been set up, but this is also inefficient because any integer variable that appears in a Boolean clause has to be expanded in the initial problem specification; there is no notion of remembering correlation between different representations of a variable in ILP formulations.
B. Directed vs. Random Test Generation
Next, results on comparing the vector generation strategy against random pattern generation are reported. The data is reported in Table II. The directed vector generation method produces as good, or higher coverage, using a much smaller number of vectors in all cases.
The circuits were initially assumed to be in a known state, since this makes it easier to generate random patterns. (If the circuit were in an unknown state, random pattern generation gives significantly worse results. However, using HSAT the circuit can be put into a known state and then vector generation can be performed.)
The CPU times in both tables correspond to seconds on a Sun Ultra-Sparc 30/300 with 256 MB of RAM running at 300 MHz.
VI. Future Work
In this section, some possible improvements to the HSAT method are described.

1 These sets were generated using different seeds.
A. Logical Operation on Integer Variables
The current method for modeling a logical operation on an integer variable involves expanding the integer variable into several Boolean variables and writing Boolean clauses for logical operation on single bits.
This results in O(n) Boolean clauses for an n-bit integer variable. It is desirable to decrease the number of constraints.
To decrease the number of constraints, it is possible to approximate logical operations on integer variables using a constant number of LAC's and improve the approximation by adding more constraints during the search.
The bitwise AND operation on integer variables is used to describe this method. For Boolean variables, the AND operation can be modeled using the following LAC's,

It remains to compare this method for handling logical operators with the method described in the previous section to find out which one performs better for different problems.
B. Feedback from the LP solver to the SAT solver
In the method described for solving HSAT problems, an LP solver is used to check the feasibility of the LAC's or to possibly find an integer solution for the LAC's. It is possible to get more information about the LAC's and use this information to improve the overall performance. LP solvers usually use some preprocessing techniques to tighten the range of the variables. For example, if A is an 8-bit integer variable and its range has been set to [0, 255], preprocessing might find a tighter range like [0, 100]. If the most significant bit of A has been used in Boolean clauses, knowing that tight range, the bit could possibly be set to 0. This helps to simplify Boolean clauses faster which improves the overall performance. The LP solver that was used in the experiments described in this paper did not provide direct access to preprocessing results, so this technique could not be used.
