Abstract. Logic verification tools are often used to verify a gate-level implementation of a digital system in terms of its functional specification. If the implementation is found not to be functionally equivalent to the specification, it is important to correct the implementation automatically. This paper describes a formal method for the diagnosis and correction of logic design errors in an incorrect gate-level implementation. We use boolean equation techniques to search for potential error locations. An efficient search and pruning algorithm is developed by introducing the notion of immediate dominator set. Two correction procedures are proposed. Gate correction corrects errors such as wrong gate type, missing inverters, etc.; line correction corrects errors such as missing wires and wrong connections. Our method is robust and covers all simple design errors described by Abadir et al. [1]. Experimental results for a set of ISCAS and MCNC benchmark circuits demonstrate the effectiveness of the proposed techniques.
I. Introduction
The process of designing VLSI circuits generally involves several cycles of validation and correction. Many verification processes have been automated, for example, logic verification [1] [2] [3] [4] [5] [6], timing verification [7] [8] [9] and layout verification [10] [11] [12]. However, the debugging process is usually carried out manually by the designers. In this paper, we describe an approach to automatic diagnosis and correction of design errors after a logic verification tool determines that a given circuit does not implement the correct logic function.
The design of digital circuits usually starts with a behavioral description. At some stage in the design process, a gate-level circuit implementation is synthesized either manually or automatically according to the behavioral description. With the growing circuit size and complexity, logic design errors can easily occur. Although logic synthesis tools have been increasingly used, the designers very often have to modify the netlists generated by the synthesis tools to improve timing performance, to obtain more compact structures, or to carry out small specification changes.
Logic verification has been studied extensively for finding out whether a gate-level circuit implementation of a design is functionally equivalent to its functional specification. When a gate-level implementation is proven not to be equivalent to its functional specification, it is necessary to diagnose and correct the design errors in the gate-level implementation. This paper provides an efficient tool to accomplish this task.
Manuscript received Nov 10, 1992; revised Apr 20, 1994.
In addition to verifying a circuit in terms of its specified functions, this research has the following applications: (1) Verification of a new version of an implementation in terms of an old implementation. For example, design versions 1.0 and 2.0 may have different timing or structure but have the same functionality. Then circuit version 2.0 can be verified and corrected in terms of version 1.0. (2) A trick for logic minimization. For example, we can intentionally inject two errors into an implementation and then see if it can be corrected at just one location. (3) Debugging CAD tools that cause incorrect implementations, for example, software bugs in gate-level or layout optimization tools, timing optimization tools, or technology mapping tools.
In practice, there are usually very few errors in a design and the types of commonly encountered errors are limited. In this paper, we assume that one simple design error occurs in a gate-level implementation. We adopt the simple design error model proposed by Abadir et al. [1]. The model includes eight commonly encountered design errors: simple gate replacement, a missing/extra inverter, a missing/extra gate, a missing/extra gate input and an incorrectly placed gate input. An experimental study by Aas et al. [13] has shown that the simple design error model covers 98% of all the errors made by the designers in the study.
Several papers have discussed this problem. Tomita et al. [14] suggested a method for correcting a circuit containing a single design error. Input test patterns for locating logic design errors (IPLDEs) are generated. Each time an IPLDE is applied, a set of error candidates is generated. After all IPLDEs are applied, the error candidates in the intersection of all sets are considered as potential error locations. Any candidate in the intersection can be chosen to correct the circuit. However, there are two problems with this scheme. The first one is that the IPLDEs may not exist for some incorrect circuits; for example, an inverter is missing at some primary output. The second problem is that it has not yet been proven that the modification at any potential error location determined by the IPLDEs can always correct the circuit. In the work by Fujita et al. [15], the error compensation procedure used in the transduction method [16]. The algorithm is however not robust. In some cases, their method does not guarantee a solution. In [17, 18], formal methods for locating and correcting design errors are developed. The problem of locating errors is transformed into that of solving boolean equations. For each gate in the circuit, an equation is derived, and the existence of solutions to this equation determines whether the gate is a potential error location or not. However, only those errors which can be modeled as a single gate with an incorrect function are considered. Their correction techniques cannot rectify connection errors, and are in general very slow. This work has been extended to cover missing gate input errors and 2-input primitive gate missing errors [19]. However, the diagnosis and gate correction procedures are still not efficient enough for large circuits.
An overview of our approach is shown in Fig. 1. Given an incorrect implementation, we first search for a potential error location. After a potential error location is found, gate correction, line correction, and input addition procedures are applied sequentially for correcting the error. Gate correction changes the function of the gate driving the error location. Line correction uses another line in the circuit to drive the error location. Input addition is used to correct missing gate input errors. It adds a pseudo input to the gate driving the potential error location, then uses the line correction procedure to correct it. It is possible that a potential error location is not an actual error location. In such cases, the correction may fail. The diagnosis and correction procedures are then repeated until a potential error location that can be corrected is found. If none of the potential error locations can be successfully corrected, we conclude that the erroneous circuit does not satisfy our single error assumption.
In the next section, we formally describe the problem and introduce the simple design error model. Section III describes the potential error locations and derives the diagnosis procedure; error equations are defined and an efficient branch-and-bound search algorithm is given. Gate correction and line correction are described in Section IV. Section V presents the experimental results for a set of ISCAS and MCNC benchmark circuits which demonstrate the efficiency of our method.
II. Problem Description
In this paper, we are interested in the verification of a gate-level implementation of a design in terms of its functional description. We assume that both the functional specification and the gate-level implementation are combinational circuits, or that both are synchronous sequential circuits with the same state variables and the same state assignments. By considering the inputs of flip-flops as pseudo primary outputs and the outputs of flip-flops as pseudo primary inputs, a synchronous sequential circuit can be treated as a combinational one [1].
A functional specification is assumed given which defines the input and output relationship for a certain design. Suppose the design has $n$ primary inputs, $\{x_i : 1 \le i \le n\}$, and $m$ primary outputs, $\{y_i : 1 \le i \le m\}$. Let $S$ denote the functional specification. $S$ can be represented by a vector consisting of $m$ boolean functions, i.e., $S(X) = (s_1(X), s_2(X), \ldots, s_m(X))$, where $X = (x_1, x_2, \ldots, x_n)$ and each $s_i(X)$ is the boolean function defining output $y_i$. Suppose that a gate-level implementation $N$ with $n$ inputs and $m$ outputs has been designed to realize $S$ and the correspondence between the inputs (outputs) of $S$ and the inputs (outputs) of $N$ is given. The function $F$ of $N$ can be derived from the circuit structure and represented by $F(X) = (f_1(X), f_2(X), \ldots, f_m(X))$, where each $f_i(X)$ is the boolean function for its corresponding output $y_i$.
The gate-level implementation is said to be error-free if and only if $F(X) = S(X)$, or more precisely $s_i(X) = f_i(X)$ for $1 \le i \le m$. A primary output $y_j$ is an erroneous output if $s_j(X) \neq f_j(X)$.
Figure 2 shows the functional specification of a design and its gate-level implementation. In this example, there are three primary inputs, $x_1$, $x_2$ and $x_3$, and two primary outputs, $y_1$ and $y_2$.
In the gate-level implementation, $a, b, \ldots, r, t$, and $u$ are lines in the circuit; $G_1$, $G_2$, $G_3$ and $G_4$ are gates in the circuit. Line $q$ is said to be reachable from line $c$ (or $c$ reaches $q$) since there is a directed path from $c$ to $q$. In contrast, line $q$ is not reachable from line $a$. Note that we say $q$ is reachable from $q$ itself. The backtrace cone of a line $l$ is the set of lines that reach $l$. For example, the backtrace cone of $q$ is $\{b, c, e, o, q\}$. The successors of a line $l$ are the set of lines that are reachable from $l$. For example, the successors of $c$ are $\{c, o, q, r, t, u\}$. $RPO(l)$ is defined as the set of primary outputs reachable from $l$.
For example, $RPO(a) = \{y_1\}$ and $RPO(b) = \{y_1, y_2\}$. In later discussions, for simplicity, we use the same name for a primary input (or output) and its corresponding line. The global function of a line $l$, denoted by $f_l(X)$, is the boolean function evaluated at line $l$ in terms of the primary input variables $X$. For example, in Fig. 2, $f_q(X) = x_2 x_3$.
B. Simple Design Error Model
We adopt the simple logic design error model from [1]. The model includes eight commonly encountered design errors, as listed in Fig. 3. We demonstrate here that every simple design error described above can be corrected by either gate correction or line correction. The shadowed area in Fig. 3 indicates the error location for each design error.
Definition 1 Suppose an error location $l$ is driven by a gate $G$ with $p$ inputs. Gate correction replaces $G$ with a different gate which can assume any function of the same $p$ input variables.
It is clear that a simple gate replacement error can be corrected by gate correction. In the case of an extra inverter, the inverter can be replaced by a buffer, and since the existence of a buffer would not affect the functionality of the whole circuit, the buffer can then be deleted. On the other hand, in the case of a missing inverter, we have to pretend that there is a buffer driving the error location; the buffer can then be replaced by an inverter. In the case of a simple extra gate, shown in (4) in Fig. 3, if $G_1$ is AND or NAND, replacing $G_2$ by an AND gate would correct the error; if $G_1$ is OR or NOR, replacing $G_2$ by an OR gate would correct the error; if $G_1$ is XOR, then $G_2$ must be replaced by an XOR gate. In the case of a simple missing gate, $G_1$ cannot be simply replaced by another primitive gate; instead, a complex gate combining $G_1$ and $G_2$ should be used. Since the complex gate uses the same set of input variables as $G_1$, the replacement is considered as gate correction. In the case of an extra gate input, as shown in (6) in Fig. 3, the correct function of $G_2$ depends on a subset of the original inputs, which also satisfies the definition of gate correction.
Definition 2 Given an error location $l$, line correction disconnects the line driving $l$ and connects another line existing in the circuit to $l$.
In the case of a missing gate input, we pretend that every gate has an extra input, connected to ZERO if the gate type is OR, NOR or XOR, or connected to ONE if the gate type is AND or NAND. The extra input is the error location and is corrected by replacing it with $y$ as shown in (7) in Fig. 3. The case of an incorrectly placed gate input can obviously be corrected by line correction.
D. Error Equivalence
Since there is more than one way to synthesize a given function, it is possible that there is more than one way to model the error in an incorrect implementation, i.e., the correction can be made at different error locations. For example, in Fig. 4, the incorrect scenario of ab can be modeled as an incorrectly placed gate input at either of the two locations; the incorrect scenario of abcd can be modeled as a missing gate input at either of the two locations; the incorrect scenario for a b can be modeled as a missing inverter or as a simple gate replacement. These errors are considered equivalent. Our algorithm diagnoses an error to within a functional equivalence class, which means that if a designer makes a simple design error, the error diagnosed by our scheme is equivalent to it.
E. Preliminaries
Our approach is based on the boolean algebra of boolean functions. Let $B$ be a boolean algebra comprising $k$ elements and $F_n(B)$ be the set of $n$-variable boolean functions on $B$. The algebraic system $(F_n(B), +, \cdot, 0, 1)$ is a boolean algebra in which $0$ is the zero-function and $1$ is the one-function [20]. The boolean functions such as $s_i(X)$ and $f_i(X)$ can be considered as elements in $F_n(B)$.
Definition 3 Let $g(X), h(X) \in F_n(B)$. The inclusion relation $g(X) \le h(X)$ is defined as follows:
In this paper, we are especially interested in sets of boolean functions expressed as intervals.
Definition 4 An interval $[g(X), h(X)]$ is defined as
where $g(X)$ is the lower bound and $h(X)$ is the upper bound. An interval $[g(X), h(X)]$ is nonempty if and only if the condition $g(X) \le h(X)$ is satisfied.
Property 1 A function $f(X) \in [g(X), h(X)]$ if and only if $\overline{f(X)}\, g(X) + f(X)\, \overline{h(X)} = 0$ [20]. Property 1 will be used in developing our gate correction procedure to identify whether a function belongs to a given interval.
III. Search for Error Location
When a gate-level implementation $N$ has been shown to be incorrect, the first step is to search for an error location. If the circuit has only one error, the error location must exist within the intersection of the backtrace cones of all erroneous primary outputs, called the suspicious area.
Definition 5 Given two lines $p$, $q$ in $N$, the boolean function $f_p^{q}(X, z)$ is constructed as follows: (1) disconnect $p$ from its fanouts; (2) introduce $z$ as a new primary input and connect $z$ to $p$'s fanouts; (3) $f_p^{q}(X, z)$ is the function evaluated at $q$ in terms of $X$ and $z$. Note that $f_p^{q}$ is independent of $z$ if $q$ is not a successor of $p$.
Definition 6 Given a line $l$ in $N$, define
$E_l(X, z) = \sum_{y_i \in RPO(l)} f_l^{y_i}(X, z) \oplus s_i(X)$,
where $RPO(l)$ is the set of primary outputs reachable from $l$. $E_l(X, z) = 0$ is called the error equation at line $l$. For example, in Fig. 2, $f_b^{y_1}(X, z) = x_1 x_3 z$, $f_b^{y_2}(X, z) = x_3 + z$, $f_h^{y_1}(X, z) = x_2 x_3 z$, and $f_c^{h}(X, z) = x_1 x_2$. The error equations at $b$ and $h$ are $E_b(X, z) = x_1 x_3 z \oplus s_1(X) + (x_3 + z) \oplus s_2(X)$ and $E_h(X, z) = x_2 x_3 z \oplus s_1(X)$, respectively.
Definition 7 If there exists a boolean function $z(X)$ such that $E_l(X, z(X)) = 0$, we say $l$ is changeable.
We say $l$ is changeable because if we change the global function at $l$ into $z(X)$, then all of the functions at $RPO(l)$ will be correct.
Lemma 1 If $l$ is an error location, then $l$ is changeable.
Proof. If $l$ is an error location, $l$ can be corrected by either gate correction or line correction. Let $f_l(X)$ denote the new global function at $l$ after the correction is made. Because the function at the primary outputs after correction must be equal to the specification, we have $f_l^{y_i}(X, f_l(X)) = s_i(X)$, or $f_l^{y_i}(X, f_l(X)) \oplus s_i(X) = 0$, for all $1 \le i \le m$. Thus, $E_l(X, f_l(X)) = 0$, so $l$ is changeable. □
Theorem 1 (a) The error equation $E_l(X, z) = 0$ has a solution $z(X)$ if and only if $E_l(X, 0)\, E_l(X, 1) = 0$. (b) Every function $z_0(X) \in [E_l(X, 0), \overline{E_l(X, 1)}]$ is a solution of $E_l(X, z) = 0$.
Proof. (a) Suppose there exists a solution $z(X)$ such that $E_l(X, z(X)) = 0$. Then $\overline{z(X)}\, E_l(X, 0) + z(X)\, E_l(X, 1) = 0$, by Shannon's expansion theorem [20]. By consensus, $\overline{z(X)}\, E_l(X, 0) + z(X)\, E_l(X, 1) + E_l(X, 0)\, E_l(X, 1) = 0$. Thus $E_l(X, 0)\, E_l(X, 1) = 0$. On the other hand, suppose $E_l(X, 0)\, E_l(X, 1) = 0$. Then $E_l(X, 0)$ is a solution, for $E_l(X, E_l(X, 0)) = \overline{E_l(X, 0)}\, E_l(X, 0) + E_l(X, 0)\, E_l(X, 1) = 0 + 0 = 0$.
(b) Suppose a function $z_0(X) \in [E_l(X, 0), \overline{E_l(X, 1)}]$. Then by Property 1, $\overline{z_0(X)}\, E_l(X, 0) + z_0(X)\, E_l(X, 1) = 0$. Thus $E_l(X, z_0(X)) = 0$ and $z_0(X)$ is a solution. □
Note that $E_l(X, 0)\, E_l(X, 1) \neq 0$ implies that there exists $X$ (an assignment of values to $x_1, x_2, \ldots, x_n$) such that $E_l(X, 0)\, E_l(X, 1) = 1$. This means that, under the assignment $X$, no matter what value is given to line $l$, some outputs will remain incorrect. Therefore, under the single simple design error assumption, $l$ cannot be an error location.
B. Dominator set
The basic procedure for searching for an error location can then be described as follows. An error equation is formed for each line in the suspicious area. If the equation has at least one solution $z(X)$, the line is declared a potential error location.
The process as described above is very expensive because the lines in the suspicious area have to be examined one by one until an error location is found, and the equations are calculated by symbolic boolean function manipulation. In this section, we introduce the notion of dominator set which not only reduces the cost for equation calculation but also provides a strong pruning condition for reducing the search space.
Definition 8 A dominator set of a line $l$ is a set of lines $\{e_1, e_2, \ldots, e_k\}$ such that (1) $e_j \neq l$, for $1 \le j \le k$; (2) $RPO(e_1), RPO(e_2), \ldots, RPO(e_k)$ form a partition of $RPO(l)$; (3) for every primary output $y_i \in RPO(e_j)$, every path from $l$ to $y_i$ must pass through $e_j$. If $e_j$ is in a dominator set of $l$, we say $e_j$ set-dominates $l$ and $l$ is set-dominated by $e_j$.
Lemma 2 Let $\{e_1, e_2, \ldots, e_k\}$ be a dominator set of line $l$. (a) For every $y_i \in RPO(e_j)$, $f_l^{y_i}(X, z) = f_{e_j}^{y_i}(X, f_l^{e_j}(X, z))$. (b) $E_l(X, z) = \sum_{j=1}^{k} E_{e_j}(X, f_l^{e_j}(X, z))$.
Note that Lemma 2(a) is not true if $e_j$ does not belong to any dominator set of $l$. For example, in Fig. 2, $h$ does not belong to any dominator set of $b$, so $f_b^{y_1}(X, z) = x_1 x_3 z$ does not equal $f_h^{y_1}(X, f_b^{h}(X, z))$, since $f_b^{h}(X, z) = x_1 z$ and $f_h^{y_1}(X, x_1 z) = x_1 x_2 x_3 z$. This is because when we evaluate $f_h^{y_1}$, the function at $o$ is $x_2 x_3$, but it should be $x_3 z$ when we evaluate $f_b^{y_1}$.
Theorem 2 Let $\{e_1, e_2, \ldots, e_k\}$ be a dominator set of line $l$. If $l$ is changeable, then $e_j$ is changeable for $1 \le j \le k$. Proof. If $l$ is changeable, then there exists a solution $r(X)$ such that $E_l(X, r(X)) = 0$. By Lemma 2(b), $\sum_{j=1}^{k} E_{e_j}(X, f_l^{e_j}(X, r(X))) = 0$. Thus, $E_{e_j}(X, f_l^{e_j}(X, r(X))) = 0$ for $1 \le j \le k$, and every $E_{e_j}(X, z) = 0$ has at least one solution, $f_l^{e_j}(X, r(X))$. Hence, $e_j$ is changeable for $1 \le j \le k$. □
By Theorem 2, a line is changeable only if all the lines in its dominator sets are changeable. This property provides a pruning strategy in the search for potential error locations. More specifically, a line cannot be a potential error location if any line in its dominator sets is shown to be not changeable.
By applying Shannon expansion to Lemma 2(b), we obtain
$E_l(X, z) = \sum_{j=1}^{k} \left( \overline{f_l^{e_j}(X, z)}\, E_{e_j}(X, 0) + f_l^{e_j}(X, z)\, E_{e_j}(X, 1) \right)$   (1)
$E_l(X, 0)$ and $E_l(X, 1)$ can then be obtained by substituting $z$ with 0 and 1, respectively. Equation (1) allows an incremental calculation of $E_l(X, 0)$ and $E_l(X, 1)$ from $E_{e_j}(X, 0)$ and $E_{e_j}(X, 1)$. The calculation is carried out backwards from the primary output side to the primary input side. Once $E_{e_j}(X, 0)$ and $E_{e_j}(X, 1)$ are calculated, only $f_l^{e_j}(X, z)$ has to be computed to obtain $E_l(X, z)$. At every primary output $y_i$, the error equation $E_{y_i}(X, z) = z \oplus s_i(X) = 0$ has a solution for $z$, i.e., $s_i(X)$. We can then obtain $E_{y_i}(X, 0) = s_i(X)$ and $E_{y_i}(X, 1) = \overline{s_i(X)}$ as the bases for the incremental calculation.
C. Immediate dominator set
For any line $l$ in the circuit $N$, there may exist more than one dominator set. For our application, we choose to use the immediate dominator set for both the pruning and the equation calculation. The immediate dominator set of $l$ is the dominator set which is closest to $l$. For any line that has no fanout branches, its immediate dominator set has only one element, i.e., the output line of its successor gate. For example, $\{i\}$ is $a$'s immediate dominator set in Fig. 6(a). For any line that has nonreconvergent branches, its immediate dominator set consists of all of its branches.
For example, $\{o_1, o_2\}$ is $o$'s immediate dominator set in Fig. 6(a). For those lines that have reconvergent branches, their immediate dominator set can be found by using the same algorithm as for supergates [21] (footnote 2). For example, in Fig. 6(a), the immediate dominator set of $b$ is $\{i_1, r, s\}$.
The relationship based on the immediate dominator set can be represented by a directed acyclic graph called the I-DAG and denoted by $I$. Each node in $I$ represents a line in $N$ and an edge $(u, v)$ exists if $v$ is in the immediate dominator set of $u$. Line $u$ is in a dominator set of line $v$ if there is a directed path from $v$ to $u$. We say $u$ is a successor of $v$ in the I-DAG and $v$ is a predecessor of $u$ in the I-DAG. Figure 6(b) shows the I-DAG for the circuit in (a).
D. Search algorithm
To search for potential error locations, we first find the subgraph of the I-DAG consisting of all the lines in the suspicious area, denoted by $I_s$. A reversed depth-first search is performed by starting from a sink node in $I_s$. While visiting a node $l$, we first determine whether it is changeable or not; if not, by Theorem 2, the search on $l$'s predecessors in $I_s$ is pruned. The algorithm is listed in Algorithm 1.
The benefit of this branch-and-bound approach is that the pruning condition can reduce the search space size quickly. The search algorithm is very efficient, as shown by the experimental results.
The changeability determination algorithm follows the previous discussion. If $l$ is a primary output, then $l$ is changeable. If any $e_j$ in $l$'s immediate dominator set is not changeable, then neither is $l$. It is possible that the changeability of $e_j$ has not been checked yet at this point because $e_j$ is outside the suspicious area or $l$ is searched before $e_j$ in the depth-first order. In such a case, the subroutine is called recursively to check $e_j$'s changeability. If all $e_j$'s are changeable, $E_l(X, 0)$ and $E_l(X, 1)$ can then be calculated incrementally to determine $l$'s changeability. The algorithm is listed in Algorithm 2.
Example 1 In Fig. 6(a), let the primary input vector be $X = (a, b, c, d, e, f, g, h)$. The specified functions for the three primary outputs $i_1$, $r$ and $s$ are $(ab,\ abcgh,\ bceh(d + f))$. A simple gate replacement error is inserted by changing the AND gate driving $j$ to a NAND gate. The primary output functions derived from the incorrect circuit structure are $(ab,\ a\overline{bc}\,gh,\ (\bar b + \bar c)\,eh(d + f))$. $r$ and $s$ are the erroneous outputs; the intersection of their backtrace cones consists of $\{o, j_1, h, j, b_3, c, b\}$, indicated by the grey nodes in Fig. 6(b). $I_s$ is the subgraph induced by these grey nodes, in which $\{o, j, b\}$ are the three sink nodes. Figure 7 shows the steps of finding potential error locations.
We start by checking $o$. Since $\{o_1, o_2\}$ is $o$'s immediate dominator set, we first check if $o_1$ and $o_2$ are changeable.
Because $o_1$'s immediate dominator set is $\{r\}$, and $r$ is a primary output and thus changeable, we conclude that $o_1$ is changeable after calculating $E_{o_1}(X, 0)$ and $E_{o_1}(X, 1)$, as shown in Fig. 7. A similar procedure shows that $o_2$ is not changeable, which means that $o$ is not changeable. $j_1$ and $h$, the predecessors of $o$, can then be pruned.
Footnote 2: The difference is that all the edges must be reversed in the graph, and the input nodes of a supergate of a node $X$ in the modified graph are then the immediate dominator set of $X$.
Next, another sink node $j$ is checked. Nodes $o_1$ and $s$ are in $j$'s immediate dominator set and they have been shown to be changeable. After calculation, we find that $j$ is changeable and is therefore a potential error location. Because $j$ can be corrected by the gate correction procedure (described in the next section), the program stops.
1 and the entry is a don't care. By the above method, we have to calculate $2^p$ minterm products [18]. Instead of explicitly enumerating all $2^p$ minterms, implicit enumeration can be used to save computation cost. Similar to the minterms, a cube can be assigned by the same argument. Hence, instead of generating the $2^p$ minterms directly, we generate them in depth-first order in a binary tree form as shown in Fig. 9. The gate correction algorithm is described as follows. At each node in the binary tree, two products are calculated, which are the intersections with $E_l(X, 0)$ and with $E_l(X, 1)$, respectively, for the corresponding cube. If a cube does not intersect $E_l(X, 0)$ (or $E_l(X, 1)$), we can assign 0 (or 1) to all the truth table entries corresponding to the cube. Therefore, a cube has to be further divided only if it intersects both. When such a cube is a minterm, it indicates that the correction fails. The algorithm is listed in Algorithm 3.
Example 2 In Example 1, we found that $j$ is a potential error location. Now we show how $j$ can be corrected by gate correction. The NAND gate driving $j$ has two fanins with global functions $b$ and $c$, respectively. In Fig. 7, we have calculated $E_j(X, 0)$ and $E_j(X, 1)$. The binary tree expansion and the value assignment are shown in Fig. 10. Since the truth table entries are 0, 0, 0 and 1, the correct gate type is AND. □
Example 2 shows the following advantages of our approach.
1. By using implicit instead of explicit enumeration, the complexity is reduced from exponential to linear (in the number of gate inputs) if the correct gate function is BUFFER, NOT, AND, OR, NAND or NOR.
2. The two products at each level can be used for incrementally calculating the products at the next level.
B. Line Correction
Line correction is used for correcting a missing gate input and an incorrectly placed gate input. Line correction for a line $l$ follows immediately after gate correction for $l$ fails (see Fig. 1). Based on the calculated solution interval for $l$, line correction for line $l$ searches for any existing line in the circuit with a function falling into that interval. Because there should not be any feedback loop in a correct implementation, the only candidates are those lines not reachable from $l$. A successful candidate with function $h(X)$ must satisfy the following two boundary tests: (1) $E_l(X, 0) \le h(X)$ and (2) $h(X) \le \overline{E_l(X, 1)}$. Line correction checks the candidates one by one until a solution is found. The procedure is listed in Algorithm 4.
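The error equations and changeability test of Section III and the gate and line correction of Sections IV.A and IV.B, worked on explicit truth tables as an added example that is not the paper's ACCORD code. The two netlists, their specifications and the line names are constructed for this illustration, and the suspicious area is scanned line by line instead of through the I-DAG.

```python
# Functions over the N primary inputs are 2**N-bit integers: bit k is the value
# under assignment k, with x_i = bit i of k. Netlists below are constructed here.
N = 3                                   # primary inputs x0, x1, x2
ALL = (1 << (1 << N)) - 1               # the one-function
PI = {f"x{i}": sum(1 << k for k in range(1 << N) if (k >> i) & 1)
      for i in range(N)}                # truth tables of the primary inputs
GATES = {"AND": lambda a, b: a & b, "NAND": lambda a, b: ALL & ~(a & b),
         "OR": lambda a, b: a | b, "XOR": lambda a, b: a ^ b}
# Scenario A: j should be AND(x1, x2); a NAND was placed (gate replacement).
IMPL_A = {"k": ("OR", ["x0", "x1"]), "j": ("NAND", ["x1", "x2"]),
          "y1": ("AND", ["k", "j"]), "y2": ("XOR", ["x0", "j"])}
SPEC_A = {"y1": (PI["x0"] | PI["x1"]) & PI["x1"] & PI["x2"],  # s_1 = (x0+x1) x1 x2
          "y2": PI["x0"] ^ (PI["x1"] & PI["x2"])}              # s_2 = x0 xor x1 x2
# Scenario B: j = AND(x1, x0) is a wrong connection; the needed function x1 x2
# already exists as line m, so line correction can reuse it. Same specification.
IMPL_B = {"k": ("OR", ["x0", "x1"]), "m": ("AND", ["x1", "x2"]),
          "j": ("AND", ["x1", "x0"]), "y1": ("AND", ["k", "j"]),
          "y2": ("XOR", ["x0", "m"])}

def evaluate(impl, override=None):
    """Global function of every line; `override` pins one line to a table,
    which is how f_l^q(X, z) is formed (cut l, drive its fanouts with z)."""
    vals = dict(PI)
    for line, (gate, fanins) in impl.items():  # netlists are topologically ordered
        vals[line] = (override[line] if override and line in override
                      else GATES[gate](*(vals[f] for f in fanins)))
    return vals

def cone(impl, line):
    """Backtrace cone of `line`: the lines that reach it, itself included."""
    seen = {line}
    for f in impl.get(line, ("", []))[1]:
        seen |= cone(impl, f)
    return seen

def error_equation(impl, spec, line):
    """Shannon cofactors (E_l(X,0), E_l(X,1)) of the error equation
    E_l(X,z) = sum over y_i in RPO(l) of f_l^{y_i}(X,z) xor s_i(X)."""
    e0, e1 = 0, 0
    for y in (y for y in spec if line in cone(impl, y)):   # y ranges over RPO(l)
        e0 |= evaluate(impl, {line: 0})[y] ^ spec[y]
        e1 |= evaluate(impl, {line: ALL})[y] ^ spec[y]
    return e0, e1

def is_changeable(e0, e1):
    """Theorem 1(a): a solution z(X) exists iff E_l(X,0) E_l(X,1) = 0."""
    return (e0 & e1) == 0

def in_interval(f, lo, hi):
    """Property 1: f lies in [lo, hi] iff ~f lo + f ~hi = 0."""
    return ((ALL & ~f & lo) | (f & ALL & ~hi)) == 0

def potential_error_locations(impl, spec):
    """Changeable lines of the suspicious area (intersection of the backtrace cones
    of the erroneous outputs), checked one by one here without the I-DAG pruning."""
    vals = evaluate(impl)
    bad = [cone(impl, y) for y in spec if vals[y] != spec[y]]
    area = set.intersection(*bad) - set(PI) if bad else set()  # PIs have no driving gate
    return sorted(l for l in area if is_changeable(*error_equation(impl, spec, l)))

def gate_correction(fanins, e0, e1):
    """Cube assignment of Section IV.A: walk the gate's input space as a binary
    tree; a cube whose X-set misses E_l(X,0) gets 0, one missing E_l(X,1) gets 1,
    only cubes hitting both are split, and a minterm hitting both means failure."""
    out = []                                  # (input-cube prefix, output value)
    def expand(level, cube_x, cube):          # cube_x: the X's matching `cube`
        if (cube_x & e0) == 0:
            out.append((tuple(cube), 0))
        elif (cube_x & e1) == 0:
            out.append((tuple(cube), 1))
        elif level == len(fanins):
            return False                      # no function of these fanins works
        else:
            return (expand(level + 1, cube_x & ALL & ~fanins[level], cube + [0])
                    and expand(level + 1, cube_x & fanins[level], cube + [1]))
        return True
    return out if expand(0, ALL, []) else None

def line_correction(impl, line, e0, e1):
    """Section IV.B: an existing line not reachable from l whose function h
    passes both boundary tests E_l(X,0) <= h and h <= ~E_l(X,1)."""
    vals = evaluate(impl)
    succ = {q for q in vals if line in cone(impl, q)}
    for cand, h in vals.items():
        if cand not in succ and in_interval(h, e0, ALL & ~e1):
            return cand
    return None

def correct(impl, spec):
    """Fig. 1 flow: gate correction first, then line correction, at each
    potential error location; returns (line, method, fix) or None."""
    vals = evaluate(impl)
    for l in potential_error_locations(impl, spec):
        e0, e1 = error_equation(impl, spec, l)
        if (cubes := gate_correction([vals[f] for f in impl[l][1]], e0, e1)) is not None:
            return l, "gate", cubes
        if (src := line_correction(impl, l, e0, e1)) is not None:
            return l, "line", src
    return None
```

`correct(IMPL_A, SPEC_A)` returns the cube assignments (0,)→0, (1,0)→0, (1,1)→1, i.e. the AND truth table 0, 0, 0, 1 of Example 2, while `correct(IMPL_B, SPEC_A)` fails gate correction at j and reports line m as the replacement driver; in both scenarios line k fails the changeability test and is never a candidate.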
C. Screening tests for missing gate input
Note that for missing gate input, we have to introduce a pseudo input as the error location. The following lemma shows that if gate G has a missing gate input, the output of G must be a potential error location, so we suspect a gate has a missing gate input only if its output is proven to be a potential error location.
Lemma 3 If gate $G$ has a missing gate input, then the output of $G$ is a potential error location. Proof. We pretend that $G$ has an extra input $l_x$, as shown in Fig. 11. Let the output of $G$ be $l$. The immediate dominator set of $l_x$ is $\{l\}$. Because $l_x$ is the error location, $l_x$ is changeable and $l_x$ reaches all erroneous outputs. By Theorem 2, $l$ is changeable. Because every path from $l_x$ to a primary output goes through $l$, $l$ reaches all erroneous outputs too, i.e., $l$ is in the suspicious area. Hence, $l$ is a potential error location. □
The changeability of the pseudo input can be determined by the same method stated in Section III, but the test can be further simplified.
Lemma 4 Suppose $G$ is an AND gate with output line $l$, and $l$ is changeable. The pseudo input $l_x$ of $G$ is changeable if and only if $E_l(X, 0) \le f_l(X)$, where $f_l(X)$ is the function evaluated at $l$. The solution interval for $l_x$ is $[E_l(X, 0),\ \overline{f_l(X)} + \overline{E_l(X, 1)}]$.
Proof. $G$ is an AND gate, so $f_{l_x}^{l}(X, z) = z f_l(X)$, as shown in Fig. 11. From Eq. (1),
$E_{l_x}(X, z) = \overline{z f_l(X)}\, E_l(X, 0) + z f_l(X)\, E_l(X, 1)$,
$E_{l_x}(X, 0) = E_l(X, 0)$,
$E_{l_x}(X, 1) = \overline{f_l(X)}\, E_l(X, 0) + f_l(X)\, E_l(X, 1)$,
$E_{l_x}(X, 0)\, E_{l_x}(X, 1) = \overline{f_l(X)}\, E_l(X, 0)$, because $l$ is changeable, i.e., $E_l(X, 0)\, E_l(X, 1) = 0$.
By Theorem 1, $l_x$ is changeable if and only if $\overline{f_l(X)}\, E_l(X, 0) = 0$, which is equivalent to $E_l(X, 0) \le f_l(X)$. The solution interval of $l_x$ is then $[E_{l_x}(X, 0),\ \overline{E_{l_x}(X, 1)}] = [E_l(X, 0),\ \overline{f_l(X)} + \overline{E_l(X, 1)}]$. □
The condition $E_l(X, 0) \le f_l(X)$ in Lemma 4 is called the screening test and can be viewed as follows. The goal is to make the function at the output of $G$ fall in the solution interval $[E_l(X, 0), \overline{E_l(X, 1)}]$. For an AND gate, if one more fanin is added, the new output function is the conjunction of the old output function and the added input function. Thus the function at the gate's output is reduced. If the old output function does not include the lower bound, neither does the new one. Therefore, the changeability test for AND gates checks whether the gate's function includes $E_l(X, 0)$ or not, and screens out those gates that cannot have a missing gate input.
The screening tests and solution intervals for the other gate types are listed in Table 2 . The procedure for input addition is listed in Algorithm 5.
Example 3 Suppose abc + b c is the specified function, and the corresponding circuit is implemented as shown in Fig. 12(a). There are errors in the implementation because the output function of the circuit is ab + b c.
The circuit has only one output, so the entire circuit is in the suspicious area. The I-DAG is shown in Fig. 12(b) . Using the techniques described in Section III, the problem is solved in the following steps.
1. $f$ is a potential error location, but cannot be corrected by gate correction or line correction.
2. We check if $G_3$ has a missing gate input. Fig. 12(c).
V. Experimental Results
We have implemented our diagnosis and correction algorithms in the C language and provided a tool called ACCORD (Automatic Catching and CORrection of Design errors) Table 3. We generated the functional specifications from the given circuit descriptions. For each test circuit, we repeatedly inserted a random simple design error into its gate-level implementation for 100 separate times. Both the error location and error type were chosen randomly. Program ACCORD was applied to diagnose and correct the errors. The error found and corrected was then compared to the inserted error. Based on the results, we classified the errors into three categories, namely, exact, equivalent and redundant. An exact error means the error found is exactly the inserted error; an equivalent error means the error found is not the error inserted but is equivalent to it; a redundant error means the inserted error does not change the function at any primary output and therefore does not need any diagnosis or correction. We list the number of errors in each category in Table 4. It is interesting to note that a large percentage of errors are equivalent errors, because many different realizations exist for the same boolean function.
Table 4 also gives the total CPU time including diagnosis, correction, and garbage collection for BDDs. All results were measured on a SPARC-II workstation. On average, correcting an error took less than 3 minutes of CPU time. The worst case took 33 minutes of CPU time. The high standard deviation is due to different BDD sizes and different search and correction costs for different error locations. Table 5 lists the CPU times for searching for potential error locations, including the calculation of error equations. The average number of lines visited until an error location was found in the depth-first search process is also listed. These numbers reflect the number of times the changeability check has been performed.
In general, the numbers of lines visited are very small compared to the total numbers of lines in the circuits. This demonstrates the effectiveness of our pruning technique. Table 6 lists the average CPU times for the correction procedure. The first two columns give the average and the maximum numbers of potential error locations found during the search. The numbers also show how many times the correction procedure is called. On average, the error location is found at the fourth potential error location during the search, which implies that the potential error locations are a very useful indication of error locations. In the worst case, the number of potential error locations found can be up to 102. The average CPU time for gate correction is only a few seconds. The average CPU time for line correction increases as the circuit size increases, because the search space is directly proportional to the number of lines in the circuit. Figure 13 shows that there is a strong relationship between the CPU time and the shared BDD size. Because our algorithm is based on boolean function manipulation, the execution time increases when the size of the BDD increases.
It is also interesting to know how much time is needed to complete the search and report failure when an incorrect circuit cannot be modeled as a single design error. We measured the data by injecting two random errors into each test circuit 100 times. The average CPU times for the cases that could not be corrected by the single error model are listed in Table 7. It usually took longer than for the cases which can be corrected by the single error model, because every potential error location in the suspicious area has to be checked. But for circuits such as des and C5315, which have 245 and 123 primary outputs, respectively, the injected errors may not reach the same outputs, and the intersection of the backtrace cones of all erroneous outputs may be empty. Therefore, it is very easy to determine that more than one error exists in the circuit.
VI. Conclusions
This paper includes the following main contributions.
1. An efficient and exact search algorithm for correcting a single simple design error is developed. The notion of an immediate dominator set is introduced to effectively reduce the search space.
2. The concept of solution intervals is introduced to perform corrections. Gate correction and line correction procedures are derived. The cube assignment method is designed to generate correct gate functions more efficiently.
3. Experimental results have shown the effectiveness of our approach.
This research is a start for the design correction problem. Future research includes the following open problems.
1. It is possible for a design to have multiple design errors. In order to handle multiple errors, the error equation and the search strategy need modifications.
2. Some large circuits do not have feasible BDD representations. Circuit partitioning is considered as a solution to this problem. In practice, most of the circuits are designed hierarchically with each module having its own input-output specification. When a design is detected to be incorrect, it is best to verify the modules one by one. This not only reduces the size of the circuit, but also reduces the number of errors to be corrected in each verification process. An alternative to this problem is using different verification methods. Several verification methods have been suggested to verify circuits with no reasonable BDD representations [3, 26-28]. However, some of these methods are not exact, but their results are correct with a substantially high probability. It is a challenging problem to incorporate these techniques into our diagnosis and correction algorithms.
