Enhancing quality of assertion generation: methods for automatic assertion generation and evaluation by Hertz, Samuel
© 2013 Samuel L. Hertz
ENHANCING QUALITY OF ASSERTION GENERATION: METHODS
FOR AUTOMATIC ASSERTION GENERATION AND EVALUATION
BY
SAMUEL L. HERTZ
THESIS
Submitted in partial fulﬁllment of the requirements
for the degree of Master of Science in Electrical and Computer Engineering
in the Graduate College of the
University of Illinois at Urbana-Champaign, 2013
Urbana, Illinois
Adviser:
Assistant Professor Shobha Vasudevan
ABSTRACT
We present methods for automatically generating and evaluating register transfer level (RTL) assertions. We detail the GoldMine methodology and each of its data mining algorithms. We introduce the Best-Gain Decision Forest algorithm to mine concise RTL assertions. We develop an assertion ranking methodology. We define assertion importance, complexity, rank and ideality and we detail methods to compute each of them. We present a case study and experimental results to demonstrate the effectiveness of assertion rank. We develop an assertion rank aggregation methodology. We define assertion coverage and expectedness. We aggregate rankings for assertion importance, complexity, coverage and expectedness. We present experimental results to demonstrate the value of these metrics and the rank aggregation methodology. We rigorously analyze the performance of each data mining algorithm in GoldMine. We present experimental results that demonstrate each algorithm's performance with respect to various metrics.
For my family and friends.
ACKNOWLEDGMENTS
I would like to thank my advisor Shobha Vasudevan. Without her encour-
agement, I would not have attended graduate school. Without her vision
and support, GoldMine would not be the amazing tool that it is today. She
always motivated me to elevate my ideas and research.
I would like to thank Dave Sheridan. Dave was very supportive and patient
while I was translating GoldMine from Java to C++. Without Dave, my
inheritance of GoldMine would have been far more diﬃcult.
I would like to thank Viraj Athavale. Viraj’s assertion coverage implemen-
tation greatly strengthened GoldMine and helped inspire assertion ranking.
His insight was invaluable while I developed GoldMine’s Verilog parser and
static analyzer.
Finally, I would like to thank Lingyi Liu. Our countless conversations
regarding research and graduate school proved invaluable. Many of his ideas
have signiﬁcantly improved GoldMine.
TABLE OF CONTENTS
LIST OF FIGURES . . . . . . . . . . . . . . . . . . . . . . . . . . . . vii
LIST OF ABBREVIATIONS . . . . . . . . . . . . . . . . . . . . . . . x
CHAPTER 1 INTRODUCTION . . . . . . . . . . . . . . . . . . . . 1
1.1 Assertion-Based Veriﬁcation . . . . . . . . . . . . . . . . . . . 1
1.2 Automatic Assertion Generation . . . . . . . . . . . . . . . . . 2
1.3 Assertion Evaluation . . . . . . . . . . . . . . . . . . . . . . . 3
1.4 Contributions . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
CHAPTER 2 ASSERTION GENERATION . . . . . . . . . . . . . . 5
2.1 Related Work and Background . . . . . . . . . . . . . . . . . 5
2.2 Methodology . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
2.3 Decision Tree . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
2.4 Best-Gain Decision Forest . . . . . . . . . . . . . . . . . . . . 13
2.5 Coverage Mining . . . . . . . . . . . . . . . . . . . . . . . . . 18
2.6 Prism . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
2.7 Experimental Results . . . . . . . . . . . . . . . . . . . . . . . 20
CHAPTER 3 ASSERTION RANKING . . . . . . . . . . . . . . . . . 28
3.1 Motivation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
3.2 Related Work and Background . . . . . . . . . . . . . . . . . 31
3.3 Methodology . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
3.4 Case Study . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
3.5 Experimental Results . . . . . . . . . . . . . . . . . . . . . . . 49
CHAPTER 4 ASSERTION RANK AGGREGATION . . . . . . . . . 56
4.1 Related Work and Background . . . . . . . . . . . . . . . . . 56
4.2 Methodology . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
4.3 Experimental Results . . . . . . . . . . . . . . . . . . . . . . . 64
CHAPTER 5 EFFECTIVENESS OF DATA MINING ALGORITHMS 73
CHAPTER 6 CONCLUSION . . . . . . . . . . . . . . . . . . . . . . 79
CHAPTER 7 RESOURCES . . . . . . . . . . . . . . . . . . . . . . . 80
7.1 Obtaining GoldMine . . . . . . . . . . . . . . . . . . . . . . . 80
7.2 Executing GoldMine . . . . . . . . . . . . . . . . . . . . . . . 80
REFERENCES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
LIST OF FIGURES
2.1 The GoldMine methodology. . . . . . . . . . . . . . . . . . . . 9
2.2 An and gate. . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
2.3 A decision tree for the Verilog in ﬁgure 2.2. Each node is
pictured with the data it represents and is labeled with its
mean and entropy. Each branch is labeled with the feature
variable and value used to partition the data represented
by its parent. . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
2.4 A decision forest for the Verilog in ﬁgure 2.2. Each node
is labeled with its mean and entropy. Each branch is la-
beled with the feature variable and value used to partition
the data represented by its parent. The BGDF algorithm
selects both a and b to partition the root node’s data since
they do so equally well. . . . . . . . . . . . . . . . . . . . . . . 16
2.5 An example of the prism algorithm for the Verilog in ﬁgure
2.2. Each node is labeled with its mean and entropy. Each
branch is labeled with the feature variable and value used
to partition the data represented by its parent. . . . . . . . . 19
2.6 The size of modules usbf_pe, pci_master32_sm and or1200_ctrl 20
2.7 The number of assertions generated by each data mining
algorithm. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
2.8 The average antecedent size of generated assertions for
each data mining algorithm. . . . . . . . . . . . . . . . . . . . 22
2.9 The average temporal length of generated assertions for
each data mining algorithm. . . . . . . . . . . . . . . . . . . . 23
2.10 The average input space coverage of generated assertions
for each data mining algorithm. . . . . . . . . . . . . . . . . . 24
2.11 The hit rate of generated assertions for each data mining
algorithm. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
2.12 The run time of each data mining algorithm. . . . . . . . . . . 26
2.13 The memory use of data mining algorithm. . . . . . . . . . . . 27
3.1 A 2-port arbiter. . . . . . . . . . . . . . . . . . . . . . . . . . 30
3.2 An example of PageRank. . . . . . . . . . . . . . . . . . . . . 31
3.3 The global dependency graph for the 2-port arbiter. Each
node’s Ig value denotes its global importance score. . . . . . . 44
3.4 The relative dependency graph for gnt1. Each node’s Ir
and Cr values denote its relative importance and complex-
ity scores. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
3.5 An implementation of the PCI bridge master state machine. . 47
3.6 The positional rank and positional rank percentile of each
output based upon the output’s global importance score. . . . 50
3.7 Assertion complexity as a function of importance. . . . . . . . 51
3.8 The average antecedent size of assertions in the 99th, 95th,
90th, 75th and 50th importance, complexity and rank per-
centiles. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
3.9 The average temporal length of assertions in the 99th,
95th, 90th, 75th and 50th importance, complexity and
rank percentiles. . . . . . . . . . . . . . . . . . . . . . . . . . 53
3.10 The average importance score of assertions in the 99th,
95th, 90th, 75th and 50th rank percentile. . . . . . . . . . . . 54
3.11 The average complexity score of assertions in the 99th,
95th, 90th, 75th and 50th rank percentile. . . . . . . . . . . . 54
3.12 The ideality score of the lowest, middle, and highest ranked
true assertions for each target variable. . . . . . . . . . . . . . 55
4.1 An example of the Kuhn-Munkres algorithm. The left
bipartite graph uses each W(p, r) value to define all rank
aggregations. The right bipartite graph uses an optimal
set of W(p, r) values to define a = [p1 p0 p2]. . . . . . . . 63
4.2 Assertion complexity as a function of importance. . . . . . . . 64
4.3 Assertion coverage as a function of importance. . . . . . . . . 65
4.4 Assertion coverage as a function of complexity. . . . . . . . . . 65
4.5 Assertion expectedness as a function of importance. . . . . . . 66
4.6 Assertion expectedness as a function of complexity. . . . . . . 66
4.7 Assertion expectedness as a function of coverage. . . . . . . . 67
4.8 Kendall tau distance between a ranking for assertion rank
and a rank aggregation for assertion importance and complexity. 67
4.9 The average importance of assertions in the 99th, 95th,
90th, 75th and 50th importance, complexity, coverage, ex-
pectedness and rank aggregation percentiles. . . . . . . . . . . 68
4.10 The average complexity of assertions in the 99th, 95th,
90th, 75th and 50th importance, complexity, coverage, ex-
pectedness and rank aggregation percentiles. . . . . . . . . . . 69
4.11 The average coverage of assertions in the 99th, 95th, 90th,
75th and 50th importance, complexity, coverage, expect-
edness and rank aggregation percentiles. . . . . . . . . . . . . 70
4.12 The average expectedness of assertions in the 99th, 95th,
90th, 75th and 50th importance, complexity, coverage, ex-
pectedness and rank aggregation percentiles. . . . . . . . . . . 71
5.1 The average normalized importance of 25% highest ranked
assertions that passed formal veriﬁcation for each data
mining algorithm. . . . . . . . . . . . . . . . . . . . . . . . . . 74
5.2 The average normalized complexity of 25% highest ranked
assertions that passed formal veriﬁcation for each data
mining algorithm. . . . . . . . . . . . . . . . . . . . . . . . . . 75
5.3 The average normalized ideality of 25% highest ranked as-
sertions that passed formal veriﬁcation for each data min-
ing algorithm. . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
5.4 The average normalized coverage of 25% highest ranked
assertions that passed formal veriﬁcation for each data
mining algorithm. . . . . . . . . . . . . . . . . . . . . . . . . . 77
5.5 The average normalized expectedness of 25% highest ranked
assertions that passed formal veriﬁcation for each data
mining algorithm. . . . . . . . . . . . . . . . . . . . . . . . . . 78
LIST OF ABBREVIATIONS
ABV Assertion-Based Veriﬁcation
BGDF Best-Gain Decision Forest
CPU Central Processing Unit
HDL Hardware Description Language
IFV Incisive Formal Veriﬁer
LTL Linear Temporal Logic
PCI Peripheral Component Interconnect
RTL Register Transfer Level
USB Universal Serial Bus
VCD Value Change Dump
VCS Verilog Compiler Simulator
VHDL Verilog Hardware Description Language
CHAPTER 1
INTRODUCTION
1.1 Assertion-Based Veriﬁcation
Digital systems continue to revolutionize the world. However, most take for
granted the amount of eﬀort required to verify these systems. Pre-silicon
veriﬁcation constitutes well over 50% of the eﬀort required to design modern
chips [1]. Therefore, veriﬁcation is the primary bottleneck in digital system
design. Since the complexity of digital systems is perpetually increasing,
veriﬁcation will continue to pose new challenges.
Pre-silicon veriﬁcation validates the correctness of a design’s implementa-
tion with respect to its speciﬁcation before the design is fabricated. Typically,
the design is speciﬁed at the register-transfer level (RTL) using a hardware
description language (HDL). Hardware description languages are a class of
programming language that enable automated simulation and analysis of dig-
ital systems. Popular HDLs include VHDL [2], Verilog [3] and SystemVerilog
[4].
Pre-silicon veriﬁcation uses many methods to verify a design’s correctness.
Popular functional validation methods include simulation and formal veri-
ﬁcation. Simulation uses a test bench to apply input vectors to an RTL
design and veriﬁes the correctness of output values. Directed test benches
apply a predetermined set of input vectors to target speciﬁc design behavior.
In contrast, random test benches apply random input vectors to maximize
behavioral coverage. Simulation is computationally eﬃcient, but inherently
incomplete since it cannot exercise the design’s entire behavior. Typically,
veriﬁcation engineers use coverage metrics to estimate the completeness of a
simulation.
Formal verification uses mathematical methods to verify a design's correctness. Equivalence checking formally verifies whether or not two implementations of a design are functionally equivalent. Model checking formally verifies whether or not a design satisfies a specification. Consequently, formal verification is a complete, but computationally inefficient solution.
Assertions or invariants [5] specify the desirable or required properties the design should satisfy. Assertion-based verification (ABV) [6, 7] uses assertions in both simulation and formal verification. Simulation reports violations of an assertion during the execution of a test bench. Formal verification statically analyzes the design's state space and reports conditions that can violate an assertion. Assertion-based verification is among the most popular verification methodologies [8].
1.2 Automatic Assertion Generation
Although assertion-based veriﬁcation is an eﬀective veriﬁcation methodology,
generating high-quality assertions is non-trivial. Veriﬁcation engineers spend
a considerable amount of time manually generating concise, high-coverage
assertions. Recently, various works have proposed methodologies to auto-
matically generate RTL assertions [9, 10, 11, 12, 13, 14, 15, 16, 17, 18]. The
generated assertions can expose subtle bugs in the design or guide the de-
sign’s evolution.
Many of these methodologies use data mining algorithms to mine asser-
tions from RTL simulation traces. Data mining is the process of discovering
interesting patterns and knowledge from large amounts of data [19]. As-
sertion generation methods use data mining algorithms to induce a set of
predictive rules from a dataset. These rules use a set of feature variables to
predict the value of a target variable. Assertion generation methods form
assertions from the induced rules.
GoldMine [20] is a unique assertion generation method since it uses static
and formal analysis in addition to data mining. GoldMine uses static analysis
to guide the data mining engine. Since it generates assertions based on a
subset of the design’s behavior, GoldMine uses formal analysis to verify the
generated assertions. In this thesis, we provide an overview of the GoldMine
methodology and detail each of its data mining algorithms. We also analyze
each algorithm’s performance.
1.3 Assertion Evaluation
Veriﬁcation is only as good as the properties we wish to verify. As such,
writing quality assertions is tantamount to writing clear speciﬁcations, which
is a problem as old as the veriﬁcation problem itself. Classic veriﬁcation
literature has long discussed and debated questions regarding the quality
of a speciﬁcation, the information contained in a property, or the behavior
covered by a property [21].
In this thesis, we present methods to evaluate the quality of RTL asser-
tions. These methods are primarily motivated by the emergence of automatic
assertion generation. Automatic assertion generation methods frequently
produce a large number of assertions with non-uniform quality. These as-
sertions might cover unimportant behavior or be incomprehensible. Also, a
large number of assertions can discourage designers from parsing them. An
assertion ranking method based on qualitative parameters that human beings
value will greatly ease the use of automatic assertion generation technology.
In chapter 3, we present an assertion ranking methodology that considers
two parameters — assertion importance and complexity. In short, assertion
importance and complexity estimate the importance and understandability
of the behavior conveyed by an assertion respectively. We demonstrate the
eﬀectiveness of the assertion rank methodology using a detailed case study
and experimental results.
In chapter 4 we present an assertion rank aggregation methodology that
considers an arbitrary number of parameters. Rank aggregation algorithms
combine ranking results from various sources to generate an optimal ranking
[22, 23]. We use the rank aggregation methodology to aggregate rankings for
assertion importance, complexity, coverage and expectedness. We demon-
strate the eﬀectiveness of the assertion rank aggregation methodology using
experimental results.
1.4 Contributions
We contribute the following in this thesis.
• We detail the GoldMine methodology and each of its data mining algorithms. We introduce the Best-Gain Decision Forest algorithm to mine concise RTL assertions.
• We develop an assertion ranking methodology. We deﬁne assertion
importance, complexity, rank and ideality and we detail methods to
compute each of them. We present a case study and experimental
results to demonstrate the eﬀectiveness of assertion rank.
• We develop an assertion rank aggregation methodology. We deﬁne as-
sertion coverage and expectedness. We aggregate rankings for assertion
importance, complexity, coverage and expectedness. We present exper-
imental results to demonstrate the value of these metrics and the rank
aggregation methodology.
• We rigorously analyze the performance of each data mining algorithm
in GoldMine. We present experimental results that demonstrate each
algorithm’s performance with respect to various metrics.
CHAPTER 2
ASSERTION GENERATION
In this chapter, we detail the GoldMine methodology and its data mining
algorithms.
2.1 Related Work and Background
An assertion $p$ is a linear temporal logic (LTL) [24] formula of the form $G(A \Rightarrow X^{k} C)$, where the antecedent $A$ can be propositional or temporal and the consequent $C$ is a single proposition. A proposition in this formula is a (variable, value) pair. A propositional logic formula can have a conjunction, disjunction or negation.
Consider a Verilog design with variables $V$; we refer to it as the target design. Let $v_t \in V$ denote the target variable. The target variable is the variable for which we would like to generate assertions. A feature variable is a variable in $V$ used to predict the value of $v_t$. Let $t$ denote the temporal window length. The temporal window length denotes the maximum number of cycles for which generated assertions can capture temporal behavior.
We generate temporal assertions by unrolling the target design for $t$ temporal frames. Unrolling the design duplicates $V$ in each temporal frame. Let temporal variable $v^{k} \in V$ with temporal index $k$ denote $v$ at $k$ temporal frames relative to the current frame.
We define a simulation $S$ of the target design as follows. Let $B = \{0, 1\}$ denote the Boolean number set. Let $S$ be a set of Boolean vectors and let $s \in S$ be a Boolean vector in $B^{t|V|}$ that assigns a Boolean value to each $v \in V$. Let $s(v)$ denote the value of variable $v$ in $s$.
2.1.1 Automatic Assertion Generation
Work in deductive program veriﬁcation [25, 26, 27] has studied assertion
generation through static analysis of source code since the seventies. Work
in software uses static analysis techniques to generate assertions for assist-
ing program veriﬁcation [28, 29]. Additional work in software uses dynamic
analysis [30, 31, 11] to generate assertions.
Previous work [9, 32, 33] has used static analysis to generate hardware
assertions. IODINE [10] generates low-level dynamic assertions for hardware
designs, but it does not use data mining. Instead, IODINE analyzes dynamic
program behavior with respect to standard property templates such as one-
hot encoding or mutex. The methodology in [12] uses dynamic simulation
trace data to generate assertions, but it does not use data mining. Instead,
the methodology tries to generalize design behavior based on simulation data.
Inferno [34] uses simulation data to extract the semantic protocol from
a communication interface RTL design. Inferno infers a set of transaction
diagrams which it uses to generate a set of assertions. Since Inferno only gen-
erates transactional assertions, it might not generate meaningful assertions
for designs that have high temporal depth. Consequently, Inferno assertions
might complicate the search for bugs in such designs. In addition, Inferno is
limited to designs that implement a communication protocol, which consti-
tute a small subset of hardware.
In [13], the authors use sequential pattern mining to infer causal relation-
ships between frequently occurring sequences of input and output events.
Since their methodology only seeks relationships between inputs and outputs,
it might not generate meaningful assertions for designs with high temporal
depth. In addition, since their methodology enumerates each unique input
and output event, it might not scale for large designs.
In [35], the authors use symbolic simulation to extract assertions from
test bench constraints. The authors use the generated assertions to optimize
the design under test. Since their methodology extracts assertions from a
constrained test bench, the assertions might reﬂect a bug in the test bench or
overlook untested behavior. In addition, the generated assertions might have
limited value since their methodology extracts them using simple templates
and veriﬁes them using bounded formal veriﬁcation.
Several commercial methodologies including NextOp’s BugScope [15] and
Jasper’s ActiveProp [18] generate hardware assertions.
2.1.2 Data Mining
Overview
Data mining is the process of discovering interesting patterns and knowledge
from large amounts of data [19]. Data mining encompasses a large set of
techniques and algorithms. In this chapter, we are most interested in rule
induction algorithms. Rule induction algorithms induce a set of predictive
rules from a dataset. Typically, these rules are of the form $A \Rightarrow C$. Here, $A$ is a conjunction of propositions that assign concrete values to feature variables and $C$ is a proposition that assigns a value to the target variable. Consequently, rule induction algorithms are ideal for assertion generation.
Data mining usually attempts to functionalize data that is diﬃcult to de-
scribe using a mathematical model. For example, we might use data mining
to derive a weather prediction model. In such cases, we would expect and tol-
erate error in the model. However, we can describe Verilog using well-deﬁned
mathematical models. As a result, we cannot tolerate error in generated assertions. Therefore, GoldMine will generate an assertion only if it has 100% confidence. The confidence of assertion $p = A \Rightarrow C$ is the fraction of $S$ that satisfies $p$ when $A$ is satisfied.
Entropy and Information Gain
Entropy measures the uncertainty in a random variable and was first proposed by Shannon in [36]. Entropy originated in information theory, but rule induction algorithms use it to measure the uncertainty of the value of $v_t$ in a dataset. Formally, let $v \in V$ denote a variable, let $S_{v=b} = \{s \in S \mid s(v) = b\}$ denote the subset of $S$ where $v = b$ and let $p_b(S, v) = |S_{v=b}| / |S|$ denote the fraction of $S$ in which $v = b$. We compute the entropy $H(S)$ of $v_t$ in $S$ as follows:
$$H(S) = -p_0(S, v_t)\log_2(p_0(S, v_t)) - p_1(S, v_t)\log_2(p_1(S, v_t)) \quad (2.1)$$
If $H(S) = 0$, then the value of $v_t$ does not change in $S$. In such cases, rule induction algorithms will induce a rule. Otherwise, they will use information gain as an optimization criterion to reduce $H(S)$. Information gain measures the entropy reduction between $S$ and partitions of $S$ in which a feature variable is assigned concrete values. We compute the information gain $G(S, v)$ between $S$ and partitions $S_{v=0}$ and $S_{v=1}$ of $S$ as follows:
$$G(S, v) = H(S) - p_0(S, v)H(S_{v=0}) - p_1(S, v)H(S_{v=1}) \quad (2.2)$$
We compute the information gain $G(S, v, b)$ between $S$ and partition $S_{v=b}$ of $S$ with respect to a concrete assignment to $v_t$ as follows:
$$G(S, v, b) = \frac{p(S_{v=b}, v_t)}{p(S, v_t)} \quad (2.3)$$
Rule Induction Methods
Decision tree algorithms [37, 38] are ideal for assertion generation because
they are simple, scalable, and represent the data in a compact and intuitive
way [19]. Decision tree algorithms perform a greedy search to quickly identify
local regions in the data space. These algorithms recursively partition the
dataset by assigning values to feature variables until the value of the target
variable is consistent. Decision tree algorithms use decision trees to represent
the dataset. A decision tree is a multary tree that consists of branch and leaf
nodes. Each node represents a subset of the data and each edge partitions
the data represented by its incident parent node.
Branch nodes represent a subset of the data in which the target variable
is assigned multiple values. Consequently, decision tree algorithms cannot
induce a rule from a branch node. Therefore, they partition the node’s
dataset by assigning concrete values to the feature variable with the greatest
information gain. They assign each partition to a child node. Leaf nodes
represent a subset of the data in which the target variable is assigned only
one value. Consequently, decision tree algorithms induce a rule by walking
from the root of the tree to a leaf. Each edge in the walked path deﬁnes a
proposition in the rule’s antecedent and the leaf node deﬁnes its consequent.
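The following Python program is an added worked example, not GoldMine code, that carries the definitions of this section through on constructed simulation data for a two-input and gate: it computes $H(S)$ (2.1) and $G(S, v)$ (2.2) over rows of (variable, value) assignments and then induces rules by recursively partitioning the rows on the feature variable with the greatest information gain until the target variable is consistent, which is the decision tree walk described above. The rows, the variable names and the `to_sva` output format are assumptions made for the example.

```python
import math

# Constructed simulation data (assumption: an exhaustive simulation of a
# two-input and gate, f = a & b, invented for this example).
TRACE = [
    {"a": 0, "b": 0, "f": 0},
    {"a": 0, "b": 1, "f": 0},
    {"a": 1, "b": 0, "f": 0},
    {"a": 1, "b": 1, "f": 1},
]


def fraction(rows, var, value):
    """p_b(S, v): the fraction of S in which v == value."""
    return sum(1 for r in rows if r[var] == value) / len(rows)


def entropy(rows, target):
    """H(S) of the target variable, equation (2.1)."""
    h = 0.0
    for value in (0, 1):
        p = fraction(rows, target, value)
        if p > 0:                       # 0 * log2(0) is taken as 0
            h -= p * math.log2(p)
    return h


def gain(rows, feature, target):
    """G(S, v): entropy reduction from partitioning S on v, equation (2.2)."""
    g = entropy(rows, target)
    for value in (0, 1):
        part = [r for r in rows if r[feature] == value]
        if part:
            g -= fraction(rows, feature, value) * entropy(part, target)
    return g


def induce_rules(rows, features, target, antecedent=None):
    """Decision tree rule induction. Returns (antecedent, consequent) pairs;
    the antecedent is the set of (feature, value) propositions on the path
    from the root to a leaf, the consequent the leaf's constant target value."""
    antecedent = antecedent or {}
    if not rows:
        return []
    if entropy(rows, target) == 0:      # leaf: the target value is consistent
        return [(antecedent, rows[0][target])]
    if not features:                    # inconsistent rows, nothing to split on
        return []
    # Branch node: split on the feature with the greatest information gain
    # (ties go to the first feature in the list).
    best = max(features, key=lambda v: gain(rows, v, target))
    rest = [v for v in features if v != best]
    rules = []
    for value in (0, 1):
        part = [r for r in rows if r[best] == value]
        rules += induce_rules(part, rest, target, {**antecedent, best: value})
    return rules


def to_sva(rule, target):
    """Render a rule in the '~a & b |-> f' style used in the figures."""
    antecedent, value = rule
    literals = [(v if b else "~" + v) for v, b in antecedent.items()]
    return " & ".join(literals) + " |-> " + (target if value else "~" + target)


if __name__ == "__main__":
    print("H(S) =", round(entropy(TRACE, "f"), 3))
    for rule in induce_rules(TRACE, ["a", "b"], "f"):
        print(to_sva(rule, "f"))
```

Because a leaf is created only when the entropy of the target is zero, every induced rule has 100% confidence on the rows it was mined from; when the remaining rows are inconsistent and no feature variables are left, the walk ends without a rule rather than emitting one with lower confidence.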
Decision tree algorithms can introduce irrelevant propositions into a set of rules since they partition the dataset hierarchically. Previous work has proposed methods to overcome this limitation. In [39, 40], the authors propose an algorithm that constructs multiple decision trees, or a decision forest, using random data subspaces. In [41], the authors propose a methodology to efficiently construct a decision forest by sharing nodes between decision trees. These methodologies construct decision forests to avoid overfitting the dataset. However, neither of these methodologies addresses how to induce rules from a decision forest.
In [42], the author presents the prism algorithm to mine concise rules. The
prism algorithm is similar to the tree based algorithms, but induces one rule
at a time for a (target variable, value) pair. Unlike the tree based algorithms,
the prism algorithm does not select feature variables based on their ability
to partition the dataset. Instead, the algorithm selects the (feature variable,
value) pair that reduces the dataset’s entropy most. Therefore, the prism
algorithm recognizes that not all values of a feature variable are relevant to
the target variable. Consequently, the algorithm does not introduce irrelevant
propositions into a set of assertions.
2.2 Methodology
[Figure 2.1 block diagram; components: RTL, Static Analyzer, Data Generator, Data Miner, Formal Verifier, Assertion Evaluator, Assertions]
Figure 2.1: The GoldMine methodology.
In this section, we detail the GoldMine methodology. Figure 2.1 depicts each
component of the methodology.
2.2.1 Static Analyzer
The static analyzer parses and extracts various static information from a Verilog [3] design. First, the static analyzer determines basic design information to make GoldMine more usable. This includes discerning the top module in the design hierarchy, speculating which input variables are clocks and resets and selecting a set of target variables.
Next, the static analyzer selects a set of feature variables for the target
variable. Originally, the static analyzer used the classic cone of inﬂuence for
this purpose. The classic cone of inﬂuence [43] uses the design’s dependency
graph to transitively compute which variables can aﬀect another variable’s
value. Model checking algorithms use this information to prune the design’s
state space. However, we used the classic cone of inﬂuence to avoid selecting
feature variables that cannot aﬀect the target variable’s value.
Currently, the static analyzer uses the bounded cone of inﬂuence to select
feature variables. The bounded cone of inﬂuence extends the classic cone
of inﬂuence. Instead of computing all of a variable’s dependencies, it com-
putes only those within a bounded number of temporal frames. Because we
generate assertions with a bounded temporal length, the bounded cone of
inﬂuence selects a set of feature variables superior to that of the classic cone
of inﬂuence.
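As an added illustration, not the static analyzer's own code, the following Python function computes both cones of influence over a small constructed dependency graph. Each edge carries the number of register stages it crosses, so the classic cone follows every edge regardless of delay while the bounded cone keeps only the variables reachable within the temporal window. The graph, the variable names and the window-to-delay convention (a window of $t$ frames admits at most $t - 1$ register stages on a path) are assumptions made for this example.

```python
from collections import deque

# Constructed dependency graph (assumption: invented for this example, not a
# GoldMine data structure). Each variable maps to the (source, delay) pairs
# it reads: delay 0 is a combinational assignment, delay 1 a register that
# takes the source's value at the next clock edge.
DEPS = {
    "gnt": [("req", 0), ("state", 0)],
    "state": [("state", 1), ("req", 1)],
    "req": [("req_in", 1)],
    "req_in": [("ext", 1)],
    "ext": [],
    "cnt": [("cnt", 1), ("state", 1)],   # nothing in gnt's cone reads cnt
}


def cone_of_influence(deps, target, max_delay=None):
    """Map every variable that can affect `target` to the minimal number of
    register stages on some path from it to the target.
    max_delay=None: classic cone of influence (all transitive dependencies).
    max_delay=d: bounded cone of influence, only paths with at most d
    register stages, i.e. within d + 1 temporal frames.
    The target itself is excluded from the result."""
    best = {target: 0}
    work = deque([target])
    while work:
        v = work.popleft()
        for src, delay in deps.get(v, []):
            d = best[v] + delay
            if max_delay is not None and d > max_delay:
                continue            # reachable, but outside the window
            if src not in best or d < best[src]:
                best[src] = d       # shorter path found, revisit its sources
                work.append(src)
    del best[target]
    return best


def feature_variables(deps, target, window):
    """Feature variables for a temporal window of `window` frames, using the
    bounded cone of influence."""
    return sorted(cone_of_influence(deps, target, max_delay=window - 1))


if __name__ == "__main__":
    print("classic:", cone_of_influence(DEPS, "gnt"))
    for t in (1, 2, 3):
        print(f"window {t}:", feature_variables(DEPS, "gnt", t))
```

With this graph the classic cone pulls in `ext`, which can only reach `gnt` through two register stages; with a window of two frames the bounded cone drops it, so the data miner never considers a feature variable whose effect the generated assertions could not express.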
Other components of GoldMine rely on the static analyzer to accomplish
their tasks. The data generator uses information from the static analyzer to
generate a test bench for the design and parse simulation data. The data
miner uses the static analyzer to select a minimal set of feature variables for
the target variable. Finally, the assertion evaluator uses the static analyzer
to compute an assertion’s importance, complexity and coverage (see chapter
3).
2.2.2 Data Generator
The data generator generates and parses simulation data. The data generator
creates an unconstrained random test bench for the design if a directed or
constrained random test bench is unavailable. The unconstrained random
test bench assigns random values to each input variable for 10000 cycles of
simulation. The data generator uses the created (supplied) test bench to
simulate the design.
The data generator also parses value change dump (VCD) simulation data.
First, the data generator parses the entire simulation. Next, it summarizes
the data by retaining only that which coincides with the clock edge. Finally,
the data generator unrolls the data into temporal frames of length t and
compresses it by discarding duplicate frames. The data miner relies on this
process to simplify its task.
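The following Python code is an added example of the data generator's three steps, written for this text rather than taken from GoldMine: it parses a small constructed VCD for a two-input and gate, keeps the values that coincide with each rising clock edge, and unrolls the samples into temporal frames of length $t$ while discarding duplicate frames. The VCD contents, the naming `v[-k]` for the value of `v` $k$ frames before the current one, and the choice to sample after all value changes at a timestamp have been applied are assumptions.

```python
# Constructed VCD excerpt (assumption: this waveform was invented for the
# example and is not GoldMine output). Identifier codes '!', '"', '#' and
# '$' stand for clk, a, b and f; f = a & b.
VCD = """\
$timescale 1ns $end
$scope module and_ $end
$var wire 1 ! clk $end
$var wire 1 " a $end
$var wire 1 # b $end
$var wire 1 $ f $end
$upscope $end
$enddefinitions $end
#0
0!
0"
0#
0$
#5
1!
#10
0!
1"
#15
1!
#20
0!
1#
1$
#25
1!
#30
0!
0"
0$
#35
1!
#40
0!
#45
1!
#50
0!
#55
1!
"""


def parse_vcd(text):
    """Parse a minimal VCD. Returns (names, events): events is a list of
    (time, {name: value}) with one entry per '#' timestamp."""
    ids, events, cur = {}, [], None

    def change(ident, value):
        nonlocal cur
        if cur is None:                     # changes before the first '#'
            cur = {}
            events.append((0, cur))
        cur[ids[ident]] = value

    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("$var"):         # $var <type> <width> <id> <name> $end
            parts = line.split()
            ids[parts[3]] = parts[4]
        elif line.startswith("$"):          # other header keywords
            continue
        elif line.startswith("#"):          # new timestamp
            cur = {}
            events.append((int(line[1:]), cur))
        elif line[0] in "01xz":             # scalar change, e.g. "1!"
            change(line[1:], line[0])
        elif line[0] == "b":                # vector change, "b1010 <id>"
            value, ident = line[1:].split()
            change(ident, value)
    return list(ids.values()), events


def sample_at_posedge(names, events, clk="clk"):
    """Keep one sample per rising clock edge: the values of every variable
    other than the clock once all changes at that timestamp are applied."""
    state = {n: "x" for n in names}
    samples = []
    for _, changes in events:
        before = state[clk]
        state.update(changes)
        if before == "0" and state[clk] == "1":
            samples.append({n: v for n, v in state.items() if n != clk})
    return samples


def unroll(samples, t):
    """Unroll the cycle samples into temporal frames of length t. The value
    of v k frames before the current one is named 'v[-k]'. Duplicate frames
    are discarded, which is what shrinks the data miner's input."""
    frames, seen = [], set()
    for i in range(t - 1, len(samples)):
        frame = {}
        for k in range(t):
            for n, v in samples[i - k].items():
                frame[f"{n}[{-k}]"] = v
        key = tuple(sorted(frame.items()))
        if key not in seen:
            seen.add(key)
            frames.append(frame)
    return frames


if __name__ == "__main__":
    names, events = parse_vcd(VCD)
    samples = sample_at_posedge(names, events)
    for frame in unroll(samples, 2):
        print(frame)
```

The waveform ends with three consecutive cycles in the same state, so the raw unrolling with $t = 2$ produces five frames but only four survive the duplicate check; on a 10000-cycle random simulation of a small design this compression is typically far larger.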
2.2.3 Data Miner
The data miner searches for causal relationships between feature variables
and the target variable in the simulation data. If the data miner ﬁnds a
relationship with 100% conﬁdence, then it will generate an assertion. Any
suitable rule induction algorithm can mine a set of assertions from the sim-
ulation data. In sections 2.3, 2.4, 2.5 and 2.6, we discuss the algorithms
GoldMine uses to generate assertions.
2.2.4 Formal Veriﬁer
The data miner generates assertions based on a subset of the design’s func-
tionality. Consequently, we cannot guarantee that generated assertions are
true system invariants. Therefore, the formal veriﬁer uses Cadence Incisive
Formal Veriﬁer (IFV) [44] to verify the generated assertions. The formal
veriﬁer generates code that checks the generated assertions at each clock
edge. The generated code also constrains the design’s reset signal to prevent
IFV from generating trivial counterexamples. The formal veriﬁer reports
assertions that pass formal veriﬁcation as true system invariants. If an as-
sertion fails formal veriﬁcation, then the data miner can use the assertion’s
counterexample to reﬁne it. This technique is detailed in [45].
2.2.5 Assertion Evaluator
GoldMine attempts to automate a traditionally manual process. Conse-
quently, the assertion evaluator evaluates GoldMine’s performance and the
quality of the generated assertions. Originally, the assertion evaluator used
a superﬁcial set of metrics to evaluate an assertion’s quality. These metrics
include antecedent size, temporal length, input space coverage and hit rate.
Antecedent size refers to the number of propositions in an assertion’s an-
tecedent. Temporal length refers to the number of temporal frames spanned
by an assertion’s antecedents. The assertion evaluator reports the average
antecedent size and temporal length for a set of generated assertions to esti-
mate their readability.
Input space coverage estimates the functional coverage of an assertion.
Suppose we create a truth table that computes the target variable's value
as a function of the feature variables. The input space coverage of assertion
$p = A \Rightarrow C$ is equal to the fraction of entries in the table that satisfy
$A$. Since $A$ is a conjunction of $|A|$ Boolean propositions, the input space
coverage of $p$ is $1/2^{|A|}$. Intuitively, an assertion with fewer propositions
in its antecedent covers a greater fraction of the input space. Though computing
an assertion's input space coverage is trivial, doing so for an entire set of
assertions is not, since the entries covered by two assertions need not be
mutually exclusive: the coverage of a set is the fraction of entries that
satisfy at least one antecedent, not the sum of the individual coverages.
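As an added illustration, not part of the thesis or of GoldMine, the following Python computes the input space coverage of one assertion with the $1/2^{|A|}$ formula and of a set of assertions exactly, by inclusion-exclusion over the antecedents, so that overlapping assertions are counted once. Antecedents are assumed to be conjunctions of propositions over Boolean feature variables and are represented as dicts; the sample antecedents are constructed for the example, and a brute-force enumeration of the truth table is included as a cross-check.

```python
"""Input space coverage of one assertion and of a set of assertions.
Added example; not GoldMine's code. An antecedent is a dict {var: 0/1}
of conjunctive propositions over the feature variables of a truth table."""
from itertools import combinations, product


def single_coverage(antecedent):
    """Fraction of truth-table entries satisfying a conjunctive antecedent: 1 / 2^|A|."""
    return 1.0 / (2 ** len(antecedent))


def _joint(antecedents):
    """Merge conjunctive antecedents; None if two of them contradict each other."""
    merged = {}
    for ant in antecedents:
        for var, val in ant.items():
            if merged.setdefault(var, val) != val:
                return None
    return merged


def set_coverage(antecedents, n_features):
    """Fraction of the 2^n truth table satisfied by at least one antecedent,
    by inclusion-exclusion over the assertions. The k-fold intersection of
    conjunctive antecedents is itself a conjunction, so it covers
    2^(n - |joint|) entries, or none when two propositions contradict."""
    total = 0
    for k in range(1, len(antecedents) + 1):
        for group in combinations(antecedents, k):
            joint = _joint(group)
            if joint is None:
                continue  # contradictory propositions: no entry satisfies all of them
            total += (-1) ** (k + 1) * 2 ** (n_features - len(joint))
    return total / 2 ** n_features


def set_coverage_brute(antecedents, features):
    """Cross-check by enumerating every truth-table entry (only viable for small n)."""
    hits = 0
    for values in product((0, 1), repeat=len(features)):
        entry = dict(zip(features, values))
        if any(all(entry[v] == b for v, b in ant.items()) for ant in antecedents):
            hits += 1
    return hits / 2 ** len(features)


if __name__ == "__main__":
    # Constructed sample: two assertions over features a and b whose
    # antecedents overlap on the entry a = 0, b = 0.
    both = [{"a": 0}, {"b": 0}]
    print("sum of single coverages:", sum(single_coverage(x) for x in both))
    print("coverage of the set    :", set_coverage(both, 2))
```

The naive sum of single coverages for the sample reports 1.0, while only three of the four truth-table entries are actually covered; the inclusion-exclusion sum over $2^k$ subsets of $k$ assertions is exact and avoids enumerating the $2^n$ inputs, which is the cheaper direction when there are few assertions over many feature variables.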
Hit rate refers to the fraction of generated assertions that pass formal
verification. Hit rate evaluates both the data miner's performance and the
completeness of the simulation data: we prefer a data mining algorithm that
finds true assertions over one that finds high quality false assertions, but
any algorithm's hit rate is limited by the completeness of the simulation
data it mines, since an assertion that holds on the simulated behavior may
fail on behavior the test bench never exercised.
Currently, the assertion evaluator uses importance, complexity, coverage
and expectedness to evaluate a set of assertions. We detail these metrics in
chapters 3 and 4.
2.3 Decision Tree
module and_(input a, b, output f);

  assign f = a & b;

endmodule
Figure 2.2: An and gate.
In [20], we detail GoldMine's decision tree algorithm. Here, we present an
example of the algorithm. Consider the Verilog and its decision tree in figures
2.2 and 2.3. The root node assigns multiple values to f. Therefore, the algorithm
cannot generate an assertion and partitions the simulation data. The root's left
child node (a = 0) always assigns f = 0. Therefore, the algorithm generates the
assertion $\neg a \Rightarrow \neg f$. Again, the root's right child node (a = 1)
assigns multiple values to f. Therefore the algorithm partitions the simulation
data again, this time on b. Each new child node assigns a single value to f.
Therefore, the algorithm generates the assertions $a \wedge \neg b \Rightarrow \neg f$
and $a \wedge b \Rightarrow f$.

[Figure 2.3 (image): the root node holds the four rows of the and gate's truth
table (m = 0.25, H = 0.81). Branch a = 0 leads to a leaf with m = 0.00, H = 0.00
and assertion ~a |-> ~f. Branch a = 1 leads to a node with m = 0.50, H = 1.00,
which branches on b: b = 0 gives a leaf with m = 0.00, H = 0.00 and assertion
a & ~b |-> ~f; b = 1 gives a leaf with m = 1.00, H = 0.00 and assertion
a & b |-> f.]
Figure 2.3: A decision tree for the Verilog in figure 2.2. Each node is
pictured with the data it represents and is labeled with its mean and
entropy. Each branch is labeled with the feature variable and value used to
partition the data represented by its parent.

The decision tree algorithm can introduce irrelevant propositions into a set
of assertions. For example, consider the assertion $a \wedge \neg b \Rightarrow \neg f$
in figure 2.3. Regardless of the value of a, $b = 0 \Rightarrow f = 0$. Therefore,
the inclusion of a in this assertion is unnecessary. As a result, the assertion
is verbose and over-constrained, which limits its use and value.
2.4 Best-Gain Decision Forest
We introduce the Best-Gain Decision Forest algorithm (BGDF) to generate
concise assertions. Decision tree algorithms select one feature variable with
maximum information gain to partition the dataset. In contrast, the BGDF
algorithm partitions the dataset using all such variables. Consequently, the
BGDF algorithm builds all decision trees optimized for maximum informa-
tion gain. To maintain eﬃciency, the algorithm shares nodes between deci-
sion trees. The BGDF algorithm extracts all assertions from a decision forest
and uses a set containment algorithm to discard those that are redundant.
Algorithm
Algorithm 1 Best-Gain Decision Forest Algorithm
 1: procedure decision_forest(V, S, A)
 2:   if entropy(S) = 0 then
 3:     P ← P ∪ {A ⟹ (v_t, mean(S))}
 4:     return
 5:   end if
 6:   G ← ∅
 7:   g_best ← −1
 8:   for all v ∈ V do
 9:     g ← gain(v_t, S_{v=0}, S_{v=1})
10:     G ← G ∪ {(v, g)}
11:     if g_best < g then
12:       g_best ← g
13:     end if
14:   end for
15:   for all (v, g) ∈ G do
16:     if g = g_best then
17:       V ← V \ {v}
18:       decision_forest(V, S_{v=0}, A ∪ {(v, 0)})
19:       decision_forest(V, S_{v=1}, A ∪ {(v, 1)})
20:     end if
21:   end for
22: end procedure
Algorithm 1 shows the Best-Gain Decision Forest algorithm. The algorithm
requires inputs $V$, $S$ and $A$. Let $V$ and $S$ denote the set of variables and
the simulation data defined in section 2.1 and let $v_t \in V$ denote the target
variable. Let $A$ denote a set of propositions and let $(v, b) \in A$, with
$v \in V$ and $b \in \mathbb{B}$, denote a proposition that assigns $v = b$.
Finally, let $P$ denote the set of assertions generated by the Best-Gain
Decision Forest algorithm.

The Best-Gain Decision Forest algorithm requires the following additional
definitions. Let the function $\text{entropy}(S)$ compute the entropy of $v_t$ in
$S$ and let the function $\text{mean}(S)$ compute the mean value of $v_t$ in $S$.
Let the function $\text{gain}(v_t, S_{v=0}, S_{v=1})$ compute the information gain
$G(S, v)$ of partitioning $S$ on $v$. Finally, let $G$ denote a set of
(variable, information gain) pairs.
The Best-Gain Decision Forest algorithm begins by computing the entropy of
$v_t$ in $S$. If $\text{entropy}(S) = 0$, then the algorithm adds assertion
$A \Rightarrow (v_t, \text{mean}(S))$ to $P$ and terminates. If
$\text{entropy}(S) \neq 0$, then the algorithm selects feature variables to
partition $S$. The algorithm computes the information gain $g$ of each variable
$v \in V$ and adds the pair $(v, g)$ to $G$. While computing each variable's
gain, the algorithm records $g_{best}$, the maximum gain.

Next, the algorithm recurses. For each $(v, g) \in G$ for which $g = g_{best}$,
the algorithm removes $v$ from $V$ and makes two recursive calls. The first call
removes vectors from $S$ where $v = 1$ and adds the proposition $(v, 0)$ to $A$.
The second call removes vectors from $S$ where $v = 0$ and adds the proposition
$(v, 1)$ to $A$. Because $v$ is removed from $V$ before the remaining pairs in
$G$ are processed, a later sibling subtree cannot split on $v$ again, which is
how the forest shares nodes rather than duplicating them.
The BGDF algorithm minimizes redundancy in $P$ using set containment.
Assertion $p_i = A_i \Rightarrow C_i$ contains assertion $p_j = A_j \Rightarrow C_j$
if $A_i \subseteq A_j$ and $C_i = C_j$. That is, if $p_i$ contains $p_j$, then
$p_i$ conveys the same behavior as $p_j$ more concisely. Consequently, it is
impossible for $p_i$ to contain $p_j$ if $|A_i| > |A_j|$. The BGDF algorithm
uses this fact to reduce the number of set containment checks between
assertions.
Example
We revisit the Verilog in figure 2.2 to illustrate the BGDF algorithm. Let
$V = \{a, b, f\}$ and let $v_t = f$. Let $S$ be the set of Boolean vectors to the
left of the root node in figure 2.3.

The Best-Gain Decision Forest algorithm begins by computing
$$\text{entropy}(S) = -\frac{3}{4}\log_2\frac{3}{4} - \frac{1}{4}\log_2\frac{1}{4} = 0.81.$$
Since $\text{entropy}(S) \neq 0$, the algorithm partitions $S$. To do so, the
algorithm computes each variable's information gain and records $g_{best}$.
$$\text{gain}(a, S) = 0.81 - 0.50 \cdot 0.00 - 0.50 \cdot 1.00 = 0.31$$
$$\text{gain}(b, S) = 0.81 - 0.50 \cdot 0.00 - 0.50 \cdot 1.00 = 0.31$$
Now, $G = \{(a, 0.31), (b, 0.31)\}$ and $g_{best} = 0.31$.

Next, the algorithm recurses. Since the gains of both $a$ and $b$ are equal to
$g_{best}$, the algorithm uses both of them to partition $S$. In the recursive
call where $a = 0$, the entropy of $f$ is 0. Therefore, the algorithm adds
assertion $p_0 = \neg a \Rightarrow \neg f$ to $P$ and terminates.

In the recursive call where $a = 1$, $H(S) \neq 0$. Therefore, the algorithm
selects $b$ to partition $S$ since it is the only remaining variable in $V$. In
both subsequent recursive calls, $H(S) = 0$. Therefore, the algorithm adds the
assertions $p_1 = a \wedge \neg b \Rightarrow \neg f$ and $p_2 = a \wedge b \Rightarrow f$
to $P$.
[Figure 2.4 (image): the root node (m = 0.25, H = 0.81) is partitioned on both
a and b. Branch a = 0 leads to a leaf with m = 0.00, H = 0.00 and assertion
~a |-> ~f. Branch a = 1 leads to a node with m = 0.50, H = 1.00 whose children
b = 0 (m = 0.00, H = 0.00, a & ~b |-> ~f) and b = 1 (m = 1.00, H = 0.00,
a & b |-> f) are leaves. Branch b = 0 leads to a leaf with m = 0.00, H = 0.00
and assertion ~b |-> ~f. Branch b = 1 leads to a node with m = 0.50, H = 1.00
that has no children.]
Figure 2.4: A decision forest for the Verilog in figure 2.2. Each node is
labeled with its mean and entropy. Each branch is labeled with the feature
variable and value used to partition the data represented by its parent. The
BGDF algorithm selects both a and b to partition the root node's data
since they do so equally well.
Figure 2.4 depicts the decision forest constructed by the algorithm. In the
recursive calls where $b = 0$ and $b = 1$, $V$ is already empty: the call where
$b = 0$ has $H(S) = 0$ and yields $p_3$, while the call where $b = 1$ has
$H(S) \neq 0$ and yields nothing. Set $P$ contains the following assertions.
$$\begin{aligned}
p_0 &= \neg a \Rightarrow \neg f \\
p_1 &= a \wedge \neg b \Rightarrow \neg f \\
p_2 &= a \wedge b \Rightarrow f \\
p_3 &= \neg b \Rightarrow \neg f
\end{aligned} \qquad (2.4)$$
Consider $p_1$ and $p_3$. Both assertions have the same consequent, but $p_3$ is
more concise: $A_3 = \{(b, 0)\} \subseteq A_1 = \{(a, 1), (b, 0)\}$, so $p_3$
contains $p_1$. Therefore, the proposition $(a, 1)$ in the antecedent of $p_1$
is unnecessary. After the algorithm uses set containment to remove such
assertions, $P$ contains $p_0$, $p_2$ and $p_3$.
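The following Python is an added example, not GoldMine's own code, that runs Algorithm 1 and the decision tree algorithm of section 2.3 on the and gate's truth table and applies the set containment pruning. Rows are dicts of Boolean values, gain is computed as $H(S) - \sum_b \frac{|S_{v=b}|}{|S|} H(S_{v=b})$, and the data is the truth table that figure 2.3 shows at the root node (an assumption about what the simulation produced). With `forest=False` only the first variable that attains $g_{best}$ is used, which reproduces the tree of figure 2.3; with `forest=True` every such variable is used and the four assertions of equation 2.4 are mined before pruning.

```python
"""Decision-tree and Best-Gain Decision Forest (BGDF) assertion mining over
Boolean simulation data. Added example, not GoldMine's own implementation.

A row of simulation data is a dict {variable: 0 or 1}. An assertion is a pair
(antecedent, consequent): the antecedent is a frozenset of (variable, value)
propositions and the consequent is (target, value)."""
from math import log2

# Constructed simulation data: the full truth table of the and gate in
# Figure 2.2, assumed to be the data Figure 2.3 shows at the root node.
AND_GATE_ROWS = [
    {"a": 0, "b": 0, "f": 0},
    {"a": 0, "b": 1, "f": 0},
    {"a": 1, "b": 0, "f": 0},
    {"a": 1, "b": 1, "f": 1},
]


def entropy(rows, vt):
    """Shannon entropy of target vt over rows; 0 when every row agrees on vt."""
    if not rows:
        return 0.0
    p1 = sum(r[vt] for r in rows) / len(rows)
    return -sum(p * log2(p) for p in (p1, 1 - p1) if p > 0)


def gain(rows, vt, v):
    """Information gain of splitting rows on v: H(S) - sum_b |S_{v=b}|/|S| H(S_{v=b})."""
    h = entropy(rows, vt)
    for b in (0, 1):
        part = [r for r in rows if r[v] == b]
        h -= len(part) / len(rows) * entropy(part, vt)
    return h


def prune(assertions):
    """Set containment: drop p_j when some p_i has the same consequent and
    A_i is a proper subset of A_j, since p_i states the same behaviour more
    concisely. Leaves shared between trees are deduplicated first."""
    unique = list(dict.fromkeys(assertions))
    return [(ant, con) for ant, con in unique
            if not any(c == con and a < ant for a, c in unique)]


def mine(rows, vt, forest=True):
    """Mine assertions for target vt. With forest=True this is Algorithm 1:
    every feature tied for the maximum gain partitions the data. With
    forest=False only the first such feature is used, which is the plain
    decision tree algorithm of Section 2.3."""
    found = []

    def recurse(remaining, subset, antecedent):
        if not subset:
            return  # no simulation evidence on this branch
        if entropy(subset, vt) == 0:
            found.append((antecedent, (vt, subset[0][vt])))
            return
        gains = {v: gain(subset, vt, v) for v in remaining}
        if not gains:
            return  # features exhausted but vt still varies: no assertion here
        best = max(gains.values())
        live = list(remaining)
        for v in remaining:
            if abs(gains[v] - best) > 1e-12:
                continue
            # Remove v before recursing, as Algorithm 1 does: later siblings
            # can no longer split on v, which is how the forest shares nodes.
            live.remove(v)
            for b in (0, 1):
                part = [r for r in subset if r[v] == b]
                recurse(list(live), part, antecedent | {(v, b)})
            if not forest:
                break

    recurse([v for v in rows[0] if v != vt], rows, frozenset())
    return prune(found)


def fmt(assertion):
    """Render an assertion in the |-> notation of the figures, e.g. 'a & ~b |-> ~f'."""
    ant, (vt, val) = assertion
    lits = [("" if b else "~") + v for v, b in sorted(ant)]
    return (" & ".join(lits) if lits else "1") + " |-> " + ("" if val else "~") + vt


if __name__ == "__main__":
    print("tree  :", [fmt(p) for p in mine(AND_GATE_ROWS, "f", forest=False)])
    print("forest:", [fmt(p) for p in mine(AND_GATE_ROWS, "f", forest=True)])
```

The tree run returns the verbose $a \wedge \neg b \Rightarrow \neg f$ because the pruning step never sees the more concise $\neg b \Rightarrow \neg f$; the forest run mines both and keeps only the latter.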
Analysis
We analyze the Best-Gain Decision Forest algorithm. First, we analyze the
algorithm's complexity. Consider the construction of a worst case decision
forest with variables $V = \{v_0, v_1, \dots, v_n\}$. Since the BGDF will select
all variables to partition $S$, it cannot select $v_0$ to partition $S$ in the
subforest of any other $v_i \in V$. Consequently, if we disregard $v_0$, then the
algorithm will construct a worst case decision forest with $n - 1$ feature
variables. Similarly, each child of $v_0$ will be a worst case decision forest
with $n - 1$ feature variables. Therefore, the worst case size of a decision
forest is $O(3^{|V|})$.

Next, we show that the BGDF algorithm discards only functionally redundant
assertions. Let $p = A \Rightarrow (v_t, b)$ and $p' = A' \Rightarrow (v_t, b)$ be
assertions generated by the BGDF algorithm and let $A' \subseteq A$, so that
$p'$ contains $p$. Let $f = A \vee A'$. Since $A' \subseteq A$ and both $A$ and
$A'$ are conjunctive, $A$ implies $A'$, and it follows from Boolean algebra that
$A'$ alone is sufficient to satisfy $f$. Therefore, $p$ is functionally
redundant.

Finally, we show that the BGDF algorithm generates assertions that are either
equivalent to or more concise than those generated by the decision tree
algorithm. Let $P$ and $P'$ denote the sets of assertions generated by the BGDF
and decision tree algorithms respectively. Since the BGDF algorithm builds all
optimal decision trees, $P \supseteq P'$ before pruning. Now, the BGDF algorithm
discards only functionally redundant assertions, so every assertion in $P'$ is
either retained in $P$ or replaced by a more concise assertion that contains
it. Therefore, the assertions in $P$ are either equivalent to or more concise
than those in $P'$.
2.5 Coverage Mining
In [46], the author details GoldMine’s coverage mining algorithm. The cov-
erage mining algorithm searches the assertion space breadth-ﬁrst to greedily
generate assertions with high input space coverage. In each iteration, the al-
gorithm generates an assertion whose input space coverage gain with respect
to S is highest. The algorithm terminates after satisfying a coverage criterion
for S.
The tree based algorithms are greedy in the data space since they gener-
ate the minimum number of assertions required to cover S. In contrast, the
coverage mining algorithm is greedy in the assertion space since it generates
the minimum number of concise assertions to cover S. Consequently, the
tree based algorithms are signiﬁcantly more eﬃcient than the coverage min-
ing algorithm. However, the coverage mining algorithm might ﬁnd a more
intuitive set of assertions than the tree based algorithms.
2.6 Prism
We adapt the prism algorithm in [42] to generate assertions. The prism
algorithm is similar to the tree based algorithms, but induces one rule at a
time for a fixed value of the target variable $v_t$. In each iteration, the
algorithm adds the proposition $(v, b)$ with $v \in V$ for which $G'(S, v, b)$ is
maximum to the candidate rule, and restricts $S$ to the vectors that satisfy
it, until $H(S) = 0$. After the algorithm generates a rule, it discards the
vectors in $S$ that satisfy the rule. The algorithm repeats this process until
$S$ contains no vectors with the chosen target value.
[Figure 2.5 (image): three rule inductions over the and gate's truth table.
Left: the full table (m = 0.25, H = 0.81) is split on a = 0 to a node with
m = 0.00, H = 0.00, giving ~a |-> ~f. Middle: the rows not covered by that
rule (m = 0.50, H = 1.00) are split on b = 0 to a node with m = 0.00,
H = 0.00, giving ~b |-> ~f. Right: the full table (m = 0.25, H = 0.81) is
split on a = 1 (m = 0.50, H = 1.00) and then on b = 1 to a node with m = 1.00,
H = 0.00, giving a & b |-> f.]
Figure 2.5: An example of the prism algorithm for the Verilog in figure 2.2.
Each node is labeled with its mean and entropy. Each branch is labeled
with the feature variable and value used to partition the data represented
by its parent.
Figure 2.5 shows an example of the prism algorithm for the Verilog in figure
2.2. First, the algorithm generates an assertion for $f = 0$. Let $p'(S, v_t)$
denote the fraction of vectors in $S$ for which $v_t$ takes the value currently
being mined, here $f = 0$. The algorithm computes the information gain of
propositions $(a, 0)$, $(a, 1)$, $(b, 0)$ and $(b, 1)$ as follows:
$$G'(S, a, 0) = \frac{p'(S_{a=0}, v_t)}{p'(S, v_t)} = \frac{1}{3/4} = \frac{4}{3}$$
$$G'(S, a, 1) = \frac{2}{3} \qquad G'(S, b, 0) = \frac{4}{3} \qquad G'(S, b, 1) = \frac{2}{3}$$
The algorithm adds $(a, 0)$ to the assertion's antecedent and generates the
assertion $p_0 = \neg a \Rightarrow \neg f$ since $H(S_{a=0}) = 0$.

Next, the algorithm removes the first and second rows from $S$ since they
satisfy $p_0$. Because $S$ contains another row where $f = 0$, the algorithm
generates another assertion for $f = 0$. Again, the algorithm computes the
information gain of propositions $(a, 0)$, $(a, 1)$, $(b, 0)$ and $(b, 1)$ and
adds $(b, 0)$ to the assertion's antecedent. The algorithm generates the
assertion $p_1 = \neg b \Rightarrow \neg f$ and removes the third row from $S$.
Now, since $S$ does not contain any rows where $f = 0$, the algorithm generates
the assertion $p_2 = a \wedge b \Rightarrow f$ for $f = 1$ and terminates.
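The following Python is an added example, not GoldMine's code, of the prism rule induction described above, run on the same and gate truth table. It uses the $G'(S, v, b) = p'(S_{v=b}, v_t) / p'(S, v_t)$ metric from the worked example and, on ties, the first proposition in the order $(a,0), (a,1), (b,0), (b,1)$, as the example does. One assumption is made explicit: each target value restarts from the full dataset, as in classic prism, since mining $f = 1$ from the single row left after the $f = 0$ rules would yield an empty antecedent rather than $a \wedge b \Rightarrow f$.

```python
"""PRISM-style rule induction for assertion mining (Section 2.6). Added
example, not GoldMine's implementation. Rows are dicts {variable: 0 or 1}."""

# Constructed simulation data: the truth table of the and gate in Figure 2.2.
AND_GATE_ROWS = [
    {"a": 0, "b": 0, "f": 0},
    {"a": 0, "b": 1, "f": 0},
    {"a": 1, "b": 0, "f": 0},
    {"a": 1, "b": 1, "f": 1},
]


def precision(rows, vt, gamma):
    """p'(S, vt): fraction of rows whose target value is gamma (0 on empty S)."""
    return sum(r[vt] == gamma for r in rows) / len(rows) if rows else 0.0


def gain_ratio(rows, vt, gamma, v, b):
    """G'(S, v, b) = p'(S_{v=b}, vt) / p'(S, vt), the metric of the Section 2.6 example."""
    base = precision(rows, vt, gamma)
    part = [r for r in rows if r[v] == b]
    return precision(part, vt, gamma) / base if base else 0.0


def prism(rows, vt):
    """Induce rules one at a time for each target value gamma. Assumption:
    as in classic PRISM, each target value starts from the full dataset and
    rows covered by a new rule are removed only for that target value; this is
    the reading that reproduces a & b |-> f for f = 1 in the thesis example."""
    features = [v for v in rows[0] if v != vt]
    rules = []
    for gamma in sorted({r[vt] for r in rows}):
        uncovered = list(rows)
        while any(r[vt] == gamma for r in uncovered):
            antecedent, subset, unused = [], uncovered, list(features)
            # Specialise the candidate rule until H(S) = 0 on the rows it selects.
            while len({r[vt] for r in subset}) > 1:
                cands = [(gain_ratio(subset, vt, gamma, v, b), v, b)
                         for v in unused for b in (0, 1)]
                score, v, b = max(cands, key=lambda c: c[0])  # first of ties wins
                if score <= 0:
                    break
                antecedent.append((v, b))
                unused.remove(v)
                subset = [r for r in subset if r[v] == b]
            if not subset or subset[0][vt] != gamma:
                break  # features exhausted without isolating gamma: stop for this value
            rules.append((tuple(antecedent), (vt, gamma)))
            # Discard the rows the new rule covers before inducing the next one.
            uncovered = [r for r in uncovered
                         if not all(r[v] == b for v, b in antecedent)]
    return rules


def fmt(rule):
    """Render a rule in the |-> notation of Figure 2.5, e.g. '~b |-> ~f'."""
    antecedent, (vt, val) = rule
    lits = [("" if b else "~") + v for v, b in antecedent]
    return (" & ".join(lits) if lits else "1") + " |-> " + ("" if val else "~") + vt


if __name__ == "__main__":
    print([fmt(r) for r in prism(AND_GATE_ROWS, "f")])
```

Unlike the tree based miners, a prism rule is specialised only against the rows it still covers, so the second $f = 0$ rule never considers $a$ and comes out as the concise $\neg b \Rightarrow \neg f$ directly, without a containment pass.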
2.7 Experimental Results
Design   Module            Variables   Bits   Output variables   Output bits   Module instances
USB      usbf_pe                 152    785                 25           100                  0
PCI      pci_master32_sm         133    370                 20            85                  8
OR1200   or1200_ctrl              68    435                 45           315                  0
Figure 2.6: The size of modules usbf_pe, pci_master32_sm and or1200_ctrl
We present experimental results to compare the assertion mining algorithms.
We used each algorithm to generate assertions for three Verilog modules.
The ﬁrst module is the protocol engine from the Universal Serial Bus (USB)
protocol, the second module is the master state machine from the Peripheral
Component Interconnect (PCI) protocol and the ﬁnal module is the decode
pipeline stage from the OpenRisc 1200 (OR1200) CPU. Figure 2.6 shows
the size of each of these modules. For all experiments, the data generator
simulated each module for 10000 cycles using an unconstrained random test
bench. We explicitly limited the antecedent size and temporal length of all
assertions to 5 and 2 respectively. We conducted all experiments using a 2.67
gigahertz quad core Intel Core i5 with 16 gigabytes of memory.
[Figure 2.7 (bar chart): Number of Assertions for all Outputs. x-axis: Module
(usbf_pe, pci_master32_sm, or1200_ctrl); y-axis: Number of Assertions, 0 to
300; one bar per algorithm (tree, forest, coverage, prism).]
Figure 2.7: The number of assertions generated by each data mining
algorithm.
Figure 2.7 shows the number of assertions generated by each data mining
algorithm. The decision tree algorithm consistently generates a small
number of assertions. We expect this since the decision tree algorithm
generates the minimum number of assertions required to describe the dataset.
The decision forest and coverage mining algorithms generate varying numbers
of assertions. We expect this since the decision forest and coverage mining
algorithms generate assertions that have low antecedent sizes instead of
generating those that minimally describe the dataset. For all designs, the
prism algorithm generates more assertions than any other algorithm. We expect
this since the prism algorithm induces one concise rule at a time for each
target value and does not attempt to describe the dataset with a minimal
number of assertions.
[Figure 2.8 (bar chart): Average Antecedent Size of Assertions for all
Outputs. x-axis: Module (usbf_pe, pci_master32_sm, or1200_ctrl); y-axis:
Average Antecedent Size, 0 to 4; one bar per algorithm (tree, forest,
coverage, prism).]
Figure 2.8: The average antecedent size of generated assertions for each
data mining algorithm.
Figure 2.8 shows the average antecedent size of generated assertions for
each data mining algorithm. For all designs, the coverage mining algorithm
generates assertions that have lower antecedent sizes than those generated
by any other algorithm. We expect this since the coverage miner optimizes
for input space coverage. For USB, the prism algorithm generates assertions
that have larger antecedent sizes than those generated by any other algo-
rithm. This is reasonable since the prism algorithm typically generates a
large number of assertions. Similarly, the decision forest algorithm gener-
ates assertions that have larger antecedent sizes than those generated by the
decision tree algorithm.
[Figure 2.9 (bar chart): Average Temporal Length of Assertions for all
Outputs. x-axis: Module (usbf_pe, pci_master32_sm, or1200_ctrl); y-axis:
Average Temporal Length, 1.500 to 2.000; one bar per algorithm (tree,
forest, coverage, prism).]
Figure 2.9: The average temporal length of generated assertions for each
data mining algorithm.
Figure 2.9 shows the average temporal length of generated assertions for
each data mining algorithm. For all designs, the prism algorithm generates
assertions that have higher temporal length than those generated by any
other algorithm. Again, this is reasonable since the prism algorithm generates
a large number of assertions. Similarly, for PCI and OR1200, the decision
forest algorithm generates assertions that have higher temporal length than
those generated by the decision tree algorithm. For USB and OR1200, the
coverage mining algorithm generates assertions that have lower temporal
length than those generated by any other algorithm. This is reasonable since
we expect temporal assertions to have large antecedent sizes, and the
coverage miner optimizes for small antecedents.
[Figure 2.10 (bar chart): Average Input Space Coverage of Assertions for all
Outputs. x-axis: Module (usbf_pe, pci_master32_sm, or1200_ctrl); y-axis:
Average Input Space Coverage, 0 to 0.500; one bar per algorithm (tree,
forest, coverage, prism).]
Figure 2.10: The average input space coverage of generated assertions for
each data mining algorithm.
Figure 2.10 shows the average input space coverage of generated assertions
for each data mining algorithm. Since input space coverage is $1/2^{|A|}$ and
so falls as antecedent size grows, these results provide an alternate
interpretation of those in figure 2.8. They also validate that the coverage
mining algorithm indeed optimizes for input space coverage.
[Figure 2.11 (bar chart): Hit Rate of Assertions for all Outputs. x-axis:
Module (usbf_pe, pci_master32_sm, or1200_ctrl); y-axis: Hit Rate, 0 to
0.900; one bar per algorithm (tree, forest, coverage, prism).]
Figure 2.11: The hit rate of generated assertions for each data mining
algorithm.
Figure 2.11 shows the hit rate of generated assertions for each data mining
algorithm. The decision tree algorithm consistently generates a high per-
centage of true assertions. This suggests that data mining algorithms that
optimize for antecedent size can generate a high percentage of false asser-
tions. For PCI and OR1200, the coverage mining algorithm generates the
highest percentage of true assertions. This suggests that assertions that cover
a large fraction of the dataset are more likely to pass formal veriﬁcation.
[Figure 2.12 (bar chart): Run Time including Formal Verification. x-axis:
Module (usbf_pe, pci_master32_sm, or1200_ctrl); y-axis: Run Time (sec), 0 to
800; one bar per algorithm (tree, forest, coverage, prism).]
Figure 2.12: The run time of each data mining algorithm.
[Figure 2.13 (bar chart): Memory Use without Formal Verification. x-axis:
Module (usbf_pe, pci_master32_sm, or1200_ctrl); y-axis: Memory Use (MB), 0
to 3000; one bar per algorithm (tree, forest, coverage, prism).]
Figure 2.13: The memory use of each data mining algorithm.
Figures 2.12 and 2.13 show the run time and memory use of each data
mining algorithm. For most designs, every algorithm executes in less than
3 minutes. However, for PCI, the coverage miner executes in more than 10
minutes. We expect this since the coverage miner mines assertions breadth-
first. Similarly, most algorithms require less than 100 MB of memory to
execute. However, for USB and PCI, the coverage miner requires nearly 500
and 2000 MB respectively.
CHAPTER 3
ASSERTION RANKING
In this chapter, we present an assertion ranking methodology that considers
two parameters — assertion importance and complexity. In short, assertion
importance and complexity estimate the importance and understandability
of the behavior conveyed by an assertion respectively.
To compute assertion importance, we ﬁrst compute a global importance
score for each variable in an RTL design using an algorithm inspired by
Google’s PageRank. PageRank [47, 48] is a seminal graph ranking algorithm
used by Google to rank web search results. PageRank represents the world
wide web using a graph, where each node denotes a web page and each
directed edge denotes a hyperlink from one page to another. PageRank
analyzes the hyperlink structure of the world wide web graph to compute an
importance score for each web page. Intuitively, PageRank will rank graph
nodes with many incoming and outgoing edges higher than those with fewer
such edges. We adapt the PageRank algorithm to work for an RTL variable
dependency graph instead of the web graph.
In the context of assertion ranking, each assertion constitutes a search
query. In other words, the relationship between the variables in an asser-
tion’s antecedent and those in its consequent is relevant. Since PageRank is
a query-independent ranking algorithm, it does not consider such relation-
ships. Therefore, we compute a relative importance score that captures how
important a variable is with respect to a target variable. Relative impor-
tance scores consider the spatial distance, temporal distance and importance
of execution paths between references to the given variable and assignments
to the target variable. We use relative importance scores to compute an
assertion’s importance score.
An assertion with a high importance score will likely have low under-
standability. Consequently, we balance assertion importance with assertion
complexity. To compute assertion complexity, we ﬁrst compute a relative
complexity score that captures the understandability of the dependencies
between a variable and a target variable. The relative complexity score cap-
tures how understandable a variable is with respect to a target variable.
Relative complexity scores consider the spatial distance, temporal distance
and understandability of execution paths between references to the given
variable and assignments to the target variable. We use relative complexity
scores to compute an assertion’s complexity score.
We use assertion importance and complexity scores to compute assertion
rank. An assertion’s rank score estimates its value with respect to the design
for which it was written. As the name implies, assertion rank scores also
provide a means to rank a set of assertions. We normalize an assertion’s
rank score with respect to a maximum rank score. We refer to an assertion’s
normalized rank score as its ideality score. An assertion’s ideality score
estimates its “completeness.”
We show a detailed case study using an open source RTL implementation of
the PCI protocol. The case study demonstrates that the proposed assertion
quality metrics agree with human judgement. We present an analysis of
the choices made by the ranking methodology for assertions generated using
GoldMine. In addition to the case study, we present experimental results
that further verify the eﬀectiveness of the methodology.
3.1 Motivation
module arb2(clk, rst, req1, req2, gnt1, gnt2);

  input clk, rst;
  input req1, req2;
  output gnt1, gnt2;

  reg gnt_;
  reg gnt1, gnt2;

  always @ (posedge clk, posedge rst)
    if (rst)
      gnt_ <= 0;
    else
      gnt_ <= gnt1;

  always @ (*)
    if (gnt_)
      begin
        gnt1 = req1 & ~req2;
        gnt2 = req2;
      end
    else
      begin
        gnt1 = req1;
        gnt2 = req2 & ~req1;
      end

endmodule
Figure 3.1: A 2-port arbiter.
We motivate assertion ranking with an example. Figure 3.1 depicts the
Verilog source code for a 2-port arbiter. The arbiter uses the temporary
variable gnt_ to guarantee that neither request line is starved. Consider
properties p0 and p1, defined as follows. Property p0 expresses that if the
first request line is low, then the first grant line is low. Property p1
expresses that if the second request line is high and the first grant line was
high previously, and one cycle later the first request line is high, then the
first grant line is high. Both properties are true and express important
design intent. However, many designers would agree that p0 is inferior to p1.
Property p0 is a trivial recitation of the source code expressing
combinational behavior, while p1 expresses subtle temporal behavior. Also, p0
conveys nothing about the second request line while p1 conveys the main
functionality of an arbiter, a contention scenario. Finally, p0 does not
utilize gnt_, the most important design variable, while p1 does.
3.2 Related Work and Background
3.2.1 PageRank
PageRank [47, 48] is a seminal graph ranking algorithm used by Google to
rank web search results. PageRank proposes that a web page is important
if it has incoming hyperlinks from many important pages. This deﬁnition
recognizes that not all hyperlinks should have equal weight. For example, if
a page has a single incoming hyperlink from the Apple home page, it should
have a higher importance score than those with many incoming hyperlinks
from obscure pages.
[Figure 3.2 (image): a four-page web graph with PageRank scores PR(a) = 64,
PR(b) = 128, PR(c) = 128 and PR(d) = 64; each hyperlink is labeled with the
share of PageRank it carries (64, 64, 64, 32, 32 and 128).]
Figure 3.2: An example of PageRank.
PageRank computes an importance score for each web page based on its
incoming hyperlinks. Intuitively, each web page distributes its importance
score equally amongst its outgoing hyperlinks. Consequently, the importance
score for a web page is equal to the sum of the importance scores distributed
to its incoming hyperlinks. The simpliﬁed PageRank formula formalizes this
relationship.
Let $p$ denote a web page. Let $B(p)$ denote the set of pages that have
an outgoing hyperlink to $p$ and let $F(p)$ denote the set of pages that $p$
has outgoing hyperlinks to. We define the simplified PageRank $PR(p)$ of $p$
as follows:
$$PR(p) = \sum_{p_i \in B(p)} \frac{PR(p_i)}{|F(p_i)|} \qquad (3.1)$$
Figure 3.2 illustrates equation 3.1. For example,
$PR(c) = PR(a) + \frac{PR(b)}{2} = 128$ since $a$ has one outgoing hyperlink
and $b$ has two outgoing hyperlinks.
We explain the intuition behind PageRank using a random surfer model.
Suppose a web surfer browses the web by clicking hyperlinks at random. The
simpliﬁed PageRank of a given web page represents the probability that the
random surfer will navigate to that page. If the random surfer is caught in
a cycle of web pages, then the surfer is unlikely to continue in such a cycle
forever. Consequently, the PageRank formula adds an additional term to
equation 3.1 to account for such behavior.
Let $\alpha$ be a constant between 0 and 1 and let $n$ denote the total number
of web pages. We define the PageRank $PR(p)$ of $p$ as follows:
$$PR(p) = (1 - \alpha) \sum_{p_i \in B(p)} \frac{PR(p_i)}{|F(p_i)|} + \frac{\alpha}{n} \qquad (3.2)$$
The additional term in equation 3.2 represents the probability of the random
surfer growing bored and navigating to a random page in the web graph.
3.2.2 Dependency Graph
We analyze a design’s dependency graph to rank its variables. We deﬁne a
dependency graph based on the semantics of the Verilog Hardware Descrip-
tion Language [3]. An expression is a function deﬁned over values, variables
and operators. A left reference refers to a variable reference that appears
in an expression on the left side of a Verilog assignment. A right reference
refers to all variable references that are not left references.
Let $v_i$ and $v_j$ denote two Verilog variables. We say that $v_i$ depends on
$v_j$ if there exists a Verilog assignment to $v_i$ that will execute only if a
right reference to $v_j$ is evaluated. Formally, we define a dependency graph
as a directed graph $G = (V, E)$ with vertices $V$ and directed edges $E$. Let
each vertex $v \in V$ denote a Verilog variable and let each directed edge
$(v_i, v_j) \in E$ denote a dependence between variables $v_i$ and $v_j$. If
$(v_i, v_j) \in E$, then $v_j$ depends on $v_i$.

We construct two types of dependency graphs. A global dependency graph
expresses dependencies between all variables in a Verilog design. The global
dependency graph is analogous to the dependency graph used by the classic
cone of influence computation [43]. A relative dependency graph transitively
expresses dependencies for a target variable within a bounded number of
temporal frames. The relative dependency graph is analogous to the dependency
graph used by the bounded cone of influence computation [49, 50].

If target variable $v_t$ is temporal, then it will have temporal dependencies.
Let temporal variable $v_k$ with temporal index $k$ denote $v$, $k$ temporal
frames relative to the current frame. We treat each such variable as a unique
variable. For example, $v_{-1} \neq v$. If there is a cycle in the dependency
graph of $v_t$, then it will depend on an infinite number of temporal
variables. Consequently, we construct the relative dependency graph of $v_t$
for a bounded number of temporal frames.
3.3 Methodology
We compute the rank score of an assertion in three phases. The ﬁrst phase
computes the assertion’s importance score. The second phase computes the
assertion’s complexity score. The third phase uses an assertion’s importance
and complexity scores to compute its rank score.
3.3.1 Importance
We ﬁrst compute the importance score of an assertion. This phase includes
three subphases. The ﬁrst subphase computes a global importance score
for each variable in the design. The second subphase computes a relative
importance score for each variable in the assertion’s antecedent. The ﬁnal
subphase uses the relative importance scores of the variables in the assertion’s
antecedent to compute its importance score.
Global Variable Importance
We adapt the PageRank algorithm [47, 48] to compute a global importance
score for each variable in a Verilog design. The PageRank formula is de-
rived from the intuition that important web pages have incoming hyperlinks
from many important pages. Similarly, we propose that important variables
depend on many important variables. For example, a designer might intu-
itively consider a variable representing the next state in a design important.
Consequently, such a variable would depend on other important variables,
including those that determine the current state of the design.
The global importance computation requires a global dependency graph.
We represent a global dependency graph using an adjacency matrix. Let
$a_{ij}$ denote the number of right references to variable $i$ in all
assignments to variable $j$. Let $a_i$ denote the number of right references
to variable $i$ in all assignments. Let $A$ be an $n \times n$ square matrix
with rows and columns corresponding to variables. Let $A_{ij} = a_{ij}/a_i$ if
$a_i > 0$ and let $A_{ij} = 1/n$ otherwise.

Intuitively, $A_{ij}$ is equal to the fraction of right references to variable
$i$ that exist in all assignments to variable $j$. If no references to variable
$i$ exist in the design, then we assume a right reference to variable $i$
exists in an assignment to each other variable. Hence, $A_{ij} = 1/n$ when
$a_i = 0$. PageRank refers to such nodes with no outgoing edges as dangling
nodes and manages them in a similar manner to ensure the importance score
distribution models a probability distribution.

The global importance computation iteratively computes the global
importance score of each variable in the design. Let $0 < \alpha < 1$ be a
constant source of global importance. We have found through experimentation
that when $\alpha = 0.5$, the global importance score distribution agrees with
designer intuition. Let $r$ denote a global importance score vector over
variables and let $r_k$ denote $r$ in the $k$th iteration of the global
importance computation. Let $r_0^i = 1/n$. We compute the global importance
score of each variable as follows:
$$r_{k+1} = (1 - \alpha) A r_k + \frac{\alpha}{n} \qquad (3.3)$$
Equation 3.3 can iterate to convergence. However, we have found that 100
iterations computes the global importance score of each variable with a
precision of up to 5 decimal places.
PageRank is scalable to hundreds of millions of pages [51, 52]. Conse-
quently, an appropriate implementation of the global importance computa-
tion would be scalable to hundreds of millions of variables. However, we
implement equation 3.3 in a straightforward manner. Such an implementa-
tion is suﬃcient since RTL assertions rarely specify complex intermodular
behavior.
The global importance computation does not consider the semantics of
variable references. Therefore, a variable’s global importance score estimates
its structural importance or connectedness with respect to the design. In
other words, removing a variable with a high global importance score from
the design would signiﬁcantly alter the design’s functionality while removing
a variable with a low global importance score would not.
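As an added example, not GoldMine's implementation, the following Python builds the matrix $A$ from right-reference counts, handles dangling variables as described above, and iterates equation 3.3 for 100 steps with $\alpha = 0.5$. The reference counts are my own reading of the arb2 module in figure 3.1 and are an assumption: each variable on the right-hand side of an assignment or in the `if` condition guarding it counts once per assignment, and clk, which appears only in a sensitivity list, is treated as having no right references, so it and gnt2 (never referenced) are dangling nodes. The update sums, for each assigned variable $j$, over the referenced variables $i$, which is the direction the definition of $A_{ij}$ implies; in column-vector notation that is $A^{\mathsf T} r_k$.

```python
"""Global variable importance (Equation 3.3): PageRank over a Verilog
right-reference dependency graph. Added example, not GoldMine's implementation."""

# Right-reference counts for the arb2 module in Figure 3.1 from my own reading
# of its assignments (an assumption). Key (i, j) -> number of right references
# to variable i across all assignments to variable j, counting the variables on
# the right-hand side and in the guarding if-condition once per assignment.
# clk appears only in a sensitivity list, so it has no right references.
ARB2_REFS = {
    ("rst", "gnt_"): 2, ("gnt1", "gnt_"): 1,
    ("gnt_", "gnt1"): 2, ("req1", "gnt1"): 2, ("req2", "gnt1"): 1,
    ("gnt_", "gnt2"): 2, ("req2", "gnt2"): 2, ("req1", "gnt2"): 1,
}
ARB2_VARS = ["clk", "rst", "req1", "req2", "gnt_", "gnt1", "gnt2"]


def transition_matrix(variables, refs):
    """A[i][j] = a_ij / a_i, the fraction of right references to i that sit in
    assignments to j. A variable that is never referenced (a_i = 0) is a
    dangling node and gets A[i][j] = 1/n for every j, so each row sums to 1
    and the scores stay a probability distribution."""
    n = len(variables)
    a_i = {v: 0 for v in variables}
    for (i, _), count in refs.items():
        a_i[i] += count
    return {i: ({j: 1.0 / n for j in variables} if a_i[i] == 0
                else {j: refs.get((i, j), 0) / a_i[i] for j in variables})
            for i in variables}


def global_importance(variables, refs, alpha=0.5, iterations=100):
    """Iterate r_{k+1}[j] = (1 - alpha) * sum_i A[i][j] * r_k[i] + alpha / n from
    r_0 = 1/n. Importance flows from a referenced variable i to the variable j
    assigned from it, so the sum runs over the referencing side i for each j."""
    n = len(variables)
    a = transition_matrix(variables, refs)
    r = {v: 1.0 / n for v in variables}
    for _ in range(iterations):
        r = {j: (1 - alpha) * sum(a[i][j] * r[i] for i in variables) + alpha / n
             for j in variables}
    return r


if __name__ == "__main__":
    for v, s in sorted(global_importance(ARB2_VARS, ARB2_REFS).items(),
                       key=lambda kv: -kv[1]):
        print(f"{v:5s} {s:.5f}")
```

On these counts gnt_ receives the highest score, gnt1 and gnt2 tie below it, and the inputs and clk share the lowest score, which matches the section 3.1 remark that gnt_ is the arbiter's most important variable. The scores sum to 1 at every iteration because each row of $A$ sums to 1, and with $\alpha = 0.5$ the iteration contracts by a factor of $0.5$ per step, so 100 iterations are far more than needed for 5 decimal places.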
Relative Variable Importance
We are usually interested in a variable's importance within a specific functional context. However, global importance scores cannot convey such information. For example, consider a design with inputs $a$ and $b$, and outputs $f_a$ and $f_b$. Suppose the design trivially assigns $f_a = a$ and $f_b = b$. Intuitively, the global importance scores of $a$ and $b$ would be equivalent since they are both inputs. However, if we consider the importance of $a$ and $b$ with respect to $f_a$, then we would expect the importance score of $a$ to be greater than that of $b$ since the value of $f_a$ is not affected by the value of $b$. We compute relative importance scores to measure the relative importance of one variable with respect to another.
We present additional examples to illustrate why global importance scores are insufficient for estimating an assertion's importance. Each example presents a set of assertions. For each assertion, we discuss the relative importance score of each variable in the assertion's antecedent with respect to the variable in its consequent. We assume that each variable in each assertion's antecedent is an input variable. Consequently, the global importance score of each such variable will be equivalent.
1. Spatial distance — Consider the assertions $a \implies f$ and $b \implies f$. Suppose the spatial distance between $a$ and $f$ is 3 assignments while that between $b$ and $f$ is 1 assignment. Intuitively, $a$ should have a higher importance score than $b$ with respect to $f$ since the spatial distance between $a$ and $f$ is greater than that between $b$ and $f$.
2. Temporal distance — Consider the assertions $a \implies XXf$ and $a \implies f$. Both assertions reference $a$ in their antecedents. However, the first assertion references $a$ in a previous temporal frame. Therefore, we can rewrite the first assertion as $a^{-2} \implies f$. Since the spatial distance between $a^{-2}$ and $f$ is greater than that between $a$ and $f$, $a^{-2}$ should have a higher importance score than $a$ with respect to $f$.
3. Execution path importance — Consider the assertions $a \implies f$ and $b \implies f$. Suppose the spatial distances between $a$ and $f$ and between $b$ and $f$ are both equal to 3 assignments. If the assignments between $a$ and $f$ reference variables with higher global importance scores than those between $b$ and $f$, then $a$ should have a higher importance score than $b$ with respect to $f$.
Global importance scores cannot capture the concepts presented in the previous set of examples. Therefore, we compute relative importance scores. Let $I_r(v, v_t)$ denote the relative importance score of variable $v$ with respect to target variable $v_t$. In any practical design, $v_t$ would depend on many variables. It is unreasonable to consider each of these variables equally important with respect to $v_t$. Consequently, we compute $I_r(v, v_t)$ based on the global importance scores of the variables referenced between references to $v$ and assignments to $v_t$.
Algorithm 2 constructs a relative dependency graph for a target variable and computes a relative importance score for each variable in the graph. The algorithm constructs relative dependency graph $G_r = (V_r, E_r)$. The algorithm requires inputs $v$, $k$ and $v_t$. Input $v$ denotes the current variable in the depth first construction of the relative dependency graph, $k$ denotes the current temporal index, and $v_t$ denotes the target variable.
Algorithm 2 Relative Variable Importance
1:  procedure relative_importance(v, k, v_t)
2:    if k < k_max then
3:      V ← dependencies(v)
4:      for all v_i ∈ V do
5:        i_r ← I_g(v_i) + I_r(v, v_t)
6:        V_r ← V_r ∪ {(v_i^k, i_r)}
7:        E_r ← E_r ∪ {(v_i^k, v)}
8:      end for
9:      for all v_i ∈ V do
10:       if temporal(v_i) then
11:         relative_importance(v_i^k, k + 1, v_t)
12:       else
13:         relative_importance(v_i^k, k, v_t)
14:       end if
15:     end for
16:   end if
17: end procedure
Algorithm 2 requires the following additional definitions. Let $k_{max}$ denote the maximum temporal length of the relative dependency graph. Let $G_g = (V_g, E_g)$ denote the global dependency graph and let the function $\mathrm{dependencies}(v) = \{v_i \in V_g \mid (v_i, v) \in E_g\}$. That is, $\mathrm{dependencies}(v)$ returns the set of variables on which $v$ depends within 1 temporal frame. Let the function $I_g(v)$ return the global importance score of $v$. Finally, let the function $\mathrm{temporal}(v)$ be satisfied only if assignments to $v$ span multiple temporal frames.
Algorithm 2 begins by checking if $k < k_{max}$. If $k \ge k_{max}$, then the algorithm terminates. Otherwise, for each variable $v_i$ on which $v$ depends, the algorithm adds a new node and edge to $G_r$. The algorithm computes the relative importance score $i_r$ of $v_i^k$ by summing the global importance score of $v_i$ and the relative importance score of $v$ with respect to $v_t$. Next, for each variable $v_i$ on which $v$ depends, the algorithm increases $k$ if $v_i$ is temporal and recurses.
Assertion Importance
An important assertion should have high spatial distance, high temporal distance, and/or cover important execution paths between the satisfaction of its antecedent and consequent. Therefore, we use relative importance scores to compute the importance score of an assertion since they measure these attributes.
Let $p$ denote an assertion, let $V_a$ denote the set of variables in the antecedent of $p$ and let $v_c$ be the variable in the consequent of $p$. We compute the importance score $I(p)$ of $p$ as follows:

$$I(p) = \sum_{v_i \in V_a} I_r(v_i, v_c) \qquad (3.4)$$
Equation 3.4 considers all variables in the antecedent of an assertion equally.
In other words, it makes no diﬀerence how variables are related to one another
via operators. Each variable contributes its relative importance score to an
assertion each time it appears in the assertion’s antecedent.
An assertion’s importance score reﬂects the relative importance of the
variables in its antecedent with respect to the variable in its consequent. A
variable’s relative importance score depends transitively on the relative im-
portance scores of the variables it assigns. Therefore, a variable with a high
relative importance score constitutes an important execution path. Conse-
quently, an assertion’s importance score estimates its important execution
path coverage. As a result, an assertion with a high importance score conveys
behavior that is critical with respect to the design.
3.3.2 Complexity
Assertions with high importance scores might be diﬃcult to understand. To
understand such assertions, a designer might need to parse complex expres-
sions and reason about multiple temporal frames. Consequently, these asser-
tions will have limited use and value. Therefore, we compute the complexity
score of an assertion to convey its understandability.
We compute the complexity score of an assertion in two subphases. The
ﬁrst subphase computes a relative complexity score for each variable in the
assertion’s antecedent. The second subphase uses the relative complexity
scores of the variables in the assertion’s antecedent to compute its complexity
score.
Relative Variable Complexity
We devised relative complexity scores based on the process required to un-
derstand the meaning of an assertion. Suppose a designer would like to
understand the assertion $a \implies XXf$. First, they would need to search the
design for all assignments to f . Next, they would need to transitively parse
the set of assignments that assign to f . The designer would continue this
process until they encountered an assignment that references a. After ﬁnding
all such assignments, the designer would reason about them to understand
how they satisfy the assertion.
We compute a variable’s relative complexity score based on the following
observations. First, understanding the semantics of a variable reference in a
large expression will require more eﬀort than doing so for a small expression.
Therefore, a variable’s relative complexity score should be proportional to the
size of expressions that reference it. Second, understanding the dependence
between variables that are spatially or temporally distant requires more eﬀort
than doing so for those that are spatially or temporally close. Therefore, a
variable’s relative complexity score should depend on variables that it assigns.
Algorithm 3 constructs a relative dependency graph for a target variable
and computes a relative complexity score for each variable in the graph.
Algorithms 2 and 3 share definitions for $G_r$, $v$, $k$, $v_t$, $k_{max}$, $\mathrm{dependencies}(v)$ and $\mathrm{temporal}(v)$. Algorithm 3 requires the following additional definitions. Let the function $\mathrm{expressions}(v)$ return the set of expressions on which $v$ depends within 1 temporal frame. Let the function $\mathrm{sensitivities}(v)$ return the set of expressions that reference $v$.
Algorithm 3 begins by checking if $k < k_{max}$. If $k \ge k_{max}$, then the algorithm terminates. Otherwise, for each variable $v_i$ on which $v$ depends, the algorithm adds a new node and edge to $G_r$. The algorithm computes the relative complexity score $c_r$ of $v_i^k$ by adding the sizes of the expressions in $X \cap S$, which includes the expressions that both assign to $v$ and reference $v_i$, to the relative complexity score of $v$ with respect to $v_t$. Next, for each variable $v_i$ on which $v$ depends, the algorithm increases $k$ if $v_i$ is temporal and recurses.
Algorithm 3 Relative Variable Complexity
1:  procedure relative_complexity(v, k, v_t)
2:    if k < k_max then
3:      X ← expressions(v)
4:      V ← dependencies(v)
5:      for all v_i ∈ V do
6:        S ← sensitivities(v_i)
7:        c_r ← C_r(v, v_t)
8:        for all X_i ∈ X ∩ S do
9:          c_r ← c_r + |X_i|
10:       end for
11:       V_r ← V_r ∪ {(v_i^k, c_r)}
12:       E_r ← E_r ∪ {(v_i^k, v)}
13:     end for
14:     for all v_i ∈ V do
15:       if temporal(v_i) then
16:         relative_complexity(v_i^k, k + 1, v_t)
17:       else
18:         relative_complexity(v_i^k, k, v_t)
19:       end if
20:     end for
21:   end if
22: end procedure
Assertion Complexity
A complex assertion should have high spatial distance, high temporal dis-
tance, and/or cover complex execution paths between the satisfaction of its
antecedent and consequent. Therefore, we use relative complexity scores
to compute the complexity score of an assertion since they measure these
attributes.
Let $p$ denote an assertion, let $V_a$ be the set of variables in the antecedent of $p$ and let $v_c$ be the variable in the consequent of $p$. Let $C_r(v, v_t)$ denote the relative complexity score of variable $v$ with respect to target variable $v_t$. We compute the complexity score $C(p)$ of $p$ as follows:

$$C(p) = \sum_{v_i \in V_a} C_r(v_i, v_c) \qquad (3.5)$$
Equation 3.5 considers all variables in the antecedent of an assertion equally.
In other words, it makes no diﬀerence how variables are related to one another
via operators. Each variable contributes its relative complexity score to an
assertion each time it appears in the assertion’s antecedent.
An assertion’s complexity score reﬂects the relative complexity of the vari-
ables in its antecedent with respect to the variable in its consequent. A
variable’s relative complexity score depends transitively on the relative com-
plexity scores of the variables it assigns. Therefore, a variable with a high rel-
ative complexity score constitutes a complex execution path. Consequently,
an assertion’s complexity score estimates its complex execution path cover-
age. As a result, an assertion with a high complexity score conveys behavior
that is diﬃcult to understand with respect to the design.
3.3.3 Rank
Assertion importance and complexity scores are ideal for estimating the value
of an assertion. If a designer evaluated a set of assertions based on their
importance and complexity, then they would prefer assertions that maximize
importance with respect to complexity. We utilize this idea to compute the
rank score of an assertion.
Let $p$ denote an assertion. We compute the rank score $R(p)$ of $p$ as follows:

$$R(p) = \frac{I(p)}{C(p)} \qquad (3.6)$$
Equation 3.6 is simple but eﬀective. Intuitively, an assertion that conveys
the most important behavior in the least complex way should have greater
value than any other assertion.
Assertion rank scores do not evaluate the semantics of an assertion. Such
an analysis would be subjective and arbitrary. Instead, the assertion rank
computation relies on the structural analysis techniques used by the assertion
importance and complexity computations to compute an assertion’s rank
score. Consequently, the computation is general, consistent and eﬃcient. In
addition, it is not limited by assertions with complicated semantics.
3.3.4 Ideality
Assertion rank scores are absolute. This raises a question regarding the
existence of an ideal assertion. An ideal assertion is one whose rank score is
equal to the maximum assertion rank score for a given target variable and
temporal bound. We can use the ideal assertion’s rank score to compute
another assertion’s ideality score.
Let $V$ denote the finite set of variables target variable $v_t$ depends on within temporal bound $k$. Let $p^\ast$ denote the ideal assertion for $v_t$ and $k$. Based on equation 3.6, the rank score of $p^\ast$ has the following form, for some subset $V' \subseteq V$:

$$R(p^\ast) = \frac{\sum_{v_i \in V'} I_r(v_i, v_t)}{\sum_{v_i \in V'} C_r(v_i, v_t)} \qquad (3.7)$$

We can compute $R(p^\ast)$ by selecting the subset $V'$ of $V$ that maximizes equation 3.7. Next, we prove that $V'$ includes only the variable with the maximum relative importance score to complexity score ratio.

Let $v \in V$ denote the variable with the maximum relative importance score to complexity score ratio. Let $R_r(v, v_t) = \frac{I_r(v, v_t)}{C_r(v, v_t)}$ denote the relative rank score of $v$ with respect to $v_t$. We would like to prove $V' = \{v\}$, given $R_r(v, v_t) \ge R_r(v_i, v_t)\ \forall v_i \in V$. To do so, we must show that including another variable in $V'$ can only decrease $R(p^\ast)$. Therefore, we must prove the following.

$$\Big(R_r(v, v_t) \ge R_r(v_i, v_t) \implies R_r(v, v_t) \ge \frac{I_r(v, v_t) + I_r(v_i, v_t)}{C_r(v, v_t) + C_r(v_i, v_t)}\Big), \quad \forall v_i \in V$$

Proof. Let $I$, $C$ and $R$ denote $I_r(v, v_t)$, $C_r(v, v_t)$ and $R_r(v, v_t)$ respectively. Let $I_i$, $C_i$ and $R_i$ denote $I_r(v_i, v_t)$, $C_r(v_i, v_t)$ and $R_r(v_i, v_t)$ for any $v_i \in V$ respectively. Now, all complexity scores being positive,

$$
\begin{aligned}
R &\ge R_i \\
\frac{I}{C} &\ge \frac{I_i}{C_i} \\
I \cdot C_i &\ge I_i \cdot C \\
I \cdot C_i + I \cdot C &\ge I_i \cdot C + I \cdot C \\
I \cdot (C + C_i) &\ge C \cdot (I + I_i) \\
\frac{I}{C} &\ge \frac{I + I_i}{C + C_i}
\end{aligned}
$$
Let $p$ denote an assertion. We compute the ideality score $\iota(p)$ of $p$ as follows:

$$\iota(p) = \frac{R(p)}{R(p^\ast)} \qquad (3.8)$$
Equation 3.8 normalizes an assertion’s rank score with respect to the ideal
assertion’s rank score. Consequently, an assertion’s ideality score conveys its
completeness with respect to the design.
3.3.5 Example
In this section, we revisit the 2-port arbiter example from section 3.1. We
would like to rank the following set of assertions.
a0: ( req2 == 1 && gnt_ == 1 ) ##1 ( req1 == 1 ) |-> ( gnt1 == 1 )
a1: ( req1 == 0 ) ##1 ( req1 == 1 ) |-> ( gnt1 == 1 )
a2: ( req1 == 0 ) |-> ( gnt1 == 0 )
a3: ( req1 == 1 && req2 == 0 ) |-> ( gnt1 == 1 )

[Figure 3.3 node labels as recovered from the figure: req1 Ig = 0.09; req2 Ig = 0.09; gnt_ Ig = 0.24; gnt1 Ig = 0.20; gnt2 Ig = 0.20; clk Ig = 0.09; rst Ig = 0.09. Several edges carry the weights 2 and 7; the remaining edge weights are not recoverable here.]
Figure 3.3: The global dependency graph for the 2-port arbiter. Each node's Ig value denotes its global importance score.
Assertions a0 and a1 express nontrivial temporal properties while a2 and
a3 express trivial combinational properties. Therefore, we expect both the
importance and complexity scores of a0 and a1 to be higher than those of a2
and a3.
Figure 3.3 shows the global dependency graph for the arbiter. Each node in
the graph is labeled with its respective variable and global importance score.
Edge weights denote the number of dependencies between two variables. For
example, since gnt1 depends on req1 in both lines 19 and 24 of the Verilog,
the weight of edge (req1, gnt1) is equal to 2. The weights of edges without a
speciﬁed weight are equal to 1.
We discuss algorithms 2 and 3 simultaneously since they are similarly structured and share definitions. Figure 3.4 depicts the relative dependency graph constructed for gnt1 by both algorithms. Since the maximum temporal length of all assertions is equal to 2, $k_{max} = 2$. The algorithms begin with $v$ = gnt1, $k = 0$ and $v_t$ = gnt1. Line 2 checks if $k < k_{max}$. Since $k < k_{max}$, the algorithms continue.

Line 3 of algorithm 3 initializes $X$ to the set of expressions that assign gnt1 within 1 temporal frame. Therefore, $X$ = {gnt_, req1 & ~req2, req1}. Line 3 (4) in algorithm 2 (3) initializes $V$ to the set of variables that assign gnt1 within 1 temporal frame. Therefore, $V$ = {req1, req2, gnt_}. Lines 4 (5) through 8 (13) add nodes for each of these variables to the relative dependency graph.

[Figure 3.4 node labels as recovered from the figure: gnt1 Ir = 0.20, Cr = 0.00; req1 Ir = 0.49, Cr = 3.00; req2 Ir = 0.29, Cr = 2.00; gnt_ Ir = 0.63, Cr = 2.00; [1]gnt1 Ir = 0.83, Cr = 3.00; [1]req1 Ir = 1.75, Cr = 6.00; [1]req2 Ir = 0.92, Cr = 5.00; [1]gnt_ Ir = 1.89, Cr = 5.00. Four edges carry weight 2.]
Figure 3.4: The relative dependency graph for gnt1. Each node's Ir and Cr values denote its relative importance and complexity scores.
Consider req1. In algorithm 2, line 5 computes the relative importance score of req1 as $I_r(\text{req1}, \text{gnt1}) = 2 \cdot 0.20 + 0.09 = 0.49$. Since gnt1 references req1 in two assignments, gnt1 contributes its relative importance score to the relative importance score of req1 twice. In algorithm 3, line 6 initializes $S$ to the set of expressions that reference req1. Therefore, $S$ = {req1 & ~req2, req1}. Line 8 computes $X \cap S = S$ and lines 8 through 10 compute the relative complexity score of req1 as $C_r(\text{req1}, \text{gnt1}) = 2 + 1 = 3$.

Lines 9 (14) through 15 (20) recurse algorithm 2 (3). Since req1 and req2 are inputs, they do not depend on any variables. Therefore, the algorithms will terminate in each of these recursive calls. When the algorithms recurse on gnt_, they will increment $k$ since gnt_ is temporal. Algorithms 2 and 3 terminate when $k \ge k_{max}$ or when $V = \emptyset$.
Next, we compute the importance score of each assertion as follows:

$I(a_0) = 0.92 + 1.89 + 0.49 = 3.30$
$I(a_1) = 2.24$
$I(a_2) = 0.49$
$I(a_3) = 0.72$

Similarly, we compute the complexity score of each assertion as follows:

$C(a_0) = 5.00 + 5.00 + 3.00 = 13.00$
$C(a_1) = 9.00$
$C(a_2) = 3.00$
$C(a_3) = 5.00$

Finally, we compute the rank score of each assertion as follows:

$R(a_0) = I(a_0) / C(a_0) = 0.254$
$R(a_1) = I(a_1) / C(a_1) = 0.249$
$R(a_2) = I(a_2) / C(a_2) = 0.163$
$R(a_3) = I(a_3) / C(a_3) = 0.144$
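Algorithms 2 and 3 together with equations 3.4 to 3.8, carried out on the gnt1 example above as an added Python example rather than GoldMine's C++ code: the per-variable assignment lists, the modelling of gnt_ as a registered copy of gnt1, and the two-decimal Ig values are assumptions read off the text and figures, and the resulting scores reproduce Figure 3.4 up to that rounding.

```python
from typing import Dict, List, Set, Tuple

# Constructed from the worked example (an assumption where the text is
# silent): for each variable, the expressions that assign it within one
# temporal frame, each given as the list of variables it references.  gnt1 is
# assigned in two lines that test gnt_, one using req1 & ~req2 and one using
# req1; gnt_ is modelled as a registered copy of gnt1 and is the only
# temporal variable, which matches the nodes of Figure 3.4.
ASSIGNMENTS: Dict[str, List[List[str]]] = {
    "gnt1": [["gnt_"], ["gnt_"], ["req1", "req2"], ["req1"]],
    "gnt_": [["gnt1"]],
    "req1": [],
    "req2": [],
}
TEMPORAL: Set[str] = {"gnt_"}
# Global importance scores as labelled in Figure 3.3 (rounded to 2 places).
IG: Dict[str, float] = {"gnt1": 0.20, "gnt_": 0.24, "req1": 0.09, "req2": 0.09}

# Each antecedent is a list of (variable, frames before the consequent),
# so "[1]req2" of Figure 3.4 is ("req2", 1).
ASSERTIONS: Dict[str, List[Tuple[str, int]]] = {
    "a0": [("req2", 1), ("gnt_", 1), ("req1", 0)],
    "a1": [("req1", 1), ("req1", 0)],
    "a2": [("req1", 0)],
    "a3": [("req1", 0), ("req2", 0)],
}

Node = Tuple[str, int]               # (variable, temporal index k)


def relative_scores(target: str, kmax: int) -> Dict[Node, Tuple[float, float]]:
    """Algorithms 2 and 3 in one depth-first pass over the relative
    dependency graph of `target`; returns {(v, k): (I_r, C_r)}.

    Every expression that assigns v and references v_i adds I_r(v) to
    I_r(v_i^k) and its size (number of variable references) to C_r(v_i^k),
    so both scores accumulate along the path from the target.
    """
    scores: Dict[Node, Tuple[float, float]] = {(target, 0): (IG[target], 0.0)}

    def visit(v: str, k: int, ir_v: float, cr_v: float) -> None:
        if k >= kmax:                          # temporal bound reached
            return
        children: Dict[str, Tuple[float, float]] = {}
        for expr in ASSIGNMENTS[v]:
            for vi in set(expr):               # expr lies in X ∩ sensitivities(vi)
                ir, cr = children.get(vi, (IG[vi], cr_v))
                children[vi] = (ir + ir_v, cr + len(expr))
        for vi, (ir, cr) in children.items():
            scores[(vi, k)] = (ir, cr)         # V_r ← V_r ∪ {(v_i^k, scores)}
        for vi, (ir, cr) in children.items():
            visit(vi, k + 1 if vi in TEMPORAL else k, ir, cr)

    visit(target, 0, IG[target], 0.0)
    return scores


def rank_assertions(target: str, kmax: int,
                    assertions: Dict[str, List[Tuple[str, int]]] = ASSERTIONS
                    ) -> Dict[str, Dict[str, float]]:
    """Equations 3.4 to 3.8 for every assertion whose consequent is `target`."""
    rel = relative_scores(target, kmax)
    # Ideal rank (3.7): the single node with the best I_r / C_r ratio; the
    # target's own node has C_r = 0 and cannot appear in an antecedent.
    ideal = max(ir / cr for _, (ir, cr) in rel.items() if cr > 0)
    result: Dict[str, Dict[str, float]] = {}
    for name, antecedent in assertions.items():
        importance = sum(rel[node][0] for node in antecedent)     # (3.4)
        complexity = sum(rel[node][1] for node in antecedent)     # (3.5)
        rank = importance / complexity                            # (3.6)
        result[name] = {"I": importance, "C": complexity,
                        "R": rank, "ideality": rank / ideal}      # (3.8)
    return result


if __name__ == "__main__":
    for name, s in rank_assertions("gnt1", 2).items():
        print(f"{name}: I={s['I']:.2f} C={s['C']:.2f} "
              f"R={s['R']:.3f} ideality={s['ideality']:.3f}")
```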
3.4 Case Study
In this section we qualitatively analyze a set of ranked assertions. We used
GoldMine to generate assertions for the Peripheral Component Interconnect
(PCI) bridge master state machine. We used the methodology in section 3.3
to rank the assertions. Figure 3.5 shows the relevant Verilog source code for
the PCI bridge master state machine module.
The PCI bridge connects a PCI host device with a PCI bus. The master
state machine of the PCI bridge is responsible for executing requests to target
devices. To execute a request, the state machine acquires control of the PCI
bus. Next, the state machine broadcasts the target address and command,
and waits for the target to respond. Finally, the state machine transfers data
between the host and target.
We analyze the highest and lowest ranked assertions for output
pci_frame_en_out from the master state machine. Output pci_frame_en_out
is the enable signal for pci_frame_out. Output pci_frame_out signals that
the master state machine is transferring data on the bus. During a transfer,
pci_frame_out should be enabled unless a master abort occurs.
 1 module pci_master32_sm(input clk_in, reset_in, pci_gnt_in, pci_frame_in,
 2                        pci_frame_out_in, pci_irdy_in, pci_trdy_in,
 3                        pci_stop_in, req_in, rdy_in,
 4                        output pci_frame_out, pci_frame_en_out);
 5   reg sm_idle;
 6   reg sm_address;
 7   reg sm_data_phases;
 8   reg sm_turn_arround;
 9
10   wire u_dont_have_pci_bus = pci_gnt_in || ~pci_frame_in || ~pci_irdy_in;
11   wire u_have_pci_bus = ~pci_gnt_in && pci_frame_in && pci_irdy_in;
12
13   wire frame_en_slow = (sm_idle && u_have_pci_bus && req_in && rdy_in) ||
14                        sm_address || (sm_data_phases && ~pci_frame_out_in);
15   wire frame_en_keep = sm_data_phases && pci_frame_out_in && ~mabort1 && ~mabort2;
16   assign pci_frame_en_out = frame_en_slow ||
17                             frame_en_keep && pci_stop_in && pci_trdy_in;
18
19   reg [3:0] cur_state;
20   reg [3:0] next_state;
21
22   parameter S_IDLE = 4'h1 ;
23   parameter S_ADDRESS = 4'h2 ;
24   parameter S_TRANSFER = 4'h4 ;
25   parameter S_TA_END = 4'h8 ;
26
27   wire ch_state_slow = sm_address || sm_turn_arround ||
28                        sm_data_phases && (pci_frame_out_in && mabort1 || mabort2);
29   wire ch_state_med = ch_state_slow ||
30                       sm_idle && u_have_pci_bus && req_in && rdy_in;
31   wire change_state = ch_state_med ||
32                       sm_data_phases && (~(pci_trdy_in && pci_stop_in));
33
34   always @ (posedge reset_in or posedge clk_in)
35   begin
36     if (reset_in)
37       cur_state <= S_IDLE;
38     else if (change_state)
39       cur_state <= next_state;
40   end
41
42   always @ (cur_state or do_write or pci_frame_out_in)
43   begin
44     sm_idle = 1'b0 ;
45     sm_address = 1'b0 ;
46     sm_data_phases = 1'b0 ;
47     sm_turn_arround = 1'b0 ;
48
49     case (cur_state)
50       S_IDLE:
51       begin
52         sm_idle = 1'b1 ;
53         next_state = S_ADDRESS ;
54       end
55
56       S_ADDRESS:
57       begin
58         sm_address = 1'b1 ;
59         next_state = S_TRANSFER ;
60       end
61
62       S_TRANSFER:
63       begin
64         sm_data_phases = 1'b1 ;
65         if (pci_frame_out_in)
66           next_state = S_TA_END ;
67         else
68           next_state = S_TRANSFER ;
69       end
70
71       S_TA_END:
72       begin
73         sm_turn_arround = 1'b1 ;
74         next_state = S_IDLE ;
75       end
76
77       default:
78         next_state = S_IDLE ;
79     endcase
80   end
81 endmodule
Figure 3.5: An implementation of the PCI bridge master state machine.
GoldMine generated 36 true assertions for pci_frame_en_out — ranked as
follows:
a1: ( cur_state[3] == 1 ) ##1 ( rdy_in == 0 ) |-> ( pci_frame_en_out == 0 )
a36: ( rdy_in == 0 ) ##1 ( pci_frame_out_in == 1 && pci_trdy_in == 0 && rdy_in == 0 ) |-> ( pci_frame_en_out == 0 )
Assertions a1 and a36 were the highest and lowest ranked assertions respec-
tively. We justify this ranking and show the diﬀerence in quality between
these assertions.
Assertion a1 expresses the property if the state machine’s current state is
turn around and one cycle later the host is not ready to send or receive data,
then disable pci_frame_out.
Consider the ﬁrst cycle of a1. The proposition cur_state[3] == 1 conveys
that the design’s current state is turn around. Careful inspection of the
Verilog reveals that the design will change state only if signal change_state
is asserted. Lines 43 through 48 reveal that since the design’s current state is
turn around, change_state is asserted. Consequently, the design’s next state
is idle.
Consider the second cycle of a1. Since the design’s current state is idle,
the proposition rdy_in == 0 ensures that frame_en_slow is not asserted on
line 29. In addition, frame_en_keep is not asserted on line 30. Since both
frame_en_slow and frame_en_keep are not asserted, pci_frame_en_out is not
asserted on lines 32 and 33. Therefore, pci_frame_out will be disabled.
Assertion a36 expresses the property if the host is not ready to transfer data
and one cycle later the host is still not ready to transfer data and the target
is not ready to transfer data and the master state machine is not transferring
data, then disable pci_frame_out.
Consider the second cycle of a36. The proposition pci_trdy_in == 0 en-
sures that the second disjunctive term on line 33 is not asserted. Therefore,
we consider the logic for frame_en_slow on lines 29 through 30. The propositions rdy_in == 0 and pci_frame_out_in == 1 ensure that the first and third disjunctive terms on lines 29 through 30 are not asserted. Therefore,
pci_frame_en_out is asserted only if the design’s current state is address.
Consequently, pci_frame_en_out is asserted only if the design’s previous
state was idle.
Consider the ﬁrst cycle of a36. The proposition rdy_in == 0 ensures
that change_state on lines 47 through 48 is not asserted. Since the de-
sign’s current state is idle, the second disjunctive term on line 48 is not
asserted. Therefore, we consider the logic for ch_state_med on lines 45
through 46. The proposition rdy_in == 0 ensures that the second disjunc-
tive term on line 46 is not asserted. Therefore, we consider the logic for
ch_state_slow on lines 43 through 44. Since the design’s current state is
idle, ch_state_slow is not asserted. Since the design’s current state is idle
and change_state is not asserted, the design’s next state cannot be address.
Therefore, pci_frame_en_out will not be asserted and pci_frame_out will be
disabled.
Assertion a1 is consistent with PCI speciﬁcation. In addition, it is not
trivial recitation of the Verilog. In contrast, a36 is convoluted with respect
to the PCI speciﬁcation. While the assertion is not a trivial recitation of the
Verilog, it is diﬃcult to understand. Hence, a1 is ranked higher than a36.
Intuitively, a veriﬁcation engineer would consider a1 more valuable than a36.
3.5 Experimental Results
In this section we present experimental results for the assertion ranking
methodology. We used GoldMine to generate 260 assertions for the PCI
bridge master state machine. We used the assertion ranking methodology to
rank the assertions.
3.5.1 Global Variable Importance
Output                    Positional Rank   Percentile
pci_ad_out                      3             98.1203
pci_cbe_out                     5             96.6165
pci_frame_en_out               14             89.8496
pci_cbe_en_out                 15             89.0977
pci_frame_out                  19             86.0902
pci_irdy_out                   21             84.5865
pci_frame_load_out             22             83.8346
pci_ad_en_out                  23             83.0827
ad_load_out                    26             80.8271
retry_out                      27             80.0752
data_out                       35             74.0602
rtransfer_out                  47             65.0376
first_out                      52             60.5263
wait_out                       56             57.5188
pci_irdy_en_out                58             56.015
ad_load_on_transfer_out        61             53.0075
rerror_out                     62             52.2556
pci_req_out                    70             44.7368
mabort_out                     71             43.985
wtransfer_out                  81             30.0752
Figure 3.6: The positional rank and positional rank percentile of each output based upon the output's global importance score.
The ﬁrst experiment validates the global variable importance computation.
Figure 3.6 shows the positional rank and positional rank percentile of each
output in the PCI bridge master state machine. A variable’s positional rank
is equal to its numerical position in a list of all variables descendingly ordered
according to their global importance scores. In general, ﬁgure 3.6 shows that
output variables are ranked highly.
3.5.2 Ranking
[Figure 3.7, a scatter plot titled "Complexity versus Importance": x-axis Importance, 0 to 300; y-axis Complexity, 0 to 90.]
Figure 3.7: Assertion complexity as a function of importance.
The next set of experiments validates the rank score computation. Figure 3.7 correlates assertion importance and complexity. The figure shows that assertion importance correlates only weakly with complexity. Therefore, despite the similarity of algorithms 2 and 3, assertion importance and complexity are not dual metrics.
[Figure 3.8, a chart titled "Comparison of Average Antecedent Size for all Rankings": x-axis Percentile of Ranking (99%, 95%, 90%, 75%, 50%); y-axis Average Antecedent Size, 0 to 4; series Importance Ranking, Complexity Ranking and Rank Ranking.]
Figure 3.8: The average antecedent size of assertions in the 99th, 95th, 90th, 75th and 50th importance, complexity and rank percentiles.

[Figure 3.9, a chart titled "Comparison of Average Temporal Length for all Rankings": x-axis Percentile of Ranking (99%, 95%, 90%, 75%, 50%); y-axis Average Temporal Length, 0 to 2.0; series Importance Ranking, Complexity Ranking and Rank Ranking.]
Figure 3.9: The average temporal length of assertions in the 99th, 95th, 90th, 75th and 50th importance, complexity and rank percentiles.
Figures 3.8 and 3.9 show the average antecedent size and temporal length of assertions in the 99th, 95th, 90th, 75th and 50th importance, complexity and rank percentiles. We observe the following from these figures. First, assertions that have high importance also have high antecedent sizes and high temporal length. Second, assertions that have low complexity also have low antecedent sizes and low temporal length. Finally, assertions that have high rank also have moderate antecedent sizes and high temporal length.
[Figure 3.10, a chart titled "Average Importance for Rank Ranking": x-axis Percentile of Ranking (99%, 95%, 90%, 75%, 50%); y-axis Average Importance, 0 to 300.]
Figure 3.10: The average importance score of assertions in the 99th, 95th, 90th, 75th and 50th rank percentile.

[Figure 3.11, a chart titled "Average Complexity for Rank Ranking": x-axis Percentile of Ranking (99%, 95%, 90%, 75%, 50%); y-axis Average Complexity, 0 to 60.]
Figure 3.11: The average complexity score of assertions in the 99th, 95th, 90th, 75th and 50th rank percentile.
Figures 3.10 and 3.11 show the average importance and complexity of
assertions in the 99th, 95th, 90th, 75th and 50th rank percentile. We observe the following from these figures. First, assertions that have high rank also
have high importance. Second, assertions that have high rank also have low
complexity. Finally, assertions that have high rank will not necessarily have
the highest importance.
3.5.3 Ideality
Target                    Minimum Ideality   Median Ideality   Maximum Ideality
pci_irdy_out              0.809296           0.809407          0.809519
wtransfer_out             1                  1                 1
pci_ad_en_out             0.00137253         0.394661          0.792062
pci_frame_load_out        1                  1                 1
pci_cbe_en_out            0.0296962          0.373479          0.67663
pci_irdy_en_out           1                  1                 1
pci_frame_out             0.408212           0.424985          1
wait_out                  1                  1                 1
first_out                 0.888156           1                 1
rerror_out                1                  1                 1
pci_frame_en_out          0.0297634          0.36018           0.618062
retry_out                 0.117951           0.117951          0.117951
ad_load_on_transfer_out   0.072491           0.503257          1
ad_load_out               0.0530941          0.0579914         0.7411
pci_req_out               0.0684741          0.377218          0.844746
rtransfer_out             1                  1                 1
Figure 3.12: The ideality score of the lowest, middle, and highest ranked true assertions for each target variable.
Figure 3.12 shows the ideality of the lowest, middle and highest ranked true
assertions for each target variable. For most target variables, GoldMine was
able to generate an ideal or nearly ideal assertion. GoldMine was unable to
generate an ideal assertion for retry_out.
CHAPTER 4
ASSERTION RANK AGGREGATION
In chapter 3, we introduced an assertion ranking methodology. Though ef-
fective, the methodology considers only two parameters — importance and
complexity. Consequently, the methodology might misjudge an assertion’s
value. For example, if a designer cares only about an assertion’s impor-
tance and coverage regardless of its complexity, then the assertion ranking
methodology will be ineﬀective.
In this chapter, we introduce an assertion rank aggregation methodology.
Rank aggregation algorithms combine ranking results from various sources to
generate an optimal ranking [22, 23]. Rank aggregation algorithms are capa-
ble of combining an arbitrary number of rankings. The proposed methodol-
ogy aggregates assertion rankings for importance, complexity, coverage and
expectedness.
4.1 Related Work and Background
Consider a Verilog design with variables $V$; we refer to it as the target design. We define a simulation $S$ of the target design as follows. Let $\mathbb{B} = \{0, 1\}$ denote the Boolean number set. Let $S$ be a set of Boolean vectors and let $s \in S$ be a Boolean vector in $\mathbb{B}^{|V|}$ that assigns a Boolean value to each $v \in V$. Let $s(v)$ denote the value of variable $v$ in $s$.
4.1.1 Assertion Coverage
Assertion coverage estimates the fraction of design functionality covered by an assertion. Previous work [53, 54] has proposed methods to compute the fraction of the state space covered by an assertion. However, these methods are intractable since they must enumerate the entire state space of the design. In [55], the authors propose the correctness based coverage algorithm to compute the fraction of RTL statements covered by an assertion.

The correctness based coverage algorithm computes the set of statements executed after the satisfaction of an assertion's antecedent. If an executed statement transitively satisfies the assertion's consequent, then the assertion covers that statement. The algorithm proceeds as follows. Let $p$ denote an assertion with temporal length $k$. First, the algorithm initializes $S$ so that it satisfies the antecedent of $p$. Next, the algorithm performs an event-based simulation of the target design for $k$ temporal frames. During simulation, the algorithm records the statement that assigns each $v \in V$ in each temporal frame. Finally, the algorithm adds the transitive set of statements that satisfied each proposition in the consequent of $p$ to the set of statements it covers.
4.1.2 Rank Aggregation
Overview
Social choice theory establishes the theoretical basis for rank aggregation.
Informally, social choice theory analyzes the problem of using individual
preferences to make a collective decision. Social choice theory dates back
to the late eighteenth century. Seminal works include those of Borda [56],
Condorcet [57], and Arrow [58].
We formalize rank aggregation as follows. Let $X$ denote a finite set of $n$ alternatives, let $\succ$ denote an ordering relation on $X$ and let $\tau = [x_1 \succ x_2 \succ \cdots \succ x_n]$ be an ordering of the alternatives in $X$. We refer to $\tau$ as a ranking. Let $\tau(x_i)$ denote the position of $x_i$ in ranking $\tau$. We refer to $\tau(x_i)$ as the rank of $x_i$. Let $T$ denote a finite set of rankings of the alternatives in $X$. Rank aggregation uses the rankings in $T$ to find an optimal ranking $\tau_a$.
Properties
There has been considerable research regarding the desirable properties of a
rank aggregation. In [57], Condorcet proposed that the winning alternative
should be the one preferred by the majority of voters in pairwise contests
against all other alternatives. Rank aggregation methods that can ﬁnd such
an alternative satisfy the Condorcet criterion.
In [59], Truchon proposed an extension to the Condorcet criterion. Suppose
we partitioned the alternatives into subsets Y and Z. In addition, suppose
that for any y ∈ Y and z ∈ Z, the majority of voters prefer y over z.
Rank aggregation methods that can ﬁnd such a partition satisfy the extended
Condorcet criterion. The extended Condorcet criterion is less strict than the
Condorcet criterion.
In [58], Arrow proposed a set of desirable properties for rank aggregation
methods and proved that no method choosing between more than 2 alter-
natives can satisfy the properties simultaneously. Social choice theory refers
to this result as Arrow’s impossibility theorem. Arrow’s impossibility theo-
rem implies that a “perfect” rank aggregation method cannot exist. In other
words, all rank aggregation methods will be unfair in some sense.
Arrow’s criteria included non-dictatorship, unrestricted-domain, indepen-
dence of irrelevant attributes, and Pareto eﬃciency. We summarize these
criteria as follows:
• Non-dictatorship — a rank aggregation method should consider the
preferences of each ranking equally.
• Unrestricted-domain — a rank aggregation method should consider the
preferences of all rankings.
• Independence of irrelevant attributes — a rank aggregation method’s
preference between alternatives x1 and x2 should depend only on the
rankings’ preferences between x1 and x2.
• Pareto eﬃciency — a rank aggregation method should prefer x1 over
x2 if all rankings prefer x1 over x2.
Distance Measures
The Spearman footrule distance and Kendall tau distance are the most com-
mon measures used to quantify the distance between a pair of rankings.
The Spearman footrule distance computes the absolute diﬀerence in an al-
ternative’s rank between a pair of rankings and sums this quantity for all
alternatives. Formally, we compute the Spearman footrule distance S( , )
between rankings  and  as follows:
S( , ) = Σ_{x_i ∈ X} | (x_i) − (x_i) |   (4.1)
The Kendall tau distance computes the number of pairwise disagreements
between a pair of rankings. The Kendall tau distance is also known as the
“bubble sort” distance since it computes the number of swaps required by
the bubble sort algorithm to transform one ranking into another. Formally,
we compute the Kendall tau distance K( , ) between rankings  and  as
follows:
K( , ) = | { (x_i, x_j) | i < j, sgn((x_i) − (x_j)) ≠ sgn((x_i) − (x_j)) } |   (4.2)
Methods
In [56], Borda proposed a simple rank aggregation method known as the
Borda count method. The Borda count method computes a Borda score
B(x) for each alternative x_i ∈ X. We define B(x) as follows:
B(x) = Σ_{i ∈ T} i(x)   (4.3)
The Borda count method aggregates the rankings in T by ascendingly or-
dering the alternatives in X according to their Borda scores. The Borda
count method satisﬁes neither the Condorcet nor the extended Condorcet
criteria. In addition, previous work has shown that this method is relatively
ineﬀective [22].
In [60], Kemeny proposed a rank aggregation method known as Kemeny-
Young method. The Kemeny-Young method computes a Kemeny optimal
aggregation by minimizing the sum of the Kendall tau distances between the
aggregation and rankings. This method satisﬁes the Condorcet, extended
Condorcet, non-dictatorship, unrestricted-domain and Pareto eﬃciency cri-
teria. Consequently, the Kemeny-Young method computes a high-quality
aggregation. However, it is computationally prohibitive when | X | > 3 [22].
4.2 Methodology
In this section, we detail the assertion rank aggregation methodology. The
methodology consists of three phases. The ﬁrst phase computes a set of rank-
ings for a set of assertions. The second phase computes a rank aggregation
for the assertions. The ﬁnal phase uses a process called local Kemenization
to optimize the aggregation.
4.2.1 Ranking
The ﬁrst phase of the rank aggregation methodology computes a set of rank-
ings for the assertions. In general, this phase will depend highly on the
metrics selected for aggregation. We compute an assertion rank aggrega-
tion using four metrics — assertion importance, complexity, coverage and
expectedness. We detail assertion importance and complexity in chapter 3.
In short, assertion importance and complexity estimate the importance and
understandability of the behavior conveyed by an assertion respectively.
Coverage
We modify the correctness-based coverage algorithm to consider only the set
of assignments covered by an assertion. Let  denote the total number of
assignments in  and let p denote the number of assignments covered by p.
We compute the coverage R(p) of p as follows:
R(p) =
p

(4.4)
Since each assignment constitutes an execution path in the design, equation
4.4 eﬀectively computes an assertion’s execution path coverage.
Expectedness
Assertion expectedness estimates the probability that an assertion’s antecedent
will be satisﬁed — assuming the design’s inputs vary uniform-randomly. As-
sertions with low expectedness convey design behavior that occurs rarely.
Consequently, we rank assertions with low expectedness higher than those
with high expectedness. We use simulation techniques to estimate an asser-
tion’s expectedness.
Let p denote an assertion and let A denote the set of propositions in the
antecedent of p. We compute the expectedness E(p) of p as follows:
E(p) = | { s ∈ S | ∀(v, b) ∈ A, s(v) = b } | / | S |   (4.5)
Equation 4.5 computes an assertion’s simulation trace coverage.
4.2.2 Aggregation
We use the footrule aggregation algorithm to aggregate a set of assertion
rankings since it computes an aggregation that approximates that of the
Kemeny-Young method [22]. Let a denote a rank aggregation of n assertions.
Let G = (P, R, E) denote a bipartite graph with nodes P and R and weighted
edges E. Each node p ∈ P denotes an assertion and each node r ∈ R denotes
one of n available ranks in a. Note that a perfect matching for G implicitly
deﬁnes an assertion ranking.
Let T denote a set of assertion rankings. We compute the weight W(p, r)
of edge (p, r) ∈ E as follows:
W(p, r) = Σ_{i ∈ T} | i(p) − r |   (4.6)
We explain the intuition behind equation 4.6 as follows. Suppose we assigned
assertion p to rank r in a hypothetical a. For each i ∈ T, equation 4.6
computes the Spearman footrule distance between r and i(p). Because the
equation’s final result is equal to the sum of these distances, it effectively
computes the cost of assigning assertion p to rank r in a hypothetical a.
An optimal assertion rank aggregation will minimize W(p, r) for each
p ∈ P. Therefore, we would like to compute a minimum cost perfect matching
for G. Such a matching will implicitly define an optimal assertion rank
aggregation. We use the Kuhn-Munkres algorithm [61] to compute a mini-
mum cost perfect matching for G. Since this algorithm is well-documented,
we do not detail it here.
4.2.3 Local Kemenization
We use a process called local Kemenization [22, 23] to optimize the asser-
tion rank aggregation. Local Kemenization transforms an aggregation into
a locally Kemeny optimal aggregation. Such an aggregation is a relaxation
of a Kemeny optimal aggregation and is guaranteed to satisfy the extended
Condorcet criterion. Unlike the Kemeny-Young aggregation method, local
Kemenization is computationally tractable.
Let K(a; T ) denote the sum of the Kendall tau distances between a and
the rankings in T . Aggregation a is locally Kemeny optimal if swapping
an adjacent pair of assertions in a cannot reduce K(a; T ). Consequently,
we can locally Kemenize a by swapping adjacent pairs of assertions in the
aggregation until K(a; T ) cannot be reduced further.
4.2.4 Example
We present an example of the assertion rank aggregation methodology. Let
p0, p1 and p2 denote assertions and let 0 = [p0  p1  p2], 1 = [p1  p0  p2]
and 2 = [p2  p1  p0] denote rankings for p0, p1 and p2. The rank
aggregation methodology computes W(p, r) for each assertion and rank as
follows:
W(p0, 0) = | 0(p0) − 0 | + | 1(p0) − 0 | + | 2(p0) − 0 | = 0 + 1 + 2 = 3
W(p0, 1) = 2
W(p0, 2) = 3
W(p1, 0) = 2
W(p1, 1) = 1
W(p1, 2) = 4
W(p2, 0) = 4
W(p2, 1) = 3
W(p2, 2) = 2
Next, the rank aggregation methodology uses the Kuhn-Munkres algo-
rithm to compute a. Figure 4.1 shows an example of the algorithm. The
left bipartite graph in the figure uses each W(p, r) value to define all rank
aggregations. The algorithm optimizes the left graph until the right bipartite
graph in figure 4.1 remains. The right graph uses an optimal set of W(p, r)
values to define a = [p1  p0  p2].
Figure 4.1: An example of the Kuhn-Munkres algorithm. The left bipartite
graph uses each W(p, r) value to define all rank aggregations. The right
bipartite graph uses an optimal set of W(p, r) values to define
a = [p1  p0  p2].
Next, the rank aggregation methodology locally Kemenizes a. The methodology
computes K(a, T) as follows:
K(a, 0) = | {(p0, p1)} | = 1
K(a, 1) = 0
K(a, 2) = 2
K(a, T) = K(a, 0) + K(a, 1) + K(a, 2) = 3
The rank aggregation methodology checks whether or not swapping any
adjacent pair of assertions in a will reduce K(a, T). The methodology
computes K( 0a = [p0  p1  p2], T) as follows:
K( 0a, 0) = 0
K( 0a, 1) = 1
K( 0a, 2) = 3
K( 0a, T) = 4
Since K( 0a, T) ≮ K(a, T), the rank aggregation methodology tries swap-
ping another adjacent pair of assertions in a. The methodology computes
K( 0a = [p1  p2  p0], T) as follows:
K( 0a, 0) = 1
K( 0a, 1) = 1
K( 0a, 2) = 1
K( 0a, T) = 3
Again, K( 0a, T) ≮ K(a, T). Therefore, a is locally Kemeny optimal since
it does not contain another adjacent pair of assertions.
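The footrule aggregation of section 4.2.2 and the local Kemenization of section 4.2.3, run on the three rankings of the example above, as an added Python example that is not part of this thesis or of GoldMine. It replaces the Kuhn-Munkres algorithm with an exhaustive search over permutations (exact, and adequate for a handful of assertions); the list T, the names p0, p1, p2 and all function names are the example's own.

```python
from itertools import permutations

# Constructed input matching the worked example: three assertions and the
# three rankings sigma_0, sigma_1, sigma_2 (first element = rank 0, the best).
T = [
    ["p0", "p1", "p2"],
    ["p1", "p0", "p2"],
    ["p2", "p1", "p0"],
]


def rank_of(ranking):
    """Position of every alternative in a ranking (0 = highest rank)."""
    return {x: i for i, x in enumerate(ranking)}


def spearman_footrule(sigma, tau):
    """Equation 4.1: sum over alternatives of |sigma(x) - tau(x)|."""
    s, t = rank_of(sigma), rank_of(tau)
    return sum(abs(s[x] - t[x]) for x in s)


def kendall_tau(sigma, tau):
    """Equation 4.2: number of pairs the two rankings order differently."""
    s, t = rank_of(sigma), rank_of(tau)
    xs = list(s)
    return sum(
        1
        for i in range(len(xs))
        for j in range(i + 1, len(xs))
        if (s[xs[i]] - s[xs[j]]) * (t[xs[i]] - t[xs[j]]) < 0
    )


def footrule_weights(rankings):
    """Equation 4.6: W(p, r) = sum over rankings i of |sigma_i(p) - r|.

    Returns {assertion: [W(p, 0), W(p, 1), ...]}, i.e. the edge weights of
    the bipartite graph G = (P, R, E).
    """
    positions = [rank_of(sigma) for sigma in rankings]
    n = len(rankings[0])
    return {
        p: [sum(abs(pos[p] - r) for pos in positions) for r in range(n)]
        for p in rankings[0]
    }


def min_cost_matching(weights):
    """Minimum-cost perfect matching of assertions to ranks.

    Exhaustive search over permutations stands in for Kuhn-Munkres; it is
    exact and fine for small n. Returns (aggregation, total cost).
    """
    assertions = list(weights)
    n = len(assertions)
    best_perm, best_cost = None, None
    for perm in permutations(range(n)):  # perm[k] = rank given to assertions[k]
        cost = sum(weights[p][r] for p, r in zip(assertions, perm))
        if best_cost is None or cost < best_cost:
            best_perm, best_cost = perm, cost
    aggregation = [None] * n
    for p, r in zip(assertions, best_perm):
        aggregation[r] = p
    return aggregation, best_cost


def kendall_total(aggregation, rankings):
    """K(aggregation, T): sum of Kendall tau distances to every ranking in T."""
    return sum(kendall_tau(aggregation, sigma) for sigma in rankings)


def locally_kemenize(aggregation, rankings):
    """Swap adjacent pairs for as long as a swap lowers K(aggregation, T)."""
    agg = list(aggregation)
    improved = True
    while improved:
        improved = False
        for i in range(len(agg) - 1):
            candidate = agg[:]
            candidate[i], candidate[i + 1] = candidate[i + 1], candidate[i]
            if kendall_total(candidate, rankings) < kendall_total(agg, rankings):
                agg, improved = candidate, True
    return agg


def aggregate(rankings):
    """Full pipeline: footrule weights -> min-cost matching -> local Kemenization."""
    aggregation, _ = min_cost_matching(footrule_weights(rankings))
    return locally_kemenize(aggregation, rankings)


if __name__ == "__main__":
    W = footrule_weights(T)
    for p, row in W.items():
        print(p, row)  # p0 [3, 2, 3], p1 [2, 1, 4], p2 [4, 3, 2]
    matched, cost = min_cost_matching(W)
    print("matching:", matched, "cost", cost)  # cost 6
    final = aggregate(T)
    print("aggregation:", final, "K =", kendall_total(final, T))  # ['p1', 'p0', 'p2'] K = 3
```

With the W values above, both [p0 p1 p2] (3 + 1 + 2) and [p1 p0 p2] (2 + 2 + 2) are minimum-cost matchings of cost 6, so which one the matching step returns depends on tie-breaking; local Kemenization moves either to [p1 p0 p2] with K = 3.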
4.3 Experimental Results
In this section we present experimental results for the rank aggregation
methodology. We used GoldMine to generate 260 assertions for the PCI
bridge master state machine. We used the rank aggregation methodology
to aggregate rankings for assertion importance, complexity, coverage and
expectedness.
[Figure 4.2 plot: Complexity versus Importance; x-axis Importance (0 to 300), y-axis Complexity (0 to 90.0)]
Figure 4.2: Assertion complexity as a function of importance.
[Figure 4.3 plot: Coverage versus Importance; x-axis Importance (0 to 300), y-axis Coverage (0 to 0.1500)]
Figure 4.3: Assertion coverage as a function of importance.
[Figure 4.4 plot: Coverage versus Complexity; x-axis Complexity (0 to 90.0), y-axis Coverage (0 to 0.1500)]
Figure 4.4: Assertion coverage as a function of complexity.
[Figure 4.5 plot: Expectedness versus Importance; x-axis Importance (0 to 300), y-axis Expectedness (0 to 0.900)]
Figure 4.5: Assertion expectedness as a function of importance.
[Figure 4.6 plot: Expectedness versus Complexity; x-axis Complexity (0 to 90.0), y-axis Expectedness (0 to 0.900)]
Figure 4.6: Assertion expectedness as a function of complexity.
[Figure 4.7 plot: Expectedness versus Coverage; x-axis Coverage (0 to 0.1500), y-axis Expectedness (0 to 0.900)]
Figure 4.7: Assertion expectedness as a function of coverage.
Figures 4.2 through 4.7 correlate each pair of assertion metrics. These
ﬁgures show that each assertion metric weakly correlates with each other
metric. Therefore, these metrics’ rankings are ideal for aggregation since no
ranking will credit or discredit any other.
[Figure 4.8 plot: Kendall Tau Distance between Rankings; x-axis Kendall Tau Distance (0 to 1.00), y-axis Target, one bar per target output of the PCI bridge master state machine]
Figure 4.8: Kendall tau distance between a ranking for assertion rank and a
rank aggregation for assertion importance and complexity.
Figure 4.8 shows the Kendall tau distance between a ranking for asser-
tion rank and a rank aggregation for assertion importance and complexity.
The ﬁgure shows that the ranking methodology presented in chapter 3 and
the rank aggregation methodology are not equivalent. Therefore, the rank
aggregation methodology interprets assertion importance and complexity dif-
ferently than the assertion ranking methodology.
[Figure 4.9 plot: Comparison of Average Importance for all Rankings; x-axis Percentile of Ranking (99%, 95%, 90%, 75%, 50%), y-axis Average Importance (0 to 300); series: Importance Ranking, Complexity Ranking, Coverage Ranking, Expectedness Ranking, Aggregated Ranking]
Figure 4.9: The average importance of assertions in the 99th, 95th, 90th,
75th and 50th importance, complexity, coverage, expectedness and rank
aggregation percentiles.
[Figure 4.10 plot: Comparison of Average Complexity for all Rankings; x-axis Percentile of Ranking (99%, 95%, 90%, 75%, 50%), y-axis Average Complexity (0 to 80); series: Importance Ranking, Complexity Ranking, Coverage Ranking, Expectedness Ranking, Aggregated Ranking]
Figure 4.10: The average complexity of assertions in the 99th, 95th, 90th,
75th and 50th importance, complexity, coverage, expectedness and rank
aggregation percentiles.
[Figure 4.11 plot: Comparison of Average Coverage for all Rankings; x-axis Percentile of Ranking (99%, 95%, 90%, 75%, 50%), y-axis Average Coverage (0 to 0.1500); series: Importance Ranking, Complexity Ranking, Coverage Ranking, Expectedness Ranking, Aggregated Ranking]
Figure 4.11: The average coverage of assertions in the 99th, 95th, 90th,
75th and 50th importance, complexity, coverage, expectedness and rank
aggregation percentiles.
[Figure 4.12 plot: Comparison of Average Expectedness for all Rankings; x-axis Percentile of Ranking (99%, 95%, 90%, 75%, 50%), y-axis Average Expectedness (0 to 0.60); series: Importance Ranking, Complexity Ranking, Coverage Ranking, Expectedness Ranking, Aggregated Ranking]
Figure 4.12: The average expectedness of assertions in the 99th, 95th, 90th,
75th and 50th importance, complexity, coverage, expectedness and rank
aggregation percentiles.
Figures 4.9, 4.10, 4.11 and 4.12 show the average importance, complexity,
coverage and expectedness for assertions in the 99th, 95th, 90th, 75th and
50th importance, complexity, coverage, expectedness and rank aggregation
percentiles. We observe the following from these figures. First, assertions
that have high importance also have high complexity, moderate coverage and
moderate expectedness. Second, assertions that have low complexity also have
low importance, low coverage and high expectedness. Third, assertions that
have high coverage also have moderate importance, high complexity and low
expectedness. Fourth, assertions that have low expectedness also have
moderate importance, high complexity and moderate coverage. Fifth, highly
ranked assertions have high importance, low complexity, high coverage and
low expectedness. Sixth, lowly ranked assertions never outperform highly
ranked assertions with respect to any metric. Finally, the rank aggregation
methodology fairly compromises between the metrics.
CHAPTER 5
EFFECTIVENESS OF DATA MINING
ALGORITHMS
In this chapter, we present experimental results that compare GoldMine’s
data mining algorithms with respect to importance, complexity, ideality,
coverage and expectedness. We used each algorithm to generate assertions
for three Verilog modules. We used the methodology from chapter 4 to
aggregate rankings for assertion importance, complexity, coverage and ex-
pectedness. The ﬁrst module is the protocol engine from the Universal Serial
Bus (USB) protocol, the second module is the master state machine from
the Peripheral Component Interconnect (PCI) protocol and the ﬁnal module
is the decode pipeline stage from the OpenRisc 1200 (OR1200) CPU. For
all experiments, the data generator simulated each module for 10000 cycles
using an unconstrained random test bench. We explicitly limited the an-
tecedent size and temporal length of all assertions to 5 and 2 respectively.
We conducted all experiments using a 2.67 gigahertz quad core Intel Core i5
with 16 gigabytes of memory.
[Figure 5.1 plot: Average Importance of 25% Highest Ranked True Assertions for all Outputs; x-axis Module (usbf_pe, pci_master32_sm, or1200_ctrl), y-axis Average Importance (normalized, 0 to 1.00); series: tree, forest, coverage, prism]
Figure 5.1: The average normalized importance of 25% highest ranked
assertions that passed formal verification for each data mining algorithm.
Figure 5.1 shows the average normalized importance of the 25% highest
ranked assertions that passed formal veriﬁcation for each data mining algo-
rithm. We observe the following from these results. First, there is no algo-
rithm that always generates assertions that have high importance. Therefore,
we should select a data mining algorithm based on the target design’s be-
havior. Second, the coverage mining algorithm does not generate assertions
that have high importance. We expect this since concise assertions are more
likely to have lower importance than verbose assertions.
[Figure 5.2 plot: Average Complexity of 25% Highest Ranked True Assertions for all Outputs; x-axis Module (usbf_pe, pci_master32_sm, or1200_ctrl), y-axis Average Complexity (normalized, 0 to 1.00); series: tree, forest, coverage, prism]
Figure 5.2: The average normalized complexity of 25% highest ranked
assertions that passed formal verification for each data mining algorithm.
Figure 5.2 shows the average normalized complexity of the 25% highest
ranked assertions that passed formal veriﬁcation for each data mining algo-
rithm. We observe the following from these results. First, we should select
the coverage mining algorithm if we wish to generate assertions that have
low complexity. Second, the decision forest algorithm usually generates as-
sertions that have lower complexity than those generated by the decision
tree algorithm. Finally, the prism algorithm usually generates assertions
that have low complexity.
[Figure 5.3 plot: Average Ideality of 25% Highest Ranked True Assertions for all Outputs; x-axis Module (usbf_pe, pci_master32_sm, or1200_ctrl), y-axis Average Ideality (normalized, 0 to 1.00); series: tree, forest, coverage, prism]
Figure 5.3: The average normalized ideality of 25% highest ranked
assertions that passed formal verification for each data mining algorithm.
Figure 5.3 shows the average normalized ideality of the 25% highest ranked
assertions that passed formal veriﬁcation for each data mining algorithm.
We observe the following from these results. First, we should select the
coverage mining or prism algorithms if we wish to generate assertions that
consistently have high ideality. Finally, the decision tree based algorithms
perform similarly with respect to ideality.
[Figure 5.4 plot: Average Coverage of 25% Highest Ranked True Assertions for all Outputs; x-axis Module (usbf_pe, pci_master32_sm, or1200_ctrl), y-axis Average Coverage (normalized, 0 to 1.00); series: tree, forest, coverage, prism]
Figure 5.4: The average normalized coverage of 25% highest ranked
assertions that passed formal verification for each data mining algorithm.
Figure 5.4 shows the average normalized coverage of the 25% highest
ranked assertions that passed formal veriﬁcation for each data mining al-
gorithm. We observe the following from these results. First, there is no
algorithm that always generates assertions that have high coverage. There-
fore, we should select a data mining algorithm based on the target design’s
behavior. Second, the decision tree based algorithms perform similarly with
respect to coverage. Finally, the coverage mining and prism algorithms also
perform similarly with respect to coverage.
[Figure 5.5 plot: Average Expectedness of 25% Highest Ranked True Assertions for all Outputs; x-axis Module (usbf_pe, pci_master32_sm, or1200_ctrl), y-axis Average Expectedness (normalized, 0 to 1.00); series: tree, forest, coverage, prism]
Figure 5.5: The average normalized expectedness of 25% highest ranked
assertions that passed formal verification for each data mining algorithm.
Figure 5.5 shows the average normalized expectedness of the 25% high-
est ranked assertions that passed formal veriﬁcation for each data mining
algorithm. We observe the following from these results. First, we should se-
lect the decision tree based algorithms if we wish to generate assertions that
consistently have low expectedness. Second, the coverage mining algorithm
always generates assertions that have high expectedness.
CHAPTER 6
CONCLUSION
In this work, we detailed the GoldMine methodology and its algorithms.
We introduced various metrics and two methodologies for evaluating a set
of assertions. Together, GoldMine and the assertion ranking methodologies
can change verification forever. Instead of spending effort refining manually
generated assertions, we can use these methods to generate assertions that
surpass those crafted by human beings. Eventually, GoldMine and the as-
sertion ranking methodologies will bring the day when we no longer require
human eﬀort to generate assertions.
CHAPTER 7
RESOURCES
In this chapter, we discuss how to obtain and use GoldMine to generate and
rank a set of assertions.
7.1 Obtaining GoldMine
To obtain GoldMine, navigate to http://goldmine.csl.illinois.edu, regis-
ter for an account and sign in.
7.2 Executing GoldMine
7.2.1 Requirements
• Synopsys Verilog Compiler Simulator (VCS) – GoldMine uses
VCS to generate random simulation data. GoldMine can accept VCD
ﬁles on the command line if VCS is not available.
• Cadence Incisive Formal Veriﬁer (IFV) – GoldMine uses IFV to
formally verify the assertions it generates. GoldMine will label the
assertions it generates as “unveriﬁed” if IFV is not available.
7.2.2 Quick Start
GoldMine can be executed using the following command:
goldmine verilog/arb2.v
GoldMine does not require VCS to generate assertions for the Verilog ﬁle
arb2.v because we have provided the VCD ﬁle goldmine.out/arb2/arb2.vcd.
7.2.3 Usage
GoldMine can be executed using the following command:
goldmine [options] <input_files>
GoldMine will parse the input ﬁles, simulate a random testbench and gen-
erate a set of assertions for the top module in the design. GoldMine will
attempt to ﬁnd the top module, clock signal and reset signal automatically.
By default, GoldMine will select each scalar output from the top module as
a target for assertion generation. Each of these execution parameters can be
speciﬁed using command line options.
GoldMine will generate the following ﬁles in the directory goldmine.out:
• <top_module>/<top_module>_bench.v – The testbench used
to simulate <top_module>.
• <top_module>/<top_module>.gold – A detailed analysis of
each assertion generated for <top_module>. The assertions are listed
descendingly according to rank.
• <top_module>/<top_module>.log – The command line output
generated by GoldMine.
• <top_module>/<top_module>.vcd – The simulation data used
to generate the assertions.
• <top_module>/<top_module>.rank – The global importance
score for each variable in <top_module>.
• <top_module>/<target>/<target>.cone – A detailed analysis
of each variable in the bounded cone of inﬂuence for <target>.
• <top_module>/<target>/<target>.gold – A detailed analysis
of each assertion generated for <target>. The assertions are listed
descendingly according to rank.
7.2.4 Options
• -h [ --help ] – GoldMine will print the list of command line options
and exit.
• -p [ --parse ] – GoldMine will parse the input files and exit.
• -m [ --module ] arg – GoldMine will generate assertions using <arg>
as the top module.
• -c [ --clock ] arg – GoldMine will generate assertions using <arg> as
the clock signal.
• -r [ --reset ] arg – GoldMine will generate assertions using <arg> as
the reset signal.
• --target-vectors – GoldMine will generate assertions for both output
scalars and vectors.
• -t [ --targets ] arg – GoldMine will generate assertions using <arg>
as the target signals.
• -v [ --vcd ] arg – GoldMine will generate assertions using <arg> as
the simulation data.
• -e [ --engine ] arg – GoldMine will generate assertions using <arg>
as the assertion mining engine. You can select either the decision tree
<arg = tree>, best-gain decision forest <arg = forest>, coverage miner
<arg = coverage> or prism <arg = prism> engine.
• --rank – GoldMine will rank assertions using the assertion ranking
methodology instead of the rank aggregation methodology.
7.2.5 Conﬁguration
GoldMine will parse any additional options in the configuration file
goldmine.cfg. You can maximize a numerical parameter by assigning it a value
of +. A description of the options in the conﬁguration ﬁle follows.
• vcs_home:arg – VCS_HOME environment variable
• synopsys_license:arg – LM_LICENSE_FILE environment variable
• ifv_home:arg – IFV_ROOT environment variable
• cadence_license:arg – CDS_LICENSE_FILE environment variable
• engine:arg – Assertion mining engine
• num_examples:arg – Maximum number of simulation cycles
• num_cycles:arg – Maximum temporal length of an assertion
• num_propositions:arg – Maximum antecedent size of an assertion
• num_partitions:arg – Maximum number of partitions per iteration
of the Decision Forest algorithm
• num_counterexamples:arg – Maximum number of counterexam-
ples used to reﬁne assertions
REFERENCES
[1] A. Evans, A. Silburt, G. Vrckovnik, T. Brown, M. Dufresne, G. Hall,
T. Ho, and Y. Liu, “Functional veriﬁcation of large asics,” in
Proceedings of the 35th annual Design Automation Conference, ser.
DAC ’98. New York, NY, USA: ACM, 1998. [Online]. Available:
http://doi.acm.org/10.1145/277044.277210 pp. 650–655.
[2] “IEEE standard vhdl language reference manual,” IEEE Std 1076-2008
(Revision of IEEE Std 1076-2002), pp. c1–626, 2009.
[3] “IEEE standard for verilog hardware description language,” IEEE Std
1364-2005 (Revision of IEEE Std 1364-2001), pp. 1 – 560, 2006.
[4] “Systemverilog,” 2012. [Online]. Available: http://www.systemverilog.
org
[5] C. A. R. Hoare, “An axiomatic basis for computer programming,”
Commun. ACM, vol. 12, no. 10, pp. 576–580, Oct. 1969. [Online].
Available: http://doi.acm.org/10.1145/363235.363259
[6] M. Boule, J.-S. Chenard, and Z. Zilic, “Assertion checkers in
veriﬁcation, silicon debug and in-ﬁeld diagnosis,” in Proceedings of the
8th International Symposium on Quality Electronic Design, ser. ISQED
’07. Washington, DC, USA: IEEE Computer Society, 2007. [Online].
Available: http://dx.doi.org/10.1109/ISQED.2007.38 pp. 613–620.
[7] H. D. Foster, A. C. Krolnik, and D. J. Lacey, Assertion-Based Design,
2nd ed. Springer Publishing Company, Incorporated, 2010.
[8] A. Gupta, “Assertion-based veriﬁcation turns the corner,” IEEE Des.
Test, vol. 19, no. 4, pp. 131–132, July 2002. [Online]. Available:
http://dl.acm.org/citation.cfm?id=622210.623179
[9] L.-C. Wang, M. S. Abadir, and N. Krishnamurthy, “Automatic
generation of assertions for formal veriﬁcation of powerpc microprocessor
arrays using symbolic trajectory evaluation,” in Proceedings of
the 35th annual Design Automation Conference, ser. DAC ’98.
New York, NY, USA: ACM, 1998. [Online]. Available: http:
//doi.acm.org/10.1145/277044.277188 pp. 534–537.
[10] S. Hangal, N. Chandra, S. Narayanan, and S. Chakravorty, “Iodine: a
tool to automatically infer dynamic invariants for hardware designs,”
in Proceedings of the 42nd annual Design Automation Conference, ser.
DAC ’05. New York, NY, USA: ACM, 2005. [Online]. Available:
http://doi.acm.org/10.1145/1065579.1065786 pp. 775–778.
[11] X. Cheng and M. S. Hsiao, “Simulation-directed invariant mining
for software veriﬁcation,” in Proceedings of the conference on Design,
automation and test in Europe, ser. DATE ’08. New York, NY, USA:
ACM, 2008. [Online]. Available: http://doi.acm.org/10.1145/1403375.
1403541 pp. 682–687.
[12] F. Rogin, T. Klotz, G. Fey, R. Drechsler, and S. Rülke, “Automatic
generation of complex properties for hardware designs,” in Proceedings
of the conference on Design, automation and test in Europe, ser.
DATE ’08. New York, NY, USA: ACM, 2008. [Online]. Available:
http://doi.acm.org/10.1145/1403375.1403506 pp. 545–548.
[13] P.-H. Chang and L.-C. Wang, “Automatic assertion extraction via
sequential data mining of simulation traces,” in Proceedings of the 2010
Asia and South Paciﬁc Design Automation Conference, ser. ASPDAC
’10. Piscataway, NJ, USA: IEEE Press, 2010. [Online]. Available:
http://dl.acm.org/citation.cfm?id=1899721.1899864 pp. 607–612.
[14] W. Li, A. Forin, and S. A. Seshia, “Scalable speciﬁcation mining
for veriﬁcation and diagnosis,” in Proceedings of the 47th Design
Automation Conference, ser. DAC ’10. New York, NY, USA: ACM,
2010. [Online]. Available: http://doi.acm.org/10.1145/1837274.1837466
pp. 755–760.
[15] “Assertion synthesis,” 2010. [Online]. Available: http://www.
nextopsoftware.com/BugScope-assertion-synthesis.html
[16] S. Vasudevan, D. Sheridan, S. Patel, D. Tcheng, B. Tuohy, and
D. Johnson, “Goldmine: automatic assertion generation using data
mining and static analysis,” in Proceedings of the Conference on Design,
Automation and Test in Europe, ser. DATE ’10. 3001 Leuven, Belgium,
Belgium: European Design and Automation Association, 2010. [Online].
Available: http://dl.acm.org/citation.cfm?id=1870926.1871074 pp.
626–629.
[17] L. Liu, D. Sheridan, W. Tuohy, and S. Vasudevan, “Towards cover-
age closure: Using goldmine assertions for generating design validation
stimulus,” in Design, Automation Test in Europe Conference Exhibition
(DATE), 2011, March 2011, pp. 1 –6.
[18] “Activeprop assertion-based veriﬁcation system,” 2012.
[Online]. Available: http://www.jasper-da.com/products/
activeprop-assertion-based-verification-system
[19] J. Han and M. Kamber, Data mining: concepts and techniques. San
Francisco, CA, USA: Morgan Kaufmann Publishers Inc., 2000.
[20] S. Hertz, D. Sheridan, and S. Vasudevan, “Mining hardware assertions
with guidance from static analysis,” Computer-Aided Design of Inte-
grated Circuits and Systems, IEEE Transactions on, 2013.
[21] S. Katz, O. Grumberg, and D. Geist, “‘Have I written enough proper-
ties?’ - a method of comparison between speciﬁcation and implementa-
tion,” in CHARME, 1999, pp. 280–297.
[22] C. Dwork, R. Kumar, M. Naor, and D. Sivakumar, “Rank
aggregation methods for the web,” in Proceedings of the 10th
International Conference on World Wide Web, ser. WWW ’01.
New York, NY, USA: ACM, 2001. [Online]. Available: http:
//doi.acm.org/10.1145/371920.372165 pp. 613–622.
[23] C. Dwork, R. Kumar, M. Naor, and D. Sivakumar, “Rank aggregation
revisited,” 2001.
[24] A. Pnueli, “The temporal logic of programs,” in Proceedings of the 18th
Annual Symposium on Foundations of Computer Science, ser. SFCS
’77. Washington, DC, USA: IEEE Computer Society, 1977. [Online].
Available: http://dx.doi.org/10.1109/SFCS.1977.32 pp. 46–57.
[25] M. Caplain, “Finding invariant assertions for proving programs,”
in Proceedings of the international conference on Reliable software.
New York, NY, USA: ACM, 1975. [Online]. Available: http:
//doi.acm.org/10.1145/800027.808436 pp. 165–171.
[26] J. Misra, “Prospects and limitations of automatic assertion generation
for loop programs,” SIAM J. Comput., vol. 6, no. 4, pp. 718–729, 1977.
[27] S. Bensalem, Y. Lakhnech, and H. Saïdi, “Powerful techniques for the
automatic generation of invariants,” in Computer Aided Veriﬁcation, 8th
International Conference, CAV 96, New Brunswick, NJ, USA, July 31
- August 3, 1996, Proceedings, ser. Lecture Notes in Computer Science,
R. Alur and T. A. Henzinger, Eds., vol. 1102. Springer, 1996, pp.
323–335.
[28] A. Tiwari, H. Rueß, H. Saïdi, and N. Shankar, “A technique for invariant
generation,” in Tools and Algorithms for the Construction and Analysis
of Systems, 7th International Conference, TACAS 2001 Held as Part
of the Joint European Conferences on Theory and Practice of Software,
ETAPS 2001 Genova, Italy, April 2-6, 2001, Proceedings, ser. Lecture
Notes in Computer Science, T. Margaria and W. Yi, Eds., vol. 2031.
Springer, 2001, pp. 113–127.
[29] C. S. Pasareanu and W. Visser, “Veriﬁcation of java programs using
symbolic execution and invariant generation,” in Model Checking Soft-
ware, 11th International SPIN Workshop, Barcelona, Spain, April 1-3,
2004, Proceedings, ser. Lecture Notes in Computer Science, S. Graf and
L. Mounier, Eds., vol. 2989. Springer, 2004, pp. 164–181.
[30] G. Ammons, R. Bodík, and J. R. Larus, “Mining speciﬁcations,” in
POPL, 2002, pp. 4–16.
[31] J. W. Nimmer and M. D. Ernst, “Automatic generation of program
speciﬁcations,” in ISSTA, 2002, pp. 229–239.
[32] A. Hekmatpour and A. Salehi, “Block-based schema-driven assertion
generation for functional veriﬁcation,” in 14th Asian Test Symposium
(ATS 2005), 18-21 December 2005, Calcutta, India. IEEE Computer
Society, 2005, pp. 34–39.
[33] G. Pintér and I. Majzik, “Automatic generation of executable asser-
tions for runtime checking temporal requirements,” in Ninth IEEE In-
ternational Symposium on High Assurance Systems Engineering (HASE
2005), 12-14 October 2005, Heidelberg, Germany. IEEE Computer
Society, 2005, pp. 111–120.
[34] A. DeOrio, A. Bauserman, V. Bertacco, and B. Isaksen, “Inferno:
Streamlining veriﬁcation with inferred semantics,” Computer-Aided De-
sign of Integrated Circuits and Systems, IEEE Transactions on, vol. 28,
no. 5, pp. 728 –741, may 2009.
[35] C.-N. Chung, C.-W. Chang, K.-H. Chang, and S.-Y. Kuo, “Applying
veriﬁcation intention for design customization via property mining
under constrained testbenches,” in Proceedings of the 2011 IEEE
29th International Conference on Computer Design, ser. ICCD ’11.
Washington, DC, USA: IEEE Computer Society, 2011. [Online].
Available: http://dx.doi.org/10.1109/ICCD.2011.6081380 pp. 84–89.
[36] C. E. Shannon, “A mathematical theory of communication,”
SIGMOBILE Mob. Comput. Commun. Rev., vol. 5, no. 1, pp. 3–55, Jan.
2001. [Online]. Available: http://doi.acm.org/10.1145/584091.584093
87
[37] J. R. Quinlan, “Induction of decision trees,” Mach. Learn.,
vol. 1, no. 1, pp. 81–106, Mar. 1986. [Online]. Available: http:
//dx.doi.org/10.1023/A:1022643204877
[38] J. R. Quinlan, C4.5: programs for machine learning. San Francisco,
CA, USA: Morgan Kaufmann Publishers Inc., 1993.
[39] T. K. Ho, “The random subspace method for constructing decision
forests,” IEEE Trans. Pattern Anal. Mach. Intell., vol. 20, no. 8, pp.
832–844, Aug. 1998. [Online]. Available: http://dx.doi.org/10.1109/34.
709601
[40] L. Breiman, “Random forests,” Mach. Learn., vol. 45, no. 1, pp.
5–32, Oct. 2001. [Online]. Available: http://dx.doi.org/10.1023/A:
1010933404324
[41] H. Zhao and A. Sinha, “An eﬃcient algorithm for generating generalized
decision forests,” Systems, Man and Cybernetics, Part A: Systems and
Humans, IEEE Transactions on, vol. 35, no. 5, pp. 754 – 762, sept. 2005.
[42] J. Cendrowska, “Prism: An algorithm for inducing modular rules,”
International Journal of Man-Machine Studies, vol. 27, no. 4, pp. 349 –
370, 1987. [Online]. Available: http://www.sciencedirect.com/science/
article/pii/S0020737387800032
[43] R. P. Kurshan, Computer-aided veriﬁcation of coordinating processes:
the automata-theoretic approach. Princeton, NJ, USA: Princeton Uni-
versity Press, 1994.
[44] C. D. S. Inc., “Incisive formal veriﬁer,” 2013. [Online]. Avail-
able: http://http://www.cadence.com/products/ld/formal\_verifier/
pages/default.aspx
[45] L. Liu, D. Sheridan, W. Tuohy, and S. Vasudevan, “A technique for test
coverage closure using goldmine,” Computer-Aided Design of Integrated
Circuits and Systems, IEEE Transactions on, vol. 31, no. 5, pp. 790–803,
2012.
[46] D. Sheridan, “Goldmine: An integration of data mining and static anal-
ysis for automatic generation of hardware assertions,” M.S. thesis, Uni-
versity of Illinois at Urbana-Champaign, 2011.
[47] S. Brin and L. Page, “The anatomy of a large-scale hypertextual
web search engine,” in Proceedings of the seventh international
conference on World Wide Web 7, ser. WWW7. Amsterdam, The
Netherlands, The Netherlands: Elsevier Science Publishers B. V., 1998.
[Online]. Available: http://dl.acm.org/citation.cfm?id=297805.297827
pp. 107–117.
88
[48] L. Page, S. Brin, R. Motwani, and T. Winograd, “The pagerank citation
ranking: Bringing order to the web.” Stanford InfoLab, Technical Report
1999-66, November 1999, previous number = SIDL-WP-1999-0120.
[Online]. Available: http://ilpubs.stanford.edu:8090/422/
[49] A. Biere, E. M. Clarke, R. Raimi, and Y. Zhu, “Veriﬁying safety
properties of a power pc microprocessor using symbolic model checking
without bdds,” in Proceedings of the 11th International Conference
on Computer Aided Veriﬁcation, ser. CAV ’99. London, UK, UK:
Springer-Verlag, 1999. [Online]. Available: http://dl.acm.org/citation.
cfm?id=647768.733940 pp. 60–71.
[50] E. Clarke, A. Biere, R. Raimi, and Y. Zhu, “Bounded model checking
using satisﬁability solving,” Form. Methods Syst. Des., vol. 19, no. 1,
pp. 7–34, July 2001. [Online]. Available: http://dx.doi.org/10.1023/A:
1011276507260
[51] T. Haveliwala, “Eﬃcient computation of pagerank,” Stanford
InfoLab, Technical Report 1999-31, 1999. [Online]. Available: http:
//ilpubs.stanford.edu:8090/386/
[52] S. Kamvar, T. Haveliwala, C. Manning, and G. Golub, “Extrapolation
methods for accelerating pagerank computations,” in Proceedings of the
Twelfth International World Wide Web Conference. ACM Press, 2003,
pp. 261–270.
[53] Y. Hoskote, T. Kam, P.-H. Ho, and Z. Zhao, “Coverage estimation
for symbolic model checking,” in Design Automation Conference, 1999.
Proceedings. 36th, 1999, pp. 300–305.
[54] H. Chockler, O. Kupferman, R. P. Kurshan, and M. Y. Vardi, “A
practical approach to coverage in model checking,” in Proceedings of
the 13th International Conference on Computer Aided Veriﬁcation, ser.
CAV ’01. London, UK, UK: Springer-Verlag, 2001. [Online]. Available:
http://dl.acm.org/citation.cfm?id=647770.734261 pp. 66–78.
[55] V. Athavale, “Coverage analysis for assertions and emulation based veri-
ﬁcation,” M.S. thesis, University of Illinois at Urbana-Champaign, 2012.
[56] J. C. de Borda, “Mémoire sur les élections au scrutin,” Histoire de
l’Académie Royale des Sciences, 1784.
[57] M. Condorcet, Essai sur l’application de l’analyse à la probabilité des
décisions rendues à la pluralité des voix. Paris: Imprimerie Royale,
1785.
[58] K. Arrow, Social Choice and Individual Values, ser. Monograph (Yale
University). Yale University Press, 1963.
89
[59] M. Truchon, “An extension of the Concordet criterion and Kemeny
orders,” Université Laval - Département d’économique, Cahiers de
recherche 9813, 1998. [Online]. Available: http://ideas.repec.org/p/lvl/
laeccr/9813.html
[60] J. G. Kemeny, “Mathematics without Numbers,” Daedalus, vol. 88,
no. 4, 1959.
[61] J. Munkres, “Algorithms for the Assignment and Transportation Prob-
lems,” Journal of the Society for Industrial and Applied Mathematics,
vol. 5, no. 1, pp. 32–38, 1957.
90
