Abstract
Introduction
Verification of design models is a critical component in the hardware design life cycle of high-assurance systems. Verification of embedded systems' chips, for applications such as micro-electro-mechanical systems (MEMS) and micro-robots is an important concern for many system designers. Methods for verifying these hardware designs need to be efficient and effective. High-assurance systems require that the system is designed with confidence.
There are three major phases in the high-assurance hardware design life cycle, as shown in Fig. 1(a) . First, the desired function and behavior of the system is modeled in a high level of abstraction using a special purpose language. Next, this behavior is mapped into lower levels of abstraction such as the gate and transistor levels ( Fig. 1(b) ). Finally, the mapped layout is sent to the factory for manufacturing.
The first phase describes hardware in terms of a program in a hardware design language, such as VHDL. Hardware designers then perform extensive simulations for what they call "behavioral verification", an activity a software engineer might term "validation", or "software testing". Because VHDL is similar to a high-level programming language, we can apply software assurance techniques to a hardware design in order to identify and remove faults. These faults, if carried to the manufacturing phase would be quite expensive. Further, these faults need to be detected through the use of test benches. Test bench automation through the generation of test patterns and test cases increases the efficiency and effectiveness of behavioral verification.
This paper applies a rule-based method for generating test patterns for VHDL designs as described in [3] . Many methods have been defined which address the issue of generating test patterns [2, 4, 7, 8, 11, 12, 13, 14] . Several of these methods require large amounts of test patterns, others are fairly complex.
RUBASTEM is a heuristic, rule-based method for generating test patterns. The method uses the control flow of the VHDL source code to generate inter/intra procedural control flow graphs. The control flow graphs may be analyzed to determine branch locations within the code. The rule-based method also uses data flow analysis to determine definition use pairs and reaching definitions. Data flow analysis enables RUBASTEM to determine which variables and signals affect decisions at branches. In general, rule-based methods try to satisfy testing criteria. Thus, testing criteria are used to determine when adequate verification has been completed. Statement, branch, condition, bit toggle, and statistical criteria are common in behavioral verification. RUBASTEM is primarily interested in meeting branch coverage criteria.
As [3] defines, the rule-based software testing method consists of three phases. These phases include: control flow graph generation, data flow analysis, and rule-based test case generation. The goal of the rule-based method is to generate the least number of test cases which will guaran-tee that a certain percentage of a coverage criterion will be satisfied. Software metrics are collected which may be used in generating test patterns for future designs. Section 2 describes background information and existing work. Section 3 describes the techniques used in the rule-based approach such as control flow graph generation, data flow analysis, and other tools. Section 4 describes the process for generating the rules. Section 5 describes the results of RUBASTEM on VHDL designs. Section 6 draws conclusions and proposes further work.
Background
When discussing behavioral verification of hardware design, we focus on fault coverage and code coverage. Fault coverage is used in detecting manufacturing faults in the structural level designs. Code coverage helps validate the functionality of the behavioral design. Some techniques to increase coverage are described next.
Hardware testing techniques
1. Random: In random testing, the values of the inputs in each test are selected randomly, sometimes based on user-defined frequencies. Random testing avoids the problem of deterministic test generation that requires structural information about the program to be tested. It is a reasonable choice for obtaining certain levels of coverage. However random testing becomes very inefficient when coverage saturates. [11] proposes a systematic approach to increase the fault coverage obtained by random pattern testing. The paper applies a random vector at the preliminary inputs of the sequential circuit and holds it constant for more than one clock cycle, instead of applying a new random vector every clock cycle. Then a number of flip-flops is chosen to be added to the scan chain, using any of the known flip-flop selection methods. The hold method is highly effective in improving fault coverage. A partial scan can be used to further improve the fault coverage. However this method can be costly. The hold method is only targeted to increase the coverage of circuits which are amenable to random coverage. [8] presents an improved weighted random pattern testing method. A new algorithm is proposed in the paper that throws away weight sets that prove ineffective with simulation. The paper also describes some heuristic rules to enhance the algorithm. The heuristic rules affect the balance between the number of weighted patterns and number of weight sets.
2. Anti-random: The basic premise of anti-random testing is to chose new test vectors that are as far away from existing test inputs as possible. Distance is commonly measured by terms of Hamming or Cartesian Distance. In previous analysis [9] , anti-random testing has improved code coverage for boundary conditions, and has proved more efficient than random testing. 4. Static Analysis: [13] uses constraint programming techniques to generate test cases for design verification of VHDL programs. The behavioral specification in VHDL is used to generate mathematical constraints. Additionally it is specified which path of the control flow graph of the design should be covered. Constraint solving techniques are then applied that generate a test input, which causes the execution of the desired path. The advantage of this approach is that the process is guaranteed to find a matching test. If it fails, the path is not feasible. However the method is time consuming and not practically applicable to large designs that require the examinations of multiple clock cycles. the hardware's power rails, and corrupting logic values at the pin level. Fault injection-based automated testing (FIAT) is an example of software-based fault injection. Simulation-based fault injection is another kind of fault inject methods. [7] proposes a method to perform a fault-tolerance analysis on the behavioral level using fault injection techniques on the instruction set architecture (ISA). This allows early generation of faults and therefore the simulation of the design with regards to fault tolerance.
6. Rule-based software test method: [6] proposes a rulebased software test data generator to test Ada programs. In the approach, some heuristic rules and symbol information specific to the subject module under test are used by a rule interpreter to generate test cases. The described test data generator is used in conjunction with a software testing environment for a high level programming language. Heuristic rules are specific to the types of statements in the language. To adopt this approach for VHDL requires reformulating the heuristic rules. [3] applies the rule-based method to VHDL programs. Data flow analysis and control flow analysis are used to generate more test patterns to satisfy branch coverage criterion.
Testing criteria
Since VHDL is similar to some of the high level programming languages, it is possible to use software testing techniques on hardware designs modeled in VHDL. Additionally, VHDL has its own characteristics such as hardware delays and triggering mechanisms. Therefore, verifying VHDL models requires the development and justification of different test criteria in addition to those used for conventional software.
[1] and [5] use code-coverage metrics similar to those used in software engineering to detect faults in the behavioral code and to reduce the redundant portions of the design. Examples of software code coverage include statement coverage, branch coverage, condition coverage, and path coverage [1] . Examples of hardware code coverage include process-sensitivity-list coverage and signal toggle coverage. RUBASTEM is primarily interested in branch coverage. Branch coverage measures how many times a simulation executes each branch. Incomplete branch coverage can reveal which conditions prevent access to the statements contained at the most nested branch. Branch coverage subsumes statement coverage.
Tools
RUBASTEM is based on two tools: a control flow graph generator and a data flow analyzer. "Control Flow analysis determines the control structure of a program, that is the set of all possible execution paths." [15] Calling relationships between procedures are also constructed. "Data Flow Analysis (DFA) examines the flow of scalar values through a program. It solves data flow problems by propagating data flow information along the paths of a control flow graph." [15] In this paper, DFA is used as the static analysis of the possible dynamic modification and usage of variable data values in a program. It determines which variables affect the value of others. This is useful for test generation because, knowing what branches need to be covered, we can determine which input variables affect the branch condition at those branches and create test cases for a particular branch condition. DFA requires a complete anno- tated Control Flow Graph to store the necessary information. While building a control flow graph generator, certain software metrics can also be collected. These metrics include the cyclomatic complexity of a process, the number of concurrent constructs, and the number of entities in the program.
Control flow graph generator
The purpose of control flow analysis is to encode the flow of control of a given VHDL program for use in data flow analysis and test case generation. A CFG comprises the basic component in VHDL programs, i.e. entity, concurrent (process and block) and statements. Thus there are three levels in a CFG.¯E ntity level: Entities are represented as a singly linked list. Each node corresponds to an entity. Information stored in each node includes entity type and declared signals/variables. The names of called entities and port maps are also stored. This makes it possible to determine calling relationships between entities.
Concurrent level: Each entity node in the entity structure may contain a concurrent structure (also represented as a singly linked list). Each node in this linked list corresponds to a concurrent block within the same entity. Stored information includes concurrent type, activation list and declared signals/variables. A signal/variable is defined when it is assigned a value. It is used when it is referenced. ¯Control flow graph for sequential statements: Each concurrent node in the concurrent structure may contain a triple Ǽ ×µ [15] , where´AE µ is a directed graph, × ¾ AE is the initial node, and there is a path from × to every node in . Each node Ò ¾ AE corresponds to a statement and edges represent potential transfers of control between statements. There is an arc´Ü Ýµ ¾ from node Ü to node Ý if control can potentially transfer from Ü to Ý at run time. Each node is annotated with the information about the corresponding statement such as statement type, defined signals/variables and used signals/variables/constants.
An example of a CFG is shown in Fig. 2 . The graph is built based on an intermediate format of VHDL. We have chosen to extract information from the .ivf file for three reasons: 1) It contains all information present in the VHDL source code; 2) Being in an intermediate format it is easy to parse; 3) Since it is processed by the second phase of compilation the lex/yacc programs for vsim are already present and can be reused with modifications. Therefore the lex/yacc files used by vsim are modified for the CFG generation. Fig. 2(c) shows the resulting CFG.
At the entity level of the example in Fig. 2 
Data flow analysis
Data Flow Analysis (DFA) [15] is a static analysis method that determines which variables/signals affect the value of other variables/signals. This is useful for test generation because when we know what branches need to be covered, we can determine which input variables affect the branch condition at those branches. As a result we can create test cases for a particular branch condition, taking into consideration the signals or variables that influence branching behavior at any given branch. Here, DFA is employed to extract signal and variable use-definition information. We use heuristic rules to generate test cases that potentially improve branch coverage. For a VHDL pro- For example for the following code segment, uses the top two levels of the CFG (entity level and concurrent level). We can also get the port maps between signals/variables in one procedure and others in another procedure. Thus local reaching inputs ÊÁ´Òµ, which is defined below, can be propagated to other procedure signals/variables, and finally to the signals/variables declared in the main procedure. To implement this, bit vector matrices are used. Every cell in the bit vector matrix records the use-definition relationship between one bit of a signal/variable and another. It is 1 if a use-definition relationship exists, 0 otherwise. 
Dominator [15]

Test coverage criteria
We use all branches criterion in RUBASTEM. A branch is defined to be covered if both the true and false parts of the branch are executed at least once. The following branches are required to be covered:
1. The beginning of process bodies. The criterion requires each process to be invoked at least once, in addition to any initialization runs a specific VHDL simulator may perform.
2. The IF statement has branches related to the THEN and ELSE options. Additionally, nested IF statements (EL-SIF) must all be covered.
3. FOR LOOP and WHILE LOOP. Branch coverage requires executing the body at least once. In the case of FOR LOOPs branch coverage also requires exactly one execution (the body is executed once, the condition is false, and execution control does not branch back to the beginning of the FOR LOOP), as well as executing the body more than once (the looping condition must be true at least once). Similarly, branch coverage for the WHILE loop requires that the condition for looping must be false at least once (the body of the loop is not executed, control skips to the statement after the loop), as well as another run where the looping condition is true and the body of the loop is executed at least once.
4. The true and false branches of EXIT WHEN and NEXT WHEN statements.
5. Each alternative of a CASE statement, except the infeasible alternatives, if any.
6. The branch following a WAIT ON or WAIT UNTIL.
7. The branches of WHEN-ELSE in the signal assignment statements.
8. The true and false conditions of ASSERT statements.
Software metrics
Since the VHDL programs are parsed for control flow and data flow analysis, software metrics can be collected.
These metrics include cyclomatic complexity [10] , the number of concurrent statements, and the number of entities. Table 1 shows these metrics for the executable in 2(a) and six other models. The cyclomatic metric is a cumulative measure of all cyclomatic complexities of concurrent constructs within the design. In future applications of RUBASTEM, these metrics may be applied to approximate the number of test patterns needed to satisfy a coverage criterion. The number of test patterns generated should be proportional to a combination of the cyclomatic complexity, the number of concurrent constructs, and the number of entities in the design.
Rule-based approach
Our approach is based on static analysis of the VHDL code and a series of heuristic rules. The static analysis provides a control flow graph and data flow information for the VHDL code. The proposed approach not only draws information from the VHDL source programs, but also makes use of the results of prior tests to guide the generation of additional test cases. Specifically, the simulator has been instrumented to provide coverage information as the VHDL code processes input patterns. Thus, the test analysis system knows which branches are executed with which inputs. In addition, the data flow analysis provides information about the inputs that affect the decision at a branching point. This information is used in rules to generate new inputs that are more likely to execute a previously uncovered branch. In this section, a brief overview of the rule-based approach is presented. Table 2 presents the rules and [3] describes the rules in detail.
Test generation process
We define more formally the terms test pattern, test case, and branch point. We also define what it means for a test case to reach a branch point. Branch Point: As we mentioned in 3.1, for Ò ¾ AE, Ò is a branch point if there is more than one outgoing arc.
In a given VHDL CFG, Ò is a branch point if it is one of the types described in section 3.3.
Proceedings of the Eighth IEEE International Symposium on High Assurance Systems Engineering (HASE'04) 
We assume that there is an initial test sequence of input patterns (step 1) that has been simulated and for which we have step-by-step coverage information (step 2). As long as the coverage is not complete, and as long as a user-defined number of generation steps has not been exceeded, we do the following: first we determine a branch point we want to cover. Then we determine the subsequence that reaches the branch point (step 3a). We replace the test input pattern of this sequence with a sequence of inputs that according to the heuristic rules, is more likely to execute the uncovered branch. The simulator executes this new test sequence and records coverage information.
Experimental evaluation
This section describes some of the results that have been obtained by automating the RUBASTEM generator. Like other heuristics, RUBASTEM cannot be proven to always achieve a certain level of coverage. This depends on the particulars of a specific design. Therefore, empirical evaluation of a heuristic approach is important. The questions about the success of the RUBASTEM method include: Is the method effective at reaching a higher percentage of branch coverage, than other methods? Is the method efficient at generating fewer test patterns for satisfying branch coverage, than other methods? [3] reports the results of the ruled-based method on three types of designs. The test generator was applied to small, medium, and large VHDL examples. The results of these experiments indicate that RUBASTEM is a very effective and efficient method for generating test cases to satisfy the branch criterion. Table 4 shows the test results using RUBASTEM. Fewer test cases are used to achieve the same branch coverage as with Random pattern generation. RUBASTEM starts with randomly selected input patterns, then applies the rulebased heuristics to generate more patterns. For Ì Ð , only 54 test cases are used to reach 100% branch coverage, this is less than 1 percent of the 8000 test cases generated by the Random method which do not achieve 100% coverage.
Small and medium sized examples
Next, we investigate what types of rules were used by the test generator. Notice that for Dec5to32, Gcd, Priority, and Tlc that Rule 1 was applied. Rule 1 targets IF/ELSIF/WHILE statements. This rule seems to be effective at executing uncovered branches. Rule 7 is also applied to these designs. This rule generates new test patterns that are the NOT of the previous patterns. This rule tries to increase the number of test patterns that are opposite of patterns that have been already generated in order to execute the more difficult branches. According to Tables 1 and 4, the trend seems to be that more rules are applied as the designs contain a higher cyclomatic complexity, and the trend seems to always include Rules 1 and 7.
Large example-MINTEL
Another large VHDL model we use is MINTEL. The experimental results are shown in Table 5 . From the results we observe that we get the highest coverage if we apply DFA together with the Random method.
The results reported in [3] and the results of the examples reported in this paper indicate that RUBASTEM is very effi- 
Conclusion
This paper applies the heuristic rules defined in [3] to more designs. The results of the experiments indicate that applying randomly generated test patterns and RUBASTEM patterns increase the branch coverage of a behavioral VHDL design. The test generator is able to produce new test patterns based on reaching definitions and the coverage results of previously generated patterns. The interesting cases for generating test patterns occur when the coverage begins to saturate. However, RUBASTEM is able to intelligently generate new test patterns that increase the chances of covering more branches. The automated test generation of patterns has clear advantages over random generation of patterns. The test generator producers fewer test patterns than random generation alone.
We plan to investigate whether and how VHDL code
Proceedings of the Eighth IEEE International Symposium on High Assurance Systems Engineering (HASE'04) metrics can be used to generate effective new test patterns. Candidate metrics include cyclomatic complexity, the number of concurrent constructs, and the number of entities. New heuristic rules may be able to be derived based on the collected metrics and the control graph of the VHDL model. This paper does not infer any techniques for comparing the actual output of the circuit described by the design to the desired output of the circuit. Ultimately, defining new software metrics, testing methods, and combinations of testing methods may lead to higher branch coverage with fewer test patterns. Further research is required to derive new verification methods and heuristic rules, which generate more code coverage with less test cases than existing rules and techniques.
