Minimal length test vectors for multiple-fault detection  by Füredi, Z. & Kurshan, R.P.
Theoretical Computer Science 315 (2004) 191–208
Z. Füredi (a), R.P. Kurshan (b,∗)
(a) Department of Mathematics, University of Illinois at Urbana-Champaign, Urbana, IL 61801-2975, USA
(b) Cadence Design Systems, Murray Hill, NJ 07974, USA
Abstract
A methodology for circuit testing is proposed for detecting multiple circuit faults in the course
of a minimal length “guided tour” of the circuit transition structure. Deriving a test vector to
guide this tour through an n state subsystem with at most I inputs possible in situ at each state,
corresponds to solving an open tour multigraph version of the “Chinese Postman” problem, in
which out-degrees are bounded by I. In this case, the length L of a minimal length open tour
is shown to satisfy $L \le In^2$; a minimal length open tour is computable in $O(n^3 + nI)$ steps for
undirected multigraphs and $O(n^3 + (nI)^2 \log n/\log I)$ steps for directed multigraphs, both one-time
costs, using weighted matching and bipartite weighted matching, respectively. An open tour can
result in a test vector as much as 1/2 shorter than the test vector associated with a closed tour,
without any loss in error detection. Examples show that for a directed graph, the length of a
minimal length open tour may be as great as $n^3/6$ for $I = n$, or $\Omega(n^2)$ when I is bounded, while
in an undirected multigraph, a minimal length tour requires no more than n − 3 repeated state
transitions. This mitigates in favor of “mixed” circuits in which certain transitions are reversible
and need be tested in only one direction.
The practicality of this approach rests with the ability to apply it separately to small sub-
systems, in conjunction with symbolic testing of inter-subsystem coordination. The former is
feasible with existing commercial technologies, such as electron beam scanning, while the latter
is feasible with a finite-state model-checker.
In summary, the proposed methodology comprises three steps:
1. decompose a circuit into subsystems sufficiently small to be model-checked exhaustively;
2. perform symbolic tests of inter-subsystem coordination and conclude that if each subsystem
is correctly implemented, then the entire circuit will behave as required;
3. for each circuit subsystem, exercise every realizable transition through a minimal length (open)
tour, comparing the actual transitions with those of the specification.
© 2003 Elsevier B.V. All rights reserved.
Keywords: Chinese Postman; Testing; Fault detection
∗ Corresponding author.
E-mail address: rkurshan@cadence.com (R.P. Kurshan).
doi:10.1016/j.tcs.2003.11.018
1. Introduction
The urgent need for more reliable, more efficient procedures to test complex synchronous
digital hardware, especially VLSI, is now widely recognized [7,21]. A good
survey of current circuit-testing methods may be found in [25]. With few exceptions,
current testing methods test only for single “stuck-at” faults (a fault in a wire-segment
characterized by a fixed logical value on that wire-segment, independent of whatever
value is applied to it). While this often has proved adequate for small- and medium-
scale nMOS integration, large-scale integration and utilization of CMOS technology
have rendered this single stuck-at fault detection standard less than satisfactory, with
many significant faults evading detection [13,25]. Furthermore, in large sequential circuits,
the problem of “controllability and observability” of the circuit state (i.e., inherent
limitations in the ability to set and observe all of a circuit’s memory elements) can
make the detection even of single stuck-at faults intractable [2]. This problem may
be circumvented through “scan” designs such as “LSSD” and “scan/set logic” [25]
wherein the entire memory (total state) of a circuit may be operated in a shift-register
mode, allowing the circuit’s total state to be read or written after any clock cycle, by
sequentially shifting the memory in and out of the circuit. This “solves” the single
stuck-at fault detection problem, in the sense that total controllability and observability
of the circuit state permits application of Roth’s D-algorithm [2], which detects any
single stuck-at fault in a combinatorial circuit. However, there are three serious drawbacks
to this approach, namely the (effective) inability to detect more general faults
than single stuck-at faults (cf. above), the additional in-circuit hardware needed for
scanning (up to a 20% increase [25]) and the time-consuming procedure of shifting
states in and out of the circuit during testing. Other fault detection methods such as
signature analysis [24], syndrome testing [17] and autonomous testing [12] can detect
more general faults, but this is typically at the expense of fault localization (the ability
to locate the source of a fault, especially in the presence of feedback loops [21,25]),
further increased overhead in hardware and delay, and an uncertainty about the pro-
portion of faults which are thus detected (e.g., signature analysis detects even single
stuck-at faults with only small probability in programmable logic arrays and other cir-
cuits with large “fan-in” [21]). The simple and (hence) popular method of comparing
the output of the circuit under test with the output of a “known correct” circuit or
prototype, both exercised by identical randomly generated input sequences, generally
does not provide a viable testing method, for reasons of inefficient and hard-to-quantify
fault detection coverage [25] (for certain microprocessor designs, this method has been
found to uncover only 20–30% of single stuck-at faults [7, p. 441]; cf. also [3]). Furthermore,
there is significant uncertainty whether the “known correct” circuit is actually
correct.
The proposed methodology can be summarized as follows. In classical fashion, the
circuit is described as a finite state machine, e.g., [2] or Ref. [7]. However, the machine
is first decomposed into a number of interacting machines, each of which is small
enough to be searched exhaustively [10]. Once each subsystem has been shown to
conform to its formal specification, the behavior of the system as a whole can be
guaranteed by symbolic analysis of the coordination among the subsystems. Electron
beam technology can be used to exhaustively search each subsystem by means of a
minimal length open tour. Tours have been used before in several applications, for
example in [22] closed tours were proposed for protocol testing. In this paper, minimal
length open tours are introduced, analyzed and shown to be twice as efficient as closed
tours in this application.
2. Multiple-fault detection with electron beam scanning
We propose a general fault-detection method for synchronous circuits. It could be
applied in practice using, for example, electron beam scanning, or any technology that
can render all internal circuit states observable, and certain specially prepared latches
controllable [18,26]; such technology is commercially available [4,19].
Our method entails logical isolation of pre-designated sequential subsystems, via
electron-beam-programmable non-volatile latch/switches [18]. These switches are introduced
into the circuit so that in the resulting partition of the circuit into subsystems,
each subsystem is sufficiently small to permit exhaustive “in situ” testing (see below).
The switches provide subsystem isolation and furthermore serve as subsystem
input latches during testing. Switch placement is configured in a way that maintains
the integrity of circuit timing [1]. The subsystems thus isolated are tested using elec-
tron beam switching of the subsystem input latches and electron beam sensing of the
(total) state of the subsystem (while keeping the subsystem logically disconnected from
the rest of the circuit) [18]. The sequential progression of (total) subsystem states is
compared with that from a symbolic prototype whose behavior has been proved correct
using formal, automated methods [10]; these formal methods have been implemented
into a software system called COSPAN [8]. The derived testing procedure thus consists
of sequentially writing input words from a fixed, predetermined list into the isolated
subsystem, reading out the associated sequence of subsystem states, and comparing
this state sequence with a fixed, predetermined list of states generated (once, for all
tests) from the prototype. The subsystem tests “fault-free” if and only if the two state
sequences are identical. Each write and associated read is accomplished in one clock
cycle.
Under the proposed method, subsystems are designated so as to have a state space
which is sufficiently small to permit exercising of all “circuit-reachable” subsystem
state transitions. A subsystem state transition is circuit-reachable provided it can occur
in situ, that is, in the context of the operation of the entire circuit. When the subsystem
is viewed through a classical paradigm for sequential devices (Fig. 1), the total state
of the subsystem has two vector components: v and x. The component x represents
the subsystem electron-beam-programmable input while the component v represents the
subsystem internal state, components from which produce the subsystem output to the
rest of the circuit; (v, x) is the total state of the subsystem.
During normal (non-test) operation, the subsystem communicates with the rest of the
circuit through its input x and the output components of its internal state v. In principle,
if x is a binary vector of length k, for each value of v there are $2^k$ possibilities for x.
However, due to coordination between the given subsystem and the rest of the circuit,
it may be that at a given v only $m < 2^k$ values for x are ever actually possible, as
inputs from the rest of the circuit. Limiting subsystem tests to those m values of x
actually possible at each respective internal state v (as a function of v), is what is
meant by “in situ” testing, and we will say that such an x is “possible in situ at v”;
the transitions of the form $(v, x) \to (v', x')$ where x and x′ are inputs possible in situ at
v and v′, respectively, are the circuit-reachable total state transitions.
[Figure 1: block diagram with the labels zero-delay function, unit delay, input, output, x, x′, v, v′.]
Fig. 1. The total state (v, x) of a subsystem at time i determines the internal state v′ at time i + 1, while the
input x′ at time i determines the value of the “input latch” at time i + 1.
Restriction of subsystem tests to circuit-reachable transitions can greatly reduce the
number of tests required to exhaustively test the subsystem. The values of the in-
puts x possible in situ at each respective v are determined empirically in the pro-
totype. Experience [10] shows that for properly designated subsystems, the average
taken over v of the number of values of x possible in situ at v, may be much less
than $2^k$ (where k is the dimension of x); thus, this approach can result in a significant
saving in testing time. Specifically, when a subsystem implements high level
control logic, it is typical for only a relatively few different input vectors x to be
possible in situ at any given internal state v. On the other hand, when a subsystem
implements general memory or an arithmetic unit, the resulting reduction may not be
significant.
Testing all circuit-reachable subsystem state transitions has the effect of detecting
and locating all subsystem behavioral faults. (While certain stuck-at faults may remain,
these will not affect the required behavior of the subsystem.) It is proved symbolically
in the prototype that the circuit will be behaviorally correct provided all of its sub-
systems are correctly implemented. Thus, interactions among the subsystems need not
be tested in the implemented circuit, aside from verification that certain “design rules”
have been correctly implemented. These design rules, which govern the interface in-
teractions among the subsystems, are formally characterized in the course of symbolic
analysis of the prototype. Examples of such design rules which must be checked in
the implementation are generally limited to features which may be checked relatively
easily through “parameter tests” [7] and include control of propagation delay, setup
time and the like.
The problem of fault detection is thus reduced to a particularly simple form of the
problem of finite state machine distinguishability. In general, as is well-known [14], if
a bound on the actual number of states in the (possibly faulty) circuit under test is not
known, it is not always possible to determine whether the circuit under test is faulty.
On the other hand, if the circuit under test is known to have at most k states while the
prototype is reduced and has $n \le k$ states, it is possible to determine whether or not the
circuit under test has any behavioral fault through the application of $O(n^2 2^{k-n})$ test
vectors of length $O(n^2 k 2^{k-n})$ [23, Theorem 1]; if $k = n$ and the prototype is strongly
connected (and reduced), this test may be accomplished by a single test vector of length
$O(n^4 \ln n)$ [23, Theorem 2] when only a component of the total state is observable.
(An n state unreduced prototype may be reduced in time O(n log n) [9].)
We consider here the case of a strongly connected subsystem prototype and a circuit
under test whose total state is observable and whose state space may be of arbitrary
size in the presence of faults, but is identical to that of the prototype when fault-free.
In this case, all behavioral faults in the circuit under test are detected by a single test
vector which guides a “tour” of all circuit-reachable total states. This corresponds to
testing every input possible in situ at every circuit-reachable internal state, checking
that the resulting internal state transition is correct and that applied inputs are correctly
“latched up” by the input latches. In the course of the tour, inputs are applied at
successive internal states. Specifically, a tour of length L may be described as a vector
$(v_0, x_0), \ldots, (v_L, x_L)$
where $x_0, \ldots, x_L$ are input vectors possible in situ at respective internal states $v_0, \ldots, v_L$,
where $\{(v_i, x_i) \mid 0 \le i \le L\}$ comprises the entire set of circuit-reachable total states and
where, for $0 \le i < L$, the correct internal state transition under application of the input
$x_i$ at the internal state $v_i$, is to $v_{i+1}$. The necessity of testing in the manner of a tour
comes from the nature of the proposed electron beam testing methodology, wherein
internal circuit states, while observable, are not directly controllable (i.e., internal states
cannot be directly set externally). Thus, from a given state, the next possible internal
circuit state is one which is adjacent to (i.e., one state transition away from) the given
state. In particular, it is not generally possible to test consecutively several different
inputs at one internal state v; as soon as one of the inputs causes an internal state
change, the next of the several inputs can be applied to v only when the internal state
of the circuit has returned to v.
Since each fabricated circuit may be subject to testing by the derived tour-guiding
test vector, it can be of significant importance to derive such a test vector of minimal
possible length. In Section 3, we describe how to derive such a minimal length
tour-guiding test vector. If the subsystem prototype has n internal (circuit-reachable)
states and I is the maximum number of inputs possible in situ at any internal state, we
show that the length L of a minimal length test vector satisfies $L \le In^2$. If each distinct
input possible in situ at a given internal state results in an internal state transition to
a distinct state, we say the subsystem circuit differentiates inputs. In this case, clearly
$I \le n$ and the given bound on L may be written as $L \le n^3$ (independent of I).
This is an upper bound and depending upon the circuit, the minimal length test
vector may be much shorter. However, we give examples which show that a circuit
can require a test vector of length $L > n^3/6$ (for $I = n$) and, even if I is bounded
as a function of n, there are circuits which require test vectors of length $L = \Omega(n^2)$.
(In Ref. [15], it is proposed to detect stuck-at faults through generation of a tour of each
state transition, using random inputs to guide the tour and discarding redundant cycles
to reduce the tour length. It is contended there that for any given n state machine, this
method produces a tour of length O(n log n) “on the average”; this contention appears
to be without foundation, at least for those circuits which we show have minimal tour
length $L = \Omega(n^2)$.)
In some circuits there may be certain cases of an internal state transition $v \to w$
caused by an input x possible in situ at v, which is reversible in the sense that some
input y possible in situ at w causes the state transition $w \to v$ and furthermore, if the
circuit performs either $(v, x) \to w$ or $(w, y) \to v$ correctly, then it may be presumed that
it could perform the other test correctly as well. For example, if x is a vector, one
component of which switches a simple latch while the other components leave the rest
of the circuit invariant, it may be enough to test the latch by showing either that it
“sets” from “clear” or “clears” from “set”. When one or more state transitions may
be reversible, we say the circuit is mixed; if all state transitions are reversible, we
say the circuit is undirected, while if no state transitions are reversible, we say that
the circuit is directed. In a mixed circuit, the definition of a tour (above) is relaxed
to allow $\{(v_i, x_i) \mid 0 \le i \le L\}$ to include only one of (v, x) or (w, y) for each reversible
pair of total states. This can result in a considerable saving in the length of a minimal
length tour; in an undirected circuit, it is shown that a minimal length tour may be
found with at most n− 3 transitions in excess of the number of circuit-reachable total
states, counting reversible pairs as only one state. By contrast, in a directed circuit, a
minimal length tour may require as many as $\Omega(n^3)$ transitions in excess of the number
of circuit-reachable total states. (This “excess” is the number of redundant transition
tests required by the constraint that the tests be performed in the course of a tour.)
The cost of computing a minimal length tour-guiding test vector is shown to be
that of finding a solution to an open tour, multigraph version of the “Chinese Postman”
problem [5]. It is seen that in all cases (directed, mixed, undirected), a tour may
be found in $O(n^3 + (nI)^2 \log n/\log I)$ steps using one form or another of “weighted
matching” (a one-time cost for all associated circuit tests); in the directed and undirected
cases, this algorithm can be used to find an (open) tour of minimal length,
the undirected case requiring only $O(n^3 + nI)$ steps. An open tour can result in a
saving of as much as 1/2 of the test vector length of a minimal length closed tour, in
both the directed and undirected cases. (The potential for such saving is lost if the
initial state $v_0$ of all physically possible tours is fixed and if furthermore, from each
circuit-reachable state v there is a “reset” input x possible in situ at v which causes
the transition $(v, x) \to v_0$. However, typically, a “reset” entails propagation of the reset
signal through several states, and the potential for saving with an open tour is actual.)
If the initial state $v_0$ for any tour is given, then a minimal length tour is found subject
to that constraint.
[Figure 2: CHECK steps 0, 1, 2, 3, ..., L observe the total states $v_0 x_0$, $v_1 x_1$, $v_2 x_2$, ..., $v_L x_L$, alternating with SET steps 1, 2, ..., L.]
Fig. 2. The test vector of length L, illustrated here, is applied to the circuit through an alternating succession
of CHECK and SET steps. During each SET step, the input latches are given a new value and the circuit
internal state, with the old input value, is advanced one cycle. During each CHECK step, the value of the
resulting circuit total state is checked.
The assumption of strong connectivity in the prototype is trivially satisfied by any
circuit design which includes a (“power-up”) reset or clear, and thus this requirement
is trivially satisfied in practice. Adding minimal memory to an initial design to effect
subsystem isolation in such a way that consistent timing is maintained in the circuit
can be accomplished in time quadratic in the number of subsystem nodes [1] (assuming
constant complexity of enabling predicates at logical branch-points). Symbolic analysis
of the prototype may be accomplished by a search algorithm which is linear in the
number of system state transitions, in conjunction with applicable complexity-reduction
techniques [10]. (All of the preceding are one-time costs.) Observability of the total
state of the circuit subsystem under test can be guaranteed by electron-beam scanning
[18]. (This is in contrast with conventional “shift-register” scanning methods such as
LSSD, wherein certain types of faults may introduce extraneous memory, whose state
component is thus unobservable [25].) Once a faulty state transition is located in the
circuit under test, the cause of the fault is relatively easy to locate using conventional
techniques for fault location in combinatorial circuits [2], since a test for the fault is
given by the input vector associated with the faulty transition.
The proposed design for testability and specific circuit test is now summarized.
During the design stage, special electron-beam-programmable latches are introduced
into the circuit in a fashion which maintains the consistency of circuit timing and has
the effect of partitioning the circuit into subsystems which are sufficiently small to
be tested exhaustively. Formal methods are then used to prove that the entire circuit
will perform properly, assuming proper implementation of each subsystem. These same
methods are used to enumerate “design rules” (concerning mainly relative constraints
on delay) necessary for the proper interface coordination of the subsystems. Proper
implementation of each subsystem is checked by testing each implemented subsystem
circuit in turn. Each subsystem circuit is tested by a single test vector which guides a
minimal length tour of the subsystem transition structure. By the end of the tour, every
input which is possible in situ at every respective circuit-reachable internal state has
been applied, thus guiding the subsystem circuit through every possible internal state
transition generated by every possible input.
The structure of this test is depicted in Fig. 2. The precomputed test vector
$v_0, x_0, v_1, x_1, \ldots, v_L, x_L$ is applied to the subsystem circuit through successive, alternating CHECK
and SET steps. During the ith CHECK step ($0 \le i \le L$), the input latches are checked
(through electron beam scanning) to be in state $x_i$ and the internal state of the circuit
is likewise checked to be $v_i$. The circuit then is advanced one clock cycle, which
corresponds to application to the circuit of input $x_i$ at internal state $v_i$, and at the
same time the input latches are set to the value $x_{i+1}$. This is the (i + 1)st SET
step.
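The CHECK/SET procedure described above, as an added Python example (not code from the paper). The prototype `PROTOTYPE`, the tour `TOUR`, the `Device` model and the two injected faults are constructed for illustration, and the device is assumed to start in total state $(v_0, x_0)$.

```python
# Prototype transition structure (constructed sample):
# PROTOTYPE[(v, x)] = v' for every input x possible in situ at internal state v.
PROTOTYPE = {("A", 0): "A", ("A", 1): "B",
             ("B", 0): "C", ("B", 1): "A",
             ("C", 0): "A"}

# Tour-guiding test vector (v_0, x_0), ..., (v_L, x_L), here with L = 5.
TOUR = [("B", 0), ("C", 0), ("A", 0), ("A", 1), ("B", 1), ("A", 0)]


def is_tour(prototype, tour):
    """Tour conditions from the text: every circuit-reachable total state occurs,
    and applying x_i at v_i leads to v_{i+1} in the prototype."""
    covers_all = set(tour) == set(prototype)
    consistent = all(prototype.get(tour[i]) == tour[i + 1][0]
                     for i in range(len(tour) - 1))
    return covers_all and consistent


class Device:
    """Hypothetical model of an isolated subsystem: internal state v, input latch x."""

    def __init__(self, delta, v0, x0, latch_stuck_at=None):
        self.delta, self.v, self.x = delta, v0, x0
        self.latch_stuck_at = latch_stuck_at   # None means the latch works

    def observe(self):
        """Total state as seen by the scan (both components are observable)."""
        return (self.v, self.x)

    def clock(self, x_next):
        """One clock cycle: apply the latched input, then load the next input."""
        self.v = self.delta[(self.v, self.x)]
        self.x = x_next if self.latch_stuck_at is None else self.latch_stuck_at


def run_test(tour, device):
    """Alternate CHECK and SET steps; return None if the device tests fault-free,
    otherwise a record of the first failed CHECK and the total state applied
    in the clock cycle just before it."""
    for i, expected in enumerate(tour):
        observed = device.observe()                 # CHECK step i
        if observed != expected:
            applied = tour[i - 1] if i else None
            return {"step": i, "expected": expected,
                    "observed": observed, "applied": applied}
        if i + 1 < len(tour):
            device.clock(tour[i + 1][1])            # SET step i + 1
    return None


def demo():
    """Run the tour against a good device and two faulty ones."""
    v0, x0 = TOUR[0]
    bad_delta = dict(PROTOTYPE)
    bad_delta[("A", 1)] = "C"                       # injected transition fault
    return (run_test(TOUR, Device(PROTOTYPE, v0, x0)),
            run_test(TOUR, Device(bad_delta, v0, x0)),
            run_test(TOUR, Device(PROTOTYPE, v0, x0, latch_stuck_at=0)))
```

The record returned for a failed CHECK names the total state that was applied one cycle earlier, which is the input vector the text proposes to use for locating the fault.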
It remains to show how to compute a minimal length tour-guiding test vector, for a
mixed circuit. The problem and its solution may be recast in terms of finding a minimal
length tour in a “mixed” multigraph (see the following section). The multigraph vertices
correspond to the internal states of the given subsystem, while each multigraph edge
from vertex v to vertex w corresponds to an input possible in situ at v which results in
a transition (in the prototype) to w. In the case of a reversible pair $(v, x) \leftrightarrow (w, y)$, the
directed edges (v, w) and (w, v) corresponding to x and y respectively, are paired to
form a single undirected edge. If a circuit differentiates inputs, the associated multigraph
problem reduces to a graph problem.
It may be worthwhile to observe that the same testing methodology can be applied
to software testing, and this could be meaningful if input control is limited (and “print”
commands take the place of electron beam scanning). In this direction, a proposal is
given in [22] for high-level conformance testing of communication protocols through
a (closed) tour of the entire state space (presuming the protocol differentiates inputs).
3. Minimal length open tour of a multigraph
A (“mixed”) multigraph G is an ordered pair $(M_G, U_G)$, where $M_G$ is a square
matrix of non-negative integers, the directed adjacency matrix of G, and $U_G$ is the
undirected adjacency function of G, described below. The vertices of G are the indices
of the rows (or columns) of $M_G$, presumed finite, the set of which is denoted by
$V(G)$. If $v, w \in V(G)$ and the $(v, w)$th element of $M_G$, denoted by $M_G(v, w)$, satisfies
$M_G(v, w) > 0$, then $(v, w)$ is said to be a directed edge of G, with multiplicity $M_G(v, w)$;
the set of directed edges of G is denoted by $E(G)$. $U_G$ is any function defined on the
set of unordered pairs of vertices of G, into the non-negative integers. If $U_G(e) > 0$ then
e is said to be an undirected edge of G, with multiplicity $U_G(e)$; the set of undirected
edges of G is denoted by $E^0(G)$. If $E^0(G) = \emptyset$, G is called directed while if $E(G) = \emptyset$,
G is called undirected. If G is directed (undirected), we may write $M_G$ ($U_G$) in place
of G. A graph is a multigraph, all of whose edges have multiplicity 1. The content of
a multigraph G is
\[ (G) \equiv \sum_{e \in E(G)} M_G(e) + \sum_{f \in E^0(G)} U_G(f), \]
the number of edges, directed and undirected, counting multiplicities. If G is a graph
then $(G) = |E(G)| + |E^0(G)|$.
A multigraph H is a subgraph of G, written $H \subset G$, if $V(H) = V(G)$ and for
all $v, w \in V(G)$, $M_H(v, w) \le M_G(v, w)$ and $U_H(\{v, w\}) \le U_G(\{v, w\})$. If $H \subset G$, then
$H + G \equiv (M_H + M_G, U_H + U_G)$, where $M_H + M_G$ is the usual matrix addition and
likewise, $U_H + U_G$ is defined by pointwise addition. For any multigraph G, let $G^0$
be the undirected multigraph defined by $V(G^0) = V(G)$,
$U_{G^0}(\{v, w\}) = M_G(v, w) + M_G(w, v) + U_G(\{v, w\})$ for all $v, w \in V(G)$; let $G^*$ be the directed multigraph defined
by $V(G^*) = V(G)$, $M_{G^*}(v, w) = M_G(v, w) + U_G(\{v, w\})$ for all $v, w \in V(G)$. Note that
$(G^0) = (G) \le (G^*)$.
A path of length L in a multigraph G is a vector $\mathbf{v} = (v_0, \ldots, v_L)$ of $L + 1$ vertices of
G with the property that for $0 \le i < L$, either $(v_i, v_{i+1}) \in E(G)$ or $\{v_i, v_{i+1}\} \in E^0(G)$. The
path $\mathbf{v}$ is said to be from $v_0$ to $v_L$, and we write $L(\mathbf{v}) = L$. A path $\mathbf{v}$ of length L in M is
a tour of G if for each $e \in E(G)$ there are at least $M_G(e)$ distinct values of i, $0 \le i < L$,
for which $(v_i, v_{i+1}) = e$, and in addition to all these, for each $e \in E^0(G)$, there are at least
$U_G(e)$ (additional) distinct values of i, $0 \le i < L$, for which $\{v_i, v_{i+1}\} = e$. The edges of
$\mathbf{v}$ are the ordered pairs $(v_i, v_{i+1})$, $0 \le i < L$, the set of which is denoted by $E(\mathbf{v})$. (Note
that $E(\mathbf{v})$ may not be a subset of $E(G)$.) The multiplicity of $e \in E(\mathbf{v})$ is the number of
distinct values of i, $0 \le i < L$, for which $(v_i, v_{i+1}) = e$. The path $\mathbf{v}$ is closed if $v_L = v_0$;
otherwise $\mathbf{v}$ is open. A cycle is a closed path; a multigraph is acyclic if it admits of
no cycles. A path is simple if each of its edges has multiplicity 1. A multigraph G
is strongly connected if for each $v, w \in V(G)$ there is a path in G from v to w, or
equivalently, if G admits of a closed tour; G is connected if for each v, w there is
either a path from v to w or a path from w to v. Clearly, an undirected multigraph
is strongly connected if and only if it is connected. If $\mathbf{v}$ is a tour such that for each
pair $v, w \in V(G)$, the multiplicity m of $(v, w)$ in $\mathbf{v}$ and the multiplicity n of $(w, v)$ in
$\mathbf{v}$ satisfy $a \equiv m - M_G(v, w) \ge 0$, $b \equiv n - M_G(w, v) \ge 0$ and $a + b = U_G(\{v, w\})$, then $\mathbf{v}$ is
an Eulerian tour (which in this paper may be open as well as closed). For any path $\mathbf{v}$
in G let $R_G(\mathbf{v})$ be the directed multigraph whose edges and multiplicities are those of
$\mathbf{v}$. Note that a tour $\mathbf{v}$ of G is an Eulerian tour of both $R_G(\mathbf{v})$ and $R^0_G(\mathbf{v})$ $(\equiv (R_G(\mathbf{v}))^0)$,
$M_G \subset R_G(\mathbf{v})$ and $G^0 \subset R^0_G(\mathbf{v})$.
For $v \in V(G)$ the out-degree of v is
\[ d^+_G(v) \equiv \sum_{w \in V(G)} M_G(v, w); \]
the in-degree of v is
\[ d^-_G(v) \equiv \sum_{w \in V(G)} M_G(w, v); \]
and the undirected degree of v is
\[ d^0_G(v) \equiv \sum_{w \in V(G)} U_G(\{v, w\}). \]
The parity of v is the parity of the integer $d^0_G(v)$; v is symmetric if $d^+_G(v) = d^-_G(v)$.
Let
\[ L(G) = \inf\{L \mid \text{there exists a tour of } G \text{ of length } L\}. \]
Note that if Z is a directed multigraph formed from a directed cycle on n vertices
by duplicating exactly one edge (so as to give it multiplicity 2), then $L(Z) = n + 1$
whereas every closed tour of Z has length at least 2n. Similarly, an undirected linear
graph l on n + 1 vertices satisfies $L(l) = n$, while every closed tour of l has length
at least 2n. If G is strongly connected, every $v \in V(G)$ is even and $d^+_G(v) = d^-_G(v)$
for all $v \in V(G)$, then G admits of a closed Eulerian tour [11, 5.9.6], and conversely;
G admits of an Eulerian tour if and only if $L(G) = (G)$ (the content of G, defined
above).
Now, let G be a fixed strongly connected multigraph with $n = \mathrm{card}\, V(G)$, and
let
\[ I = \max\{d^+_G(v) + d^0_G(v) \mid v \in V(G)\}. \]
Note that
\[ \sum_{e \in E(G)} M_G(e) + 2 \sum_{e \in E^0(G)} U_G(e) = \sum_{v \in V(G)} \sum_{w \in V(G)} \bigl( M_G(v, w) + U_G(\{v, w\}) \bigr) \le \sum_{v} I = nI. \]
Proposition 1. $L(G) \le In^2$.
Proof. Let $M = G^*$. Note that $I = \max\{d^+_M(v) \mid v \in V(M)\}$. For each $e \in E(M)$ let $\mathbf{z}_e$ be
a simple cycle containing e (which exists because of the assumed strong connectivity of
G); let $Z_e = R_G(\mathbf{z}_e)$. Set $Z = \sum_{e \in E(M)} M(e) Z_e$; then $M \subset Z$, $E(M) = E(Z)$, Z is strongly
connected and $d^+_Z(v) = d^-_Z(v)$ for all $v \in V(Z)$. Hence, there is a closed Eulerian tour
$\mathbf{v}$ of Z, and this constitutes a (closed) tour of M. Since $\mathbf{v}$ is an Eulerian tour of Z,
\[ L(\mathbf{v}) = \sum_{f \in E(Z)} Z(f) = \sum_{f \in E(Z)} \sum_{e \in E(M)} M(e) Z_e(f) = \sum_{e} M(e) \sum_{f} Z_e(f) \le \sum_{e} M(e)\, n \le In^2. \]
Example 1. Let $G_n$ be the n vertex directed graph defined by
\[ M_{G_n}(i, j) = \begin{cases} 1 & \text{if } 1 \le j < i \text{ or } j = i + 1, \\ 0 & \text{otherwise} \end{cases} \]
and pictured below.
[Figure: the directed graph $G_n$ on the vertices 1, 2, 3, ..., n−1, n.]
Say $(i, j) \in E(G_n)$ is a backedge if $j < i$. Let $\mathbf{v}$ be a tour of $G_n$. Then $\mathbf{v}$ traverses each
backedge of $G_n$. In order to traverse the $i - 1$ backedges emanating from vertex i, $\mathbf{v}$ must
also traverse the edge $(j, j + 1)$ j times for $1 \le j < i - 1$ and the edge $(i - 1, i)$ $i - 2$ times,
since intervening backedges in $\mathbf{v}$ from other vertices cannot decrease this repetition.
Thus, for $n > 2$,
\[ L(G_n) = \sum_{i=2}^{n} \Bigl[ (i - 1) + \sum_{j=1}^{i-2} j + (i - 2) \Bigr] = n(n + 1)(n + 2)/6 - 2n + 1. \]
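As an added check of Example 1 (not code from the paper), the following Python sketch computes minimal tour lengths exactly by breadth-first search over (vertex, covered-edge set) states. This is a brute-force substitute for the matching algorithm, usable only on small graphs, and it goes beyond Example 1 by also handling closed tours and edge multiplicities, so the cycle-with-one-duplicated-edge graph Z can be checked too; all function names are assumptions.

```python
from collections import deque


def example1_edges(n):
    """Edges of G_n from Example 1: (i, j) with 1 <= j < i (backedges) or j = i + 1."""
    return [(i, j) for i in range(1, n + 1) for j in range(1, n + 1)
            if j < i or j == i + 1]


def closed_form(n):
    """L(G_n) as stated in Example 1 (for n > 2)."""
    return n * (n + 1) * (n + 2) // 6 - 2 * n + 1


def prop1_bound(edges):
    """Upper bound I * n^2 of Proposition 1 for a directed multigraph."""
    vertices = {u for e in edges for u in e}
    out_degree = {v: 0 for v in vertices}
    for u, _ in edges:
        out_degree[u] += 1
    return max(out_degree.values()) * len(vertices) ** 2


def min_tour_length(edges, closed=False):
    """Exact minimal tour length of a directed multigraph given as an edge list
    (a repeated pair means multiplicity > 1). Exponential in the number of edges."""
    vertices = sorted({u for e in edges for u in e})
    out = {v: {} for v in vertices}       # out[u][w] -> ids of parallel edges u->w
    for eid, (u, w) in enumerate(edges):
        out[u].setdefault(w, []).append(eid)
    full = (1 << len(edges)) - 1

    def bfs(starts, goal_vertex=None):
        dist = {(s, 0): 0 for s in starts}
        queue = deque(dist)
        while queue:
            v, mask = queue.popleft()
            d = dist[(v, mask)]
            if mask == full and goal_vertex in (None, v):
                return d
            for w, ids in out[v].items():
                # Traversing v->w covers one not-yet-covered parallel copy, if any;
                # otherwise it is a repeated (redundant) traversal.
                fresh = next((i for i in ids if not mask >> i & 1), None)
                nmask = mask if fresh is None else mask | 1 << fresh
                if (w, nmask) not in dist:
                    dist[(w, nmask)] = d + 1
                    queue.append((w, nmask))
        return None                        # no tour of the requested kind exists

    if not closed:
        return bfs(vertices)               # an open tour may start anywhere
    lengths = [bfs([s], goal_vertex=s) for s in vertices]
    lengths = [x for x in lengths if x is not None]
    return min(lengths) if lengths else None


def compare(n):
    """Exact open and closed tour lengths of G_n next to the closed form and bound."""
    edges = example1_edges(n)
    return {"open": min_tour_length(edges),
            "closed": min_tour_length(edges, closed=True),
            "closed_form": closed_form(n),
            "bound": prop1_bound(edges)}
```

For n = 4 this gives an open tour of length 13 against a closed tour of length 16 and a Proposition 1 bound of 48.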
Example 2. Let $G_n$ be the n vertex directed graph pictured below:
[Figure: the directed graph $G_n$, with an expanding and contracting upper portion and a linear chain at the bottom.]
If the “expansion” part of $G_n$ “expands” to $2^{k-1}$ vertices and then “contracts” symmetrically,
while the linear portion of $G_n$ (the long branchless chain at the bottom of the
figure) contains $2^k - 1$ vertices, then $n = 3(2^k - 1)$. Note that each of the $2^k$ edges of
the linear portion of $G_n$ must be traversed once for each of the $2^k$ paths through the
upper portion. Thus, while $d^+_{G_n}(v) \le 2$ for all $v \in V(G_n)$, $L(G_n) > n^2/9$.
For a strongly connected multigraph G, let
\[ \varepsilon(G) \equiv L(G) - (G), \]
the tour index of G. This is the total number of edge traversals in excess of the respective
edge multiplicities required by any tour of G. The preceding examples show
that in general, the maximum value of $\varepsilon(G)$ over all multigraphs with n vertices is $\Omega(n^3)$,
or $\Omega(n^2)$ if I is bounded. However, for undirected multigraphs, the tour index is substantially
smaller, as the next proposition shows.
A forest is an undirected acyclic graph.
Lemma 1. Let U be an undirected multigraph. Then there is a forest $F \subset U$ such
that every vertex of $U + F$ is even. Such an F with fewest possible edges may be
found in $O(|V(U)|^3)$ steps.
Proof (Edmonds and Johnson [5]). Since
∑
v∈V (U ) d
0
U (v)= 2(U ), there are an even
number of odd parity vertices of U , and the same applies for every connected compo-
nent of U . Let these odd vertices be partitioned into pairs {v1; w1}; {v2; w2}; : : : such
that the sum Z of the lengths of respective shortest paths Pi from vi to wi; i=1; 2; : : :
is as small as possible, and set F =
∑
i R
0
U (Pi). If there are 2n odd vertices, then
the length of the shortest path between each pair of them may be found in O(n3)
steps using Dijkstra’s algorithm (e.g., [20, Section 7.2]) and an optimal partition into
pairs may be found using Edmonds’ weighted matching algorithm (cf. [5, Section 3]),
202 Z. F2uredi, R.P. Kurshan / Theoretical Computer Science 315 (2004) 191–208
in another O(n3) steps (cf. [20, Section 9.4]). If for i = j; Pi is from v to w, Pj is from
v′ to w′ and R0U (Pi) and R
0
U (Pj) share an edge e, then there is a path Q from v to v
′
(or w′) and a path Q′ from w to w′ (or v′) each of which avoids e, with the result that
L(Q) + L(Q′)=L(Pi) + L(Pj) − 2, contradicting the assumed minimality of Z . Thus,
F ⊂U . Since the odd vertices of F are precisely the endpoints of each Pi (which
comprise the odd vertices of U ), the parity of each v∈V (F) is the same relative to F
and U . Hence, every vertex of U+F is even. If F contained a cycle, then its elimination
would not aNect the parity of the vertices of F , and thus its elimination could not leave
any of the odd vertices of F unpaired; but its elimination would decrease the value
of Z ; thus, F is a forest, and by construction, it has a fewest possible number of
edges.
A forest F as in Lemma 1 is said to be an evening forest for U, the set of which is
denoted by E(U). Clearly, if 0 is an evening forest for U, then there can be no other,
and "(U) = 0.
The diameter of a multigraph G is
&(G) = max_{v,w∈V(G)} min{L(v) | v is a path in G from v to w}.
Proposition 2. Let U be a connected undirected multigraph. Then
"(U) ≤ min_{F∈E(U)} {|E^0(F)| − &(F)},
with equality if every F∈E(U) is a tree.
Proof. Suppose U admits of a non-zero evening forest F. Let v be a simple path in
F of length &(F), from (say) v to w and let V = R^0_U(v) ⊂ F. Let w be a maximal
length path of U satisfying R^0_U(w) ⊂ U + F, which starts at v, and from each vertex
u of which “uses” an edge e∈E^0(V) only if all edges of U + F − V have already
been used, counting multiplicities; in this case, the edge is required to be oriented in
the same “direction” (i.e., in E(v) or not) as any edge in E^0(V) previously “used”
in this sense (for its last traversal). We claim w is in fact an open Eulerian tour of
U + F − V. Indeed, since all vertices of U + F are even, the first edge e∈E^0(V)
“used” in w (in the above sense) will be incident either to v or w (thus determining
the direction of all future edges “used” from E^0(V)). By the same argument, the
order in which the edges of E^0(V) are “used” is either the natural order in which
they appear in v, or else the reverse of that order. Since an edge of E^0(V) is “used”
only when necessary, and V ⊂ F ⊂ U, by the time w is forced to end, all the edges
of U + F − V have been traversed exactly once, counting multiplicities. Thus, w is
a tour of U and L(w) = ∑_{e∈E^0(U)} U(e) + |E^0(F)| − L(v) so "(U) ≤ |E^0(F)| − &(F).
Now, suppose w is a tour of U which satisfies L(w) − ∑_{e∈E^0(U)} U(e) = "(U), and let
F = R^0_U(w) − U (so "(U) = (F)). Since w is a minimal length tour of U, w is not a
cycle (otherwise, the multiplicity of any edge of w could be reduced). Hence, if w is
from v to w, then w ≠ v. Let d be a simple minimal length path in U from w to v.
Then w followed by d is a closed Eulerian tour of R^0_U(w) + R^0_U(d) = U + F + R^0_U(d), so
the odd vertices of U are precisely the odd vertices of F + R^0_U(d). Let f ⊂ F + R^0(d)
be an evening forest of F + R^0(d). Then f is an evening forest of U as well, and
thus is a tree. Furthermore, since L(d) is minimal, &(f) ≥ L(d). Thus, "(U) = (F) +
L(d) − L(d) ≥ |E^0(f)| − L(d) ≥ |E^0(f)| − &(f). The required equality follows.
Corollary. Let U be a connected undirected multigraph with n ≥ 3 vertices. Then
"(G) ≤ n − 3.
Proof. If there are no odd vertices then U admits of an Eulerian tour and so "(U) = 0.
Otherwise, let F ⊂ U be a non-zero evening forest. If &(F) = 1 then |E^0(F)| = 1 so by
Proposition 2, again "(U) = 0. Otherwise, &(F) ≥ 2 while |E^0(F)| ≤ n − 1 since F is a
forest, so again by Proposition 2, "(U) ≤ (n − 1) − 2 = n − 3.
Example 3. Let U be an n vertex undirected “star” graph: U({1, i}) = 1 for 1 < i ≤ n;
U({i, j}) = 0 for i, j > 1. Then "(U) = n − 3.
Example 4. The undirected graph U pictured below, on n+4 vertices (with n/6 vertices
per “long edge”), has d^0_U(v) ≤ 3 for every vertex v, yet "(U) = (n/6) + 1:
The generalization of evening forest in an arbitrary multigraph G is acyclic complement,
a |V(G)|-state acyclic multigraph H such that E(H) ⊂ E(G), E^0(H) ⊂ E^0(G)
and for each v∈V(G),
$$d^0_{G+H}(v) - |d^+_{G+H}(v) - d^-_{G+H}(v)|$$
is even and non-negative. The set of acyclic complements of G is denoted A(G).
The effect of an acyclic complement H of a multigraph G is to produce a multigraph
G + H in which, for each vertex v, the number of potential “entrances to” v and
“exits from” v are equal; since a directed edge can be used only for an entrance or
only for an exit, any in- or out-going deficiency at v must be compensated by undirected
edges, after which the remaining number of undirected edges at v must be even.
Unfortunately, unlike the undirected case in which every minimal content acyclic
complement of U is an evening forest F ⊂ U, in the general or directed cases (as
Examples 1 and 2 show), edges in an acyclic complement may require higher multiplicity
than the same edge in the original multigraph. Furthermore, an acyclic complement
exists if and only if each connected component is strongly connected.
We prove first the existence of acyclic complements in the strongly connected directed
case. Given a directed multigraph M, a directed |V(M)|-vertex acyclic multigraph
S is a symmetric complement of M if every vertex of M + S is symmetric;
the set of all symmetric complements of M is denoted by S(M); the deficiency of a
vertex v∈V(M) is
$$d_M(v) \equiv d^-_M(v) - d^+_M(v).$$
Note that since $\sum_v d^+_M(v) = \sum_v d^-_M(v)$, we have $\sum_v d_M(v) = 0$; thus, for
$I = \max\{d^+_M(v) \mid v \in V(M)\}$ and $n = |V(M)|$,
$$\sum_v \max\{0, d_M(v)\} = -\sum_v \min\{0, d_M(v)\} \le nI.$$
Lemma 2. Let M be a strongly connected directed multigraph. Then S(M) ≠ ∅.
For n = card{v∈V(M) | d_M(v) ≠ 0} and m = ∑_{v∈V(M)} max{0, d_M(v)}, an element
S∈S(M) with (S) minimal may be found in O(n^3 + m^2 log m) steps.
Proof (Papadimitriou [16]). Let V+ be a set containing d_M(v) “copies” of v for each
v∈V(M) for which d_M(v) > 0, and let V− be likewise for those v with d_M(v) < 0.
Then |V+| = |V−|. As in the proof of Lemma 1, use Dijkstra’s algorithm to find the
respective lengths of shortest paths from each w∈V− to each v∈V+, in O(n^3) steps;
then let (v1, w1), (v2, w2), ... be a “matching” between V− and V+ (i.e., each v∈V−
is equal to exactly one vi and each w∈V+ is equal to exactly one wi) so that the sum
of the lengths of respective shortest paths Pi from vi to wi, i = 1, 2, ... (non-vacuous
since M is strongly connected) is as small as possible; set S = ∑_i Pi. The “Hungarian”
bipartite weighted matching algorithm finds such a minimal matching in O(m^2 log m)
steps [20, Theorem 8.13; Section 9.1]. As in the proof of Lemma 1, S is acyclic.
Proposition 3. Let G be an arbitrary strongly connected multigraph. Then A(G) ≠ ∅.
Proof. Start with a multigraph A_0 such that M_{A_0}∈S(M_G) and U_{A_0}∈E(U_{A_0}), as given
by Lemmas 1 and 2. Then every vertex of M_G + M_{A_0} is symmetric, so for all v∈V(G),
|d^+_{G+A_0}(v) − d^−_{G+A_0}(v)| = 0, while every vertex of U_G + U_{A_0} is even. If A_0 is acyclic,
then A_0∈A(G). If not, let v be a cycle of A_0 and let Z ⊂ A_0 be defined as follows:
for each e∈E(v), if M_{A_0}(e) > 0 let M_Z(e) = 1 and U_Z(e) = 0; otherwise, let M_Z(e) = 0
and U_Z(e) = 1; for all v, w∈V(A_0) with (v, w) ∉ E(v), let M_Z(v, w) = U_Z({v, w}) = 0.
Set A_1 = A_0 − Z. By construction, for each v∈V(G), d^0_{G+A_1}(v) − |d^+_{G+A_1}(v) − d^−_{G+A_1}(v)|
is even and non-negative, while (A_1) < (A_0). In this way we produce a strictly
decreasing chain of multigraphs A_0 ⊃ A_1 ⊃ ··· which must terminate (after a finite
number m of terms) in a multigraph A_m∈A(G).
Note: While Proposition 3 gives an algorithm to find an element of A(G) in
O((nI)^3) steps, the problem of finding an element of A(G) with minimal content
is NP-complete, even if G is taken to be planar, with d^0_G + d^+_G + d^−_G ≤ 3 [16]. However,
in view of Proposition 1 and Example 2, the tour produced using this algorithm (see
below), in the worst case has length of the same order as the minimal length tour.
The analog to Proposition 2 for directed multigraphs is given next. The value of "
may be much less favorable in this case, as every symmetric complement of M may
fail to be a subgraph of M, as already noted.
Proposition 4. Let M be a strongly connected directed multigraph. Then
"(M) ≤ min_{S∈S(M)} {(S) − &(S)}
with equality when every symmetric complement is connected.
Proof. This is completely analogous to the proof of Proposition 2.
For a general multigraph G, the analogous bound on "(G) obtains; however, computationally,
the best one may hope for is the somewhat worse second bound. The proof
again follows that of Proposition 2, and is omitted.
Proposition 5. Let G be an arbitrary strongly connected multigraph. Then
"(G) ≤ min_{A∈A(G)} {(A) − &(A)}
≤ min_{S∈S(M_G)} {(S) − &(S)} + min_{F∈E(U_G)} {|E^0(F)| − &(F)}.
4. The complexity of finding an optimal open tour
As mentioned above, to find an optimal tour in a mixed graph is an NP-complete
problem. However, using powerful known methods, one can effectively find an optimal
open tour in a (purely) directed or undirected graph.
Given an arbitrary strongly connected multigraph G with |V(G)| = n, the problem
of how to find a minimal length tour of G and to compute "(G), may be decomposed
into three subproblems. The first is to find the lengths of all minimal length paths
between ordered pairs of vertices; for this we use Dijkstra’s algorithm, requiring O(n^3)
steps. The second is to find an acyclic complement A∈A(G) with "(G) = (A) − &(A).
We will give solutions to this problem in the cases in which G is undirected or directed,
using variations of Edmonds’ general weighted matching and Hungarian bipartite
weighted matching, cited in the proofs of Lemmas 1 and 2, respectively; these variations
have the same respective complexities as the original algorithms and apply as
well to the constrained problem, in which the tour must begin at a given vertex. This
also serves to find an acyclic complement A in the general case, which satisfies the
bound given in Proposition 5, although this acyclic complement may not have minimal
possible content.
Given an acyclic complement A, a tour of G is constructed, of length (G) + (A) −
&(A). This is done by constructing an (open) Eulerian tour of G + A − V, where
(V) = &(A), using the variation of the van Aardenne–Ehrenfest/de Bruijn spanning
arborescence algorithm for mixed graphs presented in Ref. [5] (which applies directly to
mixed multigraphs as well), in conjunction with the algorithm of Proposition 2; this
requires O(nI) steps.
The crucial step, then, is to find an acyclic complement A with "(G) = (A) − &(A).
We can solve this problem for the cases in which G is directed or undirected. (For general
G, although this problem is NP-complete, one may find a suboptimal tour by applying
this step twice: once for M_G and once for U_G; the resulting tour will satisfy the bound
of Proposition 5.) The problem which this step solves may be restated as follows. In
the undirected case (cf. the proof of Lemma 1), partition the odd vertices into pairs
{v1, w1}, ..., {vk, wk}, such that the sum of the lengths of the respective shortest paths
from vi to wi for 1 ≤ i < k is as small as possible. Let us call this the truncated weighted
matching problem.
Proposition 6. The truncated weighted matching of 2k points may be solved in O(k3)
steps.
Proof. Run the (non-truncated) weighted matching algorithm [6] through the (k−1)th
augmentation step, and stop. From the proof of [20, Theorem 8.12], it follows that the
corresponding truncated matching problem is solved.
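The truncated weighted matching step for the undirected case, as an added Python example (not code from the paper). The names tour_index and star and the edge-list input are assumptions of this example; shortest paths use breadth-first search because every edge has length 1, and Edmonds' matching algorithm is replaced by an exhaustive bitmask search, so the step count is exponential in the number of odd vertices.

```python
from collections import deque
from functools import lru_cache

def tour_index(n, edges):
    """Excess edge traversals of a minimal open tour of a connected undirected
    multigraph on vertices 0..n-1; edges lists (u, v) once per unit of multiplicity."""
    adj = [[] for _ in range(n)]
    for u, v in edges:
        adj[u].append(v)
        adj[v].append(u)
    odd = [v for v in range(n) if len(adj[v]) % 2]
    if len(odd) <= 2:
        return 0                      # an (open or closed) Eulerian tour exists

    def bfs(src):                     # unit edge lengths, so BFS gives shortest paths
        dist = {src: 0}
        queue = deque([src])
        while queue:
            u = queue.popleft()
            for w in adj[u]:
                if w not in dist:
                    dist[w] = dist[u] + 1
                    queue.append(w)
        return dist

    dist = {v: bfs(v) for v in odd}

    @lru_cache(maxsize=None)
    def best(mask, free_pair_left):
        """Cheapest pairing of the odd vertices in mask; one pair may stay unjoined."""
        if mask == 0:
            return float("inf") if free_pair_left else 0
        i = (mask & -mask).bit_length() - 1      # lowest unassigned odd vertex
        rest = mask & (mask - 1)
        cost = float("inf")
        for j in range(i + 1, len(odd)):
            if not rest >> j & 1:
                continue
            sub = rest & ~(1 << j)
            cost = min(cost, dist[odd[i]][odd[j]] + best(sub, free_pair_left))
            if free_pair_left:                   # odd[i], odd[j] become the tour's endpoints
                cost = min(cost, best(sub, False))
        return cost

    return best((1 << len(odd)) - 1, True)

def star(n):
    """Constructed sample input: the star graph of Example 3, centre 0, leaves 1..n-1."""
    return [(0, i) for i in range(1, n)]
```

On the star graph of Example 3 the function returns n − 3, the bound of the Corollary.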
In the directed case, let us denote the vertices of G with negative (positive) deficiencies
by v1, ..., vk (w1, ..., wl, respectively). (If all the vertices are balanced, then G
has a closed Euler tour [5].) First, we define a network N (see figure) with source s,
sink t on the set {s, s′, t′, t} ∪ V(G) with integer capacities and costs in the following
way: cap(s′, vi) = deficiency of vi, similarly cap(wj, t′) = |deficiency of wj|, cap(s, s′) =
cap(t′, t) = ∑_i cap(s′, vi) − 1, and all the edges of G have capacity ∞. The cost of an
edge of G is 1; the additional edges have cost 0.
[Figure: the network N, showing s, s′, the vertices v1, v2, ..., vk and w1, ..., wl of G (with labels + and −), t′ and t.]
Now consider a minimal length open tour w of G. Let A denote the graph formed
by the edges of G with multiplicities R_w(e) − G(e). We call A a truncated acyclic
complement of G. Then every vertex of G is balanced in A except one vi and wj
with deficiencies −1, +1, respectively. So for every A, we can associate a flow in the
network N with maximum capacity. Thus, in order to solve the problem in the directed
case, it is enough to find a minimum cost flow (with maximum capacity) in N.
Proposition 7. A truncated acyclic complement of G with minimum number of edges
can be found in $O(n^2 I^2 \log n / \log I)$ steps.
Proof. In general, in an integer network with non-negative costs and capacities, one can
find a minimum cost flow in $O(m\,|f^*| \log_{(2+m/v)} v)$ steps using the so-called minimum
cost augmentation method (see [20, Theorem 8.13]). Here m is the number of edges in
the network, v is the number of vertices and |f*| is the value of the maximum flow. In
our case, m ≤ nI, |f*| = −1 + ∑ deficiencies of vi ≤ nI, so we have $O(n^2 I^2 \log n / \log I)$
steps.
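The minimum cost flow formulation for the directed case, as an added Python example (not code from the paper). It builds a network shaped like N, with cap(s, s′) = cap(t′, t) one less than the total imbalance, and augments along Bellman-Ford shortest paths, which is simpler than the cited method and does not attain its step bound. The function names are assumptions, as is the orientation: arcs from s′ go to vertices with more incoming than outgoing edges, and arcs into t′ come from vertices with more outgoing than incoming edges.

```python
def min_open_tour_length(n, edges):
    """Length of a minimal open tour of a strongly connected directed multigraph.
    Vertices are 0..n-1; edges lists each arc (u, v) once per unit of multiplicity."""
    surplus = [0] * n                        # in-degree minus out-degree
    for u, v in edges:
        surplus[u] -= 1
        surplus[v] += 1
    total = sum(s for s in surplus if s > 0)
    if total <= 1:
        return len(edges)                    # G already has an Eulerian tour
    S, S1, T1, T = n, n + 1, n + 2, n + 3    # the added nodes s, s', t', t
    INF = float("inf")
    arcs, out = [], [[] for _ in range(n + 4)]

    def add(u, v, cap, cost):                # arc 2i and its residual twin 2i+1
        out[u].append(len(arcs))
        arcs.append([v, cap, cost])
        out[v].append(len(arcs))
        arcs.append([u, 0, -cost])

    add(S, S1, total - 1, 0)
    add(T1, T, total - 1, 0)
    for v, s in enumerate(surplus):
        if s > 0:
            add(S1, v, s, 0)
        elif s < 0:
            add(v, T1, -s, 0)
    for u, v in set(edges):
        add(u, v, INF, 1)                    # edges of G: unbounded capacity, cost 1

    extra = 0
    for _ in range(total - 1):               # one unit of flow per augmentation
        dist = [INF] * (n + 4)
        dist[S] = 0
        prev = [None] * (n + 4)
        for _round in range(n + 3):          # Bellman-Ford over the residual network
            for u in range(n + 4):
                if dist[u] == INF:
                    continue
                for a in out[u]:
                    v, cap, cost = arcs[a]
                    if cap > 0 and dist[u] + cost < dist[v]:
                        dist[v], prev[v] = dist[u] + cost, a
        extra += dist[T]
        v = T
        while v != S:                        # push the unit back along the path
            a = prev[v]
            arcs[a][1] -= 1
            arcs[a ^ 1][1] += 1
            v = arcs[a ^ 1][0]
    return len(edges) + extra

def example1_graph(n):
    """Constructed input: G_n of Example 1, 0-based (backedges i -> j for j < i, plus i -> i+1)."""
    return [(i, j) for i in range(n) for j in range(i)] + [(i, i + 1) for i in range(n - 1)]
```

For the graphs G_n of Example 1 with n > 2, the returned length agrees with n(n+1)(n+2)/6 − 2n + 1.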
When a minimal length tour is required subject to the constraint that it begins at a
given vertex v0, the associated truncated matching problem is reduced to an ordinary
weighted matching problem among 2k − 1 points in the undirected case. The directed
case can be handled by a slight modification of N.
Acknowledgements
One of the authors, R.P. Kurshan thanks R.E. Tarjan for pointing him to Edmonds’
weighted matching algorithm, and discussing its application to the open postman
problem.
References
[1] S.N. Bhatt, F.R.K. Chung, A.L. Rosenberg, Partitioning circuits for improved testability, Proc. 4th MIT
Conf. in Advanced Res. in VLSI, 1986, pp. 91–106.
[2] H.Y. Chang, E. Manning, G. Metze, Fault Diagnosis of Digital Systems, Wiley, NY, 1974.
[3] C.K. Chin, E.J. McCluskey, Test length for pseudorandom testing, IEEE Trans. Comput. C-36 (1987)
252–256.
[4] M. Cocito, D. Soldani, Evaluation of the performance of an electron beam testing system based on
commercially available subsystems, Scanning Electron Microscopy (1983) 45–54.
[5] J. Edmonds, E.L. Johnson, Matching, Euler tours and the Chinese Postman, Math. Programming 5
(1973) 88–124.
[6] H.N. Gabow, An efficient implementation of Edmonds’ algorithm for maximum matching on graphs,
J. Assoc. Comput. Mach. 23 (1976) 221–234.
[7] L.A. Glasser, D.W. Dobberpuhl, The Design and Analysis of VLSI Circuits, Addison–Wesley, UK,
1985.
[8] R.H. Hardin, Z. Har’el, R.P. Kurshan, COSPAN, Proc. CAV’96, Lecture Notes in Computer Science,
Vol. 1102, 1996, pp. 423–427.
[9] J.E. Hopcroft, An n log n Algorithm for Minimizing States in a Finite Automaton, in: Z. Kohavi, A. Paz
(Eds.), Theory of Machines and Computations, Academic Press, New York, 1971, pp. 189–196.
[10] R.P. Kurshan, Computer-aided Verification of Coordinating Processes: The Automata-Theoretic
Approach, Princeton University Press, Princeton, NJ, 1994.
[11] L. Lovász, Combinatorial Problems and Exercises, North-Holland, Amsterdam, 1979.
[12] E.J. McCluskey, S. Bozorgui-Nesbat, Design for autonomous test, IEEE Trans. Comput. C-30 (1981)
866–875.
[13] K.C.Y. Mei, Bridging and stuck-at faults, IEEE Trans. Comput. C-23 (1974) 720–727.
[14] E.F. Moore, Gedanken-experiments on sequential machines, in: C.E. Shannon, J. McCarthy (Eds.),
Automata Studies, Annals of Mathematical Studies, Vol. 34, Princeton University Press, Princeton, NJ,
1956, pp. 129–153.
[15] S. Naito, M. Tsunoyama, Fault detection for sequential machines by transition-tours, Proc. 11th Ann.
IEEE Internat. Symp. Fault-Tolerant Comput., 1981, pp. 238–243.
[16] C.H. Papadimitriou, On the complexity of edge-traversing, JACM 23 (1976) 544–554.
[17] J. Savir, Syndrome-testable design of combinatorial circuits, IEEE Trans. Comput. C-29 (1980)
442–451.
[18] D.C. Shaver, Techniques for electron beam testing and restructuring integrated circuits, J. Vac. Sci.
Technol. 19 (4) (1981) 1010–1013.
[19] K. Smith, Electron beam tests dense VLSI chips, Electronics, April 19, 1984, pp. 86–88.
[20] R.E. Tarjan, Data Structures and Network Algorithms, SIAM, Philadelphia, 1983.
[21] R.E. Tulloss, Automated board testing: coping with complex circuits. IEEE Spectrum, July 1983,
pp. 38–43.
[22] M.U. Uyar, A.T. Dahbura, Optimal test generation for protocols: the Chinese Postman algorithm applied
to Q. 931, Proc. IEEE Global Telecomm. Conf., December 1986, pp. 68–72.
[23] M.P. Vasilevskii, Failure diagnosis of automata, Cybernetics 9 (1973) 653–665 [translated from
Kibernetika 4 (1973) 98–108].
[24] E. White, Signature analysis–enhancing the serviceability of microprocessor-based industrial products,
Proc. IECI, 1978, pp. 68–76.
[25] T.W. Williams, K.P. Parker, Design for testability–a survey, Proc. IEEE 71 (1983) 98–112.
[26] E. Wolfgang, R. Lindner, P. Fazekas, H. Feuerbaum, Electron beam testing of VLSI circuits, IEEE
Trans. Electron Dev. ED-26 (1979) 549–559.
