Design debug remains one of the major bottlenecks in the VLSI design cycle today. Existing automated solutions strive to aid engineers in reducing the debug effort by identifying possible error sources in the design. Unfortunately, these techniques do not provide any information regarding the time at which the bug is active during an error trace or counter-example. This work introduces an automated debug technique that provides the user with both spatial and temporal information about the source of error. The proposed method is based on a Partial MaxSAT formulation which models errors at the CNF clause level instead of the traditional gate or module level. Thus, error sites are identified based on erroneous implications that correspond to locations both in the design and in the error trace. Experiments demonstrate that we can provide this additional information at no extra cost in run time and are able to prune about 61% of all simulation time frames from the debugging process. When compared to a trivial formulation we observe a performance improvement of up to two orders of magnitude and 5× on average when using the proposed formulation.
INTRODUCTION
As design tools and methodologies for today's Systems-on-Chip (SoCs) and VLSI designs become increasingly sophisticated, designing a bug-free circuit remains the exception rather than the norm. Functional verification tasks pose a major bottleneck in the design process, consuming up to 70% of the design effort [1]. A multitude of methodologies, formal and semi-formal techniques exist for verifying design functionality [2, 3]. These methods and techniques verify whether a design implements its given specification. However, once the design fails verification, the root cause of the failure must be identified and rectified manually. As the complexity of digital designs steadily increases, the cost of design debug becomes substantial and unpredictable due to the overwhelmingly manual nature of the debugging process [4] and the increased intricacy of the design cycle. The tremendous time-to-market pressures of today's applications make automated design debug tools essential.
Today, design debug consists of heavy manual engineering tasks such as examining stimulus traces, analyzing the design components, and back-tracing design signals. The result of this arduous debug effort is a set of components and circumstances responsible for the functional failure. Traditionally, automated debug solutions for hardware designs have been proposed based on simulation [5], path tracing [6], and Binary Decision Diagrams (BDDs) [7]. More recently, advances based on formal engines such as SAT [8], QBF [9], and MaxSAT solvers [10] have been successful at helping the engineers. Without exception, all existing automated debug techniques identify components (gates or modules) in the design for manual analysis. Thus they provide spatial debug information with respect to the error. Surprisingly, none provide temporal information, that is, when during the verification phase the error is active (i.e. it is excited and its effects are propagated to an observation point). Temporal information is very important for designers when determining how to remove the error and correct the design [11].
This work presents a novel alternative formulation to the automated debugging problem for sequential circuits where the solution is not limited to spatial error sources. More specifically, the proposed technique identifies errors both spatially and temporally thus localizing where and when during the verification trace the errors are active.
The basis of our technique is a departure from conventional debugging frameworks where errors are modeled as either gates or modules [6, 8, 11] . Instead, errors are modeled as implications or clauses in the Conjunctive Normal Form (CNF) representation. By identifying a set of CNF clauses as the root cause of an error, we can determine where in the design and when in the simulation trace the erroneous gates are excited to cause the wrong behavior. Specifically, our approach builds an unsatisfiable Boolean formula from the design, the verification trace and the expected behavior. We use a Partial MaxSAT solver to extract the maximal subset of clauses that is satisfiable and complement this set to derive the minimal set of clauses whose removal make the CNF formula satisfiable. This minimal set represents a set of potential error sources which if corrected allow the circuit to pass verification.
Our major contributions are summarized as follows:
• A novel method for efficiently determining spatial and temporal error sources.
• A formulation of the design debug problem using a Partial MaxSAT encoding with minimal overhead.
• An error cardinality model based on error excitations and propagations.

To demonstrate the effectiveness of the proposed technique, we develop an automated debug framework using the Partial MaxSAT solver in [12]. We show that our technique accurately identifies time frames where errors are excited and their effect propagated to the outputs. We also show that our formulation is superior to a non-optimized clause level MaxSAT approach resulting in speedups of up to two orders of magnitude with an average of 5×. Versus an existing MaxSAT-based debugger, our technique is more effective as it provides additional temporal information while demonstrating a competitive 1.29× speedup.
The remainder of this paper is structured as follows. Section 2 discusses some of the previous contributions to the field. In Section 3 we provide the necessary background regarding automated design debugging and Partial MaxSAT. Our proposed debugging approach is given in Section 4. Section 5 extends on ideas from Section 4 by introducing a new cardinality model for sequential circuits. Finally, our experiments and conclusions are given in Sections 6 and 7.
PREVIOUS WORK
Existing formal SAT-based techniques for design debugging can be grouped into two broad categories: approaches that are based on satisfiability (i.e. finding a satisfying assignment to the CNF problem) and those that are based on unsatisfiability (i.e. identifying which parts of the CNF problem cannot be satisfied). For this paper we will mainly focus on approaches based on unsatisfiability as the debugging problem is naturally unsatisfiable and recent advances in Maximum Satisfiability solvers are showing promising results for industrial applications [13].
There are two major contributions to the field of design debugging using unsatisfiability. In [10] the first MaxSAT formulation for design debug is introduced. The use of clauses for identifying exact error locations in combinational circuits is presented but deemed impractical. Instead, for sequential circuits, it is shown that MaxSAT can be used as a powerful tool to group clauses together for a quick over-approximation of the solutions. Error locations are modeled at the gate level as clauses are grouped across time frames. By increasing the granularity of errors, Safarpour et al. [10] combine a groupings based MaxSAT formulation with an exact SAT based debugger to achieve performance gains.
Furthermore the solver [14] used by [10] significantly differs from the solution technique presented here. In [14] all satisfiable subsets are enumerated, independent of their size, using disjunctions of relaxation variables. This paper presents an algorithm which enumerates MaxSAT solutions using no relaxation variables.
In [15] , unsatisfiable cores are used to speed up the debugging process for multiple fault diagnosis problems. This approach extracts a set of unsatisfiable cores from the CNF problem and prunes potential error locations not contained in any of the cores. A SAT based exact debugger is then used to find the actual error locations from the reduced problem.
Both contributions focus on using unsatisfiability during pre-processing to improve performance. Error sources are modeled as physical locations in the design (gates or modules) and the final solution is returned by a secondary SAT based debugger. Our approach differs from previous approaches in that we do not attempt to balance the use of unsatisfiability and satisfiability for performance gains. Instead we use a Partial MaxSAT solver on sequential circuits to find the exact error location in the design without the need for an additional solver. Our formulation models errors at a finer level of granularity offering a better resolution than other approaches in addition to being the first formulation able to locate suspects in time. Even though the search space of our problem is significantly increased, our experiments show that the impact on run time is insignificant due to advances made in modern MaxSAT solvers.
BACKGROUND
Automated Design Debugging
Design debugging occurs at the early stages of the design cycle when the implementation of a design does not meet the specification. At this stage, the RTL design has failed verification (simulation or formal). Given an erroneous circuit, a sequence of input values (stimulus trace) and expected output values, design debugging seeks to find a set of error sources in the design, that if corrected can rectify the problem. This is similar to fault diagnosis which focuses on locating defects in silicon [6] . While the techniques presented here are also applicable to fault diagnosis, we will mainly focus our discussion on design debugging.
Traditionally, error sources and their corresponding correction models are represented at either the gate or module level [8, 11]. For SAT [8] and QBF [9] based debug, the problem is converted to CNF using techniques that may [16] or may not [17] take into account circuit information. The stimulus and expected behavior are then used to constrain the resulting CNF problem. Additional constraints are added to limit the maximum number of errors that can be simultaneously activated. Finding a satisfying assignment to the resulting formula effectively finds a set of possible error locations $E_l$. A debugger is limited to finding the set of all sites $E_q$ functionally equivalent to $E_l$, such that $|E_q| \le N_e$. $N_e$ is a user defined cardinality providing the upper bound on the number of errors that can be active in the circuit simultaneously [8]. Sets of error locations are said to be functionally equivalent if they cannot be functionally distinguished from each other under a given stimulus trace [6].
Maximum Satisfiability
This section reviews MaxSAT and its extensions, and briefly overviews recent algorithms for MaxSAT, capable of handling large complex problem instances.
Given an unsatisfiable CNF formula $\Phi$, the MaxSAT problem consists of identifying an assignment to the problem variables such that the number of satisfied clauses in $\Phi$ is maximized [18]. The MaxSAT problem is a well-known NP-hard optimization problem.
In the Partial MaxSAT problem the CNF formula is organized into a set of hard clauses, which must be satisfied, and a set of soft clauses, which may or may not be satisfied, i.e. $\Phi = \Phi_H \cdot \Phi_S$. For Partial MaxSAT problems the objective is to find an assignment that satisfies all the hard clauses and that maximizes the number of satisfied soft clauses.
In the remainder of this paper, hard clauses will be represented in square brackets and soft clauses in round brackets. For example, consider the following formula:
(1) The first two clauses are hard clauses, and so must be satisfied, whereas the remaining three clauses are soft clauses and may or may not be satisfied.
In the recent past [18] , the most effective MaxSAT algorithms have been based on branch-and-bound search (B&B), supported by effective lower bounding and dedicated inference techniques. Nevertheless, most of the experimental evaluation associated with B&B MaxSAT solvers assumed random and handmade problem instances, which unfortunately often bear little relationship with hard industrial instances. As a result, recent work has addressed alternative approaches, aiming the use of MaxSAT algorithms in industrial settings, and focusing on instances derived from realistic applications. The most effective algorithms are based on solving MaxSAT with unsatisfiable sub-formula identification and relaxation [12, 19, 20] . The relaxation of the clauses in each unsatisfiable sub-formula is achieved by associating a relaxation variable with each such clause. Cardinality constraints are used to constrain the number of relaxed clauses.
DEBUGGING SEQUENTIAL CIRCUITS WITH PARTIAL MAXSAT
For the design debugging problem we are primarily interested in sequential circuits specified using logic gates and state elements. We use time frame expansion to model the behavior of state elements over a finite number of clock cycles $k$. This technique effectively transforms the sequential circuit into a combinational circuit, otherwise known as an Iterative Logic Array (ILA) [6], by replicating the combinational portion of the circuit $k$ times. Adjacent time frames are connected by their respective next and current state variables. Let $ILA_k(C)$ be the ILA obtained by expanding a buggy sequential circuit $C$ over $k$ time frames. Let $CNF(ILA_k(C))$ denote the Boolean formula obtained by translating each gate in $ILA_k(C)$ into its respective CNF representation as in [17]. We can formulate the debugging problem as a Partial MaxSAT problem as follows:

As the erroneous circuit cannot produce the expected output response, $\Phi$ is inherently unsatisfiable. The complement of the solution set obtained from a Partial MaxSAT solver is the minimal set of clauses whose removal satisfies $\Phi$ (i.e. the clauses corresponding to a possible error). Due to the many-to-one mapping between clauses and gates in the CNF, this solution set also corresponds to a minimal collection of logic gates in $C$ that may be responsible for the discrepancy between the observed and expected behavior. The input, output, and initial state constraints are specified as hard clauses, as indicated by the square brackets, since their removal trivially satisfies the CNF formula. We can also specify trusted portions of the circuit (such as adders and multipliers) as hard clauses to reduce the solution space. For the remainder of this paper the phrase 'MaxSAT solution' will refer to the set complement of the Partial MaxSAT solution.
The most basic Partial MaxSAT formulation is one that relates each clause found as a solution back to its gate or module level representation. The following example demonstrates this process for a simple circuit.

Example 1 Fig. 1(a) and (b) give an example of a correct and erroneous circuit. Gate A in the correct circuit was wrongly implemented by an AND gate. Fig. 1(c) Fig. 1(c) is given below along with the gates represented by each set of clauses.

Obtaining Multiple Solution Sets

error sources = error sources ∪ {Sc}
Sc ⇐ maxsat(Φ)
end while
return error sources
Extracting Temporal Information
The MaxSAT solutions also provide valuable information regarding the temporal location of the errors. In Example 1, all the solution clauses originate from gates $A_2$, $C_2$, $B_3$ in either time frame 2 or 3. Thus, further analysis or correction by the engineer can focus on clock cycles 2 or 3 within a stimulus trace or counter-example. Incidentally, these solution clauses describe a propagation path from the error source in time frame 2 to the observed error at the output in time frame 4. Even though gate A is also erroneous in time frame 1, the value of $a_1$ actually matches its expected value. Thus the error is undetectable in time frame 1. In contrast, existing automated debug solutions only provide spatial information (gates A, B and C) regarding error suspects.
Our experiments show that our method can reduce the number of time frames requiring analysis for debug by an average of 61%. Furthermore, we can measure the frequency that a certain time frame is implicated from the set of solutions returned. Experimentally, time frames which are implicated by solutions more frequently are more likely to contain the actual error excitation. In the example given, two out of three solutions implicate the actual erroneous time frame. For longer simulation traces this analysis allows the designer to shorten the debugging process by prioritizing their efforts to a small selection of simulation time frames.
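The clause-level formulation and the time frame histogram described above, worked on a constructed three-frame circuit. This is an added example, not the paper's Fig. 1 or its implementation: the circuit, stimulus and expected outputs are assumptions, and exhaustive search stands in for the Partial MaxSAT solver of [12].

```python
from collections import Counter
from itertools import product

K = 3                                          # time frames in the ILA
STIMULUS = {1: (0, 0), 2: (1, 0), 3: (0, 0)}   # constructed (x, y) per frame
EXPECTED_OUT = {1: 0, 3: 1}                    # constructed: output checked in frames 1, 3


def build_formula():
    """Unroll the toy circuit; return (names, hard, soft).

    soft holds (gate, frame, clause) so a solution maps back to where and when.
    """
    ids = {}

    def var(name, t):
        return ids.setdefault(f"{name}{t}", len(ids) + 1)

    hard, soft = [], []
    state = var("s", 1)
    hard.append([-state])                      # initial state s1 = 0
    for t in range(1, K + 1):
        x, y, a, b = (var(n, t) for n in "xyab")
        xv, yv = STIMULUS[t]
        hard += [[x if xv else -x], [y if yv else -y]]
        # Gate A as implemented: a = AND(x, y). The intended gate is OR.
        soft += [("A", t, c) for c in ([-a, x], [-a, y], [a, -x, -y])]
        # Gate B: b = OR(a, state); b is the output and the next state.
        soft += [("B", t, c) for c in ([b, -a], [b, -state], [-b, a, state])]
        if t in EXPECTED_OUT:
            hard.append([b if EXPECTED_OUT[t] else -b])
        state = b                              # connects frame t to frame t + 1
    names = {i: n for n, i in ids.items()}
    return names, hard, soft


def holds(clause, bits):
    """True if the assignment satisfies at least one literal of the clause."""
    return any(bits[abs(lit) - 1] == (lit > 0) for lit in clause)


def correction_sets(n_c):
    """Subset-minimal sets of <= n_c soft clauses whose removal satisfies the formula."""
    names, hard, soft = build_formula()
    found = set()
    for bits in product((False, True), repeat=len(names)):
        if all(holds(c, bits) for c in hard):
            bad = frozenset(i for i, (_, _, c) in enumerate(soft) if not holds(c, bits))
            if len(bad) <= n_c:
                found.add(bad)
    minimal = [s for s in found if not any(o < s for o in found)]
    return names, soft, sorted(minimal, key=sorted)


def debug_report(n_c=1):
    """Return (solutions, histogram of time frames implicated by the solutions)."""
    names, soft, mcs = correction_sets(n_c)

    def text(clause):
        return "(" + " + ".join(("¬" if l < 0 else "") + names[abs(l)] for l in clause) + ")"

    solutions = [[(g, t, text(c)) for g, t, c in (soft[i] for i in sorted(s))] for s in mcs]
    histogram = Counter(t for sol in solutions for t in {t for _, t, _ in sol})
    return solutions, dict(histogram)


if __name__ == "__main__":
    sols, hist = debug_report(1)
    for sol in sols:
        print(sol)
    print("frames implicated:", hist)
```

Gate A is wrong in every frame but only excited in frame 2, and the report implicates frames 2 and 3 only, so frame 1 drops out of the analysis.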
Using Literal Information
Another benefit of modeling error sources at the clause level is that a solution clause returned by MaxSAT does not merely present a specific gate as erroneous. It also provides additional information regarding the nature of the problem. For instance, consider the solution $(a_2 + b_2 + c_2)$ from Example 1. Since the removal of this clause makes the CNF problem satisfiable, this clause must evaluate to false in the satisfying assignment. The following observations can be deduced regarding the nature of the error.
1. The error could have been caused by the incorrect behavior of gate C.
2. The literal $c_2$ implies that setting $c = 0$ (gate C) only in time frame 2 by some circuit modification would rectify the problem.
3. The literals $a_2$ and $b_2$ imply that changing either the output value of gate A or gate B in time frame 2 from 0 to 1 would rectify the problem.
Of these points, only observation 1 is returned by traditional automated debug techniques. Observations 2 and 3 are unique to clause level debugging as they reason about implications in a particular time frame.
Further analysis can be made for the input literals in observation 3. Due to the output constraint imposed on gate B at time frame 2 ($out_3 = 0$), setting $b_2 = 1$ is not a viable option. In general, this means that these additional implied solutions should be checked against other clauses to ensure the correcting assignment does not cause another clause to evaluate to 0 due to multiple fanouts. Thus, gate A in time frame 2 is the only other potential error source implied by this solution.
Since each clause level solution effectively returns a small cluster of gates as possibly erroneous, we can add the extra gates found to the set of error sources returned by Algorithm 1. Continuing with our above example, this means that both the gates $A_2$ and $C_2$ are added as potential error candidates to the error sources set after finding the clause $(a_2 + b_2 + d_2)$.
MODELING ERROR CARDINALITY AS EXCITATIONS AND PROPAGATIONS
In existing gate level debugging approaches, the maximum cardinality of solution sets $N_g$ is given by the user [8]. That is, $N_g$ represents an estimate on the maximum number of simultaneous gate level error sources active in the circuit. In this section we establish a new way to express error cardinality which describes error sources at a finer level of granularity. To do so, we must first find the relationship between $N_g$ and $N_c$.
Consider the case where $\Phi$ is derived from a single clock cycle simulation of a circuit $C$. We can treat $C$ as a combinational circuit. Let $E$ be the set of all functionally equivalent gate level error locations of cardinality $\le N_g$. We define $m_{cl}$ to be the maximum number of clauses generated for any gate in the circuit. For example, for a circuit with only 2-input AND/NAND gates and NOT gates, $m_{cl} = 3$. Due to the minimality of solutions returned by maxsat($\Phi$) every element in $E$ is found by mxs solve for $N_c = N_g \cdot m_{cl}$.
For circuit problems optimized through Boolean Constraint Propagation (BCP), where all unit literal clauses are removed, $m_{cl}$ can further be replaced by $(m_{cl} - 1)$ in the above upper bounds.
Theorem 1: In BCP optimized circuit problems with no unit literal clauses the maximum number of clauses that can be unsatisfiable per gate is $m_{cl} - 1$.
For sequential circuits, since a gate is replicated $k$ times in $ILA_k(C)$, in the worst case $N_c = (m_{cl} - 1) \cdot N_g \cdot k$ to find all gate level solutions of cardinality $\le N_g$. Notice that $k$ actually denotes the maximum number of times that a gate level error is active, i.e. the gate level error is excited and its effect is propagated to the output [6]. Since in general a gate level error is not active for every clock cycle, $k$ can be effectively replaced by $k_{ep}$, where $k_{ep} \le k$ denotes the expected number of times the error site is active.
Since errors are modeled at the clause level, errors from the same or different gate level sources are not distinguished. Thus, once a clause cardinality $N_c$ is specified, mxs solve finds all clause level errors irrespective of their corresponding gates. As a result, $N_c$ can be more appropriately specified as $N_c = (m_{cl} - 1) \cdot N_{ep}$, where $N_{ep}$ is the maximum expected number of error excitations and propagations for a given stimulus trace. This is in contrast to previous definitions of gate level error cardinality which demand the estimated number of error locations that are active in the circuit at once. Similar to $N_g$, the user can provide an estimate for this number based on trace length and the complexity of the problem [8].
Example 2 shows a simple circuit where using an $N_c$ independent of the gate level locations provides valuable debug information.
Example 2 Consider the erroneous circuit in Fig. 2(a). Some gates irrelevant to the problem are omitted in the time frame expansion model of Fig. 2(b). The correct circuit is derived by replacing gate A with an OR gate so the actual number of error excitations and propagations is 2. Suppose $m_{cl} = 3$ and we guess $N_{ep} = 2$. Consequently, mxs solve with $N_c = (m_{cl} - 1) \cdot N_{ep} = 4$ returns a total of 9 solutions (all of cardinality 2). Three of these solutions are given below with their gate level representations shown for clarity.
EXPERIMENTS
In this section we demonstrate the effectiveness of our temporal and spatial debug techniques. The techniques described in this paper are implemented using C++, Perl and the Partial MaxSAT solver from [12] . All experiments are run on a 2.20GHz Intel Core2 Duo machine with 2GB of memory and a timeout of 6 hours. In total five educational circuits (cct1-5) and three circuits obtained from OpenCores.org [21] (divider, fpu, rsdecoder) are presented. These circuits are modified at the RTL level where a single Verilog error is inserted. The buggy circuits are first simulated to verify that the errors are detected. They are then synthesized and converted to CNF using the method in [17] . The input and output constraints are captured from simulation. As described in Section 4 providing temporal debug information such as the most likely time frame when an error is active is crucial. The temporal information provided by our technique is illustrated in Fig. 3 . The histograms in Fig. 3 show the frequency a time frame is implicated by a literal in solution clauses. The likelihood of an error being active at a particular time frame is indicated by the height of the bars. The scatter plots underneath the histograms illustrate which error locations are found for which time frame. The y-axis lists all unique error locations found by the algorithm and the x-axis shows the time frames during which these locations can be excited to cause the error. Fig. 3(a) shows the results for cct4 which is a large state machine with a wrong state transition. In total 30 unique error locations are found. The graphs show two visible spikes at time frames 43 and 47. The actual error location was excited in time frame 43.
For divider-2 (Fig. 3(b)) a constant assignment is inserted into the datapath and excited by the testbench at time frame 21. We see a wider distribution of possible erroneous time frames as the erroneous behavior is propagated through multiple pipeline stages. Similarly, for fpu-1, an RTL operation is replaced with another in the datapath. The peak in Fig. 3(c) correctly implies that the bug is excited in time frame 6. As the error propagates through the datapath the number of possible error sources for the observed bug decreases.
These graphs can allow the designer to focus on these locations during these time frames to correct the problem. For all three circuits our technique correctly indicates the time frame during which the bug is excited and propagated to the output. The frequency of the erroneous time frame, i.e. when the error is active, is more than double that of the next highest data point for the three circuits shown.
These histograms and scatter plots can therefore be used to reduce the amount of time spent on analyzing simulation waveforms by reducing the search space to a few clock cycles. For example in cct4, if the engineer is aware of when state transitions occur, the error source in the state machine may be deduced even without any spatial information. Table 1 summarizes the performance of our technique on all the sample circuits. For the larger circuits multiple interesting error instances are considered (four for divider, three for fpu, two for rsdecoder).
Columns 1 to 3 give the instance of the buggy circuit, the number of gates, and the number of state elements, respectively. Columns 4 and 5 indicate the length of the stimulus trace in clock cycles and the number of literals in the MaxSAT formulation. The number of equivalent gate level error locations is given in column 6.
Columns 7 to 10 provide run time information for the basic Partial MaxSAT formulation as described in Section 4. For each clause, only the gate that it was derived from is considered a solution. Column max card provides the maximum cardinality Nc required to find all error locations at the clause level. The run time to find all equivalent error locations using this method is summarized in columns iter (number of iterations), time/iter (average solver time per iteration), and total (total run time).
Columns 11 to 14 present the cardinality requirements and run time results for the case where clause literals are interpreted as solutions as presented in Section 4.3. The improvement in run time of this method over the basic formulation is given by the improv column. On average we observe a speedup of around 5× for finding all equivalent error locations when comparing against the basic formulation with best results reaching up to two orders of magnitude (cct4 and fpu-1). Finally, the percentage of time frames pruned due to temporal information is given in the last column. Our formulation is able to prune about 61% of all possible error excitation time frames on average. Note that this number does not take into consideration visible spikes in frequency as given by the histograms in Fig. 3 which could further reduce the time to find the actual erroneous time frame.
Consider divider-2 with 5670 gates and 424 state elements which is simulated for 27 clock cycles resulting in a MaxSAT formulation with 176,481 literals. The inserted error results in 15 equivalent error locations at the gate level. The clause based method finds all 15 error locations after 64 iterations with an Nc of 2. In contrast, our literal based method finds all error locations in 13 iterations requiring an Nc of 1. Since the error trace ran for a total of 27 time frames and our formulation found 7 possible time frames during which the error could be excited the percentage of possible error excitation time frames pruned is 74%.
We also implemented the debug problem using groupings similar to the method presented in [10] . In this variation, solutions are found based on grouping clauses at the gate level over all time frames by using additional CNF variables. For a fairer performance comparison we used the Partial MaxSAT solver of [12] instead of the solver [14] originally used by [10] . Experimentally our Partial MaxSAT solver outperforms the solver of [14] by a large margin for our sample circuits. The results are not presented here due to space constraints. A representative sample of the results comparing our run times against gate level groupings is presented in Table 2 . Since errors are modeled at the clause level our formulation generally has a larger search space and finds additional solutions not provided by a formulation based on gate level cardinality. However, since a single clause may imply multiple gate level error locations, in all cases except for cct4, fewer iterations are required by our proposed technique to find all equivalent error locations. With the solve time per iteration almost identical between the two approaches, our technique results in an overall performance improvement of 1.29× for the sample of circuits given. Furthermore, since the work in [10] also groups clauses for gates across all time frames, no temporal debug information can be deduced from the solutions. As a result, our formulation not only provides a speedup, but also provides valuable temporal debug information to the user.
CONCLUSION
This work introduces a technique for debugging sequential circuits using a Partial MaxSAT formulation which provides both temporal and spatial information about error locations. Temporal information is critical to the user during the debugging process. The proposed framework is a departure from traditional debug techniques as error sources are modeled at the clause and literal levels. Experiments demonstrate that the temporal locations can accurately locate when in an error trace the errors are active. Performance gains of orders of magnitude are observed in some cases, with an improvement of 5× on average.
ACKNOWLEDGMENTS
The authors would like to thank Mr. Duncan Smith for offering his technical expertise and help with implementation aspects of this framework.
