The enormous state spaces which must be searched when verifying the correctness of, or generating tests for, complex circuits preclude the use of traditional approaches. Difficult and hard-to-find abstractions are often required to simplify the circuits and make the problems tractable. This paper presents a simple and automatic method to extract the control flow of a circuit so that the resulting manageable state space can be explored for validation coverage analysis and automatic test generation. This control flow, capturing the essential "behavior" of the circuit, is represented as a finite state machine called the ECFM (Extracted Control Flow Machine). Simulation is currently the primary means of verifying large circuits, but an open problem is the definition of a coverage measure for simulation vectors. We define functional coverage as the amount of control behavior (the ECFM) covered by the test suite, thus providing a pragmatic solution to the problem. We then combine formal verification techniques, using BDDs as the underlying technology, with traditional ATPG algorithms, to automatically generate additional sequences which traverse uncovered parts of the state graph of the control logic of the circuit, thus providing a means of augmenting the functional verification tests. Additionally, we demonstrate how the same abstraction techniques can complement traditional ATPG techniques when attacking hard-to-detect faults in the control part of the design, for which conventional ATPG techniques alone prove to be inadequate, or inefficient at best. Results on large designs show orders of magnitude improvement over conventional algorithms.
Introduction
The two most difficult problems associated with producing dependable modern high-complexity and high-performance circuits are 1) making sure that the design is bug-free before tapeout, and 2) ensuring that the manufactured chips are defect-free. Design verification deals with checking the conformance of the design to its functional specification. This involves verifying that the design at every level of implementation, from behavioral to layout, is correct. Simulation is the primary means used to achieve this in industry today. Manufacturing test, on the other hand, is aimed at detecting physical faults and depends solely on the physical structure of the system. The difficulties with both these problems stem from the complexity of the designs, and the enormous state spaces which have to be searched to check correctness or to generate tests for subtle defects. An indication of the magnitude of the problem can be found by noting that the estimated number of protons in the universe is $10^{80}$ (about $2^{266}$), while even simple circuits can have hundreds of state elements with state spaces much larger than this number.
We believe that the solution to this problem is to abstract the design, i.e., reduce the state space to be considered, in such a way that the essential behavior of the design is preserved in the abstract model. We develop a simple, but powerful, abstraction which preserves all the control behavior, and which can be extracted automatically from a design description at either the RTL or gate level with information easily provided by the designer. We then show that this abstract model can be used to provide solutions for the two problems stated above. The problems and our approach are given in more detail in the following sections.
Design Validation Through Simulation
While much progress has been made in automating the verification process and using formal verification tools to ensure that a hardware unit will function correctly for all combinations of inputs and in all possible execution sequences, a major limitation of this technology is still the size of the units it can handle, due to the complexity of the state space. As a result, validation by simulation is still the primary means of checking the correctness of a design. Under this methodology the design is simulated for all the vectors in a functional test suite, in an environment that models the actual hardware system, and then the simulation output is checked against expected results to determine whether the design is behaving as specified. The test vectors can be generated by pseudo-random test generators or can be hand written by the designers based on information acquired from the functional specification of the design. However, it has been observed that both these methods fail to provide a measurable degree of confidence that a complex design has been adequately tested. This is especially true for modern circuits that include many advanced architectural features to enhance performance, which lead to complex interactions among the parts of the design. These interactions cannot be easily exercised by a hand written or pseudo-random test suite. Associated with validation through simulation are the problems of "coverage" and generation of simulation inputs. Coverage is a measure of the completeness of a test suite. How do we define and evaluate functional coverage? We require that functional coverage metrics should quantify the fraction of specified behavior of the design that has been exercised by the input stimuli. We need to differentiate between functional coverage and fault coverage, which is used to evaluate the quality of manufacturing tests.
Fault coverage deals with the physical errors which may occur in the hardware system and which are modeled by well-understood models such as the stuck-at and bridging fault models. Fault coverage of a test suite is then the fraction of all modeled faults that are detected by that suite. In contrast, no such models exist for functional faults. The ideal metric for evaluating the functional coverage of a test suite would be the number of execution paths exercised by that suite. However, finding all possible execution paths has exponential complexity and attempting to exercise all of them would require enormous computational resources. The next best measure is the fraction of reachable states or possible transitions that have been exercised. This is the approach adopted in this paper when defining functional coverage metrics.
However, most contemporary designs have a data path component of substantial size, contributing to the huge state space which leads to the well-known "state explosion problem". Exercising all possible transitions in the full model is neither feasible nor desirable. Furthermore, efficient techniques for testing datapath circuitry at the lower levels of the design hierarchy are simple and in wide use. In our experience most design errors of significance occur in the control logic of the circuit and in its interactions with the datapath circuitry. The hardest bugs to uncover are the ones that involve a complex sequence of interactions among multiple sub-parts of the design. A test suite which covers all possible control state transitions will maximize the probability of finding most design errors while minimizing the simulation time. Thus, it is necessary to differentiate between control and data and extract the control part of the design. All previous approaches to this problem that we have encountered suffer from a major drawback: they are closely tied to the input hardware description language, and depend heavily on the syntactic style.
Abstracting the State Space of a Design
In this paper we develop an automatic method for extracting the control flow of a circuit with a significant datapath component by abstracting away the datapath [footnote 1]. The extracted control flow is captured in the form of a Finite State Machine (FSM) which encapsulates the control flow as well as the effect of the data on this control flow. Furthermore, it can be analyzed easily and manipulated using formal techniques. This model, called the Extracted Control Flow Machine Model (ECFM), has a much smaller state space, while it exhibits the same control flow as the original circuit. Additionally the extraction of this model can be done at any level of the design hierarchy. We then define the functional coverage metrics in terms of this model, instead of performing validation coverage analysis on the full circuit.
[footnote 1] Note that such abstractions cannot be performed without having some information about the semantics of the design, which is the case with artificial circuits such as the ISCAS benchmarks. Real designs will, fortunately, have semantics which can be exploited to generate the abstractions.
There are two observations that need to be made here. First, we need to point out one more difference between design verification and physical testing. While the latter is done on the actual chip, the former is undertaken on a software model of the circuit, usually written in some hardware description language like VHDL or Verilog, or even in C. Consequently, all signals and latches in the design are observable during simulation. We take advantage of this fact in evaluating functional coverage using the ECFM model. Second, we define the notion of "equivalent" control transitions and propose a "grouping" technique to classify transitions in the ECFM into these equivalence classes, which contain transitions whose effect on the control flow is the same. This reduces the number of transition edges that need to be covered while maintaining the quality of the coverage metrics.
Generating Manufacturing Tests
Even though the use of structural fault models reduces the number of faults which need to be considered for manufacturing tests, generating a test sequence for a given fault is still quite difficult because of the large state spaces which must be examined. Ideally one would like to deal with test early in the design cycle in an attempt to alleviate the difficulties commonly encountered later, when testing large and complex circuits. For example, designers could identify certain areas in the design that could benefit from adding testability features and use synthesis techniques to add those features at the behavioral level of description. We will show in this paper that techniques which reduce the complexity of formal verification can also be used in the area of manufacturing test, and will demonstrate a unified framework addressing several problems commonly encountered in a validation methodology.
We employ the same abstract model for automatic test generation. Our approach to test generation is twofold. We first provide a technique for Coverage-Directed Test Generation. In this regard we can either supplement a given test suite that does not achieve satisfactory functional coverage according to our metrics, or generate a test sequence that would guarantee 100% coverage of the control behavior of the design. We employ techniques widely used in formal verification to generate a complete state graph of the control part of the design and then automatically generate tests to exercise all control transitions. Test sequence generation is performed on the ECFM model. This sequence may not directly correspond to a sequence applicable to the original machine because of data conflicts. In this case we use traditional ATPG techniques to expand the generated sequence and map it back to the original machine.
Finally we demonstrate how this framework can be used to assist the ATPG process at lower levels of abstraction. We first identify redundancies in the control part of the design, which the lower level ATPG tools need not address, and then provide test vectors that will detect hard faults on which conventional test generators spend a large amount of computation, or even abort.
Related Work
Some researchers have used test suites generated from conventional ATPG tools used for structural testing to do functional verification. For example, the approach followed in [2, 8, 15] introduces the concept of "design errors" to model possible functional faults. Coverage of the test suite is the fraction of possible design errors detected by the suite. While this approach is effective at the gate or lower levels in detecting common designer mistakes, it is primarily a localized structural approach and does not give an indication of the extent to which the behavior of the design has been exercised. The coverage measure used in our approach depends only on the functional behavior and does not require availability of the final net list. Along these lines of defining a fault model, a "single-state-transition (SST) fault" model was proposed in [5] at the state transition level which causes the destination state of a transition to be faulty while retaining its correct output behavior. Tests are generated for these faults using explicit state enumeration and used to detect stuck-at faults. This was a good attempt at using functional information to aid low level test, but was applicable only to small circuits. In general, these approaches attempt to measure test quality by looking at the faulty circuit behavior, i.e., the behavior of the circuit with a fault inserted. The coverage metric in this case is closely modeled after the stuck-at fault model coverage metric. Another class of approaches looks at the fault-free behavior of the circuit and does not deal with a fault model. Such a path tracing approach to generate checking experiments of circuits from their Binary Decision Diagram (BDD) representation is presented in [1]. This exhaustive checking of all possible modes of operation of the circuit is not feasible even for moderately sized designs.
There have been other efforts to use information obtained from the high-level description in order to produce either functional tests or stuck-at fault test suites, or to assist a lower level test generation tool. In [6], an extended finite state machine (EFSM) model is extracted from the behavioral description and is exhaustively traversed to generate functional tests. The EFSM is a state machine with a collapsed data path and thus includes far fewer states than the machine representing the original circuit. Exhaustive traversal of this machine to generate tests ensures that all statements in the original behavioral program are executed. However, the EFSM for complex circuits is not always small enough to be manageable. Furthermore, the EFSM extraction depends heavily on the description style of the HDL code, unlike the extraction procedure described in this paper.
More recently, approaches to coverage measurement and test generation presented in [12] and [11] use techniques similar to the ones presented in this paper. State machines for part of the circuit, usually the control part, are extracted from the HDL description by various means and used as the target of the test generation. The approach in [12] uses graph traversal of the state graph for the extracted machine to traverse all its transitions. The main difference with the work presented here lies in the mapping of the tests generated on the extracted machine back to the original circuit. Their approach is to artificially inject the required signal values during simulation, while we propose the use of conventional ATPG techniques to expand the test sequence generated on the extracted model so as to make it valid on the original circuit. Additionally, we employ the same abstraction techniques to address the problems of redundancy identification and manufacturing test. The approach in [11] also targets part of the state space in a manner very similar to ours and uses the counterexample facility in the SMV model checker [4] to generate a test for each transition in the targeted state space. However, mapping this test to the actual machine depends on recognition of patterns of high level behavior in the generated test sequence and is a labor-intensive process.
Figure 1: VHDL description of a simple example
In addition, there exist ad-hoc techniques for coverage estimation in functional validation used in practice. These include toggle coverage on signals in the HDL program and HDL statement coverage. It is generally accepted that these are not accurate measures of functional (behavioral) coverage. For example, consider the portion of behavioral HDL code in Figure 1. In this simple VHDL program the values of the two 16-bit registers regA and regB get swapped if the value of regA is less than the value of regB, and remain unchanged otherwise. A test sequence of four vectors with START low in the first clock period and then using a value of, say, 10 in regA and 11 in regB with START high in the second clock period will exercise all the statements in the VHDL program and gives 100% HDL coverage. However, as is obvious, we have not tested the case where regA is not less than regB and no swapping takes place. Thus, even in such a simple machine, HDL statement coverage is seen to be an incorrect measure because of its heavy dependence on the program's syntactic style and disregard for the language semantics. Other ad-hoc approaches to evaluate coverage just check that the state elements in the circuit assume all possible values during simulation to ensure all states are visited. A better measure using state transitions, measured by a state transition monitor, was used in the functional verification of processors in a parallel supercomputer [19]. The details of its efficacy are not provided, but the state machines tested have at most 110 states and 140 transitions. The coverage metric presented here is also based on a similar metric which measures transitions traversed in the state machine representing the circuit. However, basic transition coverage is practical only for small FSMs. This paper will show how this basic metric can be modified and applied effectively to large designs. Preliminary stages of this work have been reported in [13, 17].
Formal verification techniques have been used before in an ATPG context, mainly for redundancy identification [16, 7]. Our method of identifying redundancies is quite similar to the approaches described in these papers, but we focus on the high level behavior. By employing abstraction techniques we are able to handle much bigger circuits. The next section presents this abstract model of the state space: the ECFM model.
The Extracted Control Flow Machine Model
Most CAD algorithms depend on an implicit or explicit exploration of the design state space. However, the majority of modern circuits have a large data path, which results in a state explosion when manipulating a model of the circuit. This phenomenon makes many CAD problems intractable by present techniques (even those employing implicit state enumeration). This problem can be tackled using abstraction techniques. In most applications, including design verification and test generation, the flow of control is of prime interest. However, extracting the control machine from a circuit description is not an easy task because the control circuitry cannot be distinguished easily from the data path without relying on designer annotations to the circuit description. The ECFM of a sequential circuit is a model of the control flow in the design and is extracted by looking at the finite state machine representing the complete circuit. The difficulty in identifying the control circuitry often lies in defining the interface of the control unit with the rest of the circuit, and not in differentiating the control registers from registers holding pure data. In the ECFM methodology, it is the designer's choice which registers are to be considered as contributing to the control state space and which make up the data. The key issue here is that we are only interested in the data part of the state space to the extent that it affects the flow of control in the circuit. Consequently, we abstract the data registers from the circuit and group the data into "equivalence" classes with respect to their effect on the control. This abstraction is done by making the data registers completely non-deterministic, essentially primary inputs. This extended input space is then grouped into equivalence classes. We therefore define an equivalence relation among transitions in the ECFM such that transitions are grouped into equivalence classes.
Two transitions in an equivalence class have the same effect on control flow because they originate in the same control state, terminate in the same control state and produce the same output.
Lemma: The equivalence partitions on the transitions of the ECFM of a circuit define corresponding equivalence partitions on the transitions of the original circuit. This is easily understood. As we have seen, each transition in the ECFM maps to a corresponding transition in the original circuit and it is an onto mapping. Thus every transition in the original circuit can be placed in the same equivalence class as its corresponding transition in the ECFM, such that all transitions in a class affect the flow of control in the same manner. The following theorem follows directly from this lemma.
Theorem: The process of grouping equivalent transitions in the ECFM of a circuit partitions the state space of the original circuit in terms of its effect on the control flow of the circuit.
To better understand the process of ECFM extraction and grouping of equivalent transitions, consider the finite state machine in Figure 2. The shaded registers correspond to data registers. Making them non-deterministic is equivalent to considering them as primary inputs, as shown in the figure. The ECFM also does not observe the data part of the state space, and the inputs to the data registers are dropped (marked by the big cross on the right in Figure 2). We now determine the dependency set (shown by dotted lines) of the primary outputs and control state in terms of the primary inputs, control state variables and data variables. This forms the new set of primary inputs and may include some data variables. The rest of the data variables are dropped (marked by a small cross on the left in Figure 2). This dependency set is determined simply by looking at the support set of the output and next-state functions for the modified machine. The effect of data on control flow is thus taken into account in the ECFM even though the data registers are abstracted away. Finally, transitions in this modified machine are grouped into equivalence classes. Two transitions are equivalent if they have the same effect on the control flow, i.e., they have the same current state and the same next state, and they modify the output behavior of the machine in the same manner. Note that our definition of control flow includes values on primary outputs. Two transitions with different assignments to primary outputs, although with the same current and next states, signify different functional behavior. The identification and grouping of equivalent transitions is also done automatically from the ECFM and without recourse to the HDL description. Note that several groups may exist for each current state and next state pair, depending on the assignment to primary outputs.
Example: Consider the state transition graph for the simple design shown in Figure 1. The design has one input (start), one output (done), four 16-bit registers (r, m, regA and regB) and a flag flip-flop (flag-bit). The behavior described basically involves swapping the values in registers regA and regB if the value in regA is less than the value in regB. This sort of behavior is common where registers r and m can be the ALU registers and regA and regB are part of a general-purpose register file. The complete state space of the finite state machine for this example is of the order of $10^{20}$ states. Manipulating a state space of this magnitude is no easy task even for implicit state enumeration methods. However, most of the state space is due to the data registers (r, m, regA and regB).
The ECFM for the circuit under consideration is shown in Figure 3. The flag-bit is retained as part of the control state; r, m, regA and regB are pure data and are abstracted away. As seen from the figure, control flow depends on r and m, and they are included in the ECFM as primary inputs. Registers regA and regB do not appear in the ECFM. This ECFM has just five states but actually embodies the complete flow of control in the actual circuit. Recall that the actual circuit has 67 flip-flops and $10^{20}$ states. The number of primary inputs (PIs) to the ECFM is 33 as compared to 1 for the original circuit. However, this increase is overshadowed by the decrease in state space. The net effect is a dramatic reduction in the size of the state space and the transition relation, both of which are central to the operations required by us. Furthermore, scaling the data path in the actual circuit to 32 bits does not result in any increase in the ECFM state space, which demonstrates the scalability of this model. While it may seem that the state space has decreased at the expense of the input space, the increase in input space is minimized by the grouping of equivalent transitions. Also, large input spaces are more easily handled by our implicit enumeration procedures than large state spaces.
For the circuit in Figure 3, several transitions can be grouped for each state pair. This grouping is shown in Figure 4. For instance, one group is all transitions between state (S1, 1) and state (S2, 0) with start=1, since that transition is independent of the other inputs. Thus,
As discussed earlier, it is not an easy task to extract a correct or satisfactorily approximate control machine from an HDL description, since the extraction process depends on heuristics and the syntactic style. On the other hand, the ECFM extracted from the underlying state machine is independent of the description style of the HDL program. Note that synthesis of the complete underlying state machine from a VHDL program is a trivial task, given the state of the art in automatic synthesis. The techniques used by us to extract the flow of control are based on the underlying mathematical model of state machines and only depend on the designer's input in order to identify registers which hold pure data. These algorithms will be explained in Section 5.
It should be noted that computing the reachable states in the ECFM does not directly correspond to the control states that may be reachable in the actual machine. Rather, it is an over-estimation of the reachable control state space because some data registers of the original circuit are unconstrained in the ECFM and may assume values not possible in the actual circuit. However, it is intuitively a close approximation because, in general, data assumes any value.
Functional Coverage and Generation of Verification Tests
We now describe how the ECFM can be used to derive a pragmatic estimate of the functional coverage provided by a sequence of input vectors. At this point we assume that a functional test suite has been generated a priori for design verification (that is, we are not doing functional test generation), and we present a method for estimating the control flow coverage provided by that suite. This capability is critical, since it is obvious that design errors cannot be detected if the simulation never enters the state or exercises the transition on which the erroneous behavior is displayed. A detailed report is provided to the designers pointing to the coverage holes. We can also automatically generate tests that would cause the simulation to traverse unvisited states and uncovered transitions. These tests can be used to augment the verification tests. With this capability, we can also automatically generate a set of verification tests which covers all the control states, and as many transitions as desired, limited only by the length of the tests.
Coverage Metrics
In order to compute a quantitative measure that reflects the quality of a test suite, we use two metrics, a state coverage metric (SCM) and a more accurate transition coverage metric (TCM). Given an initial state or a set of possible initial states, we first compute the part of the design space that is actually reachable from those state(s). This is a necessary pruning step because it does not make sense to try to cover the whole design space when part of it can never be reached from the start state(s). The next step is to look at what part of the reachable state space is covered by the test vectors. The two metrics are then given as
$$\mathrm{SCM} = \frac{\text{Number of states visited}}{\text{Total number of reachable states}} \qquad (1)$$
$$\mathrm{TCM} = \frac{\text{Number of transitions traversed}}{\text{Total number of reachable transitions}} \qquad (2)$$
Obviously, TCM is the more comprehensive metric of the two. It is possible to have 100% state coverage without having 100% transition coverage. One could argue that SCM is not really necessary, and that is probably true, but using our method of calculating the two metrics there is virtually no penalty for computing SCM. Additionally, 100% SCM can be the first target. After covering all the reachable states, covering the remaining transitions will be an easier task. Providing pointers to the part of the state space that is not covered by the given tests is a useful feature in case the designer wishes to address the coverage holes by adding handwritten tests.
The biggest stumbling block to this straightforward approach has been the size of circuits. Computing the set of reachable states for large circuits is not currently feasible even when implicit enumeration methods [20] are being used. However, it is important to realize that it is not the designer's goal to exercise all transitions of the circuit state machine, as this will be prohibitively expensive for circuits with a data path of even moderate size. What designers are interested in is whether the control behavior of the circuit has been fully tested or not. Given this fact, the ECFM model can be used for coverage evaluation. The same coverage metrics are now computed on the ECFM model and reflect the amount of control behavior exercised during the simulation.
Using the ECFM Model
Consider the ECFM for the circuit described in Figure 1, which is shown in Figure 3. The dashes denote don't cares, and grouping of equivalent transitions is not shown. Grouping would result in just 7 groups of transitions, as shown in Figure 4. In this ECFM the flag-bit is considered part of the control state. Registers regA, regB, r and m are pure data and are abstracted away. However, r and m are considered primary inputs because the control flow depends on them. Ensuring that every transition in the ECFM, modulo transition equivalence, is exercised during verification guarantees that both cases, swapping registers regA and regB and leaving them untouched, are covered. The values to be fed as data variables r and m, which are primary inputs to the ECFM, can easily be determined during the simulation runs of the actual circuit performed earlier during design verification. These values are fed to the ECFM along with the input vectors while computing the coverage. An outline of our system is shown in Figure 5.
We use FCOVER, the tool that we have developed, for the extraction of the ECFM from a circuit described at any level of abstraction. Next, we feed FCOVER with a test sequence. FCOVER computes the coverage metrics described earlier, and reports instances of unexercised behavior in terms of states not visited and transitions not covered in the control part of the design by the provided test suite. This is valuable information for the designer since it can be used to enhance the test set so that the whole control state space is covered. FCOVER can also automatically provide a test sequence targeting transitions not covered by the original test sequence. Test sequence generation is performed on the ECFM. This sequence may not directly correspond to a sequence in the original machine because of data conflicts. This is possible because some of the original registers are now unconstrained inputs and can thus assume any value. It is then possible for two consecutive vectors in the sequence to have inconsistent values for the same data register. This situation cannot occur in the original machine. In this case we use conventional ATPG techniques to supplement the initial sequence with a subsequence that would justify the state encoded in the second of those vectors. Our method of generating these vectors consists of two steps. An uncovered transition is reported as the control state from which it originates and the assignments to the inputs in the ECFM necessary for that transition to be taken. Some of the PIs in the extended set of primary inputs of the ECFM are actually data registers. The first step involves exercising the transition by first generating a sequence of vectors that will bring the machine to the control state of interest and appending one more vector corresponding to the uncovered transition. This sequence is generated so as to keep as many inputs as possible as don't cares.
Figure 5: System Outline
The second step involves using ATPG techniques to expand this test sequence to make it valid on the original circuit. The test generation process is described in detail in Section 6.
There are two points that need to be made about this approach. First, one can use any tool that gives an initial test sequence. A functional test sequence manually generated by designers or generated in a pseudo-random manner could also be used. Second, there might be some data registers that do not appear in the ECFM if they are not in any dependency set. We can take the destination index register (DIR) as an example. If it is considered as part of the data path, it is deleted from the state space. Since we are not interested in the register file, no output or next state function in the ECFM depends on the DIR and this register does not appear in the ECFM at all. But if the designers want to make sure that all registers are accessed, i.e., the DIR takes all valid values during simulation, they need the DIR in the ECFM. They can then go back and retain the DIR as part of the control space and re-extract the ECFM. This demonstrates the flexibility of this methodology.
Our method of extracting the ECFM, grouping transitions and calculating the two metrics described above utilizes ideas that have been extensively used in formal design verification over the last few years. It uses Ordered Binary Decision Diagrams (OBDDs) [3] and will be described in detail in the following section. The first two steps can be efficiently performed using the elegant method developed by Clarke et al. [4].
The well known algorithm for computing reachable states is described in Figure 6. Given a set of present states, the set of states reachable in one step is computed as the Image of the next state function over the subdomain given by the present states. The set of the newly reached states is then taken as the set of present states and the process is repeated until no new states are reached. After each iteration the set of states reached thus far (Reachable) is updated by adding the set of newly reached states [7, 20].
[Figure 6 (fragment recovered from extraction; the earlier steps did not survive):
4. From = To - Reachable;
5. Reachable = Reachable AND From;
6. endwhile]
Algorithm For Finding Covered Transitions
A transition in an FSM can either be represented as a pair of the form $\langle q, x\rangle$, where $q$ is the current state and $x$ is the input vector applied to it, or as a triple of the form $\langle q, Q, x\rangle$, where $Q$ is the next state. We choose this second representation because it facilitates the representation and manipulation of sets of transitions which have the same effect on control flow, i.e., equivalent transitions.
Additionally, we modify the Image procedure outlined in the previous section to give us the pair $\langle$current state, next state$\rangle$ for a particular input vector $x_i$ applied to a particular state. More specifically, in the second step, instead of existentially quantifying out the input variables, we substitute the values provided by the designers in the test sequence. Furthermore, we eliminate the third step. That is, we no longer employ the composition operation in order to substitute the next state variables with the present state ones. In this way, we are able to maintain the current state in terms of the present state variables and the next state in terms of the next state variables. From this point onwards, by Image we mean this modified routine. We also define the relation
$$\mathrm{ATR}(\tilde{y}, x, q, Q) = T(x, q, Q) \wedge O(\tilde{y}, x, q) \qquad (6)$$
It encodes the relationship between outputs, current state, next state and inputs.
$\mathrm{ATR}(\tilde{y}, x, q, Q) = 1$ if the next state is $Q$ and the output vector is $\tilde{y}$ for input vector $x$ in current state $q$. Figure 7 describes the algorithm we employ for the calculation of the transitions that are exercised by the given input test sequence. We assume that $\{x_0, x_1, \ldots, x_n\}$ is the sequence of the input test vectors. The basic idea behind this algorithm is that the transitions that have the same effect on the control flow, i.e., equivalent transitions, should be grouped together, so that if one is exercised by the given input sequence, all of the transitions in that group are considered to be exercised. Recall that two transitions are equivalent if they have the same current state, the same next state and all primary outputs are assigned the same values on both transitions. The ATR enables us to identify equivalent transitions more easily, as described below. The first four steps of the algorithm involve building the previously described relations and also two initializations. Steps 5-17 implement a loop which is driven by the number of vectors that the designer provides.
[Figure 7 (fragment recovered from extraction; the preceding steps did not survive):
11. $T_{curr}(x, q, Q) = T_{prev} \vee Z_4(x, q, Q)$
12. $T_{prev} = T_{curr}$
13. $To(Q) = \exists q\, M(q, Q)$
14. $From(q) = \mathrm{Compose}(To(Q), q)$
15. endfor]
Finally, the characteristic function $T_{curr}$ stores all the exercised transitions (Step 11).
In steps 13 and 14, the next state becomes the current state by means of a composition operation where the next state variables are substituted by the present state variables. This is equivalent to the third step in the original Image routine. After the completion of the loop the Transition Coverage Metric can be computed easily as the fraction of true valuations of the OBDD storing the exercised transitions, after existentially quantifying out the next state variables, over the fraction of true valuations of the OBDD storing the reachable transitions (which is the same as the OBDD storing the reachable states). The State Coverage Metric can now be computed easily too. All one needs to do is to existentially quantify out of $T_{curr}$ the next state and the input variables. Then SCM is the fraction of true valuations of this resulting OBDD over the fraction of true valuations of the OBDD encoding the reachable states.
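As an added illustration (not the paper's FCOVER code), the following Python sketch runs the Figure 6 reachability fixed point and the Figure 7 covered-transition computation on a small constructed ECFM, computing SCM and TCM over groups of equivalent transitions; explicit sets stand in for OBDDs, and the machine, its inputs and the test sequence are all made up for the example rather than taken from the paper's Figure 1 circuit.

```python
"""Added example: explicit-set version of the Figure 6 reachability fixed point and the
Figure 7 transition-coverage computation (SCM and TCM).  Sets stand in for OBDDs; the
ECFM below is constructed for the example and is not the paper's Figure 1 circuit."""
from itertools import product

PHASES = ("IDLE", "CMP", "SWAP", "DONE")
STATES = [(p, f) for p in PHASES for f in (0, 1)]   # control state = (phase, flag bit)
INPUTS = list(product((0, 1), repeat=3))             # x = (start, r, m); r, m are data PIs

def next_state(q, x):
    """Constructed next-state function: CMP decides on the data inputs r, m."""
    phase, flag = q
    start, r, m = x
    if phase == "IDLE":
        return ("CMP", flag) if start else ("IDLE", flag)
    if phase == "CMP":                          # flag bit records that a swap was ordered
        return ("SWAP", 1) if (r and not m) else ("DONE", 0)
    if phase == "SWAP":
        return ("DONE", flag)
    return ("IDLE", flag)                       # DONE

def output(q, x):
    """Primary outputs (busy, swap_en); they depend on the phase only."""
    phase, _ = q
    return (int(phase in ("CMP", "SWAP")), int(phase == "SWAP"))

def image(from_states):
    """Image of the next-state function over from_states, inputs quantified out."""
    return {next_state(q, x) for q in from_states for x in INPUTS}

def reachable_states(initial):
    """Figure 6: From = To - Reachable; add From to Reachable; repeat until From is empty."""
    reachable, frm = set(initial), set(initial)
    while frm:
        frm = image(frm) - reachable
        reachable |= frm
    return reachable

def reachable_transitions(reach):
    """Every triple (q, Q, x) leaving a reachable state q."""
    return {(q, next_state(q, x), x) for q in reach for x in INPUTS}

def equiv_class(t):
    """Equivalent transitions share current state, next state and primary outputs (the ATR)."""
    q, Q, x = t
    return (q, Q, output(q, x))

def covered_transitions(initial, sequence):
    """Figure 7 loop: apply each test vector to the current state set, record (q, Q, x),
    then make the next states the current states (steps 13-14)."""
    frm, covered = set(initial), set()
    for x in sequence:
        covered |= {(q, next_state(q, x), x) for q in frm}
        frm = {next_state(q, x) for q in frm}
    return covered

def coverage_metrics(initial, sequence):
    """SCM = visited / reachable states; TCM = exercised / reachable transition groups."""
    reach = reachable_states(initial)
    all_groups = {equiv_class(t) for t in reachable_transitions(reach)}
    cov = covered_transitions(initial, sequence)
    visited = {t[0] for t in cov} | {t[1] for t in cov}
    cov_groups = {equiv_class(t) for t in cov}
    scm = len(visited & reach) / len(reach)
    tcm = len(cov_groups) / len(all_groups)
    return scm, tcm

def uncovered_groups(initial, sequence):
    """What FCOVER would report: reachable transition groups the test suite never exercised."""
    reach = reachable_states(initial)
    cov = {equiv_class(t) for t in covered_transitions(initial, sequence)}
    return sorted(g for g in {equiv_class(t) for t in reachable_transitions(reach)} if g not in cov)

# Constructed test sequence of (start, r, m) vectors: one non-swap pass, then one swap pass.
TEST_SEQUENCE = [(1, 0, 0), (0, 0, 1), (0, 0, 0), (1, 0, 0), (0, 1, 0), (0, 0, 0), (0, 0, 0)]

if __name__ == "__main__":
    init = {("IDLE", 0)}
    print("reachable states:", len(reachable_states(init)), "of", len(STATES))
    scm, tcm = coverage_metrics(init, TEST_SEQUENCE)
    print(f"SCM = {scm:.2%}  TCM = {tcm:.2%}")
    for q, Q, y in uncovered_groups(init, TEST_SEQUENCE):
        print("uncovered:", q, "->", Q, "outputs", y)
```

The state ("SWAP", 0) is never reachable, so, as with the am2910 in the results section, the denominators count only the reachable part of the ECFM.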
Using ECFM in Structure-Based Manufacturing Test Generation
We employ the extracted control flow machine model of a circuit described at the behavioral level to assist or supplement the structure-based test generation process for that circuit. The tool, FTGEN, incorporates our techniques. We can provide the lower level tools with information about redundant faults in the control part of the design, faults that can then be removed from the fault list when doing test generation at the gate level. Additionally, for faults that are hard to detect by ATPG we can, in most cases, efficiently generate a test sequence that would detect them. An outline of our method is shown in Figure 8.
Description of our Method
Our algorithm consists of the following steps:
1. Given the gate-level description of the circuit, generate the complete collapsed fault list.
2. Extract the ECFM of the fault-free circuit.
3. Generate the collapsed fault list from the ECFM (this captures the control faults).
4. Perform an equivalence check between the ECFMs of the faulty and fault-free circuits:
   (a) If the two ECFMs are equivalent then the fault is untestable.
   (b) If they are not, generate a test sequence to detect that fault.
In this algorithm we concentrate on the faults that belong to the control part of the circuit. Conceptually, one could use our method for all the faults in the faultlist that belong to the control part of the machine. However, depending on the size of the ECFM for the given machine, this might be computationally expensive. It is better to initially use an ATPG tool and impose a reasonable timeout limit on it in order to detect easy faults.
The notion of state equivalence and state machine equivalence we use is that from classical finite state automata theory. We make the assumption that the circuits on which we apply our methodology have a set of initial states, and we ignore the faults affecting the resetting function.
Definition: Two states in a finite state machine are equivalent iff there does not exist an input sequence such that the machine produces different output sequences when starting from those two states.
Definition: Two finite state machines with reset states are equivalent iff their reset states are equivalent.
Since we have a set of initial states, an untestable fault, identified by the procedure above, is a redundant fault. There can be two types of redundant faults in the ECFM. First, we can have faults that do not affect the reachable part of the ECFM of the circuit. Secondly, there may be a fault that changes the reachable part of the control flow machine but does not affect the output behavior. This kind of fault will also be classified as redundant by the above method. The equivalence check that we employ in the above process tests the equivalence of the reset state (and all the states reachable from reset) in the faulty and fault-free circuit in terms of their I/O behavior. If no discrepancy in the I/O behavior is found, the fault is redundant; otherwise a test can be generated.
At this point we need to consider what it means for the original circuit if a fault is characterized as redundant in the ECFM of that circuit. We have the following theorem.
Theorem: If the ECFM of a circuit retains all the primary outputs of the original circuit and if a fault in the control part of the circuit is classified as redundant in the ECFM of that circuit, then that fault is also redundant in the original circuit.
Proof: A fault is redundant in the original circuit and in the ECFM if there exists no input (distinguishing) sequence that would cause the values at the primary outputs to differ for the faulty and the fault-free circuits. This means that there are no values which, when loaded in the data registers, would cause the effect of the fault to be propagated to the POs. In the ECFM, data registers have been freed, some of them becoming PIs. This means that the data registers in the original circuit can only take a subset of the values that they can take in the ECFM. By construction, the outputs and the output functions are identical in the ECFM and the original circuit. The input-output behavior exhibited by the ECFM is then a superset of the behavior exhibited by the original circuit. Consequently, if no input sequence can cause the primary outputs to differ in the faulty and fault-free ECFM, there does not exist such a sequence for the original circuit. Therefore, if a fault is redundant in the ECFM it will also be redundant in the original circuit.
While the basic approach of finding redundant faults and test sequences by using implicit enumeration techniques to look for distinguishing sequences has been used before [7, 16], it was always applied to the original circuit and could only handle relatively small circuits. Our use of abstraction techniques allows us to handle much larger circuits. We describe this process in the next section.
Test generation
The procedure implementing the algorithm for generating differentiating sequences is shown in Figure 9. The product machine of the faulty and fault-free machines is formed with an output function vector that compares the faulty and fault-free output functions component-wise (1 where they agree, 0 where they differ) and a next-state function vector that is the pair (faulty next state, fault-free next state).
An output of the product machine is 0 whenever the value for that output does not match for the two component machines and 1 otherwise. The characteristic function of the set of transitions with matching outputs is generated (step 3). Starting from a given initial state of the product machine ($s_0$), the algorithm performs a forward traversal, saving the set of newly visited states ($new_i$) at each step, until a discrepancy in some output of the component machines is encountered (step 5). A sequence of input vectors ($inp_j$) leading to this product machine state is then generated (steps 6-14) using the saved state sets ($new_i$) to do a backward traversal from the state showing incorrect outputs ($s_n$) back to the initial state ($s_0$). The PickOneCube routine just picks one cube from the ON-set of the function given as the argument. Forward traversal is accomplished using the Image routine, which, as mentioned earlier, gives the set of states in the product machine that can be reached in one clock cycle from some state in the set of states given as argument to the routine. Backward traversal is accomplished using the PreImage routine, which gives the states from which some state in the set of states given as argument can be reached. In this case, the PreImage routine also gives the inputs causing the transitions.
[Figure 9 (fragment recovered from extraction; the second operand of the conjunction and the remaining steps did not survive):
6. $(inp_n, s_n) = \mathrm{PickOneCube}(new_i \wedge \ldots)$;
7. ...]
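The product-machine traversal just described, as an added example that is not the paper's FTGEN code: a constructed five-state Mealy machine, three constructed control faults (one testable, one touching only an unreachable state, one rerouting into an equivalent state, i.e. the two redundant kinds listed in the previous section), explicit sets in place of OBDDs, and a final fault grade of the sequence on the single machines.

```python
"""Added example: Figure 9 style differentiating-sequence generation on the product of a
fault-free and a faulty Mealy machine, with explicit sets standing in for OBDDs.  The
machine and the three injected faults are constructed for the example."""

# Fault-free machine (constructed): GOOD[(q, x)] = (next state, output).  State 4 is
# unreachable from the reset state 0 and behaves exactly like state 0.
GOOD = {
    (0, 0): (0, 0), (0, 1): (1, 0),
    (1, 0): (2, 1), (1, 1): (0, 0),
    (2, 0): (2, 1), (2, 1): (3, 1),
    (3, 0): (0, 0), (3, 1): (1, 1),
    (4, 0): (0, 0), (4, 1): (1, 0),
}
INPUTS = (0, 1)

def inject(table, key, value):
    """Model a control fault as one altered entry of the transition table."""
    faulty = dict(table)
    faulty[key] = value
    return faulty

FAULT_OUT = inject(GOOD, (2, 1), (3, 0))      # output forced to 0 on one transition: testable
FAULT_UNREACH = inject(GOOD, (4, 1), (4, 1))  # touches only unreachable state 4: redundant
FAULT_EQUIV = inject(GOOD, (1, 1), (4, 0))    # reroutes into state 4, equivalent to 0: redundant

def product_next(good, bad, s, x):
    """Next state of the product machine: the pair of component next states."""
    return (good[(s[0], x)][0], bad[(s[1], x)][0])

def outputs_match(good, bad, s, x):
    """Product-machine output: 1 when both components agree, 0 on a discrepancy."""
    return good[(s[0], x)][1] == bad[(s[1], x)][1]

def differentiating_sequence(good, bad, s0=0):
    """Forward traversal saving each new_i until a state shows an output discrepancy, then a
    backward traversal through the saved sets (PreImage restricted to new_i) to read off
    the inputs.  Returns None when the fixed point is reached with no discrepancy, i.e.
    the fault is redundant."""
    new = [{(s0, s0)}]
    reachable = {(s0, s0)}
    while True:
        mismatches = [(s, x) for s in sorted(new[-1]) for x in INPUTS
                      if not outputs_match(good, bad, s, x)]
        if mismatches:
            break
        frontier = {product_next(good, bad, s, x) for s in new[-1] for x in INPUTS} - reachable
        if not frontier:
            return None
        reachable |= frontier
        new.append(frontier)
    target, inp_n = mismatches[0]               # PickOneCube: any state/input showing the bug
    seq = [inp_n]
    for i in range(len(new) - 2, -1, -1):
        s, x = next((s, x) for s in sorted(new[i]) for x in INPUTS
                    if product_next(good, bad, s, x) == target)
        seq.append(x)
        target = s
    return seq[::-1]

def simulate(table, seq, s0=0):
    """Fault grading on a single machine: the output stream for an input sequence."""
    outs, q = [], s0
    for x in seq:
        q, y = table[(q, x)]
        outs.append(y)
    return outs

def detects(bad, seq):
    """True when the fault-free and faulty machines produce different outputs."""
    return simulate(GOOD, seq) != simulate(bad, seq)

if __name__ == "__main__":
    for name, bad in (("output fault", FAULT_OUT), ("unreachable", FAULT_UNREACH),
                      ("equivalent", FAULT_EQUIV)):
        seq = differentiating_sequence(GOOD, bad)
        print(name, "->", "redundant" if seq is None else f"test {seq} detects={detects(bad, seq)}")
```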
Test Sequence Expansion
As was mentioned earlier, the test sequence generated on the ECFM is not directly applicable to the original circuit. This sequence has to be expanded and mapped back to the original circuit.
First, for inputs that have been abstracted away in the ECFM model, random values have to be provided. Secondly, all data conflicts in the generated sequence must be resolved by justifying the values of those PIs which were data registers in the original circuit. We propose the use of ATPG techniques for performing these justifications. While in the process of implementing our own code, we used HITEC [18] to demonstrate the validity of our approach. HITEC can produce a justification sequence for a given state assuming a don't care initial state.
There are two cases that need to be handled. We may have to generate a justification sequence for a given state (set of values for PIs that were data registers in the original circuit) starting from a don't care state. In this case the sequence generated by HITEC is directly applicable. In the other case we have a pair of partially or completely specified states and need to generate a sequence that will bring the original machine from the first to the second state. In this case we take the justification sequence generated by HITEC for the second state and look for a subsequence that involves the first state. This subsequence is then incorporated in our test. If HITEC cannot produce a justification sequence then the corresponding vectors are dropped from our test. We force HITEC to generate the justification sequence that we need for a given state by introducing an AND gate "implementing" that state. The output of that gate becomes a PO and we introduce a stuck-at-zero fault on it. Finally, we perform a fault grade of the sequence on the original circuit to ensure that the fault is indeed detected. We believe that code specifically written to provide the functionality required by our technique will improve the efficiency of our approach, both in terms of speed and length of the generated justification sequences. Results shown for verification of sequential circuits using modified ATPG techniques such as "partial justification" [14] provide encouraging evidence for this statement.
Experimental Results
We applied our methodology to a number of example circuits. As mentioned in the introduction, the ISCAS benchmark circuits are not appropriate, since there is no information regarding their behavior. In addition, two of the examples used are much more complex for test generation purposes, as can be seen from the test generation times for state-of-the-art tools. The circuit statistics are summarized in Table 1. The first four columns provide information about the original circuit (number of primary inputs and outputs and DFFs in the circuit). The remaining four columns provide statistics for the ECFM of the examined circuits. Column 8 gives the extraction time of the ECFM model in msecs. As can be seen, the number of DFFs in the ECFM is significantly smaller than the number of DFFs in the original circuit, while there is an increase in the number of primary inputs. The number of POs in the ECFM is either the same as the number of POs in the original circuit or smaller, depending on whether the circuit has data outputs or not. If it has, those outputs are discarded in the ECFM model. The am2910 circuit is a microprogram sequencer with an on-chip RAM. It controls the sequence of execution of microinstructions stored in the microprogram memory. The Viper microprocessor [10] is a 32-bit microprocessor designed at RSRE, England for safety-critical applications. It has four general purpose registers, two ALU registers along with a memory address register and an instruction register. The netlist has approximately 6000 gates. Memory is not included in this description. The approximately 40 instructions include arithmetic, comparison and Boolean instructions along with instructions for reading and writing to the memory. The Viper halts operation if an exception is raised, which occurs if an illegal instruction is fetched or overflow occurs. The gl85 circuit is a model of the 8085 microprocessor developed by Dr. Alex Miczo.
One major difference is that it uses 8-bit input and output buses in the place of the 8-bit bidirectional address-data bus. The instruction set includes data transfer, arithmetic, logic, branch, stack, IO and machine control instructions. Each instruction has one, two or three bytes. Operation of the gl85 proceeds under the control of two state machines, the M-cycle and t-state machines. When the opcode byte is read and decoded it requires anywhere from one to five M-cycles and each of the M-cycles requires from three to five t-cycles. Table 2 presents our validation coverage analysis results on the above circuits. Column 2 gives the number of test vectors applied. Columns 3 and 4 give the SCM and TCM coverage metrics for the corresponding circuits and Column 5 gives the time to compute the coverage metrics in minutes. Take the Viper as an example. Since the state space for the Viper is in the order of $10^{75}$, it is not possible to compute the reachable state space using current techniques. Most of the state space is due to the register file. So we evaluate the functional coverage on the ECFM of the Viper, which has 32 states out of which 17 are reachable from the initial state. Our system also identified instances of unexercised behavior in terms of uncovered transitions. The designer can then write tests to exercise these transitions or we can automatically generate a test sequence that would exercise all the uncovered transitions (modulo transition equivalence) in the ECFM. This sequence can be mapped back to the original machine in a manner similar to the one described in the previous section. For am2910 the ECFM has 8 states, out of which 6 are reachable. In this circuit we have retained the POs of the original circuit and thus the opportunities for grouping equivalent transitions during coverage estimation are reduced. Thus the TCM in this case is 53.52%. For the gl85, 7296 states out of the possible 16384 states in the ECFM are reachable.
Table 3 correlates the stuck-at fault coverage and the functional coverage for the test suites that we utilized in our experiments. Although the relation between these coverage metrics is not clear, an interesting observation can be made. High stuck-at coverage does not guarantee high functional coverage, while the converse seems to be true. That is, a high TCM number will also imply high stuck-at fault coverage for the circuit at hand. We believe that this is an
We next applied the procedure described in Figure 8 to perform test generation for stuck-at faults in the control portion of the above circuits. To evaluate the performance of our approach we used HITEC to perform test generation on this reduced fault list. Table 4 summarizes these results. The second column lists the number of faults in the reduced fault list. Due to the complexity of the circuit and the large amount of time needed for test generation, we were unable to complete it for the gl85 circuit before the deadline for paper submission. The results are given for the 1041 faults which were tried by HITEC when this paper was written. We are continuing the experiment and expect it to complete in the next few days, and the final results for this, as well as for larger example circuits, will be given in the final version of the paper. The next five columns present the number of detected, redundant and aborted faults when using HITEC, as well as the efficiency and the time taken by HITEC to achieve this efficiency. We also applied our approach to each fault in the reduced fault list. That is, for each fault we inject that fault, extract the ECFM for the faulty circuit, perform an equivalence check against the fault-free ECFM and, if they are not equivalent, generate a test sequence. Additionally, we have an overhead associated with the generation of justification sequences for test sequence expansion using HITEC (see Section 6.1.2).
Currently we set the backtrack limit to 100,000 and the whole process takes only 2-3 seconds in the case of the Viper. Furthermore, the average justification sequence for the Viper is in the order of 10 vectors (i.e., 2 instructions). The test generation results of our approach are given in columns 8 to 12 of Table 4. For all the faults, we were able to either find input sequences to detect a fault or determine that it was redundant, while analyzing the ECFM. However, when expanding the sequences to the original circuit using HITEC, some tests could not be justified, and these are reported as aborted in the table. Again, for gl85, the results are for the 1394 faults which were tried at the time of writing. In Figure 10 we plot the Efficiency versus Time curves for HITEC and our approach. Time is in seconds on a logarithmic scale. In Figure 11 we do the same for the Viper microprocessor. For the am2910, HITEC achieves high efficiency quite fast but then the curve flattens out and eventually HITEC aborts on 17 faults. Our approach achieves higher efficiency, although the pace is a little slower at the beginning. However, the advantage of our approach is clearer in the case of the Viper, where we achieve higher efficiency in a significantly smaller amount of time, while the HITEC curve once again flattens out at the end. Note that we achieve an efficiency of 94% in less time than it took HITEC to reach an efficiency of less than 30%. It should be made clear that our approach targets the faults that directly affect the control part of the machine which are identified by the procedure described above. These are generally acknowledged to be more difficult to detect than faults in the data portion of a circuit. In this way, we have been able to generate tests very quickly for most of the hard-to-detect faults.
Conclusions
In this paper we have proposed a unified framework for multi-level design validation and test generation based on abstraction techniques. An overview of our framework and methodology is shown in Figure 12. We have demonstrated how abstraction techniques can be employed at the behavioral level of description to assist design verification by providing quantitative measures for the quality of the functional tests used during simulation. Additionally we have proposed a method of generating functional vectors that would exercise parts of the state space not exercised by the original functional test sequence. The method is completely automatic and efficient, using powerful implicit enumeration techniques.
[Figure 12: A Unified Framework]
In addition, we have proposed a technique for redundancy identification and test generation at the state transition level, again by using an abstraction that captures the control flow of the original circuit. The set of stuck-at faults in the control portion of the circuit, generally acknowledged to be the more difficult to detect in a large circuit, is being targeted, with test generation times on the order of a few seconds for each fault. Conventional low-level test generation tools like HITEC abort for faults which our method either classified as redundant, or generated a test sequence for, in a matter of seconds. We are in the process of evaluating these techniques on even bigger circuits. Our approach demonstrates how high-level abstractions can help the design validation process at several levels of the design hierarchy. Moreover, abstractions make it possible to handle circuits that cannot be handled even when using implicit enumeration techniques. However, even our current approach based on a flattened circuit representation will fail for large real life circuits. Our future research involves developing techniques for the hierarchical extraction of the ECFM at the behavioral level making use of information about the symmetry of the system. This will allow us to deal with larger circuits. Furthermore, we are working on an extension of the transition coverage metric that will allow us to handle sequences of events.
