ABSTRACT
The semi-formal verification method, in which the functionality is formally specified and the checking is undertaken through the formal model-based simulation, has been a promising choice for the functional verification of hardware designs. The existing methods derive the formal model from design implementation. This causes poor scalability and practicality. A more feasible solution is to derive the formal model directly from the specification. In this paper, we propose a specification-based semi-formal method for functional verification. The proposed semi-formal method uses a stage transition graph (STG) model to formally describe the function points in the specification. Meanwhile, we propose an automatic test pattern generation (ATPG) method to generate the test vectors based on the STG model. The proposed STG-based ATPG method can reach possible corner cases and ensure exhaustive exploration of functionality for both control-dominated designs and data-dominated designs. Moreover, we develop an STG-based tool for automatic verification. Our experiments show that our method can automatically verify the functional correctness from the specification while achieving similar code coverage as implementation-based semi-formal approaches.
I. INTRODUCTION
The increasing complexity and size of hardware designs, along with nonrecurring engineering and time-to-market, put a heavy burden on functional verification. Functional verification has become the critical path in the hardware design cycle regarding development costs and time [1].
Formal and simulation-based verification are two major techniques of functional verification. The simulation-based verification method is still mainstream in industrial manufacturing. Its scalability and ease of use make it feasible for all verification tasks at almost all abstraction levels. However, the lack of exhaustiveness causes the targeting of interesting corner cases to be difficult over time. Alternately, though traditional formal-based methods (broadly, model checking and theorem proving) can exhaustively prove the functional properties of hardware designs, the well-known state explosion problem in model checking and skilled manual guidance required by theorem proving cause the formal verification methods to be limited in industrial practice.
As an alternative, the semi-formal method makes a tradeoff between simulation and formal method, where the design functionality is formally specified by a model and checking is undertaken through simulation [2]. Compared with the simulation, the semi-formal method significantly improves the exhaustiveness and effectiveness of the firing of corner cases. Meanwhile, compared with the formal method, the semi-formal method avoids the state-explosion problem. It appears that the semi-formal method is more scalable than the formal method.
The formal functional model is the base of the semi-formal approach. Existing studies have constructed the formal model directly from implementations. These studies, usually extracting formalism (e.g., finite state machine (FSM) [3], extended finite state machine (EFSM) [4]-[6], assignment decision diagram [7], [8], binary decision diagram (BDD) [9], etc.) from implementation (register-transfer level (RTL)), have some drawbacks for industrial design verification: 1) they do not scale well on industrial-strength designs; 2) they need other models, such as temporal assertions or a golden model, to check the design correctness; and 3) they are not practical because a detailed design is not always available.
A more promising method is to derive the formal model from the design specification rather than the implementation of the design. However, the specification describes the functional requirements of the design rather than the implementation details; in particular, plenty of inner behaviors and middle registers in the implementation are not specified in the specification. It is therefore infeasible to describe complex sequential functional behaviors cycle by cycle from the specification. Moreover, the lack of implementation details of the design increases the difficulty of targeting corner cases. These two problems limit the practical application of the specification-based semi-formal method.
To solve the first problem, we find that, although the specifications only define the timing orders and temporal relationships among functional behaviors at a multicycle granularity and eliminate information about inner behaviors and middle registers, these timing orders and temporal relationships just hide some trivial inner behaviors and state transitions of the design. They are sufficient to describe complex sequential functional behaviors without losing much timing accuracy. To this end, we propose a stage transition graph (STG) model. The STG model only concerns the functional behaviors of the ports and the values of inner visible registers (specified in the specification) of interest instead of the entire state space. Each STG consists of different functional behavioral stages and their transitions. Each stage transition contains the condition, timing mark and corresponding reaction of the stage transition. The timing mark indicates the cycles of the transition given the condition is met and can be directly derived from the specification. Therefore, our proposed STG model can describe the sequential functional behaviors in a timing-accurate manner from the specification.
To solve the second problem, we find that all corner cases can be triggered by the corresponding test scenarios, which are included in the test space of the design. This test space can be well covered by the transitions in our proposed STGs. Thus, firing all transitions and ensuring complete coverage of the test space for each transition can reach possible corner cases. Based on this observation, the STG-based automatic test pattern generation (ATPG) method is proposed, which handles the nondeterminism problem in the exhaustive traversal of transitions and ensures efficient and complete coverage of the test space for each transition through multiple passes of transitions in STGs. During each pass, first, our ATPG method uses a random walk algorithm or the modified backjumping algorithm to ensure the firing of all transitions in STGs; compared with the backjumping algorithm in [5], our modified backjumping algorithm can handle the dependence of multiple-variable-dependent transitions. Second, our ATPG method includes a test-space coverage strategy, which has algorithms for both data-sensitive transitions and control-sensitive transitions to ensure an effective and complete test-space coverage. Overall, our proposed ATPG method can ensure a complete functionality exploration without the entire state space, for both control-dominated designs and data-dominated designs. Furthermore, we define a functional coverage based on the STG model to evaluate functional coverage according to the functional requirements in the specification.
Based on the proposed semi-formal method with STG and ATPG, we have developed an automatic HW/SW co-verification tool called STG-Test. STG-Test contains an easy-to-use and specialized graphical user interface (GUI) that provides a simple graphical template to help users develop the STG model for the design under verification (DUV). Meanwhile, when connected to an RTL simulator, STG-Test can automatically generate test vectors and check the correctness of the DUV based on the given STG model. The STG-based functional coverage and the code coverage are automatically generated after the verification finishes. According to the evaluations across benchmarks (collected from ITC99 and OpenCores) and multiple in-house hardware designs, our method can automatically verify the functional correctness of the design from the STG model and achieve similar coverage compared to existing implementation-based semi-formal approaches.
II. RELATED WORK
Because simulation verification lacks exhaustiveness and formal verification lacks scalability, the semi-formal verification as an alternative has become a promising choice. The basic process of the semi-formal verification is to describe the functionality of the design via a functional model and apply the functional model for the generation of test vectors.
In semi-formal verification, the mainstream method of model development is to extract a functional model from implementation. The extended finite state machine (EFSM) is a common model for model development from implementation. Some papers [5], [10] propose methods to extract the EFSM-based model from implementation details. References [4], [5], [10], and [11] propose corresponding ATPG methods for the generation of test vectors based on the EFSM-based model. Alternately, Control Flow Graphs (CFGs), which describe the control branches in the designs, are also used for model development from implementations. Some papers [12]-[14] propose methods to extract the CFG-based model from implementation details and corresponding ATPG methods for the generation of test vectors. In addition, assignment decision diagram [7], [8] and BDD [9] are also used for the implementation-based semi-formal verification. However, these implementation-based semi-formal methods are limited for practical verification in industrial design because 1) detailed RTL designs are not always available; 2) they lack scalability, so they do not work well for industrial-strength designs; and 3) they always need other models, such as temporal assertions or a golden model, to check the design correctness.
To solve this problem, some papers study the specification-based semi-formal method, where the functional models are developed from the specifications. Some papers [15]-[19] extract the transaction-based models from the specifications and generate test vectors based on these transaction-based models. These transaction-based models consist of SystemC [15], unified modeling language (UML) [16], [17] and other transactional description models [18], [19]. These transaction-based models can express each functional behavior as a transaction, but the sequential relationships and logical relationships between transactions are difficult to characterize. Thus, the transaction model-based semi-formal method is unsuitable for control-dominated designs. Other papers [20]-[24] extract temporal logic-based models from specifications for semi-formal verification. These temporal logic-based models include computation tree logic (CTL) [20], linear temporal logic (LTL) [21], and ω-regular [22]. In industrial practice, SystemVerilog assertions (SVA) [23] and property specification language (PSL) [24] are also widely used as temporal logic-based models. Though the temporal relationships among behaviors can be described in the temporal logic-based models, they do not work well for data-sensitive functional operations. Meanwhile, the temporal logic-based models cannot describe functional behaviors in a timing-accurate manner.
Thus, we propose a stage transition graph (STG) model, which can describe the functional behaviors in a timing-accurate manner from the specifications. We also propose the ATPG method to generate test vectors for complete coverage of the STG model. Thus, the proposed STG-based semi-formal verification is a specification-based method, and it ensures a complete functionality exploration of the STG model and finds corner cases for both control-dominated designs and data-dominated designs.
III. STAGE TRANSITION GRAPH MODEL
A. OVERVIEW OF STG
To bridge the gap between the specification and the description of functional behaviors in a timing-accurate manner, we propose a stage transition graph (STG) model. The functional description in the specification is comprised of multiple functional points. Each STG in the model describes a functional point.
The STG is defined by two nonempty sets S and T. The elements of S and T are called stages and transitions, respectively. Each stage represents an execution stage in the functional point. Each transition represents the transition from the corresponding source stage to the destination stage. Each transition is described by a triple $\{\beta\}\,C\,[\alpha]$, in which $\beta$ is the condition of the transition; $\alpha$ is the corresponding behavior, called the reaction; and C is the timing mark used to indicate the cycles of the transition given that the condition is met. The condition and reaction are described based on the primary inputs (PIs), primary outputs (POs) and variables. Variables represent inner visible registers, which are defined by the specification.
Next, we will illustrate an example in which a functional point of a customized fix-point arithmetic unit is described by an STG. In the specification of the unit, we can see that in1, in2, and cntr are the primary inputs (PIs), out is the primary output (PO), and a and b are the control registers. The initial values of a and b are both 0.
The execution process of the functional point is described in the specification. At the beginning, if (in1 < $2^{16}$) and (in2 < $2^{16}$), register a is assigned by in1 after 1 cycle. Then, if (a = 1) and (b = 1), out is assigned by the sum of a and b after 2 cycles, and the operation of the functional point is finished; otherwise, out is assigned by 0 after 1 cycle. Next, if cntr is 1, then out is assigned by (a-b) after 2 cycles, and the operation of the functional point is finished; otherwise, a is assigned by in1 after one cycle, and it loops back to judging (a = 1) and (b = 1) and continues to execute.
Based on the execution process described in the specification, we describe the functional point by an STG as shown in FIGURE 1. In the STG, $\{S_0, S_1, S_2, S_3, S_4, S_5\}$ is the set of stages, and $\{t_0, t_1, t_2, t_3, t_4, t_5\}$ is the set of transitions. The condition and reaction of each transition are enclosed in "{}" and "[]", respectively. The cycle interval C is described as "## value", and the value can be a specific value or a range between two values. An operation of the STG shown in FIGURE 1 is defined in this manner. In the beginning, the STG is in the initial stage $S_0$. The STG cannot start to execute until the transition $t_0$ is satisfied. Once the condition function of $t_0$ is satisfied, the corresponding reaction is executed, and the STG moves to $S_1$ after cycle interval C of $t_0$. Then, the STG continues to receive the inputs and moves to the new stages until it moves to the last stages ($S_3$ or $S_4$ in FIGURE 1), and then the operation is finished. If the transition $t_0$ is not satisfied, it means that the corresponding STG (the corresponding function point) cannot start to execute. However, this will not cause the system to wait forever, because our ATPG method (presented in Chapter 4) will generate the suitable test vector to satisfy the condition of $t_0$ to achieve complete coverage of all STGs in the STG model.
B. BASE DEFINITIONS
Next, we provide the base definitions of the STG. Hereinafter, we suppose that port parameters or local variables can be unified by the general term variables. In the following definitions, we suppose that each variable v is associated with a set of possible values $D_v$, which is called the domain of variable v. If V is a set of variables, then $D_V$ denotes a set of possible valuations of variables from set V.
• I is the set of primary input symbols; for an input port
• O is the set of primary output symbols; for an output port
• S is the set of stages; $s_0 \in S$ is the initial stage, which is the stage in which an operation starts.
• T is the set of transitions; each transition t is a 5-tuple $\langle C_t, s_t, s_t, \beta_t, \alpha_t \rangle$, consisting of:
  $C_t$: the cycle interval between firing the transition and the reaction finishing;
  $s_t$: $s_t \in S$ is the source stage of the transition;
  $s_t$: $s_t \in S$ is the destination stage of the transition;
Based on the characteristics of the condition function, we classify the transitions as an input-dependent transition or a variable-dependent transition. The corresponding definition is given as follows:
Definition 2: Assume that t is a transition of a given STG $G = \langle I, O, V, S, T \rangle$. t is an input-dependent transition if its condition function involves only PIs. Otherwise, t is a variable-dependent transition if its condition function involves at least one variable.
As shown in FIGURE 1, $t_0$, $t_3$, $t_4$, and $t_5$ are the input-dependent transitions, and $t_1$ and $t_2$ are the variable-dependent transitions.
C. PECULIARITIES OF THE STG MODEL
To present the novelties introduced by the STG model, we will discuss the difference between existing state-based formalisms and our proposed STG model below.
Normally, the state machines or similar formalisms are used for indicating the state of the circuit design. There are two reasons that the state-based formalism is not suitable for our specification-based semi-formal verification. First, the state-based formalism does not describe the data types of primary inputs. This makes it difficult to target corner cases in the following ATPG process. Second, the state-based formalism lacks the description of the timing mark, so it cannot efficiently describe function points from the specification. This is because, in specifications, temporal relationships among functional behaviors are defined at a multicycle granularity rather than cycle by cycle.
To overcome the above shortcomings, we propose STG. First, STG has the initial stage and final stage, which represent the beginning and end of the executive process of the function point, respectively. Second, in order to describe the function points for both control-dominated designs and data-dominated designs, the data types of all primary input and output symbols are also declared in the STG model. This helps to efficiently target corner cases in the ATPG process. Third, we introduce the timing mark C, which indicates the cycles of the stage transition given that the condition is met. It is more than an annotation: it is used for checking the temporal relationships among functional behaviors directly from the specifications. For example, if the time delay of the DUT accomplishing a functional behavior is more than the corresponding timing mark C, it means that the functionality of the DUT is incompatible with the description of the STG model, and a timing error is found.
IV. THE FUNCTIONAL ATPG APPROACH
To exhaustively explore the design functionality, we propose a functional ATPG method to generate test vectors based on the STG model. The ATPG method can 1) ensure exhaustive traversal of transitions in STGs and 2) ensure efficient and complete coverage of the test space for each transition.
Therefore, we propose a functional ATPG method based on multiple passes of transitions in STGs. The process of the proposed ATPG method is shown in FIGURE 2. First, an uncovered STG is selected for ATPG. Second, the transition traversal engine selects a transition to fire in the STG. Third, the test space coverage strategy generates the corresponding test vector to fire the transition.
Step 2 and step 3 will iterate to traverse the STG many times until the test-space coverage of the STG is complete. Finally, all STGs are covered completely, and the ATPG process stops.
A. THE TRANSITION TRAVERSAL ENGINE
The transition traversal engine is used for the complete traversal of transitions in each STG. The transition traversal engine works as follows: 1) firing the easiest-to-traverse transitions; 2) analyzing the control dependence of transitions which are missed in the first step; 3) firing the missed transitions based on the control dependences. For steps 1) and 2), there are existing algorithms (i.e., the random walk and the control dependence analysis) that solve the problem well. Although the most important step 3) can be implemented based on the backjumping algorithm proposed in [5], the existing backjumping [5] is unable to fire the multiple-variable-dependence transitions deterministically. To solve this problem, we propose a modified backjumping algorithm with multiple-variable-dependence backjumping path and backjumping process.
1) RANDOM WALK
The random walk algorithm works as a depth-first visit to cover the majority of transitions in STGs. Because the random walk algorithm only uses a simple heuristic that randomly selects a satisfiable transition from the current stage, it works with low time and resource costs.
Let us illustrate how the random walk algorithm works in the STG shown in FIGURE 1: starting from $S_0$, it fires transition $t_0$ by assigning in1 and in2 a value between 0 and $2^{16}$. We assume that the values are 100 and 200, respectively. Then, it moves to $S_1$ and randomly selects a transition from $t_1$ and $t_2$. If $t_2$ is chosen, $t_2$ cannot be fired because its condition function cannot be satisfied. Thus, $t_2$ is discarded, and transition $t_1$ is chosen to fire. The STG moves to $S_2$, and the random walk algorithm continues until the STG moves to the final stages. This means that an operation is finished for the STG.
Though the random walk works with low time and resource costs, some variable-dependent transitions are hard to fire for the random walk algorithm. For example, the transition $t_2$ cannot be fired deterministically by the random walk. The reason is that the random walk only concerns the satisfiability of out-degree transitions of the current stage rather than the dependencies among all transitions. Thus, the control dependence analysis and backjumping algorithm are used to solve this problem.
2) CONTROL DEPENDENCE ANALYSIS
The control dependence analysis is used to extract the control dependencies among transitions to guide the backjumping process to fire all missed variable-dependent transitions after the random walk process.
Control dependence exists between two transitions when one transition sets the value of a variable and another transition uses this value to trigger itself. Based on the control dependencies among transitions, control-dependence paths are extracted. The control-dependence path (CP) is a situation in which v is a variable involved in the condition function of transition $t_2$, variable v is assigned to a value in $t_1$, and no more transitions update v between $t_1$ and $t_2$. The existence of CP means that the v-control-dependence relationship exists between $t_1$ and $t_2$.
For example, for the STG in FIGURE 1, the transition connection graph and control-dependence graph are shown in FIGURE 3. There is an a-control-dependence relationship between transition $t_0$ and $t_2$ and a b-control-dependence relationship between transition $t_4$ and $t_2$. (a, $t_0$, $t_2$) is the a-control-dependence path, and (b, $t_4$, $t_2$) is the b-control-dependence path.
3) THE MODIFIED BACKJUMPING
The backjumping algorithm is used for deterministically firing the variable-dependent transitions with the help of control dependence analysis. However, the backjumping algorithm in [5] is unable to fire the multiple-variable-dependence transition because this approach deals with the dependence of each involved variable separately so that values of all involved variables cannot satisfy the missed transition at the same time. To solve this problem, we modified the backjumping algorithm. The basic improvement of the modified backjumping algorithm is to handle multiple-variable control dependencies in the same path so that the values of all involved variables can satisfy the missed transition at the same time. Therefore, compared with the backjumping algorithm presented in [5], our modified backjumping method can deterministically fire the multiple-variable-dependence transitions.
Our modified backjumping algorithm works as follows: 1) obtain each control-dependence path of each variable with the help of the dependence analysis; 2) form all control-dependence paths into a backjumping path (the backjumping path is the shortest path that contains all control-dependence paths); and 3) backjump to the source stage of the backjumping path and handle the dependence of each variable along the backjumping path. As the proposed backjumping strategy dynamically 1) changes its backjumping path and/or 2) updates the condition to fire transitions along with the backjumping path, according to the control-dependence path, the proposed method is robust with different control-dependent situations.
Let us illustrate the backjumping strategy used in FIGURE 4 for the STG shown in FIGURE 1. The transition $t_2$ is missed after the random walk process. Variable a and variable b are involved in the condition function of $t_2$. According to the control dependence analysis, (a, $t_0$, $t_2$) is the a-control-dependence path, and (b, $t_4$, $t_2$) is the b-control-dependence path. Then, the backjumping algorithm generates the backjumping path p, and the transition order of p is $t_0 \rightarrow t_1 \rightarrow t_4 \rightarrow t_5$. Next, based on the backjumping path p, the STG backjumps to $S_0$ and tries to fire $t_0$ by solving the constraint $\beta_{t_0} \wedge \alpha_{t_0}|_a \wedge \beta_{t_2}|_a$ (which is (in1 < $2^{16}$) && (in2 < $2^{16}$) && (a = in1) && (a = 1)) so that the value of variable a can satisfy the condition function of $t_2$. Then, the STG moves from $S_1$ to $S_2$ along the path p. Similarly, it solves the constraint β t 4 4 so that the value of variable b can satisfy the condition function of $t_2$. Finally, moving to stage $S_1$ along with the backjumping path, the transition $t_2$ is satisfiable to fire.
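The control dependence analysis and the modified backjumping described above, as an added Python example that is not code from the paper or from STG-Test. The STG is constructed to mirror the dependence paths stated for FIGURE 1; the reactions of t4 and t5, the candidate input values, and the bounded search used in place of a constraint solver are assumptions.

```python
from collections import deque, namedtuple
from itertools import product

LIMIT = 2 ** 16
Tr = namedtuple("Tr", "src dst reads writes cond react")

# Constructed STG. i = primary inputs, v = variables (inner visible registers).
# Outputs (out) and timing marks are omitted. The reactions of t4 and t5 are
# assumptions; the page only states their roles in the dependence paths.
STG = {
    "t0": Tr("S0", "S1", set(), {"a"},
             lambda i, v: i["in1"] < LIMIT and i["in2"] < LIMIT,
             lambda i, v: {"a": i["in1"]}),
    "t1": Tr("S1", "S2", {"a", "b"}, set(),
             lambda i, v: not (v["a"] == 1 and v["b"] == 1),
             lambda i, v: {}),
    "t2": Tr("S1", "S3", {"a", "b"}, set(),
             lambda i, v: v["a"] == 1 and v["b"] == 1,
             lambda i, v: {}),
    "t3": Tr("S2", "S4", set(), set(),
             lambda i, v: i["cntr"] == 1, lambda i, v: {}),
    "t4": Tr("S2", "S5", set(), {"b"},
             lambda i, v: i["cntr"] != 1,
             lambda i, v: {"b": i["in2"]}),          # assumed reaction
    "t5": Tr("S5", "S1", set(), set(),
             lambda i, v: i["in1"] < LIMIT, lambda i, v: {}),  # assumed condition
}

def control_paths(missed):
    """Triples (v, t_def, missed): t_def writes v and missed is reachable
    from t_def without passing another transition that updates v."""
    found = set()
    for var in STG[missed].reads:
        for name, t in STG.items():
            if var not in t.writes:
                continue
            seen, queue = set(), deque([t.dst])
            while queue:
                stage = queue.popleft()
                if stage in seen:
                    continue
                seen.add(stage)
                for n2, t2 in STG.items():
                    if t2.src != stage:
                        continue
                    if n2 == missed:
                        found.add((var, name, missed))
                    elif var not in t2.writes:
                        queue.append(t2.dst)
    return found

def backjump_path(missed, init="S0"):
    """Shortest transition sequence from the initial stage that contains every
    defining transition and ends at the source stage of the missed transition."""
    need = frozenset(d for _, d, _ in control_paths(missed))
    queue, seen = deque([(init, frozenset(), [])]), set()
    while queue:
        stage, done, path = queue.popleft()
        if stage == STG[missed].src and done == need:
            return path
        if (stage, done) in seen:
            continue
        seen.add((stage, done))
        for name in sorted(STG):
            t = STG[name]
            if t.src == stage and name != missed:
                queue.append((t.dst, done | ({name} & need), path + [name]))
    return None

# Small candidate input set standing in for a constraint solver (assumption).
CANDIDATES = [dict(zip(("in1", "in2", "cntr"), c))
              for c in product((0, 1, LIMIT - 1), (0, 1, LIMIT - 1), (0, 1))]

def solve(missed):
    """Test vectors along the backjumping path that make `missed` fireable.
    All variable dependences are resolved jointly on the one path."""
    path = backjump_path(missed)

    def dfs(k, variables, vectors):
        if k == len(path):
            ok = [i for i in CANDIDATES if STG[missed].cond(i, variables)]
            return vectors + [(missed, ok[0])] if ok else None
        t = STG[path[k]]
        for inputs in CANDIDATES:
            if not t.cond(inputs, variables):
                continue
            nxt = {**variables, **t.react(inputs, variables)}
            result = dfs(k + 1, nxt, vectors + [(path[k], inputs)])
            if result:
                return result
            if not t.writes:   # inputs of a non-defining transition cannot help
                break
        return None

    return dfs(0, {"a": 0, "b": 0}, [])   # a and b start at 0

if __name__ == "__main__":
    for name, inputs in solve("t2"):
        print(name, inputs)
```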
B. THE TEST SPACE COVERAGE STRATEGY
For the complete functionality exploration based on the STG model, only achieving the complete traversal of transitions is not sufficient. The test space of each transition also needs to be covered completely. The test space of a transition is comprised of the value ranges of all input parameters that can satisfy the condition function of the transition.
However, it is infeasible to traverse all the solutions in the test space of each transition. We find that, if the condition function of a transition involves a long-bit input parameter in1 that is used for communication, it is unnecessary to cover all legal values of in1 because most of the legal values are similar and redundant. On the other hand, if the condition function of a transition only involves the input parameters that are used for configuring different work modes, it is necessary to iterate over each legal solution in the test space of the transition. Based on the observation, we propose the test space coverage strategy by categorizing the functional types of transitions into data-sensitive and control-sensitive groups.
We distinguish the different functional types of transitions based on the properties of the involved input parameters. The properties of the input ports can be categorized as data-path or control-path: the data-path port is concerned with communication and calculation, and the control-path port relates to functional mode change.
Further, the transitions can be categorized as data-sensitive or control-sensitive. For a transition t, if its condition function involves one or some data-path input parameters, t is a data-sensitive transition. Otherwise, if its condition function only involves control-path input parameters, it is a control-sensitive transition.
In this paper, we propose a test-space coverage strategy for both the data-sensitive transition and the control-sensitive transition. Next, we will detail them.
1) TEST-SPACE COVERAGE STRATEGY FOR THE CONTROL-SENSITIVE TRANSITION
For the control-sensitive transition, because the legal value range of the control-path input port is normally small, the test space of the control-sensitive transition is relatively small. This makes it feasible to iterate over each legal solution in the test space. Therefore, the test-space coverage strategy generates the corresponding test vectors to traverse all legal solutions in the test space through the multiple passes of the control-sensitive transition in the ATPG process.
Let us suppose that t is a control-sensitive transition and that its condition function clause involves two control-path input parameters, in1 and in2. The legal value range of in1 is from 3'b000 to 3'b100, and the legal value range of in2 is from 2'b00 to 2'b11. The test space of the transition t is all combinations of each legal value of in1 and in2, i.e., 5 * 4 = 20 different combinations. The proposed test-space coverage strategy will generate a corresponding test vector to cover each different combination by firing the transition t 20 times.
2) TEST-SPACE COVERAGE STRATEGY FOR THE DATA-SENSITIVE TRANSITION
For the data-sensitive transition, the legal value range of the involved data-path parameter is always large. This leads to the test space of the data-sensitive transition being too large to iterate over each legal solution. Fortunately, most solutions are similar and redundant. It is not necessary to simulate all solutions in the test space. Thus, the proposed test-space coverage strategy aims to achieve a ''satisfying'' test-space coverage for the data-sensitive transition.
Based on the above analysis, we define the criterion for "satisfying" test-space coverage as covering all corner cases and a certain scale of random cases in the test space. The scale of random cases can be set in advance. To achieve the "satisfying" test-space coverage, we propose the corner-case analysis method to cover all corner cases and the test-space decomposition method to cover a certain scale of random cases.
To target all corner cases in the test space, we find 1) that the corner cases in the test space are mainly concentrated on combinations of each corner value of data-path input parameters and each legal value of control-path input parameters and 2) that the corner values of a data-path input parameter are relatively constant based on its data type, which supports an opportunity to infer corner cases automatically.
Thus, we propose the corner-case analysis method to generate corner cases for the data-sensitive transition automatically. The method works as follows: it 1) employs expert knowledge to record and update the corner values for each data type; 2) obtains each corner value of data-path input parameters based on their data types; and 3) combines each corner value of data-path input parameters and each legal value of control-path input parameters to generate corresponding corner cases.
Let us assume that there is a data-sensitive transition t and that its condition function clause involves a data-path input parameter in1 and a control-path input parameter in2. The data type of in1 is a 32-bit integer, and the legal value range of in2 is from 3'b000 to 3'b100. Thus, the corner cases are mainly concentrated on combinations of each corner value of in1 and each legal value of in2. For example, in1 = 0 and in2 = 3'b000 constitute a corner case, and in1 = 0 and in2 = 3'b001 constitute another corner case for t. The corner-case analysis method will generate the corresponding test vector to cover each corner case in the test space of the transition t.
On the other hand, to achieve a certain scale of random coverage of the test space, the constraint-randomized verification (CRV) method is a normal method to adopt. However, redundancy and uncertainty exist in the random stimulus generated by CRV. They lead to uneven verification strength in different parts of the test space.
To solve this problem, we propose the test-space decomposition method. The test-space decomposition aims at ensuring the same verification strength among different parts of the test space for a certain scale of random coverage of the test space. The basic principles of the method are as follows: 1) decomposing the test space into multiple subspaces evenly (the number of subspaces can be set by the engineer or automatically determined by expert knowledge based on the size of the test space); and 2) generating corresponding test vectors to traverse all the subspaces separately through multiple passes of the transition.
The mathematical derivation can prove the efficiency of the test-space decomposition method. If a test space's size is n, the expected number of random vectors needed to cover the test space T is:
We assume that one cut is made to decompose a test space into two average subspaces. After k cuts, the expected number of random vectors needed to cover the test space T (K ) is:
Thus, we can see that the introduction of the test-space decomposition method can decrease some redundant random vectors. It ensures a high-efficiency random coverage of the large test space for the data-sensitive transition.
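The saving claimed here can be checked numerically. The following is an added example, not the paper's own derivation or equations: it assumes every random vector is drawn uniformly, with replacement, from the (sub)space being covered, so the classical coupon-collector expectation applies, and that the 2^k equal subspaces are covered one after another.

```python
import random
from fractions import Fraction


def harmonic(m):
    """Exact m-th harmonic number 1 + 1/2 + ... + 1/m."""
    return sum(Fraction(1, i) for i in range(1, m + 1))


def expected_vectors(n, k=0):
    """Expected number of uniform random vectors needed to hit every point of
    a size-n test space that k cuts have split into 2**k equal subspaces,
    each covered separately (assumed model: coupon collector per subspace)."""
    parts = 2 ** k
    if n % parts:
        raise ValueError("n must be divisible by 2**k")
    m = n // parts
    return parts * m * harmonic(m)


def simulate(n, k, trials, seed=1):
    """Monte Carlo estimate of the same quantity, as a cross-check."""
    rng = random.Random(seed)
    parts, m = 2 ** k, n // 2 ** k
    draws = 0
    for _ in range(trials):
        for _ in range(parts):
            seen = set()
            while len(seen) < m:
                seen.add(rng.randrange(m))
                draws += 1
    return draws / trials


if __name__ == "__main__":
    for k in range(4):
        exact = float(expected_vectors(64, k))
        print(f"k={k}: expected {exact:7.1f}, simulated {simulate(64, k, 2000):7.1f}")
```

Under this model each additional cut removes a constant share of the redundant draws, and the limit of one point per subspace needs exactly n vectors.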
The test-space decomposition for a data-sensitive transition is illustrated in FIGURE 5. t is a data-sensitive transition. Ports P1, P2, and P3 are involved in the condition function of t. P1 and P2 are the data-path ports, and P3 is the control-path port. The legal value range of P1 is divided into P1_a and P1_b, and the legal value range of P2 is divided into P2_a and P2_b. The subranges of each data-path port (P1 and P2) and the legal value ranges of each control-path port (P3) are then combined. Each combination of subranges represents a test subspace. Thus, the test-space decomposition loops through all test subspaces to generate the corresponding test vectors through multiple passes of the transition.
The test-space coverage strategy for data-sensitive transitions adopts the corner-case analysis method and the test-space decomposition method to achieve "satisfying" test-space coverage. First, the corner-case analysis is used to ensure the complete coverage of corner cases. When the complete coverage of corner cases is achieved, the test-space decomposition method is used for obtaining a certain scale of random coverage of the test space.
In particular, to improve the automation in the ATPG, the test-space coverage strategy integrates an expert knowledge base to reduce human labor. Based on the data type of each input parameter, this expert knowledge base can 1) infer the corner values, 2) set the scale of random cases for achieving "satisfying" coverage, and 3) set the number of test subspaces in the test-space decomposition.
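The two steps of the test-space coverage strategy can be sketched as a small generator. This is an added example, not the STG-Test implementation: the corner-value table, the signed interpretation of the 32-bit integer, the legal values of P3 and all function names are assumptions made for illustration.

```python
import itertools
import random

# Constructed stand-in for the expert knowledge base (signed 32-bit assumed).
CORNER_VALUES = {"int32": [-(2**31), -1, 0, 1, 2**31 - 1]}
TYPE_RANGE = {"int32": (-(2**31), 2**31 - 1)}


def corner_cases(data_ports, control_ports):
    """Each corner value of every data-path port combined with each legal
    value of every control-path port (steps 2 and 3 of the analysis)."""
    names = list(data_ports) + list(control_ports)
    axes = [CORNER_VALUES[t] for t in data_ports.values()]
    axes += [list(vals) for vals in control_ports.values()]
    return [dict(zip(names, combo)) for combo in itertools.product(*axes)]


def split_range(lo, hi, parts):
    """Split the inclusive range [lo, hi] into `parts` contiguous subranges."""
    size = hi - lo + 1
    if not 1 <= parts <= size:
        raise ValueError("parts must be between 1 and the range size")
    cuts = [lo + size * i // parts for i in range(parts + 1)]
    return [(cuts[i], cuts[i + 1] - 1) for i in range(parts)]


def decomposed_vectors(data_ports, control_ports, parts, per_subspace, seed=0):
    """Draw `per_subspace` random vectors from every test subspace, so no
    part of the test space is sampled more heavily than another."""
    rng = random.Random(seed)
    names = list(data_ports) + list(control_ports)
    axes = [split_range(*TYPE_RANGE[t], parts) for t in data_ports.values()]
    # A control-path port contributes each legal value as its own "subrange".
    axes += [[(v, v) for v in vals] for vals in control_ports.values()]
    out = []
    for subspace in itertools.product(*axes):
        for _ in range(per_subspace):
            vec = {n: rng.randint(lo, hi) for n, (lo, hi) in zip(names, subspace)}
            out.append((subspace, vec))
    return out


# Transition t from the text: in_1 is a 32-bit integer, in_2 is 3'b000..3'b100.
T_DATA = {"in_1": "int32"}
T_CTRL = {"in_2": range(0b000, 0b101)}
# FIGURE 5 layout: P1, P2 data-path; P3 control-path (its values are constructed).
FIG5_DATA = {"P1": "int32", "P2": "int32"}
FIG5_CTRL = {"P3": [0, 1]}

if __name__ == "__main__":
    cases = corner_cases(T_DATA, T_CTRL)
    print(len(cases), "corner cases, first:", cases[0])
    for subspace, vec in decomposed_vectors(FIG5_DATA, FIG5_CTRL, 2, 1):
        print(subspace, "->", vec)
```

The number of corner cases is the product of the per-port value counts, so the size of the corner-value table per data type directly sets the cost of the first phase.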
C. THE FUNCTIONAL COVERAGE BASED ON THE STG MODEL
For evaluating functional coverage with respect to functional requirements in the specification, we define a functional coverage based on the STG model. The STG-based functional coverage involves three kinds of coverage: stage coverage (SC), transition coverage (TC) and test-space coverage (TSC). The SC is the percentage of the traversed stages in the STGs. The TC is the percentage of the fired transitions in the STGs. The TSC is the percentage of the covered valid test space for transitions. As explained in 4.2, the valid test spaces of data-sensitive transitions and control-sensitive transitions are different. Thus, the measures of TSC for data-sensitive transitions and control-sensitive transitions are different. For the data-sensitive transition, TSC is the percentage of the coverage in "satisfying" the test space (complete coverage of corner cases and a certain scale of random coverage of the test space). For the control-sensitive transition, TSC is the percentage of the coverage in the entire test space.
The STG-based functional coverage can target the test coverage of each functional point in the specification. It is more objective than the traditional code coverage for reflecting the coverage of the functional requirements in the specification.
D. DISCUSSION
Concurrent execution may exist among multiple function points. The major problems caused by the concurrency of function points are the data and resource conflicts among these function points. Because such conflicts are already considered in the condition functions of our proposed STGs, our method can be extended to test concurrency.
To support testing concurrency, an existing priority-based dynamic scheduling strategy [5] can be integrated into the ATPG method to avoid the data and resource conflicts and determine which STGs are traversed at each simulation cycle. Meanwhile, the dynamic scheduling takes into account both maximizing concurrency and the fairness of each STG.
The priority-based dynamic scheduling strategy executes before our ATPG method. Namely, in each cycle, the priority-based dynamic scheduling strategy first selects which STGs can execute in parallel, and then our ATPG method is used for firing each STG and generating the corresponding input vectors. In this way, the priority-based dynamic scheduling strategy can be integrated into our ATPG method easily.
At each simulation cycle, the priority-based dynamic scheduling strategy determines which STGs can execute in parallel based on their respective priorities. The priority of an STG is determined by two factors: CF and VF. CF is a constant factor, and it is inversely proportional to the number of input parameters involved in the STG, so that CF can ensure the exploration of maximizing concurrency of STGs. VF is a varying factor. VF increases if the STG is not fired at the simulation cycle. The factor VF is used to avoid the starvation of low-priority STGs.
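The interaction of CF and VF can be seen in a small scheduler. This is an added example, not the strategy of [5] or the authors' code: it assumes the priority is the sum CF + VF, that VF grows by a fixed step and resets to zero when the STG is fired, and that two STGs conflict when they share an input parameter.

```python
from dataclasses import dataclass


@dataclass
class STG:
    name: str
    inputs: frozenset   # input parameters involved in this STG
    vf: float = 0.0     # varying factor, grows while the STG is not fired

    @property
    def cf(self):
        # Constant factor: inversely proportional to the number of inputs.
        return 1.0 / len(self.inputs)

    @property
    def priority(self):
        return self.cf + self.vf   # assumed way of combining CF and VF


def schedule_cycle(stgs, vf_step):
    """Select the STGs fired in one simulation cycle and update every VF."""
    selected, busy = [], set()
    for stg in sorted(stgs, key=lambda s: (-s.priority, s.name)):
        if busy.isdisjoint(stg.inputs):   # no shared input, so no conflict
            selected.append(stg.name)
            busy |= stg.inputs
    for stg in stgs:
        stg.vf = 0.0 if stg.name in selected else stg.vf + vf_step
    return selected


def run(stgs, cycles, vf_step=0.25):
    return [schedule_cycle(stgs, vf_step) for _ in range(cycles)]


def sample_stgs():
    # Constructed example: C shares inputs with both A and B.
    return [
        STG("A", frozenset({"p1"})),
        STG("B", frozenset({"p2"})),
        STG("C", frozenset({"p1", "p2", "p3"})),
    ]


if __name__ == "__main__":
    for cycle, fired in enumerate(run(sample_stgs(), 8), start=1):
        print(cycle, fired)
```

With the step set to zero, the wide STG C is never selected, which is the starvation that VF exists to prevent.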
To evaluate the ability of our proposed method for testing concurrency, we choose some control-dominated designs with concurrent executions among function points for experiments. The experiments show that the branching coverage and the FSM coverage increase when the dynamic scheduling strategy is integrated into our ATPG method, because the dynamic scheduling strategy supplements testing of concurrency among function points, enabling more branches and state transitions.
V. IMPLEMENTATION OF THE STG-TEST TOOL
Based on the proposed STG model and the ATPG approach, we develop an STG-based automatic verification tool called STG-Test. STG-Test contains an easy-to-use and specialized GUI that provides a simple graphical template to help the user develop the STG model. Meanwhile, STG-Test connects with an RTL-simulator for simulating the test vector and checking the correctness for the DUV based on the given STG model automatically. The simulation reports and coverage reports are automatically generated after verification finishes. The tool realizes automatic semi-formal verification with little human intervention. For this purpose, the following tasks are implemented in STG-Test: 1) Receiving the STG model based on the given graphical template; 2) Allowing user preset of a corresponding verification configuration; 3) Making a connection between STG-Test and the interface of the DUV; 4) Adopting the proposed ATPG approach to generate test vectors based on the STG model; 5) Checking the behavioral correctness for DUV based on the STG model; 6) Recording the simulation reports and outputting coverage reports. The implementation architecture of our semi-formal approach is shown in FIGURE 6. The entire semi-formal verification system, involving the STG-test system and simulator, is implemented in the C language and SystemVerilog language. The verification flow works as follows:
First, the function points of the DUV in the specification are described as the STG model through the GUI. The received STG model descriptions are parsed and stored in the STG's data register. Moreover, the verification engineer can preset the verification configurations, including properties of all input parameters (data-path or control path), corner values of each data type and "satisfying" random stimuli number for data-sensitive transitions.
After the development of the STG model and the verification configurations, the simulation is launched. The testbench includes the DUV environment, the connector module, and parts of the STG test system. The DUV environment initializes the DUV design, launches communication to STG-Test through the connector module, receives test vectors from STG-Test, and sends the DUV's output signals to STG-Test. The connector module employs the SystemVerilog Direct Programming Interface (DPI) to enable communication between the STG test system and simulator. The parts of the STG test system contain the STGs data register, the ATPG engine, and the test trace recorder. The STGs data register connects with the connector, receives the DUV's interface signals, checks compliance of the DUV's behaviors with the current stage of the STG, and invokes the ATPG engine to generate the test vectors. The ATPG engine employs the proposed STG-based ATPG approach to generate test vectors and sends them to the DUV via the connector. The test trace recorder records the traversal information, which includes the traversed path track and corresponding input vectors. The traversal information can be used for the backjumping process in ATPG and the regression test.
Finally, the simulation report, value change dump (VCD) files, and coverage report are generated after the verification finishes. The simulation report records the history of simulated test vectors. The VCD File records waveforms for the self-checking test. The coverage report records the code coverage and the STG-based functional coverage.
VI. CASE STUDIES
Three forms of experimental analysis have been performed to show the exhaustiveness and effectiveness of the proposed STG-based semi-formal approach. First, the STG-based semi-formal approach has been used in various benchmarks and in-house designs to compare with the implementation-based semi-formal approach; the experiment shows that our proposed specification-based semi-formal approach achieves similar coverage compared to the existing implementation-based semi-formal approaches. Second, it has been experimentally confirmed that the ATPG method with the modified backjumping algorithm allows for more exhaustive coverage of variable-dependent transitions than the ATPG method without the backjumping algorithm or with the backjumping algorithm in [5]. Third, it has been experimentally confirmed that, compared with the ATPG method without the proposed test-space coverage strategy, the ATPG method with the test-space coverage strategy allows for more exhaustive and effective exploration of the DUV functionality and state space.
The characteristics of the benchmarks are described in TABLE 1. Columns report the number of primary inputs (PIs), primary outputs (POs), flip-flops (FFs) and gates (Gates). Such benchmarks are selected because they have different characteristics and allow us to demonstrate the scalability and efficiency of the proposed STG-based semi-formal approach. b04, b06, b07, b10, and b11 are selected from the ITC-99 benchmark suite [25] since they contain a high number of nested conditions on signals and registers of different sizes. in1 and in2 are the internal benchmarks and contain some variable-dependent transitions, especially multiple-variable-dependent transitions. These transitions are very hard to fire via the random ATPG method. FPU is a floating-point unit that is an open-source IP selected from OpenCores [26]. MAC, DMA, and XMC, which are in-house industrial cases, are selected for the experiments. MAC is an integer multiply-add unit, DMA is a data management access, and XMC is a controller between L2 cache and memory. We have described the functional points of each DUV via the STG model from their own specification. Because b04, b07, b10, and b11 have no specification from ITC-99 benchmarks, we write respective specifications for them based on the functional descriptions in [25] and the understanding from the RTL descriptions. Characteristics of the STG model are also presented in TABLE 1 for each DUV. Columns report the number of STGs (STGs) and transitions (Trans). Compared with the implementation-based methods, the STG model abstracts away the underlying inner behaviors and middle registers in the design, simplifies descriptions of functional behaviors from the cycle-by-cycle manner to the multicycle manner, and avoids the description of the entire state space.
First, the efficiency of the proposed STG-based semi-formal approach has been evaluated against some implementation-based semi-formal methods [5], [13]. The implementation-based semi-formal method in [5] (EFSM-based semi-formal method [5]) models the implementation of the DUV as a set of EFSMs and proposes a functional deterministic ATPG approach on such EFSMs to generate input sequences. The implementation-based semi-formal method in [13] (CFG-based semi-formal method [13]) models the implementation of the DUV as a set of Control Flow Graphs (CFGs) and generates input sequences based on the execution paths in CFGs.
TABLE 2 reports the comparison among our STG-based semi-formal method, the EFSM-based semi-formal method [5] and the CFG-based semi-formal method [13] with respect to code coverage, including the branching coverage (BC%) and the transition coverage in FSM coverage (TF%). For each DUV, the numbers of input vectors by using our ATPG method, the EFSM-based semi-formal method [5], and the CFG-based semi-formal method [13] are the same. We can see that our semi-formal method achieves similar FSM coverage as the EFSM-based semi-formal method [5] and similar branching coverage as the CFG-based semi-formal method [13]. It can be proved that, compared with the implementation-based semi-formal method, our proposed STG-based semi-formal method can ensure the verification efficiency despite the lack of implementation details from the specifications. Moreover, compared with the implementation-based semi-formal method, our STG-based method is a specification-based semi-formal method, which has natural advantages of scalability and practicality for industrial designs. Thus, our STG-based semi-formal method can support a feasible solution for functional verification in the industrial process.
Next, the efficiency of our modified backjumping algorithm has been further evaluated by comparing our STG-based ATPG method with the ATPG method without the backjumping algorithm (NoB-ATPG) and the ATPG method with the backjumping algorithm proposed in [5] (WOB-ATPG). The NoB-ATPG method only uses the random walk algorithm to traverse the transitions. TABLE 3 reports the comparison among our ATPG method, the NoB-ATPG method, and the WOB-ATPG method with respect to stage coverage (SC%) and transition coverage (TC%) of the STG model. We can see that our ATPG method outperforms both the NoB-ATPG method and the WOB-ATPG method. The low stage coverage and transition coverage achieved by the NoB-ATPG method for some DUVs are due to the existence of variable-dependent transitions, whose condition functions may have an infinitesimal probability of being fired by the random walk process. Such a problem is partially solved by the WOB-ATPG method, which can deterministically fire single-variable-dependent transitions. However, the WOB-ATPG method has little ability to fire the multiple-variable-dependent transitions. Our ATPG method with the modified backjumping method solves this problem so that our ATPG method can achieve 100% coverage for most DUVs.
Finally, the efficiency of the proposed test-space coverage strategy has been further evaluated by comparing our ATPG method with the ATPG method without the test-space coverage strategy (NoT-ATPG method). The NoT-ATPG method only uses the CRV to generate the test vectors. TABLE 4 reports the comparison between our ATPG method and the NoT-ATPG method with respect to the code coverage and test-space coverage (TSC%). In particular, the code coverage contains the branching coverage (BC%) and the FSM coverage (TF%). For each DUV, the numbers of input vectors by using our ATPG method and the NoT-ATPG method are the same. It can be observed that our ATPG method outperforms the NoT-ATPG method, especially for the data-dominated DUVs. The reason can be explained as follows: the NoT-ATPG method generates pseudorandom test vectors by CRV. The redundancy and uncertainty existing in random test vectors lead to inefficient and incomplete coverage for the test space. Because the test space is normally very large for data-dominated DUVs, this problem is more obvious. Thus, our ATPG method with the test-space coverage strategy outperforms the NoT-ATPG method, especially for the data-dominated DUVs.
To demonstrate the suitability and scalability of our proposed method, we have compared our semi-formal method with an advanced bounded model checking based tool named EBMC [14], [27]. We choose an AES cipher from OpenCores as the benchmark and use EBMC and our semi-formal approach respectively. TABLE 5 reports the comparison between our STG-based semi-formal method and the EBMC method with respect to the execution time (Time) and the memory consumption (Mem). To show the scalability, we increase the AES encryption rounds gradually. These DUVs are named cb_aes_x, in which the x represents the number of rounds. The circuit complexity and the difficulty of exhaustively verifying the functionality of these DUVs increase as the number of rounds increases. For EBMC, it can be observed that the memory consumption increases exponentially with the circuit complexity. After the number of rounds exceeds 20, the memory consumption exceeds the available memory and it fails to produce results. On the contrary, it can be observed that our STG-based semi-formal method shows a linear increase in memory requirement. Meanwhile, the execution time for each DUV indicates our approach is faster than EBMC. Thus, the experiment shows that our proposed semi-formal method scales better than the EBMC.
VII. CONCLUSION
In this paper, we have proposed a specification-based semi-formal method. The proposed method contains the proposed stage transition graph (STG) model to describe the functional behaviors in an accurate-timing manner from the specification and a functional ATPG method to ensure efficient and satisfying exploration of functionality for both the control-dominated design and the data-dominated design. Moreover, based on the proposed STG-based semi-formal method, we develop an automatic verification tool to support the practical design process. The experimental results show that our specification-based method scales well for industrial designs, and it achieves similar code coverage compared to that of existing implementation-based semi-formal methods.
