Abstract-We propose to use relevant potential invariants in a simulation-based swarm-intelligence test generation technique to generate efficient test vectors for design validation at the Register Transfer Level. These potential invariants are obtained using random stimuli such that they are true under these stimuli. Since these potential invariants are only likely to be true, we try to generate stimuli that can falsify them. Any such vector would help reach some corners of the design. However, the space of potential invariants can be extremely large. To reduce execution time, we implement a two-layer filter to remove the irrelevant potential invariants that may not contribute in reaching difficult states. With the filter, the vectors generated thus help to reduce the overall test length while still reach the same coverage as considering all unfiltered potential invariants. Experimental results show that with only the filtered potential invariants, we were able to reach equal or better branch coverage in the ITC99 benchmarks, with considerable reduction in vector lengths, at reduced execution time.
I. INTRODUCTION
Investment of significant resources and time in hardware design validation at the Register Transfer Level (RTL) are of utmost importance, both to avoid the high costs associated with design errors detected at later stages of development as well as to meet time-to-market window. One standard metric of validation is coverage that maintains the number of lines/branches/etc. of the RTL code executed. A common practice involves simulation with only random vectors, which rarely achieve a reasonable level of coverage and are inclined to exercise the same execution paths repeatedly. It is ideal to combine random vectors with directed testing to get a better coverage than random test vectors. However, directed testing requires many manual hours of test generation. Moreover, even a large number of vectors may not be enough to ensure confidence in a design, as only specific sequences of test vectors may cover the hard-to-reach areas of the design. Thus, it is crucial to devise algorithms to automate the process for the same or better coverage.
Of late, several algorithms have been proposed that target branch coverage at the RTL as a crucial test metric, as 100% branch coverage ensures that every control state described in the RTL has been visited. In our approach, as a baseline test generator, we use BEACON [1] , or Branchoriented Evolutionary Ant Colony OptimizatioN, which is a scalable, simulation-based swarm intelligence technique that uses behavioral simulation of the Hardware Description Language (HDL) design and a self-refining Evolutionary Ant supported in part by NSF Grant 1422054 Colony Optimization (ACO) to generate the vectors. While BEACON gives good results, a number of hard-to reach corner cases of the design are either missed or require a large set of test vectors to achieve the same goals. Empirically, hard corner cases in a design constitute to less than 20% of the total verification, but could require more amount of time and resources than the other 80% broad spectrumgeneric verification. Thus, if the hard-to-reach cases are set as priority of the verification process and covered with minimal time and resources, then the same resources may cover the remaining majority targets as a byproduct without extra efforts. Thus, we propose the use of relevant potential invariants in the RTL circuits to generate improved and shorter vector sequences without additional computational cost to achieve the same or better branch coverage for a set of standard ITC99 benchmarks.
Program invariants, as known, are logical assertions that are true during a complete or certain phase of execution that prove to be beneficial in all aspects of programming especially testing, optimization, and maintenance [4] . Static analysis for invariant identification suffers from basic limitations such as high computational time and cost of modeling program states. For our methodology, we generate a basic list of potential invariants dynamically using the Daikon tool [5] that runs the program for a given set of stimuli, examines the executions and reports properties that hold true for the input stimuli over those executions in a fraction of the time. The derivation of these potential invariants indicate that these relations hold only for the provided stimuli, as there might exist stimuli that can prove them false. Hence, we try to generate additional stimuli in an attempt to violate these derived potential invariants. The addition of these potential invariants as priority conditional statements in the algorithm helps to find test vectors that falsify many potential invariants missed by the original BEACON. This alteration also covers corner case states in the ITC99 benchmarks, with considerable reduction in vector lengths to achieve the same or better branch coverage. However, the space of potential invariants can be very large and some could be irrelevant to the task of reaching hard-to-reach corners of the design. That implies, Daikon may identify a very large set of potential invariants, many of which may contribute little to our goal of achieving high branch coverage. Therefore, in our work, we propose a two-layer filter to remove all the irrelevant invariants that only consume more computational time and extra test vectors for their falsification, but do not actually contribute in reaching any new or corner case branch. The first layer of filter centers on gathered results and observations. Invariants pertaining to certain variables and types do not contribute to covering any new branches and only add to computational time are filtered out. In the second layer, we simulate BEACON very quickly for just 1 cycle (typically just over a span of few microseconds), with a few input vector sequences to detect the easy branches in the circuits. All the invariants affiliated to the variables of the already covered branches prove to be trivial. Thus, those invariants are also filtered out. By targeting these potential invariants first during test generation, the search inadvertently prioritizes the original branches in a way that reduces test length and computational cost. Our results show that this filter presents much better results in terms of both lengths of vector sequences and runtime, with respect to the original BEACON, several other test generation algorithms and unfiltered list of potential invariants.
In the rest of the paper, we first present the tools and techniques used in the preprocessing of the RTL designs and the generation of potential invariants, that are subsequently used as conditional statements in modifying BEACON algorithm as per our approach. Furthermore, we will discuss our methodology and theory to filter the potential invariants to incorporate only relevant invariants as target conditions. In the end, we present results with conclusions.
II. BACKGROUND, INSTRUMENTATION AND PREREQUISITES

A. Previous Related Work
Several known algorithms like HYBRO [2] and [13] function on restraining the classical symbolic evaluation to analyze the real executable paths extracted during dynamic simulation using random vectors.
HYBRO [2] is a hybrid algorithm that uses static and dynamic program analysis techniques for test generation of Register Transfer Level (RTL) design source code. The algorithm uses concrete simulations for a fixed number of cycles and for every simulation, concrete traces are extracted from the design Control Flow Graph (CFG). The instrumented RTL code for the methodology maintains branch coverage counters per simulation cycle and any change in these counters qualifies as the execution path in the CFG. Starting from a fixed state and random input vectors, the extracted concrete traces are evaluated to identify covered branches (or guards) along the respective traces. The conditions and constraints for covered branches are inverted and then fed as constraints through a Satisfiability Modulo Theory (SMT) solver, to generate new test vectors that explore the untraversed branches of the design. This approach proves to be inefficient because of its high computational cost of the SMT solver calls, especially for bigger circuits that require large vector sets of particular sequences to reach some branches. Moreover, HYBRO poorly relies on random stimuli to reach system states and does not support HDL array elements or memories, which makes it an unfit approach for practical designs.
[13] is quite similar to the HYBRO algorithm, with certain improvements. The algorithm uses dynamic analysis for concrete simulation and symbolic execution. The instrumented RTL, simulated with random stimuli, generates a trace file that has the syntactic objects printed after every simulation. A constraint solver, used to identify all the covered control statements symbolically, analyzes this output trace file. The unstimulated variables in all the covered control statements are substituted with their concrete equivalent. Since this algorithm uses dynamic program analysis, it can support symbolic evaluation of memory arrays by treating them as individual index-annotated scalar variables. However, like HYBRO, the process produces test vectors by simulating the design for a fixed number of cycles from a specific starting state and is limited to the exploration of system states reachable within the fixed number of simulation cycles.
In comparison to HYBRO and [13] , BEACON explores the circuit over a greater number of cycles and avoids the computational cost of SMT solver calls and still achieves a high level of coverage, but with a trade-off in form of comparatively larger set of test vectors. Thus, to improve and refine the vector set and avoid overhead computational time, we modify the original BEACON algorithm by guiding the algorithm with addition of invariants.
B. RTL Translation and Instrumentation
For fast simulation, a synthesizable high level description is cross compiled to a cycle-accurate behavioral model in a C++ base wrapper, using Verilator [3] and this design is altered further during compile time. Example of Verilog snippet and its Verilator translated C++ RTL is shown in Fig The translated behavioral model contains object oriented classes and functions. Foremost, the Vtop function, which is structurally same as the top module in the Verilog HDL, contains all signals of the design declared as public data members. Moreover, the behavioral characteristic entirely is modeled into a public member function called eval. Since this is a cycle-accurate behavioral model, stimuli can be provided by setting all primary-inputs, followed by two calls to eval with alternating values of clock input variable, one cycle to set the stimuli and the next to execute one complete cycle of the design. Additionally, added instrumentation for each branch during C++ compilation allows a one-to-one mapping (VCoverage) between branches in the compiled code and the original HDL. This VCoverage is a public C++ integer array in Vtop, maintaining the number of times each mapped branch is covered or hit.
C. Dynamic Analysis for Generation of Potential Invariants
To generate a list of unfiltered, generic potential invariants from program executions dynamically, we use the Daikon [5] tool. It interacts with the Vtop function of the Verilator translated C++ model to access all the public variables of the HDL design, and report all the likely invariants for given test suites. The competency of the tool to report precise invariants is directly proportional to size of the test suites. Larger set of test cases can check and report more relations and properties with higher degree of correctness. There exist several techniques [9] [10] [11] to avoid exhaustive checks and yet produce good test suites for resultant invariants but these procedures demand high computational time and cost for building these test suites. Thus, we provide a relatively large sized, random stimuli to Daikon to generate a long list of invariants without any compromise in computational time.
Since this execution provides stimuli to the circuit based on a random seed, not all invariants detected by the tool maybe true invariants. Hence, the reported invariants are termed as likely or potential invariants. All the non redundant invariants reported can be inserted in the original BEACON algorithm as conditional statements to guide the algorithm for generation of test sequences. Each of these properties are stowed and monitored in an array of integers.
III. METHODOLOGY
This section first describes the basic modification made to the original BEACON algorithm by injecting Daikon generated potential invariants, to provide a better guidance path for BEACON. Further on in the approach, applied potential invariants lists are refined to filter out all the inconsequential invariants and to thus, produce better test vector sequences for the designs and reduce the computational time.
A. Modified BEACON Algorithm
The original BEACON directly interacts with all the signals and the branch points in the design, translated and instrumented using Verilator and based on the same principle as ACO algorithm [6] [7] , with minor alteration. Traditionally, ACO algorithm favors the trail with more pheromone deposits or branches that are easier to traverse. However, the fitness function used in BEACON is a process opposite to the traditional ACO. High pheromone deposits in BEACON model make the trace less desirable, that is, it filters out highly visited branches from the search and focuses the search on rarely occurring branches and paths.
With modification in the BEACON algorithm, the initial focus of the approach is not the original branches of the design, but the potential invariants passed to BEACON as conditional statements. Thus, the procedure computes the fitness function based on these branches and puts higher weights on coverage of the invariants than the original branches. Since the invariants introduced may or may not be true, these conditions can serve as good checks for corner cases. The number of false invariants among this set are a good guidance to measure the diversity of input stimuli; that is, whenever a vector sequence is able to report a false invariant, that invariant array element is considered traversed.
For example, if a < b is a potential invariant reported, meaning that with random stimuli, the value of a is always less than the value of b, then if BEACON is able to generate a vector-sequence that violates this condition, we have then traversed a space that was initially difficult to reach by the random vectors. The pheromone deposits maintained in pheromone maps are updated twice: once for only invariants, and one for both invariants and the original branches. To compare the original and modified BEACON, we have used Verilator translated C++ code for benchmark b12 as this control-exhaustive circuit has a number of hard-to-cover branches. For simple illustration purpose, we skip signal declarations and use only a section of the design where the state variable gamma, for the finite state machine (FSM) changes. The instrumented C++ code contains the VCoverage array to update the traversed branch points of the design. As per experiments, we note that branches VCoverage [1] and VCoverage [6] are hard-to-traverse corner cases and thus, Fig. 3(a) are set to 0. Once this is traversed, the path acts as a guidepost to stay in state G10, decrement the variable count to 0 in multiple cycles and thus cover the branch VCoverage [1] . Fig. 3(b) depicts the implication invariants type generated by Daikon, specific to the mentioned section of b12, based on random stimuli. It shows that the tool found, that branches VCoverage [1] and VCoverage [6] cannot be traversed for random inputs. For modified BEACON with injection of these invariants as new conditional branches as shown in Fig. 3(c) , the invariants array elements increment only if we can find inputs that falsify the properties stated in Fig.  3(b) . As per the altered algorithm of fitness function, all the invariants array elements will have higher weight than the original branches. Here, both Invariants[0] and Invariants [1] are on hard to reach path and thus will have very little accumulated pheromone, resulting in directing BEACON to cover these paths on priority. From the previous state of gamma, count was set to a value 32. As soon as BEACON covers Invariants[0], the value of count decrements as per line 9 in Fig. 3(a) . We pass the same vector sequence to the circuit, until the value of count does not become 0. That helps BEACON to cover Invariants [1] . Experiments have shown that BEACON takes only a few iterations to cover Invariants[0] and following the same path, it eventually covers Invariants [1] too. The results provide a set of vector sequences to prove that the reported invariants are false. At the same time, we could cover the hard-to-cover branches VCoverage [1] and VCoverage [6] in fewer iterations.
The modified BEACON evaluates the entire hardware design twice, once to target only the invariants introduced as conditional statements, and then again to focus on both invariants and the original branches of the circuit. For any potential invariant to be counted as traversed, the algorithm directs to generate vector sequences that prove the candidate false. In that process, BEACON mostly covers a large space of the circuit that was earlier hard to cover by the random test vectors, along with broad-spectrum branches as a byproduct. As a result, all the original branches are covered with lower vector sequences, in fewer iterations, as shown in column No filter in Table II . While the modification proves to improve BEACON in terms of branch coverage, vector sequences and relative computational time, the number of potential invariants injected in circuits would only increase exponentially with the size of the design. Thus, even if the candidate invariants prove to be a useful barometer to generate better vectors, the computational time to target these new conditional statements would be much more for bigger designs. Hence, it is of vital importance to get rid of all the invariants that do not have any significant contribution in branch coverage.
B. Invariants Types Reported and Used
The invariants reported by Daikon depend on the grammar of invariants that are expressible by the invariant detector, the variables over which the invariants are checked, and the program points at which the invariants are checked [8] . The ability of these factors to report precise invariants is directly proportional to size of the test suites. Larger set of test cases can check and report more relations and properties with higher degree of correctness.
The stochastic ant colony search for BEACON uses the following parameters: the ant colony population K; the maximum number of iterations or rounds R; and vector sequences of arbitrary cycles Nc. With given constraints, an appropriate stimuli for Daikon to generate invariants lists within a fraction of a second is estimated to be K * Nc 20%, which roughly varies between 200,000 to 300,000 vectors.
Daikon is capable of checking and generating 75 different invariants types and allows users to easily extend and find more types. A few noteworthy and common invariants types reported are:
• Redundant invariants: Random stimuli results in many invariants that are redundant and do not need to be checked. For instance, clock = clock or for any given design, if variable a ≤ array.length -1 then, a < array.length is obvious and thus, a redundant invariant.
Since we use the translated and instrumented HDL design with the C++ wrapper as an input to Daikon, we get a large chunk of redundant invariants. Computing and checking for these redundant invariants only wastes resources and slows down the process. Therefore, we simply filter out such invariants at the initial stage itself, without even parsing these as branches for the modified BEACON. The next few invariant types contribute as a good fit to test and find corner case states.
• Equal variables: For all variables that are equal, any invariant that is true for one of the variables will also be true for all the other variables as well. For example, if a = b, then for any invariant f, f(a) => f(b).
• Dynamically constant variables: A dynamically constant variable has the same value at each observed sample. This type usually includes constants and equations. For example, x = 150 implies x is even and x ≥ 150. Similarly for equations, x = 8 and y = 15 imply both x < y and x = y -7.
• Conditional invariants and implications: These are the most important types of invariants so far. Variable relations used to define another invariant. The example explained in Fig. 3(b) uses an implication invariant. A few others are range definitions and sets like, x ∈ (0,5) or x ∈ {0, 1, 5}; comparisons like clock ≤ setbit. We next discuss the filter layers to remove all immaterial invariants from the lists before adding to BEACON algorithm.
C. Filter Layer I
Based on the results with no filter on standard ITC99 benchmark circuits, we found that potential invariants affiliated to certain common variables and types do not play any role in enhancing branch coverage, but only add to computational time for the algorithm in order to search vector sequences that falsify these. Thus, in our filter layer I we get rid of these invariants such that modified BEACON only has to focus on the remaining filtered list.
• Invariants affiliated to certain variables: These variables are standard for all circuits. All invariants associated to variables clock and reset prove to be inconsequential, even if for certain cases they prove to be false invariants. They do not define any properties that can contribute to any corner case or any new branch coverage.
• Invariants affiliated to certain types: Based on previous results and observations, it is noted that no matter how small or large the input stimuli to Daikon may be, the invariants type defining range of variables, like x ∈ (0, 5), are reported truly. Thus, it only consumes more time for the test generator to verify that these type of branches are in fact true for the tested circuits. Thus, all these invariants types are removed from the set of potential invariants. Even though, the space of potential invariants reduces by a small ratio (as shown in Table I ), there is a significant improvement in test vector sequence generated, with improved computational time, as depicted in Table II . BEACON no longer needs to generate buffer vectors with extra time to check these unimportant branches in the invariants list.
D. Filter Layer II
Filter layer I is based on previous records and observations. However, it is difficult to find a broad, generic classification of invariants that may prove to be insignificant in the guidance search, especially for larger circuits with as many as thousands of variables. The invariant lists and types would only increase exponentially, and finding such a classification would only negate our original aim of minimizing the computational time for optimized vector set.
Thus, in our filter layer II, we move a step back and use the original BEACON algorithm on the circuit under validation. We set the initial parameters of BEACON to bare minimum to complete the execution within microseconds: the ant colony population K = 1; the maximum number of iterations or rounds R = 1; and vector sequences of arbitrary cycles 100 ≤ Nc ≤ 2000, depending on the size of the circuit and number of variables. With such settings, BEACON does not fully use ACO to guide the ant colony to complete the search and cover all branches possible. However, it quickly reports all the branches that can be easily fetched within 1 round and set of random vectors. Using this as base, we start to filter out all the invariants containing variables included in these easily covered branches. The number of invariants injected in BEACON reduce by a significant portion, as compared to the original list of non-redundant invariants without any filters, as depicted in Table I . Interestingly, quite a few invariants filtered out in this layer were actually verified as false invariants by the modified BEACON. However, those only generate extra vector-sequences to falsify them and cover no new hard corner branches. Thus, in filter layer II, we remove all the invariants with variables associated to the branches that traversed without any ACO applied.
It is of utmost importance to note that neither of the two filters are applicable to any conditional or implication invariants. The example in Fig. 4 depicts an extension of Fig.  3(b) . The relational invariant gamma < 26 was present in the initial invariant list. Since gamma is the state variable for the FSM, a number of states covered in a single round, with only 2000 random vector sequences and hence, we removed this relational invariant after filter layer II. However, the next two invariants are implication invariants that define the conditions for variables count and k, that were not associated to any branch covered in the initial stage. Thus, we save these invariants in the final invariants list. The same is true if clock, reset or range defining invariants are part of a conditional or implication invariant. The quality and fitness of resultant potential invariants generated by Daikon depends on the size of test suites, and thus, the size of random stimuli to Daikon is set as big as the input parameters of original BEACON: the ant colony population K = 100; the maximum number of iterations or rounds R = 15; vector sequences of arbitrary cycles Nc ≥ 3000. The size of input stimuli to Daikon for the same ITC99 circuits is in the range from 200,000 to 300,000 vectors. It is worth noting that even with such large input sets, Daikon generated list of invariants in fractions of a second. We use ITC99 [12] benchmarks to conduct our experiments, as many of these benchmarks are representatives of general sequential logic and contain hard-to-reach states (control states). With addition of the two layer filters, a significant number of invariants removed, saving a lot of time in computing the overall branch coverage using modified BEACON. Table I depicts the number of raw invariants generated by Daikon and the number of non-redundant invariants injected in BEACON without any filters and F1 and F2 as the two filter layers. It shows that layer I helps shed out only a few generic, observed types of invariants while layer II reduces the overall invariants list size by 50-70%. It is noticeable that with larger set of non redundant invariants, more filter layers may be explored and added to further enhance the scalability of the proposed approach.
Furthermore, we analyze and compare the results of our approach with the different stages of modifications made in BEACON algorithm, as shown in Table II . Our results include various parameters: branch coverage, vector lengths, runtime to complete the execution. Based on earlier reported experiments, the original BEACON can already reach very high branch coverages for most ITC99 benchmarks. With our approach, the branch coverage is at least as high as the original BEACON or in a few cases, higher coverage is achieved, such as in b10, b11, and b13. In addition, compared to the original algorithm and modified BEACON with unfiltered invariants, we achieve shorter test vector lengths with reductions in execution time. Table II shows that our algorithm improves the length of vector sequences by extensive factors. For smaller designs like b06, the final vector count of 22 is approximately 79× shorter than the original BEACON vectors of 1731, since the addition of the invariants guide BEACON to prioritize the search towards them first. Consequently, these initial high-quality vectors often cover the original branches as a side product. In order to reach the remaining branches, only a small number of vectors are needed in a few iterations. For the bigger circuits like b12 and b13, our approach trims most of the redundant vectors added to cover the hard corner states. For example, for circuit b07, the original algorithm executes for multiple cycles and approximately 65% branches are covered in initial 2-3 cycles. In addition, after every iteration, more vectors are added to the final list of vector sequences. With the two layer filter, the algorithm only focuses on the invariants and reaches as high as 80-85% in the first iteration itself. Thus, the number of cycles required to cover all the reachable branches also reduce. This is true for most circuits tested for our final modification to the original algorithm.
Even though there are Overheads: (1) another tool used (Daikon), (2) additional logics and checks are added in the BEACON algorithm (invariants array), (3) the original BEACON is run for 1 cycle for filter layer II, the overall runtime of our algorithm is faster than the original BEACON. This is because only the invariants associated to hard corners are included, given higher priority and covered first without running multiple iterations with irrelevant vectors. Due to this modification, our approach can initialize the algorithm with reduced set up resources: K = 20; R = 5; Nc ≤ 3000.
The speedup is as much as 37× (for b10) and 34× (for b11).
We also compare the results of our two layer filter against HYBRO [2] and [13] in Table III . A quick glance at the results show that our work demonstrates significantly shorter test generation time and achieves a higher RTL branch coverage. For example, in design b10 our algorithm achieves a high branch coverage score (96.88%) on par with HYBRO and [13] in only 0.312s. Although HYBRO and [13] base their test generation effort on hybrid concrete and symbolic simulation, our work is more than at least 79× faster for b10. For b11, our approach manages to cover all reachable branches, no less than 766× faster than previous methods. We have reported results in Table III only for the circuits reported for HYBRO and [13] , except b14 circuit that we have not tested for our algorithm. The available b14 circuit code involved several VHDL operators, which are not completely compatible with the original Verilator tool that we have used and conversion of the code to complete Verilog was not accurate. 
V. CONCLUSIONS
In this paper, we propose a modification to the existing BEACON algorithm to achieve equal or higher branch coverage along with considerable reduction in vector lengths and computational cost. To do so, we inject only relevant potential invariants of the design in the existing algorithm and direct BEACON such that it addresses the added invariant conditions as priority cases and cover those paths first. This helps to cover many of the hard-to-traverse states. The list of meaningful invariants fetched by using a two-layer filter produces even better results. Experiments conducted on several ITC99 benchmarks have shown considerable improvement in performance for our methodology including equal or higher coverages, shorter test lengths, and reduced execution times.
