Complete Test Sets And Their Approximations by Goldberg, Eugene
Complete Test Sets And Their Approximations
Eugene Goldberg
eu.goldberg@gmail.com
Abstract—We use testing to check if a combinational circuit
N always evaluates to 0 (written as N ≡ 0). We call a set of
tests proving N ≡ 0 a complete test set (CTS). The conventional
point of view is that to prove N ≡ 0 one has to generate a trivial
CTS. It consists of all 2|X| input assignments where X is the
set of input variables of N . We use the notion of a Stable Set
of Assignments (SSA) to show that one can build a non-trivial
CTS consisting of less than 2|X| tests. Given an unsatisfiable
CNF formula H(W ), an SSA of H is a set of assignments to W
that proves unsatisfiability of H . A trivial SSA is the set of all
2|W | assignments to W . Importantly, real-life formulas can have
non-trivial SSAs that are much smaller than 2|W |. In general,
construction of even non-trivial CTSs is inefficient. We describe a
much more efficient approach where tests are extracted from an
SSA built for a “projection” of N on a subset of variables of N .
These tests can be viewed as an approximation of a CTS for N .
We give experimental results and describe potential applications
of this approach.
I. INTRODUCTION
Testing is an important part of verification flows. For that
reason, any progress in understanding testing and improving
its quality is of great importance. In this paper, we consider
the following problem. Given a single-output combinational
circuit N , find a set of input assignments (tests) proving that
N evaluates to 0 for every test (written as N ≡ 0) or find
a counterexample. We will call a set of input assignments
proving N ≡ 0 a complete test set (CTS)1. We will call the
set of all possible tests a trivial CTS. Typically, one assumes
that proving N ≡ 0 involves derivation of the trivial CTS,
which is infeasible in practice. Thus, testing is used only for
finding an input assignment refuting N ≡ 0. We present an
approach for building a non-trivial CTS consisting only of a
subset of all possible tests. In general, finding even a non-
trivial CTS for a large circuit is impractical. We describe a
much more efficient approach where an approximation of a
CTS is generated.
The circuit N above usually describes a property ξ of a
multi-output combinational circuit M , the latter being the real
object of testing. For instance, ξ may state that M never
produces some output assignments. To differentiate CTSs and
their approximations from conventional test sets verifying M
“as a whole”, we will refer to the former as property-checking
test sets. Let Ξ := {ξ1, . . . , ξk} be the set of properties of M
formulated by a designer. Assume that every property of Ξ
holds and Ti is a test set generated to check property ξi ∈ Ξ.
There are at least two reasons why applying Ti to M makes
sense. First, if Ξ is incomplete2, a test of Ti can expose a bug,
1Term CTS is sometimes used to say that a test set invokes every event
specified by a coverage metric. Our application of this term is quite different.
2That is M can be incorrect even if all properties of Ξ hold.
if any, breaking a property of M that is not in Ξ. Second, if
property ξi is defined incorrectly, a test of Ti may expose a
bug breaking the correct version of ξi. On the other hand, if M
produces proper output assignments for all tests of T1∪· · ·∪Tk,
one gets extra guarantee that M is correct. In Section VI,
we list some other applications of property-checking test sets
such as verification of design changes, hitting corner cases and
testing sequential circuits.
Let N(X,Y, z) be a single-output combinational circuit
where X and Y specify the sets of input and internal variables
of N respectively and z specifies the output variable of N . Let
FN (X,Y, z) be a formula defining the functionality of N (see
Section III). We will denote the set of variables of circuit N
(respectively formula H) as Vars(N) (respectively Vars(H)).
Every assignment3 to Vars(FN ) satisfying FN corresponds to
a consistent assignment4 to Vars(N) and vice versa. Then the
problem of proving N ≡ 0 reduces to showing that formula
FN ∧ z is unsatisfiable. From now on, we assume that all
formulas mentioned in this paper are propositional. Besides,
we will assume that every formula is represented in CNF i.e.
as a conjunction of disjunctions of literals.
Our approach is based on the notion of a Stable Set of
Assignments (SSA) introduced in [9]. Given formula H(W ),
an SSA of H is a set P of assignments to variables of W
that have two properties. First, every assignment of P falsifies
H . Second, P is a transitive closure of some neighborhood
relation between assignments (see Section II). The fact that H
has an SSA means that the former is unsatisfiable. Otherwise,
an assignment satisfying H is generated when building its
SSA. If H is unsatisfiable, the set of all 2|W | assignments is
always an SSA of H . We will refer to it as trivial. Importantly,
a real-life formula H can have a lot of SSAs whose size is
much less than 2|W |. We will refer to them as non-trivial. As
we show in Section II, the fact that P is an SSA of H is a
structural property of the latter. That is this property cannot
be expressed in terms of the truth table of H (as opposed to a
semantic property of H). For that reason, if P is an SSA for
H , it may not be an SSA for some other formula H ′ that is
logically equivalent to H . In other words, a structural property
is formula-specific.
We show that a CTS for N can be easily extracted from
an SSA of formula FN ∧ z. This makes a non-trivial CTS
3By an assignment to a set of variables V , we mean a full assignment
where every variable of V is assigned a value.
4An assignment to a gate G of N is called consistent if the value assigned to
the output variable of G is implied by values assigned to its input variables.
An assignment to variables of N is called consistent if it is consistent for
every gate of N .
ar
X
iv
:1
80
8.
05
75
0v
1 
 [c
s.L
O]
  1
6 A
ug
 20
18
a structural property of circuit N that cannot be expressed in
terms of its truth table. Building an SSA for a large formula is
inefficient. So, we present a procedure constructing a simpler
formula H(V ) implied by FN∧z (where V ⊆ Vars(FN ∧ z))
and building an SSA of H . The existence of such an SSA
means that H (and hence FN ∧ z) is unsatisfiable. So, N ≡ 0
holds. A test set extracted from an SSA of H can be viewed as
a way to verify a “projection” of N on variables of V . On the
other hand, one can consider this set as an approximation of a
CTS for N . We will refer to the procedure above as SemStr
(“Semantics and Structure”). SemStr combines semantic and
structural derivations, hence the name. The semantic part
of SemStr is5 to derive H . Its structural part consists of
constructing an SSA of H thus proving that H is unsatisfiable.
The contribution of this paper is fourfold. First, we intro-
duce the notion of non-trivial CTSs (Section III). Second,
we present a method for efficient construction of property-
checking tests that are approximations of CTSs (Sections IV
and V). Third, we describe applications of such tests (Sec-
tion VI). Fourth, we give experimental results showing the
effectiveness of property-checking tests (Section VII).
II. STABLE SET OF ASSIGNMENTS
A. Definitions
We will refer to a disjunction of literals as a clause. Let
~p be an assignment to a set of variables V . Let ~p falsify
a clause C. Denote by Nbhd(~p, C) the set of assignments
to V satisfying C that are at Hamming distance 1 from ~p.
(Here Nbhd stands for “Neighborhood”). Thus, the number of
assignments in Nbhd(~p, C) is equal to that of literals in C. Let
~q be another assignment to V (that may be equal to ~p). Denote
by Nbhd(~q, ~p, C) the subset of Nbhd(~p, C) consisting only
of assignments that are farther away from ~q than ~p (in terms
of the Hamming distance).
Example 1: Let V = {v1, v2, v3, v4} and ~p=0110. We
assume that the values are listed in ~p in the order the cor-
responding variables are numbered i.e. v1 = 0, v2 = 1, v3 =
1, v4 = 0. Let C = v1 ∨ v3. (Note that ~p falsifies C.)
Then Nbhd(~p, C)={~p1, ~p2} where ~p1 = 1110 and ~p2=0100.
Let ~q = 0000. Note that ~p2 is actually closer to ~q than ~p. So
Nbhd(~q, ~p, C)={~p1}.
Definition 1: Let H be a formula6 specified by a set of
clauses {C1, . . . , Ck}. Let P = {~p1, . . . , ~pm} be a set of
assignments to Vars(H) such that every ~pi ∈ P falsifies H .
Let Φ denote a mapping P → H where Φ(~pi) is a clause C
of H falsified by ~pi. We will call Φ an AC-mapping where
“AC” stands for “Assignment-to-Clause”. We will denote the
range of Φ as Φ(P ). (So, a clause C of H is in Φ(P ) iff there
is an assignment ~pi ∈ P such that C = Φ(~pi).)
Definition 2: Let H be a formula specified by a set of
clauses {C1, . . . , Ck}. Let P = {~p1, . . . , ~pm} be a set of
5Implication FN ∧ z → H is a semantic property of FN ∧ z. To verify
this property it suffices to know the truth table of FN ∧ z.
6We use the set of clauses {C1, . . . , Ck} as an alternative representation
of a CNF formula C1 ∧ · · · ∧ Ck .
assignments to Vars(H). P is called a Stable Set of Assign-
ments7 (SSA) of H with center ~pinit ∈ P if there is an AC-
mapping Φ such that for every ~pi ∈ P , Nbhd(~pinit , ~pi, C) ⊆
P holds where C = Φ(~pi).
Example 2: Let H consist of four clauses: C1 = v1∨v2∨v3,
C2 = v1, C3 = v2, C4 = v3. Let P = {~p1, ~p2, ~p3, ~p4} where
~p1 = 000, ~p2 = 100, ~p3 = 010, ~p4 = 001. Let Φ be an
AC-mapping specified as Φ(~pi) = Ci, i = 1, . . . , 4. Since
~pi falsifies Ci, i = 1, . . . , 4, Φ is a correct AC-mapping.
P is an SSA of H with respect to Φ and center ~pinit=~p1.
Indeed, Nbhd(~pinit , ~p1, C1)={~p2, ~p3, ~p4} where C1 = Φ(~p1)
and Nbhd(~pinit , ~pi, Ci) = ∅, where Ci = Φ(~pi), i = 2, 3, 4.
Thus, Nbhd(~pinit , ~pi,Φ(~pi)) ⊆ P , i = 1, . . . , 4.
B. SSAs and satisfiability of a formula
Proposition 1: Formula H is unsatisfiable iff it has an SSA.
The proof8 is given Appendix I. A similar proposition is
proved in [9] for “uncentered” SSAs (see Footnote 7).
BuildPath(H,Φ, ~pinit , ~s){
1 Path := nil
2 ~p1 := ~pinit
3 i := 1
4 while (~pi 6= ~s) {
5 Path := Extend(Path, ~pi)
6 C := Φ(~pi)
7 v := FindVar(C, ~pi, ~s)
8 ~pi+1 := FlipVar(~pi, v)
9 i := i + 1 }
10 return(Path) }
Fig. 1. BuildPath procedure
The set of all assignments
to Vars(H) forms the trivial
uncentered SSA of H . Ex-
ample 2 shows a non-trivial
SSA. The fact that formula H
has a non-trivial SSA P is
its structural property. That is
one cannot check whether P
is an SSA of H if only the
truth table of H is known. In
particular, P may not be an
SSA of a formula H ′ logically
equivalent to H .
BuildSSA(H){
1 E = ∅; Φ := ∅
2 ~pinit := PickInitAssgn(H)
3 Q := {~pinit}
4 while (Q 6= ∅) {
5 ~p := PickAssgn(Q)
6 Q := Q \ {~p}
7 if (SatAssgn(~p,H))
8 return(~p,nil ,nil ,nil )
9 C := PickFlsCls(H, ~p)
10 R := Nbhd(~pinit , ~p, C) \ E
11 Q := Q ∪R
12 E := E ∪ {~p}
13 Φ := Φ ∪ {(~p, C)}}
14 return(nil , E, ~pinit ,Φ) }
Fig. 2. BuildSSA procedure
The relation between
SSAs and satisfiability can
be explained as follows.
Suppose that formula H
is satisfiable. Let ~pinit be
an arbitrary assignment
to Vars(H) and ~s be a
satisfying assignment that is
the closest to ~pinit in terms
of the Hamming distance.
Let P be the set of all
assignments to Vars(H)
that falsify H and Φ be an
AC-mapping from P to H .
Then ~s can be reached from
~pinit by procedure BuildPath shown in Figure 1. It generates
a sequence of assignments ~p1, . . . , ~pi where ~p1 = ~pinit and
~pi=~s. First, BuildPath checks if current assignment ~pi equals
~s. If so, then ~s has been reached. Otherwise, BuildPath uses
clause C = Φ(~pi) to generate next assignment. Since ~s
7In [9], the notion of “uncentered” SSAs was introduced. The definition
of an uncentered SSA is similar to Definition 2. The only difference is that
one requires that for every pi ∈ P , Nbhd(~pi, C) ⊆ P holds instead of
Nbhd(~pinit , ~pi, C) ⊆ P .
8The proof of Proposition 1 presented in report [11] is inacurate.
satisfies C, there is a variable v ∈ Vars(C) that is assigned
differently in ~pi and ~s. BuildPath generates a new assignment
~pi+1 obtained from ~pi by flipping the value of v.
BuildPath reaches ~s in k steps where k is the Hamming
distance between ~pinit and ~s. Importantly, BuildPath reaches
~s for any AC-mapping. Let P be an SSA of H with respect
to center ~pinit and AC-mapping Φ. Then if BuildPath starts
with ~pinit and uses Φ as an AC-mapping, it can reach only
assignments of P . Since every assignment of P falsifies H ,
no satisfying assignment can be reached.
A procedure for generation of SSAs called BuildSSA is
shown in Figure 2. It accepts formula H and outputs either
a satisfying assignment or an SSA of H , center ~pinit and
AC-mapping Φ. BuildSSA maintains two sets of assignments
denoted as E and Q. Set E contains the examined assignments
i.e. those whose neighborhood is already explored. Set Q
specifies assignments that are queued to be examined. Q is
initialized with an assignment ~pinit and E is originally empty.
BuildSSA updates E and Q in a while loop. First, BuildSSA
picks an assignment ~p of Q and checks if it satisfies H . If so,
~p is returned as a satisfying assignment. Otherwise, BuildSSA
removes ~p from Q and picks a clause C of H falsified by
~p. The assignments of Nbhd(~pinit , ~p, C) that are not in E
are added to Q. After that, ~p is added to E as an examined
assignment, pair (~p, C) is added to Φ and a new iteration
begins. If Q is empty, E is an SSA with center ~pinit and
AC-mapping Φ.
III. COMPLETE TEST SETS
Fig. 3. Example of circuit
N(X,Y, z)
Let N(X,Y, z) be a
single-output combinational
circuit where X and Y
specify the input and internal
variables of N respectively
and z specifies the output
variable of N . Let N consist
of gates G1, . . . , Gk. Then
N can be represented as
FN = FG1 ∧ · · · ∧ FGk
where FGi , i = 1, . . . , k is a
CNF formula specifying the
consistent assignments
of gate Gi. Proving
N ≡ 0 reduces to showing
that formula FN ∧ z is
unsatisfiable.
Example 3: Circuit N shown in Figure 3 represents equiv-
alence checking of expressions (x1 ∨ x2) ∧ x3 and (x1 ∧
x3) ∨ (x2 ∧ x3) specified by gates G1, G2 and G3, G4, G5
respectively. Formula FN is equal to FG1 ∧ · · · ∧ FG6 where,
for instance, FG1 = C1 ∧ C2 ∧ C3, C1 = x1 ∨ x2 ∨ y1,
C2 = x1 ∨ y1, C3 = x2 ∨ y1. Every satisfying assignment
to Vars(FG1) corresponds to a consistent assignment to gate
G1 and vice versa. For instance, (x1 = 0, x2 = 0, y1 = 0)
satisfies FG1 and is a consistent assignment to G1 since the
latter is an OR gate. Formula FN ∧ z is unsatisfiable due
to functional equivalence of expressions (x1 ∨ x2) ∧ x3 and
(x1 ∧ x3) ∨ (x2 ∧ x3). Thus, N ≡ 0.
Let ~x be a test i.e. an assignment to X . The set of
assignments to Vars(N) sharing the same assignment ~x to X
forms a cube of 2|Y |+1 assignments. (Recall that Vars(N) =
X∪Y ∪{z}). Denote this set as Cube(~x). Only one assignment
of Cube(~x) specifies the correct execution trace produced
by N under ~x. All other assignments can be viewed as
“erroneous” traces under test ~x.
Definition 3: Let T be a set of tests {~x1, . . . , ~xk} where
k ≤ 2|X|. We will say that T is a Complete Test Set (CTS)
for N if Cube(~x1) ∪ · · · ∪ Cube(~xk) contains an SSA for
formula FN ∧ z.
SemStr(G,V ){
1 H := ∅
2 while (true) {
3 (~v,P ) :=BuildSSA(H)
4 if (P 6= nil )
5 return(nil , P )
6 (C,~s) := GenCls(G,V,~v)
7 if (~s 6= nil )
8 return(~s,nil )
9 H := H ∪ {C} }
Fig. 4. SemStr procedure
If T satisfies Definition 3,
set Cube(~x1)∪· · ·∪Cube(~xk)
“contains” a proof that N ≡ 0
and so T can be viewed as
complete. If k = 2|X|, T is
the trivial CTS. In this case,
Cube(~x1) ∪ · · · ∪ Cube(~xk)
contains the trivial SSA con-
sisting of all assignments to
Vars(FN ∧ z). Given an SSA
P of FN ∧ z, one can easily
generate a CTS by extracting all different assignments to X
that are present in the assignments of P .
Example 4: Formula FN∧z of Example 3 has an SSA of 21
assignments to Vars(FN∧z). They have only 5 different as-
signments to X={x1,x2,x3}. The set {101,100,011,010,000}
of those assignments is a CTS for N .
Definition 3 is meant for circuits that are not “too redun-
dant”. Highly-redundant circuits are discussed in report [11]
and Appendix II.
IV. SemStr PROCEDURE
A. Motivation
Building an SSA for a large formula is inefficient. So, con-
structing a CTS of N from an SSA of FN∧z is impractical. To
address this problem, we introduce a procedure called SemStr
(a short for “Semantics and Structure”). Given formula FN ∧z
and a set of variables V ⊆ Vars(FN ∧ z), SemStr generates
a simpler formula H(V ) implied by FN ∧ z at the same
time trying to build an SSA for H . If SemStr succeeds in
constructing such an SSA, formula H is unsatisfiable and so is
FN∧z. Then a set of tests T is extracted from this SSA. As we
show in Subsection V-A, one can view T as an approximation
of a CTS for N (if X ⊆ V ) or an “approximation of
approximation” of a CTS (if X 6⊆ V ).
Example 5: Consider the circuit N of Figure 3 where X =
{x1, x2, x3}. Assume that V = X . Application of SemStr to
FN∧z produces H(X) = (x1∨x3)∧(x2∨x3)∧(x1∨x2)∧x3.
SemStr also generates an SSA of H of four assignments to
X: {000, 001, 011, 101} with center ~pinit=000. (We omit the
AC-mapping here.) These assignments form an approximation
of CTS for N .
B. Description of SemStr
The pseudocode of SemStr is shown in Figure 4. SemStr
accepts formula G (in our case, G := FN ∧ z) and a set
of variables V ⊆ Vars(G). SemStr outputs an assignment
satisfying G or formula H(V ) implied by G and an SSA of H .
Originally, the set of clauses H is empty. H is computed in a
while loop. First, SemStr tries to build an SSA for the current
formula H by calling BuildSSA (line 3). If H is unsatisfiable,
BuildSSA computes an SSA P returned by SemStr (line 5).
Otherwise, BuildSSA returns an assignment ~v satisfying H . In
this case, SemStr calls procedure GenCls to build a clause C
falsified by ~v. Clause C is obtained by resolving clauses of G
on variables of W . (Hence C is implied by G.) If ~v can be
extended to an assignment ~s satisfying G, SemStr terminates
(lines 7-8). Otherwise, C is added to H and a new iteration
begins.
GenCls(G,V,~v){
1 G~v := GenForm(F,~v)
2 (~s,R) := ChkSat(G~v)
3 if (~s 6= nil )
4 return(nil , ~s ∪ ~v)
5 V ′ := Analyze(R,G~v, G)
6 C := FormCls(V ′, ~v)
7 return(C,nil )
Fig. 5. GenCls procedure
Procedure GenCls is shown in
Figure 5. First, GenCls generates
formula G~v obtained from G by
discarding clauses satisfied by ~v
and removing literals falsified by
~v. Then GenCls checks if there is
an assignment ~s satisfying G~v . If
so, ~s∪~v is returned as an assign-
ment satisfying G. Otherwise, a
proof R of unsatisfiability of G~v
is produced. Then GenCls forms a set V ′ ⊆ V . A variable w
is in V ′ iff a clause of G~v is used in proof R and its parent
clause from G has a literal of w falsified by ~v. Finally, clause
C is generated as a disjunction of literals of V ′ falsified by ~v.
By construction, clause C is implied by G and falsified by ~v.
V. BUILDING APPROXIMATIONS OF CTS
A. Two kinds of approximations of CTSs
GenTests(FN , X, P,Tries){
1 T := ∅
2 for each ~v ∈ P {
3 ~s := SatAssgn(FN , ~v)
4 if (~s 6= nil ) {
5 ~x := ExtrTest(~s,X)
6 T := T ∪ ~x}
7 else
8 for (i = 0;i < Tries;i++){
9 F ∗N := Relax (FN )
10 ~s := SatAssgn(F ∗N , ~v)
11 if (~s = nil ) continue
12 ~x := ExtrTest(~s,X)}
13 T := T ∪ ~x}}
14 return(T )}
Fig. 6. GenTests procedure
As before, let H(V ) de-
note a formula implied by
FN ∧ z that is generated by
SemStr and P denote an
SSA for H . Projections of
N can be of two kinds de-
pending on whether X ⊆ V
holds. Let X ⊆ V hold and
T be the test set extracted
from P as described in Sec-
tion III. That is T consists
of all different assignments
to X present in the assign-
ments of P . On one hand,
using the reasoning of Sec-
tion III one can show that T is a CTS for projection of N on
V . On the other hand, since H(V ) is essentially an abstraction
of FN ∧z, set T is an approximation of a CTS for N . For that
reason, we will refer to T as a CTSa of N where superscript
“a” stands for “approximation”.
Now assume that X 6⊆ V holds. Generation of a test set
T from P for this case is described in the next section. The
set T can be viewed as an approximation of a set T ′ built for
projection of N on set V ∪X . Since T ′ is a CTSa for N , we
will refer to T as CTSaa where “aa” stands for “approximation
of approximation”.
B. Construction of CTSaa
Consider extraction of a test set T from SSA P of formula
H(V ) when X 6⊆ V . Since V , in general, contains internal
variables9 of N , translation of P to a test set T needs a special
procedure GenTests shown in Figure 6. For every assignment
~v of P , GenTests checks if formula FN is satisfiable under
assignment ~v (i.e. if there exists a test under which N assigns
~v to V ). If so, an assignment ~x to X is extracted from the
satisfying assignment and added to T as a test. Otherwise,
GenTests runs a for loop (lines 8-13) of Tries iterations. In
every iteration, GenTests relaxes FN by removing the clauses
specifying a small subset of gates picked randomly. If the
relaxed version of FN is satisfiable, a test is extracted from
the satisfying assignment and added to T .
C. Finding a set of variables to project on
GenCut(N,Size){
1 Gout := OutGate(N)
2 Gts := {Gout}
3 Dpth(Gout) := 0
4 Inps := ∅
5 while (|Gts∪Inps|<Size) {
6 G :=MinDepth(Gts,Dpth)
7 Gts := Gts \ {G}
8 Seen(G) := true
9 foreach G′ ∈ FanIn(G){
10 if (Seen(G′)) continue
11 if (G′ ∈ Inputs(N)) {
12 Inps = Inps ∪ {G′}
13 continue }
14 Dpth(G′) :=Dpth(G)+1
15 Gts := Gts ∪ {G′}}}
16 return(Gts ∪ Inps)}
Fig. 7. GenCut procedure
Intuitively, a good choice
of the set V to project N on
is a (small) coherent subset
of variables of N reflecting
its structure and/or seman-
tics. One obvious choice of
V is the set X of input vari-
ables of N . In this section,
we describe generation of a
set V whose variables form
an internal cut of N denoted
as Cut. Procedure GenCut for
generation of set Cut consist-
ing of Size gates is shown
in Figure 7. Set V is formed
from output variables of the
cut gates.
The current cut is specified by Gts ∪ Inps . Set Gts is
initialized with the output gate Gout of circuit N and Inps
is originally empty. GenCut computes the depth of every gate
of Gts. The depth of Gout is set to 0. Set Gts is processed
in a while loop (lines 5-15). In every iteration, a gate of the
smallest depth is picked from Gts. Then GenCut removes gate
G from Gts and examines the fan-in gates of G (lines 9-15).
Let G′ be a fan-in gate of G that has not been seen yet and is
not a primary input of N . Then the depth of G′ is set to that
of G plus 1 and G′ is added to Gts. If G′ is a primary input
of N it is added to Inps.
VI. APPLICATIONS OF PROPERTY-CHECKING TESTS
Given a multi-output circuit M , traditional testing is used to
verify M “as a whole”. In this paper, we describe generation
of a test set meant for checking a particular property of M
9If the special case V ⊂ X holds, every assignment of P can be easily
turned into a test by assigning values to variables of X \ V (e.g. randomly).
specified by a single-output circuit N . In this section, we
present some applications of property-checking test sets.
A. Testing properties specified by similar circuits
Let N be a single-output circuit and T be a test set generated
when proving N ≡ 0. Let N∗ be a circuit that is similar to
N . (For instance, N can specify a property of a circuit M
whereas N∗ specifies the same property after a modification
of M .) Then one can use T to verify if N∗ ≡ 0. Since T is
generated for a similar circuit N , there is a good chance that it
contains a counterexample to N∗ ≡ 0, if any. (Of course, the
fact that N∗ evaluates to 0 for all tests of T does not mean that
N∗ ≡ 0 even if T is a CTS for N ). In Subsection VII-B, we
give experimental evidence supporting the observation above.
Assuming that N ≡ 0 was proved formally, checking if
N∗ ≡ 0 holds can be verified formally too. So applying tests
of T to N∗ can be viewed as a “light” verification procedure
for exposing bugs. On the other hand, one can re-use test
T in situations where the necessity to apply a formal tool
is overlooked or formal methods are not powerful enough.
Let N specify a property ξ of a component of a design D.
Suppose that this component is modified under assumption
that preserving ξ is not necessary any more. By applying T to
D one can invoke behaviors that break ξ and expose a bug in
D, if any, caused by ignoring ξ. If D is a large design, finding
such a bug by formal verification may not be possible.
B. Verification of corner cases
Fig. 8. Subcircuit K of
circuit M
Let K be a single-output subcircuit
of circuit M as shown in Figure 8.
For the sake of simplicity we consider
here the case where the set XK of
input variables of K is a subset of the
set X of input variables of M . (The
technique below can also be applied
when input variables of K are internal
variables of M .) Suppose K evaluates,
say, to value 0 much more frequently
then to 1. Then one can view an input
assignment of M for which K evalu-
ates to 1 as specifying a “corner case” i.e. a rare event. Hitting
such a corner case by a random test can be very hard. This
issue can be addressed by using a coverage metric that requires
setting the value of K to both 0 and 1. (The task of finding a
test for which K evaluates to 1 can be solved, for instance, by
a SAT-solver.) The problem however is that hitting a corner
case only once may be insufficient.
One can increase the frequency of hitting the corner case
above as follows. Let N be a miter of circuits K ′ and K ′′
(see Figure 9) i.e. a circuit that evaluates to 1 iff K ′ and K ′′
are functionally inequivalent. Let K ′ and K ′′ be two copies of
circuit K. So N ≡ 0 holds. Let test set TK be extracted from
an SSA built for a projection of N on a set V ⊆ Vars(N). Set
TK can be viewed as a result of “squeezing” the truth table of
K. Since this truth table is dominated by input assignments
for which K evaluates to 0, this part of the truth table is
reduced the most. So, one can expect that the ratio of tests
of TK for which K evaluates to 1 is higher than in the truth
table of K. In Subsection VII-C, we substantiate this intuition
experimentally. One can easily extend an assignment ~xK of
TK to an assignment ~x to X e.g. by randomly assigning values
to the variables of X \XK .
C. Dealing with incomplete specifications
One can use property-checking tests to mitigate the problem
of incomplete specifications. By running tests generated for
an incomplete set of properties of M , one can expose bugs
overlooked due to missing some properties. An important
special case of this problem is as follows. Let ξ be a property
of M that holds. Assume that the correctness of M requires
proving a slightly different property ξ′ that is not true. By
running a test set T built for property ξ, one may expose
a bug overlooked in formal verification due to proving ξ
instead of ξ′. In Subsection VII-D, we illustrate the idea above
experimentally.
D. Testing sequential circuits
There are a few ways to apply property-checking tests meant
for combinational circuits to verification of sequential circuits.
Here is one of them based on bounded model checking [3].
Let M be a sequential circuit and ξ be a property of M . Let
N(X,Y, z) be a circuit such that N ≡ 0 holds iff ξ is true
for k time frames. Circuit N is obtained by unrolling M k
times and adding logic specifying property ξ. Set X consists
of the subset X ′ specifying the state variables of M in the
first time frame and subset X ′′ specifying the combinational
input variables of M in k time frames.
Fig. 9. The miter of circuits K′
and K′′
Having constructed N , one can
build CTSs, CTSas and CTSaas
for testing property ξ of M .
The only difference here from
the problem we have considered
so far is as follows. Circuit M
starts in a state satisfying some
formula I(X ′) that specifies the
initial states. So, one needs to
check if N ≡ 0 holds only for
the assignments to X satisfying
I(X ′). A test here is an assign-
ment (~x′1, ~x′′1, . . . , ~x′′k) where
~x′1 is an initial state and ~x′′i, 1 ≤ i ≤ k is an assignment
to the combinational input variables of i-th time frame. Given
a test, one can easily compute the corresponding sequence of
states (~x′1, . . . , ~x′k) of M . In Subsection VII-D, we give an
example of building an CTSaa for a sequential circuit.
VII. EXPERIMENTS
In this section, we describe experiments with property-
checking tests (PCT) generated by procedure GenPCT shown
in Figure 10. GenPCT accepts a single-output circuit N and
outputs a set of tests T . (For the sake of simplicity, we assume
here that N ≡ 0 holds.) GenPCT starts with generating
TABLE I
Computing CTSs, CTSas and CTSaas
name la- #inp #ga- CTS CTSa or CTSaa
tch vars tes |SSA| time test |SSA| time
(#tests) (s.) set |V | (#tests) (s.)
×103 type ×103
bob3 L26 14 41 46 (2.0) 0.1 CTSa 14 0.6 (0.6) 0.01
eijks258 L10 16 45 259 (8.2) 0.5 CTSa 16 0.1 (0.1) 0.02
cmudme1 L230 19 50 2,184 (63) 5.4 CTSa 19 13 (13) 0.1
mutexp0 L60 29 199 memout ∗ CTSa 29 659 (659) 26
pdtpmsmiim L118 31 136 memout ∗ CTSa 31 936 (936) 4.2
abp4pold L270 129 1,178 memout ∗ CTSaa 22 0.9 (0.5) 0.6
pj2009 L1318 366 25,160 memout ∗ CTSaa 22 0.6 (0.3) 51
mentorb..00 L8670 626 3,156 memout ∗ CTSaa 22 1.2 (0.6) 11
139454p0 L1676 791 19,843 memout ∗ CTSaa 22 0.1 (0.1) 99
formula FN ∧ z and a set of variables V ⊆ Vars(FN ∧ z).
Then it calls SemStr (see Fig. 4) to compute an SSA P of
formula H(V ) describing a projection of circuit N on V. If
H(V ) does not depend on a variable w ∈ V , all assignments of
P have the same value of w. Procedure Diversify randomizes
the value of w in the assignments of P . Finally, BldTests uses
P to extract a test set for circuit N . If X ⊆ V holds (where
X is the set of input variables of N ), BldTests outputs all
the different assignments to X present in assignments of P .
Otherwise, BldTests calls procedure GenTests (see Fig. 6).
GenPCT (N,Tries){
1 FN ∧ z := GenForm(N)
2 V := GenVars(FN ∧ z)
3 P := SemStr(FN ∧ z, V )
4 P := Diversify(P )
5 T := BldTests(FN , P,Tries)
6 return(T )}
Fig. 10. GenPCT procedure
If V = Vars(FN ∧ z),
then H(V ) is FN ∧ z it-
self and GenPCT produces
a CTS of N . Otherwise, ac-
cording to definitions of Sub-
section V-A, GenPCT gener-
ates a CTSa (if X ⊆ V ) or
CTSaa (if X 6⊆ V ).
In the following subsec-
tions, we describe results of four experiments. In the first three
experiments we used circuits specifying next state functions of
latches of HWMCC-10 benchmarks. (The motivation was to
use realistic circuits.) In our implementation of SemStr , as a
SAT-solver, we used Minisat 2.0 [6], [17]. We also employed
Minisat to run simulation. To compute the output value of N
under test ~x, we added unit clauses specifying ~x to formula
FN ∧ z and checked its satisfiability.
A. Comparing CTSs, CTSas and CTSaas
The objective of the first experiment was to give examples
of circuits with non-trivial CTSs and compare the efficiency
of computing CTSs, CTSas and CTSaas. In this experiment,
N was a miter specifying equivalence checking of circuits
M ′ and M ′′ (see Figure 9). M ′′ was obtained from M ′ by
optimizing the latter with ABC [14].
The results of the first experiment are shown in Table I. The
first two columns specify an HWMCC-10 benchmark and its
latch whose next state function was used as M ′. The next
two columns give the number of input variables and that of
gates in the miter N . The following pair of columns describe
computing a CTS for N . The first column of this pair gives
the size of the SSA P found by GenPCT in thousands. The
number of tests in the set T extracted from P is shown in
the parentheses in thousands. The second column of this pair
gives the run time of GenPCT in seconds.
The last four columns of Table I describe results of com-
puting test sets for a projection of N on a set of variables V .
The first column of this group shows if CTSa or CTSaa was
computed whereas the next column gives the size of V . The
third column of this group provides the size of SSA P and
the test set T extracted from P (in parentheses). Both sizes
are given in thousands. The last column shows the run time
of GenPCT. For the first five examples, we used a projection
of N on X , thus constructing a CTSa of N . For the last four
examples we computed a projection of N on an internal cut
(see Subsection V-C) thus generating a CTSaa of N . GenPCT
was called with parameter Tries set to 5 (see Fig. 6 and 10).
For the first three examples, GenPCT managed to build non-
trivial CTSs that are smaller than 2|X|. For instance, the trivial
CTS for example bob3 consists of 214=16,384 tests, whereas
GenPCT found a CTS of 2,004 tests. (So, to prove M ′ and
M ′′ equivalent it suffices to run 2,004 out of 16,384 tests.) For
the other examples, GenPCT failed to build a non-trivial CTS
due to exceeding the memory limit (1.5 Gbytes). On the other
hand, GenPCT built a CTSa or CTSaa for all nine examples
of Table I. Note, however, that CTSas give only a moderate
improvement over CTSs. For the last four examples GenPCT
failed to compute an CTSa of N due to memory overflow
whereas it had no problem computing an CTSaa of N . So
CTSaas can be computed efficiently even for large circuits.
Further, we show that CTSaas are also very effective.
B. Re-using property-checking tests to detect bugs
In the second experiment, we employed the idea of re-
using property-checking tests (see Subsection VI-A) to verify
relaxed equivalence [16]. Let circuit Mpi be obtained from
circuit M by applying a set of changes pi. Regular equivalence
of M and Mpi means that these circuits produce the same
output assignment for the same input assignment. Relaxed
equivalence requires only that the difference between output
assignments of M and Mpi is in a specified range. So
regular equivalence implies relaxed one and hence the latter
is a weaker property than the former. Intuitively, this makes
relaxed equivalence harder for testing (because the space of
buggy behaviors is smaller).
In this experiment, we compared two-output circuits M and
Mpi . Namely we checked property ξ(M,Mpi) that (y1 ≡ ypi1 )∨
(y2 ≡ ypi2 ) holds where y1, y2 and ypi1 , ypi2 specify the outputs
of M and Mpi respectively. Property ξ(M,Mpi) states that the
Hamming distance between the output assignments produced
by M and Mpi for the same input assignment is less or equal
to 1. Circuit M was extracted from the transition relation of
an HWMCC-10 benchmark. Circuit Mpi was obtained from
M by making changes pi that broke property ξ(M,Mpi).
Let Npi denote a circuit specifying property ξ(M,Mpi). In
the experiment, we tested Npi using three approaches. The
first approach was to apply tests generated to detect stuck-at
faults (SAF) [1] in M . We used SAF tests as an example of
a test set driven by a coverage metric10 The second approach
was random testing of Npi . In the third approach we did the
following. First, we built a CTSaa for circuit N∅ specifying
property ξ(M,Mpi) for the case where pi = ∅ and hence Mpi
was identical to M . (Obviously, N∅ ≡ 0 holds.) Then we
re-used this CTSaa to verify circuit Npi for the case pi 6= ∅.
TABLE II
Bug detection. CTSaas are computed for |V | = 18. The number of random
tests is limited to 108. An asterisk marks test sets with a counterexample
name #inp #ga- SAF random testing by
vars tes tests tests CTSaa
#tests time #tests time |SSA| #tests time
(s.) ×106 (s.) (s.)
cmugigamax 104 2,007 989 4.5 100 1,649 50 3,421∗ 22
kenoopp1 162 2,247 1,007 4.7 100 2,147 72 2,345∗ 20
pd..ackjack4 198 1,251 216 0.4 2.4∗ 30 62 728∗ 8.5
pdtpmsns2 236 1,187 967 1.0 100 1,507 31 560∗ 1.2
abp4pold 258 2,547 1,306 6.6 100 3,555 22 500∗ 1.5
pdtvissfeistel 342 2,111 1,232 2.8 100 4,557 86 932∗ 35
neclaftp1001 398 2,707 1,723 0.2 100 1,313 40 417∗ 6.7
mentorb..00 640 2.951 1,932 10 3.4∗ 688 43 1,476∗ 15
A representative subset of examples we tried is shown in
Table II. The first column gives the name of the HWMCC-
10 benchmark from which circuit M was extracted. The next
two columns show the size of the circuit. The following two
columns list the number of SAF tests and the total run time
(i.e. time taken to generate tests11 and run simulation by
Minisat). The next two columns show the performance of
random testing. The last three columns describe testing by
CTSaas. The first column of the three gives the size of the
SSA for formula H(V ) generated by GenPCT . The set of
variables V , |V | = 18, forming an internal cut was generated
by procedure GenCut (see Fig. 7). The next column shows
the size of a CTSaa obtained with Tries set to 100. The last
column gives the total run time.
The test sets with a counterexample breaking ξ(M,Mpi) are
marked with an asterisk. Table II shows that SAF tests failed to
detect a bug, random tests found a bug for two examples and
CTSaas succeeded for all examples. (On the other hand, the
same SAF tests and CTSaas found bugs in all eight examples
modified to check regular equivalence i.e the property (y1 ≡
ypi1 ) ∧ (y2 ≡ ypi2 ). Random testing limited to 100 million tests
found a bug in five examples.) So CTSaas proved effective
even in testing a “weak” property.
C. Testing corner cases
In the third experiment, we generated CTSas and CTSaas to
test corner cases (see Subsection VI-B). First, we formed a
circuit K that evaluates to 0 for almost all input assignments.
So, the assignments for which K evaluates to 1 are corner
10Note that SAF tests are stronger than tests satisfying traditional coverage
metrics e.g. those used in software. In addition to exciting an event in M , a
SAF test must propagate the effect of this event to a primary output of M .
11To generate SAF tests we wrote a simple program based on Minisat.
Although this program did not have the efficiency of a dedicated ATPG tool
it was good enough for the purpose of studying the effectiveness of SAF tests.
cases12. We compared the frequency of hitting corner cases
by random tests and by tests of a set T built by GenPCT as
follows. Let N be a miter of copies K ′ and K ′′ (see Figure 9).
The set T was generated using a projection of N either on the
set X of input variables or an internal cut of N .
TABLE III
Testing corner cases
name la- #inp #and #ga- random testing by
tch vars vars tes testing CTSa and CTSaa
#te- #hits test #te- #hits time
sts % set |V | sts % (s.)
pd..gigamax5 L46 43 10 512 105 0.02 CTSa 43 547 7.1 0.2
pd..gigamax5 L46 63 30 512 108 0 CTSa 63 1,243 3.0 0.2
pdtvisbpb1 L48 46 10 108 105 0.04 CTSa 46 398 9.0 0.01
pdtvisbpb1 L48 66 30 108 108 0 CTSa 66 736 3.1 0.03
abp4pold L270 139 10 637 105 0.02 CTSaa 35 2,047 8.5 0.9
abp4pold L270 159 30 637 108 0 CTSaa 55 5,256 3.3 2.1
mentorbm1p00 L8670 636 10 1,630 105 0.1 CTSaa 35 594 11 3.7
mentorbm1p00 L8670 656 30 1,630 108 0 CTSaa 55 2,009 4.7 8.7
To build circuit K, we extracted the circuit R specifying the
next state function of a latch of a HWMCC-10 benchmark and
composed it with an n-input AND gate as shown in Figure 11.
The circuit K outputs 1 only if R evaluates to 1 and the first
n−1 inputs variables of the AND gate are set to 1 too. So
the input assignments for which K evaluates to 1 are “corner
cases”.
Fig. 11. Circuit K
whose output value is
biased to 0
The results of the experiment are given
in Table III. The first two columns name
the benchmark and latch whose next state
function was used as circuit R. The next
three columns give the total number of
input variables of K, the value of n in
the n-input AND gate fed by R and
the number of gates in circuit K. The
following pair of columns describes the
performance of random testing. The first
column of this pair gives the total num-
ber of tests. The next column shows the
percentage of times circuit K evaluated
to 1 (and so a corner case was hit). The last five columns of
Table III describe the results of GenPCT . The first column of
the five indicates whether a CTSa or CTSaa was generated. The
second column gives the size of set V on which the projection
of N was computed. CTSas were generated with V = X .
When computing CTSaas, the set V formed an internal cut
of N and the value of Tries was set to 1. The next column
shows the size of the test set. The fourth column gives the
percentage of times a corner case was hit. The last column
shows the total run time.
The examples of Table III were generated in pairs that
shared the same circuit R and were different only in the size
of the AND gate fed by R. For instance, in the first and second
entry of Table III, circuit K was obtained by composing the
12We assume here that K is a subcircuit of some circuit M . The input
assignments for which K evaluates to 1 are corner cases for M .
same circuit R extracted from benchmark pdtvisgigamax5 with
10-input and 30-input AND gates respectively. Table III shows
that for circuits with a 10-input AND gate, random testing hit
corner cases but the percentage of those events was much
lower than for CTSas and CTSaas. On the other hand, 100
millions of random tests failed to hit a single corner case for
examples with a 30-input AND gate in sharp contrast to CTSas
and CTSaas.
D. Testing properties defined incorrectly
TABLE IV
Testing a “misdefined” property of a
counter. CTSaa is computed for
|V | = 14
#time #rand CTSaa
Cp fra- tests #SAF #it #te- time
mes ×106 tests ter sts (s.)
C4 14 0.001∗ 172∗ 1 572∗ 0.1
C5 30 28∗ 505 2 1,393∗ 0.2
C6 62 100 1,276 2 338∗ 0.5
C7 126 100 3,031 1 1,025∗ 2.1
The objective of the last
experiment was to show that
one can use tests generated
by GenPCT to address the
problem of incorrect defini-
tion of properties (see Sub-
section VI-C). Assume that
our design D contains a p-bit
counter. Denote this counter
as Cp. Let val(Cp) denote
the current value of Cp. As-
sume that Cp has one initial state val(Cp) = 0 and the counter
is reset to this state every time it reaches state val(Cp) = 2p−2.
So property ξ that val(Cp) < 2p−1 is true. Assume that the
correctness of D requires proving a stronger property ξ′ that,
say, val(Cp) < 2p− 3 holds. In contrast to ξ, property ξ′
is not true. Let N (respectively N ′) be a circuit specifying
the correctness of ξ (respectively ξ′) for a given number
of time frames. Let T be a CTSaa built by GenPCT when
proving N ≡ 0 under the assumption that the initial state
of Cp is val(Cp) = 0 (see Subsection VI-D). The idea of the
experiment was to show that T could contain a counterexample
to N ′ ≡ 0. So, testing design D by T could expose a bug
overlooked due to checking property ξ instead of ξ′.
Circuits N and N ′ above were obtained by unrolling the
transition relation of the counter k times and adding gates
specifying property ξ or ξ′. The value of k was set to 2p−2
to guarantee the existence of a trace breaking ξ′. Table IV
compares random and SAF tests13 with a CTSaa. The latter
was computed for a set V specifying an internal cut of N
and Tries set to 1. The second column of Table IV shows
the number of times the transition relation was unrolled to
obtain N and N ′. The next two columns describe results of
running random and SAF tests. An asterisk marks test sets
with a counterexample to ξ′. The last three columns show the
performance of CTSaas. The first column of the three gives
the number of iterations needed to break ξ′. In each iteration,
a new CTSaa was generated using a different choice of the
center of SSA P (see Definition 2). The last two columns
give the total number of tests and run time summed up over
all iterations.
13SAF tests were generated for the circuit obtained by unrolling the
transition relation of the counter k times. The input variables of this circuit
corresponding to state varaibles of the first time frame were set to 0 (to take
into account the initial state of the counter).
Table IV shows that random testing broke ξ′ only for C4
and C5 and SAF tests succeeded only for C4. Tests of CTSaa
broke ξ′ for all 4 examples.
VIII. BACKGROUND
As we mentioned earlier, traditional testing checks if a
circuit M is correct as a whole. This notion of correctness
means satisfying a conjunction of many properties of M . For
this reason, one tries to spray tests uniformly in the space of
all input assignments. To improve the effectiveness of testing,
one can try to run many tests at once as it is done in symbolic
simulation [4]. To avoid generation of tests that for some
reason should be or can be excluded, a set of constraints can be
used [12]. Another method of making testing more reliable is
to generate tests exciting a particular set of events specified by
a coverage metric [15]. Our approach is different from those
above in that it is aimed at testing a particular property of M .
The method of testing introduced in [10] is based on the
idea that tests should be treated as a “proof encoding” rather
than a sample of the search space. (The relation between tests
and proofs have been also studied in software verification, e.g.
in [7], [8], [2]). In this paper, we take a different point of view
where testing becomes a part of a formal proof namely the
part that performs structural derivations.
Reasoning about SAT in terms of random walks was pio-
neered in [13]. The centered SSAs we introduce in this paper
bear some similarity to sets of assignments generated in de-
randomization of Scho¨ning’s algorithm [5]. Typically, centered
SSAs are much smaller than uncentered SSAs of [9].
The first version of SemStr procedure is presented in
report [11]. It has a much tighter integration between the
structural part (computation of SSAs) and semantic part
(derivation of formula H implied by the original formula).
The advantage of the new version of SemStr described in this
paper is twofold. First, it is much simpler than SemStr of [11].
In particular, any resolution based SAT-solver that generates
proofs can be used to implement the new SemStr . Second, the
simplicity of the new version makes it much easier to achieve
the level of scalability where SemStr becomes practical.
IX. CONCLUSION
We consider the problem of finding a Complete Test Set
(CTS) for a combinational circuit N that is a test set proving
N ≡ 0. We use the machinery of stable sets of assignments
to derive non-trivial CTSs i.e. those that do not include all
possible input assignments. Computing a CTS for a large
circuit N is inefficient. So, we present a procedure that
generates a test set for a “projection” of N on a subset V of
variables of N . Depending on the choice of V, this procedure
generates a test set CTSa that is an approximation of an CTS
or a test set CTSaa that is an approximation of CTSa. We give
experimental results showing that CTSaas can be efficiently
computed even for large circuits and are effective in solving
verification problems.
REFERENCES
[1] M. Abramovici, M. Breuer, and A. Friedman. Digital Systems Testing
and Testable Design. John Wiley & Sons, 1994.
[2] N. Beckman, A. Nori, S. Rajamani, R. Simmons, S. Tetali, and
A. Thakur. Proofs from tests. IEEE Transactions on Software Engi-
neering, 36(4):495–508, July 2010.
[3] A. Biere, A. Cimatti, E. Clarke, M. Fujita, and Y. Zhu. Symbolic model
checking using sat procedures instead of bdds. In DAC, pages 317–320,
1999.
[4] R. Bryant. Symbolic simulation—techniques and applications. In DAC-
90, pages 517–521, 1990.
[5] E. Dantsin, A. Goerdt, E. Hirsch, R. Kannan, J. Kleinberg, C. Pa-
padimitriou, P. Raghavan, and U. Scho¨ning. A deterministic (22/(k+1))n
algorithm for k-sat based on local search. Theoretical Computer Science,
289(1):69 – 83, 2002.
[6] N. Ee´n and N. So¨rensson. An extensible sat-solver. In SAT, pages
502–518, Santa Margherita Ligure, Italy, 2003.
[7] C. Engel and R. Ha¨hnle. Generating unit tests from formal proofs. In
TAP, pages 169–188, 2007.
[8] P. Godefroid and N. Klarlund. Software model checking: Searching
for computations in the abstract or the concrete. In Integrated Formal
Methods, pages 20–32, 2005.
[9] E. Goldberg. Testing satisfiability of cnf formulas by computing a stable
set of points. In Proc. of CADE-02, pages 161–180, 2002.
[10] E. Goldberg. On bridging simulation and formal verification. In VMCAI-
08, pages 127–141, 2008.
[11] E. Goldberg. Generation of complete test sets. Technical Report
arXiv:1804.00073 [cs.LO], 2018.
[12] N. Kitchen and A.Kuehlmann. Stimulus generation for constrained
random simulation. In ICCAD-07, pages 258–265, 2007.
[13] C. H. Papadimitriou. On selecting a satisfying truth assignment. In
32nd Annual Symposium of Foundations of Computer Science, pages
163–169, Oct 1991.
[14] Berkeley Logic Synthesis and Verification Group. ABC:
A system for sequential synthesis and verification, 2017.
http://www.eecs.berkeley.edu/∼alanmi/abc.
[15] S. Tasiran and K. Keutzer. Coverage metrics for functional validation
of hardware designs. IEEE Design Test of Computers, 18(4):36–45, Jul
2001.
[16] Z. Vasicek. Relaxed equivalence checking: a new challenge in logic
synthesis. In Int. Symp. on Design and Diagnostics of Electronic Circuits
Systems (DDECS), pages 1–6, 2017.
[17] Minisat2.0. http://minisat.se/MiniSat.html.
APPENDIX I
PROOFS
Proposition 1: Formula H is unsatisfiable iff it has an SSA.
Proof: If part. Assume the contrary i.e. P is an SSA of H
with center ~pinit and AC-mapping Φ and H is satisfiable. Let
~s be an assignment satisfying H that is the closest to ~pinit
in terms of the Hamming distance. Then procedure BuildPath
(see Fig. 1) can build a sequence of assignments ~p1, . . . , ~pi
such that
• i = Hamming distance(~pinit , ~s) + 1
• ~p1 = ~pinit and ~pi = ~s
By definition of BuildPath, assignment ~pj+1 is closer to ~s
and farther away from ~pinit than ~pj where 1 ≤ j ≤ i − 1.
This means that ~pj+1 is in Nbhd(~pinit , ~pj , C) where C =
Φ(~pj). In particular, ~s is in Nbhd(~pinit , ~pi−1, C) and so ~s is
in P . However, by definition of an SSA, P consists only of
assignments falsifying H . Thus, we have a contradiction.
Only if part. Assume that formula H is unsatisfiable. By
applying BuildSSA (see Fig. 2) to H , one generates a set P
that is an SSA of H with respect to some center ~pinit and
AC-mapping Φ. QED
APPENDIX II
CTSS AND CIRCUIT REDUNDANCY
Let N ≡ 0 hold. Let R be a cut of circuit N . We will denote
the circuit between this cut and the output of N as NR (see
Figure 12). We will say that N is non-redundant if NR 6≡ 0
for any cut R other than the cut specified by primary inputs
of N . Note that if NR 6≡ 0 for some cut R, then NR′ 6≡ 0 for
every cut R′ located above R.
Definition 3 of a CTS may not work well if N is highly
redundant. Assume, for instance, that NR ≡ 0 holds for a cut
R. This means that the clauses specifying gates of N below
R (i.e. those that are not in NR) are redundant in FN ∧ z.
Then one can build an SSA P for FN ∧ z as follows. Let
PR be an SSA for FNR ∧ z. Let ~v be an arbitrary assignment
to the variables of Vars(N) \ Vars(NR). Then by adding ~v
to every assignment of PR one obtains an SSA for FN ∧ z.
This means that for any test ~x, Cube(~x) contains an SSA of
FN ∧ z. Therefore, according to Definition 3, circuit N has a
CTS consisting of just one test.
Fig. 12. A cut R in circuit
N
The problem above can be solved
using the following observation. Let
T be a set of tests {~x1, . . . , ~xk} for
N where k ≤ 2|X|. Denote by ~ri the
assignment to the variables of cut R
produced by N under input ~xi. Let
TR denote {~r1, . . . , ~rk}. Denote by
T ∗R the set of assignments to vari-
ables of R that cannot be produced
in N by any input assignment. Now
assume that T is constructed so that TR ∪ T ∗R is a CTS for
circuit NR. This does not change anything if NR is itself
redundant (i.e. if NR′ ≡ 0 for some cut R′ that is closer to
the output of N than R). In this case, it is still sufficient to use
T of one test because NR has a CTS of one assignment (in
terms of cut R). Assume however, that NR is non-redundant.
In this case, there is no “degenerate” CTS for NR and T has
to contain at least |TR| tests. Assuming that T ∗R alone is far
from being a CTS for NR, a CTS T for N will consist of
many tests.
So, one can modify the definition of CTS for a redundant
circuit N as follows. A test set T is a CTS for N if there is
a cut R such that
• circuit NR is non-redundant i.e.
• NR ≡ 0 holds
• N ′R 6≡ 0 for every cut R′ above R
• set TR ∪ T ∗R is a CTS for NR.
