
Coverage-Driven Test Generation for Functional Validation of Pipelined Processors

Permanent Link: http://ufdc.ufl.edu/UFE0014821/00001

Material Information

Title: Coverage-Driven Test Generation for Functional Validation of Pipelined Processors
Physical Description: 1 online resource (96 p.)
Language: english
Creator: Koo, Heon-Mo
Publisher: University of Florida
Place of Publication: Gainesville, Fla.
Publication Date: 2007

Subjects

Subjects / Keywords: formal, processor, simulation, test, verification
Computer and Information Science and Engineering -- Dissertations, Academic -- UF
Genre: Computer Engineering thesis, Ph.D.
bibliography   ( marcgt )
theses   ( marcgt )
government publication (state, provincial, territorial, dependent)   ( marcgt )
born-digital   ( sobekcm )
Electronic Thesis or Dissertation

Notes

Abstract: Functional verification of microprocessors is one of the most complex and expensive tasks in the current system-on-chip design methodology. Simulation using functional test vectors is the most widely used form of processor verification. A major challenge in simulation-based verification is how to reduce the overall verification time and resources. Since the test generation and simulation for all input sequences is infeasible, we need a method for deciding effective tests to achieve high confidence of the design. In addition, test generation techniques must be able to accommodate complex processor designs as well as produce tests in a reasonable time. Traditionally, billions of random and directed tests are used during simulation. Compared to random tests, directed tests can reduce overall validation effort significantly since shorter tests can obtain the same coverage goal. However, there is a lack of automated techniques for directed test generation targeting micro-architectural design errors. Furthermore, the lack of a comprehensive functional coverage metric makes it difficult to measure the verification progress. This dissertation presents a functional coverage-driven test generation methodology. Based on the behavior of pipelined processors, a functional coverage is defined to evaluate the verification progress. My research provides efficient test generation techniques using formal methods by decomposing processor designs and properties to reduce test generation time as well as memory requirement. My research also provides a functional test compaction technique to reduce the number of directed tests while preserving the overall functional coverage. The experiments using MIPS and PowerPC processors demonstrate the feasibility and usefulness of the proposed functional test generation methodology.
General Note: In the series University of Florida Digital Collections.
General Note: Includes vita.
Bibliography: Includes bibliographical references.
Source of Description: Description based on online resource; title from PDF title page.
Source of Description: This bibliographic record is available under the Creative Commons CC0 public domain dedication. The University of Florida Libraries, as creator of this bibliographic record, has waived all rights to it worldwide under copyright law, including all related and neighboring rights, to the extent allowed by law.
Statement of Responsibility: by Heon-Mo Koo.
Thesis: Thesis (Ph.D.)--University of Florida, 2007.
Local: Adviser: Mishra, Prabhat.
Electronic Access: RESTRICTED TO UF STUDENTS, STAFF, FACULTY, AND ON-CAMPUS USE UNTIL 2008-06-30

Record Information

Source Institution: UFRGP
Rights Management: Applicable rights reserved.
Classification: lcc - LD1780 2007
System ID: UFE0014821:00001


Full Text

My journey to the Ph.D. was full of challenging adventures and it became another stepping-stone in my life. Though only my name appears on the cover of this dissertation, the completion of my dissertation was possible with the help and efforts of many people.

First, I express my deepest appreciation to my esteemed advisor Dr. Prabhat Mishra. Through my graduate career at University of Florida, his unfailing guidance, support, and patience helped me overcome many crisis situations and complete this dissertation. He often brought me to the threshold of knowledge, and ignited the interest to cross the threshold. He also encouraged me to be an independent thinker with a high research standard. Additionally, I am very grateful for the friendship of all of the members of his research group.

Thanks also go out to the members of the dissertation committee, Profs. Sartaj Sahni, Jih-Kwon Peir, Shigang Chen, and John M. Shea for their valuable suggestions. Their insightful comments and constructive criticisms were thought-provoking and helped my idea escalate at each phase of my research. I am grateful to many people on the faculty and staff of the Department of Computer and Information Science and Engineering for all that they taught and supported me in various ways. I am also thankful to the students who I was privileged to teach and from whom I also learned much when I was a Teaching Assistant.

Finally, and most importantly, I sincerely thank my family who have been a constant source of help, support, and strength during doctoral studies. None of my achievement would have been possible without their love. My very special thanks to my wife for her unselfish devotion and love upon which the path to completing my Ph.D. was built. I warmly appreciate my parents for their unwavering faith in me as well as unending encouragement and support. I thank my brother and sisters for their love and support. I appreciate parents-in-law for consistent encouragement and support.

ACKNOWLEDGMENTS
LIST OF TABLES
LIST OF FIGURES
ABSTRACT

CHAPTER

1 INTRODUCTION
  1.1 Processor Validation
  1.2 Coverage-driven Functional Validation
  1.3 Research Contributions

2 PROCESSOR FAULT MODELING AND FUNCTIONAL COVERAGE
  2.1 Existing Fault Models and Coverage Metrics
    2.1.1 Fault Models
    2.1.2 Coverage Metrics
  2.2 Graph-based Modeling of Pipelined Processors
    2.2.1 Modeling of MIPS processor
    2.2.2 Modeling of PowerPC e500 processor
  2.3 Pipeline Interaction Fault Model and Functional Coverage
  2.4 Chapter Summary

3 TEST GENERATION USING DESIGN AND PROPERTY DECOMPOSITIONS
  3.1 Model Checking
  3.2 Test Generation using Model Checking
  3.3 Related Work
  3.4 Test Generation using Design and Property Decompositions
    3.4.1 Generation and Negation of Properties
    3.4.2 Property Decomposition
      3.4.2.1 Decomposable properties
      3.4.2.2 Non-decomposable properties
    3.4.3 Design Decomposition
    3.4.4 Test Generation using Decompositional Model Checking
    3.4.5 Merging Partial Counterexamples
  3.5 Experiments
    3.5.1 Test Generation using Module Level Decomposition
    3.5.2 Test Generation for e500 Processor
      3.5.2.2 Micro-architectural validation using test programs
  3.6 Chapter Summary

4 TEST GENERATION USING SAT-BASED BOUNDED MODEL CHECKING
  4.1 SAT-based Bounded Model Checking
  4.2 Related Work
  4.3 Test Generation using SAT-based Bounded Model Checking
    4.3.1 Determination of Bound
    4.3.2 Design and Property Decompositions
  4.4 A Case Study
    4.4.1 Experimental Setup
    4.4.2 Test Generation: An Example
    4.4.3 Results
  4.5 Chapter Summary

5 FUNCTIONAL TEST COMPACTION
  5.1 Related Work
  5.2 FSM Modeling
    5.2.1 Functional FSM Modeling of Processors
      5.2.1.1 Modeling of FSM states
      5.2.1.2 Modeling of FSM state transitions
    5.2.2 Functional Coverage of FSM Model
  5.3 Compaction before Test Generation
    5.3.1 Identifying Unreachable States
    5.3.2 Identifying Redundant States and Transitions
    5.3.3 Identifying Illegal State Transitions
  5.4 FSM Coverage-directed Test Generation
    5.4.1 Test Generation for State Coverage
    5.4.2 Test Generation for Transition Coverage
  5.5 Compaction after Test Generation
    5.5.1 Test Matrix Reduction
    5.5.2 Test Set Minimization
  5.6 Experiments
  5.7 Chapter Summary

6 CONCLUSIONS AND FUTURE WORK
  6.1 Conclusions
  6.2 Future Research Directions

REFERENCES
BIOGRAPHICAL SKETCH

Table

2-1 Code coverage metrics
2-2 FSM coverage metrics
3-1 Design and property decomposition scenarios
3-2 Comparison of test generation techniques
3-3 Various test cases generated by our framework
4-1 Example of a test program
4-2 Comparison of test generation techniques for pipeline interactions
5-1 Transition rules between $ss_{k,j-1}(t-1)$ and $ss_{i,j}(t)$
5-2 Transition rules between $ss_{i,j}(t-1)$ and $ss_{i,j}(t)$
5-3 Transition rules between $ss_{l,j+1}(t-1)$ and $ss_{i,j}(t)$

Figure

1-1 Pre-silicon logic bugs per generation
1-2 Simulation-based processor validation
1-3 Coverage-driven validation flow
1-4 Functional coverage-directed test generation methodology
2-1 Graph model of the MIPS processor
2-2 Instruction flow of the PowerPC e500 processor
3-1 Test generation methodology using design and property decompositions
3-2 Test generation using model checking
3-3 Specification-driven test generation using model checking
3-4 An example of Kripke structure model
3-5 Four different data forwarding mechanisms
3-6 Micro-architectural validation flow
4-1 Test program generation using SAT-based bounded model checking
4-2 Test generation time comparison for four techniques
5-1 Functional test compaction methodology
5-2 Binary format of the states in FSM model
5-3 Instruction flow
5-4 Pipeline interactions
5-5 Single transitions between neighboring states
5-6 Test matrix for FSM coverage
5-7 Simplified MIPS processor
5-8 7-bits functional FSM model

Functional verification of microprocessors is one of the most complex and expensive tasks in the current system-on-chip design methodology. Simulation using functional test vectors is the most widely used form of processor verification. A major challenge in simulation-based verification is how to reduce the overall verification time and resources. Traditionally, billions of random and directed tests are used during simulation. Compared to random tests, directed tests can reduce overall validation effort significantly since shorter tests can obtain the same coverage goal. However, there is a lack of automated techniques for directed test generation targeting micro-architectural design errors. Furthermore, the lack of a comprehensive functional coverage metric makes it difficult to measure the verification progress. This dissertation presents a functional coverage-driven test generation methodology. Based on the behavior of pipelined processors, a functional coverage is defined to evaluate the verification progress. My research provides efficient test generation techniques using formal methods by decomposing processor designs and properties to reduce test generation time as well as memory requirement. My research also provides a functional test compaction technique to reduce the number of directed tests while preserving the overall functional coverage. The experiments using MIPS and PowerPC processors demonstrate the feasibility and usefulness of the proposed functional test generation methodology.

Verification is the process of ensuring that the intent of a design is preserved in its implementation. Functional verification (or validation

In modern microprocessor designs, functional verification is one of the major bottlenecks due to the combined effects of increasing design complexity and decreasing time-to-market. Design complexity of modern processors is increasing at an alarming rate to cope up with the required performance improvement for increasingly complex applications in the domains of communication, multimedia, networking and entertainment. To accommodate such faster computation requirements, today's processors employ many complicated micro-architectural features such as deep pipelines, dynamic scheduling, out-of-order and superscalar execution, and dynamic speculation. This trend again shows

[Figure 1-1: Pre-silicon logic bugs per generation]

an exponential increase in the number of logic bugs. For example, the number of logic bugs in designing Intel processors has grown at a rate of 300-400% from one generation to the next in Figure 1-1 [14, 103]. The increase in logic bugs is proportional to the increase in design complexity. The increase in design errors makes verification tasks more difficult. In addition to the growing difficulty of pipelined processor verification, time-to-market has become shorter in the embedded processor designs. A recent study has shown that functional verification accounts for significant portion (up to 70%) of the overall design development time and resources [44]. As a result, design verification of modern processors is widely acknowledged as a major bottleneck in design methodology.

Existing processor verification techniques adopt a combination of simulation-based validation techniques and formal verification methods. Simulation-based validation is the most widely used form of processor verification using test programs consisting of instruction sequences. A major challenge in simulation-based validation is how to reduce the overall validation time and resources. Traditionally, billions of random tests are used during simulation. Furthermore, the lack of a comprehensive functional coverage metric makes it difficult to measure the verification progress. To address these challenges, this dissertation presents a coverage-driven test generation methodology that is composed of

[25, 64] and simulation-based methods [20]. The trade-off between formal techniques and simulation-based methods is their capacity and completeness in verification. Formal verification techniques provide the completeness of verification task by proving mathematically the correctness of a design. However, they have difficulty in dealing with the large designs due to the state space explosion problem.

[102, 113], model checking [77, 80], SAT solving [30, 93], symbolic simulation [21, 72], and equivalence checking [73, 97] are typically used for formal verification of processor designs.

Simulation-based validation discovers design errors using test vectors consisting of input stimuli and expected outputs [3, 43, 94, 95]. Although simulation-based methods are able to handle complex processor designs, they cannot achieve the completeness of verification. For example, for microprocessor verification, all possible input instruction sequences are required in order to confirm the correctness of a given microprocessor design. But it is impossible to generate and simulate them in a reasonable time. Therefore, formal methods are more applicable to the verification of the small and critical components, whereas simulation-based methods are more advantageous in validation of a complicated design by sacrificing completeness of verification. Primarily due to this

[Figure 1-2: Simulation-based processor validation]

reason, simulation-based validation is the most widely used form of verifying modern complex processors.

The basic procedure in simulation-based processor validation consists of generating test programs, simulating a given processor design with the test programs, comparing the generated outputs with the expected results, and correcting design errors if the simulation outputs are different from the expected results (Figure 1-2). A major challenge in processor validation is how to reduce the overall validation time and resources. Since the test generation and simulation for all input test programs is infeasible, we need a method for deciding effective tests to achieve high confidence of the processor design. In addition, test generation techniques must be able to accommodate complex processor designs as well as produce tests in reasonable time. The main focus of this dissertation is the functional test program generation for validation of pipelined processors.

[2, 100], random and constrained-random test generation techniques at architecture (ISA) level are most widely used because test programs can be produced automatically and design errors can be uncovered early in the design cycle. However, a huge number of tests are required to achieve high confidence of the design correctness, and corner cases are easily missed. Furthermore, architectural test generation techniques have difficulty in activating micro-architectural target artifacts and pipeline functionalities since it is not possible to generate information regarding pipeline interactions or timing details using input ISA specification.

Compared to the random or constrained-random tests, the directed tests can reduce overall validation effort significantly since shorter tests can obtain the same functional coverage goal. However, there is a lack of automated techniques for directed test generation targeting micro-architectural faults. As a result, directed tests are typically hand-written by experts. Due to manual development, it is infeasible to generate all directed tests to achieve comprehensive coverage and this process is time consuming and error prone. Therefore, there is a need for automated directed test generation techniques based on micro-architectural functional coverage. Test generation using formal methods has been successfully used due to its capability of automatic test generation. However, the traditional test generation techniques are unsuitable for large designs due to the state explosion problem. To address these challenges, my research provides automated test generation techniques using decomposition of processor design and property to make the formal methods applicable in practice.

[Figure 1-3: Coverage-driven validation flow]

this degree of confidence and to qualify a test set. Therefore, it is hard to answer the question, "When is verification done?", due to difficulty in measuring verification progress and test effectiveness.

A traditional flow of coverage-driven validation begins by defining coverage metric, followed by test generation (Figure 1-3). A coverage metric provides a way to see what has not been verified and what tests should be added. Many coverage metrics have been proposed for different types of design errors (e.g., control flow, data flow) and at different design abstraction levels (e.g., behavioral, RTL, gate level). In coverage-driven test generation, tests are created to activate a target coverage point and it can effectively reduce the number of tests compared to the random test generation. Through simulation, the coverage is analyzed by examining whether target functionalities have been covered or not, thereby we can measure the validation progress. If coverage holes are found, additional tests are generated to exercise them. If higher degree of confidence is required, we can improve the coverage metric or make use of additional coverage measures. Verification engineers can change the scope or depth of coverage during the validation

Although directed tests require a smaller test set compared to random tests for the same functional coverage goal, the number of tests can still be extremely large. Therefore, there is a need for functional test compaction techniques. My research provides a functional test compaction technique to reduce the directed test set.

Figure 1-4 shows the overall flow of the proposed coverage-driven functional test generation methodology [66]. The first step is to create a processor model and a functional fault model from the processor architecture specification. Next, it generates a list of all possible functional faults based on the fault model and the processor model under validation. Test compaction is performed before test generation by eliminating the redundant faults for the given design constraints. One of the remaining faults is selected for test generation. A test program for this fault is produced automatically by formal verification methods, e.g., model checking. The fault is removed from the fault list. This

[Figure 1-4: Functional coverage-directed test generation methodology]

loop repeats until tests are generated for all the faults in the fault list. Functional test compaction is performed after this flow of test generation. It is important to note that two steps of compaction techniques are applied before and after test generation. This dissertation makes three major contributions: i) development of efficient fault models and a coverage metric for pipeline interaction functionalities, ii) novel test generation techniques using formal methods for modern complex processor designs, and iii) functional test compaction.

This dissertation presents a unified methodology for automated test generation using model checking and satisfiability (SAT) solving. To alleviate the state explosion problem in the existing model checking-based test generation, we have developed efficient test generation techniques that use design level as well as property level decompositions to reduce test generation time and memory requirement. This dissertation presents procedures for decomposing desired properties and processor model with an algorithm for constructing test programs from partial counterexamples. Compared to traditional model checking, SAT-based bounded model checking (BMC) is more efficient in generating counterexamples if there exists a counterexample within search bound. However, appropriate decision of the search space of tests is another challenging problem. This dissertation also provides a procedure for determining the bound in the presence of design and property decompositions. The dissertation shows the applicability of design and property decompositions in the context of traditional model checking and SAT-based BMC.

Development of a test compaction technique in the dissertation reduces the number of directed tests without loss of functional coverage in an effort to further reduce the overall validation effort. Even though the proposed test generation techniques require a much smaller test set than random tests, the volume of a directed test set still remains huge. Redundant properties are eliminated before test generation and test matrix reduction techniques are applied after test generation. The efficient test generation and compaction techniques in this dissertation will reduce the overall validation effort by several order of magnitude.

Coverage metrics are necessary to evaluate the progress of functional validation. Several coverage metrics are commonly used during functional validation such as code coverage, and state/transition coverage of abstract finite state machines (FSM). However, these coverage metrics do not have a direct relationship with the design functionality. For example, none of the existing coverage metrics determines if all possible interactions of stalls are tested in a pipelined processor. Therefore, we need a coverage metric based on the functionality of pipelined processors. In this chapter, a pipeline interaction fault model is defined using graph-based modeling of pipelined processors. The fault model is used for generating directed tests and defining the functional coverage to measure the validation progress by reporting the faults that are covered by a given set of test programs.

[1, 107]. A fault model should be able to represent high percentage of actual errors. Moreover, it should be as simple as possible to reduce complexity of test generation and coverage analysis. The fault model can be used to define coverage metrics. For example, stuck-at fault model and corresponding stuck-at fault coverage are used for manufacturing tests. This summarizes existing work on functional fault models and coverage metrics.

[23, 62]. Functional fault models are defined at a high abstraction level and functional faults correspond to incorrect execution of the functionalities against a given specification. For example, in validation of microprocessor designs, an instruction

[106]. Structural fault models are defined at the gate level where the design is described as a netlist of gates. Structural faults refer to incorrect interconnections in the netlist. The most well-known is the stuck-at-fault model in which faults are modeled by assigning a fixed logic state 0 or 1 to a circuit line. Switch level fault models are defined at the transistor level and faults are mainly modeled in analog circuit testing. For example, in stuck-open fault model, if a transistor is always non-conducting, it is considered to be stuck-open [111]. In addition, there are fault models that may not fall under any level of the design abstractions. The quiescent current (IDDQ) fault model, for example, does not fit in any of the design hierarchies but it can represent some physical defects which are not presented by any other model [26].

The fault model at the lowest level of abstraction provides the benefit of describing more accurate defects but the number of faults can be too huge to deal with them in practice. Therefore, it is necessary to develop fault models at higher level of abstraction in order to reduce the number of faults and corresponding tests as well as to detect errors at early design stages. However, due to the less accurate modeling, many faults at lower levels may remain undetected by the test set generated at higher levels. Therefore, there are two conflicting goals in fault modeling: high accuracy and low complexity.

[104] have presented an extensive survey on coverage metrics in simulation-based verification. Piziali [92] described a comprehensive study on functional

Table 2-1. Code coverage metrics

Line: Which lines have been executed
Statement/block: Which statements have been executed
Path/branch: Which control flows have been taken for if, for, etc
Event/trigger: Which event in the sensitivity list of a process has been triggered
Toggle: Which signals have transitioned from 0 to 1 and vice versa
Expression/condition: Which permutation of branch conditions have been executed

Table 2-1 shows various types of code coverage metrics. The code coverage analysis consists of determining a quantitative measure of code coverage as well as reporting the areas of a design description not exercised by a set of tests. This analysis is used to create additional test cases to improve the coverage.

Verification engineers choose coverage metrics based on the design stages and the cost of performing the coverage measurement. Code coverage metrics are often employed as the first step because they can be applied at relatively low cost in a systematic way. For example, in early design stages, the simple line coverage can provide a good overall assessment of the completeness of the validation. Code coverage does not indicate the correctness of the design description since it considers only possible errors in the structure and the logic of the code itself. In other words, code coverage is not a sufficient indicator of test quality or verification completeness because many functional errors can escape even with 100% code coverage. Furthermore, it does not conform to any specific fault model [105]. However, code coverage can provide minimum coverage requirement and its results can be used to identify corner cases.

Table 2-2. FSM coverage metrics

State: Which states of an FSM have been visited
Transition: Which transitions between neighboring states have been traversed
Path: Which routes through sequential states have been exercised

[27] can be categorized into state coverage, state transition coverage, and path coverage as described in Table 2-2. Although complete state or transition coverage does not imply that a design is verified exhaustively, they are very useful metrics because of their close correspondence to the behavior of the design. Transition coverage-based test program generation was applied to a PowerPC superscalar processor by Ur and Yadin [108]. FSM coverage-driven test generation have shown that it can detect many hard-to-find bugs in the design [13]. Since each path of the path coverage represents each possible combination of state transitions in the FSM, the FSM path coverage provides a complete representation of the design functionality. However, an intractable number of paths make it impractical to measure their coverage.

In contrast to the code coverage and the FSM coverage, the functional coverage is based on the functionality of the design, thereby it is specified by the desired behavior of the design. It determines that most of the important aspects [46].

[11] have presented analysis techniques for a cross-product functional coverage [51] by providing manual analysis techniques as well as fully automated coverage analysis. To extract useful information out of the coverage data, they described coverage queries that combine manual and automatic analysis and find holes that contain specific coverage events. In the cross-product coverage, the list of coverage events consists of all possible Cartesian products of the values for a given set of attributes. Based on the cross-product coverage, Ziv [116] has proposed functional coverage measurement with temporal properties-based assertions. Hole analysis for discovering large uncovered spaces for cross-product functional coverage model was presented by Lachish et al. [74]. The problem with the cross-product coverage is that the number of cross-product events is too large to enable fast analysis. In addition, it is necessary to distinguish legal events since not all attributes are independent thereby many of the cross-product events can never be executed.

Piziali [92] described other types of functional coverage models as collections of discrete events, trees, and hybrid models that combine trees and cross-product. Fournier et al. [46] have proposed the validation suite for the PowerPC architecture based on a set of combinational coverage models. Mishra and Dutt [85] have proposed a node/edge coverage of the graph model of pipelined processors to generate tests. Recently, Harris [53] has proposed a behavioral coverage metric which evaluates the validation of the interactions between processes.

Graph model of the MIPS processor

typical architecture manual. This section presents graph models for a MIPS processor and a PowerPC e500 processor.

[54]. Figure 2-1 shows the graph model of the processor that can issue up to four operations (an integer ALU operation, a floating-point addition operation, a multiply operation, and a divide operation). In the figure, rectangular boxes denote units, dashed rectangles are storages, bold edges are instruction-transfer (pipeline) edges, and dashed edges are data-transfer edges. A path from a root node (e.g., Fetch) to a leaf node (e.g., WriteBack) consisting of units and pipeline edges is called a pipeline path. For example, one of the pipeline paths is {Fetch, Decode, IALU, MEM, WriteBack}. A path from a unit to main memory or register file consisting of storages and data-transfer edges is called a data-transfer path. For example, {MEM, DataMemory, MainMemory} is a data-transfer path.

Instruction flow of the PowerPC e500 processor

2-2 shows a functional graph model of the four-wide superscalar commercial e500 processor based on the Power Architecture™ Technology [58] with seven pipeline stages. We have developed a processor model based on the micro-architectural structure, the instruction behavior, and the rules in each pipeline stage that determine when instructions can move to the next stage. The micro-architectural features in the processor model include pipelined and clock-accurate behaviors such as multiple issue for instruction parallelism, out-of-order execution and in-order-completion for dynamic scheduling, register renaming for removing false data dependency, reservation stations for avoiding stalls at Fetch and Decode pipeline stages, and data forwarding for early resolution of read-after-write (RAW) data dependency.

We first define the possible pipeline interactions based on the number of nodes in the graph model and the average number of activities in each node. For example, an IALU node can have four activities: operation execution, stall, exception, and no operation (NOP). In general, the number of activities for a node will be different based on what activity we would like to test. For example, execution of ADD and SUB operations can be treated as the same activity because they go through the same pipeline path. Separation of them into different activities will refine the functional tests but increase the test generation complexity. Furthermore, the number of activities varies for different nodes. Considering a graph model with $n$ nodes where each node can have on average $r$ activities, a total of $r(1 - r^n)/(1 - r)$ properties are required to verify all interactions. The basic idea of the proof is that if we consider no interactions, there are $(n \times r)$ test programs necessary. In the presence of one interaction we need $({}^nC_2 \times r^2)$ test programs for possible combination of two nodes. ${}^nC_i$ denotes the ways of choosing $i$ nodes from $n$ nodes. Based on this model, the total number of interactions will be:

Although the total number of interactions can be extremely large, in reality the number of simultaneous interactions can be small and many other realistic assumptions

The node interaction describes a snapshot behavior of a pipelined processor at a given time, whereas the transition interaction captures the temporal behavior of the processor. Comparing to FSM coverage, the node interaction faults and transition interaction faults correspond to FSM state faults and FSM state transition faults. In the presence of a fault, unexpected values will be written to the primary output such as data memory or register file, or the test program will finish at incorrect clock cycle during simulation.

Using these pipeline interaction fault models, we define a functional coverage metric with the consideration of the following cases:

The functional coverage (FC) is defined as follows:

$$FC = \frac{\text{the number of faults detected by the test programs}}{\text{total number of detectable faults in the fault model}} \qquad (2\text{-}2)$$

A significant bottleneck in processor validation is the lack of automated tools and techniques for directed test generation. Model checking-based test generation has been introduced as a promising approach for pipelined processor validation due to its capability of automatic test generation. However, traditional approaches are unsuitable for large designs due to the state explosion problem in model checking. We propose an efficient test generation technique using both design and property decompositions to enable model checking-based test generation for complex designs.

Figure 3-1. Test generation methodology using design and property decompositions

Figure 3-1 shows our functional test program generation methodology. The processor model can be generated from the architecture specification or can be developed by the designers. The properties can be generated from the specification based on a functional coverage such as graph coverage or pipeline interaction coverage. Additional properties can be added based on interesting scenarios using combined pipeline stage rules and corner cases. For efficient test generation, we decompose the properties as well as the processor model. Model checker and SAT solver are used to generate partial counterexamples for

The proposed methodology makes three important contributions: i) it develops a procedure for decomposing a temporal logic property into multiple smaller properties, ii) it presents an algorithm for merging the counterexamples generated by decomposed properties, and iii) it develops an integrated framework to support both design and property decompositions for efficient test generation of pipelined processors.

[35]. The model is often derived from a hardware or software design and the specification is typically described as temporal logic properties. Model checking also provides an automated way of verification compared to other verification methods such as theorem proving. Due to the ability of finding even subtle design errors, model checking technique has been successfully applied to many real system designs and it has become an integral part of industrial design cycle. The verification procedure of model checking consists of formal modeling of a design, creating formal properties, and proving or disproving by exploring the entire computation space of the model exhaustively.

A design is modeled as a state transition graph, called a Kripke structure [71], which is a four-tuple model $M = (S, S_0, R, L)$. $S$ is a finite set of states. $S_0$ is a set of initial states, where $S_0 \subseteq S$. $R: S \rightarrow S$ is a transition relation between states, where for every state $s \in S$, there is a state $s' \in S$ such that the state transition $(s, s') \in R$. $L: S \rightarrow 2^{AP}$ is the labeling function to mark each state with a set of atomic propositions ($AP$) that hold in that state. A path in the structure, $\pi \in M$ from a state $s$, is a computation of the implementation which is an infinite sequence of states and transitions, $\pi = s_0 s_1 s_2 \ldots$ such that $s_0 = s$ and $R(s_i, s_{i+1})$ holds for all $i \geq 0$. Temporal behavior of the implementation is the computation represented by a set of paths in the structure. Properties are expressed

1. 2. 3. 4.

For example, the property $G(req \rightarrow F(ack))$ describes that if req is asserted then the design must eventually reach a state where ack is asserted.

Given a formal model $M = (S, S_0, R, L)$ of a design and a propositional temporal logic property $p$, the model checking problem is to find a set of all states in $S$ that satisfy $p$, $\{s \in S \mid M, s \models p\}$. If all initial states are in the set, the design satisfies the property. If the property does not hold for the design, a trace from the error state to an initial state is given as a counterexample that helps designers debug the error. To achieve complete confidence of correctness of the design, the specification

Due to the high complexity of realistic designs, the number of states of the design can be very large and the explicit traversal of the state space becomes infeasible, known as the state explosion problem. To alleviate this problem, symbolic model checking [22, 80] represents the finite state machine of the design in the form of binary decision diagrams

[19], a canonical form for boolean expression. More than $10^{20}$ states can be handled by BDD-based model checkers. More recently, SAT solvers have been applied to bounded model checking [15, 16]. The basic idea behind SAT-based bounded model checking is to consider counterexamples of a particular length and produce a propositional formula that is satisfiable if such a counterexample exists. This technique can not only generate counterexamples much faster of minimal length but also handle larger number of states of the design compared to traditional symbolic model checking.

Despite the success of symbolic model checking, the state explosion problem is still challenging in applying to large designs of industrial strength. To reduce the number of states of the design model, a lot of techniques have been proposed such as symmetry reductions [31, 42, 82, 101], partial order reductions [5, 6, 12, 49, 91], and abstraction techniques [9, 10, 32, 36, 39, 61, 76]. Among these techniques, combining model checking with abstraction has been successfully applied to verify a pipeline ALU circuit with more than $10^{1300}$ reachable states [33]. The proposed test generation approaches in this dissertation fit in the abstraction techniques in that the components of the original design model that are irrelevant to a given property are removed through the decomposition of design and property under consideration.

Figure 3-2. Test generation using model checking

3-2 shows a basic test generation framework using model checking. In this scenario, a processor model is described in a temporal specification language and a desired behavior is expressed in the form of temporal logic property. A model checker exhaustively searches all reachable states of the model to check if the property holds (verification) or not (falsification), which is called unbounded model checking. If the model checker finds any reachable state that does not satisfy the property, it produces a counterexample. This falsification can be quite effectively exploited for test generation. Instead of a desired property, its negated version is applied to the model checker to produce a counterexample. The counterexample contains a sequence of instructions from an initial state to a state where the negated version of the property fails.

Figure 3-3. Specification-driven test generation using model checking

Specification-driven test generation using model checking has shown promising results [86]. It can generate test programs at early design stage without any low-level implementation knowledge. Figure 3-3 shows a specification-driven test program generation scenario. A designer starts by specifying the processor architecture in an Architecture Description Language (ADL) that is used to capture both the structure and the behavior of the processor. A processor model is generated from the ADL specification. Various properties (desired behaviors) are generated from the high level microarchitectural

However, the time and memory required for test generation are prohibitively large. Furthermore, this method cannot be used for test generation of complex pipelined processors due to the state explosion problem. This dissertation presents an efficient test generation technique to reduce both test generation time and memory requirement for complex processors. The proposed test generation approach reduces the search space of counterexamples by decomposing design specification and properties [67, 69] and restricting the length of counterexamples [68, 87].

[2], used for functional verification of IBM processors, combines architecture and testing knowledge for efficient test generation. In Piparazzi [2], a model of micro-architectural processor and the user's specification are converted into a Constraint Satisfaction Problem (CSP) and the dedicated CSP solver is used to construct an actual test program. Many techniques have been proposed for directed test program generation based on an instruction tree traversal [4], micro-architectural coverage [70, 108], and functional coverage using Bayesian Networks [44]. Recently, Gluska [48] described the need for coverage directed test generation in coverage-oriented verification of the Intel Merom microprocessor.

Several formal model-based test generation techniques have been developed for validation of pipelined processors. In FSM-based test generation, FSM coverage is used to generate test programs based on reachable states and state transitions [24, 56, 59, 65]. Since complicated micro-architectural mechanisms in modern processor designs include interactions among many pipeline stages and buffers, the FSM-based

[109] have presented an FSM model partitioning technique based on micro-architectural pipeline storage buffers. Similarly, Shen and Abraham [99] have proposed an RTL abstraction technique that creates an abstract FSM model while preserving clock accurate behaviors. Wagner et al. [112] have presented a Markov model driven random test generator with activity monitors that provides assistance in locating hard-to-find corner case design bugs and performance problems.

Model checking [35] has been successfully used in processor verification for proving properties. Ho et al. [55] extract controlled token nets from a logic design to perform efficient model checking. Jacobi [60] used a methodology to verify out-of-order pipelines by combining model checking for the verification of the pipeline control, and theorem proving for the verification of the pipeline functionality. Compositional model checking is used to verify a processor microarchitecture containing most of the features of a modern microprocessor [63]. Parthasarathy et al. [90] have presented a safety property verification framework using sequential SAT and bounded model checking. Model checking based techniques are also used in the context of falsification by generating counterexamples. Clarke et al. [34] have presented an efficient algorithm for generation of counterexamples and witnesses in symbolic model checking. Bjesse et al. [17] have used counterexample guided abstraction refinement to find complex bugs. Automatic test generation techniques using model checking have been proposed in software [47] as well as in hardware validation [83]. However, traditional model checking based techniques do not scale well due to the state space explosion problem. To reduce the test generation time and memory requirement, Mishra and Dutt [84, 85] have proposed a design decomposition technique at the module level when the original property contains variables for only a single module. However, their technique does not handle properties that have variables from multiple modules. Such properties are common in test generation. Our framework allows such

4. The processor model, the negated version of the property, and the required bound are applied to our decompositional model checking framework to generate a test program for the property.

The algorithm iterates over all the interaction faults based on the functional coverage and corner cases. The processor model as well as the properties can be generated from the specification. Section 2.2 describes a graph-based modeling of pipelined processors. The property generation based on pipeline interaction coverage is described in Section 3.4.1. The design and property decomposition techniques are described in Section 3.4.2 and Section 3.4.3 respectively. Section 4.3.1 presents a technique to determine a bound for finding counterexamples for a given property. The proposed approach in this chapter uses unbounded model checking to generate partial counterexamples for the partitioned modules and properties.

Integration of these partial counterexamples is a major challenge due to the fact that the relationships among decomposed modules and sub-properties may not be preserved at the top level. We propose a time step-based integration of partial counterexamples to construct the final test program. Section 3.4.4 presents the proposed test generation technique based on decompositional model checking. Section 3.4.5 presents our conflict resolution technique during merging of partial counterexamples.

Design and property decomposition scenarios

Design   Property   Comments
0        0          Traditional model checking
0        1          Merging of counterexamples is not always possible
1        0          Similar to traditional model checking
1        1          Our approach, both property and design decompositions

0: Original; 1: Decomposed/partitioned.

It is important to note that the property and design decompositions are not independent. Table 3-1 shows four possible scenarios of design and property decompositions. The first scenario indicates traditional model checking where original property is applied to the whole design. The second case implies that the decomposed properties are applied to the whole design. In certain applications this may improve overall model checking efficiency. However, in general this procedure is not applicable since merging of counterexamples may not generate the expected result. For example, two sub-properties may generate counterexamples to stall the respective units in a pipelined processor but the combined test program may not simultaneously stall both the units. The third scenario

2.3 are expressed in linear temporal logic (LTL) [35] where each property consists of temporal operators (G, F, X, U) and Boolean connectives ($\wedge$, $\vee$, $\neg$, and $\rightarrow$). We generate a property for each pipeline interaction from the specification. Since pipeline interactions at a given cycle are semantically explicit and our processor model is organized as structure-oriented modules, pipeline interactions can be converted in the form of a property such as $F(p_1 \wedge p_2 \wedge \ldots \wedge p_n)$ that combines activities $p_i$ over $n$ modules using logical AND operator. The atomic proposition $p_i$ is a functional activity at a node $i$ such as operation execution, stall, exception or NOP. The property is true when all the $p_i$'s ($i = 1$ to $n$) hold at some time step. Since we are interested in counterexample generation, we need to generate the negation of the property first. The negation of the properties can be expressed as:

For example, the negation of $F(p_1 \wedge p_2 \wedge \ldots \wedge p_n)$, interaction fault, can be described as $G(\neg p_1 \vee \neg p_2 \vee \ldots \vee \neg p_n)$ whose counterexamples will satisfy the original property. In the following section, we describe how to decompose these properties (already negated) for efficient test generation using model checking.

(3-2)

The property $F(p \wedge q)$ is true when both $p$ and $q$ hold at the same time step. But $F(p) \wedge F(q)$ is true even when $p$ and $q$ hold at different time steps. Therefore, $F(p \wedge q) \neq F(p) \wedge F(q)$. However, we can use $F(p)$ and $F(q)$ for test generation to activate the property $F(p \wedge q)$ based on Lemma 4.

The property $G(p \vee q)$ is true when either $p$ or $q$ holds at every time step. But $G(p) \vee G(q)$ is true either when $p$ holds at every time step, or when $q$ holds at every time step. Therefore, $G(p \vee q) \neq G(p) \vee G(q)$. In this case, the counterexamples of the decomposed properties $G(p)$ and $G(q)$ cannot directly be used to generate a counterexample of $G(p) \vee G(q)$ since $G(p) \vee G(q) \rightarrow G(p \vee q)$, that is, $(C_{G(p)} \cap C_{G(q)}) \supseteq C_{G(p \vee q)}$. In other words, not all common counterexamples of $G(p)$ and $G(q)$ can be used as a counterexample of $G(p \vee q)$. Furthermore, it is hard to know whether the common counterexamples of $G(p)$ and $G(q)$ belong to $C_{G(p \vee q)}$. To address this problem, this dissertation proposes a scheme of introducing the notion of clock that allows the decomposed properties to produce a counterexample of $G(p \vee q)$ as described in Lemma 5.

For example, Figure 3-4 describes a Kripke structure [35] with four states $s_0$, $s_1$, $s_2$, and $s_3$, where $s_0$ is the only initial state. The structure has three transitions: $(s_0, s_1)$, $(s_0, s_2)$, $(s_0, s_3)$, and self-loop in each state. There are two local variables $p$ for module 1 and $q$ for module 2: $p$ holds on states $\{s_0, s_1\}$ and $q$ holds on states $\{s_0, s_2\}$. Assuming the original property is $F(p = 0 \wedge q = 0)$, a specific time step is introduced $F(clk = ts \wedge p = 0 \wedge q = 0)$

An example of Kripke structure model

Based on Lemma 5, the interaction fault $G(\neg p_1 \vee \neg p_2 \vee \ldots \vee \neg p_n)$ is converted into $G((clk \neq ts) \vee \neg p_1 \vee \neg p_2 \vee \ldots \vee \neg p_n)$. The decomposed properties $G((clk \neq ts) \vee \neg p_1)$, $G((clk \neq ts) \vee \neg p_2)$, ..., $G((clk \neq ts) \vee \neg p_n)$ are repeatedly applied to the model checker until a common counterexample is found among them as described in Section 3.4.4. The counterexample is one of the interactions that satisfies the property $F((clk = ts) \wedge p_1 \wedge p_2 \wedge \ldots \wedge p_n)$. In this decomposition scenario, the time step ($ts$)
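The following Python sketch is an added illustration, not code from the dissertation. It enumerates bounded path prefixes of the Kripke structure described for Figure 3-4 and compares the counterexample sets of the decomposed properties with and without the clock; the same sets are the witnesses of $F(p = 0 \wedge q = 0)$, so it also covers the $F(p \wedge q)$ case above. The clock starting at 0 in the initial state, the bound, and the extra edge $(s_1, s_2)$ used to expose the untimed gap are assumptions made for the example.

```python
# Added illustration (not the dissertation's code): explicit-state check of the
# clocked property decomposition on the structure described for Figure 3-4.


def make_kripke(extra_edges=()):
    """Figure 3-4 as described in the text; extra_edges is a constructed variation."""
    edges = {"s0": {"s0", "s1", "s2", "s3"}, "s1": {"s1"}, "s2": {"s2"}, "s3": {"s3"}}
    for src, dst in extra_edges:
        edges[src].add(dst)
    # p holds on {s0, s1}; q holds on {s0, s2}
    labels = {"s0": {"p", "q"}, "s1": {"p"}, "s2": {"q"}, "s3": set()}
    return {"init": ["s0"], "edges": edges, "labels": labels}


def paths(k, bound):
    """All path prefixes s_0 .. s_bound that start in an initial state."""
    frontier = [(s,) for s in k["init"]]
    for _ in range(bound):
        frontier = [pa + (n,) for pa in frontier for n in sorted(k["edges"][pa[-1]])]
    return frontier


def none_hold(k, state, props):
    """True when no proposition of the disjunction props holds in state."""
    return not (k["labels"][state] & set(props))


def cex_G(k, bound, props):
    """Prefixes falsifying G(p1 | p2 | ...): some state satisfies none of props."""
    return {pa for pa in paths(k, bound) if any(none_hold(k, s, props) for s in pa)}


def cex_G_clocked(k, bound, ts, props):
    """Prefixes falsifying G(clk != ts | p1 | ...): the state at step ts satisfies none."""
    return {pa for pa in paths(k, bound) if none_hold(k, pa[ts], props)}


def untimed_gap(k, bound):
    """Common counterexamples of G(p) and G(q) that do NOT falsify G(p | q)."""
    common = cex_G(k, bound, ["p"]) & cex_G(k, bound, ["q"])
    return common - cex_G(k, bound, ["p", "q"])


def clocked_merge(k, bound, ts):
    """Common counterexamples of the two clocked sub-properties for time step ts."""
    return cex_G_clocked(k, bound, ts, ["p"]) & cex_G_clocked(k, bound, ts, ["q"])


def first_test(k, bound):
    """Smallest ts with a common counterexample, i.e. a witness of
    F(clk = ts & p = 0 & q = 0), together with one such path."""
    for ts in range(bound + 1):
        merged = clocked_merge(k, bound, ts)
        if merged:
            return ts, sorted(merged)[0]
    return None


if __name__ == "__main__":
    figure = make_kripke()
    variant = make_kripke(extra_edges=[("s1", "s2")])  # constructed, not in the thesis
    print("untimed gap, Figure 3-4:", sorted(untimed_gap(figure, 3)))
    print("untimed gap, variant   :", sorted(untimed_gap(variant, 3)))
    print("first clocked test     :", first_test(variant, 3))
```

In the variant, a path such as s0 s1 s2 falsifies G(p) and G(q) at different steps without ever reaching a state where both are 0, which is the case the clock rules out.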

[8], deciding bound is a challenging problem since the depth of counterexamples is unknown in most cases. Section 4.3.1 describes a way of deciding the bound ($ts$) that enables test generation using SAT-based bounded model checking.

For certain properties such as $p\,U\,q$, $F(p \rightarrow F(q))$, $F(p \rightarrow G(q))$, $G(p \rightarrow G(q))$, or $G(p \rightarrow F(q))$, decompositions are not beneficial compared to traditional model checking because it is very difficult to decide a specific time step between their decomposed properties. Although many property decompositions are not possible, it is important to note that the scenarios described in this section are sufficient to generate the test programs in the context of pipeline interactions. In addition to these interaction properties, many micro-architectural properties have been created that are based on real experiences of industrial designers for test generation of an e500 processor.

An important consideration during property decomposition is how to specify/handle the different types of variables in the property. In general, the properties are described as pairs of module names and variable names. An interaction fault property $p_i$ can be either a local variable in a single module or a global variable over multiple modules. If $p_i$ is a local variable, it is converted into $(m_i.p_i)$ where $m_i$ is the corresponding module. If $p_i$ is a global variable, $p_i$ is decomposed into sub-properties of corresponding modules. For example, for the property $G(\neg p_1 \vee \neg p_2)$, if $p_1$ is an interface variable between $m_1$ and $m_2$, then the property is converted as $G(\neg m_1.p_1 \vee (\neg m_2.p_1 \vee \neg m_2.p_2))$. Decomposition of global variables is based on the decomposed modules of a processor model and their interfaces.

2.2. In other

It is important to note that the design decomposition is dependent on the property decomposition. The pipelined processor can be simply partitioned into functional modules. However, we need to change the partitioning policy based on the properties, because some properties are hard to decompose at the module level when they are spread across multiple modules or are in complicated forms such as $p\,U\,q$, $F(p \rightarrow G(q))$, $G(p \rightarrow F(q))$, and so on. For example, a property may not be decomposable based on a module level partitioning but it may be decomposable based on a pipeline path level partitioning.

We consider three partitioning techniques: module-level, path-level and stage-level partitioning. Module (or node) level partitioning gives the lowest level of granularity in the graph model in Figure 2-1. The integer-ALU pipeline path {Fetch, Decode, IALU, MEM, WriteBack} is treated as one of the path level partitions. Similarly, the multiplier path, the floating-point adder path, and the divider path are the other examples of path level partitioning for the MIPS processor in Figure 2-1. Stage-level partitioning is determined by the distance from the root node (e.g., Fetch). In general, various forms of design and property partitioning are possible and different graph clustering algorithms can be used to find different design partitions for a given property decomposition. Section 3.4.4 describes two design partitioning techniques using illustrative examples.

                inputs
                for each applicable parent node M_r of M_k
                    outR_r = Extract output requirements for M_r from inpR_k
                    NextList[r] = NextList[r] ∪ outR_r
                    AllList[clk][r] = AllList[clk][r] ∪ outR_r
                endfor
            else
                PrimaryInputs = PrimaryInputs ∪ inpR_k
            endif
            if TaskList is empty
                clk = clk − 1; TaskList = NextList; NextList = ∅
            endif
        endwhile
        if clk = 0 and TaskList is not empty
            Report(bound_i is too small); test_i = ∅
        endif
        else test_i = ExtractInstructions(PrimaryInputs)
        return test_i
    End

3.4.2. Similarly, the design is decomposed based on the property decomposition and the techniques described in Section 3.4.3. This algorithm uses three lists to maintain the decomposed properties: TaskList for the present clock cycle $clk$, NextList for the next cycle i.e., $clk - 1$, and AllList for all properties. Each entry in the TaskList and the NextList contain a collection of sub-properties that are applicable to corresponding design partitions. Therefore, each list can have up to $n$ entries where $n$ is the number of design partitions in the processor model. The tasks in the TaskList need to be performed in the current time step ($clk$). The tasks in the NextList will be performed in the next time step ($clk - 1$). AllList contains all the entries of TaskList for each time step. This information is used to resolve the conflict among sub-properties as described in Section 3.4.5. Initially these lists are empty.

The proposed algorithm generates one test program for each property set $DP_i$ that consists of one or more sub-properties based on their applicability to different modules or partitions in the design as discussed in Section 3.4.1. The algorithm adds the sub-properties in the TaskList and AllList based on the partitions to which these properties are applicable. The algorithm iterates over all the sub-properties in the TaskList. It removes an entry (say $k$-th location) from the TaskList which is the output requirement $outR_k$ of $k$-th partition. In general, this entry can be a list of sub-properties (due to simultaneous output requirements from multiple children nodes) that need to be applied to partition $M_k$. These sub-properties are composed to create the intermediate property $P_i^k$ using MergeRequirements procedure described in Section 3.4.5. After negation of $P_i^k$, the property

For illustration, consider a simple property $P_1$ to verify a multiple execution scenario consisting of IALU (3rd module) and DIV (15th module) nodes in Figure 2-1 at clock cycle 5. We assume the module level partitioning of the design for this example. The property can be decomposed into two sub-properties $P_1^3$ (IALU not stalled in cycle 5) and $P_1^{15}$ (DIV not stalled in cycle 5). This implies that TaskList will have two entries before entering the while loop: TaskList[3] = $P_1^3$ and TaskList[15] = $P_1^{15}$. At the first iteration of the while loop $P_1^3$ will be applied to $M_3$ (IALU) using model checker; generated counterexample will be analyzed to find the output requirement for the Decode unit (2nd module in Figure 2-1) in clock cycle 4; and the requirement will be added to NextList[2]. During second iteration of the while loop $P_1^{15}$ (TaskList[15]) will be applied to $M_{15}$ (DIV); generated counterexample will be analyzed to find the output requirement for the Decode unit in clock cycle 4; and the requirement will be added to NextList[2]. At this point, the TaskList is empty and the NextList has only one

Consider a multiple exception scenario at clock cycle 7 consisting of an overflow exception in IALU, divide by zero exception in DIV unit, and a memory exception in the MEM unit. The desired property P is shown as below:

        & (DIV.exception=1))
        | (DIV.exception~=1))
    P2: G((clk~=7) | (IALU.exception~=1))
    P3: G((clk~=7) | (DIV.exception~=1))

    P23': G((clk~=6) | (decOp[0].opcode~=ADD) | (decOp[0].src1Val~=2) |
            (decOp[0].src2Val~=2) | (decOp[3].opcode~=DIV) |
            (decOp[3].src2Val~=0))

    Cycle  [0]            [1]  [2]  [3]            // R0 is 0
    1      ADDI R2 R0 #2  NOP  NOP  NOP            // R2 = 2
    2      NOP            NOP  NOP  NOP
    3      NOP            NOP  NOP  NOP
    4      LD R1 0(R0)    NOP  NOP  NOP
    5      ADD R3 R2 R2   NOP  NOP  DIV R3 R0 R0

The example shown above assumes a module-level partitioning of the processor model. However, it is not always possible to decompose a property based on module level partitioning. For example, if we are trying to determine whether two feedback

3.4.5

2-1 are activated at the same time, it is not possible to decompose this property at module level because the "implication" relation between feedOut and feedIn (in the following property) will be lost.

To enable property decomposition in this example, we need to partition the design differently. The floating-point adder path (FADD1 to FADD4) should be treated as a design partition Fpath. Similarly, the multiplier path (MUL1 to MUL7) should be treated as another partition Mpath. This new partitioning is applied for test generation. First, P1 and P2 can be applied on Fpath and Mpath respectively to generate counterexamples C1 and C2. Next, C1 and C2 are combined and the corresponding property is applied to the Decode unit to generate the counterexample C3. Next, the property corresponding to C3 is applied to the Fetch unit that generates the primary input requirements. Finally, these primary input requirements are converted into the required test program. The property decomposition procedure is shown below.

    P: F((clk=9) & (FADD4.feedOut -> X(FADD1.feedIn))
                 & (MUL7.feedOut -> X(MUL1.feedIn)))
    /* Converted Property */
    P: F(((clk=9 & FADD4.feedOut) & (clk=10 & FADD1.feedIn))
         & ((clk=9 & MUL7.feedOut) & (clk=10 & MUL1.feedIn)))
    /* Property after Negation */
    P': G(((clk~=9 | ~FADD4.feedOut) | (clk~=10 | ~FADD1.feedIn))
          | ((clk~=9 | ~MUL7.feedOut) | (clk~=10 | ~MUL1.feedIn)))
    /* Properties after Decomposition */
    P1: G((clk~=9 | ~FADD4.feedOut) | (clk~=10 | ~FADD1.feedIn))
    P2: G((clk~=9 | ~MUL7.feedOut) | (clk~=10 | ~MUL1.feedIn))
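The time step-based merging used in the IALU/DIV walk-through and in the path-level example above can be traced with the following Python sketch. It is an added illustration, not the dissertation's implementation: brute-force search over a module's input domain stands in for the model checker, and the four-module pipeline, its one-cycle latencies and its signal names are constructed for the example. It detects, but does not resolve, an output requirement conflict, so AllList is omitted.

```python
# Added illustration, not the dissertation's implementation. Exhaustive search
# over each module's tiny input domain stands in for the model checker, and the
# pipeline below (modules, signals, one-cycle latency) is constructed.
from itertools import product

NOP, ADD, DIV = "NOP", "ADD", "DIV"
OPS = [NOP, ADD, DIV]


def decode(slot0, slot1):
    """Constructed Decode rule: dispatch an ADD to IALU and a DIV to the divider."""
    slots = (slot0, slot1)
    return {"ialu_op": ADD if ADD in slots else NOP,
            "div_op": DIV if DIV in slots else NOP}


# module name -> (parent module, input domains, function from inputs to outputs)
MODULES = {
    "Fetch": (None, {"bundle": list(product(OPS, repeat=2))},
              lambda bundle: {"slot0": bundle[0], "slot1": bundle[1]}),
    "Decode": ("Fetch", {"slot0": OPS, "slot1": OPS}, decode),
    "IALU": ("Decode", {"ialu_op": [NOP, ADD]},
             lambda ialu_op: {"ialu_busy": ialu_op != NOP}),
    "DIV": ("Decode", {"div_op": [NOP, DIV]},
            lambda div_op: {"div_busy": div_op != NOP}),
}


def check_module(name, out_req):
    """Partial counterexample for one partition: an input assignment whose outputs
    meet out_req, or None when the requirement cannot be activated."""
    _, domains, func = MODULES[name]
    names = sorted(domains)
    for values in product(*(domains[n] for n in names)):
        inputs = dict(zip(names, values))
        outputs = func(**inputs)
        if all(outputs[var] == val for var, val in out_req.items()):
            return inputs
    return None


def merge_requirements(existing, new):
    """Union of requirements on one parent; two values for one variable conflict."""
    merged = dict(existing)
    for var, val in new.items():
        if merged.setdefault(var, val) != val:
            raise ValueError(f"output requirement conflict on {var}")
    return merged


def generate_test(sub_properties, ts):
    """sub_properties: {module: required outputs at clock ts}.
    Returns {cycle: primary inputs}, or None if no test exists within the bound."""
    task_list, next_list = dict(sub_properties), {}
    primary_inputs, clk = {}, ts
    while task_list and clk > 0:
        while task_list:                       # all tasks of the current time step
            name, out_req = task_list.popitem()
            inp_req = check_module(name, out_req)
            if inp_req is None:
                return None
            parent = MODULES[name][0]
            if parent is None:                 # root module: inputs are primary inputs
                primary_inputs[clk - 1] = inp_req
            else:                              # becomes the parent's task at clk - 1
                next_list[parent] = merge_requirements(next_list.get(parent, {}), inp_req)
        clk, task_list, next_list = clk - 1, next_list, {}
    if task_list:                              # clk reached 0 with work left
        return None                            # bound too small
    return primary_inputs


def as_program(primary_inputs, ts):
    """Expand the primary inputs into one fetch bundle per cycle, NOP-filled."""
    return [primary_inputs.get(c, {"bundle": (NOP, NOP)})["bundle"] for c in range(ts)]


if __name__ == "__main__":
    both_busy = {"IALU": {"ialu_busy": True}, "DIV": {"div_busy": True}}
    print(as_program(generate_test(both_busy, 5), 5))
    print(generate_test(both_busy, 2))  # None: bound too small for three stages
```

Both sub-properties place requirements on Decode at clk 4, which are merged into a single task before Decode is searched; that merged task is what forces the dual-issue bundle at the primary inputs.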

2-2, four reservation station (RS) modules share the parent module Issue. Counterexamples (input requirements of each RS) generated from four RSs at the time step $ts + 1$ should be combined for creating the output property of Issue module at $clk = ts$. However, they can require different output values for the same variable of the module Issue.

In case of output requirement conflict, the algorithm adjusts input requirements of the children nodes by excluding the current input requirement, called false requirement. For example, assume that output variables of the parent are $p$ and $q$, the input requirement of one child is $(p = 1 \wedge q = 0)$ that is generated by $G((clk \neq (ts+1)) \vee \neg(m_1.p = 1))$ at module 1, and the input requirement of the other child is $(p = 0 \wedge q = 1)$ that is generated by $G((clk \neq (ts+1)) \vee \neg(m_2.q = 1))$ at module 2. Obviously, there is no way to assign output $p$ and $q$ to satisfy these two conflicting inputs. We refine the sub-properties of children nodes to resolve the conflict requirements by excluding the false requirement. The desired sub-properties stored in AllList[ts+1] for children nodes are modified by adding the negated version of the conflict requirement as shown below:

To generate the input requirements of the module 1, the above properties are negated as shown below:

These sub-properties do not allow the counterexample $(p = 1 \wedge q = 0)$ anymore. The generated counterexample will be $(p = 1 \wedge q = 1)$ as the input requirements of module 1 and module 2. As a result, we can merge them into the output requirement of the parent node as $(p = 1 \wedge q = 1)$ at $clk = ts$. If there is an interface variable $r$ between the parent and its child module 2, it does not cause the output requirement conflict of the parent node since the input requirement of module 1 does not care about the variable $r$. If there is another child node module 3 that has the interface variables $p$ and $r$, we need to adjust three input requirements of module 1, module 2, and module 3 to resolve any conflict among them. It is possible that there are no common variable assignments for shared input variables among children nodes since their output requirements may be generated from false input requirements from the subsequent stages (grandchildren nodes). In this case, we need to refine the sub-properties of grandchildren nodes stored in AllList[ts+2]. The procedure of sub-property refinement continues until the conflict is resolved or $clk$ is equal to $bound_i$ which is upper bound to search for a test program.

[54] and a superscalar commercial e500 processor [58]. Various test generation experiments were performed for validating the pipeline interactions by varying different design partitions and property decompositions. This section presents experimental results in terms of time and memory requirement in test generation.

2-1. SMV [79] model checker has been used to perform all the experiments. A few simplifications were needed to the MIPS processor to compare with two other approaches: i) naive approach where the original

[84]. For example, if 32 32-bit registers are used in the register file, the naive approach cannot produce any counterexample even for a simple property with no pipeline interaction due to memory depletion during model checking. We used eight 2-bit registers for the following experiments to ensure that the naive approach can generate counterexamples. All the experiments were run on a 1 GHz Sun UltraSparc with 8G RAM.

Table 3-2. Comparison of test generation techniques

Module          Naive approach    Existing approach    Our approach
interactions    BDD     Time      BDD     Time         BDD     Time
None            6M      165       3K      0.06         3K      0.06
Two modules     11M     215       NA      NA           6K      0.12
Three modules   21M     240       NA      NA           9K      0.19
Four modules    27M     290       NA      NA           11K     0.28

NA: Not applicable.

Table 3-2 presents the results of the comparison of test generation techniques. The first column defines the type of properties used for test generation. For example, "None" implies properties applicable to only one module; "Two Modules" implies properties that include two module interactions and so on. Each row presents the average values for the BDD nodes (memory requirement) used as well as test generation time (in seconds) for one property. For example, the first row presents the average time and memory requirement for 68 ($n = 17$, $r = 4$, and $i = 1$ in Eq. 2-1) single module properties. The naive approach takes several orders of magnitude more memory and test generation time. The existing approach is only applicable to the first row since it cannot handle multiple simultaneous properties or property decompositions. As mentioned earlier, the naive approach cannot finish in majority of the cases when more registers are used. As a result we used only 8 2-bit registers. In spite of this simplification, naive approach takes several orders of magnitude more memory and test generation time.

3-3 shows a subset of the directed test cases, their corresponding length in terms of number of instructions, and test generation time. For example, the test program for case 11 validates the feature of Completion Queue (CQ) by piling data up and down in the first-in-first-out (FIFO) queue. Test programs for cases 3 through 6 exercise operand read from four different resources as shown in Figure 3-5, which can be generated at micro-architecture level but are very difficult at ISA level. In terms of efficiency, only several seconds were spent on test generation except for the case 11 where test generation took few minutes. The test cases 13-18 show various interaction scenarios. For example, test case 13 only activates one node whereas test case 15 considers three node interactions at the same clock cycle.

Various test cases generated by our framework

    Test cases                                                Test length  Time
 1  Instruction dual issue                                    15           30
 2  Renaming src1 operand                                     12           25
 3  Read operand from forwarding path (RAW)                   9            20
 4  Reservation station reads operand from forwarding path    7            15
 5  Read operand from renaming reg. (RAW)                     10           20
 6  Read operand from GPR (RAW)                               11           25
 7  Renaming for WAW (no stall)                               8            20
 8  Stall at Decode stage due to IQ full                      14           35
 9  Stall at Decode stage due to CQ full, then released queue 34           61
    full at the next clock cycle
10  CQ full, then full again                                  35           70
11  CQ full, then empty, and then full again                  95           290
12  Retire only one instruction in Completion                 12           28
13  "lwz" instruction at LSU stage3                           7            15
14  "add" at Fetch2 and "mulhw" at MU stage2 simultaneously   6            18
15  "addi" at Completion, "mulhw" at MU stage1, & "lwz" at    12           25
    LSU stage1 at the same clock
16  "mulhw" at Completion, "add" & "addi" waits in            12           40
    completion queue, & "lwz" at LSU stage3
17  "lwz" and "add" at Completion, "mulhw" at MU stage3,      14           35
    "addi" at CQ, "lwz" at LSU stage1
18  "mulhw" & "add" retire, "mulhw" at MU stage4,             15           45
    "addi" at CQ, & "lwz" at LSU-stage2

Figure 3-5. Four different data forwarding mechanisms

Micro-architectural validation flow

simulation. For example, test generation for uncovering incorrect stalls in pipeline stages requires timing information of instruction flow and those bugs are only visible during the clock-accurate simulation. Therefore, micro-architectural validation plays an important role in ensuring the correctness of performance as well as functionality of the processor designs.

We have performed micro-architectural validation by using the existing methodology in an industrial setting that includes an internal random test pattern generator (RTPG) tool. Figure 3-6 shows the validation flow. We converted the assembly test sequences generated by our method into the input format of the RTPG tool that produces testbenches for RTL simulation. The simulator shows how instructions go through the pipeline stages on a cycle-by-cycle basis as well as whether the stored results in register files and memory are correct or not. Capturing when and which instructions move from one stage to the next ensures that the generated tests exercise the target micro-architectural artifacts. We compared the validation effort for activating these micro-architectural features using the existing validation methodology in an industrial setting and our approach. On an average each of our test case took less than 100 clock


This chapter presented an efficient directed test generation technique for validation of performance as well as functionality of the modern microprocessors. Our methodology is based on decompositional model checking where the processor model as well as the properties are decomposed and the model checking is applied on smaller partitions of the design using decomposed properties. We introduced the notion of time steps to enable decomposition of the properties into smaller ones based on their clock cycles. We have developed an efficient algorithm to merge the partial counterexamples generated by the decomposed properties to create the final test program corresponding to the original property. Our experimental results using MIPS and PowerPC e500 processor architectures demonstrate the efficiency of our method by generating complicated micro-architectural tests. Since the proposed technique is generic, its framework can be used for validation of other industrial-strength processors. Furthermore, this work can be seamlessly integrated in the current RTPG validation methodology without modification of the existing validation flow.


Efficient test generation is crucial for the simulation-based validation since it determines the quality of test suites as well as the performance of validation. This chapter presents an efficient test generation methodology for functional validation of processor designs using SAT-based bounded model checking (BMC).

As a complementary technique of unbounded model checking (UMC) in Chapter 3, SAT-based bounded model checking (BMC) has given promising results in the verification domain. The basic idea is to restrict the search space that is reachable from initial states within a fixed number (k) of transitions, called the bound. After unwinding the model of design k times, the BMC problem is converted into a propositional satisfiability (SAT) problem. A SAT solver is used to find a satisfiable assignment of variables that is converted into a counterexample. If the bound is known in advance, SAT-based BMC is typically more effective for falsification than UMC because the search for counterexamples is faster and the SAT capacity reaches beyond the BDD capacity [15]. However, finding the bound is a challenging problem since the depth of counterexamples is unknown in general.

Choosing an incorrect bound increases test generation time and memory requirement. In the worst case, test generation may not be possible. For example, we can increase the bound iteratively starting from a small bound until a counterexample is found. This approach is advantageous for shallow counterexamples, but disadvantageous for deep counterexamples due to accumulation of iterative running time. Another example is to choose a large bound such that all counterexamples are found. This approach loses the benefits of BMC due to search in a large number of irrelevant states when the bound is too big. Therefore, the performance of test generation closely depends on the schemes of deciding the bound. We propose a method to find the bound for each property instead of using the maximum bound for all properties.


Test program generation using SAT-based bounded model checking

Figure 4-1 shows our test generation methodology. Processor model and properties are generated from the architecture specification. We use the pipeline interaction fault model to define functional coverage. Temporal logic properties are created from pipeline interaction faults. We determine the bound for each property to reduce test generation time and memory requirement compared to using the maximum bound for all properties. The processor model, negated properties, and the bound are applied to SAT-based BMC to generate a test program. Based on the coverage report, more properties can be added, if necessary. We use design and property decompositions to further improve the performance of test generation. Our technique makes two important contributions: i) it develops a procedure to determine the bound for each property, and ii) it presents a scheme for design and property decompositions in the context of SAT-based BMC.


Bounded Model Checking (BMC) is a restricted form of model checking. Instead of exhaustively searching a counterexample, BMC searches for a counterexample of a particular length k, called bound or maximum length of counterexamples. The assumption is that the property can be falsified (a counterexample exists) within k time steps.

In SAT-based BMC, the BMC problem is encoded into the satisfiability problem and a SAT solver is used as a verification engine instead of a model checker. To perform verification, SAT-based BMC includes the following steps:

1. Unfold design and property up to the bound k.
2. Encode the bounded design and property into a CNF formula.
3. Apply the CNF formula to a SAT solver.
4. If satisfiable, then the property does not hold for the design and the satisfiable assignment of variables is converted to a counterexample.
5. If unsatisfiable and k ≥ d (d: diameter

The CNF formula is satisfiable if and only if a violated state is reachable within the bound k. The resulting satisfiable assignment of variables is translated into an error trace from a valid initial state to the violated state. If the bound k is equal to or larger than the diameter and the CNF formula is unsatisfiable, then the design satisfies the property [81]
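The unfold, encode, solve and convert steps listed above can be followed end to end on a toy model. The following is an added example, not code from the dissertation: it assumes a hypothetical four-stage in-order pipeline (`FE`, `DE`, `EX`, `WB`) in which every stage latches its predecessor each cycle, uses a small DPLL routine in place of a production SAT solver, and takes the per-property bound to be the temporal distance of the deepest target stage from the issue point.

```python
STAGES = ["FE", "DE", "EX", "WB"]   # assumed toy pipeline, empty at time 0

def property_bound(target):
    """Per-property bound: distance of the deepest target stage from issue."""
    return max(STAGES.index(s) for s in target) + 1

def encode(k, target):
    """CNF for: empty pipeline at t=0, k unrolled transitions, and all
    target stages busy at some time step t <= k (the negated property)."""
    ids = {}
    def var(name, t):
        return ids.setdefault((name, t), len(ids) + 1)
    cnf = [[-var(s, 0)] for s in STAGES]
    for t in range(k):
        sources = ["issue"] + STAGES[:-1]        # FE latches the issue input
        for stage, src in zip(STAGES, sources):
            nxt, cur = var(stage, t + 1), var(src, t)
            cnf += [[-nxt, cur], [nxt, -cur]]    # stage(t+1) <-> src(t)
    hits = [var("hit", t) for t in range(k + 1)]
    for t, h in enumerate(hits):
        cnf += [[-h, var(s, t)] for s in target] # hit_t -> target busy at t
    cnf.append(hits)                             # some hit_t must hold
    return cnf, ids

def solve(cnf, assign=None):
    """Minimal DPLL: unit propagation, then branch on the first open literal."""
    assign = dict(assign or {})
    while True:
        unit, simplified = None, []
        for clause in cnf:
            if any(assign.get(abs(l)) == (l > 0) for l in clause):
                continue                         # clause already satisfied
            rest = [l for l in clause if abs(l) not in assign]
            if not rest:
                return None                      # conflict: clause falsified
            if len(rest) == 1:
                unit = rest[0]
            simplified.append(rest)
        if unit is None:
            break
        assign[abs(unit)] = unit > 0
        cnf = simplified
    if not simplified:
        return assign
    lit = simplified[0][0]
    for value in (lit > 0, lit < 0):
        model = solve(simplified, {**assign, abs(lit): value})
        if model is not None:
            return model
    return None

def generate_test(target, k):
    """Return (test program or None, number of CNF clauses) for bound k."""
    cnf, ids = encode(k, target)
    model = solve(cnf)
    if model is None:
        return None, len(cnf)
    program = ["ISSUE" if model.get(ids[("issue", t)], False) else "NOP"
               for t in range(k)]
    return program, len(cnf)

def first_hit(program, target):
    """Replay a program on the toy pipeline; cycle where the target is hit."""
    state = dict.fromkeys(STAGES, False)
    for cycle, op in enumerate(program, start=1):
        values = [op == "ISSUE"] + [state[s] for s in STAGES[:-1]]
        state = dict(zip(STAGES, values))
        if all(state[s] for s in target):
            return cycle
    return None

if __name__ == "__main__":
    for target in (["FE"], ["WB"], ["DE", "WB"]):
        k = property_bound(target)
        too_small, _ = generate_test(target, k - 1)
        program, clauses = generate_test(target, k)
        _, max_clauses = generate_test(target, 9)  # 9: assumed maximum bound
        print(target, "bound", k, "unsat below bound:", too_small is None,
              "test:", program, "clauses:", clauses, "vs", max_clauses)
```

The clause counts printed for the per-property bound and for the assumed maximum bound of 9 show how the formula handed to the solver grows with k even when the counterexample is shallow.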


[16] introduced bounded model checking (BMC) combined with satisfiability solving. The recent developments in SAT-based BMC techniques have been presented in [15, 30, 93]. BMC is an incomplete method that cannot guarantee a true or false determination when a counterexample does not exist within a given bound. However, once the bound of a counterexample is known, large designs can be falsified very fast since SAT solvers [50, 78, 88, 114] do not require exponential space, and searching counterexample in an arbitrary order consumes much less memory than breadth first search in model checking.

The performance of bounded and unbounded algorithms was analyzed on a set of industrial benchmarks in [7, 8]. The capacity increase of BMC techniques has become attractive for industrial use. An Intel study [37] showed that BMC has better capacity and productivity over unbounded model checking for real designs taken from the Pentium-4 processor. Recently, Gurumurthy et al. [52] have used BMC as test program generator for mapping pre-computed module-level test sequences to processor instructions.

SAT-based BMC is one of the most promising test generation engines due to its capacity and performance. However, finding the bound is a challenging problem. We propose a method to determine the bound for each test generation scenario, thereby making SAT-based BMC feasible in practice.

[79] or NuSMV [29]. We create negated properties and their bounds. A SAT-based BMC unfolds the processor model along with a negated property


3.4.1. Bound $k_i$ for each property is decided as discussed in Section 4.3.1. SAT-based BMC takes processor model


So far, we assumed that the whole design model is applied to SAT-based BMC. This approach is effective when the design is of moderate size and the bound is shallow. However, for the test generation scenarios consisting of large designs and deep counterexamples, SAT-based BMC may not be able to generate tests in a reasonable amount of time due to large search space. In other words, the complexity problem still remains in SAT-based BMC. In such cases, decompositions of property as well as design will reduce the test generation complexity.

2-1, the maximum bound is determined by the length of {FE → DE → IALU → MEM → Cache → MM → Cache → MEM → WB} if cache miss takes more time than any other pipeline paths. However, this bound is over-conservative in most test scenarios because a lot of interactions do not include this longest path. Therefore, using bound for each interaction is more efficient for test generation in terms of time and memory requirement.

Bound for each interaction is determined by the longest temporal distance from the root node to the nodes under consideration. For example, bound for the property "IALU, FADD2, and FADD3 in operation execution at the same time" will be 5 because FADD3 has the longest temporal distance from Fetch stage. If a property includes stall or


2.2. However, SAT-based BMC at the module level may not be beneficial anymore because UMC can handle small designs efficiently. Experimental results in Section 4.4.3 show that UMC might be better for small designs. In addition, module level decomposition is not always possible since local properties are not preserved at the global level in general. However, the properties that are not decomposable at module level may be decomposable by the horizontal and vertical partitioning techniques.


2-1. We chose the MIPS processor since it has been well studied in academia and there are HDL implementations available for the processor that can be used for validation purposes. Additionally, the MIPS processor has many interesting features, such as fragmented pipelines and multi-cycle functional units that are representatives of many commercial pipelined processors such as TI C6x and PowerPC.

For our experiments, we used Cadence SMV [79] as a model checker and zChaff [88] as a SAT solver. We used 16 16-bit registers in the register file for the following experiments. All the experiments were run on a 1 GHz Sun UltraSparc with 8G RAM.

4-1 where Decode unit is in stall due to the read-after-write (RAW) hazard by FADD instruction.

Table 4-1. Example of a test program

Fetch cycle | Instructions
1 | FADD R1 R2 R2
2 | NOP
3 | ADD R3 R2 R2
4 | ADD R3 R1 R2
5 | NOP


Comparison of test generation techniques for pipeline interactions

Interaction modules | Decomposed design | UMC | SAT-based BMC (Max. k) | SAT-based BMC (Each k)

4-2 compares our test generation technique with UMC-based test generation for different module interactions. The first column specifies a set of properties based on the number of interactions. For example, the third row presents average test generation time (in seconds) for all properties consisting of two ("2") module interactions. The second column presents the level of decomposition used during test generation. The entry whole implies that no decomposition is used. The entry group implies that either horizontal or vertical or both decompositions are used. Similarly, the entry module implies that the test generation uses module-level decomposition. The next three columns show the performance of three test generation techniques: UMC, BMC using maximum bound, and BMC using bound for each property. The maximum bound 45 was used assuming that the longest length is taken by memory operations i.e., the sum of the IALU pipeline


path length (5) and data-transfer path length (40). In the table, X indicates that a counterexample was not found due to "Out of Memory" problem.

Test generation time comparison for four techniques

Figure 4-2 shows test generation time comparison for four techniques using: maximum bound without decomposition, maximum bound with decomposition, individual bound without decomposition, and individual bound with decomposition. As expected, Table 4-2 and Figure 4-2 show that the test generation time grows with the increase of the number of module interactions. UMC can be used only with module level decompositions while SAT-based BMC can be used without decomposition. Bound for each property reduces approximately 90% of the test generation time compared to using BMC with maximum bound. An interesting observation is that UMC with module level decomposition provides better performance than SAT-based BMC. This is because the time to unfold the model and convert it to a SAT problem is more than the time to search for a counterexample.


In the current industrial practice, random and biased-random test generation techniques at architecture (ISA) level are most widely used for simulation-based validation to uncover errors early in the design cycle [2, 100]. Although directed tests require a smaller test set compared to random tests for the same functional coverage goal, the number of directed tests can still be extremely large. Therefore, there is a need for functional test compaction techniques. Since a test generated for activating a particular functional fault goes through pipeline paths over multiple clock cycles, there is a high probability that the test can accompany multiple pipeline interactions before and after it reaches the state that it tries to activate. We present an efficient test compaction technique to significantly reduce the functional test set for validation of pipelined processors.

Figure 5-1 shows the overall flow of our proposed test compaction methodology. Using the specification of a processor, we create a finite state machine (FSM) model of the processor and an FSM coverage metric based on pipeline interactions. Each FSM state (transition) indicates a pipeline interaction and can be represented as a property for test generation. FSM compaction is performed before test generation by eliminating the states and the transitions that are illegal, redundant, or unreachable for the given design constraints. Properties for the remaining states (after elimination) can be automatically generated from the FSM model of the processor. Test programs to exercise the states in the FSM model are produced using the model checking-based test generation technique. Once all the tests are generated, test compaction is performed by pruning redundant test programs to reduce the size of a test set.

The proposed method makes three important contributions. First, we propose an efficient FSM model of the pipelined processors, and define FSM state and transition coverage based on the pipeline interactions. Second, we propose an efficient compaction


technique to significantly reduce FSM states/transitions. Finally, we apply existing test matrix reduction and minimization techniques to further reduce the number of directed tests.

Functional test compaction methodology

[24, 59, 65, 115] have been developed for validation of pipelined processors where an FSM model is used to generate a test suite based on FSM coverage metrics such as state, transition, or path coverage. In modern processor designs, complicated micro-architectural mechanisms include interactions among many pipeline stages and buffers that can lead the FSM-based approaches to the state space explosion problem. To alleviate the state explosion, FSM abstraction techniques [89, 99, 109] have been presented. However, these techniques use


Due to the large volume of test data and the extremely long test time for manufacturing test, considerable research has been done to reduce the structural test data volume. Test compaction techniques are generally categorized into dynamic and static compactions. Dynamic compaction is applied during test generation while static compaction is applied after test generation. Rudnick and Patel [96] have proposed dynamic test compaction for sequential circuits using fault simulation and genetic algorithms. El-Maleh and Osais [41] have presented decomposition-based static compaction algorithms where a test vector is decomposed into atomic components and the test vector is eliminated if its components can be all moved to other test vectors. Set covering has been applied to static compaction procedures for combinational circuits using the fault detection matrix [18, 45, 57]. Dimopoulos and Linardis [40] have modeled static compaction for sequential circuits as a set-covering problem. The matrix reduction techniques [110] can be applied to mitigate the complexity of set covering by eliminating redundant rows (faults) and columns (test vectors) in the fault detection matrix.

Although a lot of structural test compaction techniques have been proposed in manufacturing test domain, there has been no work in functional test compaction in validation domain since functional redundancy can be hard to find among functional tests. Since the volume of functional tests can be extremely large even for directed tests, we propose a functional test compaction methodology to reduce overall processor design validation efforts.

[28, 56, 75, 98] have been done on FSM modeling of processors as bottom-up approaches where an abstract FSM model is extracted from RTL designs for formal verification and test generation. However, in addition to difficulty in creating an


Figure 5-2. Binary format of the states in FSM model

For example, we assign two bits to represent four functional states of Fetch unit: '00' for idle, '01' for instruction fetch, '10' for stall, and '11' for exception. Figure 5-2 shows an example of the FSM states of the pipelined processor. Given that all the functional units have only four possible states, each unit requires 2 bits for its four functionalities. This binary format of functional FSM model provides an efficient indexing mechanism to access and analyze each functional state. In addition, next states can be described as Boolean functions. For example, assuming the state transitions $(s_i, s_j)$ and $(s_i, s_k)$ with $s_j$ = '0011' and $s_k$ = '0010', the next states of $s_i$ are expressed as $\bar{B}_4\bar{B}_3B_2B_1 + \bar{B}_4\bar{B}_3B_2\bar{B}_1 = \bar{B}_4\bar{B}_3B_2$. For each state, a list of the next states are produced by transition functions described in the following section.


Instruction flow

Figure 5-4. Pipeline interactions

Figure 5-3 and 5-4 show the general behaviors of pipelined processors. Every instruction goes through the current pipeline stage to the next stage as shown in Figure 5-3, where $fu$ is a functional unit, $1 \le i, k, l \le U$, $1 \le j \le D$, and D is the pipeline depth. Since each functional unit $fu_{i,j}$ can have different number of interactive functional units at stage $j-1$ and $j+1$, $fu_{k,j-1}$ and $fu_{l,j+1}$ can be multiple units. For example, a decode unit may have multiple execution units at its following stage while a fetch unit may have only one unit (decode unit) at the following stage.

Figure 5-4 shows the pipeline interactions of the functional unit $fu_{i,j}$. The state of $fu_{i,j}$ at time step t is decided by the previous and current states of its interactive units $fu_{k,j-1}$ and $fu_{l,j+1}$ as well as itself. For example, if $fu_{l,j+1}$ and $fu_{i,j}$ are on the same pipeline and $fu_{l,j+1}$ is in the stall state at time step t, then $fu_{i,j}$ should be in stall because the instruction in $fu_{i,j}$ cannot go to the next stage $fu_{l,j+1}$. Considering feedback loop such


Based on the pipelining behavior, the state transition to the functional unit $fu_{i,j}$ at time step t is defined as $ss_{i,j}(t) = f(ss_{k,j-1}(t-1), ss_{i,j}(t-1), ss_{l,j+1}(t-1), ss_{l,j+1}(t))$. Here, $ss_{i,j}(t)$ represents a set of bits to describe the functional state of $fu_{i,j}$ at time step t, and f represents a transition function decided by interactive units. Therefore, the states of the processor FSM can be expressed by concatenating $ss_{i,j}$ where $i = 1, \ldots, U$ and $1 \le j \le D$.

Assuming that each state transition occurs on the basis of clock cycle, the state coverage of the proposed FSM model is similar to the pipeline interaction coverage at a given clock cycle because an FSM state consists of the states of each functional unit. The test program that covers the state will activate the corresponding pipeline interaction. We can compute the number of theoretically possible FSM states based on the number of functional units in the processor model and the average number of activities at each unit. In general, the number of activities for a unit will be different based on what activities we want to test. Furthermore, the number of activities varies for different units, thereby each unit may require different number of bits for its functional states. Considering an FSM model with m units where each unit can have on average p activities, the FSM will have $p^m$ states which can be extremely large even for simple processors. For example, a simple MIPS processor [54] with 10 functional units and 4 activities has approximately one million states. This theoretical number of functional states can be reduced by eliminating unreachable states using functional constraints described in the processor specification.


5.2.1.2, each state has a list of its next states. When a test visits the state and goes to one of its next states, we take the next state off the list since the transition between the two states is covered. State transition coverage of the FSM is achieved when the next state lists for every state are empty. The number of state transitions is determined by the processor's functional behaviors. Theoretically, the maximum number of state transitions is $N^2$, where N is the number of states, and any state can go to any state.


Figure 5-5. Single transitions between neighboring states

We employ various techniques to remove redundant states and transitions. Figure 5-5 shows inevitable states and transitions that have single outgoing transition (a and b) and single incoming transition (e and f). The states c and d are inevitable states to their neighbors because all the paths to travel a and b (e and f) should include the state c (d). The transitions (a → c), (b → c), (d → e), and (d → f) are inevitable transitions to their neighbors. We can eliminate the test cases to activate these inevitable states and transitions since any test program to exercise their neighboring states goes through them. The next state lists of each state are used to identify the inevitable states of the single outgoing transitions. If a state has only one state in its next state list, the next state is an inevitable state. In the same way, the previous state lists are used to identify the single incoming transitions.


5.2.1.2. For example, if the state of the functional unit $ss_{i,j}$ is in normal operation at time t, then the state of the previous stage unit $ss_{k,j-1}$ cannot be in idle state at time $t-1$ since the instruction in $fu_{i,j}$ must be ready at the previous pipeline stage at time $t-1$.

Table 5-1. Transition rules between $ss_{k,j-1}(t-1)$ and $ss_{i,j}(t)$

$ss_{k,j-1}(t-1)$ | $ss_{i,j}(t)$
idle | idle, stall
normal op. | normal op., stall, exception
stall | idle, stall
exception | idle, stall

Transition rules between $ss_{i,j}(t-1)$ and $ss_{i,j}(t)$

$ss_{i,j}(t-1)$ | $ss_{i,j}(t)$
idle | idle, normal op., stall, exception
normal op. | idle, normal op., exception
stall | idle, normal op., stall, exception
exception | idle

Transition rules between $ss_{l,j+1}(t-1)$ and $ss_{i,j}(t)$

$ss_{l,j+1}(t-1)$ | $ss_{i,j}(t)$
idle | idle, normal op., stall, exception
normal op. | idle, normal op., stall, exception
stall | idle, normal op., stall, exception
exception | idle

5-1, if $ss_{k,j-1}(t-1)$ = stall, then $ss_{i,j}(t)$ can be either in idle or stall state because no instruction moves from the previous stage. In Table 5-2 and Table 5-3, if $ss_{k,j-1}(t-1)$ or $ss_{l,j+1}(t-1)$ = exception, then $ss_{i,j}(t)$ should be the idle state to flush the following instructions in the pipeline.


[35] where each property consists of sub-states, temporal operators (G, F, X, U), and Boolean connectives ($\wedge$, $\vee$, $\neg$, and $\rightarrow$). Since pipeline interactions at a given cycle are semantically explicit and our processor model is organized as structure-oriented functional units, each state can be converted in the form of a property $F(p_1 \wedge p_2 \wedge \ldots \wedge p_U \wedge (clk = t))$ that combines activities $p_i$ at i-th unit over U functional units at time step t. The negation of the property results in $G(\neg p_1 \vee \neg p_2 \vee \ldots \vee \neg p_U \vee (clk \neq t))$ that is applied to a model checker for test generation.

For example, in order to generate a test for a 4-bit FSM state $s_j$ = '0011' that has 2-bit sub-states $ss_1$ and $ss_2$ for two functional units, the property of the state is described as $F(ss_1 = \text{'00'} \wedge ss_2 = \text{'11'} \wedge (clk = t))$ and its negated property $G(ss_1 \neq \text{'00'} \vee ss_2 \neq \text{'11'} \vee (clk \neq t))$ is applied to generate a test program that activates the state $s_j$ at time t.

5.2.1.2, the next state can be expressed in the same form of the current state as $p_1' \wedge p_2' \wedge \ldots \wedge p_U' \wedge (clk = t+1)$. Temporal operator X is used to describe the state transition between two consecutive states where $Xp$ means that p holds at next time step. We convert each state transition in the form of a property $F((p_1 \wedge p_2 \wedge \ldots \wedge p_U \wedge (clk = t)) \rightarrow X(p_1' \wedge p_2' \wedge \ldots \wedge p_U' \wedge$


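For example, for test generation of a state transition $(s_j, s_k)$ where $s_j$ = '0011' and $s_k$ = '0110', the transition is described as $F((ss_1 = \text{'00'} \wedge ss_2 = \text{'11'} \wedge (clk = t)) \rightarrow X(ss_1 = \text{'01'} \wedge ss_2 = \text{'10'} \wedge (clk = t+1)))$. We apply the negated property $G((ss_1 \neq \text{'00'} \vee ss_2 \neq \text{'11'} \vee (clk \neq t)) \vee (ss_1 \neq \text{'01'} \vee ss_2 \neq \text{'10'} \vee (clk \neq t+1)))$ to generate a test program that activates the state transition between $s_j$ and $s_k$.

5-6 shows the Test Matrix after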


test generation. Diagonal elements in the matrix are all set to 1 due to the directed test generation.

Test matrix for FSM coverage

[38]. However, finding the minimum test set suffers from exponential blow-up because the set covering problems are NP-complete. Therefore, there is a need to reduce the size of matrix before applying any algorithm to solve set covering problems. The Test Matrix shrinks after iteratively applying the following rules: test essentiality, test dominance for row elimination, and state (or state transition) dominance for column elimination. If i-th column is covered by only one test, the test is an essential test that cannot be removed from the test set. The columns that are covered by the essential tests can be removed from the matrix. If all states (or state transitions) of $t_i$ are covered by $t_j$, $t_j$ dominates $t_i$ and $t_i$ (i-th row) is eliminated. If all tests of $s_i$ detect $s_j$, $s_j$ dominates $s_i$ and $s_j$ (j-th column) is removed. After matrix reduction, the set covering is used to achieve the minimum test set.

[54]. Figure 5-7 shows a simplified version of the architecture. There are three pipeline stages: Fetch (FE), Execution, and WriteBack (WB). Execution stage consists of four pipelines for integer ALU (IALU), load (LD), store (ST), and multiplication (MULT) operation and each pipeline is considered as one functional unit.
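The three Test Matrix reduction rules described above (test essentiality, test dominance, state dominance), followed by set covering on whatever remains, can be written out as follows. This is an added example rather than the dissertation's implementation; the matrix `SAMPLE_MATRIX`, the function names, and the exhaustive search used for the final set covering step are assumptions made for illustration.

```python
from itertools import combinations

# Constructed Test Matrix: row = test, entries = FSM states the test covers.
# Test t_i was generated for state s_i, so every "diagonal" entry is present.
SAMPLE_MATRIX = {
    "t1": {"s1", "s2"},
    "t2": {"s2"},
    "t3": {"s3", "s4"},
    "t4": {"s4", "s5"},
    "t5": {"s5", "s3"},
    "t6": {"s6", "s1", "s2"},
}

def _take_essential(rows, active, chosen):
    """Test essentiality: a column covered by exactly one test forces it."""
    for s in sorted(active):
        covering = [t for t, cols in rows.items() if s in cols]
        if len(covering) == 1:
            chosen.append(covering[0])
            active.difference_update(rows.pop(covering[0]))
            return True
    return False

def _drop_dominated_row(rows):
    """Test dominance: if t_j covers everything t_i covers, drop row t_i."""
    for ti in sorted(rows):
        for tj in sorted(rows):
            if ti != tj and rows[ti] <= rows[tj]:
                del rows[ti]
                return True
    return False

def _drop_dominating_column(rows, active):
    """State dominance: if every test covering s_i also covers s_j,
    column s_j is covered for free whenever s_i is, so drop s_j."""
    tests_of = {s: {t for t, cols in rows.items() if s in cols} for s in active}
    for si in sorted(active):
        for sj in sorted(active):
            if si != sj and tests_of[si] <= tests_of[sj]:
                active.discard(sj)
                return True
    return False

def compact_tests(test_matrix):
    """Return a minimum-size sorted list of tests covering every column."""
    rows = {t: set(cols) for t, cols in test_matrix.items()}
    active = set().union(*rows.values())      # columns still to be covered
    chosen = []
    while active:
        # Restrict rows to the remaining columns and drop rows left empty.
        rows = {t: cols & active for t, cols in rows.items() if cols & active}
        if (_take_essential(rows, active, chosen)
                or _drop_dominated_row(rows)
                or _drop_dominating_column(rows, active)):
            continue
        # No rule applies: exact set covering on the reduced matrix.
        candidates = sorted(rows)
        for size in range(1, len(candidates) + 1):
            for combo in combinations(candidates, size):
                if set().union(*(rows[t] for t in combo)) >= active:
                    return sorted(chosen + list(combo))
    return sorted(chosen)

if __name__ == "__main__":
    kept = compact_tests(SAMPLE_MATRIX)
    print(f"{len(SAMPLE_MATRIX)} tests reduced to {len(kept)}: {kept}")
```

On the constructed matrix, t6 is essential for s6 and also covers s1 and s2, which empties rows t1 and t2; the remaining three tests form a core that no rule reduces, so the set covering step picks two of them.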


Simplified MIPS processor

We assumed that the processor has two constraints: single issue and write back of only one execution result. Figure 5-8 shows the functional FSM model of the processor in the form of 7-bit binary. Each functional unit has two states (idle or normal operation) except the WriteBack unit which has three states (idle, writeback, or writeback with Execution in stall) and writes one execution result at a time. Therefore, theoretically possible number of states is $3 \times 2^5 = 96$.

Figure 5-8. 7-bits functional FSM model

Unreachable states are removed by using the constraints of processor behavior. For example, the unreachable binary pattern 'xxxx11x' (where x is a don't-care bit) represents the single issue constraint that two execution units IALU and ST cannot be executed at the same time. We can eliminate 24 states since this pattern of states means multiple issue from the FE unit. In addition, '101101x' and '101110x' are unreachable since these


So far we discussed the test compaction in the context of FSM states. In the remainder of this section, we present the results for test compaction using FSM transitions. Unless we apply our test compaction technique we need to generate test for 3249 (57 × 57) transitions since there are 57 valid states. Clearly, each state cannot have transition to all other states. Once we apply the elimination technique described in Section 5.3.3, our framework identifies 2793 illegal transitions (86% reduction) and thereby only 456 valid transitions are left. In other words, only 456 test vectors are sufficient to cover all the transitions in the MIPS processor. This can be improved further by applying matrix reduction and set covering techniques. However, the number of final required tests depend on the length of each test. If each test tries to cover a longest path in the transition diagram, only 44 (overall 99% reduction) tests will be required. However, a model checker typically uses the shortest possible test to activate the required transition which can lead to any number between 44 and 456. Therefore, our approach can generate 86-99% overall reduction in functional tests without sacrificing functional coverage.


Functional validation is widely acknowledged as a major bottleneck in modern processor design methodology. Due to the lack of a comprehensive functional coverage metric and directed tests, huge amount of random test programs are used for the validation of microprocessor design. This dissertation presented coverage-driven test generation techniques using formal methods to reduce overall validation efforts. This chapter concludes the dissertation and describes future research directions.

The proposed functional test generation methodology provides high quality test programs, efficient test generation, and small test suites to find design errors in early stages of the development. Furthermore, it combines the benefits of both simulation-based


[1] J. Abraham and W. Fuchs. Fault and error models for VLSI. Proc. of IEEE, 74(5):639-654, 1986.
[2] A. Adir, E. Almog, L. Fournier, E. Marcus, M. Rimon, M. Vinov, and A. Ziv. Genesys-Pro: Innovations in test program generation for functional processor verification. IEEE Design & Test of Computers, 21(2):84-93, 2004.
[3] A. Adir, S. Asaf, L. Fournier, I. Jaeger, and O. Peled. A framework for the validation of processor architecture compliance. In Proc. of Design Automation Conference (DAC), pages 902-905, 2007.
[4] A. Aharon, D. Goodman, M. Levinger, Y. Lichtenstein, Y. Malka, C. Metzger, M. Molcho, and G. Shurek. Test program generation for functional verification of PowerPC processors in IBM. In Proc. of Design Automation Conference (DAC), pages 279-285, 1995.
[5] R. Alur, R. K. Brayton, T. A. Henzinger, S. Qadeer, and S. K. Rajamani. Partial-order reduction in symbolic state-space exploration. Formal Methods in System Design, 18(2):97-116, 2001.
[6] R. Alur, K. McMillan, and D. Peled. Deciding global partial-order properties. Formal Methods in System Design, 26(1):7-25, 2005.
[7] N. Amla, X. Du, A. Kuehlmann, R. Kurshan, and K. McMillan. An analysis of SAT-based model checking techniques in an industrial environment. In Conference on Correct Hardware Design and Verification Methods (CHARME), pages 254-268. Springer, 2005.
[8] N. Amla, R. Kurshan, K. McMillan, and R. Medel. Experiment analysis of different techniques for bounded model checkings. In Tools and Algorithms for the Analysis and Construction of Systems (TACAS), volume 2619 of LNCS, pages 34-48. Springer, 2003.
[9] Z. S. Andraus, M. H. Liffiton, and K. A. Sakallah. Refinement strategies for verification methods based on datapath abstraction. In Proc. of Asia South Pacific Design Automation Conference (ASPDAC), pages 19-24, 2006.
[10] Z. S. Andraus and K. A. Sakallah. Automatic abstraction and verification of Verilog models. In Proc. of Design Automation Conference (DAC), pages 218-223, 2004.
[11] H. Azatchi, L. Fournier, E. Marcus, S. Ur, A. Ziv, and K. Zohar. Advanced analysis techniques for cross-product coverage. IEEE Transactions on Computers, 55(11):1367-1379, 2006.
[12] T. Basten, D. Bošnački, and M. Geilen. Cluster-based partial-order reduction. Automated Software Engineering, 11(4):365-402, 2004.


[13] M. Benjamin, D. Geist, A. Hartman, G. Mas, and R. Smeets. A study in coverage-driven test generation. In Proc. of Design Automation Conference (DAC), pages 970-975, 1999.
[14] B. Bentley. High level validation of next generation microprocessors. In Proceedings of High Level Design Validation and Test (HLDVT), pages 31-35, 2002.
[15] A. Biere, A. Cimatti, and E. M. Clarke. Bounded model checking. Advances in Computers, 58, 2003.
[16] A. Biere, A. Cimatti, E. M. Clarke, and Y. Zhu. Symbolic model checking without BDDs. In Tools and Algorithms for the Analysis and Construction of Systems (TACAS), volume 1579 of LNCS, pages 193-207. Springer, 1999.
[17] P. Bjesse and J. Kukula. Using counterexample guided abstraction refinement to find complex bugs. In Proc. of Design Automation and Test in Europe (DATE), page 10156, 2004.
[18] K. O. Boateng, H. Konishi, and T. Nakata. A method of static compaction of test stimuli. In Proceedings of Asian Test Symposium (ATS), pages 137-142, 2001.
[19] R. Bryant. Graph-Based Algorithms for Boolean Function Manipulation. IEEE Trans. Computers, C-35(8):677-691, August 1986.
[20] R. E. Bryant. A methodology for hardware verification based on logic simulation. Journal of the ACM (JACM), 38(2):299-328, 1991.
[21] R. E. Bryant. Symbolic simulation techniques and applications. In Proc. of Design Automation Conference (DAC), pages 517-521, 1991.
[22] J. R. Burch, E. M. Clarke, and K. L. McMillan. Symbolic model checking: 10^20 states and beyond. Information and Computation, 98:142-170, 1992.
[23] M. L. Bushnell and V. D. Agrawal. Essentials of Electronic Testing for Digital, Memory and Mixed-Signal VLSI Circuits. Kluwer Academic Publishers, Boston, MA, 2000.
[24] D. Campenhout, T. Mudge, and J. Hayes. High-level test generation for design verification of pipelined microprocessors. In Proc. of Design Automation Conference (DAC), pages 185-188, 1999.
[25] P. Camurati and P. Prinetto. Formal verification of hardware correctness: Introduction and survey of current research. IEEE Computer, 21(7):8-19, 1988.
[26] S. Chakravarty and P. J. Thadikaran. Introduction to IDDQ Testing. Kluwer Academic Publishers, Boston, MA, 1997.
[27] K.-T. Cheng and J.-Y. Jou. A functional fault model for sequential machines. IEEE Transactions on Computer-Aided Design, 11(9):1065-1073, 1992.


[28] K.-T. Cheng and A. S. Krishnakumar. Automatic generation of functional vectors using the extended finite state machine model. ACM Transactions on Design Automation of Electronic Systems (TODES), 1(1):57-79, 1996.
[29] A. Cimatti, E. M. Clarke, F. Giunchiglia, and M. Roveri. NUSMV: A new symbolic model verifier. In Proc. of Intl. Conference on Computer Aided Verification (CAV), volume 1633 of LNCS, pages 495-499. Springer, 1999.
[30] E. M. Clarke, A. Biere, R. Ramimi, and Y. Zhu. Bounded model checking using satisfiability solving. Formal Methods in System Design (FMSD), 19(1):7-34, 2001.
[31] E. M. Clarke, T. Filkorn, and S. Jha. Exploiting symmetry in temporal logic model checking. In Proc. of International Conference on Computer Aided Verification (CAV), pages 450-462, 1993.
[32] E. M. Clarke, O. Grumberg, S. Jha, Y. Lu, and H. Veith. Counterexample-guided abstraction refinement for symbolic model checking. Journal of the ACM (JACM), 50(5):752-794, 2003.
[33] E. M. Clarke, O. Grumberg, and D. E. Long. Model checking and abstraction. ACM Transactions on Programming Languages and Systems (TOPLAS), 16(5):1512-1542, 1994.
[34] E. M. Clarke, O. Grumberg, K. L. McMillan, and X. Zhao. Efficient generation of counterexamples and witnesses in symbolic model checking. In Proc. of Design Automation Conference (DAC), pages 427-432, 1995.
[35] E. M. Clarke, O. Grumberg, and D. A. Peled. Model Checking. MIT Press, Cambridge, MA, 1999.
[36] E. M. Clarke, H. Jain, and D. Kroening. Verification of SpecC using predicate abstraction. Formal Methods in System Design, 30(1):5-28, 2007.
[37] F. Copty, L. Fix, R. Fraer, E. Giunchiglia, G. Kamhi, A. Tacchella, and M. Y. Vardi. Benefits of bounded model checking at an industrial setting. In Proc. of Intl. Conference on Computer Aided Verification (CAV), LNCS, pages 436-453. Springer, 2001.
[38] F. Corno, P. Prinetto, M. Rebaudengo, and M. S. Reorda. New static compaction techniques of test sequences for sequential circuits. In Proc. of European Conference on Design and Test (ED&TC), pages 37-43, 1997.
[39] P. Cousot and R. Cousot. Abstract interpretation: A unified lattice model for static analysis of programs by construction or approximation of fixpoints. In Proc. of the ACM Symposium on Principles of Programming Languages, pages 238-252, 1997.
[40] M. Dimopoulos and P. Linardis. Efficient static compaction of test sequence sets through the application of set covering techniques. In Proc. of Design Automation and Test in Europe (DATE), page 10194, 2004.


[41] A. H. El-Maleh and Y. E. Osais. Test vector decomposition-based static compaction algorithms for combinational circuits. ACM Transactions on Design Automation of Electronic Systems, 8(4):430-459, 2003.
[42] E. Emerson and R. Trefler. From asymmetry to full symmetry: New techniques for symmetry reduction in model checking. In Proc. of Correct Hardware Design and Verification Methods (CHARME), volume 1703 of LNCS, pages 142-156. Springer, 1999.
[43] S. Ezer and S. Johnson. Smart diagnostics for configurable processor verification. In Proc. of Design Automation Conference (DAC), pages 789-794, 2005.
[44] S. Fine and A. Ziv. Coverage directed test generation for functional verification using Bayesian networks. In Proc. of Design Automation Conference (DAC), pages 286-291, 2003.
[45] P. F. Flores, H. C. Neto, and J. P. Marques-Silva. On applying set covering models to test set compaction. In Proceedings of Great Lakes Symposium on VLSI (GLSVLSI), pages 8-11, 1999.
[46] L. Fournier, A. Koyfman, and M. Levinger. Developing an architecture validation suite: application to the PowerPC architecture. In Proc. of Design Automation Conference (DAC), pages 189-194, 1999.
[47] A. Gargantini and C. Heitmeyer. Using model checking to generate tests from requirements specifications. In ACM SIGSOFT Software Engineering Notes, volume 24, pages 146-162, 1999.
[48] A. Gluska. Practical methods in coverage-oriented verification of the Merom microprocessor. In Proc. of Design Automation Conference (DAC), pages 332-337, 2006.
[49] P. Godefroid, D. Peled, and M. Staskauskas. Using partial-order methods in the formal validation of industrial concurrent programs. In Proc. of International Symposium on Software Testing and Analysis (ISSTA), pages 261-269, 1996.
[50] E. Goldberg and Y. Novikov. BerkMin: a fast and robust SAT-solver. In Proc. of Design Automation and Test in Europe (DATE), pages 142-149, 2002.
[51] R. Grinwald, E. Harel, M. Orgad, S. Ur, and A. Ziv. User defined coverage - A tool supported methodology for design verification. In Proc. of Design Automation Conference (DAC), pages 158-163, 1998.
[52] S. Gurumurthy, S. Vasudevan, and J. A. Abraham. Automated mapping of pre-computed module-level test sequences to processor instructions. In Proc. of Intl. Test Conference (ITC), 2005.
[53] I. G. Harris. A coverage metric for the validation of interacting processes. In Proc. of Design Automation and Test in Europe (DATE), pages 1019-1024, 2006.

PAGE 91

[54] J.HennessyandD.Patterson.ComputerArchitecture:AQuantitativeApproach.MorganKaufmann,Sanfrancisco,CA,2003. [55] P.Ho,A.Isles,andT.Kam.Formalvericationofpipelinecontrolusingcontrolledtokennetsandabstractinterpretation.InProc.ofInternationalConferenceonComputer-AidedDesign(ICCAD),pages529{536,1998. [56] R.C.Ho,C.H.Yang,M.A.Horowitz,andD.L.Dill.Architecturevalidationforprocessors.InProc.InternationalSymposiumonComputerArchitecture(ISCA),pages404{413,1995. [57] D.S.Hochbaum.Anoptimaltestcompressionprocedureforcombinationalcircuits.IEEETransactionsonComputer-AidedDesignofIntegratedCircuitsandSystems,15(10):1294{1299,1996. [58] http:www.freescale.com/les/32bit/doc/ref manual/e500CORERMAD.pdf.PowerPCTMe500CoreFamilyReferenceManual,2006. [59] H.Iwashita,S.Kowatari,T.Nakata,andF.Hirose.Automatictestprogramgenerationforpipelinedprocessors.InProc.InternationalConferenceonComputer-AidedDesign(ICCAD),pages580{583,1994. [60] C.Jacobi.Formalvericationofcomplexout-of-orderpipelinesbycombiningmodelcheckingandtheoremproving.InE.BrinksmaandK.Larsen,editor,Proc.ofComputerAidedVerication(CAV),volume2404ofLNCS,pages309{323.Springer-Verlag,2002. [61] H.Jain,D.Kroening,N.Sharygina,andE.Clarke.Wordlevelpredicateabstractionandrenementforverifyingrtlverilog.InProc.ofDesignAutomationConference(DAC),pages445{450,2005. [62] N.JhaandS.Gupta.TestingofDigitalSystems.CambridgeUniversityPress,Cambridge,UnitedKingdom,2003. [63] R.JhalaandK.L.McMillan.Microarchitecturevericationbycompositionalmodelchecking.InG.Berryetal.,editor,Proc.ofComputerAidedVerication(CAV),volume2102ofLNCS,pages396{410.Springer-Verlag,2001. [64] C.KernandM.Greenstreet.Formalvericationinhardwaredesign:Asurvey.ACMTransactionsonDesignAutomationofElectronicSystems(TODAES),4(2):123{193,1999. [65] K.KohnoandN.Matsumoto.Anewvericationmethodologyforcomplexpipelinebehavior.InProc.ofDesignAutomationConference(DAC),pages816{821,2001. 
[66] H.-M.KooandP.Mishra.Functionalcoverage-driventestgenerationformicroprocessorverication.InProc.ofUS-KoreaConference(UKC),pages19{24,2006.

PAGE 92

[67] H.-M.KooandP.Mishra.Functionaltestgenerationusingpropertydecompositionsforvalidationofpipelinedprocessors.InProc.ofDesignAutomationandTestinEurope(DATE),pages1240{1245,2006. [68] H.-M.KooandP.Mishra.Testgenerationusing(sat)-basedboundedmodelcheckingforvalidationofpipelinedprocessors.InProc.ofACMGreatLakesSymposiumonVLSI(GSLVLSI),pages362{365,2006. [69] H.-M.KooandP.Mishra.Automatedmicro-architecturaltestgenerationforvalidationofmodernprocessors.InProc.ofUS-KoreaConference(UKC),pages25{30,2007. [70] H.-M.Koo,P.Mishra,J.Bhadra,andM.Abadir.Directedmicro-architecturaltestgenerationforanindustrialprocessor:Acasestudy.InIEEEInternationalWorkshoponMicroprocessorTestandVerication(MTV)),pages33{36,2006. [71] S.Kripke.Semanticconsiderationonmodellogic.InProc.ofaColloquium:ModalandManyvaluedLogics,pages83{94,1963. [72] N.Krishnamurthy,A.K.Martin,M.S.Abadir,andJ.A.Abraham.ValidatingPowerPCmicroprocessorcustommemories.IEEEDesign&Test,17(4):61{76,2000. [73] A.KuehlmannandF.Krohm.Equivalencecheckingusingcutsandheaps.InProc.ofDesignAutomationConference(DAC),pages263{268,1997. [74] O.Lachish,E.Marcus,S.Ur,andA.Ziv.Holeanalysisforfunctionalcoveragedata.InProc.ofDesignAutomationConference(DAC),pages807{812,2002. [75] C.Liu,C.-C.Yen,andJ.-Y.Jou.AutomaticfunctionalvectorgenerationusingtheinteractingFSMmodel.InProc.ofInternationalSymposiumonQualityElectronicDesign(ISQED),pages372{377,2001. [76] F.Y.MangandP.-H.Ho.Abstractionrenementbycontrollabilityandcooperativenessanalysis.InProc.ofDesignAutomationConference(DAC),pages224{229,2004. [77] P.ManoliosandS.K.Srinivasan.Acompletecompositionalreasoningframeworkfortheecientvericationofpipelinedmachines.InProc.ofInternationalConferenceonComputerAidedDesign(ICCAD),pages863{870,2005. [78] J.P.Marques-SilvaandK.A.Sakallh.GRASP:Asearchalgorithmforpropositionalsatisability.IEEETransactionsonComputers,48(5):506{521,1999. 
[79] K.L.McMillan.SMVModelChecker,CadenceBerkeleyLaboratory.http://embedded.eecs.berkeley.edu/Alumni/kenmcmil/smv,October,2002. [80] K.L.McMillan.SymbolicModelChecking:AnApproachtotheStateExplosionProblem.KluwerAcademicPublishers,Boston,MA,1993.

PAGE 93

[81] K.L.McMillan.MethodsforexploitingSATsolversinunboundedmodelchecking.InProceedingsofMEMOCODE,pages135{142,2003. [82] A.Miller,A.Donaldson,andM.Calder.Symmetryintemporallogicmodelchecking.ACMComputingSurveys(CSUR),38(3):1{36,2006. [83] P.MishraandN.Dutt.AutomaticFunctionalTestProgramGenerationforPipelinedProcessorsusingModelChecking.InProc.ofHighLevelDesignValidationandTest(HLDVT),pages99{103,2002. [84] P.MishraandN.Dutt.Graph-basedfunctionaltestprogramgenerationforpipelinedprocessors.InProc.ofDesignAutomationandTestinEurope(DATE),pages182{187,2004. [85] P.MishraandN.Dutt.Functionalcoveragedriventestgenerationforvalidationofpipelinedprocessors.InProc.ofDesignAutomationandTestinEurope(DATE),pages678{683,2005. [86] P.MishraandN.D.Dutt.FunctionalVericationofProgrammableEmbeddedArchitectures:ATop-DownApproach.SpringerVerlag,NewYork,NY,2005. [87] P.Mishra,H.-M.Koo,andZ.Huang.Language-drivenvalidationofpipelinedprocessorsusingsatisabilitysolvers.InIEEEInternationalWorkshoponMicropro-cessorTestandVerication(MTV)),pages119{126,2005. [88] M.H.Moskewicz,C.F.Madigan,Y.Zhao,L.Zhang,andS.Malik.Cha:EngineeringanecientSATsolver.InProc.ofDesignAutomationConference(DAC),pages530{535,2001. [89] D.Moundanos,J.A.Abraham,andY.V.Hoskote.Abstractiontechniquesforvalidationcoverageanalysisandtestgeneration.IEEETransactionsonComputers,47(1):2{14,1998. [90] G.Parthasarathy,M.K.Iyer,K.-T.Cheng,andL.-C.Wang.Safetypropertyvericationusingsequentialsatandboundedmodelchecking.IEEEDesign&TestofComputers,21(2):132{143,2004. [91] D.Peled.Usingpartial-ordermethodsintheformalvalidationofindustrialconcurrentprograms.InProc.ofInternationalConferenceonComputerAidedVerication(CAV),pages409{423,1993. [92] A.Piziali.FunctionalVericationCoverageMeasurementandAnalysis.KluwerAcademicPublishers,Boston,MA,2004. [93] M.R.Prasad,A.Biere,andA.Gupta.AsurveyofrecentadvancesinSAT-basedformalverication.Intl.JournalonSoftwareToolsforTechnologyTransfer(STTT),7(2):156{173,2005.

PAGE 94

[94] M.Puig-Medina,G.Ezer,andP.Konas.Vericationofcongurableprocessorcores.InProc.ofDesignAutomationConference(DAC),pages426{431,2000. [95] A.Roy,S.K.Panda,R.Kumar,andP.P.Chakrabarti.Aframeworkforsystematicvalidationanddebuggingofpipelinesimulators.ACMTransactionsonDesignAutomationofElectronicSystems(TODES),10(3):462{491,2005. [96] E.M.RudnickandJ.H.Patel.Ecienttechniquesfordynamictestsequencecompaction.IEEETransactionsonComputers,48(3):323{330,1999. [97] A.Sen.Errordiagnosisinequivalencecheckingofhighperformancemicroprocessors.ElectronicNotesinTheoreticalComputerScience(ENTCS),174(4):9{18,2007. [98] J.ShenandJ.Abraham.Vericationofprocessormicroarchitectures.InProc.ofVLSITestSymposium(VTS),pages189{194,1999. [99] J.ShenandJ.A.Abraham.AnRTLabstractiontechniqueforprocessormicroarchitecturevalidationandtestgeneration.JournalofElectronicTesting:TheoryandApplications,16(1-2):67{81,2000. [100] K.Shimizu,S.Gupta,T.Koyama,T.Omizo,J.Abdulhaz,L.McConville,andT.Swanson.Vericationofthecellbroadbandengineprocessor.InProc.ofDesignAutomationConference(DAC),pages338{343,2006. [101] A.P.SistlaandP.Godefroid.Symmetryandreducedsymmetryinmodelchecking.ACMTransactionsonProgrammingLanguagesandSystems(TOPLAS),26(4):702{734,2004. [102] M.SrivasandM.Bickford.Formalvericationofapipelinedmicroprocessor.IEEESoftware,7(5):52{64,1990. [103] T.Schubert.Highlevelformalvericationofnextgenerationmicroprocessors.InProceedingsofDesignAutomationConference(DAC),pages1{6,2003. [104] S.TasiranandK.Keutzer.Coveragemetricsforfunctionalvalidationofhardwaredesigns.IEEEDesign&TestofComputers,18(4):36{45,2001. [105] P.A.Thaker,V.D.Agrawal,andM.E.Zaghloul.Validationvectorgrade(VVG):Anewcoveragemetricforvalidationandtest.InProc.ofVLSITestSymposium,pages182{188,1999. [106] S.ThatteandJ.Abraham.Testgenerationformicroprocessors.IEEETransactionsonComputers,29(6):429{441,1980. 
[107] C.Timoc,M.Buehler,T.Griswold,C.Pina,F.Stott,andL.Hess.Logicalmodelsofphysicalfailures.InProc.ofInternationalTestConference(ITC),pages546{553,1983.

PAGE 95

[108] S.UrandY.Yadin.Microarchitecturecoveragedirectedgenerationoftestprograms.InProc.ofDesignAutomationConference(DAC),pages175{180,1999. [109] N.Utamaphethai,R.D.S.Blanton,andJ.P.Shen.Eectivenessofmicroarchitecturetestprogramgeneration.IEEEDesign&Test,17(4):38{49,2000. [110] T.Villa,T.Kam,R.K.Brayton,andA.L.Sangiovanni-Vincentelli.Explicitandimplicitalgorithmsforbinatecoveringproblems.IEEETransactionsonComputer-AidedDesignofIntegratedCircuitsandSystems,16(7):677{691,1997. [111] R.L.Wadsack.FaultmodelingandlogicsimulationofCMOSandMOSintegratedcircuits.BellSystemTechnicalJournal,57(5):1449{1474,1978. [112] I.Wagner,V.Bertacco,andT.Austin.StressTest:anautomaticapproachtotestgenerationviaactivitymonitors.InProc.ofDesignAutomationConference(DAC),pages783{788,2005. [113] M.Wilding,D.Greve,andD.Hardin.Ecientsimulationofformalprocessormodels.FormalMethodsinSystemDesign,18(3):233{248,2001. [114] H.Zhang.SATO:Anecientpropositionalprover.InProc.ofInternationalConferenceonAutomatedDeduction(CADE),volume1249ofLNCS,pages272{275.Springer,1997. [115] Y.Zhang,D.Wang,J.Wang,andW.Zheng.Usingmodel-basedtestprogramgeneratorforsimulationvalidation.InEmbeddedSoftwareandSystems,volume3605ofLNCS,pages549{556.Springer,2005. [116] A.Ziv.Cross-productfunctionalcoveragemeasurementwithtemporalproperties-basedassertions.InProc.ofDesignAutomationandTestinEurope(DATE),pages834{841,2003.

PAGE 96

Heon-Mo Koo received his B.S. and M.S. degrees from the Department of Electronic and Electric Engineering at Kyungpook National University in South Korea in 1993 and 1995, respectively. During his M.S. studies, he developed digital image processing and video compression algorithms. In 1995, he joined the LG Electronics Research Center in Seoul, South Korea. As a senior research engineer, he worked on functional modeling and validation of MPEG encoder/decoder, development of a RISC-type embedded processor for MPEG decoder, and digital video processing and enhancement algorithms for HDTV and DVD systems. Since 2003, he has been working on verification of modern microprocessor designs, functional test generation for validation, formal verification, and functional modeling and validation of SoC designs at the Embedded Systems Lab at the University of Florida. In 2006, he worked in the Formal Verification and Test Group at Freescale Inc. as a research intern. During the internship, he designed a pipelined PowerPC processor model at the micro-architecture level and established a directed test generation methodology for validation of the processor design. In August 2007, he joined the Graphics Chipset Group at Intel Corp. as a Software Development Engineer. He has been working on developing simulation models of a multi-format media decoder for the next generation of graphics chips at Intel. He is also working on software design and testing, and is assisting the hardware team with RTL validation.