Citation
Coverage-Driven Test Generation for Functional Validation of Pipelined Processors

Material Information

Title:
Coverage-Driven Test Generation for Functional Validation of Pipelined Processors
Creator:
Koo, Heon-Mo
Place of Publication:
[Gainesville, Fla.]
Publisher:
University of Florida
Publication Date:
Language:
english
Physical Description:
1 online resource (96 p.)

Thesis/Dissertation Information

Degree:
Doctorate ( Ph.D.)
Degree Grantor:
University of Florida
Degree Disciplines:
Computer Engineering
Computer and Information Science and Engineering
Committee Chair:
Mishra, Prabhat
Committee Members:
Chen, Shigang
Sahni, Sartaj
Peir, Jih-Kwon
Shea, John M.
Graduation Date:
12/14/2007

Subjects

Subjects / Keywords:
Algorithms ( jstor )
Architectural design ( jstor )
Architectural models ( jstor )
Counterexamples ( jstor )
Distance functions ( jstor )
Microprocessors ( jstor )
Pipelines ( jstor )
Production automation ( jstor )
Property partitioning ( jstor )
Stall ( jstor )
Computer and Information Science and Engineering -- Dissertations, Academic -- UF
formal, processor, simulation, test, verification
Genre:
Electronic Thesis or Dissertation
born-digital ( sobekcm )
Computer Engineering thesis, Ph.D.

Notes

Abstract:
Functional verification of microprocessors is one of the most complex and expensive tasks in the current system-on-chip design methodology. Simulation using functional test vectors is the most widely used form of processor verification. A major challenge in simulation-based verification is how to reduce the overall verification time and resources. Since the test generation and simulation for all input sequences is infeasible, we need a method for deciding effective tests to achieve high confidence of the design. In addition, test generation techniques must be able to accommodate complex processor designs as well as produce tests in a reasonable time. Traditionally, billions of random and directed tests are used during simulation. Compared to random tests, directed tests can reduce overall validation effort significantly since shorter tests can obtain the same coverage goal. However, there is a lack of automated techniques for directed test generation targeting micro-architectural design errors. Furthermore, the lack of a comprehensive functional coverage metric makes it difficult to measure the verification progress. This dissertation presents a functional coverage-driven test generation methodology. Based on the behavior of pipelined processors, a functional coverage is defined to evaluate the verification progress. My research provides efficient test generation techniques using formal methods by decomposing processor designs and properties to reduce test generation time as well as memory requirement. My research also provides a functional test compaction technique to reduce the number of directed tests while preserving the overall functional coverage. The experiments using MIPS and PowerPC processors demonstrate the feasibility and usefulness of the proposed functional test generation methodology. ( en )
General Note:
In the series University of Florida Digital Collections.
General Note:
Includes vita.
Bibliography:
Includes bibliographical references.
Source of Description:
Description based on online resource; title from PDF title page.
Source of Description:
This bibliographic record is available under the Creative Commons CC0 public domain dedication. The University of Florida Libraries, as creator of this bibliographic record, has waived all rights to it worldwide under copyright law, including all related and neighboring rights, to the extent allowed by law.
Thesis:
Thesis (Ph.D.)--University of Florida, 2007.
Local:
Adviser: Mishra, Prabhat.
Electronic Access:
RESTRICTED TO UF STUDENTS, STAFF, FACULTY, AND ON-CAMPUS USE UNTIL 2008-06-30
Statement of Responsibility:
by Heon-Mo Koo.

Record Information

Source Institution:
University of Florida
Holding Location:
University of Florida
Rights Management:
Copyright Koo, Heon-Mo. Permission granted to the University of Florida to digitize, archive and distribute this item for non-profit research and educational purposes. Any reuse of this item in excess of fair use or other copyright exemptions requires permission of the copyright holder.
Embargo Date:
6/30/2008
Resource Identifier:
663111959 ( OCLC )
Classification:
LD1780 2007 ( lcc )


Full Text

PAGE 4

My journey to the Ph.D. was full of challenging adventures and it became another stepping-stone in my life. Though only my name appears on the cover of this dissertation, the completion of my dissertation was possible with the help and efforts of many people.

First, I express my deepest appreciation to my esteemed advisor Dr. Prabhat Mishra. Through my graduate career at University of Florida, his unfailing guidance, support, and patience helped me overcome many crisis situations and complete this dissertation. He often brought me to the threshold of knowledge, and ignited the interest to cross the threshold. He also encouraged me to be an independent thinker with a high research standard. Additionally, I am very grateful for the friendship of all of the members of his research group.

Thanks also go out to the members of the dissertation committee, Profs. Sartaj Sahni, Jih-Kwon Peir, Shigang Chen, and John M. Shea for their valuable suggestions. Their insightful comments and constructive criticisms were thought-provoking and helped my idea escalate at each phase of my research. I am grateful to many people on the faculty and staff of the Department of Computer and Information Science and Engineering for all that they taught and supported me in various ways. I am also thankful to the students who I was privileged to teach and from whom I also learned much when I was a Teaching Assistant.

Finally, and most importantly, I sincerely thank my family who have been a constant source of help, support, and strength during doctoral studies. None of my achievement would have been possible without their love. My very special thanks to my wife for her unselfish devotion and love upon which the path to completing my Ph.D. was built. I warmly appreciate my parents for their unwavering faith in me as well as unending encouragement and support. I thank my brother and sisters for their love and support. I appreciate parents-in-law for consistent encouragement and support.

PAGE 5

ACKNOWLEDGMENTS ... 4
LIST OF TABLES ... 7
LIST OF FIGURES ... 8
ABSTRACT ... 9

CHAPTER

1 INTRODUCTION ... 10
  1.1 Processor Validation ... 12
  1.2 Coverage-driven Functional Validation ... 14
  1.3 Research Contributions ... 16
2 PROCESSOR FAULT MODELING AND FUNCTIONAL COVERAGE ... 19
  2.1 Existing Fault Models and Coverage Metrics ... 19
    2.1.1 Fault Models ... 19
    2.1.2 Coverage Metrics ... 20
  2.2 Graph-based Modeling of Pipelined Processors ... 23
    2.2.1 Modeling of MIPS processor ... 24
    2.2.2 Modeling of PowerPC e500 processor ... 25
  2.3 Pipeline Interaction Fault Model and Functional Coverage ... 26
  2.4 Chapter Summary ... 28
3 TEST GENERATION USING DESIGN AND PROPERTY DECOMPOSITIONS ... 29
  3.1 Model Checking ... 30
  3.2 Test Generation using Model Checking ... 32
  3.3 Related Work ... 34
  3.4 Test Generation using Design and Property Decompositions ... 36
    3.4.1 Generation and Negation of Properties ... 38
    3.4.2 Property Decomposition ... 38
      3.4.2.1 Decomposable properties ... 39
      3.4.2.2 Non-decomposable properties ... 40
    3.4.3 Design Decomposition ... 43
    3.4.4 Test Generation using Decompositional Model Checking ... 44
    3.4.5 Merging Partial Counterexamples ... 51
  3.5 Experiments ... 52
    3.5.1 Test Generation using Module Level Decomposition ... 52
    3.5.2 Test Generation for e500 Processor ... 54

PAGE 6

      ............................ 54
      3.5.2.2 Micro-architectural validation using test programs ... 54
  3.6 Chapter Summary ... 57
4 TEST GENERATION USING SAT-BASED BOUNDED MODEL CHECKING ... 58
  4.1 SAT-based Bounded Model Checking ... 59
  4.2 Related Work ... 61
  4.3 Test Generation using SAT-based Bounded Model Checking ... 61
    4.3.1 Determination of Bound ... 63
    4.3.2 Design and Property Decompositions ... 64
  4.4 A Case Study ... 64
    4.4.1 Experimental Setup ... 65
    4.4.2 Test Generation: An Example ... 65
    4.4.3 Results ... 66
  4.5 Chapter Summary ... 68
5 FUNCTIONAL TEST COMPACTION ... 69
  5.1 Related Work ... 70
  5.2 FSM Modeling ... 71
    5.2.1 Functional FSM Modeling of Processors ... 72
      5.2.1.1 Modeling of FSM states ... 72
      5.2.1.2 Modeling of FSM state transitions ... 73
    5.2.2 Functional Coverage of FSM Model ... 75
  5.3 Compaction before Test Generation ... 76
    5.3.1 Identifying Unreachable States ... 76
    5.3.2 Identifying Redundant States and Transitions ... 77
    5.3.3 Identifying Illegal State Transitions ... 78
  5.4 FSM Coverage-directed Test Generation ... 79
    5.4.1 Test Generation for State Coverage ... 79
    5.4.2 Test Generation for Transition Coverage ... 79
  5.5 Compaction after Test Generation ... 80
    5.5.1 Test Matrix Reduction ... 80
    5.5.2 Test Set Minimization ... 81
  5.6 Experiments ... 81
  5.7 Chapter Summary ... 84
6 CONCLUSIONS AND FUTURE WORK ... 85
  6.1 Conclusions ... 85
  6.2 Future Research Directions ... 86

REFERENCES ... 87
BIOGRAPHICAL SKETCH ... 96

PAGE 7

LIST OF TABLES

2-1 Code coverage metrics ... 21
2-2 FSM coverage metrics ... 22
3-1 Design and property decomposition scenarios ... 37
3-2 Comparison of test generation techniques ... 53
3-3 Various test cases generated by our framework ... 55
4-1 Example of a test program ... 65
4-2 Comparison of test generation techniques for pipeline interactions ... 66
5-1 Transition rules between $ss_{k,j-1}(t-1)$ and $ss_{i,j}(t)$ ... 78
5-2 Transition rules between $ss_{i,j}(t-1)$ and $ss_{i,j}(t)$ ... 78
5-3 Transition rules between $ss_{l,j+1}(t-1)$ and $ss_{i,j}(t)$ ... 78

PAGE 8

LIST OF FIGURES

1-1 Pre-silicon logic bugs per generation ... 11
1-2 Simulation-based processor validation ... 13
1-3 Coverage-driven validation flow ... 15
1-4 Functional coverage-directed test generation methodology ... 17
2-1 Graph model of the MIPS processor ... 24
2-2 Instruction flow of the PowerPC e500 processor ... 25
3-1 Test generation methodology using design and property decompositions ... 29
3-2 Test generation using model checking ... 32
3-3 Specification-driven test generation using model checking ... 33
3-4 An example of Kripke structure model ... 42
3-5 Four different data forwarding mechanisms ... 55
3-6 Micro-architectural validation flow ... 56
4-1 Test program generation using SAT-based bounded model checking ... 59
4-2 Test generation time comparison for four techniques ... 67
5-1 Functional test compaction methodology ... 70
5-2 Binary format of the states in FSM model ... 73
5-3 Instruction flow ... 74
5-4 Pipeline interactions ... 74
5-5 Single transitions between neighboring states ... 77
5-6 Test matrix for FSM coverage ... 81
5-7 Simplified MIPS processor ... 82
5-8 7-bits functional FSM model ... 82

PAGE 9

Functional verification of microprocessors is one of the most complex and expensive tasks in the current system-on-chip design methodology. Simulation using functional test vectors is the most widely used form of processor verification. A major challenge in simulation-based verification is how to reduce the overall verification time and resources. Traditionally, billions of random and directed tests are used during simulation. Compared to random tests, directed tests can reduce overall validation effort significantly since shorter tests can obtain the same coverage goal. However, there is a lack of automated techniques for directed test generation targeting micro-architectural design errors. Furthermore, the lack of a comprehensive functional coverage metric makes it difficult to measure the verification progress.

This dissertation presents a functional coverage-driven test generation methodology. Based on the behavior of pipelined processors, a functional coverage is defined to evaluate the verification progress. My research provides efficient test generation techniques using formal methods by decomposing processor designs and properties to reduce test generation time as well as memory requirement. My research also provides a functional test compaction technique to reduce the number of directed tests while preserving the overall functional coverage. The experiments using MIPS and PowerPC processors demonstrate the feasibility and usefulness of the proposed functional test generation methodology.

PAGE 10

Verification is the process of ensuring that the intent of a design is preserved in its implementation. Functional verification (or validation

In modern microprocessor designs, functional verification is one of the major bottlenecks due to the combined effects of increasing design complexity and decreasing time-to-market. Design complexity of modern processors is increasing at an alarming rate to cope up with the required performance improvement for increasingly complex applications in the domains of communication, multimedia, networking and entertainment. To accommodate such faster computation requirements, today's processors employ many complicated micro-architectural features such as deep pipelines, dynamic scheduling, out-of-order and superscalar execution, and dynamic speculation. This trend again shows

PAGE 11

Figure 1-1. Pre-silicon logic bugs per generation

an exponential increase in the number of logic bugs. For example, the number of logic bugs in designing Intel processors has grown at a rate of 300-400% from one generation to the next in Figure 1-1 [14, 103]. The increase in logic bugs is proportional to the increase in design complexity. The increase in design errors makes verification tasks more difficult. In addition to the growing difficulty of pipelined processor verification, time-to-market has become shorter in the embedded processor designs. A recent study has shown that functional verification accounts for significant portion (up to 70%) of the overall design development time and resources [44]. As a result, design verification of modern processors is widely acknowledged as a major bottleneck in design methodology.

Existing processor verification techniques adopt a combination of simulation based-validation techniques and formal verification methods. Simulation-based validation is the most widely used form of processor verification using test programs consisting of instruction sequences. A major challenge in simulation-based validation is how to reduce the overall validation time and resources. Traditionally, billions of random tests are used during simulation. Furthermore, the lack of a comprehensive functional coverage metric makes it difficult to measure the verification progress. To address these challenges, this dissertation presents a coverage-driven test generation methodology that is composed of

PAGE 12

[25, 64] and simulation-based methods [20]. The trade-off between formal techniques and simulation-based methods is their capacity and completeness in verification. Formal verification techniques provide the completeness of verification task by proving mathematically the correctness of a design. However, they have difficulty in dealing with the large designs due to the state space explosion problem.

[102, 113], model checking [77, 80], SAT solving [30, 93], symbolic simulation [21, 72], and equivalence checking [73, 97] are typically used for formal verification of processor designs.

Simulation-based validation discovers design errors using test vectors consisting of input stimuli and expected outputs [3, 43, 94, 95]. Although simulation-based methods are able to handle complex processor designs, they cannot achieve the completeness of verification. For example, for microprocessor verification, all possible input instruction sequences are required in order to confirm the correctness of a given microprocessor design. But it is impossible to generate and simulate them in a reasonable time. Therefore, formal methods are more applicable to the verification of the small and critical components, whereas simulation-based methods are more advantageous in validation of a complicated design by sacrificing completeness of verification. Primarily due to this

PAGE 13

Figure 1-2. Simulation-based processor validation

reason, simulation-based validation is the most widely used form of verifying modern complex processors.

The basic procedure in simulation-based processor validation consists of generating test programs, simulating a given processor design with the test programs, comparing the generated outputs with the expected results, and correcting design errors if the simulation outputs are different from the expected results (Figure 1-2). A major challenge in processor validation is how to reduce the overall validation time and resources. Since the test generation and simulation for all input test programs is infeasible, we need a method for deciding effective tests to achieve high confidence of the processor design. In addition, test generation techniques must be able to accommodate complex processor designs as well as produce tests in reasonable time. The main focus of this dissertation is the functional test program generation for validation of pipelined processors.

PAGE 14

[2, 100], random and constrained-random test generation techniques at architecture (ISA) level are most widely used because test programs can be produced automatically and design errors can be uncovered early in the design cycle. However, a huge number of tests are required to achieve high confidence of the design correctness, and corner cases are easily missed. Furthermore, architectural test generation techniques have difficulty in activating micro-architectural target artifacts and pipeline functionalities since it is not possible to generate information regarding pipeline interactions or timing details using input ISA specification.

Compared to the random or constrained-random tests, the directed tests can reduce overall validation effort significantly since shorter tests can obtain the same functional coverage goal. However, there is a lack of automated techniques for directed test generation targeting micro-architectural faults. As a result, directed tests are typically hand-written by experts. Due to manual development, it is infeasible to generate all directed tests to achieve comprehensive coverage and this process is time consuming and error prone. Therefore, there is a need for automated directed test generation techniques based on micro-architectural functional coverage. Test generation using formal methods has been successfully used due to its capability of automatic test generation. However, the traditional test generation techniques are unsuitable for large designs due to the state explosion problem. To address these challenges, my research provides automated test generation techniques using decomposition of processor design and property to make the formal methods applicable in practice.

PAGE 15

Figure 1-3. Coverage-driven validation flow

this degree of confidence and to qualify a test set. Therefore, it is hard to answer the question, "When is verification done?", due to difficulty in measuring verification progress and test effectiveness.

A traditional flow of coverage-driven validation begins by defining coverage metric, followed by test generation (Figure 1-3). A coverage metric provides a way to see what has not been verified and what tests should be added. Many coverage metrics have been proposed for different types of design errors (e.g., control flow, data flow) and at different design abstraction levels (e.g., behavioral, RTL, gate level). In coverage-driven test generation, tests are created to activate a target coverage point and it can effectively reduce the number of tests compared to the random test generation. Through simulation, the coverage is analyzed by examining whether target functionalities have been covered or not, thereby we can measure the validation progress. If coverage holes are found, additional tests are generated to exercise them. If higher degree of confidence is required, we can improve the coverage metric or make use of additional coverage measures. Verification engineers can change the scope or depth of coverage during the validation

PAGE 16

Although directed tests require a smaller test set compared to random tests for the same functional coverage goal, the number of tests can still be extremely large. Therefore, there is a need for functional test compaction techniques. My research provides a functional test compaction technique to reduce the directed test set.

Figure 1-4 shows the overall flow of the proposed coverage-driven functional test generation methodology [66]. The first step is to create a processor model and a functional fault model from the processor architecture specification. Next, it generates a list of all possible functional faults based on the fault model and the processor model under validation. Test compaction is performed before test generation by eliminating the redundant faults for the given design constraints. One of the remaining faults is selected for test generation. A test program for this fault is produced automatically by formal verification methods, e.g., model checking. The fault is removed from the fault list. This

PAGE 17

Figure 1-4. Functional coverage-directed test generation methodology

loop repeats until tests are generated for all the faults in the fault list. Functional test compaction is performed after this flow of test generation. It is important to note that two steps of compaction techniques are applied before and after test generation. This dissertation makes three major contributions: i) development of efficient fault models and a coverage metric for pipeline interaction functionalities, ii) novel test generation techniques using formal methods for modern complex processor designs, and iii) functional test compaction.

PAGE 18

This dissertation presents a unified methodology for automated test generation using model checking and satisfiability (SAT) solving. To alleviate the state explosion problem in the existing model checking-based test generation, we have developed efficient test generation techniques that use design level as well as property level decompositions to reduce test generation time and memory requirement. This dissertation presents procedures for decomposing desired properties and processor model with an algorithm for constructing test programs from partial counterexamples. Compared to traditional model checking, SAT-based bounded model checking (BMC) is more efficient in generating counterexamples if there exists a counterexample within search bound. However, appropriate decision of the search space of tests is another challenging problem. This dissertation also provides a procedure for determining the bound in the presence of design and property decompositions. The dissertation shows the applicability of design and property decompositions in the context of traditional model checking and SAT-based BMC.

Development of a test compaction technique in the dissertation reduces the number of directed tests without loss of functional coverage in an effort to further reduce the overall validation effort. Even though the proposed test generation techniques require a much smaller test set than random tests, the volume of a directed test set still remains huge. Redundant properties are eliminated before test generation and test matrix reduction techniques are applied after test generation. The efficient test generation and compaction techniques in this dissertation will reduce the overall validation effort by several order of magnitude.

PAGE 19

Coverage metrics are necessary to evaluate the progress of functional validation. Several coverage metrics are commonly used during functional validation such as code coverage, and state/transition coverage of abstract finite state machines (FSM). However, these coverage metrics do not have a direct relationship with the design functionality. For example, none of the existing coverage metrics determines if all possible interactions of stalls are tested in a pipelined processor. Therefore, we need a coverage metric based on the functionality of pipelined processors. In this chapter, a pipeline interaction fault model is defined using graph-based modeling of pipelined processors. The fault model is used for generating directed tests and defining the functional coverage to measure the validation progress by reporting the faults that are covered by a given set of test programs.

[1, 107]. A fault model should be able to represent high percentage of actual errors. Moreover, it should be as simple as possible to reduce complexity of test generation and coverage analysis. The fault model can be used to define coverage metrics. For example, stuck-at fault model and corresponding stuck-at fault coverage are used for manufacturing tests. This summarizes existing work on functional fault models and coverage metrics.

[23, 62]. Functional fault models are defined at a high abstraction level and functional faults correspond to incorrect execution of the functionalities against a given specification. For example, in validation of microprocessor designs, an instruction

PAGE 20

[106]. Structural fault models are defined at the gate level where the design is described as a netlist of gates. Structural faults refer to incorrect interconnections in the netlist. The most well-known is the stuck-at-fault model in which faults are modeled by assigning a fixed logic state 0 or 1 to a circuit line. Switch level fault models are defined at the transistor level and faults are mainly modeled in analog circuit testing. For example, in stuck-open fault model, if a transistor is always non-conducting, it is considered to be stuck-open [111]. In addition, there are fault models that may not fall under any level of the design abstractions. The quiescent current (IDDQ) fault model, for example, does not fit in any of the design hierarchies but it can represent some physical defects which are not presented by any other model [26].

The fault model at the lowest level of abstraction provides the benefit of describing more accurate defects but the number of faults can be too huge to deal with them in practice. Therefore, it is necessary to develop fault models at higher level of abstraction in order to reduce the number of faults and corresponding tests as well as to detect errors at early design stages. However, due to the less accurate modeling, many faults at lower levels may remain undetected by the test set generated at higher levels. Therefore, there are two conflicting goals in fault modeling: high accuracy and low complexity.

[104] have presented an extensive survey on coverage metrics in simulation-based verification. Piziali [92] described a comprehensive study on functional

PAGE 21

Table 2-1. Code coverage metrics

Line: Which lines have been executed
Statement/block: Which statements have been executed
Path/branch: Which control flows have been taken for if, for, etc
Event/trigger: Which event in the sensitivity list of a process has been triggered
Toggle: Which signals have transitioned from 0 to 1 and vice versa
Expression/condition: Which permutation of branch conditions have been executed

Table 2-1 shows various types of code coverage metrics. The code coverage analysis consists of determining a quantitative measure of code coverage as well as reporting the areas of a design description not exercised by a set of tests. This analysis is used to create additional test cases to improve the coverage.

Verification engineers choose coverage metrics based on the design stages and the cost of performing the coverage measurement. Code coverage metrics are often employed as the first step because they can be applied at relatively low cost in a systematic way. For example, in early design stages, the simple line coverage can provide a good overall assessment of the completeness of the validation. Code coverage does not indicate the correctness of the design description since it considers only possible errors in the structure and the logic of the code itself. In other words, code coverage is not a sufficient indicator of test quality or verification completeness because many functional errors can escape even with 100% code coverage. Furthermore, it does not conform to any specific fault model [105]. However, code coverage can provide minimum coverage requirement and its results can be used to identify corner cases.

PAGE 22

Table 2-2. FSM coverage metrics

State: Which states of an FSM have been visited
Transition: Which transitions between neighboring states have been traversed
Path: Which routes through sequential states have been exercised

[27] can be categorized into state coverage, state transition coverage, and path coverage as described in Table 2-2. Although complete state or transition coverage does not imply that a design is verified exhaustively, they are very useful metrics because of their close correspondence to the behavior of the design. Transition coverage-based test program generation was applied to a PowerPC superscalar processor by Ur and Yadin [108]. FSM coverage-driven test generation have shown that it can detect many hard-to-find bugs in the design [13]. Since each path of the path coverage represents each possible combination of state transitions in the FSM, the FSM path coverage provides a complete representation of the design functionality. However, an intractable number of paths make it impractical to measure their coverage.

In contrast to the code coverage and the FSM coverage, the functional coverage is based on the functionality of the design, thereby it is specified by the desired behavior of the design. It determines that most of the important aspects [46].

PAGE 23

[11] have presented analysis techniques for a cross-product functional coverage [51] by providing manual analysis techniques as well as fully automated coverage analysis. To extract useful information out of the coverage data, they described coverage queries that combine manual and automatic analysis and find holes that contain specific coverage events. In the cross-product coverage, the list of coverage events consists of all possible Cartesian products of the values for a given set of attributes. Based on the cross-product coverage, Ziv [116] has proposed functional coverage measurement with temporal properties-based assertions. Hole analysis for discovering large uncovered spaces for cross-product functional coverage model was presented by Lachish et al. [74]. The problem with the cross-product coverage is that the number of cross-product events is too large to enable fast analysis. In addition, it is necessary to distinguish legal events since not all attributes are independent thereby many of the cross-product events can never be executed.

Piziali [92] described other types of functional coverage models as collections of discrete events, trees, and hybrid models that combine trees and cross-product. Fournier et al. [46] have proposed the validation suite for the PowerPC architecture based on a set of combinational coverage models. Mishra and Dutt [85] have proposed a node/edge coverage of the graph model of pipelined processors to generate tests. Recently, Harris [53] has proposed a behavioral coverage metric which evaluates the validation of the interactions between processes.

PAGE 24

Figure 2-1. Graph model of the MIPS processor

typical architecture manual. This section presents graph models for a MIPS processor and a PowerPC e500 processor.

[54]. Figure 2-1 shows the graph model of the processor that can issue up to four operations (an integer ALU operation, a floating-point addition operation, a multiply operation, and a divide operation). In the figure, rectangular boxes denote units, dashed rectangles are storages, bold edges are instruction-transfer (pipeline) edges, and dashed edges are data-transfer edges. A path from a root node (e.g., Fetch) to a leaf node (e.g., WriteBack) consisting of units and pipeline edges is called a pipeline path. For example, one of the pipeline path is {Fetch, Decode, IALU, MEM, WriteBack}. A path from a unit to main memory or register file consisting of storages and data-transfer edges is called a data-transfer path. For example, {MEM, DataMemory, MainMemory} is a data-transfer path.

PAGE 25

Figure 2-2. Instruction flow of the PowerPC e500 processor

Figure 2-2 shows a functional graph model of the four-wide superscalar commercial e500 processor based on the Power Architecture™ Technology [58] with seven pipeline stages. We have developed a processor model based on the micro-architectural structure, the instruction behavior, and the rules in each pipeline stage that determine when instructions can move to the next stage. The micro-architectural features in the processor model include pipelined and clock-accurate behaviors such as multiple issue for instruction parallelism, out-of-order execution and in-order-completion for dynamic scheduling, register renaming for removing false data dependency, reservation stations for avoiding stalls at Fetch and Decode pipeline stages, and data forwarding for early resolution of read-after-write (RAW) data dependency.

PAGE 26

We first define the possible pipeline interactions based on the number of nodes in the graph model and the average number of activities in each node. For example, an IALU node can have four activities: operation execution, stall, exception, and no operation (NOP). In general, the number of activities for a node will be different based on what activity we would like to test. For example, execution of ADD and SUB operations can be treated as the same activity because they go through the same pipeline path. Separation of them into different activities will refine the functional tests but increase the test generation complexity. Furthermore, the number of activities varies for different nodes. Considering a graph model with $n$ nodes where each node can have on average $r$ activities, a total of $r(1 - r^n)/(1 - r)$ properties are required to verify all interactions. The basic idea of the proof is that if we consider no interactions, there are $(n \times r)$ test programs necessary. In the presence of one interaction we need $({}^{n}C_{2} \times r^{2})$ test programs for possible combination of two nodes. ${}^{n}C_{i}$ denotes the ways of choosing $i$ nodes from $n$ nodes. Based on this model, the total number of interactions will be:

Although the total number of interactions can be extremely large, in reality the number of simultaneous interactions can be small and many other realistic assumptions


The node interaction describes a snapshot behavior of a pipelined processor at a given time, whereas the transition interaction captures the temporal behavior of the processor. Compared to FSM coverage, the node interaction faults and transition interaction faults correspond to FSM state faults and FSM state transition faults. In the presence of a fault, unexpected values will be written to the primary output such as data memory or register file, or the test program will finish at an incorrect clock cycle during simulation.

Using these pipeline interaction fault models, we define a functional coverage metric with the consideration of the following cases:

The functional coverage (FC) is defined as follows:

FC = (the number of faults detected by the test programs) / (total number of detectable faults in the fault model)    (2-2)


A significant bottleneck in processor validation is the lack of automated tools and techniques for directed test generation. Model checking-based test generation has been introduced as a promising approach for pipelined processor validation due to its capability of automatic test generation. However, traditional approaches are unsuitable for large designs due to the state explosion problem in model checking. We propose an efficient test generation technique using both design and property decompositions to enable model checking-based test generation for complex designs.

Figure 3-1. Test generation methodology using design and property decompositions

Figure 3-1 shows our functional test program generation methodology. The processor model can be generated from the architecture specification or can be developed by the designers. The properties can be generated from the specification based on a functional coverage such as graph coverage or pipeline interaction coverage. Additional properties can be added based on interesting scenarios using combined pipeline stage rules and corner cases. For efficient test generation, we decompose the properties as well as the processor model. Model checker and SAT solver are used to generate partial counterexamples for


The proposed methodology makes three important contributions: i) it develops a procedure for decomposing a temporal logic property into multiple smaller properties, ii) it presents an algorithm for merging the counterexamples generated by decomposed properties, and iii) it develops an integrated framework to support both design and property decompositions for efficient test generation of pipelined processors.

[35]. The model is often derived from a hardware or software design and the specification is typically described as temporal logic properties. Model checking also provides an automated way of verification compared to other verification methods such as theorem proving. Due to the ability of finding even subtle design errors, model checking technique has been successfully applied to many real system designs and it has become an integral part of industrial design cycle. The verification procedure of model checking consists of formal modeling of a design, creating formal properties, and proving or disproving by exploring the entire computation space of the model exhaustively.

A design is modeled as a state transition graph, called a Kripke structure [71], which is a four-tuple model M = (S, S0, R, L). S is a finite set of states. S0 is a set of initial states, where S0 ⊆ S. R : S → S is a transition relation between states, where for every state s ∈ S, there is a state s′ ∈ S such that the state transition (s, s′) ∈ R. L : S → 2^AP is the labeling function to mark each state with a set of atomic propositions (AP) that hold in that state. A path in the structure, π ∈ M from a state s, is a computation of the implementation which is an infinite sequence of states and transitions, π = s0 s1 s2 ... such that s0 = s and R(si, si+1) holds for all i ≥ 0. Temporal behavior of the implementation is the computation represented by a set of paths in the structure. Properties are expressed


1. 2. 3. 4.

For example, the property G(req → F(ack)) describes that if req is asserted then the design must eventually reach a state where ack is asserted.

Given a formal model M = (S, S0, R, L) of a design and a propositional temporal logic property p, the model checking problem is to find a set of all states in S that satisfy p, {s ∈ S | M, s ⊨ p}. If all initial states are in the set, the design satisfies the property. If the property does not hold for the design, a trace from the error state to an initial state is given as a counterexample that helps designers debug the error. To achieve complete confidence of correctness of the design, the specification

Due to the high complexity of realistic designs, the number of states of the design can be very large and the explicit traversal of the state space becomes infeasible, known as the state explosion problem. To alleviate this problem, symbolic model checking [22, 80] represents the finite state machine of the design in the form of binary decision diagrams


[19], a canonical form for boolean expression. More than 10^20 states can be handled by BDD-based model checkers. More recently, SAT solvers have been applied to bounded model checking [15, 16]. The basic idea behind SAT-based bounded model checking is to consider counterexamples of a particular length and produce a propositional formula that is satisfiable if such a counterexample exists. This technique can not only generate counterexamples of minimal length much faster but also handle a larger number of states of the design compared to traditional symbolic model checking.

Despite the success of symbolic model checking, the state explosion problem is still challenging in applying to large designs of industrial strength. To reduce the number of states of the design model, a lot of techniques have been proposed such as symmetry reductions [31, 42, 82, 101], partial order reductions [5, 6, 12, 49, 91], and abstraction techniques [9, 10, 32, 36, 39, 61, 76]. Among these techniques, combining model checking with abstraction has been successfully applied to verify a pipeline ALU circuit with more than 10^1300 reachable states [33]. The proposed test generation approaches in this dissertation fit in the abstraction techniques in that the components of the original design model that are irrelevant to a given property are removed through the decomposition of design and property under consideration.

Figure 3-2. Test generation using model checking


Figure 3-2 shows a basic test generation framework using model checking. In this scenario, a processor model is described in a temporal specification language and a desired behavior is expressed in the form of temporal logic property. A model checker exhaustively searches all reachable states of the model to check if the property holds (verification) or not (falsification), which is called unbounded model checking. If the model checker finds any reachable state that does not satisfy the property, it produces a counterexample. This falsification can be quite effectively exploited for test generation. Instead of a desired property, its negated version is applied to the model checker to produce a counterexample. The counterexample contains a sequence of instructions from an initial state to a state where the negated version of the property fails.

Figure 3-3. Specification-driven test generation using model checking

Specification-driven test generation using model checking has shown promising results [86]. It can generate test programs at early design stage without any low-level implementation knowledge. Figure 3-3 shows a specification-driven test program generation scenario. A designer starts by specifying the processor architecture in an Architecture Description Language (ADL) that is used to capture both the structure and the behavior of the processor. A processor model is generated from the ADL specification. Various properties (desired behaviors) are generated from the high level microarchitectural


However, the time and memory required for test generation are prohibitively large. Furthermore, this method cannot be used for test generation of complex pipelined processors due to the state explosion problem. This dissertation presents an efficient test generation technique to reduce both test generation time and memory requirement for complex processors. The proposed test generation approach reduces the search space of counterexamples by decomposing design specification and properties [67, 69] and restricting the length of counterexamples [68, 87].

[2], used for functional verification of IBM processors, combines architecture and testing knowledge for efficient test generation. In Piparazzi [2], a model of micro-architectural processor and the user's specification are converted into a Constraint Satisfaction Problem (CSP) and the dedicated CSP solver is used to construct an actual test program. Many techniques have been proposed for directed test program generation based on an instruction tree traversal [4], micro-architectural coverage [70, 108], and functional coverage using Bayesian Networks [44]. Recently, Gluska [48] described the need for coverage directed test generation in coverage-oriented verification of the Intel Merom microprocessor.

Several formal model-based test generation techniques have been developed for validation of pipelined processors. In FSM-based test generation, FSM coverage is used to generate test programs based on reachable states and state transitions [24, 56, 59, 65]. Since complicated micro-architectural mechanisms in modern processor designs include interactions among many pipeline stages and buffers, the FSM-based


[109] have presented an FSM model partitioning technique based on micro-architectural pipeline storage buffers. Similarly, Shen and Abraham [99] have proposed an RTL abstraction technique that creates an abstract FSM model while preserving clock accurate behaviors. Wagner et al. [112] have presented a Markov model driven random test generator with activity monitors that provides assistance in locating hard-to-find corner case design bugs and performance problems.

Model checking [35] has been successfully used in processor verification for proving properties. Ho et al. [55] extract controlled token nets from a logic design to perform efficient model checking. Jacobi [60] used a methodology to verify out-of-order pipelines by combining model checking for the verification of the pipeline control, and theorem proving for the verification of the pipeline functionality. Compositional model checking is used to verify a processor microarchitecture containing most of the features of a modern microprocessor [63]. Parthasarathy et al. [90] have presented a safety property verification framework using sequential SAT and bounded model checking. Model checking based techniques are also used in the context of falsification by generating counterexamples. Clarke et al. [34] have presented an efficient algorithm for generation of counterexamples and witnesses in symbolic model checking. Bjesse et al. [17] have used counterexample guided abstraction refinement to find complex bugs. Automatic test generation techniques using model checking have been proposed in software [47] as well as in hardware validation [83]. However, traditional model checking based techniques do not scale well due to the state space explosion problem. To reduce the test generation time and memory requirement, Mishra and Dutt [84, 85] have proposed a design decomposition technique at the module level when the original property contains variables for only a single module. However, their technique does not handle properties that have variables from multiple modules. Such properties are common in test generation. Our framework allows such


4. The processor model, the negated version of the property, and the required bound are applied to our decompositional model checking framework to generate a test program for the property.

The algorithm iterates over all the interaction faults based on the functional coverage and corner cases. The processor model as well as the properties can be generated from the


Design and property decomposition scenarios

Design  Property  Comments
0       0         Traditional model checking
0       1         Merging of counterexamples is not always possible
1       0         Similar to traditional model checking
1       1         Our approach, both property and design decompositions

0: Original; 1: Decomposed/partitioned.

specification. Section 2.2 describes a graph-based modeling of pipelined processors. The property generation based on pipeline interaction coverage is described in Section 3.4.1. The design and property decomposition techniques are described in Section 3.4.2 and Section 3.4.3 respectively. Section 4.3.1 presents a technique to determine a bound for finding counterexamples for a given property. The proposed approach in this chapter uses unbounded model checking to generate partial counterexamples for the partitioned modules and properties.

Integration of these partial counterexamples is a major challenge due to the fact that the relationships among decomposed modules and sub-properties may not be preserved at the top level. We propose a timestep-based integration of partial counterexamples to construct the final test program. Section 3.4.4 presents the proposed test generation technique based on decompositional model checking. Section 3.4.5 presents our conflict resolution technique during merging of partial counterexamples.

It is important to note that the property and design decompositions are not independent. Table 3-1 shows four possible scenarios of design and property decompositions. The first scenario indicates traditional model checking where original property is applied to the whole design. The second case implies that the decomposed properties are applied to the whole design. In certain applications this may improve overall model checking efficiency. However, in general this procedure is not applicable since merging of counterexamples may not generate the expected result. For example, two sub-properties may generate counterexamples to stall the respective units in a pipelined processor but the combined test program may not simultaneously stall both the units. The third scenario


2.3 are expressed in linear temporal logic (LTL) [35] where each property consists of temporal operators (G, F, X, U) and Boolean connectives (∧, ∨, ¬, and →). We generate a property for each pipeline interaction from the specification. Since pipeline interactions at a given cycle are semantically explicit and our processor model is organized as structure-oriented modules, pipeline interactions can be converted in the form of a property such as F(p1 ∧ p2 ∧ ... ∧ pn) that combines activities pi over n modules using logical AND operator. The atomic proposition pi is a functional activity at a node i such as operation execution, stall, exception or NOP. The property is true when all the pi's (i = 1 to n) hold at some time step. Since we are interested in counterexample generation, we need to generate the negation of the property first. The negation of the properties can be expressed as:

For example, the negation of F(p1 ∧ p2 ∧ ... ∧ pn), interaction fault, can be described as G(¬p1 ∨ ¬p2 ∨ ... ∨ ¬pn) whose counterexamples will satisfy the original property. In the following section, we describe how to decompose these properties (already negated) for efficient test generation using model checking.


(3-2)


The property F(p ∧ q) is true when both p and q hold at the same time step. But F(p) ∧ F(q) is true even when p and q hold at different time steps. Therefore, F(p ∧ q) ≠ F(p) ∧ F(q). However, we can use F(p) and F(q) for test generation to activate the property F(p ∧ q) based on Lemma 4.


The property G(p ∨ q) is true when either p or q holds at every time step. But G(p) ∨ G(q) is true either when p holds at every time step, or when q holds at every time step. Therefore, G(p ∨ q) ≠ G(p) ∨ G(q). In this case, the counterexamples of the decomposed properties G(p) and G(q) cannot directly be used to generate a counterexample of G(p) ∨ G(q) since G(p) ∨ G(q) → G(p ∨ q), that is, (C_G(p) ∩ C_G(q)) ⊇ C_G(p∨q). In other words, not all common counterexamples of G(p) and G(q) can be used as a counterexample of G(p ∨ q). Furthermore, it is hard to know whether the common counterexamples of G(p) and G(q) belong to C_G(p∨q). To address this problem, this dissertation proposes a scheme of introducing the notion of clock that allows the decomposed properties to produce a counterexample of G(p ∨ q) as described in Lemma 5.

For example, Figure 3-4 describes a Kripke structure [35] with four states s0, s1, s2, and s3, where s0 is the only initial state. The structure has three transitions: (s0, s1), (s0, s2), (s0, s3), and self-loop in each state. There are two local variables p for module 1 and q for module 2: p holds on states {s0, s1} and q holds on states {s0, s2}. Assuming the original property is F(p = 0 ∧ q = 0), a specific time step is introduced F(clk = ts ∧ p =


0 ∧ q = 0)

An example of Kripke structure model

Based on Lemma 5, the interaction fault G(¬p1 ∨ ¬p2 ∨ ... ∨ ¬pn) is converted into G((clk ≠ ts) ∨ ¬p1 ∨ ¬p2 ∨ ... ∨ ¬pn). The decomposed properties G((clk ≠ ts) ∨ ¬p1), G((clk ≠ ts) ∨ ¬p2), ..., G((clk ≠ ts) ∨ ¬pn) are repeatedly applied to the model checker until a common counterexample is found among them as described in Section 3.4.4. The counterexample is one of the interactions that satisfies the property F((clk = ts) ∧ p1 ∧ p2 ∧ ... ∧ pn). In this decomposition scenario, the time step (ts)


[8], deciding bound is a challenging problem since the depth of counterexamples is unknown in most cases. Section 4.3.1 describes a way of deciding the bound (ts) that enables test generation using SAT-based bounded model checking.

For certain properties such as p U q, F(p → F(q)), F(p → G(q)), G(p → G(q)), or G(p → F(q)), decompositions are not beneficial compared to traditional model checking because it is very difficult to decide a specific time step between their decomposed properties. Although many property decompositions are not possible, it is important to note that the scenarios described in this section are sufficient to generate the test programs in the context of pipeline interactions. In addition to these interaction properties, many micro-architectural properties have been created that are based on real experiences of industrial designers for test generation of an e500 processor.

An important consideration during property decomposition is how to specify/handle the different types of variables in the property. In general, the properties are described as pairs of module names and variable names. An interaction fault property pi can be either a local variable in a single module or a global variable over multiple modules. If pi is a local variable, it is converted into (mi.pi) where mi is the corresponding module. If pi is a global variable, pi is decomposed into sub-properties of corresponding modules. For example, for the property G(¬p1 ∨ ¬p2), if p1 is an interface variable between m1 and m2, then the property is converted as G(¬m1.p1 ∨ (¬m2.p1 ∨ ¬m2.p2)). Decomposition of global variables is based on the decomposed modules of a processor model and their interfaces.

2.2. In other


It is important to note that the design decomposition is dependent on the property decomposition. The pipelined processor can be simply partitioned into functional modules. However, we need to change the partitioning policy based on the properties, because some properties are hard to decompose at the module level when they are spread across multiple modules or are in complicated forms such as p U q, F(p → G(q)), G(p → F(q)), and so on. For example, a property may not be decomposable based on a module level partitioning but it may be decomposable based on a pipeline path level partitioning.

We consider three partitioning techniques: module-level, path-level and stage-level partitioning. Module (or node) level partitioning gives the lowest level of granularity in the graph model in Figure 2-1. The integer-ALU pipeline path {Fetch, Decode, IALU, MEM, WriteBack} is treated as one of the path level partitions. Similarly, the multiplier path, the floating-point adder path, and the divider path are the other examples of path level partitioning for the MIPS processor in Figure 2-1. Stage-level partitioning is determined by the distance from the root node (e.g., Fetch). In general, various forms of design and property partitioning are possible and different graph clustering algorithms can be used to find different design partitions for a given property decomposition. Section 3.4.4 describes two design partitioning techniques using illustrative examples.
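The clock-based decomposition of G(¬p ∨ ¬q) discussed above, replayed on the Figure 3-4 Kripke structure as the text describes it, in an added Python example that is not code from the dissertation. It enumerates bounded paths explicitly instead of calling a model checker; the STAGGERED structure, the function names and the path lengths are assumptions made for illustration.

```python
# Added example: explicit-state check of clocked property decomposition.
# Figure 3-4 structure as described in the text: s0 is initial, edges
# s0->s1, s0->s2, s0->s3, a self-loop on every state; p holds on {s0, s1}
# and q holds on {s0, s2}.
FIG_3_4 = {
    "init": ["s0"],
    "next": {"s0": ["s0", "s1", "s2", "s3"],
             "s1": ["s1"], "s2": ["s2"], "s3": ["s3"]},
    "label": {"s0": {"p": 1, "q": 1}, "s1": {"p": 1, "q": 0},
              "s2": {"p": 0, "q": 1}, "s3": {"p": 0, "q": 0}},
}

# Constructed structure (assumption, not from the thesis): p drops to 0 at
# step 1 and q at step 2, but never in the same step.
STAGGERED = {
    "init": ["a"],
    "next": {"a": ["b"], "b": ["c"], "c": ["c"]},
    "label": {"a": {"p": 1, "q": 1}, "b": {"p": 0, "q": 1},
              "c": {"p": 1, "q": 0}},
}


def paths(model, length):
    """All state sequences with `length` transitions from an initial state."""
    frontier = [(s,) for s in model["init"]]
    for _ in range(length):
        frontier = [path + (nxt,) for path in frontier
                    for nxt in model["next"][path[-1]]]
    return frontier


def g_nonzero(variables, ts=None):
    """State predicate of G((clk != ts) | v1 != 0 | v2 != 0 | ...).

    With ts=None the clock term is omitted (the unclocked property)."""
    def holds(step, labels):
        if ts is not None and step != ts:
            return True
        return any(labels[v] != 0 for v in variables)
    return holds


def counterexamples(model, length, holds):
    """Bounded paths that violate G(holds) at some step."""
    return {path for path in paths(model, length)
            if any(not holds(t, model["label"][s])
                   for t, s in enumerate(path))}


def common_counterexamples(model, length, variables, ts=None):
    """Paths that violate every decomposed single-variable property."""
    per_var = [counterexamples(model, length, g_nonzero([v], ts))
               for v in variables]
    return set.intersection(*per_var)


def find_interaction(model, bound, variables):
    """Try ts = 0..bound until the clocked sub-properties share a counterexample."""
    for ts in range(bound + 1):
        common = common_counterexamples(model, bound, variables, ts)
        if common:
            return ts, sorted(common)
    return None


if __name__ == "__main__":
    shared = common_counterexamples(STAGGERED, 3, ["p", "q"])
    joint = counterexamples(STAGGERED, 3, g_nonzero(["p", "q"]))
    print("unclocked, shared by G(p!=0) and G(q!=0):", shared)
    print("unclocked, violating G(p!=0 | q!=0):   ", joint)
    print("Figure 3-4:", find_interaction(FIG_3_4, 2, ["p", "q"]))
```

On STAGGERED the unclocked sub-properties share a counterexample that does not violate the joint property, which is the mismatch the clock term removes; with the clock term the shared set and the joint set coincide for every ts.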


          inputs
        for each applicable parent node Mr of Mk
          outRr = Extract output requirements for Mr from inpRk
          NextList[r] = NextList[r] ∪ outRr
          AllList[clk][r] = AllList[clk][r] ∪ outRr
        endfor
      else
        PrimaryInputs = PrimaryInputs ∪ inpRk
      endif
      if TaskList is empty
        clk = clk − 1; TaskList = NextList; NextList = ∅
      endif
    endwhile
    if clk = 0 and TaskList is not empty
      Report(boundi is too small); testi = ∅
    endif
    else testi = ExtractInstructions(PrimaryInputs)
    return testi
End


3.4.2. Similarly, the design is decomposed based on the property decomposition and the techniques described in Section 3.4.3. This algorithm uses three lists to maintain the decomposed properties: TaskList for the present clock cycle clk, NextList for the next cycle i.e., clk − 1, and AllList for all properties. Each entry in the TaskList and the NextList contains a collection of sub-properties that are applicable to corresponding design partitions. Therefore, each list can have up to n entries where n is the number of design partitions in the processor model. The tasks in the TaskList need to be performed in the current time step (clk). The tasks in the NextList will be performed in the next time step (clk − 1). AllList contains all the entries of TaskList for each time step. This information is used to resolve the conflict among sub-properties as described in Section 3.4.5. Initially these lists are empty.

The proposed algorithm generates one test program for each property set DPi that consists of one or more sub-properties based on their applicability to different modules or partitions in the design as discussed in Section 3.4.1. The algorithm adds the sub-properties in the TaskList and AllList based on the partitions to which these properties are applicable. The algorithm iterates over all the sub-properties in the TaskList. It removes an entry (say k-th location) from the TaskList which is the output requirement outRk of k-th partition. In general, this entry can be a list of sub-properties (due to simultaneous output requirements from multiple children nodes) that need to be applied to partition Mk. These sub-properties are composed to create the intermediate property Pki using MergeRequirements procedure described in Section 3.4.5. After negation of Pki, the property


For illustration, consider a simple property P1 to verify a multiple execution scenario consisting of IALU (3rd module) and DIV (15th module) nodes in Figure 2-1 at clock cycle 5. We assume the module level partitioning of the design for this example. The property can be decomposed into two sub-properties P31 (IALU not stalled in cycle 5) and P151 (DIV not stalled in cycle 5). This implies that TaskList will have two entries before entering the while loop: TaskList[3] = P31 and TaskList[15] = P151. At the first iteration of the while loop P31 will be applied to M3 (IALU) using model checker; generated counterexample will be analyzed to find the output requirement for the Decode unit (2nd module in Figure 2-1) in clock cycle 4; and the requirement will be added to NextList[2]. During second iteration of the while loop P151 (TaskList[15]) will be applied to M15 (DIV); generated counterexample will be analyzed to find the output requirement for the Decode unit in clock cycle 4; and the requirement will be added to NextList[2]. At this point, the TaskList is empty and the NextList has only one


Consider a multiple exception scenario at clock cycle 7 consisting of an overflow exception in IALU, divide by zero exception in DIV unit, and a memory exception in the MEM unit. The desired property P is shown as below:

    &(DIV.exception=1))
    |(DIV.exception~=1))
    P2: G((clk~=7) | (IALU.exception~=1))
    P3: G((clk~=7) | (DIV.exception~=1))


    P23': G((clk~=6) | (decOp[0].opcode~=ADD) | (decOp[0].src1Val~=2) |
            (decOp[0].src2Val~=2) | (decOp[3].opcode~=DIV) |
            (decOp[3].src2Val~=0))

    Cycle  [0]            [1]  [2]  [3]            // R0 is 0
    1      ADDI R2 R0 #2  NOP  NOP  NOP            // R2 = 2
    2      NOP            NOP  NOP  NOP
    3      NOP            NOP  NOP  NOP
    4      LD R1 0(R0)    NOP  NOP  NOP
    5      ADD R3 R2 R2   NOP  NOP  DIV R3 R0 R0

The example shown above assumes a module-level partitioning of the processor model. However, it is not always possible to decompose a property based on module level partitioning. For example, if we are trying to determine whether two feedback 3.4.5


2-1 are activated at the same time, it is not possible to decompose this property at module level because the "implication" relation between feedOut and feedIn (in the following property) will be lost.

To enable property decomposition in this example, we need to partition the design differently. The floating-point adder path (FADD1 to FADD4) should be treated as a design partition Fpath. Similarly, the multiplier path (MUL1 to MUL7) should be treated as another partition Mpath. This new partitioning is applied for test generation. First, P1 and P2 can be applied on Fpath and Mpath respectively to generate counterexamples C1 and C2. Next, C1 and C2 are combined and the corresponding property is applied to the Decode unit to generate the counterexample C3. Next, the property corresponding to C3 is applied to the Fetch unit that generates the primary input requirements. Finally, these primary input requirements are converted into the required test program. The property decomposition procedure is shown below.

    P: F((clk=9) & (FADD4.feedOut -> X(FADD1.feedIn))
         & (MUL7.feedOut -> X(MUL1.feedIn)))
    /* Converted Property */
    P: F(((clk=9 & FADD4.feedOut) & (clk=10 & FADD1.feedIn))
         & ((clk=9 & MUL7.feedOut) & (clk=10 & MUL1.feedIn)))
    /* Property after Negation */
    P': G(((clk~=9 | ~FADD4.feedOut) | (clk~=10 | ~FADD1.feedIn))
          | ((clk~=9 | ~MUL7.feedOut) | (clk~=10 | ~MUL1.feedIn)))
    /* Properties after Decomposition */
    P1: G((clk~=9 | ~FADD4.feedOut) | (clk~=10 | ~FADD1.feedIn))
    P2: G((clk~=9 | ~MUL7.feedOut) | (clk~=10 | ~MUL1.feedIn))


2-2, four reservation station (RS) modules share the parent module Issue. Counterexamples (input requirements of each RS) generated from four RSs at the time step ts+1 should be combined for creating the output property of Issue module at clk = ts. However, they can require different output values for the same variable of the module Issue.

In case of output requirement conflict, the algorithm adjusts input requirements of the children nodes by excluding the current input requirement, called false requirement. For example, assume that output variables of the parent are p and q, the input requirement of one child is (p = 1 ∧ q = 0) that is generated by G((clk ≠ (ts+1)) ∨ ¬(m1.p = 1)) at module 1, and the input requirement of the other child is (p = 0 ∧ q = 1) that is generated by G((clk ≠ (ts+1)) ∨ ¬(m2.q = 1)) at module 2. Obviously, there is no way to assign output p and q to satisfy these two conflicting inputs. We refine the sub-properties of children nodes to resolve the conflict requirements by excluding the false requirement. The desired sub-properties stored in AllList[ts+1] for children nodes are modified by adding the negated version of the conflict requirement as shown below:

To generate the input requirements of the module 1, the above properties are negated as shown below:


These sub-properties do not allow the counterexample (p = 1 ∧ q = 0) anymore. The generated counterexample will be (p = 1 ∧ q = 1) as the input requirements of module 1 and module 2. As a result, we can merge them into the output requirement of the parent node as (p = 1 ∧ q = 1) at clk = ts. If there is an interface variable r between the parent and its child module 2, it does not cause the output requirement conflict of the parent node since the input requirement of module 1 does not care about the variable r. If there is another child node module 3 that has the interface variables p and r, we need to adjust three input requirements of module 1, module 2, and module 3 to resolve any conflict among them. It is possible that there are no common variable assignments for shared input variables among children nodes since their output requirements may be generated from false input requirements from the subsequent stages (grandchildren nodes). In this case, we need to refine the sub-properties of grandchildren nodes stored in AllList[ts+2]. The procedure of sub-property refinement continues until the conflict is resolved or clk is equal to boundi which is upper bound to search for a test program.

[54] and a superscalar commercial e500 processor [58]. Various test generation experiments were performed for validating the pipeline interactions by varying different design partitions and property decompositions. This section presents experimental results in terms of time and memory requirement in test generation.

2-1. SMV [79] model checker has been used to perform all the experiments. Few simplifications were needed to the MIPS processor to compare with two other approaches: i) naive approach where the original


[84]. For example, if 32 32-bit registers are used in the register file, the naive approach cannot produce any counterexample even for a simple property with no pipeline interaction due to memory depletion during model checking. We used eight 2-bit registers for the following experiments to ensure that the naive approach can generate counterexamples. All the experiments were run on a 1 GHz Sun UltraSparc with 8G RAM.

Table 3-2. Comparison of test generation techniques

Module          Naive approach    Existing approach    Our approach
interactions    BDD     Time      BDD     Time         BDD     Time
None            6M      165       3K      0.06         3K      0.06
Two modules     11M     215       NA      NA           6K      0.12
Three modules   21M     240       NA      NA           9K      0.19
Four modules    27M     290       NA      NA           11K     0.28

NA: Not applicable.

Table 3-2 presents the results of the comparison of test generation techniques. The first column defines the type of properties used for test generation. For example, "None" implies properties applicable to only one module; "Two Modules" implies properties that include two module interactions and so on. Each row presents the average values for the BDD nodes (memory requirement) used as well as test generation time (in seconds) for one property. For example, the first row presents the average time and memory requirement for 68 (n = 17, r = 4, and i = 1 in Eq. 2-1) single module properties. The naive approach takes several orders of magnitude more memory and test generation time. The existing approach is only applicable to the first row since it cannot handle multiple simultaneous properties or property decompositions. As mentioned earlier, the naive approach cannot finish in majority of the cases when more registers are used. As a result we used only 8 2-bit registers. In spite of this simplification, naive approach takes several orders of magnitude more memory and test generation time.


Table 3-3 shows a subset of the directed test cases, their corresponding length in terms of number of instructions, and test generation time. For example, the test program for case 11 validates the feature of Completion Queue (CQ) by piling data up and down in the first-in-first-out (FIFO) queue. Test programs for case 3 through 6 exercise operand read from four different resources as shown in Figure 3-5, which can be generated at micro-architecture level but very difficult at ISA level. In terms of efficiency, only several seconds were spent on test generation except for the case 11 where test generation took few minutes. The test cases 13-18 show various interaction scenarios. For example, test case 13 only activates one node whereas test case 15 considers three node interactions at the same clock cycle.


Various test cases generated by our framework

     Test cases                                                                                              Test length  Time
 1   Instruction dual issue                                                                                  15           30
 2   Renaming src1 operand                                                                                   12           25
 3   Read operand from forwarding path (RAW)                                                                 9            20
 4   Reservation station reads operand from forwarding path                                                  7            15
 5   Read operand from renaming reg. (RAW)                                                                   10           20
 6   Read operand from GPR (RAW)                                                                             11           25
 7   Renaming for WAW (no stall)                                                                             8            20
 8   Stall at Decode stage due to IQ full                                                                    14           35
 9   Stall at Decode stage due to CQ full, then released queue full at the next clock cycle                  34           61
10   CQ full, then full again                                                                                35           70
11   CQ full, then empty, and then full again                                                                95           290
12   Retire only one instruction in Completion                                                               12           28
13   "lwz" instruction at LSU stage 3                                                                        7            15
14   "add" at Fetch2 and "mulhw" at MU stage 2 simultaneously                                                6            18
15   "addi" at Completion, "mulhw" at MU stage 1, & "lwz" at LSU stage 1 at the same clock                   12           25
16   "mulhw" at Completion, "add" & "addi" waits in completion queue, & "lwz" at LSU stage 3                 12           40
17   "lwz" and "add" at Completion, "mulhw" at MU stage 3, "addi" at CQ, "lwz" at LSU stage 1                14           35
18   "mulhw" & "add" retire, "mulhw" at MU stage 4, "addi" at CQ, & "lwz" at LSU-stage 2                     15           45

Figure 3-5. Four different data forwarding mechanisms


Micro-architectural validation flow

simulation. For example, test generation for uncovering incorrect stalls in pipeline stages requires timing information of instruction flow and those bugs are only visible during the clock-accurate simulation. Therefore, micro-architectural validation plays an important role in ensuring the correctness of performance as well as functionality of the processor designs.

We have performed micro-architectural validation by using the existing methodology in an industrial setting that includes an internal random test pattern generator (RTPG) tool. Figure 3-6 shows the validation flow. We converted the assembly test sequences generated by our method into the input format of the RTPG tool that produces testbenches for RTL simulation. The simulator shows how instructions go through the pipeline stages on a cycle-by-cycle basis as well as whether the stored results in register files and memory are correct or not. Capturing when and which instructions move from one stage to the next ensures that the generated tests exercise the target micro-architectural artifacts. We compared the validation effort for activating these micro-architectural features using the existing validation methodology in an industrial setting and our approach. On an average each of our test cases took less than 100 clock


This chapter presented an efficient directed test generation technique for validation of performance as well as functionality of the modern microprocessors. Our methodology is based on decompositional model checking where the processor model as well as the properties are decomposed and the model checking is applied on smaller partitions of the design using decomposed properties. We introduced the notion of time steps to enable decomposition of the properties into smaller ones based on their clock cycles. We have developed an efficient algorithm to merge the partial counterexamples generated by the decomposed properties to create the final test program corresponding to the original property. Our experimental results using MIPS and PowerPC e500 processor architectures demonstrate the efficiency of our method by generating complicated micro-architectural tests. Since the proposed technique is generic, its framework can be used for validation of other industrial-strength processors. Furthermore, this work can be seamlessly integrated in the current RTPG validation methodology without modification of the existing validation flow.


Efficient test generation is crucial for the simulation-based validation since it determines the quality of test suites as well as the performance of validation. This chapter presents an efficient test generation methodology for functional validation of processor designs using SAT-based bounded model checking (BMC).

As a complementary technique of unbounded model checking (UMC) in Chapter 3, SAT-based bounded model checking (BMC) has given promising results in the verification domain. The basic idea is to restrict the search space that is reachable from initial states within a fixed number (k) of transitions, called the bound. After unwinding the model of design k times, the BMC problem is converted into a propositional satisfiability (SAT) problem. A SAT solver is used to find a satisfiable assignment of variables that is converted into a counterexample. If the bound is known in advance, SAT-based BMC is typically more effective for falsification than UMC because the search for counterexamples is faster and the SAT capacity reaches beyond the BDD capacity [15]. However, finding the bound is a challenging problem since the depth of counterexamples is unknown in general.

Choosing an incorrect bound increases test generation time and memory requirement. In the worst case, test generation may not be possible. For example, we can increase the bound iteratively starting from a small bound until a counterexample is found. This approach is advantageous for shallow counterexamples, but disadvantageous for deep counterexamples due to accumulation of iterative running time. Another example is to choose a large bound such that all counterexamples are found. This approach loses the benefits of BMC due to search in a large number of irrelevant states when the bound is too big. Therefore, the performance of test generation closely depends on the schemes of deciding the bound. We propose a method to find the bound for each property instead of using the maximum bound for all properties.

[Figure: Test program generation using SAT-based bounded model checking]

Figure 4-1 shows our test generation methodology. Processor model and properties are generated from the architecture specification. We use the pipeline interaction fault model to define functional coverage. Temporal logic properties are created from pipeline interaction faults. We determine the bound for each property to reduce test generation time and memory requirement compared to using the maximum bound for all properties. The processor model, negated properties, and the bound are applied to SAT-based BMC to generate a test program. Based on the coverage report, more properties can be added, if necessary. We use design and property decompositions to further improve the performance of test generation. Our technique makes two important contributions: i) it develops a procedure to determine the bound for each property, and ii) it presents a scheme for design and property decompositions in the context of SAT-based BMC.

Bounded Model Checking (BMC) is a restricted form of model checking. Instead of exhaustively searching a counterexample, BMC searches for a counterexample of a particular length k, called bound or maximum length of counterexamples. The assumption is that the property can be falsified (a counterexample exists) within k time steps.

In SAT-based BMC, the BMC problem is encoded into the satisfiability problem and a SAT solver is used as a verification engine instead of a model checker. To perform verification, SAT-based BMC includes the following steps:

1. Unfold design and property up to the bound k.
2. Encode the bounded design and property into a CNF formula.
3. Apply the CNF formula to a SAT solver.
4. If satisfiable, then the property does not hold for the design and the satisfiable assignment of variables is converted to a counterexample.
5. If unsatisfiable and $k \ge d$ (d: diameter

The CNF formula is satisfiable if and only if a violated state is reachable within the bound k. The resulting satisfiable assignment of variables is translated into an error trace from a valid initial state to the violated state. If the bound k is equal to or larger than the diameter and the CNF formula is unsatisfiable, then the design satisfies the property 81 ]
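The steps above, run end to end as an added example (this is not code from the dissertation): a constructed eight-variable pipeline model is unfolded k times, encoded as CNF, and handed to a small DPLL solver that stands in for a production SAT solver. The unit names, the no-stall transition relation and the instruction mnemonics are assumptions made for the example; the property asks for IALU, FADD2 and FADD3 to be busy in the same cycle, and the per-property bound is taken as the longest temporal distance of those units from the fetch input.

```python
# Added example: SAT-based BMC on a constructed pipeline model (not the thesis's processor model).
# Each unit holds, at step t+1, what its predecessor held at step t (no stalls are modelled).
PRED = {"FEi": "in_int", "FEf": "in_fp",        # fetch holds an integer / FP instruction
        "DEi": "FEi", "DEf": "FEf",              # decode
        "IALU": "DEi",                           # integer pipeline
        "FADD1": "DEf", "FADD2": "FADD1", "FADD3": "FADD2"}   # FP adder pipeline
INPUTS = ("in_int", "in_fp")                     # free variables: what is fetched each cycle


def distance(unit):
    """Temporal distance of a unit from the fetch input (FE = 1, DE = 2, ...)."""
    steps = 0
    while unit not in INPUTS:
        unit, steps = PRED[unit], steps + 1
    return steps


def encode(units, k):
    """Steps 1-2: unfold the model k times and encode it, with the negated property, as CNF."""
    ids = {}

    def var(name, t):
        return ids.setdefault((name, t), len(ids) + 1)

    cnf = [[-var(u, 0)] for u in PRED]                      # initial state: every unit idle
    for t in range(k):
        cnf.append([-var("in_int", t), -var("in_fp", t)])   # single issue per cycle
        for u, p in PRED.items():                           # u(t+1) <-> p(t)
            cnf += [[-var(u, t + 1), var(p, t)], [var(u, t + 1), -var(p, t)]]
    # G(not all units busy) is violated iff some step t <= k has every unit busy.
    bad = [var("bad", t) for t in range(k + 1)]
    for t in range(k + 1):
        cnf += [[-bad[t], var(u, t)] for u in units]        # bad(t) -> unit busy at t
    cnf.append(bad)
    return cnf, ids


def dpll(cnf, assign):
    """Step 3: a small DPLL solver. Returns a satisfying assignment or None."""
    assign = dict(assign)
    while True:
        rest, unit = [], None
        for clause in cnf:
            if any(assign.get(abs(l)) == (l > 0) for l in clause):
                continue                                    # clause already satisfied
            free = [l for l in clause if abs(l) not in assign]
            if not free:
                return None                                 # conflict under this assignment
            if len(free) == 1:
                unit = free[0]
            rest.append(free)
        if unit is None:
            break
        assign[abs(unit)] = unit > 0                        # unit propagation
        cnf = rest
    if not rest:
        return assign
    branch = abs(rest[0][0])
    for value in (True, False):
        model = dpll(rest, {**assign, branch: value})
        if model is not None:
            return model
    return None


def generate_test(units, bound=None, max_k=20):
    """Steps 3-4: one SAT call at a known bound, or iterate k = 1, 2, ... until SAT.
    Returns (k, test program, number of SAT calls), or None if nothing was found."""
    ks = [bound] if bound is not None else range(1, max_k + 1)
    for calls, k in enumerate(ks, 1):
        cnf, ids = encode(units, k)
        model = dpll(cnf, {})
        if model is not None:                               # counterexample -> test program
            program = []
            for t in range(k):
                fp = model.get(ids[("in_fp", t)])
                integer = model.get(ids[("in_int", t)])
                program.append("FADD" if fp else "ADD" if integer else "NOP")
            return k, program, calls
    return None


if __name__ == "__main__":
    prop = ("IALU", "FADD2", "FADD3")
    bound = max(distance(u) for u in prop)
    print("per-property bound:", bound)
    print("one call at that bound:", generate_test(prop, bound))
    print("iterating from k = 1:  ", generate_test(prop))
```

Only the first three fetch slots are forced by the property; the remaining slots are don't-cares that the solver fills arbitrarily.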

16 ] introduced bounded model checking (BMC) combined with satisfiability solving. The recent developments in SAT-based BMC techniques have been presented in [15, 30, 93]. BMC is an incomplete method that cannot guarantee a true or false determination when a counterexample does not exist within a given bound. However, once the bound of a counterexample is known, large designs can be falsified very fast since SAT solvers [50, 78, 88, 114] do not require exponential space, and searching counterexample in an arbitrary order consumes much less memory than breadth first search in model checking.

The performance of bounded and unbounded algorithms was analyzed on a set of industrial benchmarks in [7, 8]. The capacity increase of BMC techniques has become attractive for industrial use. An Intel study [37] showed that BMC has better capacity and productivity over unbounded model checking for real designs taken from the Pentium-4 processor. Recently, Gurumurthy et al. [52] have used BMC as test program generator for mapping pre-computed module-level test sequences to processor instructions.

SAT-based BMC is one of the most promising test generation engines due to its capacity and performance. However, finding the bound is a challenging problem. We propose a method to determine the bound for each test generation scenario, thereby making SAT-based BMC feasible in practice.

79 ] or NuSMV [29]. We create negated properties and their bounds. A SAT-based BMC unfolds the processor model along with a negated property

3.4.1. Bound $k_i$ for each property is decided as discussed in Section 4.3.1. SAT-based BMC takes processor model

So far, we assumed that the whole design model is applied to SAT-based BMC. This approach is effective when the design is of moderate size and the bound is shallow. However, for the test generation scenarios consisting of large designs and deep counterexamples, SAT-based BMC may not be able to generate tests in a reasonable amount of time due to large search space. In other words, the complexity problem still remains in SAT-based BMC. In such cases, decompositions of property as well as design will reduce the test generation complexity.

2-1, the maximum bound is determined by the length of $\{FE \rightarrow DE \rightarrow IALU \rightarrow MEM \rightarrow Cache \rightarrow MM \rightarrow Cache \rightarrow MEM \rightarrow WB\}$ if cache miss takes more time than any other pipeline paths. However, this bound is over-conservative in most test scenarios because a lot of interactions do not include this longest path. Therefore, using bound for each interaction is more efficient for test generation in terms of time and memory requirement.

Bound for each interaction is determined by the longest temporal distance from the root node to the nodes under consideration. For example, bound for the property "IALU, FADD2, and FADD3 in operation execution at the same time" will be 5 because FADD3 has the longest temporal distance from Fetch stage. If a property includes stall or

2.2. However, SAT-based BMC at the module level may not be beneficial anymore because UMC can handle small designs efficiently. Experimental results in Section 4.4.3 show that UMC might be better for small designs. In addition, module level decomposition is not always possible since local properties are not preserved at the global level in general. However, the properties that are not decomposable at module level may be decomposable by the horizontal and vertical partitioning techniques.

2-1. We chose the MIPS processor since it has been well studied in academia and there are HDL implementations available for the processor that can be used for validation purposes. Additionally, the MIPS processor has many interesting features, such as fragmented pipelines and multi-cycle functional units that are representatives of many commercial pipelined processors such as TI C6x and PowerPC.

For our experiments, we used Cadence SMV [79] as a model checker and zChaff [88] as a SAT solver. We used 16 16-bit registers in the register file for the following experiments. All the experiments were run on a 1 GHz Sun UltraSparc with 8G RAM.

4-1 where Decode unit is in stall due to the read-after-write (RAW) hazard by FADD instruction.

Table 4-1. Example of a test program

Fetch cycle    Instructions
1              FADD R1 R2 R2
2              NOP
3              ADD R3 R2 R2
4              ADD R3 R1 R2
5              NOP

[Table: Comparison of test generation techniques for pipeline interactions. Columns: Interaction modules; Decomposed design; UMC; SAT-based BMC (Max. k); SAT-based BMC (Each k)]

4-2 compares our test generation technique with UMC-based test generation for different module interactions. The first column specifies a set of properties based on the number of interactions. For example, the third row presents average test generation time (in seconds) for all properties consisting of two ("2") module interactions. The second column presents the level of decomposition used during test generation. The entry whole implies that no decomposition is used. The entry group implies that either horizontal or vertical or both decompositions are used. Similarly, the entry module implies that the test generation uses module-level decomposition. The next three columns show the performance of three test generation techniques: UMC, BMC using maximum bound, and BMC using bound for each property. The maximum bound 45 was used assuming that the longest length is taken by memory operations i.e., the sum of the IALU pipeline path length (5) and data-transfer path length (40). In the table, X indicates that a counterexample was not found due to "Out of Memory" problem.

[Figure: Test generation time comparison for four techniques]

Figure 4-2 shows test generation time comparison for four techniques using: maximum bound without decomposition, maximum bound with decomposition, individual bound without decomposition, and individual bound with decomposition. As expected, Table 4-2 and Figure 4-2 show that the test generation time grows with the increase of the number of module interactions. UMC can be used only with module level decompositions while SAT-based BMC can be used without decomposition. Bound for each property reduces approximately 90% of the test generation time compared to using BMC with maximum bound. An interesting observation is that UMC with module level decomposition provides better performance than SAT-based BMC. This is because the time to unfold the model and convert it to a SAT problem is more than the time to search for a counterexample.

In the current industrial practice, random and biased-random test generation techniques at architecture (ISA) level are most widely used for simulation-based validation to uncover errors early in the design cycle [2, 100]. Although directed tests require a smaller test set compared to random tests for the same functional coverage goal, the number of directed tests can still be extremely large. Therefore, there is a need for functional test compaction techniques. Since a test generated for activating a particular functional fault goes through pipeline paths over multiple clock cycles, there is a high probability that the test can accompany multiple pipeline interactions before and after it reaches the state that it tries to activate. We present an efficient test compaction technique to significantly reduce the functional test set for validation of pipelined processors.

Figure 5-1 shows the overall flow of our proposed test compaction methodology. Using the specification of a processor, we create a finite state machine (FSM) model of the processor and an FSM coverage metric based on pipeline interactions. Each FSM state (transition) indicates a pipeline interaction and can be represented as a property for test generation. FSM compaction is performed before test generation by eliminating the states and the transitions that are illegal, redundant, or unreachable for the given design constraints. Properties for the remaining states (after elimination) can be automatically generated from the FSM model of the processor. Test programs to exercise the states in the FSM model are produced using the model checking-based test generation technique. Once all the tests are generated, test compaction is performed by pruning redundant test programs to reduce the size of a test set.

[Figure: Functional test compaction methodology]

The proposed method makes three important contributions. First, we propose an efficient FSM model of the pipelined processors, and define FSM state and transition coverage based on the pipeline interactions. Second, we propose an efficient compaction technique to significantly reduce FSM states/transitions. Finally, we apply existing test matrix reduction and minimization techniques to further reduce the number of directed tests.

24, 59, 65, 115] have been developed for validation of pipelined processors where an FSM model is used to generate a test suite based on FSM coverage metrics such as state, transition, or path coverage. In modern processor designs, complicated micro-architectural mechanisms include interactions among many pipeline stages and buffers that can lead the FSM-based approaches to the state space explosion problem. To alleviate the state explosion, FSM abstraction techniques [89, 99, 109] have been presented. However, these techniques use

Due to the large volume of test data and the extremely long test time for manufacturing test, considerable research has been done to reduce the structural test data volume. Test compaction techniques are generally categorized into dynamic and static compactions. Dynamic compaction is applied during test generation while static compaction is applied after test generation. Rudnick and Patel [96] have proposed dynamic test compaction for sequential circuits using fault simulation and genetic algorithms. El-Maleh and Osais [41] have presented decomposition-based static compaction algorithms where a test vector is decomposed into atomic components and the test vector is eliminated if its components can be all moved to other test vectors. Set covering has been applied to static compaction procedures for combinational circuits using the fault detection matrix [18, 45, 57]. Dimopoulos and Linardis [40] have modeled static compaction for sequential circuits as a set-covering problem. The matrix reduction techniques [110] can be applied to mitigate the complexity of set covering by eliminating redundant rows (faults) and columns (test vectors) in the fault detection matrix.

Although a lot of structural test compaction techniques have been proposed in manufacturing test domain, there has been no work in functional test compaction in validation domain since functional redundancy can be hard to find among functional tests. Since the volume of functional tests can be extremely large even for directed tests, we propose a functional test compaction methodology to reduce overall processor design validation efforts.

28, 56, 75, 98] have been done on FSM modeling of processors as bottom-up approaches where an abstract FSM model is extracted from RTL designs for formal verification and test generation. However, in addition to difficulty in creating an

Figure 5-2. Binary format of the states in FSM model

For example, we assign two bits to represent four functional states of Fetch unit: '00' for idle, '01' for instruction fetch, '10' for stall, and '11' for exception. Figure 5-2 shows an example of the FSM states of the pipelined processor. Given that all the functional units have only four possible states, each unit requires 2 bits for its four functionalities. This binary format of functional FSM model provides an efficient indexing mechanism to access and analyze each functional state. In addition, next states can be described as Boolean functions. For example, assuming the state transitions $(s_i, s_j)$ and $(s_i, s_k)$ with $s_j$ = '0011' and $s_k$ = '0010', the next states of $s_i$ are expressed as $\bar{B}_4\bar{B}_3B_2B_1 + \bar{B}_4\bar{B}_3B_2\bar{B}_1 = \bar{B}_4\bar{B}_3B_2$. For each state, a list of the next states is produced by transition functions described in the following section.

[Figure: Instruction flow]

Figure 5-4. Pipeline interactions

Figure 5-3 and 5-4 show the general behaviors of pipelined processors. Every instruction goes through the current pipeline stage to the next stage as shown in Figure 5-3, where fu is a functional unit, $1 \le i, k, l \le U$, $1 \le j \le D$, and D is the pipeline depth. Since each functional unit $fu_{i,j}$ can have different number of interactive functional units at stage $j-1$ and $j+1$, $fu_{k,j-1}$ and $fu_{l,j+1}$ can be multiple units. For example, a decode unit may have multiple execution units at its following stage while a fetch unit may have only one unit (decode unit) at the following stage.

Figure 5-4 shows the pipeline interactions of the functional unit $fu_{i,j}$. The state of $fu_{i,j}$ at time step t is decided by the previous and current states of its interactive units $fu_{k,j-1}$ and $fu_{l,j+1}$ as well as itself. For example, if $fu_{l,j+1}$ and $fu_{i,j}$ are on the same pipeline and $fu_{l,j+1}$ is in the stall state at time step t, then $fu_{i,j}$ should be in stall because the instruction in $fu_{i,j}$ cannot go to the next stage $fu_{l,j+1}$. Considering feedback loop such

Based on the pipelining behavior, the state transition to the functional unit $fu_{i,j}$ at time step t is defined as $ss_{i,j}(t) = f(ss_{k,j-1}(t-1), ss_{i,j}(t-1), ss_{l,j+1}(t-1), ss_{l,j+1}(t))$. Here, $ss_{i,j}(t)$ represents a set of bits to describe the functional state of $fu_{i,j}$ at time step t, and f represents a transition function decided by interactive units. Therefore, the states of the processor FSM can be expressed by concatenating $ss_{i,j}$ where $i = 1, \dots, U$ and $1 \le j \le D$.

Assuming that each state transition occurs on the basis of clock cycle, the state coverage of the proposed FSM model is similar to the pipeline interaction coverage at a given clock cycle because an FSM state consists of the states of each functional unit. The test program that covers the state will activate the corresponding pipeline interaction. We can compute the number of theoretically possible FSM states based on the number of functional units in the processor model and the average number of activities at each unit. In general, the number of activities for a unit will be different based on what activities we want to test. Furthermore, the number of activities varies for different units, thereby each unit may require different number of bits for its functional states. Considering an FSM model with m units where each unit can have on average p activities, the FSM will have $p^m$ states which can be extremely large even for simple processors. For example, a simple MIPS processor [54] with 10 functional units and 4 activities has approximately one million states. This theoretical number of functional states can be reduced by eliminating unreachable states using functional constraints described in the processor specification.

5.2.1.2, each state has a list of its next states. When a test visits the state and goes to one of its next states, we put the next state off the list since the transition between the two states is covered. State transition coverage of the FSM is achieved when the next state lists for every state are empty. The number of state transitions is determined by the processor's functional behaviors. Theoretically, the maximum number of state transitions is $N^2$, where N is the number of states, and any state can go to any state.

Figure 5-5. Single transitions between neighboring states

We employ various techniques to remove redundant states and transitions. Figure 5-5 shows inevitable states and transitions that have single outgoing transition (a and b) and single incoming transition (e and f). The states c and d are inevitable states to their neighbors because all the paths to travel a and b (e and f) should include the state c (d). The transitions $(a \rightarrow c)$, $(b \rightarrow c)$, $(d \rightarrow e)$, and $(d \rightarrow f)$ are inevitable transitions to their neighbors. We can eliminate the test cases to activate these inevitable states and transitions since any test program to exercise their neighboring states goes through them. The next state lists of each state are used to identify the inevitable states of the single outgoing transitions. If a state has only one state in its next state list, the next state is an inevitable state. In the same way, the previous state lists are used to identify the single incoming transitions.

5.2.1.2. For example, if the state of the functional unit $ss_{i,j}$ is in normal operation at time t, then the state of the previous stage unit $ss_{k,j-1}$ cannot be in idle state at time $t-1$ since the instruction in $fu_{i,j}$ must be ready at the previous pipeline stage at time $t-1$.

Table 5-1. Transition rules between $ss_{k,j-1}(t-1)$ and $ss_{i,j}(t)$

idle           idle, stall
normal op.     normal op., stall, exception
stall          idle, stall
exception      idle, stall

[Table: Transition rules between $ss_{i,j}(t-1)$ and $ss_{i,j}(t)$]

idle           idle, normal op., stall, exception
normal op.     idle, normal op., exception
stall          idle, normal op., stall, exception
exception      idle

[Table: Transition rules between $ss_{l,j+1}(t-1)$ and $ss_{i,j}(t)$]

idle           idle, normal op., stall, exception
normal op.     idle, normal op., stall, exception
stall          idle, normal op., stall, exception
exception      idle

5-1, if $ss_{k,j-1}(t-1)$ = stall, then $ss_{i,j}(t)$ can be either in idle or stall state because no instruction moves from the previous stage. In Table 5-2 and Table 5-3, if $ss_{k,j-1}(t-1)$ or $ss_{l,j+1}(t-1)$ = exception, then $ss_{i,j}(t)$ should be the idle state to flush the following instructions in the pipeline.

35 ] where each property consists of sub-states, temporal operators (G, F, X, U), and Boolean connectives ($\wedge$, $\vee$, $\neg$, and $\rightarrow$). Since pipeline interactions at a given cycle are semantically explicit and our processor model is organized as structure-oriented functional units, each state can be converted in the form of a property $F(p_1 \wedge p_2 \wedge \dots \wedge p_U \wedge (clk = t))$ that combines activities $p_i$ at i-th unit over U functional units at time step t. The negation of the property results in $G(\neg p_1 \vee \neg p_2 \vee \dots \vee \neg p_U \vee (clk \ne t))$ that is applied to a model checker for test generation.

For example, in order to generate a test for a 4-bit FSM state $s_j$ = '0011' that has 2-bit sub-states $ss_1$ and $ss_2$ for two functional units, the property of the state is described as $F(ss_1 = \text{'00'} \wedge ss_2 = \text{'11'} \wedge (clk = t))$ and its negated property $G(ss_1 \ne \text{'00'} \vee ss_2 \ne \text{'11'} \vee (clk \ne t))$ is applied to generate a test program that activates the state $s_j$ at time t.

5.2.1.2, the next state can be expressed in the same form of the current state as $p_1' \wedge p_2' \wedge \dots \wedge p_U' \wedge (clk = t+1)$. Temporal operator X is used to describe the state transition between two consecutive states where $Xp$ means that p holds at next time step. We convert each state transition in the form of a property $F((p_1 \wedge p_2 \wedge \dots \wedge p_U \wedge (clk = t)) \rightarrow X(p_1' \wedge p_2' \wedge \dots \wedge p_U' \wedge$

For example, for test generation of a state transition $(s_j, s_k)$ where $s_j$ = '0011' and $s_k$ = '0110', the transition is described as $F((ss_1 = \text{'00'} \wedge ss_2 = \text{'11'} \wedge (clk = t)) \rightarrow X(ss_1 = \text{'01'} \wedge ss_2 = \text{'10'} \wedge (clk = t+1)))$. We apply the negated property $G((ss_1 \ne \text{'00'} \vee ss_2 \ne \text{'11'} \vee (clk \ne t)) \vee (ss_1 \ne \text{'01'} \vee ss_2 \ne \text{'10'} \vee (clk \ne t+1)))$ to generate a test program that activates the state transition between $s_j$ and $s_k$.

[Figure: Test matrix for FSM coverage]

5-6 shows the Test Matrix after test generation. Diagonal elements in the matrix are all set to 1 due to the directed test generation.

38 ]. However, finding the minimum test set suffers from exponential blow-up because the set covering problems are NP-complete. Therefore, there is a need to reduce the size of matrix before applying any algorithm to solve set covering problems. The Test Matrix shrinks after iteratively applying the following rules: test essentiality, test dominance for row elimination, and state (or state transition) dominance for column elimination. If i-th column is covered by only one test, the test is an essential test that cannot be removed from the test set. The columns that are covered by the essential tests can be removed from the matrix. If all states (or state transitions) of $t_i$ are covered by $t_j$, $t_j$ dominates $t_i$ and $t_i$ (i-th row) is eliminated. If all tests of $s_i$ detect $s_j$, $s_j$ dominates $s_i$ and $s_j$ (j-th column) is removed. After matrix reduction, the set covering is used to achieve the minimum test set.

54 ]. Figure 5-7 shows a simplified version of the architecture. There are three pipeline stages: Fetch (FE), Execution, and Write Back (WB). Execution stage consists of four pipelines for integer ALU (IALU), load (LD), store (ST), and multiplication (MULT) operation and each pipeline is considered as one functional unit.
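The three Test Matrix reduction rules described above (test essentiality, test dominance, state dominance), followed by set covering on what is left, as an added example that is not code from the dissertation. The seven-test matrix is constructed for illustration, and exhaustive search stands in for a set covering solver, which is acceptable only because the reduced matrix is small.

```python
from itertools import combinations

# Constructed test matrix: test t_i was generated for state s_i (the diagonal) and
# also visits other states on its way through the pipeline. Not data from the thesis.
TEST_MATRIX = {
    "t1": {"s1", "s2", "s3"},
    "t2": {"s2"},
    "t3": {"s3", "s4"},
    "t4": {"s4", "s5", "s7"},
    "t5": {"s5", "s6", "s7"},
    "t6": {"s4", "s6", "s7"},
    "t7": {"s7"},
}


def reduce_matrix(matrix):
    """Apply the three rules until none fires.
    Returns (essential tests, residual matrix, log of (rule, removed item))."""
    rows = {t: set(cols) for t, cols in matrix.items()}
    essential, log = [], []
    while True:
        cols = sorted(set().union(*rows.values()))
        tests_of = {c: {t for t in rows if c in rows[t]} for c in cols}
        # Rule 1, test essentiality: a column covered by exactly one test.
        single = next((c for c in cols if len(tests_of[c]) == 1), None)
        if single is not None:
            (t,) = tests_of[single]
            essential.append(t)
            log.append(("essential", t))
            covered = rows.pop(t)
            for remaining in rows.values():
                remaining -= covered           # columns of an essential test leave the matrix
            continue
        # Rule 2, test dominance: everything t_a covers is also covered by t_b.
        names = sorted(rows)
        dominated = next((a for a in names for b in names if a != b and
                          (rows[a] < rows[b] or (rows[a] == rows[b] and a > b))), None)
        if dominated is not None:
            del rows[dominated]
            log.append(("row", dominated))
            continue
        # Rule 3, state dominance: every test that covers s_a also covers s_b,
        # so covering s_a covers s_b for free and column s_b can go.
        redundant = next((b for a in cols for b in cols if a != b and
                          (tests_of[a] < tests_of[b] or
                           (tests_of[a] == tests_of[b] and a < b))), None)
        if redundant is not None:
            for remaining in rows.values():
                remaining.discard(redundant)
            log.append(("column", redundant))
            continue
        return essential, {t: c for t, c in rows.items() if c}, log


def minimum_cover(rows):
    """Exact set cover by increasing subset size (exponential; use only after reduction)."""
    cols = set().union(*rows.values())
    for size in range(len(rows) + 1):
        for pick in combinations(sorted(rows), size):
            if set().union(*(rows[t] for t in pick)) >= cols:
                return list(pick)


def compact(matrix):
    """Reduced test set that keeps the coverage of the full matrix."""
    essential, residual, _ = reduce_matrix(matrix)
    return essential + minimum_cover(residual)


def covers_all(matrix, chosen):
    """True if the chosen tests cover every column of the original matrix."""
    return set().union(*(matrix[t] for t in chosen)) == set().union(*matrix.values())


if __name__ == "__main__":
    essential, residual, log = reduce_matrix(TEST_MATRIX)
    print("rules fired:", log)
    print("residual matrix:", residual)
    print("compacted test set:", compact(TEST_MATRIX))
```

On this matrix the rules leave a three-test cyclic core that none of them can shrink, which is the part set covering has to solve.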

[Figure: Simplified MIPS processor]

We assumed that the processor has two constraints: single issue and write back of only one execution result. Figure 5-8 shows the functional FSM model of the processor in the form of 7-bit binary. Each functional unit has two states (idle or normal operation) except the Write Back unit which has three states (idle, write back, or write back with Execution in stall) and writes one execution result at a time. Therefore, theoretically possible number of states is $3 \times 2^5 = 96$.

Figure 5-8. 7-bits functional FSM model

Unreachable states are removed by using the constraints of processor behavior. For example, the unreachable binary pattern 'xxxx11x' (where x is a don't-care bit) represents the single issue constraint that two execution units IALU and ST cannot be executed at the same time. We can eliminate 24 states since this pattern of states means multiple issue from the FE unit. In addition, '101101x' and '101110x' are unreachable since these

So far we discussed the test compaction in the context of FSM states. In the remainder of this section, we present the results for test compaction using FSM transitions. Unless we apply our test compaction technique we need to generate tests for 3249 ($57 \times 57$) transitions since there are 57 valid states. Clearly, each state cannot have transition to all other states. Once we apply the elimination technique described in Section 5.3.3, our framework identifies 2793 illegal transitions (86% reduction) and thereby only 456 valid transitions are left. In other words, only 456 test vectors are sufficient to cover all the transitions in the MIPS processor. This can be improved further by applying matrix reduction and set covering techniques. However, the number of final required tests depends on the length of each test. If each test tries to cover a longest path in the transition diagram, only 44 (overall 99% reduction) tests will be required. However, a model checker typically uses the shortest possible test to activate the required transition which can lead to any number between 44 and 456. Therefore, our approach can generate 86-99% overall reduction in functional tests without sacrificing functional coverage.

Functional validation is widely acknowledged as a major bottleneck in modern processor design methodology. Due to the lack of a comprehensive functional coverage metric and directed tests, huge amount of random test programs are used for the validation of microprocessor design. This dissertation presented coverage-driven test generation techniques using formal methods to reduce overall validation efforts. This chapter concludes the dissertation and describes future research directions.

The proposed functional test generation methodology provides high quality test programs, efficient test generation, and small test suites to find design errors in early stages of the development. Furthermore, it combines the benefits of both simulation-based

[1] J. Abraham and W. Fuchs. Fault and error models for VLSI. Proc. of IEEE, 74(5):639-654, 1986.
[2] A. Adir, E. Almog, L. Fournier, E. Marcus, M. Rimon, M. Vinov, and A. Ziv. Genesys-pro: Innovations in test program generation for functional processor verification. IEEE Design & Test of Computers, 21(2):84-93, 2004.
[3] A. Adir, S. Asaf, L. Fournier, I. Jaeger, and O. Peled. A framework for the validation of processor architecture compliance. In Proc. of Design Automation Conference (DAC), pages 902-905, 2007.
[4] A. Aharon, D. Goodman, M. Levinger, Y. Lichtenstein, Y. Malka, C. Metzger, M. Molcho, and G. Shurek. Test program generation for functional verification of PowerPC processors in IBM. In Proc. of Design Automation Conference (DAC), pages 279-285, 1995.
[5] R. Alur, R. K. Brayton, T. A. Henzinger, S. Qadeer, and S. K. Rajamani. Partial-order reduction in symbolic state-space exploration. Formal Methods in System Design, 18(2):97-116, 2001.
[6] R. Alur, K. McMillan, and D. Peled. Deciding global partial-order properties. Formal Methods in System Design, 26(1):7-25, 2005.
[7] N. Amla, X. Du, A. Kuehlmann, R. Kurshan, and K. McMillan. An analysis of SAT-based model checking techniques in an industrial environment. In Conference on Correct Hardware Design and Verification Methods (CHARME), pages 254-268. Springer, 2005.
[8] N. Amla, R. Kurshan, K. McMillan, and R. Medel. Experiment analysis of different techniques for bounded model checkings. In Tools and Algorithms for the Analysis and Construction of Systems (TACAS), volume 2619 of LNCS, pages 34-48. Springer, 2003.
[9] Z. S. Andraus, M. H. Liffiton, and K. A. Sakallah. Refinement strategies for verification methods based on datapath abstraction. In Proc. of Asia South Pacific Design Automation Conference (ASPDAC), pages 19-24, 2006.
[10] Z. S. Andraus and K. A. Sakallah. Automatic abstraction and verification of Verilog models. In Proc. of Design Automation Conference (DAC), pages 218-223, 2004.
[11] H. Azatchi, L. Fournier, E. Marcus, S. Ur, A. Ziv, and K. Zohar. Advanced analysis techniques for cross-product coverage. IEEE Transactions on Computers, 55(11):1367-1379, 2006.
[12] T. Basten, D. Bošnački, and M. Geilen. Cluster-based partial-order reduction. Automated Software Engineering, 11(4):365-402, 2004.

[13] M. Benjamin, D. Geist, A. Hartman, G. Mas, and R. Smeets. A study in coverage-driven test generation. In Proc. of Design Automation Conference (DAC), pages 970-975, 1999.
[14] B. Bentley. High level validation of next generation microprocessors. In Proceedings of High Level Design Validation and Test (HLDVT), pages 31-35, 2002.
[15] A. Biere, A. Cimatti, and E. M. Clarke. Bounded model checking. Advances in Computers, 58, 2003.
[16] A. Biere, A. Cimatti, E. M. Clarke, and Y. Zhu. Symbolic model checking without BDDs. In Tools and Algorithms for the Analysis and Construction of Systems (TACAS), volume 1579 of LNCS, pages 193-207. Springer, 1999.
[17] P. Bjesse and J. Kukula. Using counterexample guided abstraction refinement to find complex bugs. In Proc. of Design Automation and Test in Europe (DATE), page 10156, 2004.
[18] K. O. Boateng, H. Konishi, and T. Nakata. A method of static compaction of test stimuli. In Proceedings of Asian Test Symposium (ATS), pages 137-142, 2001.
[19] R. Bryant. Graph-Based Algorithms for Boolean Function Manipulation. IEEE Trans. Computers, C-35(8):677-691, August 1986.
[20] R. E. Bryant. A methodology for hardware verification based on logic simulation. Journal of the ACM (JACM), 38(2):299-328, 1991.
[21] R. E. Bryant. Symbolic simulation techniques and applications. In Proc. of Design Automation Conference (DAC), pages 517-521, 1991.
[22] J. R. Burch, E. M. Clarke, and K. L. McMillan. Symbolic model checking: $10^{20}$ states and beyond. Information and Computation, 98:142-170, 1992.
[23] M. L. Bushnell and V. D. Agrawal. Essentials of Electronic Testing for Digital, Memory and Mixed-Signal VLSI Circuits. Kluwer Academic Publishers, Boston, MA, 2000.
[24] D. Campenhout, T. Mudge, and J. Hayes. High-level test generation for design verification of pipelined microprocessors. In Proc. of Design Automation Conference (DAC), pages 185-188, 1999.
[25] P. Camurati and P. Prinetto. Formal verification of hardware correctness: Introduction and survey of current research. IEEE Computer, 21(7):8-19, 1988.
[26] S. Chakravarty and P. J. Thadikaran. Introduction to IDDQ Testing. Kluwer Academic Publishers, Boston, MA, 1997.
[27] K.-T. Cheng and J.-Y. Jou. A functional fault model for sequential machines. IEEE Transactions on Computer-Aided Design, 11(9):1065-1073, 1992.

[28] K.-T. Cheng and A. S. Krishnakumar. Automatic generation of functional vectors using the extended finite state machine model. ACM Transactions on Design Automation of Electronic Systems (TODAES), 1(1):57-79, 1996.
[29] A. Cimatti, E. M. Clarke, F. Giunchiglia, and M. Roveri. NUSMV: A new symbolic model verifier. In Proc. of Intl. Conference on Computer Aided Verification (CAV), volume 1633 of LNCS, pages 495-499. Springer, 1999.
[30] E. M. Clarke, A. Biere, R. Raimi, and Y. Zhu. Bounded model checking using satisfiability solving. Formal Methods in System Design (FMSD), 19(1):7-34, 2001.
[31] E. M. Clarke, T. Filkorn, and S. Jha. Exploiting symmetry in temporal logic model checking. In Proc. of International Conference on Computer Aided Verification (CAV), pages 450-462, 1993.
[32] E. M. Clarke, O. Grumberg, S. Jha, Y. Lu, and H. Veith. Counterexample-guided abstraction refinement for symbolic model checking. Journal of the ACM (JACM), 50(5):752-794, 2003.
[33] E. M. Clarke, O. Grumberg, and D. E. Long. Model checking and abstraction. ACM Transactions on Programming Languages and Systems (TOPLAS), 16(5):1512-1542, 1994.
[34] E. M. Clarke, O. Grumberg, K. L. McMillan, and X. Zhao. Efficient generation of counterexamples and witnesses in symbolic model checking. In Proc. of Design Automation Conference (DAC), pages 427-432, 1995.
[35] E. M. Clarke, O. Grumberg, and D. A. Peled. Model Checking. MIT Press, Cambridge, MA, 1999.
[36] E. M. Clarke, H. Jain, and D. Kroening. Verification of SpecC using predicate abstraction. Formal Methods in System Design, 30(1):5-28, 2007.
[37] F. Copty, L. Fix, R. Fraer, E. Giunchiglia, G. Kamhi, A. Tacchella, and M. Y. Vardi. Benefits of bounded model checking at an industrial setting. In Proc. of Intl. Conference on Computer Aided Verification (CAV), LNCS, pages 436-453. Springer, 2001.
[38] F. Corno, P. Prinetto, M. Rebaudengo, and M. S. Reorda. New static compaction techniques of test sequences for sequential circuits. In Proc. of European Conference on Design and Test (ED&TC), pages 37-43, 1997.
[39] P. Cousot and R. Cousot. Abstract interpretation: A unified lattice model for static analysis of programs by construction or approximation of fixpoints. In Proc. of the ACM Symposium on Principles of Programming Languages, pages 238-252, 1997.
[40] M. Dimopoulos and P. Linardis. Efficient static compaction of test sequence sets through the application of set covering techniques. In Proc. of Design Automation and Test in Europe (DATE), page 10194, 2004.

[41] A. H. El-Maleh and Y. E. Osais. Test vector decomposition-based static compaction algorithms for combinational circuits. ACM Transactions on Design Automation of Electronic Systems, 8(4):430-459, 2003.
[42] E. Emerson and R. Trefler. From asymmetry to full symmetry: New techniques for symmetry reduction in model checking. In Proc. of Correct Hardware Design and Verification Methods (CHARME), volume 1703 of LNCS, pages 142-156. Springer, 1999.
[43] S. Ezer and S. Johnson. Smart diagnostics for configurable processor verification. In Proc. of Design Automation Conference (DAC), pages 789-794, 2005.
[44] S. Fine and A. Ziv. Coverage directed test generation for functional verification using Bayesian networks. In Proc. of Design Automation Conference (DAC), pages 286-291, 2003.
[45] P. F. Flores, H. C. Neto, and J. P. Marques-Silva. On applying set covering models to test set compaction. In Proceedings of Great Lakes Symposium on VLSI (GLSVLSI), pages 8-11, 1999.
[46] L. Fournier, A. Koyfman, and M. Levinger. Developing an architecture validation suite: application to the PowerPC architecture. In Proc. of Design Automation Conference (DAC), pages 189-194, 1999.
[47] A. Gargantini and C. Heitmeyer. Using model checking to generate tests from requirements specifications. In ACM SIGSOFT Software Engineering Notes, volume 24, pages 146-162, 1999.
[48] A. Gluska. Practical methods in coverage-oriented verification of the Merom microprocessor. In Proc. of Design Automation Conference (DAC), pages 332-337, 2006.
[49] P. Godefroid, D. Peled, and M. Staskauskas. Using partial-order methods in the formal validation of industrial concurrent programs. In Proc. of International Symposium on Software Testing and Analysis (ISSTA), pages 261-269, 1996.
[50] E. Goldberg and Y. Novikov. BerkMin: a fast and robust SAT-solver. In Proc. of Design Automation and Test in Europe (DATE), pages 142-149, 2002.
[51] R. Grinwald, E. Harel, M. Orgad, S. Ur, and A. Ziv. User defined coverage - A tool supported methodology for design verification. In Proc. of Design Automation Conference (DAC), pages 158-163, 1998.
[52] S. Gurumurthy, S. Vasudevan, and J. A. Abraham. Automated mapping of pre-computed module-level test sequences to processor instructions. In Proc. of Intl. Test Conference (ITC), 2005.
[53] I. G. Harris. A coverage metric for the validation of interacting processes. In Proc. of Design Automation and Test in Europe (DATE), pages 1019-1024, 2006.

[54] J. Hennessy and D. Patterson. Computer Architecture: A Quantitative Approach. Morgan Kaufmann, San Francisco, CA, 2003.
[55] P. Ho, A. Isles, and T. Kam. Formal verification of pipeline control using controlled token nets and abstract interpretation. In Proc. of International Conference on Computer-Aided Design (ICCAD), pages 529-536, 1998.
[56] R. C. Ho, C. H. Yang, M. A. Horowitz, and D. L. Dill. Architecture validation for processors. In Proc. International Symposium on Computer Architecture (ISCA), pages 404-413, 1995.
[57] D. S. Hochbaum. An optimal test compression procedure for combinational circuits. IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, 15(10):1294-1299, 1996.
[58] http://www.freescale.com/files/32bit/doc/ref_manual/e500CORERMAD.pdf. PowerPC(TM) e500 Core Family Reference Manual, 2006.
[59] H. Iwashita, S. Kowatari, T. Nakata, and F. Hirose. Automatic test program generation for pipelined processors. In Proc. International Conference on Computer-Aided Design (ICCAD), pages 580-583, 1994.
[60] C. Jacobi. Formal verification of complex out-of-order pipelines by combining model checking and theorem proving. In E. Brinksma and K. Larsen, editor, Proc. of Computer Aided Verification (CAV), volume 2404 of LNCS, pages 309-323. Springer-Verlag, 2002.
[61] H. Jain, D. Kroening, N. Sharygina, and E. Clarke. Word level predicate abstraction and refinement for verifying RTL Verilog. In Proc. of Design Automation Conference (DAC), pages 445-450, 2005.
[62] N. Jha and S. Gupta. Testing of Digital Systems. Cambridge University Press, Cambridge, United Kingdom, 2003.
[63] R. Jhala and K. L. McMillan. Microarchitecture verification by compositional model checking. In G. Berry et al., editor, Proc. of Computer Aided Verification (CAV), volume 2102 of LNCS, pages 396-410. Springer-Verlag, 2001.
[64] C. Kern and M. Greenstreet. Formal verification in hardware design: A survey. ACM Transactions on Design Automation of Electronic Systems (TODAES), 4(2):123-193, 1999.
[65] K. Kohno and N. Matsumoto. A new verification methodology for complex pipeline behavior. In Proc. of Design Automation Conference (DAC), pages 816-821, 2001.
[66] H.-M.KooandP.Mishra.Functionalcoverage-driventestgenerationformicroprocessorverication.InProc.ofUS-KoreaConference(UKC),pages19{24,2006.

PAGE 92

[67] H.-M.KooandP.Mishra.Functionaltestgenerationusingpropertydecompositionsforvalidationofpipelinedprocessors.InProc.ofDesignAutomationandTestinEurope(DATE),pages1240{1245,2006. [68] H.-M.KooandP.Mishra.Testgenerationusing(sat)-basedboundedmodelcheckingforvalidationofpipelinedprocessors.InProc.ofACMGreatLakesSymposiumonVLSI(GSLVLSI),pages362{365,2006. [69] H.-M.KooandP.Mishra.Automatedmicro-architecturaltestgenerationforvalidationofmodernprocessors.InProc.ofUS-KoreaConference(UKC),pages25{30,2007. [70] H.-M.Koo,P.Mishra,J.Bhadra,andM.Abadir.Directedmicro-architecturaltestgenerationforanindustrialprocessor:Acasestudy.InIEEEInternationalWorkshoponMicroprocessorTestandVerication(MTV)),pages33{36,2006. [71] S.Kripke.Semanticconsiderationonmodellogic.InProc.ofaColloquium:ModalandManyvaluedLogics,pages83{94,1963. [72] N.Krishnamurthy,A.K.Martin,M.S.Abadir,andJ.A.Abraham.ValidatingPowerPCmicroprocessorcustommemories.IEEEDesign&Test,17(4):61{76,2000. [73] A.KuehlmannandF.Krohm.Equivalencecheckingusingcutsandheaps.InProc.ofDesignAutomationConference(DAC),pages263{268,1997. [74] O.Lachish,E.Marcus,S.Ur,andA.Ziv.Holeanalysisforfunctionalcoveragedata.InProc.ofDesignAutomationConference(DAC),pages807{812,2002. [75] C.Liu,C.-C.Yen,andJ.-Y.Jou.AutomaticfunctionalvectorgenerationusingtheinteractingFSMmodel.InProc.ofInternationalSymposiumonQualityElectronicDesign(ISQED),pages372{377,2001. [76] F.Y.MangandP.-H.Ho.Abstractionrenementbycontrollabilityandcooperativenessanalysis.InProc.ofDesignAutomationConference(DAC),pages224{229,2004. [77] P.ManoliosandS.K.Srinivasan.Acompletecompositionalreasoningframeworkfortheecientvericationofpipelinedmachines.InProc.ofInternationalConferenceonComputerAidedDesign(ICCAD),pages863{870,2005. [78] J.P.Marques-SilvaandK.A.Sakallh.GRASP:Asearchalgorithmforpropositionalsatisability.IEEETransactionsonComputers,48(5):506{521,1999. 
[79] K.L.McMillan.SMVModelChecker,CadenceBerkeleyLaboratory.http://embedded.eecs.berkeley.edu/Alumni/kenmcmil/smv,October,2002. [80] K.L.McMillan.SymbolicModelChecking:AnApproachtotheStateExplosionProblem.KluwerAcademicPublishers,Boston,MA,1993.

PAGE 93

[81] K.L.McMillan.MethodsforexploitingSATsolversinunboundedmodelchecking.InProceedingsofMEMOCODE,pages135{142,2003. [82] A.Miller,A.Donaldson,andM.Calder.Symmetryintemporallogicmodelchecking.ACMComputingSurveys(CSUR),38(3):1{36,2006. [83] P.MishraandN.Dutt.AutomaticFunctionalTestProgramGenerationforPipelinedProcessorsusingModelChecking.InProc.ofHighLevelDesignValidationandTest(HLDVT),pages99{103,2002. [84] P.MishraandN.Dutt.Graph-basedfunctionaltestprogramgenerationforpipelinedprocessors.InProc.ofDesignAutomationandTestinEurope(DATE),pages182{187,2004. [85] P.MishraandN.Dutt.Functionalcoveragedriventestgenerationforvalidationofpipelinedprocessors.InProc.ofDesignAutomationandTestinEurope(DATE),pages678{683,2005. [86] P.MishraandN.D.Dutt.FunctionalVericationofProgrammableEmbeddedArchitectures:ATop-DownApproach.SpringerVerlag,NewYork,NY,2005. [87] P.Mishra,H.-M.Koo,andZ.Huang.Language-drivenvalidationofpipelinedprocessorsusingsatisabilitysolvers.InIEEEInternationalWorkshoponMicropro-cessorTestandVerication(MTV)),pages119{126,2005. [88] M.H.Moskewicz,C.F.Madigan,Y.Zhao,L.Zhang,andS.Malik.Cha:EngineeringanecientSATsolver.InProc.ofDesignAutomationConference(DAC),pages530{535,2001. [89] D.Moundanos,J.A.Abraham,andY.V.Hoskote.Abstractiontechniquesforvalidationcoverageanalysisandtestgeneration.IEEETransactionsonComputers,47(1):2{14,1998. [90] G.Parthasarathy,M.K.Iyer,K.-T.Cheng,andL.-C.Wang.Safetypropertyvericationusingsequentialsatandboundedmodelchecking.IEEEDesign&TestofComputers,21(2):132{143,2004. [91] D.Peled.Usingpartial-ordermethodsintheformalvalidationofindustrialconcurrentprograms.InProc.ofInternationalConferenceonComputerAidedVerication(CAV),pages409{423,1993. [92] A.Piziali.FunctionalVericationCoverageMeasurementandAnalysis.KluwerAcademicPublishers,Boston,MA,2004. [93] M.R.Prasad,A.Biere,andA.Gupta.AsurveyofrecentadvancesinSAT-basedformalverication.Intl.JournalonSoftwareToolsforTechnologyTransfer(STTT),7(2):156{173,2005.

PAGE 94

[94] M.Puig-Medina,G.Ezer,andP.Konas.Vericationofcongurableprocessorcores.InProc.ofDesignAutomationConference(DAC),pages426{431,2000. [95] A.Roy,S.K.Panda,R.Kumar,andP.P.Chakrabarti.Aframeworkforsystematicvalidationanddebuggingofpipelinesimulators.ACMTransactionsonDesignAutomationofElectronicSystems(TODES),10(3):462{491,2005. [96] E.M.RudnickandJ.H.Patel.Ecienttechniquesfordynamictestsequencecompaction.IEEETransactionsonComputers,48(3):323{330,1999. [97] A.Sen.Errordiagnosisinequivalencecheckingofhighperformancemicroprocessors.ElectronicNotesinTheoreticalComputerScience(ENTCS),174(4):9{18,2007. [98] J.ShenandJ.Abraham.Vericationofprocessormicroarchitectures.InProc.ofVLSITestSymposium(VTS),pages189{194,1999. [99] J.ShenandJ.A.Abraham.AnRTLabstractiontechniqueforprocessormicroarchitecturevalidationandtestgeneration.JournalofElectronicTesting:TheoryandApplications,16(1-2):67{81,2000. [100] K.Shimizu,S.Gupta,T.Koyama,T.Omizo,J.Abdulhaz,L.McConville,andT.Swanson.Vericationofthecellbroadbandengineprocessor.InProc.ofDesignAutomationConference(DAC),pages338{343,2006. [101] A.P.SistlaandP.Godefroid.Symmetryandreducedsymmetryinmodelchecking.ACMTransactionsonProgrammingLanguagesandSystems(TOPLAS),26(4):702{734,2004. [102] M.SrivasandM.Bickford.Formalvericationofapipelinedmicroprocessor.IEEESoftware,7(5):52{64,1990. [103] T.Schubert.Highlevelformalvericationofnextgenerationmicroprocessors.InProceedingsofDesignAutomationConference(DAC),pages1{6,2003. [104] S.TasiranandK.Keutzer.Coveragemetricsforfunctionalvalidationofhardwaredesigns.IEEEDesign&TestofComputers,18(4):36{45,2001. [105] P.A.Thaker,V.D.Agrawal,andM.E.Zaghloul.Validationvectorgrade(VVG):Anewcoveragemetricforvalidationandtest.InProc.ofVLSITestSymposium,pages182{188,1999. [106] S.ThatteandJ.Abraham.Testgenerationformicroprocessors.IEEETransactionsonComputers,29(6):429{441,1980. 
[107] C.Timoc,M.Buehler,T.Griswold,C.Pina,F.Stott,andL.Hess.Logicalmodelsofphysicalfailures.InProc.ofInternationalTestConference(ITC),pages546{553,1983.

PAGE 95

[108] S.UrandY.Yadin.Microarchitecturecoveragedirectedgenerationoftestprograms.InProc.ofDesignAutomationConference(DAC),pages175{180,1999. [109] N.Utamaphethai,R.D.S.Blanton,andJ.P.Shen.Eectivenessofmicroarchitecturetestprogramgeneration.IEEEDesign&Test,17(4):38{49,2000. [110] T.Villa,T.Kam,R.K.Brayton,andA.L.Sangiovanni-Vincentelli.Explicitandimplicitalgorithmsforbinatecoveringproblems.IEEETransactionsonComputer-AidedDesignofIntegratedCircuitsandSystems,16(7):677{691,1997. [111] R.L.Wadsack.FaultmodelingandlogicsimulationofCMOSandMOSintegratedcircuits.BellSystemTechnicalJournal,57(5):1449{1474,1978. [112] I.Wagner,V.Bertacco,andT.Austin.StressTest:anautomaticapproachtotestgenerationviaactivitymonitors.InProc.ofDesignAutomationConference(DAC),pages783{788,2005. [113] M.Wilding,D.Greve,andD.Hardin.Ecientsimulationofformalprocessormodels.FormalMethodsinSystemDesign,18(3):233{248,2001. [114] H.Zhang.SATO:Anecientpropositionalprover.InProc.ofInternationalConferenceonAutomatedDeduction(CADE),volume1249ofLNCS,pages272{275.Springer,1997. [115] Y.Zhang,D.Wang,J.Wang,andW.Zheng.Usingmodel-basedtestprogramgeneratorforsimulationvalidation.InEmbeddedSoftwareandSystems,volume3605ofLNCS,pages549{556.Springer,2005. [116] A.Ziv.Cross-productfunctionalcoveragemeasurementwithtemporalproperties-basedassertions.InProc.ofDesignAutomationandTestinEurope(DATE),pages834{841,2003.

PAGE 96

Heon-Mo Koo received his B.S. and M.S. degrees from the Department of Electronic and Electric Engineering at Kyungpook National University in South Korea in 1993 and 1995, respectively. During his M.S. studies, he developed digital image processing and video compression algorithms. In 1995, he joined the LG Electronics Research Center in Seoul, South Korea. As a senior research engineer, he worked on functional modeling and validation of MPEG encoder/decoder, development of a RISC-type embedded processor for MPEG decoder, and digital video processing and enhancement algorithms for HDTV and DVD systems. Since 2003, he has been working on verification of modern microprocessor designs, functional test generation for validation, formal verification, and functional modeling and validation of SoC designs at the Embedded Systems Lab at the University of Florida. In 2006, he worked in the Formal Verification and Test Group at Freescale Inc. as a research intern. During the internship, he designed a pipelined PowerPC processor model at the micro-architecture level and established a directed test generation methodology for validation of the processor design. In August 2007, he joined the Graphics Chipset Group at Intel Corp. as a Software Development Engineer. He has been developing simulation models of a multi-format media decoder for the next generation graphics chips at Intel. He is also working on software design and testing, and is assisting the hardware team with RTL validation.