An ATPG-Based Framework for Verifying Sequential Equivalence. Fujitsu Labs. of America 3350 Scott Blvd. Bldg. 34. Santa Clara, CA 95054, U.S.A.


An ATPG-Based Framework for Verifying Sequential Equivalence*

Shi-Yu Huang, Kwang-Ting Cheng, Kuang-Chien Chen, Uwe Glaeser

Department of Electrical & Computer Engineering, University of California, Santa Barbara, Santa Barbara, CA 93106, U.S.A.; Fujitsu Labs. of America, 3350 Scott Blvd. Bldg. 34, Santa Clara, CA 95054, U.S.A.; The German National Research Center for Computer Science, Schloss Birlinghoven, D-53757 St. Augustin

Abstract

In this paper, we address the problem of verifying the equivalence of two sequential circuits. State-of-the-art sequential optimization techniques such as retiming and sequential redundancy removal can handle designs with up to hundreds or even thousands of flip-flops. The BDD-based approaches for equivalence checking can easily run into memory explosion for such designs. In an attempt to handle larger circuits, we modify test pattern generation techniques for verification. The suggested approach utilizes the efficient backward justification technique popularly used in most sequential ATPG programs. The method explores the structural similarity between the circuits under verification, and performs the verification in stages to improve the efficiency. An effective algorithm to identify equivalent flip-flops is presented. This ATPG-based framework is suitable for verifying circuits with or without a reset state. Experimental results of verifying the correctness of circuits after sequential redundancy removal will be presented.

1. Introduction

State-of-the-art re-synthesis tools optimize circuits with respect to various constraints, such as area, performance, power dissipation, and testability. Transformations like retiming [2], sequential redundancy removal [3], and redundancy addition and removal [4] may alter the functionality of the combinational portion of a circuit, but the overall sequential input/output behavior is not changed.
These approaches can handle circuits with hundreds or even thousands of flip-flops and may remove flip-flops from the original design. Even though these approaches are theoretically correct, the tools that implement these algorithms may not be error-free. Making sure that the transformed circuit indeed preserves the same input/output behavior as the original circuit is a challenging problem. Most existing approaches for verifying sequential equivalence are based on state traversal techniques using BDDs. These approaches are very efficient for small to medium-sized circuits [5,6]. However, constructing BDDs for a larger design could cause memory explosion.

For circuits without an external reset state, there are several different definitions of sequential equivalence [8,3,9,10]. These definitions differ from one another in their assumptions about how a circuit normally operates. For some circuits, a synchronizing sequence may be used to drive the circuit to a desired state before operation. In [8], a notion of equivalence that only concerns the post-synchronization (or steady-state) behavior of a design was proposed. If two designs have the same behavior after synchronization, then they are considered equivalent. A similar definition was also used in [9] for removing untestable, yet irredundant faults. To interpret this notion graphically, they showed that the steady-state behavior of a synchronizable design is determined by one Terminal Strongly Connected Component (TSCC) in the state transition graph. A TSCC is a strongly connected component (SCC) that does not have any outgoing edge. It was proven in [8] that a transformation that preserves a circuit's TSCC does not change its input/output behavior after synchronization (assuming that the transformed circuit can still be synchronized). Fig. 1 shows a transformation that preserves the TSCC. This notion of equivalence will be referred to as post-synchronization equivalence for the rest of this paper.
[Fig. 1: A transformation that preserves the Terminal SCC. The state transition graphs before and after the transformation are shown; 100 is a synchronizing sequence on one side and 000 on the other, and the Terminal Strongly Connected Component (TSCC) is (B, C, D).]

*This work was supported by the National Science Foundation under grant MIP-9503651, California MICRO and Fujitsu Labs of America.

0-7803-3540-6/96 $5.00 © 1996 IEEE. INTERNATIONAL TEST CONFERENCE

In [10], another definition called safe replaceability was proposed. For any input sequence, this definition requires that every state in the transformed circuit have a corresponding state in the original circuit with the same output response for that input sequence. This definition is safer for an embedded design when a synchronizing sequence may not be available. However, it is more stringent, and thus allows less flexibility for optimizing a circuit. Furthermore, checking safe replaceability is difficult because every state of the transformed circuit needs to be examined. If the BDD representation can be constructed, this may be feasible. But for circuits beyond the capability of BDDs, the definition of safe replaceability cannot be checked easily.

In this paper, we use another definition of sequential equivalence, called circuit covering, for circuits without a reset state. In this definition, the initial value of each flip-flop is assumed to be unknown and represented as $u$. For an input sequence applied to the circuit, 3-valued logic simulation is used to derive the final response of each primary output. If the response of a primary output bit is 0 or 1, then the output response is regarded as a care output response and should be preserved in the transformed circuit to satisfy this definition. On the other hand, if the response is $u$ (meaning that the response could be 0 or 1 depending on the power-up values of the flip-flops), then it is regarded as a don't care response and could be changed during logic transformations. This definition has been used to describe the behavior of incompletely specified FSMs in [1]. We show that this definition is more stringent than post-synchronization equivalence if the original circuit is 3-valued initializable. A circuit is called 3-valued initializable if it can be driven to a unique state by running 3-valued logic simulation using any synchronizing sequence.

We present a novel method to verify sequential equivalence for two circuits. This approach can handle circuits with or without a reset state.
For circuits without a reset state, we verify them according to the definition of circuit covering. Similar to the model used in [11,12,13], we construct a computational model that connects the primary inputs of the two circuits together and connects each primary output pair to an XOR gate, as shown in Fig. 2. Without loss of generality, we assume both circuits have a single primary output for the rest of this paper. This model is called a miter in [12]; we will use this term in the sequel. Efficient ATPG techniques are applied to search for a test for the stuck-at-0 fault at the miter's output. For circuits with a reset state, undetectability of this fault implies that the two circuits under verification are equivalent, and vice versa. But for circuits without a reset state, additional conditions need to be checked for circuit covering.

[Fig. 2: The computational model (miter).]

The underlying ATPG techniques rely on the time-frame-expansion model and the reverse time processing techniques [14,15], which are popularly used in most commercial ATPG tools. To reduce the time complexity, we explore the similarities between the two circuits and verify their equivalence in stages. We propose an induction-based algorithm to identify equivalent flip-flop pairs. This algorithm first derives a list of candidate equivalent flip-flop pairs, and then incorporates a monotone screening process to filter out false candidate pairs until no more false candidates exist. This algorithm may require several iterations to complete; however, it is much more effective than identifying equivalent flip-flop pairs directly. Based on the flip-flop equivalence information, we further identify equivalent internal signal pairs before checking the equivalence of each primary output pair, to speed up the entire verification process.

The rest of this paper is organized as follows. In Section 2, we discuss and compare several definitions of sequential equivalence.
In Section 3, we describe a general ATPG-based framework for verifying circuit equivalence according to different definitions. In Section 4, we introduce several speed-up techniques. In Section 5, we present the experimental results of verifying the circuits after sequential redundancy removal. Section 6 gives the concluding remarks.

2. Definitions of Equivalence

2.1 Reset Equivalence

A synchronous sequential circuit can be described in terms of its corresponding deterministic finite state machine (DFSM). Assume the two circuits under consideration are $M_1 = (I, O, S_1, \delta_1, \lambda_1)$ and $M_2 = (I, O, S_2, \delta_2, \lambda_2)$ respectively, where $I$ and $O$ are the input and output alphabets, $S$ is a set of states, $\delta$ is the transition function from $S \times I^*$ to $S$, and $\lambda$ is the output function from $S \times I^*$ to $O$. A synchronizing sequence is an input sequence that can bring the machine to a unique state from any initial state, while an initializing sequence is a synchronizing sequence that can be verified using 3-valued logic simulation.

Definition 1: (Equivalent state pair) Let $s_1$ be a state in $M_1$, and $s_2$ be a state in $M_2$. State $s_1$ is equivalent to state $s_2$, denoted as $s_1 \equiv s_2$, if there exists no input sequence that can distinguish this state pair, i.e., for any input sequence $\pi \in I^*$, $\lambda_1(s_1, \pi) = \lambda_2(s_2, \pi)$, where $\lambda_1$ and $\lambda_2$ are the output functions.

Definition 2: (Reset equivalence) Suppose $M_1$ and $M_2$ have external reset states $s_1$ and $s_2$ respectively. $M_1$ and $M_2$ are called reset equivalent if and only if $s_1$ and $s_2$ are equivalent states.

2.2 Post-synchronization Equivalence

In this section, we discuss two definitions of equivalence for circuits without an external reset state: (1) post-synchronization equivalence, and (2) circuit covering.

Definition 3 [8]: (Alignable pair) $(s_1, s_2)$ is an alignable pair if there exists an input sequence $\pi$ that can bring the two circuits into an equivalent state pair from $(s_1, s_2)$, i.e., $\delta_1(s_1, \pi) \equiv \delta_2(s_2, \pi)$, where $\delta_1$ and $\delta_2$ are the transition functions. The sequence $\pi$ is called an aligning sequence for the state pair $(s_1, s_2)$.

Definition 4 [8]: (Post-synchronization equivalence) $M_1$ and $M_2$ are equivalent if and only if there exists an input sequence $\pi$ that can align any state pair in $S_1 \times S_2$ ($\pi$ is called a universal aligning sequence).

A universal aligning sequence can bring two circuits into an equivalent state pair regardless of their initial states. The above definition states that two circuits have the same post-synchronization behavior as long as there exists a universal aligning sequence. Based on this definition, it can be shown that if two circuits are post-synchronization equivalent, then any input sequence that can synchronize both circuits is a universal aligning sequence. Therefore, as long as a synchronizing sequence is given for each circuit, checking post-synchronization equivalence can be reduced to checking reset equivalence.

Implication 1. Let $\pi_1$, $\pi_2$ be synchronizing sequences for $M_1$ and $M_2$, respectively. If the input sequence $\pi_1\pi_2$ (the concatenation of $\pi_1$ and $\pi_2$) brings the two circuits into a state pair $(s_1, s_2)$, then $M_1$ and $M_2$ are post-synchronization equivalent if and only if $(s_1, s_2)$ is an equivalent state pair.

2.3 Circuit Covering

Consider the pipelined data-path design in Fig. 3. It consists of two functional units, one adder and one 3-stage multiplier. Suppose this circuit operates under a controlling signal select, issued by a controller not shown here. This signal determines what operation should be performed, either an addition or a multiplication. If the first operation to be performed after the circuit is powered up is an addition, then after one clock cycle, care outputs will be produced even though the internal data registers in the multiplier are not fully initialized. According to the definition of post-synchronization equivalence, these outputs will be regarded as don't cares and can be changed during the transformation. To avoid this kind of mis-interpretation, the definition of circuit covering should be used for this type of circuit.

[Fig. 3: A data-path circuit that may produce care outputs before the internal registers are initialized. The figure shows the inputs feeding an adder and a 3-stage multiplier (whose internal registers are marked), the select signal, and the outputs.]

In the context of verifying circuit covering, we assume a signal in the circuit can take on a logic value among $\{0, 1, u\}$, where $u$ represents the unknown logic value. We define that signal $v_1$ covers signal $v_2$ if $(v_1, v_2)$ is one of the following 5 combinations: $(u, u)$, $(u, 0)$, $(u, 1)$, $(0, 0)$, $(1, 1)$. In other words, $(v_1, v_2)$ is not one of the following 4 combinations: $(0, 1)$, $(1, 0)$, $(0, u)$ and $(1, u)$. Similarly, a vector $V_1$ covers vector $V_2$ if every bit of $V_1$ covers the corresponding bit of $V_2$. Each signal in the combinational portion of a circuit is a function of the primary inputs $PI = \{i_1, i_2, \dots, i_n\}$ and present state lines $PS = \{y_1, y_2, \dots, y_m\}$. A 3-valued state (or state-cube) is a state in which each bit could be 0, 1 or $u$. The unknown state, denoted as $x$, is a 3-valued state where every bit is $u$, e.g., $x = (uuu)$. Suppose $T$ is an input sequence; the primary output response (at the last time frame) of the circuit $M_1$ after applying $T$ from a 3-valued state $s$ is denoted as $o_1(s, T)$. Similarly, $o_1(x, T)$ denotes the output response of $o_1$ from the unknown state $x$.

Definition 5: (circuit covering) Circuit $M_1$ covers circuit $M_2$ ($M_1 \supseteq M_2$) if and only if $o_1(x, T)$ covers $o_2(x, T)$ for any input sequence $T$.

The above definition is intended for a circuit operated from the unknown initial state. Suppose $M_1$ is the original circuit and $M_2$ is a transformed circuit. For a particular input sequence $T$ (some bits could have an unknown value), if an output bit in the original circuit $M_1$ exhibits a deterministic value (either 0 or 1, but not $u$), then this bit is regarded as a care output, and its corresponding bit in $M_2$ should have an identical response for this particular input sequence. On the other hand, if an output bit in $M_1$ has an unknown response $u$, it will be regarded as a don't care response, and its corresponding bit in $M_2$ could have any output response without violating the definition of circuit covering. It can be shown easily that if $M_1$ covers $M_2$ then all initializing sequences of $M_1$ can also initialize $M_2$.

2.4 Definition Comparison

The following lemma describes the relationship between the definition of circuit covering and the definition of post-synchronization equivalence when both circuits under verification are 3-valued initializable.

Lemma 1: If $M_1$ and $M_2$ are 3-valued initializable and $M_1 \supseteq M_2$, then $M_1$ and $M_2$ are post-synchronization equivalent.

(Proof by contraposition): Let $\pi$ be an initializing sequence for both $M_1$ and $M_2$. Assume that $M_1$ and $M_2$ are not post-synchronization equivalent. Then there exists a universal distinguishing sequence $\pi_d$ that can differentiate any state pair [17]. Therefore, the output combination $(o_1, o_2)$ in response to $\pi_d$ from the unknown state satisfies [condition missing from the transcription] sequence that proves $M_1$ does not cover $M_2$. Hence, by contraposition, we conclude that if $M_1$ covers $M_2$, then $M_1$ and $M_2$ are post-synchronization equivalent. (Q.E.D.)

In [9], a method was proposed to remove untestable yet irredundant faults in a sequential circuit without an external reset state to achieve a higher fault coverage. A fault is called partially testable if there exists an input sequence $T$ such that the output combination of the fault-free and faulty circuits for this sequence is $(0, u)$ or $(1, u)$. Obviously, removing such faults will violate the condition of circuit covering. However, it was proven in [9] that removing this kind of fault preserves the post-synchronization behavior as long as the transformed circuit is still synchronizable. We therefore conclude that circuit covering is a more stringent definition than post-synchronization equivalence when the original circuit is 3-valued initializable. In light of this, we conjecture that even though removing a partially testable fault that does not destroy all synchronizing sequences is a safe transformation under the definition of post-synchronization equivalence, it may not be safe for some circuits that produce care outputs before being completely initialized.

3. Methodology

3.1 Checking Circuit Covering

In this section, we describe the basic scenario of verifying circuit covering and then discuss the modification for checking reset equivalence. Assume that $M_1$ and $M_2$ are the two circuits to be verified. An exclusive-or gate $g$ is added for the output pair $(o_1, o_2)$ in the miter (Fig. 2). The $g$ stuck-at-0 fault is considered for test generation.

Definition 6: (Undetectability) The $g$ stuck-at-0 fault is called undetectable if there exists no input sequence $T$ such that [condition missing from the transcription], where $x$ represents the unknown state.

The undetectability of $g$ stuck-at-0 is simply a necessary condition for circuit covering. Even if the $g$ stuck-at-0 fault is undetectable, it is likely that an input sequence $T$ satisfies $\binom{o_1(x, T)}{o_2(x, T)} \in \{\binom{0}{u}, \binom{1}{u}\}$, which violates the definition of circuit covering. We derive the necessary and sufficient condition for $M_1$ covers $M_2$ in the following lemma.

Lemma 2: $M_1$ covers $M_2$ if and only if there exists no input sequence $T$ and state $s_2$ in $M_2$ such that the following condition is satisfied: $\binom{o_1(x, T)}{o_2(s_2, T)} \in \{\binom{0}{1}, \binom{1}{0}\}$. (Proof): see Appendix.

In the above lemma, if $s_2$ is the unknown state $x$, then the input sequence $T$ is a test for the $g$ stuck-at-0 fault of the miter. Otherwise, $T$ is called a partial test. In the following discussion, we also refer to $T$ as a distinguishing sequence for $M_1$ and $M_2$. The above necessary and sufficient condition for circuit covering can be checked by a sequential ATPG program with some minor modification.
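As an added example (not code from the paper), the following Python script implements the 3-valued gate semantics and the signal/vector covering relation of Section 2.3, simulates two constructed circuits from the unknown state x, and checks Definition 5 by exhaustively enumerating all input sequences up to a length bound, including sequences with unknown input bits. M1 is a small mux-selected pipeline in the spirit of Fig. 3 (its output is the input i when sel = 1, otherwise a delayed value); M2 is a constructed transformation of M1 that additionally gates the output with a "ready" flip-flop set to 1 after the first clock. The circuits, the length bound and all function names are assumptions of this example, not the paper's.

```python
from itertools import product

U = "u"  # the unknown logic value; every signal takes a value in {0, 1, U}


def and3(*xs):
    """3-valued AND: a 0 dominates, all-1 gives 1, anything else is unknown."""
    if any(x == 0 for x in xs):
        return 0
    return 1 if all(x == 1 for x in xs) else U


def or3(*xs):
    """3-valued OR: a 1 dominates, all-0 gives 0, anything else is unknown."""
    if any(x == 1 for x in xs):
        return 1
    return 0 if all(x == 0 for x in xs) else U


def not3(x):
    return U if x == U else 1 - x


def covers(v1, v2):
    """Signal v1 covers v2 iff (v1, v2) is not one of (0,1), (1,0), (0,u), (1,u)."""
    return v1 == U or v1 == v2


def vec_covers(vec1, vec2):
    """Vector covering: bitwise covering of equal-length vectors."""
    return len(vec1) == len(vec2) and all(covers(a, b) for a, b in zip(vec1, vec2))


# Constructed example circuits (assumption of this example). Inputs are (sel, i).
# M1: two pipeline registers a -> b; output is i when sel = 1, otherwise b.
M1 = {
    "n_state": 2,
    "next": lambda pi, ps: (pi[1], ps[0]),
    "output": lambda pi, ps: or3(and3(pi[0], pi[1]), and3(not3(pi[0]), ps[1])),
}
# M2: the same, plus a "ready" flip-flop r that is set to 1 after the first clock
# and gates the output. Once synchronized, M2 behaves exactly like M1.
M2 = {
    "n_state": 3,
    "next": lambda pi, ps: (pi[1], ps[0], 1),
    "output": lambda pi, ps: and3(ps[2], or3(and3(pi[0], pi[1]),
                                             and3(not3(pi[0]), ps[1]))),
}


def simulate(circuit, seq):
    """3-valued simulation from the unknown state x; returns o(x, T) at the last frame."""
    state = (U,) * circuit["n_state"]
    out = U
    for pi in seq:
        out = circuit["output"](pi, state)
        state = circuit["next"](pi, state)
    return out


def check_covering(m1, m2, n_inputs, max_len):
    """Bounded check of Definition 5: o1(x,T) must cover o2(x,T) for every input
    sequence T with |T| <= max_len over the alphabet {0, 1, u}^n_inputs.
    Returns None if covering holds within the bound, else the first violating T."""
    vectors = list(product((0, 1, U), repeat=n_inputs))
    for length in range(1, max_len + 1):
        for seq in product(vectors, repeat=length):
            if not covers(simulate(m1, seq), simulate(m2, seq)):
                return seq
    return None


if __name__ == "__main__":
    print(check_covering(M1, M2, 2, 3))  # M1 yields a care 1, M2 yields u: not covered
    print(check_covering(M2, M1, 2, 3))  # None: M2 covers M1
```

The check reports the one-vector sequence (sel = 1, i = 1): M1 already produces the care output 1 on it, while M2 still produces u, so M1 does not cover M2 even though the two circuits are post-synchronization equivalent; the reverse direction holds. In the terms of Lemma 2 this is a partial test: any M2 state with the ready flip-flop at 0 answers 0 while o1(x, T) = 1. Unlike the paper's ATPG search, the enumeration is only a bounded check and grows as 3^(n·length).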
A sequential ATPG program that employs the time-frame expansion model consists of three phases: (1) fault injection, (2) fault-effect propagation, and (3) backward justification. In our application, the fault is at the output of the miter, so no fault-effect propagation is required. Only backward justification is needed after the fault is injected (i.e., asserting signal $g$ to 0). The backward justification process may take more than one time frame to complete. At each time frame, the set of binary values required at the present-state lines is called a state requirement, which needs to be further justified until the above necessary and sufficient condition is satisfied, or proven unjustifiable. A state requirement of the miter can be regarded as a 3-valued state consisting of two parts: the state requirement for $M_1$ and the state requirement for $M_2$. For example, (0uu | 1uu) is a state requirement that requires a 0 for $M_1$'s first state variable and a 1 for $M_2$'s first state variable. According to Lemma 2, the backward justification process stops whenever one of the following two conditions is satisfied:

(1) Unjustifiable condition: all state requirements generated during the search for a distinguishing sequence are proven unjustifiable; then $M_1$ covers $M_2$.

(2) Justified condition: a state requirement that has no requirement on $M_1$ is reached. E.g., (uuu | 1uu) is a state requirement that has no requirement on $M_1$. It implies that a distinguishing sequence is found and $M_1$ does not cover $M_2$.

Some ATPG algorithms such as PODEM [16] may over-specify the value requirements at some signals to speed up the search. It should be pointed out that the underlying ATPG algorithm used for verification should not over-specify the value requirements during backward justification when checking the definition of circuit covering. Otherwise some possible distinguishing sequences may be overlooked. We use the techniques proposed in [18] to resolve the over-specification problem.

Fig. 4 shows an example in which a distinguishing sequence, $(t_3, t_2, t_1)$, is found after 3 time frames are expanded for backward justification. The state requirement of the left-most time frame does not have any value requirement for $M_1$'s state variables, and thus the search stops according to the justified condition shown above.

[Fig. 4: $T = (t_3, t_2, t_1)$ is a distinguishing sequence that can set signal $g$ to 1 from any state covered by (uuu | 00u). The figure shows the combinational logic of $M_1$ and $M_2$ in time frames 3, 2, 1, processed by backward justification.]

To check reset equivalence, we need to search for a sequence that can distinguish the two circuits from the initial state pair of $M_1$ and $M_2$, denoted as $(s_1, s_2)$. In other words, $T$ is a distinguishing sequence if the following condition is satisfied: $\binom{o_1(s_1, T)}{o_2(s_2, T)} \in \{\binom{0}{1}, \binom{1}{0}\}$. This can be checked by modifying the stopping criteria of the backward justification process. In this case, the justified condition should be a state requirement of the miter that covers $(s_1 | s_2)$.
To check post-synchronization equivalence, we first apply an input sequence that can initialize both circuits to a state pair, e.g., $(q_1, q_2)$, and then check if the state pair $(q_1, q_2)$ is equivalent.

3.2 Correctness

It is known that the use of 3-valued logic simulation may result in some loss of information [20]. However, the suggested approach is as accurate as the symbolic approach for the case of checking reset equivalence, even though 3-valued logic is employed in the process. The following lemma states that if there exists a distinguishing sequence for the definition of reset equivalence, then our approach can find it if sufficient time is given for the search.

Lemma 3: Let $T$ be an input sequence (some bits could be don't cares) that can distinguish $M_1$ and $M_2$ from the reset state pair $(s_1, s_2)$. Then there exists an input sequence $D$ that can be found during the backward justification process discussed above such that the output combination for this sequence, based on 3-valued logic simulation, satisfies $\binom{o_1(s_1, D)}{o_2(s_2, D)} \in \{\binom{0}{1}, \binom{1}{0}\}$. (Proof): See appendix.

4. Speed-up Techniques

For large designs, directly using ATPG for the stuck-at-0 fault at the miter's output will be too time-consuming. In this section, we discuss several speed-up techniques to improve the efficiency of the search process.

4.1 Test Generation with Breadth-First Search

A sequential ATPG program is designed to find a test sequence for a target fault as soon as possible. Hence it usually incorporates a guided depth-first search. However, this kind of search is not suitable for the purpose of verification. In general, we have to explore the entire search space to conclude that a miter's output stuck-at-0 fault is not even partially testable. The controllability guidance that tries to predict the best decision in a conventional ATPG program is not effective anymore. What could boost the efficiency is guidance that trims down the search space.
The backward justification process can be characterized as a tree, shown in Fig. 5. The root node corresponds to the objective of setting the miter's output to 1. Each non-root node represents a state requirement to be further justified. A leaf node is a state requirement not explored yet or proven unjustifiable (denoted by being connected to the ground). We modify the main flow of the test generation process as follows.

(1) Select an unjustified node (a leaf node in the tree).

(2) Perform pre-image computation for one time frame to explore all the children of the target node. Pre-image computation is to find all minimally specified cubes in terms of PI's and PS's that can satisfy the state requirement at the next state lines. If no pre-image exists, then the selected state requirement is declared unjustifiable.

(3) Check the stopping criteria: if the objective has been justified (a test or partial test has been found) or every node has been explored and proven unjustifiable, then stop. Otherwise go to step (1) and continue.

[Fig. 5: Justification tree. The root is the objective "set $g$ = 1"; the sub-tree within the dashed line could be avoided.]

This breadth-first search algorithm allows a higher degree of flexibility in selecting the next target state requirement for justification than a traditional guided depth-first search algorithm. The following observation shows the motivation of a heuristic for the order of selecting the next target state requirement at each iteration.

Observation 1: (Motivation of largest-first scheduling) Let BIG and SMALL be two state requirements (3-valued states). If BIG covers SMALL and BIG is unjustifiable, then SMALL is also unjustifiable.

A state requirement can be regarded as a cube in terms of the state variables. The size of the cube can be represented by the number of unknown bits. The above observation suggests that among a set of state requirements to be chosen as the next target for justification, the largest one is a good candidate. If the largest one is justifiable, a distinguishing sequence is found and $M_1$ does not cover $M_2$. If the largest one turns out to be unjustifiable, then any smaller state requirement covered by this candidate is also unjustifiable. In either case, the smaller state requirements can be dropped from further consideration without losing accuracy. This largest-first policy is particularly beneficial when the state requirement SMALL requires a long justification sequence to be proved unjustifiable. Fig. 5 illustrates an example in which, if BIG covers SMALL, then the sub-tree originating from the node SMALL need not be explored.
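The justification tree of Section 4.1 with pre-image computation and largest-first scheduling, worked as an added Python example that is not the paper's implementation. A miter is given by binary next-state and output (g) functions over PI and PS; a cube is evaluated in 3-valued logic by checking whether each output bit agrees on all binary completions of the cube; the pre-image of a state requirement enumerates every 3-valued cube over PI and PS whose next-state values are covered by the requirement and keeps only the minimally specified ones; the search then expands the pending requirement with the most unknown bits, stops at a requirement that leaves M1's state variables unconstrained (the justified condition of Section 3.1), and, when a requirement has no pre-image, drops every pending requirement it covers (Observation 1). The constructed miter (M1: one flip-flop b with b' = i and output i if sel else b; M2: the same with an extra flip-flop r, r' = 1, gating the output), the variable layout and the function names are assumptions of this example; brute-force cube enumeration is only workable for a handful of variables.

```python
from itertools import product

U = "u"  # unknown value in a 3-valued cube


def covers(v1, v2):
    """Signal covering of Section 2.3: v1 covers v2 unless (v1,v2) is (0,1),(1,0),(0,u),(1,u)."""
    return v1 == U or v1 == v2


def vec_covers(c1, c2):
    return all(covers(a, b) for a, b in zip(c1, c2))


def completions(cube):
    """All binary vectors contained in a 3-valued cube."""
    free = [k for k, v in enumerate(cube) if v == U]
    for bits in product((0, 1), repeat=len(free)):
        full = list(cube)
        for k, b in zip(free, bits):
            full[k] = b
        yield tuple(full)


def eval_cube(fn, cube):
    """3-valued evaluation of a binary vector function on a cube: a bit is 0/1 when it
    agrees on every completion of the cube, otherwise u."""
    results = [fn(c) for c in completions(cube)]
    return tuple(r0 if all(r[k] == r0 for r in results) else U
                 for k, r0 in enumerate(results[0]))


# Constructed miter (assumption of this example, not a circuit from the paper).
# Variables: PI = (sel, i); PS = (b | b2, r), where b belongs to M1 and (b2, r) to M2.
# M1: b' = i, o1 = i if sel else b.    M2: b2' = i, r' = 1, o2 = r AND (i if sel else b2).
N_PI, N_PS = 2, 3


def miter_next(v):
    sel, i, b, b2, r = v
    return (i, i, 1)


def miter_g(v):
    sel, i, b, b2, r = v
    o1 = i if sel else b
    o2 = r & (i if sel else b2)
    return (o1 ^ o2,)  # g = 1 means the output pair differs


def backward_justify(m1_vars):
    """Breadth-first backward justification of the objective g = 1 with largest-first
    scheduling. m1_vars: indices within PS of M1's state variables. Returns a pair
    (distinguishing sequence as a list of PI cubes, earliest frame first, or None;
     number of state requirements expanded)."""
    all_cubes = list(product((0, 1, U), repeat=N_PI + N_PS))

    def pre_image(req):
        # req is None for the root objective "set g to 1", else the values required
        # at the next-state lines; keep only minimally specified solution cubes
        if req is None:
            sat = [c for c in all_cubes if eval_cube(miter_g, c) == (1,)]
        else:
            sat = [c for c in all_cubes if vec_covers(req, eval_cube(miter_next, c))]
        return [c for c in sat if not any(d != c and vec_covers(d, c) for d in sat)]

    pending, seen = [], []

    def schedule(children, seq):
        """Queue the children of a node; return a sequence if one is already justified."""
        for cube in children:
            pi_cube, ps_req = cube[:N_PI], cube[N_PI:]
            new_seq = (pi_cube,) + seq
            if all(ps_req[k] == U for k in m1_vars):
                return new_seq  # no requirement on M1: justified condition
            if any(vec_covers(old, ps_req) for old in seen):
                continue  # a larger requirement is already scheduled (Observation 1)
            seen.append(ps_req)
            pending.append((ps_req, new_seq))
        return None

    found = schedule(pre_image(None), ())
    expanded = 0
    while found is None and pending:
        # largest-first: the pending requirement with the most unknown bits
        pending.sort(key=lambda node: sum(v == U for v in node[0]), reverse=True)
        req, seq = pending.pop(0)
        expanded += 1
        children = pre_image(req)
        if not children:
            # unjustifiable; by Observation 1 every pending requirement it covers is too
            pending = [n for n in pending if not vec_covers(req, n[0])]
            continue
        found = schedule(children, seq)
    return (list(found) if found else None), expanded


if __name__ == "__main__":
    print(backward_justify({0}))     # M1 covers M2? no: sequence [(1, 1)] found at the root
    print(backward_justify({1, 2}))  # roles swapped: no sequence, 3 requirements expanded
```

With M1's variable at index 0, the distinguishing sequence (sel = 1, i = 1) is found in the root's own pre-image: the requirement (u | u 0) leaves M1 unconstrained, so any M2 state with r = 0 is a witness, matching Lemma 2's partial test. With the roles swapped (M2's variables treated as the part that must be unconstrained), the root generates four state requirements that are all unjustifiable; the largest, (u | u 0), is expanded first and its failure prunes the smaller (1 | u 0) without expanding it, so only three requirements are expanded.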
4.2 Exploring the Structural Similarity
Even for a medium-sized circuit, the backward justification routine could be very time consuming, because a lot of effort is wasted in justifying unjustifiable states repeatedly. An incremental approach that verifies two combinational circuits in stages has been proposed in [12]. It takes advantage of the structural similarity between the circuits to reduce the computational complexity. The miter is traversed from inputs towards outputs to identify equivalent internal signal pairs. Once an equivalent signal pair is found, the two signals are merged to reduce the size of the miter immediately. We incorporate this idea and generalize it for sequential circuits to improve the efficiency of the backward justification process. In our generalization, once an equivalent internal signal pair is found, we impose a constraint between the signal pair implicitly, instead of merging them explicitly as in [12]. The constraint is more general and could be either an equivalence or a covering relation. The reason that we cannot merge two sequentially equivalent signals explicitly is the following. We are dealing with 3-valued logic instead of binary-valued logic. A covering relation between signals is used when checking circuit covering, and it does not imply binary equivalence. For instance, if internal signal s1 in M1 covers signal s2 in M2, then the value combination at (s1, s2) could be one of (0, 0), (1, 1), (U, U), (U, 0) and (U, 1). If we merged these two signals, then the signal with value U might be over-specified. Therefore, we cannot merge a signal pair that satisfies only the covering relation. However, the imposed constraint still provides an effective bounding condition during the backward justification process. Whenever the value combination at a signal pair violates its imposed constraint, a backtrack is performed immediately to avoid unnecessary search.
4.3 Identifying Equivalent FF-pairs
The most important issue in extending the idea of incremental verification to sequential circuits is how to identify equivalent flip-flop pairs first. A simple way to do this is to treat each present-state line pair as a pseudo output pair and run modified ATPG. In our experience, we found this very inefficient. In this section, we discuss a novel induction-based procedure to identify the equivalent flip-flop pairs. In this procedure, we first run logic simulation for a large number of weighted random patterns to find flip-flop pairs that could potentially be equivalent. These flip-flop pairs are called candidate flip-flop pairs. The next (present) state lines of the candidate flip-flop pairs are referred to as candidate NS-pairs (PS-pairs). At the beginning, we have a list of candidate flip-flop pairs. Then we successively identify and remove false candidate FF-pairs from the initial list until no more false candidate flip-flop pairs exist. At each iteration of this monotone filtering procedure, we assume each flip-flop pair in the candidate list is equivalent and impose the constraint on each candidate PS-pair. Then we run modified ATPG to verify whether each candidate NS-pair is indeed equivalent under these constraints. If all the candidate NS-pairs are proven equivalent under the assumption that every candidate PS-pair is equivalent, then we can conclude that all candidate flip-flop pairs remaining in the list are indeed equivalent. On the other hand, if any NS-pair is found not equivalent, then it is removed from the candidate list and the process starts over again with a smaller candidate list. The advantages of this procedure rely on the equivalence constraint imposed at each candidate PS-pair. These constraints have two advantages: (1) The number of state requirements during the backward justification process is reduced substantially, so that our breadth-first search algorithm is less vulnerable to memory explosion. (2) The time complexity is substantially reduced because many unjustifiable state requirements that violate the imposed constraints are detected early, and thus a lot of unnecessary search is avoided.

Fig. 6 shows an example with two flip-flops in each circuit. We first construct the miter circuit. Suppose both FF-pairs are in the candidate list initially. Their corresponding PS-pairs are (y1, y1'), (y2, y2'), and their corresponding NS-pairs are (Y1, Y1'), (Y2, Y2'). We first verify the equivalence of the first NS-pair, (Y1, Y1'), under the constraint that y1 = y1', y2 = y2' at every time frame. This is done by connecting Y1 and Y1' to an exclusive-OR gate and running modified ATPG for this gate's output stuck-at-0 fault. Suppose that after the backward justification of two time frames, only one state requirement, (01 | 00), is left, as shown in Fig. 6. This state requirement violates one of the assumed constraints, y2 = y2', and thus is declared unjustifiable immediately. As a result, (Y1, Y1') is regarded as equivalent at this iteration. On the contrary, if (Y1, Y1') is proven non-equivalent, then it should be dropped from the candidate list.

Fig. 6: An example for the equivalent FF identification algorithm. Candidate list: ((Y1, Y1'), (Y2, Y2')). Assumed constraints: y1 = y1', y2 = y2' at every time frame.

At each iteration of this screening process, the identified non-equivalent NS-pairs are indeed non-equivalent. But those candidate NS-pairs that remain in the list before the end of the process may not be truly equivalent. The number of candidate NS-pairs decreases monotonically until a stable condition is reached, i.e., all NS-pairs in the current candidate list pass the screening process.

Lemma 4: All FF-pairs remaining in the candidate list are indeed equivalent after the stable condition is reached.
(Proof): We use induction to prove that all candidate NS-pairs surviving the screening process are equivalent at all time frames. The index of a time frame increases in the forward direction. (BASIS): Initially, all candidate FF pairs are unknown, and thus are equivalent. (INDUCTION STEP): Assume all candidate NS-pairs are equivalent for the first n time frames. Then all candidate PS-pairs are equivalent at time frame n+1. The above stable condition implies that every candidate NS-pair at time frame n+1 is also equivalent. (CONCLUSION): All candidate NS-pairs are equivalent at all time frames. (Q.E.D.)

The above procedure can be further enhanced by identifying internal equivalent signal pairs. At each iteration, we sort the candidate internal pairs in an order such that each signal comes after its transitive fanins. Then we examine the equivalence of each candidate internal pair. Once an equivalent pair is found, we impose the equivalence constraint on this pair to assist the subsequent process of identifying the other equivalent pairs. Note that it may take more than one time frame to prove an internal pair equivalent, as in the case of proving equivalence of primary output pairs. We summarize our overall verification algorithm in Fig. 7.

Fig. 7: Overall procedure of our verification approach: impose constraints on candidate PS-pairs; *check equivalence of each candidate NS-pair; *check equivalence of each PO-pair (* indicates operations that need to run modified ATPG).

5. Experimental Results
We have implemented our algorithm in C++ using the ATPG program described in [19]. We verified the ISCAS89 benchmark circuits that are optimized by a sequential redundancy removal program [19]. In Table 1, we show the results of checking circuit covering. All circuits satisfy the condition of circuit covering. The CPU times are shown in the last column. In Table 2, we show the results of verifying reset equivalence. For the circuit s5378, since the optimized circuit is not reset-equivalent to the original circuit, we first apply an initialization sequence to bring both circuits under verification to a state pair and then prove that this state pair is equivalent. Therefore, they are post-synchronization equivalent. The results of running the verification program in SIS [21] are also given. Our program successfully verified three larger circuits (s1423, s5378, s9234.1) on which SIS fails on a Sun workstation with 128 Mbytes of memory. Our approach is efficient due to the several techniques used to cut down the search space.
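As an added example (not the paper's code) of the constraint-based bounding of Section 4.2 and the monotone screening loop of Section 4.3, the Python below checks each candidate NS-pair under the assumption that all candidate PS-pairs are equal and restarts with a smaller list after each removal. The paper's modified ATPG run is replaced by a one-time-frame enumeration of a constructed six-flip-flop miter (names a, b, f for M1 and c, d, g for M2 are assumptions), which also shows a pair that passes only while a false constraint is still assumed.

```python
from itertools import product

# Constructed toy miter (not the paper's Fig. 6): M1 has FFs a, b, f and M2 has c, d, g.
# Each entry is one FF's next-state function of the present state s and the input x.
NEXT_STATE = {
    "a": lambda s, x: x,       "c": lambda s, x: 1 - x,   # c is the inverse of a
    "b": lambda s, x: s["a"],  "d": lambda s, x: s["c"],  # equal only while a == c
    "f": lambda s, x: x,       "g": lambda s, x: x,       # genuinely equivalent
}

def check_ns_pair(next_state, candidates, pair):
    """Stand-in for the modified ATPG run: with every candidate PS-pair assumed
    equal, look one time frame ahead for a (state, input) where the NS-pair differs.
    Returns that counterexample, or None if the pair is equivalent under the constraints."""
    names, (p, q) = sorted(next_state), pair
    for bits in product((0, 1), repeat=len(names)):
        s = dict(zip(names, bits))
        if any(s[u] != s[v] for u, v in candidates):
            continue  # violates an imposed PS constraint: backtrack immediately
        for x in (0, 1):
            if next_state[p](s, x) != next_state[q](s, x):
                return s, x
    return None

def screen_candidates(next_state, candidates):
    """Monotone filtering: remove the first false NS-pair, restart the check with
    the smaller list, and stop when every remaining pair passes (stable condition)."""
    candidates, removed = list(candidates), []
    while True:
        false_pair = next((pair for pair in candidates
                           if check_ns_pair(next_state, candidates, pair) is not None), None)
        if false_pair is None:
            return candidates, removed  # Lemma 4: the survivors are equivalent
        candidates.remove(false_pair)
        removed.append(false_pair)
```

Pair (b, d) passes the first iteration only because a = c is still assumed; once (a, c) is dropped and the check restarts, (b, d) is removed as well.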
Among them, the most significant technique is identifying the equivalent FFs (the number of identified equivalent FF-pairs is shown in the column labeled "# equivalent FF-pairs") and then using them to provide powerful bounding conditions. As a result, the number of state requirements generated in the entire search process is reduced significantly, and the possibility of running into memory explosion is dramatically reduced. We list the numbers of combinationally equivalent FF-pairs and sequentially equivalent FF-pairs identified by our program. The difference between these two is that it requires more than one time frame to identify sequentially equivalent pairs in our algorithm. For circuit s9234.1, the number of identified equivalent FF-pairs in checking reset equivalence (198) is different from the number in checking circuit covering (189). As a consequence, checking the definition of reset equivalence is much faster than checking the definition of circuit covering.

Table 1: Verifying circuit covering for circuits after sequential redundancy removal (columns: circuit, original / optimized circuit sizes, # equivalent FF-pairs (comb. / seq.), and CPU time in the last column).
Table 2: Verifying reset-equivalence for circuits after sequential redundancy removal (columns: circuit, original / optimized circuit sizes, # equivalent FF-pairs (comb. / seq.), and CPU time for SIS and for our program).

6. Conclusion
We have presented an ATPG-based framework that can verify the equivalence of two sequential circuits with or without a reset state. We proved that this approach is correct and complete for circuits with a reset state. For circuits without a reset state, this approach can verify the definitions of either post-synchronization equivalence or circuit covering. We show that circuit covering is a more stringent definition than post-synchronization equivalence for circuits that are 3-valued initializable. This approach is particularly effective in cases where the two circuits possess significant structural similarity, e.g., circuits optimized by sequential redundancy removal, circuits optimized by retiming, and circuits that have gone through the process of engineering change. We have developed several techniques to speed up the verification process: (1) a breadth-first search with largest-first scheduling to cut down the search space, (2) a generalization for exploiting internal similarity to perform the verification in stages, and (3) an iterative and efficient procedure to identify equivalent flip-flop pairs. The experimental results of verifying circuits after sequential redundancy removal show that this approach can handle much larger designs than the existing BDD-based approaches. We have also developed new algorithms to apply this framework to verifying the correctness of retimed circuits [22].

Appendix
In this section, we prove Lemma 2 and Lemma 3.

Lemma 2 (necessary and sufficient condition): M1 covers M2 if and only if there exists no input sequence T such that the output combination (o1(s1, T), o2(s2, T)) ∈ {(0, 1), (1, 0)}, where s2 is a state of M2.
(Proof): (I) (⇐): Assume that (o1(s1, T), o2(s2, T)) ∈ {(0, 1), (1, 0)}. Then the possible output combination of signals o1 and o2 in response to sequence T (when both circuits are started from the known states) is one of {(0, 1), (1, 0), (0, U), (1, U)}. Thus M1 does not cover M2 and T is a distinguishing sequence. (II) (⇒): Assume that M1 does not cover M2. Then there exists an input sequence T such that the output combination of o1 and o2 in response to T is in {(0, 1), (1, 0), (0, U), (1, U)}. Hence, based on 3-valued logic, we can find a state q2 such that (o1(s1, T), o2(q2, T)) ∈ {(0, 1), (1, 0)}.
We thus conclude that if M1 covers M2, then there exists an input sequence and a state

Lemma 3: Let T be an input sequence (some bits could be U) that can distinguish M1 and M2 from the reset state pair (s1, s2). Then there exists an input sequence D that can be found during the backward justification process in our algorithm such that, under 3-valued logic simulation, the output combination in response to D is also distinguishing.
(Proof): First we construct a binary input sequence T' from T by replacing every unknown bit with the value '0'. Obviously, T' is a refinement of T and is still a distinguishing sequence. Let T' = (t1, t2, ..., tn), where ti is a binary vector. Assume that T' brings the miter through a sequence of completely specified states (q1, q2, ..., qn, qn+1) from the initial state q1, as shown in Fig. 8, where q1 = (s1 | s2). We prove by induction that there exists an input sequence D = (d1, d2, ..., dn) that can be found during our backward justification process.

Fig. 8: Time-frame expansion model for proving Lemma 3 (the miter's state sequence q1, q2, ..., qn+1 and the state requirement sequence SR1, ..., SRn over the expanded time frames).

(BASE): At the right-most time frame, since the binary vector (tn | qn) can set signal g to 1, a state requirement SRn and an input vector dn can be found during the backward justification process of this time frame so that the following two conditions are satisfied: (1) (dn | SRn) can set g to 1, and (2) SRn ⊇ qn. Otherwise the justification of this time frame is not complete. It is known that combinational backward justification is a complete process even though over-specification is made at some signals. (INDUCTION STEP): Suppose at the i-th time frame there exists SRi such that SRi ⊇ qi. Similar to the above argument, we can find an input vector d(i-1) and a state requirement SR(i-1) such that SR(i-1) ⊇ q(i-1) and d(i-1) ⊇ t(i-1). (CONCLUSION): Given sufficient time, a state requirement that covers the reset state (s1 | s2) will be generated at the first time frame. This state requirement satisfies the justified condition of the backward justification process. The input vectors collected so far form a 3-valued distinguishing sequence. (Q.E.D.)

References
[1] E. J. McCluskey, Introduction to the Theory of Switching Circuits, New York, McGraw-Hill (1965).
[2] C. E. Leiserson and J. B. Saxe, Retiming Synchronous Circuitry, Algorithmica, vol. 6, pp. 5-35 (1991).
[3] K.-T. Cheng, Redundancy Removal for Sequential Circuits Without Reset States, IEEE Trans. on CAD, pp. 652-667 (Jan. 1993).
[4] L. Entrena and K.-T. Cheng, Sequential Logic Optimization by Redundancy Addition and Removal, Proc. Int'l Conf. on CAD, pp. 310-315 (Nov. 1993).
[5] O. Coudert, C. Berthet and J. C. Madre, Verification of Synchronous Sequential Machines Based on Symbolic Execution, Automatic Verification Methods for Finite State Systems, LNCS no. 407, Springer Verlag (1990).
[6] H. J. Touati, H. Savoj, B. Lin, R. K. Brayton and A. Sangiovanni-Vincentelli, Implicit State Enumeration of Finite State Machines Using BDDs, Proc. Int'l Conf. on CAD-90, pp. 130-133 (Nov. 1990).
[7] A. Ghosh, S. Devadas and A. R. Newton, Test Generation and Verification for Highly Sequential Circuits, IEEE Trans. on CAD, pp. 652-667 (May 1991).
[8] C. Pixley, A Theory and Implementation of Sequential Hardware Equivalence, IEEE Trans. on CAD, pp. 1469-1494 (Dec. 1992).
[9] I. Pomeranz and S. M. Reddy, On Achieving Complete Testability of Synchronous Sequential Circuits with Synchronizing Sequences, Proc. Int'l Test Conference, pp. 1007-1016 (Oct. 1994).
[10] C. Pixley, V. Singhal, A. Aziz and R. K. Brayton, Multi-level Synthesis for Safe Replaceability, Proc. Int'l Conf. on CAD, pp. 442-449 (Nov. 1994).
[11] S. Devadas, H.-K. T. Ma and A. Sangiovanni-Vincentelli, Logic Verification, Testing and Their Relationship to Logic Synthesis, Testing & Diagnosis of VLSI & ULSI, Kluwer Academic Publishers, pp. 181-246 (1988).
[12] D. Brand, Verification of Large Synthesized Designs, Proc. Int'l Conf. on CAD, pp. 534-537 (Nov. 1993).
[13] W. Kunz, Novel Verification Framework Combining Structural and OBDD Methods in a Synthesis Environment, Proc. Design Automation Conference, pp. 414-419 (June 1995).
[14] R. Marlett, EBT: A Comprehensive Test Generation Technique for Highly Sequential Circuits, Proc. 15th Design Automation Conference, pp. 332-339 (June 1978).
[15] W.-T. Cheng, The BACK Algorithm for Sequential Test Generation, Proc. Int'l Conference on Computer Design, pp. 66-69 (Oct. 1988).
[16] P. Goel, An Implicit Enumeration Algorithm to Generate Tests for Combinational Logic Circuits, IEEE Trans. on Computers, C-30, pp. 215-222 (March 1981).
[17] H. Cho, S.-W. Jeong, F. Somenzi and C. Pixley,  Synchronizing Sequences and Symbolic Traversal Techniques in Test Generation, JETTA, vol. 4, no. 12, pp. 19-31 (1993).
[18] K.-T. Cheng and H.-K. T. Ma, On the Over-specification Problem in Sequential ATPG Algorithms, IEEE Trans. on CAD, pp. 1599-1604 (Oct. 1993).
[19] U. Glaeser and H. T. Vierhaus, Mixed Level Test Generation for Synchronous Sequential Circuits using the FOGBUSTER-Algorithm, IEEE Trans. on CAD of Integrated Circuits and Systems, vol. 15, no. 4, pp. 410-423 (April 1996).
[20] M. Abramovici, M. A. Breuer and A. D. Friedman, Digital Systems Testing and Testable Design, IEEE Press (1990).
[21] SIS: A System for Sequential Circuit Synthesis, Report M92/41, University of California, Berkeley (May 1992).
[22] S.-Y. Huang, K.-T. Cheng and K.-C. Chen, On Verifying the Correctness of Retimed Circuits, Great Lakes Symposium on VLSI, pp. 277-280 (March 1996).