RESEARCH REPORT
Connection Errors Location and Correction in Combinational Circuits
Ayman Wahba, Dominique Borrione
Abstract
We present new diagnostic routines for localizing connection errors in combinational logic circuit designs. Special, diagnosis oriented, test patterns are generated in order to reduce rapidly the suspected area of the circuit where the error lies. The algorithms are implemented and the results obtained on benchmark circuits show that the error is always found, with an execution time proportional to the product of the circuit size, and the number of applied test patterns.
Résumé
We present new algorithms for locating connection errors in combinational logic circuits. Test vectors, specialized for diagnosis, are designed to rapidly reduce the suspected area of the circuit where the error lies. These algorithms have been implemented and run on a set of benchmarks. The results show that the error is always found in a time proportional to the product of the circuit size and the number of test vectors used.
Contents
1 Introduction
2 Basic definitions and terminology
3 Diagnosis of Extra Connections Errors
  3.1 Analysis with Error-Detecting Patterns
  3.2 Analysis with Non-Detecting Patterns
  3.3 The Diagnosis Algorithm
  3.4 Test Pattern Generation
  3.5 Experimental Results
4 Diagnosis of Missing Connections Errors
  4.1 Analysis with Error-Detecting Patterns
  4.2 Analysis with Non-Detecting Patterns
  4.3 The Diagnosis Algorithm
  4.4 Test Pattern Generation
  4.5 Experimental Results
5 Diagnosis of Bad Connections Errors
  5.1 Analysis with Error-Detecting Patterns
  5.2 Analysis with Non-Detecting Patterns
  5.3 The Diagnosis Algorithm
  5.4 Test Pattern Generation
  5.5 Experimental Results
6 CONCLUSION
Chapter 1 Introduction

Design fault diagnosis plays an essential role in providing correct VLSI products. Although automated synthesis tools are currently being used to provide correct by construction products, experience shows that it is not always guaranteed to get these correct products without passing through a phase of design correction. We cite here three examples from the real VLSI industry. In the UltraSPARC-I processor, developed by Sun's SPARC technology, very subtle bugs were found using a model checker [1]. In the EWSDCCS7E processor, developed by SIEMENS, a total of 320 errors were discovered during the simulation phase [2]. More than 150 serious problems were found in ASIC's within the system, and about 35 problems were found in library modules of board components other than ASIC's and ASIC libraries. The third example is the PowerPC processor from IBM. The verification phase discovered 450 bugs in the PowerPC1 processor, 480 bugs in the PowerPC2 processor, and 600 bugs in the PowerPC3 [3].

There are two main sources for these errors. The first one is the manual changes that are made to achieve some critical design aspects, that can't be achieved by the automated synthesis tools, such as speed and area requirements, or to carry out small specification changes. The other source is the software bugs that may exist in the synthesis tools themselves, due to their increased complexity and to the continuous changes made in them to cope with the rapidly evolving technology.

Whatever the source of these design errors, they must be discovered and corrected as early as possible during the design process. The late discovery of these errors may have catastrophic consequences, especially if the product has already been marketed. Existing verification tools can discover the existence of design errors, but they don't provide any information about the nature of the error or how to correct it.
In the best case, verifiers only provide counter examples in the form of input patterns that witness a difference between the behaviors of the implementation and of the specification. The cumbersome task of finding and correcting the error is then left to the designer who makes use of the counter examples to simulate the design and reason about the type and the location of the error.

The place of the diagnosis in the design process is shown in Figure 1.1. We assume that a specification is given and validated using simulation and/or formal techniques. After a synthesis step (whether automatic or manual, or a combination of both), a description of the implementation is produced. A suitable verifier is then used to check the correctness of the implementation with respect to the specification. If an error is detected, counter examples are generated and the diagnosis and the correction are carried out, and finally the verification is done again. This diagnosis-correction-verification cycle is repeated until a correct implementation is obtained.
[Figure 1.1: The place of the diagnosis in the design process. Flowchart with the labels: Designer, Initial IMPL, IMPL, SPEC, Verifier, Equivalent (Yes / No), Generate Counter-Examples, Diagnosis, Changes, Return IMPL.]

This manual diagnosis process takes a very long time, which may exceed the design time itself. It is thus necessary to replace this lengthy manual operation by an automated one.

Abadir in [4] classified simple design errors into: i) gate errors (missing/extra inverter, gate replaced by another function), and ii) connection errors (missing/extra connection, wrong connection). At that time, little research was done about the automatic diagnosis of these errors.

Gate errors were first considered. An early system, called VERIFIER [5], was made for the diagnosis of missing/extra inverter errors. VERIFIER suggests a set of locations to be checked for correction. The number of suggested locations is large compared with the circuit size. In some experiments this number was up to 37% of the circuit size.

The technique discussed in [6] is used for gate replacement errors. It determines the set of possibly incorrect gates by enumerating input patterns that witness the error. The technique can also be applied for connection errors, but only the gate at which the error exists may be found: the faulty connection(s) cannot be determined. A main drawback of this method is that the enumeration of error detecting patterns is practically impossible for circuits with a large number of inputs.

The method presented in [7] also locates inverter errors within a sub-circuit of the implementation. Nothing was said about its applicability to other error hypotheses, nor about the area in which the error is located.

Madre, in [8], proposed to use the equation solving capabilities of the tautology checker PRIAM. This method considers only gate errors, and is unusable for connection errors diagnosis. Liaw [9] made some performance enhancements over this method but without changing the main hypotheses.

Methods have been published, e.g. [10], for fault diagnosis of fabrication wire errors: shorts, a cut of a wire, the occurrences of signals not sufficiently amplified, etc. This is a completely different problem than the design errors problem.

Design connection errors started being studied in the early nineties. Tomita et al. in [11, 12] consider gate errors and extra/missing connection errors. Their method can only identify the gate at which the extra/missing connection error may exist, but cannot determine which connection(s) is the extra/missing one. The method uses a large number (typically 100-200) of special test patterns called PLE (Patterns for Locating Errors). The existence of these patterns is not always guaranteed; however, any pattern which is not PLE is useless for the diagnosis algorithm.

Missing connection errors are also diagnosed by the ACCORD diagnostic system presented in [13], but neither extra nor bad connection errors can be treated. The algorithm is completely based on BDD manipulation, and many benchmark circuits could not be processed due to their huge memory requirements. This method was extended in [14] to consider also extra connection errors, but the same problem of BDD size explosion could not be overcome.

The method presented in [15, 16] locates gate errors and missing connection errors. The gate at which a missing connection error exists is located but the missing connection itself is not determined. The method is based on the use of BDD's and fault simulation.
A large number of test patterns was necessary before the error could be located (typically 1087 patterns for a 546 gates circuit).

In this report we present automated algorithms for connection error diagnosis. This work extends our previous system limited to the diagnosis of gate replacement and inverter errors [17, 18, 19]. We improve upon other connection error diagnostic methods mentioned above in three ways: i) we consider a larger class of connection errors that includes extra, missing, and bad connections; ii) our diagnosis algorithm identifies not only the gate at which the erroneous connection exists, but also which connection is the erroneous one; iii) using diagnosis-oriented test patterns, the error localization is made using a small number of patterns (typically 10-20 patterns for a circuit of about 3500 gates).

The diagnostic system presented here is based on the close cooperation of three basic modules: a test pattern generator, a simulator and a diagnoser. The pattern generator generates for a given suspected gate special test patterns capable of detecting the error if it exists at this gate. The simulator simulates the implementation and the specification under the application of these patterns, and gives the simulation result to the diagnoser which, in turn, uses this result to limit the suspected area of the circuit. This information is passed to the pattern generator which selects a gate from the suspected area, and the same operation is repeated until the error is found. Figure 1.2 shows the information flow among these three modules.
[Figure 1.2: The overall diagnosis system. Block diagram with the labels: IMPL, SPEC, Pattern Generator, Special Test Patterns, Simulator, Results, Diagnoser, Error Candidates.]

Chapter 2 of this report introduces the basic definitions and terminology, and gives the assumptions under which the diagnosis algorithm works. Chapter 3 is devoted to diagnosis of extra connection errors. Missing connection errors are dealt with in chapter 4. Chapter 5 presents the diagnosis of bad connection errors. Our conclusions are given in chapter 6.
Chapter 2 Basic definitions and terminology

Throughout this report we consider a circuit specification SPEC, and its implementation IMPL, both at logic level. The specification output is denoted $W = \{w_1, w_2, \ldots, w_m\}$, and the implementation output is denoted $Y = \{y_1, y_2, \ldots, y_m\}$, where $m$ is the number of outputs. The implementation is described as a gate network, while the description style for the specification is not restricted.

Definition 2.1: A Connection:
A connection from the output of gate $G_1$ to the input of gate $G_2$ is denoted $C(G_1, G_2)$.

Definition 2.2: A Bad Connection:
An erroneous implementation IMPL is said to have a bad connection $BC(G_1, G_2, G_e)$ at the input of a gate $G_e$, if IMPL can be corrected by removing a connection $C(G_1, G_e)$, and adding another connection $C(G_2, G_e)$, where $G_1 \neq G_2$, and $\{G_1, G_2, G_e\} \subseteq$ IMPL.

Definition 2.3: Search Space:
The search space is a subset of all the circuit gates, and it contains any gate $G_e$ at which extra/missing or bad connections may exist.

Initially, the search space contains all the implementation gates, and then it is reduced gradually by the diagnosis algorithm as test patterns are applied.

Definition 2.4: Test Patterns.
For a circuit with $n$ inputs, a test pattern is an $n$-bit vector which may be binary ($B^n$) or ternary ($T^n$), where
$B = \{0, 1\}$ is the Boolean domain, and
$T = \{0, 1, X\}$ is the ternary domain. $X$ is an unspecified value (don't care).

Test patterns are generated so that they produce a binary value (0 or 1) on one or more outputs of the implementation when they are applied to its inputs. Both the specification and the implementation are simulated under the application of the generated test patterns.
It is then necessary to distinguish between the patterns that detect the error and the ones that don't detect it. A test pattern TP is classified as an Error Detecting Pattern (EDP), or Non-Detecting Pattern (NDP), according to the following rule:

$$TP \text{ is } \begin{cases} \text{EDP} & \text{if } Y \neq W \\ \text{NDP} & \text{if } Y = W \end{cases}$$

In the following, whenever we refer to a gate, it should be understood that we talk about a gate in the implementation (since the specification may be described functionally). The gate types considered are AND, OR, NAND, NOR, NOT and BUF (Buffer). Other gate types (XOR, XNOR, complex gates) are represented as networks of the previous ones.
Error Model:
Our model for connection errors is based on the study presented in [4] about simple design errors, and the problems submitted to us by the design engineers at Thomson-TCS. The model covers five types of connection errors:

1. Missing connection at a gate input: A gate with $n - 1$ inputs is used instead of an $n$ inputs gate. All of the $n - 1$ inputs are correctly connected.
2. Extra connection(s) at a gate input: A gate with $n + m$ inputs is used instead of an $n$ inputs gate. All of the $n$ inputs are correctly connected, and the extra $m$ inputs are connected to arbitrary nodes in the circuit.
3. Bad connection at a gate input: one gate input is replaced by another input.
4. Extra connection(s) to a constant value: a gate with $n + m$ inputs is used instead of an $n$ inputs gate. All of the $n$ inputs are correctly connected, and the extra $m$ inputs are connected to constant values (1 or 0).
5. Bad connection to a constant value: One gate input is replaced by a connection to 1 or 0.

Figure 2.1 illustrates the different types of connection errors. A basic assumption is that the circuit is combinational and that the error does not introduce loops in it.

The extra connection to a constant, and the bad connection to a constant are special cases of the extra and bad connection errors. We mention them explicitly here because, as was reported to us by the design engineers at Thomson TCS, a connection to Vcc or Vdd is a common error in practice. We shall represent the constant value 1 by an OR gate fed with complementary values of an arbitrary primary input $i$, and the 0 by a similar construction using an AND gate. During test generation, the value of the primary input $i$ will always be set to a binary value 1 or 0. This represents no extra constraints for the pattern generator. Pattern generation is made as usual, and if in the generated pattern the value of $i$ is 1 or 0 nothing is done. If the value of $i$ is not specified, i.e. X, then it does not affect the sensitized path nor the error excitation conditions and this value X is replaced by an arbitrary binary value.

[Figure 2.1: Connection errors. Table showing, for each error type (missing connection, extra connection, bad connection, extra connection to constant, bad connection to constant), the wrong circuit and the correct circuit around a gate G with inputs A, B, C or a constant 1 or 0.]

The diagnosis methodology is based on error hypotheses: an error type is assumed and the diagnosis is then made according to this assumption. If the error is not found, another type is assumed, and so on [20].
Definition 2.5: Current value at a gate output:
$CV(G, TP)$ is the current value at the output of a gate $G$, when the test pattern $TP$ is applied at the implementation primary inputs.

Definition 2.6: Required value at a gate output:
Let $Y_m(G, V, TP)$ denote the value obtained at the output of the implementation, under the application of an input pattern $TP$, if the current value at the output of a gate $G$, $CV(G, TP)$, is replaced by another value $V$. The required value at the output of a gate $G$, $RV(G, TP)$, under the application of an error detecting pattern $TP$, is the value which satisfies $Y_m(G, RV(G, TP), TP) = W(TP)$.

We introduce a new Boolean operator to facilitate the description of the diagnosis algorithm.
Definition 2.7: The (*) logic operator:
The function realized by the operator (*) is defined as shown in table 2.1.

  b\a | 1   0   x
  ----+-----------
   1  | x   1   1
   0  | 0   x   0
   x  | 0   1   x

Table 2.1: The (*) operator, a * b.
Definition 2.8: Suspectability function:
We define the suspectability function for a gate $G$, of type $Type(G)$, when a test pattern $TP$ is applied to the implementation inputs, as follows:

$$sus(G, TP) = \begin{cases} RV(G, TP) * CV(G, TP) & \text{if } Type(G) = \text{AND or NOR} \\ not(RV(G, TP) * CV(G, TP)) & \text{if } Type(G) = \text{OR or NAND} \\ 0 & \text{if } Type(G) = \text{NOT or BUF} \end{cases}$$

For each gate type, there exists a boolean value of its output which is forced if any of the gate inputs is set to a given boolean value, regardless of the possible ternary values of the other gate inputs. This output value is called forced value and the corresponding input value is called forcing value. We shall denote these values $Forced(G)$ and $Forcing(G)$. The following table shows these values for the different types of gates.

  Gate type | Forcing(G)        | Forced(G)
  ----------+-------------------+-----------
  AND       | 0                 | 0
  OR        | 1                 | 1
  NAND      | 0                 | 1
  NOR       | 1                 | 0
  NOT       | $v \in \{1, 0\}$  | $\overline{v}$
  BUF       | $v \in \{1, 0\}$  | $v$

Definition 2.9: Values compatible with a gate output value:
Let $V_G$ be the value of the output of a gate $G$, $V_G \in T$. A value $V_{comp}(G, V_G) \in T$ is called compatible with $V_G$ if it is necessary to set one or more inputs of $G$ to the value $V_{comp}(G, V_G)$ to generate $V_G$ at its output. For all gate types, we have:

$$V_{comp}(G, V_G) = Forcing(G) \oplus Forced(G) \oplus V_G$$

The set of inputs of $G$ that have a value compatible with $V_G$ is denoted $comp(G, V_G)$.
Definition 2.10: A changeable input:
A changeable input of a gate, under the application of an input pattern $TP$, is an input which, if its value is complemented, forces the output of $G$ to take the required value $RV(G, TP)$.

Definition 2.11: A fixed input:
A fixed input of a gate, under the application of an input pattern $TP$, is an input which, if its value is complemented, forces the output of $G$ to take a new value $V$, $V \neq CV(G, TP)$.

Definition 2.12: Successor of a gate:
A gate $G_2$ is said to be in the successor set of another gate $G_1$, $successor(G_1)$, if there is a path from the output of $G_1$ to one (or more) input of $G_2$.
Chapter 3 Diagnosis of Extra Connections Errors

3.1 Analysis with Error-Detecting Patterns

Proposition 3.1: Suspected gates under the extra connection error hypothesis:
A gate $G$ in IMPL under the application of an error detecting pattern $TP$ is suspected for having extra connections at its inputs if and only if the following conditions hold:
1. $G \in$ Search Space.
2. $comp(G, RV(G, TP)) \neq \emptyset$.

Justification:
The first condition is evident: the only gates that are investigated are those which are in the search space. The second condition guarantees that $RV(G, TP)$ can be generated at the output of $G$, by removing some of its inputs, and consequently correcting the implementation output.

If a gate $G$ in IMPL, under the application of an error detecting pattern $TP$, is suspected then its inputs are classified into three classes:
1. Sure extra inputs set $S_x(G, TP)$: $S_x(G, TP)$ is a subset of the inputs of $G$ that must be removed, or else $RV(G, TP)$ cannot be obtained at the output of $G$.
2. Impossible extra inputs set $I_x(G, TP)$: $I_x(G, TP)$ is a subset of the inputs of $G$ that can't be removed simultaneously, otherwise $RV(G, TP)$ cannot be obtained.
3. Probable extra inputs set $P_x(G, TP)$: $P_x(G, TP)$ is the subset of inputs of $G$, such that any combination of the inputs in $P_x(G, TP)$, except for $I_x(G, TP)$, can be removed after the removal of $S_x(G, TP)$ without affecting the obtained $RV(G, TP)$.
Example 3.1: Suppose we have an AND gate, $G$, with inputs $(A_1, A_2, A_3, A_4, A_5) = (0, 0, 1, X, X)$ when a test pattern $TP_1$ is applied to the implementation. If $RV(G, TP_1)$ is $X$, then $S_x(G, TP_1) = \{A_1, A_2\}$, $P_x(G, TP_1) = \{A_3, A_4, A_5\}$, and $I_x(G, TP_1) = \{A_4, A_5\}$.

The following proposition expresses these facts more formally.

Proposition 3.2:
If a gate $G$ in IMPL, under the application of an error detecting pattern $TP$, is suspected for having extra connections, then:

$$S_x(G, TP) = comp(G, CV(G, TP))$$
$$I_x(G, TP) = comp(G, RV(G, TP))$$
$$P_x(G, TP) = inputs(G) - S_x(G, TP)$$

Proof:
The inputs causing the gate output to have the value $CV(G, TP)$ must be removed to change this value. Thus the inputs in the set $comp(G, CV(G, TP))$ must be removed, otherwise the gate output will not change. If all the inputs compatible with $RV(G, TP)$ are removed simultaneously, then $RV(G, TP)$ will not be obtained. Thus the inputs in the set $comp(G, RV(G, TP))$ cannot be removed simultaneously. After the removal of $S_x(G, TP)$, any one, or any combination (excluding $I_x(G, TP)$), of the remaining inputs can be removed without affecting the obtained output value, and thus these inputs constitute $P_x(G, TP)$.

If the gate $G$ is analyzed under the application of several error detecting patterns $TP_1, TP_2, \ldots, TP_n$ then the sure, possible and impossible extra connection sets for $G$ are given by:

$$S_x(G) = S_x(G, TP_1) \cup S_x(G, TP_2) \cup \cdots \cup S_x(G, TP_n)$$
$$I_x(G) = \{I_x(G, TP_1), I_x(G, TP_2), \ldots, I_x(G, TP_n)\}$$
$$P_x(G) = inputs(G) - S_x(G)$$

Note that $S_x(G)$ and $P_x(G)$ are subsets of the gate inputs while $I_x(G)$ is a set of input combinations that can't be the extra connected lines (i.e. $I_x(G)$ is a set of sets).

Example 3.2: For the same AND gate of example 3.1, if under the application of another pattern $TP_2$ the inputs of $G$ are $(A_1, A_2, A_3, A_4, A_5) = (0, 1, 0, 1, X)$, and $RV(G, TP_2)$ is $X$, then $S_x(G, TP_2) = \{A_1, A_3\}$, $P_x(G, TP_2) = \{A_2, A_4, A_5\}$, and $I_x(G, TP_2) = \{A_5\}$. Combining the results of $TP_1$ and $TP_2$ we get $S_x(G) = \{A_1, A_2, A_3\}$, $P_x(G) = \{A_4, A_5\}$, and $I_x(G) = \{\{A_4, A_5\}, \{A_5\}\}$. This result means that if $G$ is the erroneous gate then $\{A_1, A_2, A_3\}$ are sure to be extra inputs, while $A_4$ may be an extra input.
3.2 Analysis with Non-Detecting Patterns

In the previous section we were concerned only with the analysis of the circuit under the application of a test pattern that detects the error. In many situations the applied test patterns don't detect the error, or detect the error on some primary outputs while the other outputs still have the correct values. Circuit analysis starting from those outputs having correct values can also help to exclude some suspected locations.

Proposition 3.3:
If under the application of a Non-Detecting Pattern $TP$ the current value at the output of a gate $G$, $CV(G, TP)$, has to be fixed to keep the primary output unchanged, then the input set $comp(G, CV(G, TP))$ represents an impossible extra input combination and must be added to $I_x(G)$.

Proof:
Since the current value of the gate output must be kept unchanged to maintain the output value correct, then the combination of the inputs of $G$ that generate $CV(G, TP)$ must be kept connected.
3.3 The Diagnosis Algorithm

Based on the above propositions we present here a diagnostic algorithm for locating extra-lines errors. Given a test pattern TP, the algorithm scans the circuit from the primary outputs backward to the primary inputs. This is made by the recursive function analyze-x-cnct described in the algorithm shown below. Initially the Search Space contains all the gates of the circuit that have more than one input. The algorithm diagnose-x-cnct is then executed repeatedly until the error is found or until no more test patterns can be generated. This will be explained later when we talk about the test pattern generation method.

algorithm diagnose-x-cnct(TP);
begin
  apply TP to the inputs of the implementation IMPL;
  simulate IMPL;
  for every gate G_yi driving a primary output y_i ≠ X do
    New Search Space = ∅;
    if y_i ≠ w_i then Pat-Type := EDP;
    else Pat-Type := NDP;
    endif;
    analyze-x-cnct(Pat-Type, G_yi);
    if Pat-Type = EDP then Search Space = New Search Space; endif;
  endfor;
end.

procedure analyze-x-cnct(Pat-Type, G);
begin
  if G is a primary input then exit; endif;
  if Pat-Type = EDP then
    if (G ∈ Search Space) ∧ (comp(G, RV(G,TP)) ≠ ∅) then    % Proposition 3.1.
      New Search Space = New Search Space ∪ {G};
      S = Sx(G, TP); P = Px(G, TP); I = Ix(G, TP);
      update-x-cnct(Pat-Type, G, S, P, I);
    endif;
    for every input i ∈ Changeable-Inputs(G) do
      analyze-x-cnct(Pat-Type, i);
    endfor;
  else
    I = Ix(G, TP);
    update-x-cnct(Pat-Type, G, -, -, I);    % `-' means that this parameter is not required.
    for every input i ∈ Fixed-Inputs(G) do
      analyze-x-cnct(Pat-Type, i);
    endfor;
  endif;
end.

If a gate $G$ was already treated with other patterns, then it will have associated with it a set of sure extra inputs $S_x(G)$, a set of possible extra inputs $P_x(G)$, and a set $I_x(G)$ containing the combinations of the inputs of $G$ that can never be extra. If the same gate $G$ is treated again under the application of a new test pattern $TP$, then it will have associated with it the new sets $S_x(G, TP)$, $P_x(G, TP)$, and $I_x(G, TP)$. This information is combined by the procedure update-x-cnct described in the following.

procedure update-x-cnct(Pat-Type, G, S, P, I);
begin
  if G is already treated then
    if Pat-Type = EDP then
      Sx(G) := Sx(G) ∪ S;
      Ix(G) := Ix(G) ∪ {I};
      Px(G) := inputs(G) - Sx(G);
      if ∃Z ∈ Ix(G), Z ⊆ S then
        New Search Space = New Search Space - G;    % G is not suspected.
      endif;
    else
      if I ⊆ Sx(G) then
        Search Space = Search Space - G;    % G is not suspected.
      else
        Ix(G) = Ix(G) ∪ {I};
      endif;
    endif;
  else
    if Pat-Type = EDP then
      Sx(G) := S;
      Ix(G) := {I};
      Px(G) := inputs(G) - Sx(G);
    else
      Sx(G) := ∅;
      Ix(G) := {I};
      Px(G) := inputs(G);
    endif;
  endif;
  if |I| = 1 then Px(G) := Px(G) - I; endif;
end.
Example 3.3

In this example we show how to apply the diagnosis algorithm to locate an extra line error in the ISCAS'85 benchmark circuit c17. The circuit is shown in figure 3.1. The dotted line is an extra line that should be removed.

[Figure 3.1: The circuit c17 of the ISCAS'85 benchmarks. Schematic with primary inputs I1 to I5, gates G1 to G4 and outputs O1 and O2, annotated with signal values.]

TP is I1 I2 I3 I4 I5 = 11001:
W(11001) = O1 O2 = 11
Y(11001) = O1 O2 = 10
We start the analysis from the erroneous output O2, and go backwards towards the primary inputs. The type of the pattern is EDP. Initially, the Search-Space contains all the gates.

At the gate O2: $RV(O2, TP) = 1$, $CV(O2, TP) = 0$, Type(O2) = NAND. Thus sus(G,TP) = 0, which means that O2 can't have extra connections (Proposition 3.1). The changeable inputs for O2 are G3 and G4. So the search goes back through these gates.

At the gate G3: $RV(G3, TP) = 0$, $CV(G3, TP) = 1$, Type(G3) = NAND. Thus, sus(G,TP) = 1, and $comp(G3, RV(G3, TP)) = \{I5, G2\}$. The three conditions of proposition 3.1 are valid, and thus G3 may have extra connections. By exploiting the proposition 3.2 we get:

$S_x(G3, TP) = \{G1\}$
$I_x(G3, TP) = \{I5, G2\}$
$P_x(G3, TP) = \{I5, G2\}$

The meaning of this result is that, if the gate G3 is the erroneous one, then its input G1 is sure to be extra, while any one of the inputs I5, or G2 may be extra, but not both at the same time.

G1 is the only changeable input for G3.

At the gate G1: The conditions of proposition 3.1 are not valid for this gate, and thus it is correct. It has no changeable inputs. Now let's return back to the gate G4.

At the gate G4: $RV(G4, TP) = 0$, $CV(G4, TP) = 1$, Type(G4) = NAND. Thus, sus(G,TP) = 1, and $comp(G4, RV(G4, TP)) = \{G2\}$. The three conditions of proposition 3.1 are valid, and thus G4 may have extra connections. By exploiting proposition 3.2, we get:

$S_x(G4, TP) = \{I4\}$
$I_x(G4, TP) = \{G2\}$
$P_x(G4, TP) = \{G2\}$

If gate G4 is the erroneous one, then its input I4 is sure to be an extra input. Here $I_x(G4, TP)$, the input combination that cannot be extra, contains only one element, G2, rather than a combination of inputs; thus this input cannot be an extra input, and G2 is removed from the set of possible extra inputs.

G4 has no changeable inputs, so the analysis stops at this point.
The summary of the diagnosis results up till now is shown in the following table:

  Gate | Sx   | Px       | Ix
  -----+------+----------+-------------
  G3   | {G1} | {I5, G2} | {{I5, G2}}
  G4   | {I4} | {}       | {{G2}}

Only the suspected gates are shown in this table. The other ones can't be erroneous.

We now make the analysis starting from the output O1. The type of the pattern becomes NDP.

At the output O1: This gate is not suspected, so we propagate backwards directly through the inputs that must keep their value fixed. O1 has a single fixed input which is G1.

At the gate G1: G1 is not suspected. Its fixed inputs are I1 and I2 which are primary inputs so the analysis stops here.

Now let's apply a second test pattern.

TP is I1 I2 I3 I4 I5 = 0X0X0:
W(0X0X0) = O1 O2 = 0X
Y(0X0X0) = O1 O2 = 0X

The specification and the implementation produce the same output. The analysis is made only for O1 that has a specified value (i.e. different from X). Proceeding as before, we get the following results:

$I_x(G3, TP) = \{I5\}$
$I_x(G4, TP) = \{I4\}$

G4 has already been found to have I4 as a sure extra input, and now G4 is found to have I4 as an impossible extra input. This contradiction means that G4 can't be the erroneous gate, and it is thus removed from the Search Space. These data are used to update the ones obtained from the first test pattern, giving as new results:

  Gate | Sx   | Px   | Ix
  -----+------+------+-------------------
  G3   | {G1} | {G2} | {{I5, G2}, {I5}}

Now we apply a third test pattern.

TP is I1 I2 I3 I4 I5 = 011X1:
W(011X1) = O1 O2 = 00
Y(011X1) = O1 O2 = 00

The specification and the implementation produce the same output. Proceeding as before, we get the following results:

$I_x(G3, TP) = \{G2\}$

This new result is used to update the previous ones, and the final results are shown in the following table.

  Gate | Sx   | Px | Ix
  -----+------+----+-------------------------
  G3   | {G1} | {} | {{I5, G2}, {I5}, {G2}}

This final result means that the input connection of gate G3 coming from G1 is an extra connection. This is the actual error.
3.4 Test Pattern Generation The diagnosis algorithm presented in the previous section can analyze the circuit under the application of any test pattern. However, to accelerate the diagnosis process, it is better to use error detecting patterns for the following reasons: each error detecting pattern TPi speci es a set of gates SGi at which extra connections may exist. If the error is detected under the application of n detecting patterns TP1; TP2 TPn, then the error must exist in the intersection of SG1; SG2; SGn . This intersection operation decreases rapidly the number of suspected locations, especially when the error is detected on dierent outputs in a multi-output circuit. On the other hand, non-error detecting patterns, as we have seen from the previous example, can only specify some correct connections, which may have already been considered as suspected ones. The error detecting patterns can be generated in many ways. The most direct way is to compute the function Y W (X ) = Y (X ) W (X ) and then nd the values of the input vector X that makes Y W (X ) = 1. This computation can be made using symbolic manipulation methods of Boolean functions such as BDD's. The problem with BDD's is that their size may explode exponentially with some functions (e.g. integer multiplication functions), or when the input variables ordering is not well chosen. In our work we use the PODEM algorithm [21] to generate test patterns. This method is based on the topology of IMPL and it can be used to eciently generate patterns for highly complex functions and large circuits. Using this algorithm, we can generate at any node in the implementation a certain value, and propagate its eect to be sensed at at least one of the primary outputs.
Proposition 3.4: A test pattern TP is capable of detecting whether an input i of a gate G is an extra input or not if, by applying TP at the inputs of IMPL, Forcing(G) is generated at i, while another value V = Forcing(G) is generated at the other inputs of G, and a path is sensitized from the output of G to at least one of the primary outputs.

Proof: If the effect of the error at the input of G is to be propagated at one of the outputs, then it must be propagated from the output of G. Now for the propagated value to be an erroneous value, the extra line i must generate an erroneous value at the output of G independently of the other inputs of G. Thus i must be set to Forcing(G), and in this case the output of G will be set to Forced(G). The removal of i must generate Forced(G) at the output of G, so the other inputs of G must be set to Forcing(G).

In the prototype that we implemented, we start by generating patterns capable of detecting extra connection errors at the gates near the primary inputs. These patterns are also capable of detecting other extra connection errors along the sensitized path. Any gate G on the sensitized path will have an input i that holds the sensitized value, while all its other inputs are set to Forcing(G). This is the necessary condition to propagate the sensitized value. If the sensitized value is equal to Forcing(G), then the applied pattern also detects whether i is an extra connection of G. The diagnosis algorithm is executed under the application of these patterns and the search space is reduced. Extra patterns are generated for the inputs of suspected gates which are nearest to the primary inputs, and the operation is repeated until the error is found. The complete diagnostic algorithm is thus given as follows:
algorithm diagnose-x-cnct;
begin
  Search Space = All the circuit gates having more than one input;
  Tested = ∅;
  while (|Search Space| > 1) and (Search Space ⊄ Tested) do
    Let G be a gate in Search Space nearest to primary inputs, and G ∉ Tested
    Tested = Tested ∪ {G};
    for every suspected line i of G do
      TP = Pattern for detecting whether i is extra at G;   % Proposition 3.2
      diagnose-x-cnct(TP);
    endfor
  enddo
  for every G ∈ Search Space do
    if Px(G) ≠ ∅ or Sx(G) ≠ ∅ then
      write(G, Px(G), Sx(G), Ix(G));
    endif
  endfor
end
3.5 Experimental Results

To validate the above algorithm, a first prototype diagnosis system is implemented in PROLOG, including the test pattern generator and the logic simulator. The software is tested on circuits of different sizes. These circuits are taken from the ISCAS'85 benchmarks except for DK17 which is taken from the PLA benchmarks of the University of California at Berkeley. For each one of them, extra connections have been inserted at random locations, and the diagnosis algorithm is applied to find the error. The results obtained on a SPARC-10 workstation with 10 Megabytes of memory are shown in Table 2. The first 4 columns indicate the circuit name, the number of inputs and outputs, and the number of gates. Column 5, entitled "Number of Experiments", gives the number of diagnostic tests that we made on each one of the circuits. The last three columns give the average number of test patterns used in each diagnostic experiment, the average CPU time in seconds, and the average number of error candidates proposed by the algorithm.

In almost all of the cases, we could precisely locate the gate at which extra connections exist, and also identify which connection is the extra one. In the worst case we got a maximum of 3 candidates. The execution time grows almost linearly with the product of the number of gates and the applied test patterns. The number of applied test patterns, before a diagnostic report is made, depends highly on the topology of the circuit under test. We found that for the circuits with a large number of inputs and outputs (c2670, c5315, and c7552), the average number of applied test patterns is relatively small with respect to other circuits. This is due to the fact that if the error is discovered on a large number of outputs, then the erroneous gate must reside within the common cone of influence of all these outputs. This will rapidly reduce the search space of the circuit.
The obtained results are extremely valuable, and justify the development of a production quality version of the software, written in a more efficient programming language, which will greatly reduce the CPU times shown here. Our prototype diagnosis system is now a part of the PREVAIL™ environment [22] and is being tested on industrial applications.

Circuit   Number of   Number of   Number of   Number of     Average     Average CPU   Average
Name      Inputs      Outputs     Gates       Experiments   Pat. used   time (sec)    Cand.
c17       5           2           6           5             3.20        0.11          1.00
DK17      10          11          54          30            5.31        1.37          1.00
c432      36          7           160         115           10.38       34.34         1.11
c499      41          32          202         162           8.90        83.27         1.23
c1355     41          32          546         342           10.83       118.74        1.18
c1908     33          25          880         449           14.35       233.67        1.16
c2670     233         140         1193        323           7.23        171.58        1.01
c3540     50          22          1669        258           16.25       1290.74       1.19
c5315     178         123         2307        246           16.14       1482.12       1.13
c6288     32          32          2416        268           20.63       1983.16       1.63
c7552     207         108         3512        128           10.20       1425.78       1.04
Table 2: Diagnosis results of benchmark circuits
Chapter 4
Diagnosis of Missing Connections Errors

4.1 Analysis with Error-Detecting Patterns

Proposition 4.1: A gate G in IMPL under the application of an error detecting pattern TP is suspected for having a missing connection at its inputs if and only if the following two conditions are valid:
1. G ∈ Search Space.
2. sus(G,TP) = 0.
Justification: The first condition is evident, so we will discuss only the second one.

If Type(G) is AND or NOR:

sus(G,TP) = 0 only in three cases (see the definition of the "*" operator):
1. RV(G,TP) = 0 and CV(G,TP) = 1
   Since 0 is the value obtained at the output of G when any of its inputs is set to Forcing(G), then the connection of any additional input with a value equal to Forcing(G) (0 for AND gates and 1 for NOR gates), will generate RV(G,TP) at the output of G. Thus G may be suspected of having a missing connection.
2. RV(G,TP) = 0 and CV(G,TP) = X
   The same reasoning used above is also applied in this case.
3. RV(G,TP) = X and CV(G,TP) = 1
   Since CV(G,TP) = 1, then all the inputs of G have a value = 1 (resp. 0) if Type(G) = AND (resp. NOR). The connection of any additional input with a value equal to X will generate RV(G,TP) = X. Thus G is a suspected gate for having a missing connection.

sus(G,TP) = X only when RV(G,TP) = CV(G,TP). That means there is no need to change the output value of G in order to correct the implementation. Consequently G is not suspected.

sus(G,TP) = 1 in three cases:
1. RV(G,TP) = 1 and CV(G,TP) = 0
   Since CV(G,TP) = 0, then one or more of its inputs are equal to Forcing(G). The connection of any additional inputs with any value will never change the 0 obtained at the gate output. Thus G can't be suspected.
2. RV(G,TP) = X and CV(G,TP) = 0
   The same reasoning used in the previous case can also be applied here.
3. RV(G,TP) = 1 and CV(G,TP) = X
   The connection of any extra input will generate either 0, if its value is equal to Forcing(G), or X if its value is not equal to Forcing(G). Thus the required value to correct the output can never be obtained, and G cannot be a suspected gate.

Similar reasoning can be used when Type(G) is NAND or OR.

If a gate G in IMPL, under the application of an error detecting pattern TP, is suspected then there will be associated with it a set of nodes Pm(G, TP), from which the missing connection may originate. By a node we mean any fanout stem.
Proposition 4.2: If a gate G in IMPL, under the application of an error detecting pattern TP, is suspected for having a missing connection, then:

Pm(G, TP) = { i | (i ∈ nodes of IMPL) ∧ value(i) = Vcomp(G, RV(G, TP)) }

Proof: If RV(G, TP) is to be generated at the gate output, then a node having a value compatible with RV(G, TP) must exist at the gate input. So any node having a value equal to Vcomp(G, RV(G, TP)) may be the missing connection of G.
4.2 Analysis with Non-Detecting Patterns

In many cases the applied test patterns don't detect the error, or detect the error on some primary outputs while the other outputs still have the correct values. Circuit analysis starting from those outputs having correct values can also help to exclude some suspected missing connections.
Proposition 4.3: If under the application of a Non-Detecting Pattern TP, the current value at the output of gate G, CV(G,TP), has to be fixed to keep the correct primary outputs unchanged, then the set of nodes that cannot be missing inputs for G is given by:

Im(G, TP) = { i | CV(G, TP) (value(i) Forcing(G) Forced(G)) = Forced(G) }
Proof: We will show the proof by case analysis on the gate type:

If Type(G) is AND: Forced(G) = 0, and Forcing(G) = 0. So, Im(G, TP) = { i | CV(G, TP) value(i) = 1 }
- If CV(G, TP) = 1 then Im(G, TP) will contain all the nodes having the value 0 or X (see the definition of the "*" operator). This is true since the addition of any input having a value 0 or X at the inputs of G will change its output value to 0 or X respectively.
- If CV(G, TP) = 0 then Im(G, TP) will be an empty set. The addition of any extra input to G will not change its output value.
- If CV(G, TP) = X then Im(G, TP) will contain all the nodes having the value 0. These are actually the nodes which can change the output of G if they are connected to it.

If Type(G) is NAND: V = 1, and Forcing(G) = 0. So, Im(G, TP) = { i | CV(G, TP) value(i) = 0 }
- If CV(G, TP) = 1 then Im(G, TP) will be an empty set.
- If CV(G, TP) = 0 then Im(G, TP) will contain all the nodes having the value 0 or X.
- If CV(G, TP) = X then Im(G, TP) will contain all the nodes having the value 0.

If Type(G) is OR: V = 1, and Forcing(G) = 1. So, Im(G, TP) = { i | CV(G, TP) value(i) = 0 }
- If CV(G, TP) = 1 then Im(G, TP) will be an empty set.
- If CV(G, TP) = 0 then Im(G, TP) will contain all the nodes having the value 1 or X.
- If CV(G, TP) = X then Im(G, TP) will contain all the nodes having the value 1.

If Type(G) is NOR: V = 0, and Forcing(G) = 1. So, Im(G, TP) = { i | CV(G, TP) value(i) = 1 }
- If CV(G, TP) = 1 then Im(G, TP) will contain all the nodes having the value 1 or X.
- If CV(G, TP) = 0 then Im(G, TP) will be an empty set.
- If CV(G, TP) = X then Im(G, TP) will contain all the nodes having the value 1.
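The case analysis of Proposition 4.3 can be checked mechanically. The following added example (not code from the report; the function names and the sample node values are constructed here) evaluates each gate type in three-valued logic, appends a candidate input, and collects the values that change the gate output, which are the nodes the proof places in Im(G, TP). It assumes the usual three-valued gate semantics: one forcing input decides the output, otherwise any X input makes the output X.

```python
from itertools import product

X = "X"  # unknown value of the three-valued logic {0, 1, X}

# gate type -> (forcing input value, output inverted?)
GATE = {
    "AND": (0, False),
    "NAND": (0, True),
    "OR": (1, False),
    "NOR": (1, True),
}


def evaluate(gate_type, inputs):
    """Three-valued output of a gate for a list of input values."""
    forcing, inverted = GATE[gate_type]
    if forcing in inputs:
        core = forcing            # a single forcing input decides the output
    elif X in inputs:
        core = X                  # no forcing input, at least one unknown
    else:
        core = 1 - forcing        # every input holds the non-forcing value
    if core == X:
        return X
    return 1 - core if inverted else core


def impossible_missing(gate_type, input_values, node_values):
    """Nodes whose connection to G would change its current output CV(G, TP).

    Under a non-detecting pattern CV must stay fixed, so these nodes
    cannot be the missing input of G.
    """
    cv = evaluate(gate_type, input_values)
    return {
        node
        for node, value in node_values.items()
        if evaluate(gate_type, list(input_values) + [value]) != cv
    }


def case_table():
    """Map (gate type, CV) to the node values that belong to Im.

    Every pair of input values is tried; the result must depend on CV
    alone, otherwise the case analysis would not be well defined.
    """
    table = {}
    for gate_type in GATE:
        for inputs in product((0, 1, X), repeat=2):
            cv = evaluate(gate_type, list(inputs))
            changing = frozenset(
                v for v in (0, 1, X)
                if evaluate(gate_type, list(inputs) + [v]) != cv
            )
            if table.setdefault((gate_type, cv), changing) != changing:
                raise ValueError("Im depends on more than CV")
    return table


# Constructed node values for one non-detecting pattern.
SAMPLE_NODES = {"I1": 0, "I2": 1, "G5": X, "G7": 0}

if __name__ == "__main__":
    for (gate_type, cv), values in sorted(case_table().items(), key=str):
        print(gate_type, "CV =", cv, "-> Im holds nodes valued", sorted(values, key=str))
    # NOR gate whose two inputs are 0, so CV = 1
    print(impossible_missing("NOR", [0, 0], SAMPLE_NODES))
```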
4.3 The Diagnosis Algorithm

Based on the above propositions we present here a diagnostic algorithm for locating missing connection errors. Given a test pattern TP, the algorithm scans the circuit from the primary outputs backward to the primary inputs. This is made by the recursive function analyze-m-cnct described in the algorithm shown below. Initially the Search Space contains all the gates of the circuit except for the inverters, which cannot have missing connections. The algorithm diagnose-m-cnct is then executed repeatedly until the error is found or until no more test patterns can be generated. This will be explained later when we talk about test pattern generation.
algorithm diagnose-m-cnct(TP);
begin
  apply TP to the inputs of the implementation IMPL;
  simulate IMPL;
  for every gate Gyi driving a primary output yi ≠ X do
    New Search Space = ∅;
    if yi ≠ wi then Pat-Type := EDP else Pat-Type := NDP;
    analyze-m-cnct(Pat-Type, Gyi);
    if Pat-Type = EDP then
      Search Space = New Search Space;
    endif;
  endfor;
end.

procedure analyze-m-cnct(Pat-Type, G);
begin
  if G is a primary input then exit endif;
  if Pat-Type = EDP then
    if (G ∈ Search Space) ∧ (sus(G,TP) = 0) then   % Proposition 4.1
      New Search Space = New Search Space ∪ {G};
      Nodes = Pm(G, TP);
      update-m-cnct(Pat-Type, G, Nodes);
    endif;
    for every input i ∈ Changeable-Inputs(G) do
      analyze-m-cnct(Pat-Type, i);
    endfor
  else
    Nodes = Im(G, TP);
    update-m-cnct(Pat-Type, G, Nodes);
    for every input i ∈ Fixed-Inputs(G) do
      analyze-m-cnct(Pat-Type, i);
    endfor;
  endif;
end.

procedure update-m-cnct(Pat-Type, G, Nodes);
begin
  if Pat-Type = EDP then   % Nodes is a set of possible missing connection
    if G is already treated with an EDP then
      Pm(G) = Pm(G) ∩ Nodes;
    elseif G is already treated with an NDP then
      Pm(G) = Nodes - Im(G);
    else   % The first time to treat G
      Pm(G) = Nodes;
    endif
  else   % Nodes is a set of impossible missing connection
    if G is already treated with an EDP then
      Pm(G) = Pm(G) - Nodes;
    elseif G is already treated with an NDP then
      Im(G) = Im(G) + Nodes;
    else   % The first time to treat G
      Im(G) = Nodes;
    endif
  endif;
end.
4.4 Test Pattern Generation

The diagnosis algorithm presented in the previous section can analyze the circuit under the application of any test pattern. However, to accelerate the diagnosis process, it is better to use error detecting patterns for the same reasons stated in section 3.4.

Proposition 4.4: A test pattern TP is capable of detecting whether a connection from a node i to the input of a gate G is missing or not, if when TP is applied to the inputs of IMPL, the value of i is set to Forcing(G), and all the inputs of G are set to Forcing (G), and a path is sensitized from the output of G to at least one of the primary outputs.
Proof: If any of the inputs of G is equal to Forcing(G), then both the good and the faulty implementation will generate the same value at the output of G, and the error will not be detected. So all the inputs of G must be set to Forcing (G). If the value of the missing connection is Forcing(G) then the good and the faulty implementation will generate opposite values at the output of G, which will then be propagated through the sensitized path, and thus the error will be detected.

In the prototype that we implemented, we start by applying a counter example which is an error detecting pattern supplied by the verifier or by any other means. This will limit the number of suspected gates and their possible missing connections. Then for each remaining suspected gate G with possible missing connections n1, n2, ..., nm, test patterns capable of detecting whether ni (i ∈ [1, m]) is a missing connection or not are generated, and the diagnosis algorithm is applied to further reduce the search space. The experimental results that we present in the next section show that with a small number of patterns the exact missing connection is identified. The complete diagnostic algorithm is given here:
algorithm diagnose-m-cnct;
begin
  Search Space = All the circuit gates - {g | Type(g) = NOT};
  Tested = ∅;
  while (|Search Space| > 1) and (Search Space ⊄ Tested) do
    Let G be a gate in Search Space nearest to primary inputs, and G ∉ Tested
    Tested = Tested ∪ {G};
    for every suspected line i of G do
      TP = Pattern for detecting whether i is missing at G;   % Proposition 4.2
      diagnose-m-cnct(TP);
    endfor
  enddo
  for every G ∈ Search Space do
    if Px(G) ≠ ∅ then
      write(G, Px(G));
    endif
  endfor
end
4.5 Experimental Results

The above algorithm is also implemented in PROLOG. The software is tested on the same benchmark circuits as in chapter 3. In each experiment, a gate with more than one input is selected randomly, and one of its inputs is selected randomly and disconnected. The diagnosis algorithm is then applied to find the error. The results obtained on a SPARC-10 workstation with 10 Megabytes of core memory are shown in Table 3. This table can be read exactly as Table 2.

Circuit   Number of     Average     Average CPU   Average
Name      Experiments   Pat. used   time (sec)    Cand.
c17       6             3.50        0.08          1.00
DK17      34            6.38        2.15          1.26
c432      92            13.28       72.43         1.63
c499      152           28.00       195.18        1.25
c1355     464           24.00       633.99        1.19
c1908     184           24.29       890.34        1.12
c2670     272           12.76       409.05        1.54
c3540     87            18.86       2681.60       1.46
c5315     98            13.26       806.03        1.06
c6288     38            22.63       7016.23       1.00
c7552     49            18.53       4762.11       1.27
Table 3: Diagnosis results of benchmark circuits
Discussion: Under this hypothesis of missing connection errors, we also find that the execution time grows almost linearly with the product of the number of gates and the applied test patterns. For the same reasons mentioned in section 3.5, we find that the average number of test patterns applied for the diagnosis is relatively small for the circuits c2670, c5315, and c7552.

In almost all of the cases, we could precisely locate the gate at which the missing connection exists, and also identify the node from which the missing connection must originate. In the worst case we got a maximum of 7 candidates (in a circuit of 1193 gates). In almost all of the cases the different candidates given by the diagnoser, if there exists more than one, are all valid. The correction of any one of them is sufficient to correct the faulty implementation. This is due to the nature of the missing connection problem itself. For instance a missing connection at the input of an AND gate in a succession of n AND gates can be corrected by connecting the missing node to the input of any one of the n gates. This is illustrated in figure 4.1. In this case the diagnoser will give n error candidates. Similar situations may arise where only one gate is found as the gate with missing input but several connections to it are suggested. These situations arise when several nodes in the circuit represent the same function (the input and the output of a buffer for example).

[Figure 4.1 labels: Missing Node; G1, G2, G3, ..., Gn]
Figure 4.1: Connecting the missing connection to G1, G2, ... or Gn will give the same function
Chapter 5
Diagnosis of Bad Connections Errors

The problem of bad connection errors is more complicated than the problem of extra/missing connection errors. Assume that an implementation IMPL contains n gates, and the number of fan-ins of each gate is m on the average. Under the hypothesis of a single extra connection error, each one of the n gates may have m extra connections. The number of possible errors is thus O(m n). In practice m is a small number (less than 10). In the case of a missing connection error, any one of the n gates may have a missing connection from any one of the other gates, so the size of the search space is O(n^2). In the case of bad connection error, any input of any one of the n gates may be removed, and replaced by a connection from any one of the other gates. The size of the search space is thus O(m n^2).
5.1 Analysis with Error-Detecting Patterns

Proposition 5.1: A gate G in IMPL under the application of an error detecting pattern TP is suspected for having a bad connection if, and only if, G is in the Search Space, and one of the following three conditions is valid:
1. sus(G,TP) = 0.
2. sus(G,TP) = 1 and RV(G,TP) ≠ X and ∃i, i ∈ inputs(G), value(i) = Vcomp(G, CV(G, TP)) ∧ ∀j ≠ i, j ∈ inputs(G), value(j) = Forcing (G)
3. sus(G,TP) = 1 and RV(G,TP) = X and ∃i, i ∈ inputs(G), value(i) = Vcomp(G, CV(G, TP)) ∧ ∀j ≠ i, j ∈ inputs(G), value(j) ≠ Forcing (G)
Proof:

If Type(G) is AND or NOR:

sus(G, TP) = 0 only in three cases (see the definition of the "*" operator):
1. RV(G, TP) = 0 and CV(G, TP) = 1
   For both the AND gate and the NOR gate, Forced(G) = RV(G, TP) = 0. The replacement of any input of G by a connection C(G1, G) where value(G1) = Forcing(G) will generate RV(G, TP) at the output of G. Thus G is suspected of having a bad connection at its input.
2. RV(G, TP) = 0 and CV(G, TP) = X
   The same reasoning used above can also be applied in this case.
3. RV(G, TP) = X and CV(G, TP) = 1
   Since CV(G, TP) = 1, then all the inputs of G have a value equal to 1 (resp. 0) if Type(G) = AND (resp. NOR). The replacement of any input of G by a connection C(G1, G) where value(G1) = X will generate RV(G, TP) = X. Thus G is suspected for having a bad connection error.

sus(G, TP) = X only when RV(G, TP) = CV(G, TP). That means there is no need to change the output value of G in order to correct the implementation. Consequently G is not suspected.

sus(G, TP) = 1 in three cases:
1. RV(G, TP) = 1 and CV(G, TP) = 0 (i.e. RV(G, TP) ≠ X)
   To generate RV(G,TP) (which is Forced(G) in this case), all the inputs of G must be set to Forcing (G). Under the single error hypothesis, G is suspected if it is possible to generate RV(G, TP) by replacing only one of its inputs. So G is suspected if all its inputs, but one, are equal to Forcing(G), while the remaining input is equal to Vcomp(G, 0) (since CV(G, TP) = 0).
2. RV(G, TP) = 1 and CV(G, TP) = X (i.e. RV(G, TP) ≠ X)
   Using the same reasoning as the previous case, we conclude that G is suspected only if all its inputs, but one, are equal to Forcing (G), while the remaining input is equal to Vcomp(G, X) (since CV(G, TP) = X).
3. RV(G, TP) = X and CV(G, TP) = 0
   To generate RV(G, TP), all the inputs of G must be set to a value different than Forcing(G). Using the same reasoning as above we conclude that G is suspected only if all its inputs, but one, have values different than Forcing (G), while the remaining input is equal to Vcomp(G, 0) (since CV(G, TP) = 0).

Similar reasoning can be used when Type(G) is NAND or OR.

If Type(G) is NOT, then any RV(G, TP) can be obtained by replacing the input of G by a connection from any node having the value RV(G, TP). So G is always suspected. This case is covered by the condition number one of the proposition.

If a gate G in IMPL, under the application of an error detecting pattern TP, is suspected then there will be associated with it two sets of signals:
1. Pbad(G, TP) is a subset of the inputs of G that may be bad connections, and must be replaced to correct the circuit output.
2. Pgood(G, TP) is a subset of the implementation nodes that may be connected to the inputs of G after the removal of the bad connection to correct the implementation output.
Proposition 5.2: If a gate G in IMPL, under the application of an error detecting pattern TP, is suspected for having a bad connection, then:

Pbad(G, TP) = { i | i ∈ inputs(G) }                                      if sus(G, TP) = 0
Pbad(G, TP) = { i | i ∈ inputs(G) ∧ value(i) = Vcomp(G, CV(G, TP)) }     otherwise
Proof:

sus(G, TP) = 0: sus(G, TP) is equal to zero in the following three cases:
1. RV(G, TP) = Forced(G), CV(G, TP) = Forced(G): In this case all the inputs of G have a value equal to Forcing (G). Any one of these inputs can be replaced by another line having the value Forcing(G) to generate RV(G, TP).
2. RV(G, TP) = Forced(G), CV(G, TP) = X: In this case all the inputs of G have a value equal to either Forcing (G), or X. Any one of these inputs can be replaced by another line having the value Forcing(G) to generate RV(G, TP).
3. RV(G, TP) = X, CV(G, TP) = Forced(G): In this case all the inputs of G have a value equal to Forcing (G). Any one of these inputs can be replaced by another line having the value X to generate RV(G, TP).

sus(G, TP) = X: In this case the gate is not suspected, and Pbad is not computed.

sus(G, TP) = 1: sus(G, TP) is equal to 1 in the following three cases:
1. RV(G, TP) = Forced(G), CV(G, TP) = Forced(G): In this case, one of the inputs of G has a value equal to Forcing(G). To generate RV(G, TP) this input must be removed. Note that Forcing(G) is compatible with CV(G, TP).
2. RV(G, TP) = Forced(G), CV(G, TP) = X: In this case one of the inputs of G has a value equal to X. To generate RV(G, TP) this input must be removed. Note that X is compatible with CV(G, TP).
3. RV(G, TP) = Forced(G), CV(G, TP) = Forced(G): In this case one of the inputs of G has a value equal to Forcing(G). To generate RV(G, TP) this input must be removed. Note that Forcing(G) is compatible with CV(G, TP).
Proposition 5.3: Let G be a gate in IMPL, and let Nodes = { i | i ∈ IMPL ∧ i ∉ successor(G) }. If under the application of an error detecting pattern TP, G is suspected for having a bad connection, then:

if RV(G, TP) ≠ X then
  Pgood = { j | j ∈ Nodes ∧ value(j) = Vcomp(G, RV(G, TP)) }
elseif ∃i ∈ inputs(G), value(i) = X then
  Pgood = { j | j ∈ Nodes ∧ value(j) ≠ Forcing(G) }
else
  Pgood = { j | j ∈ Nodes ∧ value(j) = X }
Proof:

RV(G, TP) ≠ X: After the removal of the bad connection from the input of the suspected gate, there will be two possibilities: either its output is equal to RV(G, TP), and in this case the new connection must not change this output value, or its output is different than RV(G, TP) and in this case the new connection must generate the required value. In both cases the value of the new connection must be compatible with RV(G, TP).

RV(G, TP) = X, and ∃i ∈ inputs(G), value(i) = X: Since G is suspected, then after the removal of the bad connection, the inputs of G will be either X or Forcing (G). The new connection must have a value different than Forcing(G) otherwise, Forced(G) will be generated at the output of G.

RV(G, TP) = X, and ∀i ∈ inputs(G), value(i) ≠ X: If we want to generate X at the output of G, then there must be at least one X at its inputs. Thus the missing connection must have a value equal to X.

If the gate G is analyzed under the application of several error detecting patterns TP1, TP2, ..., TPn then:

Pgood(G) = Pgood(G, TP1) ∩ Pgood(G, TP2) ∩ ... ∩ Pgood(G, TPn)
Pbad(G) = Pbad(G, TP1) ∩ Pbad(G, TP2) ∩ ... ∩ Pbad(G, TPn)
5.2 Analysis with Non-Detecting Patterns

Proposition 5.4: If under the application of a test pattern TP the current value at the output of gate G, CV(G, TP), has to be fixed to keep the value of a correct primary output unchanged, then the set Igood(G, TP) of impossible good connections to G is computed as follows:

if CV(G, TP) = Forced(G) then
  Igood(G, TP) = { j | j ∈ IMPL ∧ value(j) ≠ Forcing(G) }
elseif CV(G, TP) = Forced(G) then
  if |Pbad(G)| = 1 ∧ { i | i ∈ inputs(G) ∧ value(i) = Forcing (G) } = Pbad(G) then
    Igood(G, TP) = { j | j ∈ IMPL ∧ value(j) ≠ Forcing(G) }
  else
    Igood(G, TP) = ∅
  endif
otherwise
  Igood(G, TP) = ∅
endif
Proof:

CV(G, TP) = Forced(G): In this case all the inputs of G will be equal to Forcing (G). If we want to keep the output of G unchanged after the replacement of one of its inputs by a new connection, the value of the new connection must be equal to Forcing (G). A connection with any other value cannot be a good connection for this gate.

CV(G, TP) = Forced(G): In this case one or more inputs of G may be equal to Forcing (G). If more than one input is equal to Forcing (G) then we cannot define a set of impossible good connections. The replacement of any of the inputs by a connection of any value will not change the output value of the gate, because the other inputs which are equal to Forcing(G) will maintain its output unchanged. On the other hand if only one input is equal to Forcing(G), and it is the only suspected bad input, then if it is removed, it must be replaced by a connection having the value Forcing (G), otherwise the value Forced(G) at the output of G will not be maintained. So if Pbad(G) contains only one input which is the only input of G having the value Forcing (G), then any connection having a value different than Forcing (G) cannot be the good connection.
5.3 The Diagnosis Algorithm

Based on the above propositions we present here a diagnostic algorithm for locating bad connection errors. Given a test pattern TP, the algorithm scans the circuit from the primary outputs backward to the primary inputs. This is made by the recursive function analyze-b-cnct described in the algorithm shown below. Initially the Search Space contains all the gates of the circuit. The algorithm diagnose-b-cnct is then executed repeatedly until the error is found, or until no more test patterns can be generated.
algorithm diagnose-b-cnct(TP);
begin
  apply TP to the inputs of the implementation IMPL;
  simulate IMPL;
  for every gate Gyi driving a primary output yi ≠ X do
    New Search Space = ∅;
    if yi ≠ wi then Pat-Type := EDP else Pat-Type := NDP;
    analyze-b-cnct(Pat-Type, Gyi);
    if Pat-Type = EDP then
      Search Space = New Search Space;
    endif;
  endfor;
end.

procedure analyze-b-cnct(Pat-Type, G);
begin
  if G is a primary input then exit endif;
  if Pat-Type = EDP then
    if G is suspected then   % Proposition 5.1.
      New Search Space = New Search Space ∪ {G};
      Bad = Pbad(G, TP);
      Good = Pgood(G, TP);
      update-b-cnct(Pat-Type, G, Bad, Good, -);   % `-' means unused parameter.
    endif;
    for every input i ∈ Changeable-Inputs(G) do
      analyze-b-cnct(Pat-Type, i);
    endfor
  else
    Nodes = Igood(G, TP);
    update-b-cnct(Pat-Type, G, -, -, Nodes);
    for every input i ∈ Fixed-Inputs(G) do
      analyze-b-cnct(Pat-Type, i);
    endfor;
  endif;
end.

procedure update-b-cnct(Pat-Type, G, Bad, Good, Impossible);
begin
  if Pat-Type = EDP then
    if G is already treated with an EDP then
      Pbad(G) = Pbad(G) ∩ Bad;
      Pgood(G) = Pgood(G) ∩ Good;
    elseif G is already treated with an NDP then
      Pbad(G) = Bad;
      Pgood(G) = Good - Igood(G);
    else   % The first time to treat G
      Pbad(G) = Bad;
      Pgood(G) = Good;
    endif
  else
    if G is already treated with an EDP then
      Pgood(G) = Pgood(G) - Impossible;
    elseif G is already treated with an NDP then
      Igood(G) = Igood(G) + Impossible;
    else   % The first time to treat G
      Igood(G) = Impossible;
    endif
  endif;
end.
5.4 Test Pattern Generation
Proposition 5.5: A test pattern TP is capable of detecting whether a node i is wrongly connected to the input of a gate G instead of another node j if when TP is applied to the input of IMPL, value(i) is equal to value(j), and any other input k ∈ inputs(G), k ≠ i has a value equal to Forcing (G), and a path is sensitized from the output of G to at least one of the primary outputs.
Proof: If all the inputs of G, but one, are set to Forcing (G), then the output of G will depend on the value of the remaining input. If the remaining input is set to Forcing (G), the output of G will be Forced(G). If the remaining input is set to Forcing (G), the output of G will be Forced(G). So if i and j are set to opposite values, the output of G will generate a wrong value (equal to the complement of the correct value), if i is connected instead of j to the input of G. If there is a sensitized path from the output of G to some primary outputs, the wrong value will propagate and be detected at these primary outputs.

In the prototype that we implemented, we start by applying a counter example which is an error detecting pattern supplied by the verifier or by any other means. This will limit the number of suspected gates and their possible bad and good connections. Then for each remaining suspected gate G, test patterns capable of detecting whether G has bad connections are generated and the diagnosis algorithm is applied to further reduce the search space. These generated patterns can also detect some errors along the sensitized path since all the gates along this path are sure to have all inputs, but one, set to Forcing (G). This operation is repeated until the error is found, or until no test patterns can be generated for the gates in the search space. The complete algorithm is thus given as follows:
algorithm diagnose-b-cnct;
begin
  Search Space = All the circuit gates;
  Tested = ∅;
  while (|Search Space| > 1) and (Search Space ⊄ Tested) do
    Let G be a gate in Search Space nearest to primary inputs, and G ∉ Tested
    Tested = Tested ∪ {G};
    for every suspected input line i of G do
      TP = Pattern for detecting whether i is badly connected at G;   % Proposition 5.2
      diagnose-b-cnct(TP);
    endfor
  enddo
  for every G ∈ Search Space do
    if Pbad(G) ≠ ∅ and Pgood(G) ≠ ∅ then
      write(G, Pbad(G), Pgood(G));
    endif
  endfor
end
5.5 Experimental Results

The above algorithm, implemented in PROLOG, was tested on the same set of benchmarks. In each experiment a gate is selected randomly, one of its inputs is selected randomly and replaced by a connection from another node. The diagnosis algorithm is then applied to find the error. The results obtained on a SPARC-10 workstation with 10 Megabytes of core memory are shown in Table 4.

Circuit   Number of     Average     Average CPU   Average
Name      Experiments   Pat. used   time (sec)    Cand.
c17       6             5.00        0.15          1.00
DK17      35            9.77        2.84          1.00
c432      119           27.29       110.12        1.01
c499      159           26.54       176.69        1.01
c1355     500           46.14       653.35        1.08
c1908     600           31.29       1345.77       1.76
c2670     390           19.85       602.13        1.07
c3540     106           33.36       4462.18       1.31
c5315     227           22.56       2319.41       1.01
c6288     41            32.37       7515.72       1.10
c7552     56            12.13       1661.92       1.00
Table 4: Diagnosis results of benchmark circuits
Chapter 6 CONCLUSION

In this report, new algorithms for diagnosing connection errors in combinational circuits are presented. The error model includes missing, extra and bad connection errors, and as special cases the extra and bad connections to 1 or 0. This model represents a real industrial request. A prototype software is implemented, and the results obtained from its application to benchmark circuits show that the exact location of the error is always found using a small number of specially generated test patterns. The CPU time is almost proportional to the product of the circuit size and the number of used patterns.

The use of this diagnosis tool, combined with the use of our previous software that identifies and corrects functional gate errors, can effectively reduce design time, by either finding errors or eliminating the single erroneous gate hypothesis. The overall system examines in turn each possible error, and applies the corresponding program, until one or more corrections are suggested, or all error hypotheses are found impossible.

For human efficiency reasons, we believe that every step of manual modification in a design should be followed by a step of formal verification. Whenever equivalence between the initial and modified design (for a manual optimization), or the modified specification and the modified design (for a functional change in the specification) is denied, the diagnosis system is invoked. If few changes have been made, industrial experience shows that the single error hypothesis is realistic, and the correction can be obtained automatically.