Symbolic Techniques for the Automatic Test Pattern Generation for Speed-Independent Circuits
Marco A. Peña, Enric Pastor and Jordi Cortadella
UPC/DAC Report No. RR-97/4 January 1997
This work has been supported by the Ministry of Education of Spain (CYCIT) under contract TIC 95-0419, the Departament d'Ensenyament de la Generalitat de Catalunya and ACiD-WG (Esprit 21949).
Department of Computer Architecture, Universitat Politècnica de Catalunya, 08034 Barcelona, Spain
Abstract
Asynchronous circuits are an emerging alternative to traditional synchronous systems. Until now, the research community has concentrated on the synthesis and verification problems. However, as asynchronous circuits become larger and available in commercial products, testing techniques are becoming more important. Not much work has been done in this area. Some synchronous techniques have been adapted with a certain degree of success. However, there is a lack of test techniques specifically tailored for asynchronous circuits. This technical report presents a novel approach to Automatic Test Pattern Generation (ATPG) for speed-independent asynchronous circuits, based on the use of symbolic analysis techniques. In the proposed methodology, a closed system is built by composing the circuit and its specification in terms of a Signal Transition Graph (STG). A fault is then injected in the circuit and the closed system is analyzed. The fault is manifested if a discrepancy state is reached, in which the circuit primary outputs differ from those specified. Then, a sequence of transitions can be generated in order to reproduce the fault in a real circuit during the test application phase. Finally, such sequences are transformed into test vectors according to the synchronous nature of test machines.
Contents
1 Introduction
2 Test Definitions
3 Asynchronous Circuits
    3.1 Generalities
    3.2 Circuit Taxonomy
    3.3 State Transition Diagrams
    3.4 Petri Nets and Signal Transition Graphs
4 Testing Asynchronous Circuits
    4.1 Self-Checking Circuits
    4.2 Design for Testability
    4.3 Path Delay Fault Testing
5 ATPG for Speed-Independent Circuits
    5.1 Preliminaries
    5.2 Fundamental Mode
    5.3 Testability
    5.4 ATPG Methodology
    5.5 Comments on the Implementation
6 Boolean Algebras
    6.1 Sets, Relations and Functions
    6.2 Boolean Algebras
    6.3 Logic Functions and Boolean Algebras of Logic Functions
    6.4 Algebra of Classes (Subsets of a Set)
    6.5 Boole's Expansion and Abstractions
7 Modeling Petri Nets and Signal Transition Graphs with Boolean Algebras
    7.1 An Isomorphism between Petri Nets and Boolean Algebras
    7.2 Characteristic Functions and Binary Relations
    7.3 Transition Firing on Petri Nets
        7.3.1 Topological Image Computation
        7.3.2 Transition Relation Image Computation
    7.4 Transition Firing on Signal Transition Graphs
    7.5 Signal Transition Graph Traversal
8 Modeling Speed-Independent Circuits
9 Specification and Circuit Composition
    9.1 Specification and Circuit Synchronization
    9.2 System Traversal
    9.3 Test Sequence Generation
10 A practical example
11 Conclusions
A Another example of Fundamental Mode traversal
B Some experimental results about the traversal
References
1 Introduction
Testing has become an important issue in modern integrated circuit design and fabrication. It consists of two main phases: preparing for testing during the design process (test design), and actually performing the test after fabrication (test application). Test design includes the selection of a fault model, generation of test vectors under the chosen model, and the use of design methodologies to improve test quality. For complex circuits, the cost of test application can be an important portion of the total fabrication cost. Thus, test design is directly responsible for the test application cost. Moreover, test design itself can be a very time-consuming, resource-demanding process which affects not only the overall production cost, but also the product quality.
Given a circuit model, Automatic Test Pattern Generation (ATPG) techniques automatically generate a set of test patterns which allow the detection of physical defects in the circuit. The kind of faults they can test depends on the fault model employed for test generation. The generated test patterns consist not only of the stimuli to be applied to the circuit under test, but also of the expected response of a fault-free circuit.
Asynchronous circuits promise certain advantages over synchronous ones. They have no clock skew problems, have potentially low power consumption and a high degree of modularity, and can be designed for average-case rather than worst-case performance. Major research efforts in the asynchronous field have been devoted to solving the problems of automatic synthesis [Chu87, Ebe89, Mar90b, Lav92, vB93, PCKR96] and verification [Dil89, BMB93, McM93, BCL+94, RCP95] of circuits using high-level specifications. Both problems are especially difficult because hazards and races must be considered carefully. On the other hand, little attention has been paid to techniques for efficiently verifying whether a fabricated asynchronous circuit has any physical fault.
These techniques are becoming critical as asynchronous circuits become larger and start to be used in commercial products.
Testing asynchronous circuits is harder than testing synchronous ones. Asynchronous circuits do not have global synchronization signals, like a clock signal. The amount of control over the circuit is drastically reduced as it cannot be easily "single-stepped" through a sequence of states. Therefore, typical synchronous test techniques cannot be directly applied. On the other hand, design techniques to ease testing of asynchronous circuits have turned out to need a high area overhead. Finally, asynchronous circuits may have hazards or races when faulty, and these delay faults are very difficult to test.
Conversely, other aspects of asynchronous circuits tend to make them easier to test. For example, asynchronous circuits use local handshakes to synchronize operations; because of this, a stuck-at fault on the handshake signals will cause communicating modules to wait indefinitely (deadlock), an effect which is easy to detect.
Different test techniques for speed-independent and delay-insensitive asynchronous circuits have been presented in the last few years. Most of them are devoted to exploring the self-checking capabilities of such circuits, while others tend to enhance the testability of the circuits by using design for testability approaches. The test for path delays in circuits with absolute delay assumptions has also been addressed. However, most of these techniques make restrictive assumptions about the kind of circuits to which they can be applied.
This technical report presents a new ATPG approach for speed-independent circuits, based on symbolic analysis techniques. The methodology considers a closed system, composed of the circuit for which a test is going to be generated, and the circuit specification in terms of a Signal Transition Graph (STG¹). According to the appropriate fault model, a given fault is injected in the circuit. Then the circuit is confronted with its specification. By analyzing the closed circuit/specification system, a discrepancy state, where the primary outputs of the circuit and the specified outputs differ, is expected to be found. If such a discrepancy is found in a state of the circuit where the outputs are stable, the fault could be testable (see Definition 5.4). Given the discrepancy state, a back-trace process to the initial state can be performed and a trace of signal transitions is generated. When issued during the test application phase, such a sequence will excite and propagate the fault to the primary outputs of the faulty circuit. It constitutes a test sequence for the given fault. Note that this approach generates test patterns for the class of speed-independent asynchronous circuits. Thus, given the synchronous nature of the test machines, special considerations will be required throughout the methodology. Both the absence of ATPG techniques specifically tailored for speed-independent circuits and the effectiveness shown by similar symbolic approaches in the synchronous field [Cho93] constitute the main motivations of this work.
The technical report is organized as follows. Section 2 introduces some basic testing terminology and definitions. Section 3 gives a characterization of asynchronous circuits in terms of their delay assumptions and describes some high-level specification models. Section 4 surveys several techniques for testing asynchronous circuits. In Section 5 the proposed ATPG methodology is presented. Special emphasis is placed on the fundamental mode of operation required for testing asynchronous circuits using a common synchronous test machine. Section 6 surveys the mathematical background required for the following sections. Sections 7 and 8 respectively present a formalism for modeling STGs and speed-independent circuits by means of Boolean algebras.
Section 9 describes how a closed system, composed of the circuit and its specification in terms of an STG, is built. It also presents a symbolic traversal of the system in order to obtain a sequence of transitions which excites and propagates a given fault to the primary outputs of the circuit. Section 10 illustrates the presented ATPG methodology with a didactic example. Section 11 gives some conclusions and discusses future work directions. Finally, Appendices A and B present an example and some experimental results about the traversal, respectively.
2 Test Definitions
The outputs of the Circuit Under Test are called primary outputs and are easily observable. Similarly, the inputs to the circuit are called primary inputs and are easily controllable.
Definition 2.1 (Controllability, Observability, Testability)
The controllability of a circuit is the ability to establish a specific value at each node in the circuit by proper setting of the circuit's primary inputs. The observability of a circuit is the ability to determine the value at any node in the circuit by observing the primary outputs while controlling the primary inputs. The testability of a circuit is a measure that attempts to reflect the ease with which a circuit can be tested. A circuit with high testability generally has a high degree of controllability and observability.
¹ STGs and Petri nets are a common formalism for specifying asynchronous circuits [Chu87, Lav92, YLSV92, RCP95, PCKR96].
Definition 2.2 (Failure, Fault)
A failure in a circuit occurs when the circuit deviates from its specified behavior. A fault is a physical defect which may or may not result in a failure.
Fault detection is the process of determining if a given circuit has one or more faults. This is done by applying a sequence of input values (test vectors) to the circuit and observing the primary outputs. If such outputs differ from the specification, a failure has occurred and a fault is present in the circuit.
Definition 2.3 (Test, Fault coverage)
A test consists of the application of a set of test vectors to the circuit in order to detect as many faults as possible. The fault coverage is the ratio of faults potentially detected by the test to the total number of possible faults in the circuit. It is a measure of the effectiveness of a test.
Important quality measures for a given test approach are the time required to generate the test vectors, the fault coverage, and the test time, i.e. the time it takes to apply the test vectors and observe the results. The possible overhead introduced by the test, such as increased area, decreased operating speed, and added I/O pins, also influences the suitability of a test for a given circuit.
Exhaustive functional testing generally takes a long time. For example, testing a 16-bit adder would take $2^{16}\,2^{16}$ test vectors. Thus, a fault model is employed to test a circuit. Such a model is an abstraction of the physical faults we try to detect. So, the more accurate the fault model, the more physical faults can be modeled. But a higher precision of the model often means more complex algorithms and longer test times. A fault model can describe the faults at different levels, i.e. transistor level, gate level (the most usual), or even higher levels. Most fault models assume the circuit has a single fault, because considering the large number of multiple fault combinations makes the test generation infeasible.
A widely used fault model for synchronous circuits is the stuck-at fault model. In this model a physical fault can be modeled as a signal in the circuit being either stuck-at-0 or stuck-at-1. In the input stuck-at fault model a gate can have either an input, or an output, stuck-at-0 or stuck-at-1. Thus, a gate with n inputs has 2(n + 1) different possible stuck-at faults. Similarly, a wire branching out to n gates also has 2(n + 1) stuck-at faults (see Figure 1 (a)). The output stuck-at fault model is a simpler one which only considers faults on the outputs of the gates. Thus, an n-input gate and an n-branching wire have only two different faults, independently of n (see Figure 1 (b)). Note that a fault in this model for a branching wire corresponds to the entire net being either stuck-at-0 or stuck-at-1.
3 Asynchronous Circuits
This section provides basic notions about asynchronous circuits. First, a short study of the different delay models and a classification of asynchronous circuits is given. Later, two important models for specifying and reasoning about them are introduced.
Figure 1: Possible stuck-at faults in the input stuck-at fault model (a) and in the output stuck-at fault model (b), for a gate (top) and a wire branching out to multiple gates (bottom)
3.1 Generalities
Synchronous circuits are based on the assumption that time is discrete. This eases their design by allowing glitches to be ignored. That is, unspecified changes in a circuit signal are allowed, as long as the signal is stable and has the correct value at the end of the clock cycle.
Asynchronous circuits assume time to be continuous. As a consequence, they present several potential benefits [BS95]: no clock skew problems, low power consumption, average-case instead of worst-case performance, modularity, better technology migration, etc. On the other hand, due to their sensitivity to all signal changes, asynchronous circuits are more difficult to design in an ad hoc fashion than synchronous circuits. The designer must pay great attention to the dynamic states of the circuit, and hazards must be removed from the circuit to avoid incorrect results.
To overcome this difficulty, several models for asynchronous circuits have been developed. Several specification models have been introduced as well: State Transition Diagrams [Var90, YLSV92], Change Diagrams [KKTV94], Petri nets [Mur89] and Signal Transition Graphs [RY85, Chu87], Trace Theory [Ebe89], Process Algebras based on CSP [Hoa89], etc. And finally, several methodologies and CAD algorithms based on them have been developed to ease the design, synthesis and verification of asynchronous circuits.
3.2 Circuit Taxonomy
An asynchronous circuit is built from a network of components (gates) interconnected by a set of wires. Each component contains a set of discrete input and output variables. The value of an output variable is defined by the value of the input variables and the internal state of the component. Additionally, the dynamic behavior of a circuit is modeled by placing delays in each gate and wire. A delay simulates the propagation times of the electrical signals. The set of reachable states along which the circuit may evolve depends completely on the type of delays assumed in the circuit [Bur92]. Two delay models specify the amount of "memory" in the delay (the pure and inertial delay models), while two other models define the time required to propagate changes through the delay (the unbounded and bounded delay models).
With respect to the internal memory, a delay component is: pure, if every pulse in the input is propagated to the output after a certain amount of time; inertial, if pulses in the input that are shorter than the delay magnitude are filtered out.
With respect to the delay magnitude, a delay component can be: unbounded, if no bound on the magnitude of the delay is known, except that the delay is finite; bounded, if an upper and a lower bound on the magnitude of the delay are known.
Delay-insensitive circuits work correctly independently of the delays of both the gates and the wires in the circuit. That is, pure and unbounded delays are assumed in gates and wires. As a consequence, every transition in the circuit must be acknowledged by the receiver of such transition (acknowledgment property [MH91]). Specifically, each gate at the destinations of a fork must acknowledge the receipt of a transition before a new transition can occur on the input of the fork. As a result, a delay-insensitive circuit has to be built only with C-elements and inverters, and therefore the class of such circuits is very small [Mar90a]. Thus, some delay assumptions must be made in order to build useful asynchronous circuits.
Speed-independent circuits are a widely used class of asynchronous circuits that assume that the wires of the circuit have negligible delays, while the pure and unbounded delay models are used for its gates [KKL+93]. Assuming wire delays to be zero, a transition on the input of a fork needs only to be acknowledged by one of the recipients. Such an assumption is equivalent to assuming all forks to be isochronic [Mar90a], i.e. a transition on the input of a fork arrives at the outputs of the fork at the same time.
Quasi-delay-insensitive circuits [Mar90a] represent an intermediate class between delay-insensitive and speed-independent circuits. These circuits are built of basic elements that have delay-insensitive interfaces, and only use isochronic forks inside such elements. The elements are easy to compose since no constraints are imposed on the interconnections, and the isochronic forks are easy to implement because they are local.
3.3 State Transition Diagrams
State Transition Diagrams constitute the lowest level model to specify the behavior of an asynchronous circuit. The model consists of an explicit enumeration of the space of states of the circuit. Major synthesis and verification techniques rely on this model. However, the specifications and circuits they can deal with are seriously limited by the well-known state-explosion problem.
Definition 3.1 (State Transition Diagram)
A State Transition Diagram (STD) [Var90, YLSV92] is a quadruple $\langle S, E, A, \ \rangle$, where $S$ is a set of states, E S S is a set of transitions, $A$ is a set of signals, and : $S \to B^{|A|}$ ($B = \{0, 1\}$) is a total labeling function that encodes each state with a binary vector of signal values. For a given state, $(s)_a$ stands for the value of signal $a$ in state $s$. The set of signals $A = A_I \cup A_O$ is divided into input signals $A_I$ and non-input signals $A_O$. Rising (falling) transitions of signal $a$ are denoted $a+$ ($a-$), and generic transitions $a$.
Figure 2(b) depicts an example STD. Its set of states is $S = \{s_1, \ldots, s_{22}\}$, the state transitions are $E = \{(s_1, s_2), (s_2, s_3), \ldots\}$, the set of signals is divided into input signals $A_I = \{a, b\}$ and non-input signals $A_O = \{c, d, e\}$, and finally the states are encoded $(s_1) = (0000)$, $(s_2) = (1000)$, and so on.
Figure 2: (a) Signal Transition Graph, and (b) its corresponding State Transition Diagram. Signals a and b are inputs, while signals c, d and e are non-input signals.
An STD must satisfy that for every arc connecting a pair of states $s_1$ and $s_2$, their labels differ in exactly one signal value, say signal $a$. Then, signal $a$ is said to be excited in state $s_1$ (note that several signals can be excited in a state). Signals not excited in a state are said to be stable. An STD is called initialized if it has an explicit initial state $s_0 \in S$. No state in an STD can have two outgoing transitions labeled with the same signal but with different signs. Moreover, no state $s$ can have an outgoing transition labeled with a rising (falling) transition of a signal $a$ when the encoding function gives $(s)_a = 1$ ($(s)_a = 0$). A state $s_2$ of an STD is directly reachable from a state $s_1$ if there is an arc from $s_1$ to $s_2$. More generally, for any pair of states $s_1, s_2 \in S$, $s_2$ is reachable from $s_1$ if there is a sequence of transitions leading from $s_1$ to $s_2$.
3.4 Petri Nets and Signal Transition Graphs
Petri nets were initially proposed in [Pet62] as a graphical and mathematical tool for describing information processing systems characterized as being concurrent, asynchronous, distributed, parallel, non-deterministic and/or stochastic. Many different application areas have considered Petri nets for the modeling and analysis of their systems. Petri nets and Signal Transition Graphs have proved to be of special interest for specifying, synthesizing and verifying asynchronous circuits. This is due to the powerful expressiveness of such formalisms, which allow the specification of concurrency and non-determinacy in a succinct form.
Definition 3.2 (Petri net)
A Petri net (PN) [Mur89] is a 4-tuple $N = \langle P, T, F, m_0 \rangle$, where $P$ is a finite set of places, $T$ is a finite set of transitions, satisfying $P \cap T = \emptyset$ and $P \cup T \neq \emptyset$, F (P T) $\cup$ (T P) is a finite set of arcs representing the flow relation, and $m_0 : P \to \mathbb{N}$ is the initial marking of the Petri net. The pre-set and post-set of a node (place or transition) $x \in P \cup T$ are denoted by x = $\{y \mid (y, x) \in F\}$ and x = $\{y \mid (x, y) \in F\}$, respectively.
A marking of a Petri net is an assignment of a nonnegative integer to each place. If $k$ is assigned to place $p$, we will say that $p$ is marked with $k$ tokens. The structure of a Petri net defines a set of firing rules that determine the behavior of the net. A transition $t$ is enabled when each $p \in t$ has at least one token. The Petri net moves from one marking to another by firing one of the enabled transitions. When a transition $t$ fires, one token is removed from each place $p \in t$ and one token is added to each place $p \in t$. If $m_1$ and $m_2$ are markings, we will denote by $m_1 [t\rangle m_2$ the fact that $m_2$ is reached from $m_1$ after transition $t$ is fired. In general, a marking $m_2$ is said to be reachable from a marking $m_1$ if there exists a sequence of transition firings that transforms $m_1$ into $m_2$. The set of reachable markings from a marking $m$ is denoted by $[m\rangle$. We denote by $m(p)$ the number of tokens in place $p$ for the marking $m$. A Petri net $N = \langle P, T, F, m_0 \rangle$ is said to be safe if for any $m \in [m_0\rangle$ and for any place $p \in P$, m(p) 1.
Signal Transition Graphs (STGs) were introduced independently in [RY85] and [Chu87] as a tool for modeling the behavior of asynchronous circuits and their environment. An STG is an interpreted Petri net in which transitions describe value changes at the signals of a circuit. A signal transition can be represented by $a_j+$ (or $a_j-$) for the $j$-th transition of signal $a$ from 0 to 1 (or from 1 to 0), while $a_j$ is a generic name for either a rising or a falling transition of signal $a$.
Definition 3.3 (Signal Transition Graph)
A Signal Transition Graph is a triple $\langle N, A, \ \rangle$, where $N$ is a Petri net, $A = A_I \cup A_O \cup A_H$ is a set of signals formed by the union of three non-intersecting subsets of input, output and internal signals, and : $T \to$ A $\{1, 2, \ldots\}$ $\{+, -\}$ is a labeling function.
An STG can be directly translated into an STD by transforming the reachable markings into states if the STG has the Consistent State Coding property and the underlying Petri net has a finite number of reachable markings [RY85, Chu87]. Figure 2 shows an STG and its corresponding STD. Note that an interleaving model is used, which allows only one signal to change at a time.
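The firing rule, the reachable-marking set, safeness and the STG-to-STD translation described in this section can be exercised directly. The Python code below is an added example, not code from the report: the fork/join STG and the deliberately inconsistent one are constructed here (they are not Figure 2), and the consistency check it applies (a rising transition fires only when its signal is 0, a falling one only when it is 1, and every marking receives a single code) is this example's reading of the consistent-coding requirement.

```python
from collections import deque

def label(t):
    """'a+/2' -> ('a', '+'): signal and sign; '/j' is the instance index."""
    name = t.split("/")[0]
    return name[:-1], name[-1]

def enabled(net, marking, t):
    """t is enabled when every place in its pre-set holds at least one token."""
    return all(marking.get(p, 0) >= 1 for p in net[t][0])

def fire(net, marking, t):
    """Take one token from each pre-set place, put one in each post-set place."""
    pre, post = net[t]
    m = dict(marking)
    for p in pre:
        m[p] -= 1
    for p in post:
        m[p] = m.get(p, 0) + 1
    return {p: k for p, k in m.items() if k > 0}

def freeze(marking):
    """Hashable form of a marking: sorted (place, tokens) pairs."""
    return tuple(sorted(marking.items()))

def reachability_graph(net, m0, limit=10_000):
    """Breadth-first token game: all markings reachable from m0, plus arcs."""
    start = freeze(m0)
    seen, arcs, queue = {start}, [], deque([start])
    while queue:
        m = queue.popleft()
        for t in sorted(net):
            if not enabled(net, dict(m), t):
                continue
            m2 = freeze(fire(net, dict(m), t))
            arcs.append((m, t, m2))
            if m2 not in seen:
                if len(seen) >= limit:
                    raise RuntimeError("marking limit hit (unbounded net?)")
                seen.add(m2)
                queue.append(m2)
    return seen, arcs

def is_safe(markings):
    """Safe net: no reachable marking puts more than one token in a place."""
    return all(k <= 1 for m in markings for _, k in m)

def stg_to_std(net, m0, code0):
    """Turn reachable markings into binary-coded states.

    code0 gives the initial value of every signal. Returns (states, edges):
    states maps marking -> code, edges are (code, transition, next_code).
    """
    markings, arcs = reachability_graph(net, m0)
    if not is_safe(markings):
        raise ValueError("net is not safe")
    signals = sorted(code0)
    succ = {}
    for m, t, m2 in arcs:
        succ.setdefault(m, []).append((t, m2))
    start = freeze(m0)
    states, edges = {start: tuple(code0[s] for s in signals)}, []
    queue = deque([start])
    while queue:
        m = queue.popleft()
        for t, m2 in succ.get(m, []):
            sig, sign = label(t)
            i, code = signals.index(sig), states[m]
            if code[i] != (0 if sign == "+" else 1):
                raise ValueError(f"{t} fires while {sig}={code[i]}")
            new = code[:i] + (1 - code[i],) + code[i + 1:]
            if m2 not in states:
                states[m2] = new
                queue.append(m2)
            elif states[m2] != new:
                raise ValueError(f"marking {m2} reached with two codes")
            edges.append((code, t, new))
    return states, edges

def excited(edges, code):
    """Signals with an outgoing transition in the state carrying this code."""
    return {label(t)[0] for c, t, _ in edges if c == code}

# Constructed STG (not the report's Figure 2): input a forks into two
# concurrent outputs b and c. Each entry is transition: (pre-set, post-set).
FORK_JOIN = {
    "a+": ({"p7", "p8"}, {"p1", "p2"}),
    "b+": ({"p1"}, {"p3"}),
    "c+": ({"p2"}, {"p4"}),
    "a-": ({"p3", "p4"}, {"p5", "p6"}),
    "b-": ({"p5"}, {"p7"}),
    "c-": ({"p6"}, {"p8"}),
}
FORK_JOIN_M0 = {"p7": 1, "p8": 1}

# Constructed faulty specification: a rises twice with no a- in between.
BAD = {"a+/1": ({"q0"}, {"q1"}), "a+/2": ({"q1"}, {"q0"})}
BAD_M0 = {"q0": 1}

if __name__ == "__main__":
    states, edges = stg_to_std(FORK_JOIN, FORK_JOIN_M0, {"a": 0, "b": 0, "c": 0})
    for m, code in sorted(states.items(), key=lambda kv: kv[1]):
        print("".join(map(str, code)), [p for p, _ in m])
    print("excited in 100:", sorted(excited(edges, (1, 0, 0))))
```

The interleaving model shows up in the edge list: from code 100 both b+ and c+ are excited, and the two orders of firing them meet again at 111.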
4 Testing Asynchronous Circuits
This section surveys different techniques for checking whether an asynchronous circuit has fabrication defects. Special emphasis is placed on delay-insensitive and speed-independent circuits. Most of the presented material has been borrowed from [HBB94].
Several aspects of asynchronous circuits make them harder to test than synchronous circuits. Asynchronous circuits by definition have no global synchronization signals, like clock signals. This makes it difficult to "single-step" the circuit through a sequence of states, which is a common way to test synchronous circuits. Also, because asynchronous circuits tend to have more state-holding elements than synchronous circuits, generating test vectors is harder and design-for-testability techniques will have a higher area overhead. Finally, asynchronous circuits may have hazards or races when faulty, and these delay faults are very difficult to test.
On the other hand, some aspects of asynchronous circuits tend to make them easier to test. For example, some asynchronous circuits use local handshakes to synchronize operations. Due to this, a stuck-at fault on the handshake signals will cause communicating modules to wait indefinitely, an effect which is easy to detect.
4.1 Self-Checking Circuits
The lack of global synchronization signals in asynchronous circuits implies that synchronization must be achieved by other means. An early approach used in the design of asynchronous state machines is to make timing assumptions about the delays of gates and wires [Ung69]. In order to avoid critical races and hazards it is often necessary to add extra redundancy and appropriate delays. This makes such class of circuits very dicult to test. For example, it is well known that under the stuck-at fault model, full fault coverage is not possible for a circuit with redundant logic. An alternative is to use handshake signals for local synchronization. Since no timing assumptions are made on the handshake, circuits are robust and easily composable [Ebe89, Mar90b, vB93].
De nition 4.1 (Inhibited transition)
A transition is said to be inhibited if it is supposed to occur according to the circuit speci cation, but it does not occur. 4.1
A fault that causes an inhibited transition will always cause the circuit to halt [MH91], which is an easily detectable situation during the test. The circuit can be tested by issuing the request and waiting a bounded amount of time for the acknowledge. If it is not produced, the circuit has halted and thus, is faulty. The time bound can be determined given the fabrication technology and the circuit speci cation. As a special case, note that for a circuit which contains an arbiter, it may take an unbounded amount of time to resolve.
De nition 4.2 (Self-Checking circuits)
Circuits that halt for all faults are called self-checking. Thus self-checking circuits are fully testable, i.e. 100% of fault coverage is achieved [BM92]. 4.2
11
The self-checking de nition for asynchronous circuits diers from the conventional de nition for their synchronous counterparts. Synchronous circuits use special codes or state assignments, so that the circuit produces an illegal output in the presence of a fault. A separate circuit (checker ) detects the illegal code and produces an error signal. Faults are detected while running the circuit at its operation speed (on-line testing). The rest of this section discusses the classes of asynchronous circuits and fault models under which a faulty circuit always halts. Delay-insensitive circuits work correctly independently of the delays of both gates and wires in the circuit. Due to this, every transition in the circuit must be acknowledged by the receiver of such transition [MH91]. In particular, each gate at the destinations of a fork must acknowledge the receipt of a transition, before a new transition can occur on the input of the fork. This fact makes that any stuck-at fault will cause the circuit to halt because such protocol will not be completed. Thus, delay-insensitive circuits are self-checking under the input stuck-at fault model. On the other hand, speed-independent circuits assume negligible wire delays, hence a transition on the input of a fork needs only to be acknowledged by one of the recipients. This condition is equivalent to assuming all forks to be isochronic [Mar90a], i.e. a transition on the input of a fork arrives simultaneously at the outputs of the fork. As we have seen in Section 2, in the output stuck-at fault model a fork is considered a single node that can be either stuck-at-0 or stuck-at-1. Therefore, a transition on the input of the fork still has to be acknowledged by at least one of the recipients and thus, a speed-independent circuit is self-checking under the output stuck-at fault model [BM92]. Unfortunately, it is questionable if the output stuck-at fault model re ects a reasonable number of faults. 
However, some speed-independent circuits are self-checking also under the more general input stuck-at fault model [HBB94]. Finally, quasi-delay-insensitive circuits are built of basic elements that have delay-insensitive interfaces, and only use isochronic forks inside such elements. For this type of circuits, the isochronic transition fault model is introduced [RS93], which considers input stuck-at faults for non-isochronic forks and output stuck-at faults for isochronic forks. Under such model, every quasi-delay-insensitive circuit is self-checking. A number of classes of self-checking circuits and their corresponding fault models have been identi ed. However, not all asynchronous circuits are self-checking. For example, quasi-delay-insensitive and speed-independent circuits are not generally self-checking under the input stuck-at fault model. A circuit that is not self-checking may either contain redundant logic (thus not all the faults can be tested) or have premature rings [MH91].
Definition 4.3 (Premature firing)
A premature firing corresponds to a signal that changes too early according to the circuit specification.
As an example, Figure 3 depicts a circuit that sequences two four-phase handshakes, typically called D-element. A handshake is started on li and lo, and before completing this handshake another full handshake is performed on ri and ro. The circuit specification is
$[[li];\ u\uparrow;\ [u];\ lo\uparrow;\ [\neg li];\ ro\uparrow;\ [ri];\ u\downarrow;\ [\neg u];\ ro\downarrow;\ [\neg ri];\ lo\downarrow]$
and the environment specification is
$[li\uparrow;\ [lo];\ li\downarrow;\ [ro];\ ri\uparrow;\ [\neg ro];\ ri\downarrow;\ [\neg lo]]$.
Note that the $\uparrow$ and $\downarrow$ arrows stand for positive and negative signal transitions, respectively. Expressions in brackets are preconditions for signal transitions. Under the input stuck-at fault model, l1-stuck-at-0 and r2-stuck-at-0 will cause two premature firings: $ro\uparrow$ and $lo\downarrow$, respectively.
Figure 3: Implementation of a D-element [MH91]
4.2 Design for Testability
A level of controllability and observability may not be enough to test all possible faults. For instance, to test a premature firing, the circuit must be held in a state where the premature firing occurs and the faulty transition propagates to a primary output. This is not always possible. A solution consists in increasing the testability by adding test circuitry during the design phase, i.e. design for testability. A simple way to increase testability is to introduce test points into the circuit (see Figure 4). An observation point is used to access an internal node by making it a primary output. A control point is used to set the value of an internal node from a primary input. A combination of both is also allowed. Where to insert such test points to minimize the total number is a difficult problem [Haz92].
Inserting test points is usually expensive in terms of I/O pins. However, the number of pins used for test points can be reduced at the cost of added test time, by storing the value of the test points in an internal register whose contents can be shifted in and out serially. This scheme requires only a few extra I/O pins regardless of the number of test points. Generalizing this idea leads to the introduction of a so-called scan-path, where the registers in the circuit are extended to be scan-registers. Figure 5 illustrates a conventional clocked scan-register.
Figure 4: Test points for signal x: (a) observation point, (b) control point and (c) both
Figure 5: Conventional clocked scan-register
In normal operation the scan-register works exactly as the original register. In test mode, the scan-registers form a shift-register, as the scan-output of one register is connected to the scan-input of the next. Their content can be serially shifted in to achieve full controllability, and shifted out to achieve full observability. By transforming all the registers in a circuit into scan-registers, the circuit is divided into a scan-path with combinational logic blocks in between. Thus the problem of generating test vectors is reduced to such combinational blocks. The cost of this simpler test generation is an area increase and a potentially longer test time, because test vectors must be serially shifted in and out.
Applications of these ideas to asynchronous circuits are found for example in [KLSV91, KB95]. For example, a design for testability approach for quasi-delay-insensitive circuits is described in [RS93]. To make them efficiently testable, instead of adding a scan-path to the circuit, a single test signal is added. By introducing the test signal and modifying some of the basic building blocks, a circuit can be tested in time linear in its size. Given that the circuit is self-checking under the isochronic transition fault model, it is tested by executing a single computation in test mode. The circuit is fault-free if a full handshake is performed on a particular channel. The cost of this approach is an important area increase due to the extra logic added to the basic building blocks.
4.3 Path Delay Fault Testing
Designing circuits under absolute delay assumptions can presumably lead to smaller and faster circuits. However, testing these circuits must also check whether they have the assumed delay properties. Thus, a fault model that includes delays must be used. Under the path delay fault model, a given path in the fabricated circuit is faulty if it has a delay outside the specified interval. Clearly, this model is more general than the stuck-at fault models, because a path with a stuck-at fault has a delay outside any finite interval.
To test a circuit under this model, the delay of all paths in the circuit must be determined. The delay of a given path is tested by applying two vectors $\langle V_1, V_2 \rangle$ at times $t_0$ and $t_1$, respectively. The time between $t_0$ and $t_1$ is long enough to ensure that all nodes are stable at time $t_1$. The test vector has the property that when $V_2$ is applied after $V_1$, it causes a transition on all nodes along the path. The output of the circuit is latched at time $t_2$. If the latched value differs from the specification, the delay on the path is larger than $t_2 - t_1$ and a path delay fault is detected. A circuit can be made path delay fault testable by changing all state holding elements to scan elements. However, in contrast to the scan elements used in the scan-paths, they must be able to hold two values corresponding to a bit in the two vectors $\langle V_1, V_2 \rangle$. Figure 6 (a) implements the function $F = a\bar{b} + b\bar{c} + \bar{b}c$. The delay for a rising transition of the path from a to F can be tested by the two vectors $V_1 = (0, 0, 0)$ and $V_2 = (1, 0, 0)$.
Figure 6: Implementation of the function $F = a\bar{b} + b\bar{c} + \bar{b}c$ (a). Path b made robust path delay fault testable (b) and (c) after removing test signals
A robust test is a test for a path delay fault which is independent of delays in gates that are not on the path under test [LR87]. There may exist paths in a circuit that are not robust path delay fault testable. For example, the path from b through the topmost AND-gate in Figure 6 (a) is not robust testable. In order to test this path, the outputs of the other two AND-gates must be kept low and without hazards, but this is not possible because one of them will be momentarily enabled when switching b.
In [KLSV91], a technique to make any Boolean function delay fault testable is presented. Let x be an input variable associated with a path that cannot be delay fault tested in function F. F is decomposed into $F = xG + \bar{x}H + R$ such that x does not occur in G, H, and R. Two test points, $t_1$ and $t_2$, are introduced that are used to select either the path from R to F or the path from G and H to F. The logic can be simplified if both $G + R$ and $H + R$ are path delay fault testable. Then, both test points can be removed. This method is then applied recursively on G, H and R. Clearly, this transformation increases the circuit area and the test time, and decreases the operation speed. However, most functions are robust path delay fault testable without any modification [LR87]. In Figure 6 (b) F has been rewritten as $F = b\bar{c} + \bar{b}(a + c)$, where $x = b$, $G = \bar{c}$, $H = (a + c)$ and $R = \mathit{false}$. Figure 6 (c) depicts the same circuit after eliminating the test points.
Testing circuits under the path delay fault model is much more expensive than other approaches. The scan-registers must hold two bits, test points are required, and at least twice as many vectors are needed. Furthermore, the skew on the clock to the scan-registers must be accurately controlled.
5 ATPG for Speed-Independent Circuits
Given a circuit description, the goal of ATPG techniques is to automatically generate a set of test patterns. These test patterns should excite the largest possible number of faults of the circuit, and should propagate the effects of such faults to the primary outputs of the circuit. The compactness of the set of patterns, the time required to generate them, the number of covered faults, and the time of test application define the quality of the test and, therefore, the effectiveness of the ATPG methodology applied. This section presents a new ATPG methodology for speed-independent asynchronous circuits, based on symbolic model checking techniques.
5.1 Preliminaries
Given the application of input stimuli to an asynchronous circuit, it may evolve through several intermediate unstable states before finally settling down in a stable state. This observation must be taken into consideration when generating test vectors for asynchronous circuits. Let us consider the behavior of the circuit specified by the STD in Figure 2. The firing of input transition a+ causes the firing of non-input transitions c+, d+ and e+, and no other input transition is required to fire in between. In terms of states, it means that after firing a+ (state $s_2$ is reached) and letting the circuit stabilize, state $s_9$ will be reached in any case. Three different paths can be followed from $s_2$ to $s_9$, namely $\{s_2, s_3, s_5, s_9\}$, $\{s_2, s_3, s_6, s_9\}$ and $\{s_2, s_4, s_6, s_9\}$, corresponding to the different possible firing orderings. No assumption can be made about which one of them will be followed. The path followed will depend on the precise delays of the gates and wires that implement the specified circuit. In the sequel, states like $s_9$ will be referred to as total stable states.
On the other hand, synchronous circuits are free from such considerations because all final states are stable. All state changes occur in synchrony with the global clock, and the circuit behavior is less sensitive to delays. Thus, by ensuring a proper clock period and using flip-flop elements to break feedbacks, all problems with hazards and races can be eliminated. The global synchronization of synchronous circuits makes them easier to test because they can be "single-stepped" through the whole set of states of the circuit. Conversely, not all the states are stable in an asynchronous circuit, and the circuit cannot be stopped in a state unless it is stable.
5.2 Fundamental Mode
Current test machines work synchronously. Therefore, the asynchronous behavior of the circuits under test must be adapted to the synchronous operation mode of test machines. This adaptation can be done by imposing the fundamental mode of operation [BS95] during test generation. The fundamental mode of operation assumes that the circuit starts in some stable state, i.e. a state in which inputs, internal signals, and outputs of the circuit all have fixed values and have no tendency to change. By definition, the circuit persists in a stable state until new inputs occur. In such a stable state, the environment is allowed to change the circuit inputs. After that, the environment is not allowed to change the inputs again until the entire circuit stabilizes (a new stable state is reached).
According to the fundamental mode, a new method for exploring the set of states of a circuit is defined. Let $\langle S, E, A, \,\rangle$ be an STD specifying the behavior of a speed-independent asynchronous circuit. $S$ corresponds to the set of states through which the circuit can evolve. Again, an interleaving model is assumed to be used.
Definition 5.1 (Total Stable State) A state $s \in S$ is defined to be a total stable state if only input transitions are enabled on it. That is, neither internal nor output transitions can fire from a total stable state, i.e.
$[\, \forall (s, s') \in E : (s)_a \neq (s')_a \Rightarrow a \in A_I \,]$.
Note that a deadlock state where the system can no longer progress is a special case of total stable state.
Figure 7: Traversal of the set of states obtained following the Fundamental Mode assumptions. Only boxed states are reached. Total stable states are shaded (state codes are given in the signal order abcde)
Definition 5.2 (Input Successor State) Given a total stable state $s \in S$ and a transition a of an input signal $a \in A_I$ excited on $s$, the Input Successor State, $ISS(s, a) = s'$, is the state reached from $s$ by firing a, that is:
$[\, (s, s') \in E \wedge (s)_a \neq (s')_a \wedge a \in A_I \,]$.
Definition 5.3 (Output Burst of States) Given an input successor state $s \in S$, the Output Burst of States of $s$, $OBS(s)$, is the maximal connected set of states reached iteratively from $s$, by just firing any sequence of non-input transitions.
Figure 7 depicts the set of states of the example in Figure 2. Shaded states correspond to total stable states. All the corresponding ISS and OBS sets are also depicted. For example, $ISS(s_9, b+) = s_{14}$ and $OBS(s_2) = \{s_3, s_4, s_5, s_6, s_9\}$ are highlighted.
A new way of exploring the set of states ($S$) of a circuit, assuming the fundamental mode of operation, can be easily described in terms of the above definitions. Let $s_0 \in S$ be the initial state, which is also a total stable state (see footnote 2). For this state, and for each input transition a enabled on it, $ISS(s_0, a)$ is computed. Then, the corresponding OBS set is calculated for each input successor state (note that an OBS set could lead to more than one total stable state in cases of non-determinism, for example). Finally, the process begins again using the total stable states in the computed OBS set.
The idea behind this procedure is that, given a stable state of the circuit, a single input transition is fired (ISS computation). Then, the circuit is left to stabilize (OBS computation). That is, a new input transition is not produced until all possible internal and output transitions have happened. Note that a special case arises when two input transitions, say $t_1$ and $t_2$, must be produced consecutively. In such a case $ISS(s, t_1) = s'$ is also a total stable state, and thus $OBS(s') = \emptyset$. Therefore $s'$ must be used to compute $ISS(s', t_2)$ in the next state exploration step, i.e. in such a case, total stable states are taken from ISS instead of OBS (see Figure 21).
Figure 7 depicts the exploration of the set of states of the example in Figure 2 according to this process. Such exploration fully respects the fundamental mode assumptions already discussed, related to a synchronous operation mode for asynchronous circuits. It is interesting to note that according to the fundamental mode of operation, the set of visited states is a subset of $S$ (see how in Figure 7, states $s_7$, $s_8$, $s_{10}$, $s_{11}$, $s_{12}$, $s_{15}$ and $s_{17}$ are not visited, for example). This is due to two main factors derived from the fundamental mode assumptions:
- Only total stable states are used as "source" for further explorations.
- Given a total stable state, only one input transition is enabled to fire at a time. For example, in Figure 7, state $s_{17}$ is not visited because it would require transitions a− and b+ to fire in the same input burst from state $s_9$.
As a more illustrative example, see Figures 20, 21 and 22 for the A to D converter controller example.
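The exploration procedure of this section, as an added example in Python (it is not code from the report): it computes total stable states, ISS and OBS on a constructed fragment of a state graph and compares the fundamental-mode traversal with plain reachability. The state names and codes are the ones quoted in the text; the edges marked "assumed" and the cut-off of the graph at s16 and s18 are assumptions made for the example.

```python
from collections import deque

SIGNALS = "abcde"            # bit order of the state codes
INPUT_SIGNALS = {"a", "b"}   # a and b are inputs; c, d, e are non-input signals

# Constructed fragment: codes as quoted in the text for Figure 7.
CODES = {
    "s1": "00000", "s2": "10000", "s3": "10010", "s4": "10100",
    "s5": "10011", "s6": "10110", "s9": "10111", "s13": "00111",
    "s14": "11111", "s16": "00110", "s17": "01111", "s18": "11011",
}
EDGES = [
    # edges stated in the text: a+, the three paths s2..s9, ISS(s9, b+) = s14
    ("s1", "s2"), ("s2", "s3"), ("s2", "s4"), ("s3", "s5"), ("s3", "s6"),
    ("s4", "s6"), ("s5", "s9"), ("s6", "s9"), ("s9", "s14"),
    # assumed edges (each is a one-bit change between quoted codes)
    ("s9", "s13"), ("s13", "s16"), ("s13", "s17"),
    ("s14", "s17"), ("s14", "s18"),
]

def label(src, dst):
    """Name the transition src -> dst from the single bit that changes."""
    diff = [i for i in range(len(SIGNALS)) if CODES[src][i] != CODES[dst][i]]
    assert len(diff) == 1, "interleaving model: one signal changes per edge"
    i = diff[0]
    return SIGNALS[i] + ("+" if CODES[dst][i] == "1" else "-")

SUCC = {s: {} for s in CODES}
for _src, _dst in EDGES:
    SUCC[_src][label(_src, _dst)] = _dst

def is_input(t):
    return t[0] in INPUT_SIGNALS

def is_total_stable(s):
    """Definition 5.1: only input transitions (or none at all) are enabled."""
    return all(is_input(t) for t in SUCC[s])

def iss(s, t):
    """Definition 5.2: state reached from total stable s by input transition t."""
    assert is_total_stable(s) and is_input(t)
    return SUCC[s][t]

def obs(s):
    """Definition 5.3: states reached from s by firing only non-input transitions."""
    seen, todo = set(), [s]
    while todo:
        for t, nxt in SUCC[todo.pop()].items():
            if not is_input(t) and nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return seen

def fundamental_mode(initial):
    """States visited when one input fires at a time from total stable states."""
    # Footnote 2: an unstable initial state is first left to stabilize.
    start = {initial} if is_total_stable(initial) else obs(initial)
    visited = {initial} | start
    sources = deque(s for s in sorted(start) if is_total_stable(s))
    expanded = set(sources)
    while sources:
        s = sources.popleft()
        for t in sorted(SUCC[s]):
            nxt = iss(s, t)
            burst = obs(nxt)
            visited |= {nxt} | burst
            # Special case: a stable ISS has an empty OBS and is the next source.
            for cand in sorted(burst or {nxt}):
                if is_total_stable(cand) and cand not in expanded:
                    expanded.add(cand)
                    sources.append(cand)
    return visited

def reachable(initial):
    """Plain reachability, with no fundamental-mode restriction."""
    seen, todo = {initial}, [initial]
    while todo:
        for nxt in SUCC[todo.pop()].values():
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return seen

if __name__ == "__main__":
    print("OBS(s2) =", sorted(obs("s2")))
    print("skipped in fundamental mode:",
          sorted(reachable("s1") - fundamental_mode("s1")))
```

In this fragment s17 is reachable in the interleaving model but is never visited in fundamental mode, because s14 is not a total stable state and a− therefore cannot fire from it.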
5.3 Testability
The synchronous nature of the test machines and the assumption of the fundamental mode of operation mean that only stable states can be observed during the test. Based on this fact we can define fault detectability.
Definition 5.4 (Testable fault)
A fault is testable in an asynchronous circuit if there exists a sequence of test vectors $t_1, t_2, \ldots, t_n$ such that, from the initial state $s_0$, all potential sequences of total stable states generated by it ($s_0 \xrightarrow{t_1} s_1 \xrightarrow{t_2} s_2 \ldots s_m$) end up in a total state $s_m$ in which the fault effect can be observed at a primary output of the circuit.
An important portion of the faults in asynchronous circuits introduce hazards. These hazards are undesired switching activity not considered in the original specification of the circuit. Hazards are a potential source of circuit malfunction and, what is more relevant for test purposes, non-determinism. A hazardous circuit may or may not deviate from its expected behavior depending on the working conditions and particular delays in the circuit. Figure 8 shows several diagrams intended to clarify this point.
Footnote 2: If $s_0$ is an unstable state, the system must be left to stabilize prior to beginning the state exploration. This means computing $OBS(s_0)$ and then using the total stable states in it as a source for the state exploration procedure.
Figure 8: Testability analysis. Three possible situations
The example in Figure 8 (a) shows a clear case in which a given fault cannot be tested with a test sequence $t_1, t_2, t_3, t_4$. In this example, after applying the test vector $t_2$ from state $s_1$ the circuit may non-deterministically evolve correctly through states $s_2$, $s_3$ and $s_4$, or may end up in a discrepancy state. Thus there is no way to ensure the fault detection, because it is detected only sometimes. The example in Figure 8 (b) shows a typical example of a successful test in the presence of hazards. Corresponding to the inherent non-deterministic nature of hazards, from state $s_1$ at every new test vector ($t_2$ and $t_3$) the circuit may evolve into a discrepancy state or a correct state, finally ending up in a discrepancy state after vector $t_4$. The last example is shown in Figure 8 (c). In this example the same test sequence may evolve into two different circuit behaviors. After applying the vector $t_2$ the circuit evolves to discrepancy states through state $s_4$ in one case, and states $s_2$ and $s_3$ in the second case. In both examples (b) and (c) the fault can be successfully tested.
The basic difference between asynchronous and synchronous circuits is that in the former, time is continuous, while in the latter time is discrete with the clock period being an indivisible unit of time. This period is chosen in such a way that it is longer than the critical path delay of the combinational logic. A similar reasoning can be applied to set the clock period of the test machine when testing an asynchronous circuit. In this case, it must be set to the maximum time required for the circuit to stabilize given an input signal transition. This time is related to the length of the sequences of states between two total stable states, and strongly depends on the delays of the gates responsible for the state changes along such a sequence. Given such considerations, the asynchronous circuit under test will be stable at the end of the clock cycle of the test machine. Thus, the fundamental mode assumptions will be met during the test application.
Figure 9: ATPG methodology for speed-independent asynchronous circuits (flow: specification (STG) and circuit under test (CUT); insert a fault f to obtain CUT_f; closed system STG − CUT_f; fundamental mode analysis process; discrepancy states: inhibited transitions and premature firings; back-trace; sequence of transitions manifesting the fault, S_f; sequence of test vectors for fault f)
5.4 ATPG Methodology
This section presents a novel approach to the automatic generation of test patterns for speed-independent circuits. The input stuck-at fault model is used, but unlike in other typical ATPG algorithms for synchronous circuits (PODEM [Goe81], FAN [FS83], ...), the structure of the circuit is not used. The functional equivalence of the stuck-at faults is used instead, and the test pattern generation is driven by the circuit specification. The ATPG methodology we present is based on the use of symbolic model checking techniques for speed-independent circuits [RCP95]. We consider a closed system composed of the circuit and its specification in terms of an STG (see Figure 15). A scheme of the proposed methodology is depicted in Figure 9.
Given the input stuck-at fault model, the approach begins by choosing a possible fault f. Such a fault is injected in the circuit model. A new circuit C_f is obtained, which is confronted against the specification for the fault-free circuit. The detection of so-called discrepancy states is related to the presence of fault f, which causes either a premature firing or an inhibited transition. In both cases the outputs of the circuit C_f will differ from those specified. The detection of both possible situations is subject to the fact that the effect of fault f is observable at the primary outputs of the circuit, in a total stable state (see Definition 5.4).
Detecting a discrepancy between the behavior of the faulty circuit C_f and the specification of the fault-free circuit is not useful if we cannot extract information about how to reproduce the discrepancy. Hence, test patterns which detect the presence of such a fault in the circuit under test must be generated. A back-trace process performed from the discrepancy state to the initial one generates a sequence S_f of transitions reproducing the fault effect. Such a sequence constitutes a set of test vectors for fault f.
Finally, note that confronting the faulty circuit against the specification is, in general, a time-consuming process. Conversely, simulating a given sequence of transitions over a circuit can be done in a more efficient way. Given this fact, the efficiency of our methodology is improved by checking whether a sequence obtained for a given fault also covers other faults. In this way, the closed system traversal can be skipped for a large number of faults. Figure 10 describes a pseudo-code algorithm implementing the proposed methodology.

    /* Let C be the circuit for which ATPG is performed, and G the STG specification. */
    ATPG for Speed-Independent circuits (C, G) {
        repeat {
            Choose an unprocessed fault f (SAT-0 or SAT-1) using the input stuck-at fault model.
            Build the closed system composed by C_f and G.
            Traverse in fundamental mode looking for a discrepancy in a total stable state
                between the specified behavior in G and the faulty circuit C_f.
            if (a discrepancy state is found) then {
                Fault f is covered.
                Back-trace from the discrepancy state to the initial state.
                A sequence of transitions, S_f, that excites and propagates the fault
                    to the primary outputs of the faulty circuit, is generated.
                /* Check whether S_f covers other faults. */
                foreach (unprocessed fault f') {
                    Build the closed system composed by C_f' and G.
                    Simulate the system under S_f.
                    if (a discrepancy is found) f' is covered.
                }
            }
        } until (all faults are processed);
        Transform the set of test sequences of transitions into sequences of test vectors.
    }

Figure 10: A pseudo-code algorithm implementing the proposed ATPG methodology
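An explicit-state rendering of the loop in Figure 10, added here as an example and not the authors' symbolic implementation: a single C-element with inputs a, b and output c is checked against a four-phase specification under the input stuck-at fault model. The C-element, its specification and all function names are assumptions chosen for the example.

```python
from collections import deque

INPUTS = ("a", "b")
FAULTS = [("a", 0), ("a", 1), ("b", 0), ("b", 1)]   # (gate input pin, stuck value)

def fire(state, t):
    """Apply transition 'x+' or 'x-' to a state (a, b, c)."""
    i = "abc".index(t[0])
    return state[:i] + (1 if t[1] == "+" else 0,) + state[i + 1:]

def spec_enabled(state):
    """Assumed specification: a+ || b+ -> c+ -> a- || b- -> c-, repeated."""
    a, b, c = state
    enabled = set()
    if c == 0:
        if not a: enabled.add("a+")
        if not b: enabled.add("b+")
        if a and b: enabled.add("c+")
    else:
        if a: enabled.add("a-")
        if b: enabled.add("b-")
        if not a and not b: enabled.add("c-")
    return enabled

def spec_outputs(state):
    return {t for t in spec_enabled(state) if t[0] not in INPUTS}

def circuit_outputs(state, fault):
    """Output transition excited in the C-element; `fault` pins one gate input."""
    a, b, c = state
    pins = {"a": a, "b": b}
    if fault is not None:
        pins[fault[0]] = fault[1]      # the gate no longer sees the real wire value
    if pins["a"] and pins["b"]:
        target = 1
    elif not pins["a"] and not pins["b"]:
        target = 0
    else:
        target = c                     # inputs disagree: the C-element holds
    return set() if target == c else {"c+" if target else "c-"}

def settle(state, excited):
    """Fire excited output transitions until a stable state is reached."""
    fired = []
    while True:
        out = excited(state)
        if not out:
            return state, fired
        t = sorted(out)[0]
        state = fire(state, t)
        fired.append(t)

def step(state, t, fault):
    """One fundamental-mode step: fire input t, then let both sides stabilize."""
    after = fire(state, t)
    good, _ = settle(after, spec_outputs)
    bad, fired = settle(after, lambda s: circuit_outputs(s, fault))
    return good, bad, fired

def generate_test(fault, initial=(0, 0, 0)):
    """Traverse the closed system; return (input sequence, kind) or None."""
    parent = {initial: None}
    queue = deque([initial])
    while queue:
        s = queue.popleft()
        for t in sorted(x for x in spec_enabled(s) if x[0] in INPUTS):
            good, bad, fired = step(s, t, fault)
            if good != bad:            # discrepancy at a primary output, stable state
                kind = "premature firing" if fired else "inhibited transition"
                seq = [t]
                while parent[s] is not None:   # back-trace to the initial state
                    s, prev_t = parent[s]
                    seq.append(prev_t)
                return seq[::-1], kind
            if good not in parent:
                parent[good] = (s, t)
                queue.append(good)
    return None

def simulate(sequence, fault, initial=(0, 0, 0)):
    """Replay a sequence on another faulty circuit; True if it shows a discrepancy."""
    s = initial
    for t in sequence:
        good, bad, _ = step(s, t, fault)
        if good != bad:
            return True
        s = good
    return False

def atpg(faults):
    """Figure 10 loop: a traversal per fault, skipped when simulation covers it."""
    tests, pending = {}, list(faults)
    while pending:
        f = pending.pop(0)
        result = generate_test(f)
        tests[f] = result[0] if result else None
        if result:
            for other in [g for g in pending if simulate(result[0], g)]:
                tests[other] = result[0]
                pending.remove(other)
    return tests

if __name__ == "__main__":
    for fault, seq in atpg(FAULTS).items():
        print(fault, "->", seq)
```

With the fault order above, only two traversals are run: the sequence found for pin a stuck-at-0 also exposes both faults on pin b when simulated.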
5.5 Comments on the Implementation
The specification of the circuit is given in terms of an STG. In the proposed implementation, it is symbolically modeled by means of boolean algebras [Bro90]. Characteristic functions are associated to sets of markings, and the use of transition functions and/or transition relations allows us to efficiently perform a symbolic traversal of the set of reachable states. Similarly, the circuit is also modeled as a boolean algebra, and transition functions and/or transition relations are associated to transitions in the circuit gates. The closed system is then traversed by synchronously firing both the circuit and the specification. Discrepancy situations reveal that the circuit implementation does not respect the speed-independence conditions stated by the specification. Such a discrepancy is caused by the presence of a fault in the circuit implementation. The representation of the system by means of boolean algebras, transition functions, transition relations, and the fundamental mode traversal provides a methodology to generate a sequence of transitions that reproduces the fault effect. A backward traversal can be performed for this purpose, from the discrepancy state to the initial state.
6 Boolean Algebras
In this section we briefly sketch the basic theory on boolean algebras required for the development of this work. Most of the fundamental concepts presented here can be reviewed in [Bro90].
6.1 Sets, Relations and Functions
A set is a collection of objects called elements, typically indicated by braces, e.g. $A = \{a, b, c, d\}$. The cardinality of a set $A$ is the number of elements in the set and it is indicated $|A|$. When an element $a$ is in a set $A$ it is indicated $a \in A$. In the sequel we will only consider finite sets. The empty set, indicated $\emptyset$, is the set with no element. Typical operations on sets are inclusion, complementation, intersection, union, and difference. Of particular interest is the power set of a set $A$, indicated $2^A$, and defined as the set of all subsets of $A$: $2^A = \{C \mid C \subseteq A\}$. Given two sets $A$ and $C$, the cartesian product $A \times C$ is defined by: $A \times C = \{(a, c) \mid a \in A \wedge c \in C\}$. The definition of cartesian product is easily extended to more than two sets.
Given two sets $A$ and $C$, a relation $R$ between $A$ and $C$ is a subset of the cartesian product $A \times C$. This definition easily generalizes to more than two sets. Two elements $a \in A$, $c \in C$ are in relation, indicated $aRc$ or $(a, c) \in R$, iff $a$ and $c$ are in the relation $R$, i.e. $aRc \Leftrightarrow (a, c) \in R \subseteq A \times C$. The elements in a relation are ordered pairs from $A$ into $C$. A relation is always invertible, i.e. $R^{-1} = \{(a, c) \mid (c, a) \in R\}$.
A function $f$ from set $A$ to set $C$, written $f : A \to C$, is a rule that maps every element of $A$ into some element of $C$. The set $A$ is called the domain of the function, while $C$ is the co-domain or range of $f$. If $y = f(x) : A \mapsto C$, we say that $y$ is the image of $x$ (under $f$). Given a domain subset $D \subseteq A$, the set $Img(f, D) = \{y \in C \mid \exists x \in D : y = f(x)\}$ is called the image of $D$ under the mapping $f$. A function can be viewed as a specialized relation. That is, $f : A \to C$ is a relation from $A$ to $C$ in which each element of $A$ appears as a first element in exactly one of the ordered pairs in $f$. Thus, $f(a) = c$ and $(a, c) \in f$ are equivalent formulas. Not all functions have an inverse.
6.2 Boolean Algebras
A boolean algebra is a five-tuple $(A, +, \cdot, 0, 1)$, where $A$ is a set called the carrier, $+$ and $\cdot$ are binary operations on $A$, and 0 and 1 are elements of $A$ such that $\forall a, b, c \in A$ the following postulates are satisfied (Huntington):
1. Commutative Laws: $a + b = b + a$; and $a \cdot b = b \cdot a$.
2. Distributive Laws: $a + (b \cdot c) = (a + b) \cdot (a + c)$; and $a \cdot (b + c) = (a \cdot b) + (a \cdot c)$.
3. Identities: $a + 0 = a$; and $a \cdot 1 = a$.
4. Complement: $\forall a \in A, \exists \bar{a} \in A$, called the complement, such that: $a + \bar{a} = 1$; $a \cdot \bar{a} = 0$.
As is well known, the system $(\{0, 1\}, +, \cdot, 0, 1)$, with $+$ and $\cdot$ defined as the logic OR and logic AND operations respectively, is a boolean algebra (also known as the switching algebra). Since we will limit our scope to logic functions, from now on we will assume that the set $B$ is composed of the boolean elements $\{0, 1\}$.
6.3 Logic Functions and Boolean Algebras of Logic Functions
An n-variable logic function $f : B^n \to B$ (also called boolean function) is a rule that transforms each element $(x_1, \ldots, x_n) \in B^n$ into its image $f(x_1, \ldots, x_n) \in B$. Let $F_n(B)$ be the set of n-variable logic functions on $B$, or power set of $B^n$. Then, the system $(F_n(B), +, \cdot, 0, 1)$ is also a boolean algebra, in which "+" and "·" stand for addition and multiplication of n-variable logic functions, and 0 and 1 stand for the "zero" and "one" functions ($f(x_1, \ldots, x_n) = 0$ and $f(x_1, \ldots, x_n) = 1$). The cardinality of $F_n(B)$ is $2^{2^n}$; that is, the number of different n-variable logic functions. The definition of boolean functions is recursive, given:
1. an element $b \in B$, the constant function is defined $f(x_1, \ldots, x_n) = b,\ \forall (x_1, \ldots, x_n) \in B^n$;
2. a variable $x_i$, the identity function is defined $f(x_1, \ldots, x_n) = x_i,\ \forall (x_1, \ldots, x_n) \in B^n$;
3. two n-variable boolean functions $g$ and $h$, then $g + h$, $g \cdot h$, and $\bar{g}$ are logic functions defined
$(g + h)(x_1, \ldots, x_n) = g(x_1, \ldots, x_n) + h(x_1, \ldots, x_n)$
$(g \cdot h)(x_1, \ldots, x_n) = g(x_1, \ldots, x_n) \cdot h(x_1, \ldots, x_n)$
$(\bar{g})(x_1, \ldots, x_n) = \overline{g(x_1, \ldots, x_n)}$
for all $(x_1, \ldots, x_n) \in B^n$.
Given the boolean algebra of n-variable logic functions, with n symbols $x_1, \ldots, x_n$, we call a vertex each element of $B^n$. A literal is either a variable $x_i$ or its complement $\bar{x}_i$. A cube $c$ is a set of literals, such that if $x_i \in c$ then $\bar{x}_i \notin c$ and vice versa. A cube is interpreted as the boolean product of its literals. Note that the cubes with n literals are in one-to-one correspondence with the vertices of $B^n$.
6.4 Algebra of Classes (Subsets of a Set)
The algebra of classes of a set $S$ consists of the set $2^S$ (the set of subsets of $S$) and two operations on $2^S$: $\cup$ (union) and $\cap$ (intersection). This algebra satisfies the postulates for a boolean algebra and the system $(2^S, \cup, \cap, \emptyset, S)$ is a boolean algebra. The Representation Theorem (Stone, 1936) establishes the basis of the symbolic techniques used in this work; that is, the set of reachable markings of a Petri net is isomorphic to a boolean algebra.
Theorem 6.1 (Stone's Representation Theorem) Every finite boolean algebra is isomorphic to the boolean algebra of subsets of some finite set $S$.
Consequently, Stone's theorem states that reasoning in terms of concepts such as union, intersection, empty set, etc., in a finite set of elements is isomorphic to performing logic operations ($+$, $\cdot$) with logic functions. Furthermore, from Stone's theorem it can be easily deduced that the cardinality of the carrier of any boolean algebra must be a power of two. In particular, the algebra of classes of a set $S$ ($|S| = 2^n$) is isomorphic to the boolean algebra of n-variable logic functions.
6.5 Boole's Expansion and Abstractions
The following boolean functions respectively denote the positive and negative cofactors of $f$ with respect to $x_i$:
$f_{x_i} = f|_{x_i = 1} = f(x_1, \ldots, x_{i-1}, 1, x_{i+1}, \ldots, x_n)$,
$f_{\bar{x}_i} = f|_{x_i = 0} = f(x_1, \ldots, x_{i-1}, 0, x_{i+1}, \ldots, x_n)$. (1)
Theorem 6.2 (Boole's Expansion) If $f : B^n \to B$ is an n-variable boolean function, then
$f(x_1, \ldots, x_n) = x_i \cdot f_{x_i} + \bar{x}_i \cdot f_{\bar{x}_i} = [x_i + f_{\bar{x}_i}] \cdot [\bar{x}_i + f_{x_i}]$,
for all $(x_1, \ldots, x_n) \in B^n$.
The definition of cofactor can also be extended to cubes. Given a cube $c = \hat{x}_1 c_1$ composed of a literal $\hat{x}_1$ (either $x_1$ or $\bar{x}_1$) and another cube $c_1$, the cofactor of a function with respect to $c$ is recursively defined as: $f_c = (f_{\hat{x}_1})_{c_1}$.
Abstractions have a direct correspondence to the existential and universal quantifiers applied to predicates in boolean reasoning. The existential and universal abstractions of a boolean function $f(x_1, \ldots, x_n)$ with respect to a variable $x_i$ are defined as
$\exists_{x_i} f = f_{x_i} + f_{\bar{x}_i}$ and $\forall_{x_i} f = f_{x_i} \cdot f_{\bar{x}_i}$, (2)
respectively. As an example, let us consider the function $f = bc + ab\bar{c} + \bar{a}c$. The cofactors with respect to $a$ and $\bar{a}$ are: $f_a = bc + b\bar{c}$ and $f_{\bar{a}} = c$. The abstractions with respect to $a$ are: $\exists_a f = f_a + f_{\bar{a}} = b + c$ and $\forall_a f = f_a \cdot f_{\bar{a}} = bc$. The existential abstraction $\exists_a f$ is the function that evaluates to 1 for all those values of b and c such that there is a value of a for which f evaluates to 1. The universal abstraction $\forall_a f$ is the function that evaluates to 1 for all those values of b and c such that f evaluates to 1 for any value of a.
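Cofactors, abstractions and Boole's expansion computed by enumeration, as an added example (not from the report): each function is stored as the set of vertices of B^n on which it evaluates to 1, so + and · become set union and intersection as in Section 6.4. The helper names are assumptions; the test function is the example of this section, written out as b·c + a·b·¬c + ¬a·c.

```python
from itertools import product

VARS = ("a", "b", "c")                                # variable order of a vertex
VERTICES = frozenset(product((0, 1), repeat=len(VARS)))

def func(pred):
    """Characteristic set of a predicate: the vertices of B^n where it is 1."""
    return frozenset(v for v in VERTICES if pred(**dict(zip(VARS, v))))

def literal(var, value=1):
    """The function x (value=1) or its complement (value=0)."""
    i = VARS.index(var)
    return frozenset(v for v in VERTICES if v[i] == value)

def cofactor(f, var, value):
    """f with `var` fixed to `value`; the result no longer depends on `var`."""
    i = VARS.index(var)
    return frozenset(v for v in VERTICES if v[:i] + (value,) + v[i + 1:] in f)

def cofactor_cube(f, cube):
    """Cofactor with respect to a cube {var: value}, taken one literal at a time."""
    for var, value in cube.items():
        f = cofactor(f, var, value)
    return f

def exists(f, var):
    """Existential abstraction: sum of the two cofactors."""
    return cofactor(f, var, 1) | cofactor(f, var, 0)

def forall(f, var):
    """Universal abstraction: product of the two cofactors."""
    return cofactor(f, var, 1) & cofactor(f, var, 0)

def boole_expansion(f, var):
    """x * f_x + x' * f_x', which must rebuild f."""
    return ((literal(var, 1) & cofactor(f, var, 1))
            | (literal(var, 0) & cofactor(f, var, 0)))

def boole_expansion_product(f, var):
    """Product form of the expansion: [x + f_x'] * [x' + f_x]."""
    return ((literal(var, 1) | cofactor(f, var, 0))
            & (literal(var, 0) | cofactor(f, var, 1)))

# The example function of this section.
F_EXAMPLE = func(lambda a, b, c: (b and c) or (a and b and not c) or (not a and c))

if __name__ == "__main__":
    show = lambda f: sorted("".join(map(str, v)) for v in f)
    print("f          =", show(F_EXAMPLE))
    print("exists a f =", show(exists(F_EXAMPLE, "a")))
    print("forall a f =", show(forall(F_EXAMPLE, "a")))
```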
7 Modeling Petri Nets and Signal Transition Graphs with Boolean Algebras
In this section an isomorphism between functions and sets of markings of a Signal Transition Graph is presented.
7.1 An Isomorphism between Petri Nets and Boolean Algebras
Let $N = \langle P, T, F, m_0 \rangle$ be a safe Petri net. A marking in $[m_0\rangle$ can be represented by a set of places $m \subseteq P$, where $p_i \in m$ denotes the fact that there is a token in $p_i$. Therefore, any set of markings in $[m_0\rangle$ can be represented by a set $M$ of subsets of $P$. If $M_P$ is the set of all potential sets of places representing markings of a safe PN with $|P|$ places ($|M_P| = 2^{|P|}$), the system $(2^{M_P}, \cup, \cap, \emptyset, M_P)$ is the boolean algebra of sets of markings. This system is isomorphic with the boolean algebra of $n$-variable logic functions, where $n = |P|$. In the sequel we will indistinctly use $p_i$ to denote either a place in $P$, or a variable in the boolean algebra of $n$-variable logic functions; and $M$ to indicate either a reachable marking or the corresponding set of places that hold tokens. Therefore, there is a one-to-one correspondence between markings of $M_P$ and vertices of $B^n$ [PRCB94]. For simplicity we have only considered safe PNs. A marking $m \in M_P$ is represented by means of an encoding function $E : M_P \to B^n$, where the image of a marking $m \in M_P$ is encoded into a vertex $(p_1, \ldots, p_n) \in B^n$, such that:

$$p_i = \begin{cases} 1 & \text{if } p_i \in m \\ 0 & \text{if } p_i \notin m \end{cases}$$
As an example, both the vertex $(0, 1, 0, 0, 1, 0, 0) \in B^7$ and the cube $\bar{p}_1 p_2 \bar{p}_3 \bar{p}_4 p_5 \bar{p}_6 \bar{p}_7$ represent the marking in which $p_2$ and $p_5$ are marked and $p_1$, $p_3$, $p_4$, $p_6$ and $p_7$ are not marked (see Figure 11).

Figure 11: Petri net (a) and its reachable markings (b)
7.2 Characteristic Functions and Binary Relations
Let $V \subseteq B^n$ be a set of vertices in the boolean algebra of $n$-variable logic functions. The characteristic function $\chi_V$ of the set $V$ is defined as the logic function that evaluates to 1 for those vertices of $B^n$ that are in $V$, i.e. formally

$$\forall v \in B^n : v \in V \Leftrightarrow \chi_V(v) = 1. \tag{3}$$

Extending the use of the previously introduced encoding function $E$, each set of markings $M \in 2^{M_P}$ has a corresponding characteristic function $\chi^E_M : B^n \to B$, that evaluates to 1 for those vertices that correspond to markings belonging to $M$. The image of $M \in 2^{M_P}$ according to $E$ is the set $V \subseteq B^n$, defined by:

$$V = \{ v \in B^n \mid \exists m \in M_P : v = E(m) \}. \tag{4}$$

We define the characteristic function of $M$ according to $E$ as the characteristic function of the set $V$, that is, $\chi^E_M = \chi_V$. Whenever the encoding is understood, we will simply write $\chi_M$. For example, given the PN of Figure 11 (a), the characteristic function of the set of markings

$$M = \{\{p_2, p_5\}, \{p_2, p_3, p_5\}, \{p_1, p_2, p_5\}, \{p_1, p_2, p_3, p_5\}, \{p_1, p_2, p_3, p_4, p_5, p_7\}\}$$

is calculated as the disjunction of each boolean code $E(m)$, $m \in M$. The resulting function

$$\chi_M = p_1 p_2 p_3 p_5 \bar{p}_6 + p_2 \bar{p}_4 p_5 \bar{p}_6 \bar{p}_7$$

represents the set of markings in which $p_1$, $p_2$, $p_3$ and $p_5$ are marked, and $p_6$ is not marked, or $p_2$ and $p_5$ are marked and $p_4$, $p_6$ and $p_7$ are not marked. For the sake of simplicity we will indistinctly use $M$ and $\chi_M$ to denote the characteristic function of a set of markings $M$.

All set manipulations can be directly performed by using the characteristic functions. For example, given the sets of markings $M_1, M_2 \in M_P$:

$$\chi_{M_1 \cup M_2} = \chi_{M_1} + \chi_{M_2}, \qquad \chi_{M_1 \cap M_2} = \chi_{M_1} \cdot \chi_{M_2}, \qquad \chi_{\overline{M_1}} = \overline{\chi_{M_1}} \cdot \chi_{M_P}. \tag{5}$$

When implemented with BDDs [Bry86], characteristic functions provide, in general, compact and efficient representations. Characteristic functions can also be used to represent binary relations between sets of markings. Given two sets of markings $M_1$ and $M_2$, to represent the binary relation $R \subseteq M_1 \times M_2$, it is necessary to use different sets of variables to identify the elements of each set. For example, variables $p_1, \ldots, p_n$ for $M_1$ and variables $q_1, \ldots, q_n$ for $M_2$. We can therefore write

$$\chi_R(p_1, \ldots, p_n, q_1, \ldots, q_n) \subseteq \chi_{M_1}(p_1, \ldots, p_n) \cdot \chi_{M_2}(q_1, \ldots, q_n), \tag{6}$$

noting that the cartesian product of two sets is obtained by taking the product of the respective characteristic functions, when they have disjoint support. Thus,

$$\chi_R(p_1, \ldots, p_n, q_1, \ldots, q_n) = 1 \iff \exists (m_1, m_2) \in R : E(m_1) = (p_1, \ldots, p_n) \wedge E(m_2) = (q_1, \ldots, q_n). \tag{7}$$

Given the binary relation $R$ between sets $M_1$ and $M_2$, the set of elements of $M_1$ that are in relation with at least one element of $M_2$ is formally defined by the set:

$$V = \{ m_1 \in M_1 \mid \exists m_2 \in M_2 : (m_1, m_2) \in R \}, \tag{8}$$

and using the characteristic function of $R$, the characteristic function of $V$ is computed as:

$$\chi_V(p_1, \ldots, p_n) = \exists_{q_1, \ldots, q_n}\, \chi_R(p_1, \ldots, p_n, q_1, \ldots, q_n). \tag{9}$$

Finally, as a generalization, consider the set of elements of $M_1$ that are in relation with at least one element of the restricted set $N_2 \subseteq M_2$, defined by

$$V = \{ m_1 \in M_1 \mid \exists m_2 \in N_2 : (m_1, m_2) \in R \}. \tag{10}$$

Given the characteristic functions of $R$ and $N_2$, the characteristic function of $V$ is computed as:

$$\chi_V(p_1, \ldots, p_n) = \exists_{q_1, \ldots, q_n} \big( \chi_R(p_1, \ldots, p_n, q_1, \ldots, q_n) \cdot \chi_{N_2}(q_1, \ldots, q_n) \big). \tag{11}$$
7.3 Transition Firing on Petri Nets
The structure of a PN defines a set of firing rules that determine the behavior of the net. We define the transition function of a transition as a function

$$\delta_N : M_P \times T \to M_P, \tag{12}$$

that transforms a marking $m \in M_P$ into a new marking $m' \in M_P$ by firing the transition $t \in T$ ($m' = \delta_N(m, t)$), assuming that $t$ is enabled in $m$. Otherwise, the empty marking $\delta_N(m, t) = \emptyset$ is generated. This concept is equivalent to the one-step reachability in PNs; $m'$ is reachable from $m$ in one step if there is one transition $t \in T$ such that $m' = \delta_N(m, t)$. According to this objective, the transition function $\delta_N = (\delta_1, \ldots, \delta_{|P|})$ for a transition $t \in T$ is defined for each place $p_i$:

$$\delta_i(p_1, \ldots, p_{|P|}, t) = E_t \cdot \begin{cases} 1 & \text{if } p_i \in t^\bullet \\ 0 & \text{if } p_i \in {}^\bullet t \text{ and } p_i \notin t^\bullet \\ p_i & \text{otherwise,} \end{cases} \tag{13}$$

where $E_t$ is the characteristic function of the set of markings in which transition $t$ is enabled, defined as $E_t = \prod_{p_i \in {}^\bullet t} p_i$. Extending the concept to $k$-step reachability, a marking $m_k$ is reachable in $k$ steps from the initial marking $m_0$ if there is a sequence of markings $m_1, m_2, \ldots, m_{k-1}$ and a sequence of transitions $t_1, t_2, \ldots, t_k$, such that $\delta_N(m_0, t_1) = m_1$, ..., and $\delta_N(m_{k-1}, t_k) = m_k$. Following the example in Figure 11, the transition functions for the transitions in the Petri net, with components $(\delta_1, \delta_2, \delta_3, \delta_4, \delta_5, \delta_6, \delta_7)$, are:

$$\begin{aligned}
\delta_N(M, x+) &= (0,\; p_1,\; p_1 p_3,\; p_1 p_4,\; p_1,\; p_1 p_6,\; p_1 p_7), \\
\delta_N(M, y+) &= (p_1 p_5,\; p_2 p_5,\; p_3 p_5,\; p_4 p_5,\; 0,\; p_5,\; p_5 p_7), \\
\delta_N(M, z+) &= (p_1 p_2,\; 0,\; p_2,\; p_2 p_4,\; p_2 p_5,\; p_2 p_6,\; p_2 p_7), \\
\delta_N(M, x-) &= (p_1 p_3,\; p_2 p_3,\; 0,\; p_3,\; p_3 p_5,\; p_3 p_6,\; p_3 p_7), \\
\delta_N(M, z-) &= (p_1 p_4 p_6,\; p_2 p_4 p_6,\; p_3 p_4 p_6,\; 0,\; p_4 p_5 p_6,\; 0,\; p_4 p_6), \\
\delta_N(M, y-) &= (p_7,\; p_2 p_7,\; p_3 p_7,\; p_4 p_7,\; p_5 p_7,\; p_6 p_7,\; 0).
\end{aligned}$$
Thus obtaining and
p1 p2 p3 p4 p5 p6 p7 = N (p1 p2 p3 p4 p5 p6 p7;
x+);
p1 p2 p3 p4 p5 p6 p7 = N (p1 p2 p3 p4 p5 p6 p7;
x+)
since transition $x+$ is not enabled in that marking. In order to manipulate the firing of transitions in sets of markings rather than using a marking-per-marking basis, the transition function of a transition can be redefined as a function

$$\delta_N : 2^{M_P} \times T \to 2^{M_P}, \tag{14}$$

that transforms, for each transition, a set of markings $M_1$ into a new set of markings $M_2$ as follows:

$$\delta_N(M_1, t) = M_2 = \{ m_2 \in M_P \mid \exists m_1 \in M_1 : m_1 [t\rangle m_2 \}. \tag{15}$$

Transition functions for net transitions can be further generalized to be the transition function of the whole PN:

$$\delta_N : 2^{M_P} \to 2^{M_P}, \tag{16}$$

where all the transitions are processed in the same function. Equation (16) transforms a set of markings $M_1$ into the set of markings $M_2$ that can be reached from $M_1$ in one step. In a non-interleaving model several transitions can be simultaneously fired. Hence (16) is obtained by computing:

$$\delta_N(M) = \bigcup_{\forall t_i \in T} \delta_N(M, t_i). \tag{17}$$

Conversely, in an interleaving model only one transition can be fired at the same time. Therefore, when computing (16) it must be imposed that $t_i$ is the unique transition to be fired, i.e.

$$\delta_N(M) = \bigcup_{\forall t_i \in T} \Big[ \delta_N(M, t_i) \cap \bigcap_{\forall t_j \neq t_i} \delta_N(M, t_j) \Big]. \tag{18}$$
Using the terminology for verification of sequential machines, function $\delta_N$ performs the constrained image computation of the net [CBM89, CBM90]. There are two different techniques to implement the constrained image computation for transitions using BDDs: topological image computation, and transition relations associated to function $\delta_N$.

7.3.1 Topological Image Computation

Constrained image computation for transitions can be efficiently implemented by using the topological information of the Petri net and the characteristic functions of sets of markings [PRCB94]. In addition to $E_t$, we present the characteristic function of some important sets related to a transition $t \in T$:

$$\begin{aligned}
E_t &= \prod_{p_i \in {}^\bullet t} p_i && \text{($t$ enabled),} \\
NPM_t &= \prod_{p_i \in {}^\bullet t} \bar{p}_i && \text{(no predecessor marked),} \\
ASM_t &= \prod_{p_i \in t^\bullet} p_i && \text{(all successors marked),} \\
NSM_t &= \prod_{p_i \in t^\bullet} \bar{p}_i && \text{(no successor marked).}
\end{aligned}$$

Given these characteristic functions, the constrained image computation for transitions is reduced to calculating:

$$\delta_N(M, t) = (M_{E_t} \cdot NPM_t)_{NSM_t} \cdot ASM_t. \tag{19}$$

Thus, given a set of markings $M$, $\delta_N(M, t)$ calculates all the markings that can be reached from $M$ by firing only transition $t$. Given the set of markings $M = p_1 p_2 p_3 p_4 p_5 p_6 p_7 + p_1 p_2 p_3 p_4 p_5 p_6 p_7 + p_1 p_2 p_3 p_4 p_5 p_6 p_7$ for the example of Figure 11, we calculate $M_1 = \delta_N(M, y+)$. First, $M_{E_{y+}}$ (boolean cofactor of $M$ with respect to $E_{y+} = p_5$) selects those markings in which $y+$ is enabled and removes the predecessor places from the characteristic function ($M_{E_{y+}} = p_1 p_2 p_3 p_4 p_6 p_7 + p_1 p_2 p_3 p_4 p_6 p_7$). Then the product with $NPM_{y+} = \bar{p}_5$ eliminates the tokens from the predecessor places ($M_{E_{y+}} \cdot NPM_{y+} = p_1 p_2 p_3 p_4 p_5 p_6 p_7 + p_1 p_2 p_3 p_4 p_5 p_6 p_7$). Next, the cofactor with respect to $NSM_{y+} = \bar{p}_6$ removes all the successor places, obtaining $(M_{E_{y+}} \cdot NPM_{y+})_{NSM_{y+}} = p_1 p_2 p_3 p_4 p_5 p_7 + p_1 p_2 p_3 p_4 p_5 p_7$. Finally, the product with $ASM_{y+} = p_6$ adds a token in all the successor places of $y+$ ($M_1 = p_1 p_2 p_3 p_4 p_5 p_6 p_7 + p_1 p_2 p_3 p_4 p_5 p_6 p_7$).
7.3.2 Transition Relation Image Computation
The transition function relates sets of markings $M_2 = \delta_N(M_1, t)$ such that the markings in $M_2$ are reachable from $M_1$ after firing transition $t$. The relation defined by $\delta_N$ can also be represented by a characteristic function in which two different sets of variables are used, $\{p_1, \ldots, p_n\}$ for $M_1$ and $\{q_1, \ldots, q_n\}$ for $M_2$ respectively ($n = |P|$). According to the definition of function $\delta_N$ (13), its characteristic function is described by the binary relation:

$$R_t(q_1, \ldots, q_n, p_1, \ldots, p_n) = \prod_{i=1}^{|P|} \big[ q_i \equiv \delta_i(p_1, \ldots, p_n, t) \big]. \tag{20}$$

Finding the set of markings $M_2$ that can be reached after firing transition $t$ from any marking in the set $M_1$ (the constrained image computation for transitions) is reduced to computing:

$$M_2 = \exists_{p_1, \ldots, p_n} \big[ R_t(q_1, \ldots, q_n, p_1, \ldots, p_n) \cdot M_1 \big]. \tag{21}$$

As an example, we compute the characteristic function for the transition relation of $x+$ in Figure 11:

$$\begin{aligned}
R_{x+}(q_1, \ldots, q_7, p_1, \ldots, p_7) &= (q_1 \equiv 0)\,(q_2 \equiv p_1)\,(q_3 \equiv p_1 p_3)\,(q_4 \equiv p_1 p_4)\,(q_5 \equiv p_1)\,(q_6 \equiv p_1 p_6)\,(q_7 \equiv p_1 p_7) \\
&= \bar{q}_1\,(q_2 p_1 + \bar{q}_2 \bar{p}_1)\,(q_3 p_1 p_3 + \bar{q}_3 (\bar{p}_1 + \bar{p}_3))\,(q_4 p_1 p_4 + \bar{q}_4 (\bar{p}_1 + \bar{p}_4)) \\
&\quad\; (q_5 p_1 + \bar{q}_5 \bar{p}_1)\,(q_6 p_1 p_6 + \bar{q}_6 (\bar{p}_1 + \bar{p}_6))\,(q_7 p_1 p_7 + \bar{q}_7 (\bar{p}_1 + \bar{p}_7)).
\end{aligned}$$

The main computational problem in image computation with the transition relation method appears when taking the conjunction $\prod_{i=1}^{|P|}$. Even if the BDDs for $(q_i \equiv \delta_i)$ and the final result $R_t$ are small, the product may be too large in some intermediate result. A substantial increase in efficiency is obtained using partitioned image computation as described in [BCM+90].
7.4 Transition Firing on Signal Transition Graphs
In the previous sections we have concentrated on modeling PNs with boolean functions and on how to simulate the firing of transitions using such functions. In this section we present a way of extending those concepts to STGs. This extension is required since STGs include the notion of signals of a circuit associated to the transitions of the underlying PN. Let G = ⟨N, A, ⟩ be an STG, where $N = \langle P, T, F, m_0 \rangle$ is the underlying PN. Let also D = ⟨S, E, A, ⟩ be the STD corresponding to the STG $G$, and C = {x ∈ B^|A| | ∃s ∈ S : x = (s)} be the set of state codes of the states of $D$. Since there is a direct correspondence between markings of $N$ and states of $D$, we can represent the full state of the STG by the vector $(m, c)$ where $m \in [m_0\rangle$ is a marking of $N$ and c = (s) ∈ C is the code of state $s \in S$ of $D$, respectively. The transition function for a transition in (12) can now be extended for STGs as a function

$$\delta_G : M_P \times C \times T \to M_P \times C, \tag{22}$$

that transforms a full state $(m, c) \in M_P \times C$ into a new full state $(m', c') \in M_P \times C$ by firing the transition $t \in T$. Now $\delta_G = (\delta_1, \ldots, \delta_{|P|}, \delta_{|P|+1}, \ldots, \delta_{|P|+|A|})$ for a transition $t \in T$ is defined for each place $p_i$ (i.e. $\delta_1, \ldots, \delta_{|P|}$) in the same way as stated in equation (13), and for each signal (i.e. $\delta_{|P|+1}, \ldots, \delta_{|P|+|A|}$) as follows

δ_i(c_1, ..., c_|A|, t) = 1 if (t) = c_i +; 0 if (t) = c_i −; c_i otherwise. (23)

According to this, the transition function for the transitions in the STG in Figure 11 (a) is extended with the functions (components $\delta_8, \delta_9, \delta_{10}$):

$$\begin{aligned}
\delta_G(M, x+) &= (\ldots,\; 1,\; y,\; z), \\
\delta_G(M, y+) &= (\ldots,\; x,\; 1,\; z), \\
\delta_G(M, z+) &= (\ldots,\; x,\; y,\; 1), \\
\delta_G(M, x-) &= (\ldots,\; 0,\; y,\; z), \\
\delta_G(M, z-) &= (\ldots,\; x,\; y,\; 0), \\
\delta_G(M, y-) &= (\ldots,\; x,\; 0,\; z).
\end{aligned}$$

Thus obtaining, for example
p1 p2 p3 p4 p5 p6 p7 x y z = G (p1 p2 p3 p4 p5 p6 p7 x y z;
x+):
Again, in order to manipulate the firing of transitions in sets of states rather than using a state-per-state basis, the transition function of a transition, presented in equation (14), can be redefined

$$\delta_G : 2^{M_P \times C} \times T \to 2^{M_P \times C}. \tag{24}$$

Now, given a set $M_F$ of full states of the STG, $\delta_G$ is defined as follows:

δ_G(M_F, t) = (δ_N(M_F, t))_ā · a if (t) = a_i +; (δ_N(M_F, t))_a · ā if (t) = a_i −. (25)

Finally equations (16), (17) and (18) can be rewritten in the obvious way, by just renaming $\delta_N$ by $\delta_G$, and $N$ by $G$. Section 7.3.1 presented an implementation of the constrained image computation, by rewriting $\delta_N$ in terms of characteristic functions and cofactors. Such a method is still applicable in a direct manner, given the extension $\delta_G$ of equation (25). On the other hand, in Section 7.3.2 we used transition relations to compute the image of a transition given a set of states. Now, the new transition function $\delta_G$ relates sets of full states $M_{F2} = \delta_G(M_{F1}, t)$ such that the states in $M_{F2}$ are reachable from $M_{F1}$ after firing transition $t$. The relation defined by $\delta_G$ is represented by a characteristic function using two different sets of variables, $\{p_1, \ldots, p_{|P|}, c_1, \ldots, c_{|A|}\}$ for $M_{F1}$ and $\{q_1, \ldots, q_{|P|}, d_1, \ldots, d_{|A|}\}$ for $M_{F2}$ respectively. According to the definition of function $\delta_G$ (23), its characteristic function is described by the binary relation:

$$R_t(q_1, \ldots, q_{|P|}, d_1, \ldots, d_{|A|}, p_1, \ldots, p_{|P|}, c_1, \ldots, c_{|A|}) = \Big[ \prod_{i=1}^{|P|} q_i \equiv \delta_i(p_1, \ldots, p_{|P|}, t) \Big] \cdot \Big[ \prod_{i=|P|+1}^{|P|+|A|} d_i \equiv \delta_i(c_1, \ldots, c_{|A|}, t) \Big]. \tag{26}$$

Thus, finding the set of states $M_{F2}$ that can be reached after firing transition $t$ from any state in the set $M_{F1}$ (the constrained image computation for transitions) is reduced to computing:

$$M_{F2} = \exists_{p_1, \ldots, p_{|P|}, c_1, \ldots, c_{|A|}} \big[ R_t(q_1, \ldots, q_{|P|}, d_1, \ldots, d_{|A|}, p_1, \ldots, p_{|P|}, c_1, \ldots, c_{|A|}) \cdot M_{F1} \big]. \tag{27}$$
7.5 Signal Transition Graph Traversal
This section presents algorithms for the symbolic traversal of the space of reachable states of an STG. First, an algorithm for a complete traversal is presented. After that, an algorithm implementing a traversal based on the fundamental mode assumption required for testing is also presented.

Complete Traversal

Once the image computation has been defined, the set of reachable states of an STG can be calculated by symbolic traversal. The approach we present is similar to symbolic breadth-first traversal for Finite State Machines [CBM89] and was proposed in [PRCB94]. This method allows several states to be processed simultaneously by using their characteristic function and the image computation. The algorithm presented in Figure 12 traverses the Signal Transition Graph and calculates the set of reachable states. The union and difference of sets are efficiently performed by manipulating their characteristic functions. Each iteration of the traversal obtains all the states reachable from the set "From" in one step. Only those states that are "New" in the set of reachable states are considered for the next iteration. The algorithm iterates until no new states are generated. This algorithm uses δ_G to perform the image computation, but the same results may be obtained using transition relations. Figure 2 depicts an STG and its set of reachable states (only the binary codes of the states are depicted). Figure 11 shows another STG and its set of reachable states (now, the marking information of the states is depicted). In both cases, the nodes represent states and the edges the firing transitions.

    traverse STG (G) {
        Reached := From := {s0};
        repeat {
            To := ∅;
            foreach (transition t ∈ T)
                To := To ∪ δ_G(From, t);
            New := To − Reached;
            From := New;
            Reached := Reached ∪ New;
        } until (New = ∅);
        return (Reached);   /* Set of reached states from s0. */
    }

Figure 12: Algorithm for symbolic traversal of a Signal Transition Graph using δ_G
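The topological image computation of equation (19) and the traversal of Figure 12, run on the Petri net of Figure 11, as an added example that is not code from the report. It assumes the pre-sets and post-sets implied by the transition functions listed in Section 7.3 and the initial marking {p1}, and stores each characteristic function as a truth-table integer in place of a BDD; all function names are illustrative.

```python
"""Set-at-a-time firing on the Petri net of Figure 11 (added example).

A boolean function over the 7 place variables is stored as its truth table:
a Python int whose bit v is 1 iff the function is 1 on vertex v of B^7
(bit i-1 of v is the value of p_i). This stands in for a BDD.
"""
N_PLACES = 7
VERTICES = range(1 << N_PLACES)
ONE = (1 << len(VERTICES)) - 1          # constant-1 function

# Pre-set and post-set of each transition, read off the transition
# functions listed in Section 7.3 (assumption: no other arcs exist).
NET = {
    "x+": ({1}, {2, 5}),
    "y+": ({5}, {6}),
    "z+": ({2}, {3}),
    "x-": ({3}, {4}),
    "z-": ({4, 6}, {7}),
    "y-": ({7}, {1}),
}


def var(i):
    """Characteristic function of the literal p_i."""
    return sum(1 << v for v in VERTICES if v >> (i - 1) & 1)


def cube(places, value):
    """Product of the literals p_i (value=1) or of their complements (value=0)."""
    f = ONE
    for i in places:
        f &= var(i) if value else ONE & ~var(i)
    return f


def cofactor(f, places, value):
    """Cofactor of f with respect to cube(places, value)."""
    mask = sum(1 << (i - 1) for i in places)
    g = 0
    for v in VERTICES:
        w = v | mask if value else v & ~mask   # force the cube's variables
        if f >> w & 1:
            g |= 1 << v
    return g


def image(m, t):
    """Equation (19): (M_{E_t} . NPM_t)_{NSM_t} . ASM_t."""
    pre, post = NET[t]
    step = cofactor(m, pre, 1) & cube(pre, 0)        # consume predecessor tokens
    return cofactor(step, post, 0) & cube(post, 1)   # produce successor tokens


def traverse(initial):
    """Figure 12 restricted to markings: breadth-first fixed point."""
    reached = frontier = initial
    while frontier:
        to = 0
        for t in NET:
            to |= image(frontier, t)
        frontier = to & ~reached          # New := To - Reached
        reached |= frontier
    return reached


def marking(places):
    """Characteristic function of the single marking `places`."""
    return 1 << sum(1 << (i - 1) for i in places)


def markings(f):
    """Decode a characteristic function back into a set of markings."""
    return {frozenset(i for i in range(1, N_PLACES + 1) if v >> (i - 1) & 1)
            for v in VERTICES if f >> v & 1}


if __name__ == "__main__":
    m0 = marking({1})                     # assumed initial marking {p1}
    for m in sorted(markings(traverse(m0)), key=sorted):
        print(sorted(m))
```

A transition that is not enabled in any marking of the input set yields the constant-0 function, which is the empty-set result the text describes for the single-marking case.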
Fundamental Mode Traversal
As we have discussed previously, the synchronous nature of the test machines imposes the use of the fundamental mode along the test. That is, given a test vector, a new one cannot be issued until the entire circuit is stabilized. Such an assumption must be moved to the early stages of the ATPG procedure, in order to generate test vectors according to such operation mode. Thus, given an STG specifying the behavior of a circuit, a new method to traverse the set of reachable states is defined. As an example, Figure 14 depicts the symbolic traversal of the set of states for the STG of Figure 2 (a). Note that only the marking information of the states is depicted. Shaded states correspond to total stable states. Thus, for example, OBS({p1, p6}) = {{p2, p6}, {p1, p7}, {p3, p6}, {p2, p7}, {p3, p7}} and ISS({p3, p7}, b+) = {{p3, p8}}. Figure 13 depicts a symbolic algorithm implementing the traversal of a Signal Transition Graph according to the fundamental mode of operation. Note that, for efficiency, in each traverse step, more than one OBS or ISS set can be computed at the same time. Each of them corresponds to one total stable state in the From set. For example, see in Figure 14 how the sets OBS({p4, p7}) and OBS({p3, p8}) are computed simultaneously. Finally, note that in each iteration of the main loop, two sets of states are computed. To1 corresponds to the union of the ISS sets of each total stable state, and To2 corresponds to the union of the OBS sets of states in To1. Again, this algorithm uses δ_G to perform the image computation, but the same results may be obtained using transition relations.
    traverse step (G, From, Reached) {
        Reached1 := ∅;
        foreach (input transition t ∈ T_a, a ∈ A_I)
            Reached1 := Reached1 ∪ δ_G(From, t);
        From := Reached1;
        Reached2 := Reached ∪ Reached1;
        repeat {
            To := ∅;
            foreach (non-input transition t' ∈ T_b, b ∈ A_O ∪ A_H)
                To := To ∪ δ_G(From, t');
            New := To − Reached2;
            Reached2 := Reached2 ∪ New;
            From := New;
        } until (New = ∅);
        return (Reached1, Reached2 − (Reached ∪ Reached1));
    }

    FM traverse STG (G) {
        Reached := From := {s0};
        repeat {
            (To1, To2) := traverse step (G, From, Reached);
            New := (To1 ∪ To2) − Reached;
            Reached := Reached ∪ New;
            From := total stable states (To1 ∪ To2);
        } until (New = ∅) or (From = ∅);
        return (Reached);
    }

Figure 13: Algorithm for symbolic traversal of a Signal Transition Graph according to the Fundamental Mode assumptions

Figure 14: Symbolic traversal of the reachable states obtained with the Fundamental Mode algorithm

8 Modeling Speed-Independent Circuits

In previous sections we have introduced a formalism to relate Signal Transition Graphs with boolean algebras. Moreover, a symbolic traversal of the space of reachable states, according to the fundamental mode, has been defined. In this section a formalism to relate speed-independent asynchronous circuits with boolean algebras is presented. A circuit is composed of a set of signals I ∪ O ∪ H, in which any non-input signal is driven by some gate. We denote by I, O and H the sets of input, output and internal (hidden) signals respectively. In a synchronous circuit the state is completely determined by the values of the input and state signals. In contrast, the state of a speed-independent circuit depends on all the signals, because these circuits work under the unbounded gate delay model. Thus the future behavior of the circuit depends only on the present value of the signals and not on the gate delays. The set of all possible states of a circuit, denoted by $C$, is symbolically modeled as a boolean algebra, with each signal $s_i$ represented by a variable. From now on, we will indistinctly use $s_i$ to denote a signal and the variable that represents that signal. The value of the input, output and internal signals determines the state of the circuit:
= (s1 ; : : :; sn); si 2 f0; 1g; n =j j :
(28)
Each state of a circuit can be represented by a minterm of $B^n$. A set of circuit states $C \in 2^{C}$ is represented by a characteristic function, i.e. a logic function that evaluates to 1 for those vertices in $B^n$ that represent a state in $C$. The state of a gate is determined by the value of its inputs $(s_1, \ldots, s_i)$ and output $(s_k)$. Given the gate that implements function $s_k = f_{s_k}(s_1, \ldots, s_i, s_k)$, we define the characteristic function of the positive excitation region, i.e. the set of states in which the gate output $s_k$ is enabled to rise, as

$$f_{s_k^+}(s_1, \ldots, s_i, s_k) = \bar{s}_k \cdot f_{s_k}(s_1, \ldots, s_i, s_k), \tag{29}$$

and the characteristic function of the negative excitation region, i.e. the set of states in which $s_k$ is enabled to fall, as

$$f_{s_k^-}(s_1, \ldots, s_i, s_k) = s_k \cdot \overline{f_{s_k}(s_1, \ldots, s_i, s_k)}. \tag{30}$$

The above definitions are taken from [RCP95] and are analogous to the flow tables presented in [DC86]. Other authors have proposed to model gates with Petri nets [McM92]. However, each gate results in a net with several places and transitions, which causes a more complex model. Next we show, as examples, those characteristic functions for an AND gate and a Muller's C element:

$$s_k = f_{s_k}(s_i, s_j) = s_i s_j: \qquad f_{s_k^+}(s_i, s_j, s_k) = \bar{s}_k s_i s_j, \qquad f_{s_k^-}(s_i, s_j, s_k) = s_k (\bar{s}_i + \bar{s}_j)$$

$$s_k = f_{s_k}(s_i, s_j, s_k) = s_i s_j + s_k (s_i + s_j): \qquad f_{s_k^+}(s_i, s_j, s_k) = \bar{s}_k s_i s_j, \qquad f_{s_k^-}(s_i, s_j, s_k) = s_k \bar{s}_i \bar{s}_j$$
We define the transition function of a non-input signal of the circuit as a function:

$$\delta_C : 2^{C} \times (O \cup H) \to 2^{C}, \tag{31}$$

that given a set of states in $C_1$ where the signal $s_k$ is excited, computes a new set of states $C_2$ in which only the signal $s_k$ has switched. The transition function of the signal is computed using the characteristic functions of the excitation regions:

$$C_2 = \delta_C(C_1, s_k) = (C_1 \cdot f_{s_k^+})_{\bar{s}_k} \cdot s_k + (C_1 \cdot f_{s_k^-})_{s_k} \cdot \bar{s}_k. \tag{32}$$

Note that $C_1 \cdot f_{s_k^+}$ stands for the case in which $s_k$ is enabled to rise. Thus, $(C_1 \cdot f_{s_k^+})_{\bar{s}_k} \cdot s_k$ stands for the case in which $s_k$ has risen. A similar reasoning can be done for the falling transition.
To illustrate this, we calculate the new set of states $C_2$ after switching signal $s_4$ using the transition function $\delta_C(C_1, s_4)$. Let us assume that $C_1 = s_1 s_2 s_3 s_4 s_5 + s_1 s_2 s_3 s_4 s_5 + s_1 s_2 s_3 s_4 s_5$, and that $s_4$ is the output of an AND gate with inputs $s_1$ and $s_3$. The products:

$$C_1 \cdot f_{s_4^+} = C_1 \cdot \bar{s}_4 s_1 s_3 = s_1 s_2 s_3 s_4 s_5, \qquad C_1 \cdot f_{s_4^-} = C_1 \cdot s_4 (\bar{s}_1 + \bar{s}_3) = s_1 s_2 s_3 s_4 s_5,$$

give the states in which the signal can rise or fall, respectively. The final set of new states $C_2$ is the union of the states where signal $s_4$ has already risen or fallen:

$$C_2 = (C_1 \cdot f_{s_4^+})_{\bar{s}_4} \cdot s_4 + (C_1 \cdot f_{s_4^-})_{s_4} \cdot \bar{s}_4 = (s_1 s_2 s_3 s_4 s_5)_{\bar{s}_4} \cdot s_4 + (s_1 s_2 s_3 s_4 s_5)_{s_4} \cdot \bar{s}_4 = s_1 s_2 s_3 s_4 s_5 + s_1 s_2 s_3 s_4 s_5.$$

In the same way as we used binary relations to model the transition firing on a PN and an STG, we can also apply such a mathematical tool to model the behavior of a circuit. The transition function seen above relates sets of states of the circuit, $C_2 = \delta_C(C_1, s_k)$, such that the states in $C_2$ are reachable from the states in $C_1$ after switching signal $s_k$. The relation defined by $\delta_C$ can also be represented by a characteristic function using two different sets of variables, $\{s_1, \ldots, s_n\}$ for $C_1$ and $\{r_1, \ldots, r_n\}$ for $C_2$, respectively, where $n$ is the number of signals. Provided the function each gate implements, $s_k = f_{s_k}(s_1, \ldots, s_i, s_k)$, the characteristic function of the relation defined by $\delta_C$ can be described by the binary relation:

$$R_{s_k}(r_1, \ldots, r_n, s_1, \ldots, s_n) = \big[ r_k \equiv f_{s_k}(s_1, \ldots, s_i, s_k) \big] \cdot \prod_{j=1,\, j \neq k}^{n} (r_j \equiv s_j). \tag{33}$$

Thus, finding the set of states $C_2$ that can be reached after switching signal $s_k$ from any state in $C_1$ is reduced to computing:

$$C_2 = \exists_{s_1, \ldots, s_n} \big[ R_{s_k}(r_1, \ldots, r_n, s_1, \ldots, s_n) \cdot C_1 \big]. \tag{34}$$

Following the same example above, we can calculate the set of states $C_2$ after switching the output signal $s_4$ of an AND gate with inputs $s_1$ and $s_3$, from the set of states $C_1 = s_1 s_2 s_3 s_4 s_5 + s_1 s_2 s_3 s_4 s_5 + s_1 s_2 s_3 s_4 s_5$. Given

$$R_{s_4}(r_1, \ldots, r_5, s_1, \ldots, s_5) = (r_1 \equiv s_1)\,(r_2 \equiv s_2)\,(r_3 \equiv s_3)\,(r_4 \equiv s_1 s_3)\,(r_5 \equiv s_5),$$

we obtain:

$$\begin{aligned}
C_2 &= \exists_{s_1, \ldots, s_5} \big[ R_{s_4}(r_1, \ldots, r_5, s_1, \ldots, s_5) \cdot C_1 \big] \\
&= \exists_{s_1, \ldots, s_5} \big[ r_1 r_2 r_3 r_4 r_5\, s_1 s_2 s_3 s_4 s_5 + r_1 r_2 r_3 r_4 r_5\, s_1 s_2 s_3 s_4 s_5 + r_1 r_2 r_3 r_4 r_5\, s_1 s_2 s_3 s_4 s_5 \big] \\
&= r_1 r_2 r_3 r_4 r_5 + r_1 r_2 r_3 r_4 r_5 + r_1 r_2 r_3 r_4 r_5.
\end{aligned}$$

Note that state $s_1 s_2 s_3 s_4 s_5$, in which signal $s_4$ was not excited, is kept in the new set of states $C_2$.

Therefore the computation using transition relations (with no other consideration) is slightly different from that with transition functions. Such a difference can be avoided by restricting $C_1$ to just those states in which signal $s_k$ is excited, prior to applying the corresponding transition relation.
Figure 15: Specification-circuit system
9 Specification and Circuit Composition

In previous sections we have seen how to model Signal Transition Graphs and circuits by means of boolean algebras. Moreover, we have studied their dynamic behavior and have presented algorithms for reachability analysis. Until now, such analysis has been done separately for STGs and circuits. This section describes how to build a system composed of a circuit and its specification in terms of an STG, in order to study the relation between both at the same time. Such a system is the basis of our ATPG methodology. For each fault $f$, the corresponding model for the faulty circuit $C_f$ is composed with the fault-free circuit specification. Then, the system is traversed according to the fundamental mode, as discussed in Section 5.2. We look for discrepancy states, where the values of the circuit signals differ from those specified, due to the presence of fault $f$. If discrepancy states are found, a sequence $S_f$ of transitions that reproduces such a defect in a faulty circuit can be generated. This sequence constitutes the basis for obtaining test vectors for detecting fault $f$.

9.1 Specification and Circuit Synchronization
As shown in Figure 15, we consider a closed system composed of a circuit and its specification in terms of an STG. Note that an STG specification not only models the behavior of the circuit, but also the behavior of the environment in which that circuit will work. In this system, we establish a relationship between the interface signals of the circuit and its specification, i.e. input and output signals of the circuit (I, O) and those of the STG ($A_I$, $A_O$). Thus a circuit signal $s_a \in I \cup O$ will be identified with the STG signal $a \in A_I \cup A_O$ in a one-to-one fashion. Given a signal $a \in A_I \cup A_O$, we denote by $T_{a+}$ ($T_{a-}$) the set of transitions in the STG that specify a rising (falling) transition of circuit signal $s_a$. The idea of synchronization between the specification and the circuit in the closed system is quite simple. It is assumed that the initial state of the STG is consistent with that of the circuit, and that it is stable³. Consistency refers to the fact that values of the input and output signals of the STG are equal to those of the corresponding signals of the circuit. We begin by firing an input transition as it is expected to be specified. For example, transition $t \in T_{a+}$, with $a \in A_I$, is thus fired in the STG and a corresponding input signal $s_a \in I$ in the circuit will rise (similarly for falling transitions). Therefore input signals switch in a synchronic manner. Both the STG and the circuit are left to stabilize separately according to the fundamental mode of operation. Therefore output and internal signals of the circuit will switch independently of those of the STG. The synchronization is then produced by comparing the values of the interface signals in the total stable states reached⁴. If a discrepancy is found we can stop here and go backwards to generate a sequence of transitions which reproduce the fault effect. If no discrepancy was found the process continues by firing a new input transition. As can be deduced from the above discussion, the states of the specification and the circuit are kept separately. As stated in Section 7.4, the state of the specification STG is represented by a vector $(m, c) \in M_P \times C$, where each $c_i$ in $c = (c_1, \ldots, c_{|A|})$ represents the value of signal $a_i \in A$ of the STG. In the same way, the state of the circuit (Section 8) is represented by a vector in $C$, where each $s_i$ in $(s_1, \ldots, s_n)$ represents the value of signal $s_i$ of the circuit. Synchronizations between the specification STG and the circuit are produced when switching input signals and, on the other hand, when checking the binary codes of the total stable states reached after the separated stabilization (Figure 16).

³ If the initial states of the circuit and the specification are not stable, we must proceed to their stabilization prior to begin traversing the system.

Figure 16: System traversal: input signals fire synchronically, outputs and internals fire separately and synchronization for checking binary codes
9.2 System Traversal
Traversing the system composed of a circuit with a fault and the specification of the fault-free circuit should manifest the fault in the form of a discrepancy state. This situation perfectly models both possible fault effects discussed previously, i.e. the presence of a premature firing or an inhibited transition (see Section 4). In the first case the discrepancy state is produced by a non-specified signal transition in the circuit. That is, some output signal of the circuit ($s_a \in O$) switched, while its corresponding output signal in the STG ($a \in A_O$) did not. In other words, some $s_i$ in the circuit state switched while the corresponding $c_j$ in $c$ did not. In the second case the discrepancy state arises because the circuit did not produce a specified signal transition. That is, some output signal of the circuit ($s_a \in O$) did not switch, while its corresponding output signal in the STG ($a \in A_O$) did. In other words, some $c_j$ in $c$ switched while the corresponding $s_i$ in the circuit state did not. It is important to note that in a typical traversal for the verification of the speed-independence of a circuit against its specification, a complete state exploration is done [RCP95]. Conversely, in our methodology, even though it is based on similar principles, given the synchronous nature of the test machines the check for discrepancy states is done only on total stable states at each traverse step. In the rest of the states no check is done, because such states cannot be observed during the test application. This means an important improvement in computational cost. Moreover, given that such intermediate unstable states are no longer needed, we only keep at any time the set of total stable states. This also results in an improvement in memory requirements.

⁴ Comparison of the values of the output signals should suffice for our purposes.

Figure 17: Stable AND gate becoming excited by backward switching
9.3 Test Sequence Generation
The effects of a fault injected in the circuit are detected along the system traversal in the form of discrepancy states. The formalisms presented to model Signal Transition Graphs and speed-independent circuits by means of boolean algebras use transition functions and transition relations. Transition functions can be transformed into backward transition functions that allow a backward search along the space of reachable states. On the other hand, relations are "bi-directional" by definition, thus to go backwards we just need to properly select the set of variables in the existential abstraction. Therefore, given a discrepancy state, a backward traversal can be done to the initial state, and a sequence of signal transitions can be obtained. If such a sequence is applied to a circuit, the fault will be manifested by means of a discrepancy in the values of the circuit signals in the total stable state, with respect to that expected by the specification. The sequences obtained by the fundamental mode traversal of the system for the set of testable faults are essentially synchronous. Thus, they can be transformed into test vectors to make them suitable for a conventional synchronous test machine. From the discrepancy total stable state, a backward traversal is performed, restricted to the set of states that had been visited during the forward traversal, obtaining a trace from the initial state until the discrepancy state. To perform this backward traversal, we define backward transition functions for a PN and an STG as follows:

$$\delta_N^b(M, t) = (M_{ASM_t} \cdot NSM_t)_{NPM_t} \cdot E_t, \tag{35}$$

and

δ_G^b(M_F, t) = (δ_N^b(M_F, t))_a · ā if (t) = a_i +; (δ_N^b(M_F, t))_ā · a if (t) = a_i −, (36)

that intuitively is equivalent to changing the direction of the arcs of the PN and the STG. On the other hand, a gate will commute backwards by switching the output when it is stable. The backward transition function of a circuit signal is computed as:

$$\delta_C^b(C, s_k) = (C \cdot f_{s_k^1})_{s_k} \cdot \bar{s}_k + (C \cdot f_{s_k^0})_{\bar{s}_k} \cdot s_k, \tag{37}$$

where $f_{s_k^0}$ and $f_{s_k^1}$ respectively represent the states in which $s_k$ is stable at 0 or 1, i.e. $s_k = f_{s_k}(s_1, \ldots, s_i, s_k)$. Function $\delta_C^b$ changes $s_k$ into $\bar{s}_k$ in those states in which the gate driving $s_k$ is stable at 1, and vice versa for the states with $s_k$ stable at 0. Figure 17 illustrates how a stable gate switches backwards to an excited state. By restricting $\delta_G^b$ and $\delta_C^b$ to the reached set of states we assure the existence of the backward trace. Similar definitions can be made in a simpler way if we use transition relations instead of transition functions. Thus, the equivalent for equation 35 is obtained by abstracting $(q_1, \ldots, q_n)$ instead of $(p_1, \ldots, p_n)$ in equation 21. Moreover, the equivalent for equation 36 is obtained by abstracting $(q_1, \ldots, q_{|P|}, d_1, \ldots, d_{|A|})$ instead of $(p_1, \ldots, p_{|P|}, c_1, \ldots, c_{|A|})$ in equation 27. Finally the equivalent for equation 37 is obtained by abstracting $(r_1, \ldots, r_n)$ instead of $(s_1, \ldots, s_n)$ in equation 34.

Figure 18: Speed-independent circuit implementation for the STG of Figure 2
10 A practical example

Figure 18 depicts a speed-independent circuit implementation for the STG specification of Figure 2. Recall that signals a and b are inputs, while c, d and e are non-input signals. Based on this example, we are going to illustrate our methodology by showing how test patterns are generated for two different fault effects: an inhibited transition and a premature firing.

First, suppose we want to generate a test pattern for a stuck-at-0 fault on internal node k. Such a fault is injected in the circuit model, which is then confronted against the STG specification. Given the initial state, input transition a+ can fire. If we let the circuit stabilize, output transitions c+, d+ and e+ can fire according to three different orders as shown earlier in Section 5.1. Thus, total stable state s9 is reached, which corresponds to the circuit state (10111). In this state two input transitions may fire, namely a− and b+. Let us assume b+ fires. In such a case, the specification expects output transition c− to occur, but it will never happen in the faulty circuit, because the NOT-AND gate will never switch due to the stuck-at-0 on node k (transition c− is inhibited). In other words, according to the specification the circuit should have reached total stable state s18 = (11011). Instead of this, it has been halted (i.e. stabilized) in state s14 = (11111).

Figure 19: Test pattern generation for a stuck-at-0 fault on node k of Figure 18. (a) Set of visited states, (b) sequence of transitions generated by the back-trace process, (c) after removing unstable states, and (d) sequence of test vectors
[Panel (d), signals ab cde: <00 000> a+ <10 111> b+ <11 011>]

Several states have been visited along the above traversal (see Figure 19 (a)). Using this set of states, a back-trace process is done from the expected final state s18 to the initial state s1. Such a process yields a possible sequence of signal transitions which reproduce the fault effect of node k stuck-at-0 in a faulty circuit. See Figure 19 (b), where subsequences in brackets represent the three possible alternatives discussed previously. If the unstable states are removed from this sequence, the sequence of Figure 19 (c) is obtained, which can be directly used to calculate test vectors for checking a stuck-at-0 on internal node k. Figure 19 (d) depicts a sequence of test vectors for testing such a fault. The fault will be detected during the test by comparing the expected value of signal c against the value of that signal in the circuit under test.

As an example of premature firing detection, consider test pattern generation for a stuck-at-0 fault on internal node j of the circuit in Figure 18. As in the example above, transition a+ can fire from the initial state and total stable state s9 = (10111) is reached after stabilizing the circuit (see Figure 2). In this state, input transitions a− or b+ can fire. If b+ fires, output transition c− should occur, reaching total stable state s18 = (11011) according to the specification. Instead of this, the faulty circuit stabilizes not only producing transition c−, but also transitions d− and e−, and reaching state (11000). That is, transitions d− and e− fire prematurely according to the specification, because e− requires transition a− to happen before, and d− requires b−, and none of them have fired yet. Since the same state traversal as in the above example has been done before finding a discrepancy state (see Figure 19 (a)), the same set of test vectors will allow the detection of the stuck-at-0 fault on internal node j (see Figure 19 (d)).
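The back-trace and stable-state filtering of this walk-through, written out as an added example (not code from the report): it enumerates states explicitly instead of using BDDs. The `SPEC` table, the function names and the two faulty end states are assumptions constructed from the state codes and firing orders given in the text, not simulated from the Figure 18 netlist.

```python
from collections import deque

SIGNALS, INPUTS, INITIAL = "abcde", {"a", "b"}, "00000"
# Constructed from the walk-through: transitions the STG enables in each state
# (the a- branch out of 10111 is not followed in the text and is omitted).
SPEC = {
    "00000": ["a+"], "10000": ["c+", "d+"], "10010": ["c+", "e+"],
    "10100": ["d+"], "10011": ["c+"], "10110": ["e+"],
    "10111": ["b+"], "11111": ["c-"], "11011": [],
}
# Stable state each faulty circuit settles in once b+ fires in 10111, as the
# text states it (assumption: the netlist of Figure 18 is not simulated).
FAULTY_AFTER_B = {"k stuck-at-0": "11111", "j stuck-at-0": "11000"}

def fire(state, t):
    """Apply a signal transition such as 'c+' or 'c-' to a state code."""
    i, v = SIGNALS.index(t[0]), "1" if t[1] == "+" else "0"
    if state[i] == v:
        raise ValueError(f"{t} is not enabled in {state}")
    return state[:i] + v + state[i + 1:]

def is_stable(state):
    """Total stable state: only input transitions are enabled."""
    return all(t[0] in INPUTS for t in SPEC[state])

def settle(state):
    """Stable states reached by firing non-input transitions only."""
    if is_stable(state):
        return {state}
    nxt = (fire(state, t) for t in SPEC[state] if t[0] not in INPUTS)
    return set().union(*(settle(n) for n in nxt))

def forward(initial):
    """Fundamental-mode forward traversal (inputs fire only in stable states)."""
    visited, preds, todo = {initial}, {}, deque([initial])
    while todo:
        s = todo.popleft()
        for t in (t for t in SPEC[s] if is_stable(s) or t[0] not in INPUTS):
            n = fire(s, t)
            preds.setdefault(n, []).append((s, t))
            if n not in visited:
                visited.add(n)
                todo.append(n)
    return visited, preds

def back_trace(target, initial, visited, preds):
    """Backward search from target to initial inside the visited set."""
    step, todo = {target: None}, deque([target])
    while todo:
        s = todo.popleft()
        for p, t in preds.get(s, []):
            if p in visited and p not in step:
                step[p] = (s, t)
                todo.append(p)
    trace, s = [], initial
    while step.get(s) is not None:
        trace.append((s, step[s][1]))
        s = step[s][0]
    return trace + [(s, None)] if s == target else None

def generate_test(fault):
    """Return (transition sequence, test vectors) or None if undetected."""
    visited, preds = forward(INITIAL)
    expected = settle(fire("10111", "b+"))
    if FAULTY_AFTER_B[fault] in expected:
        return None
    trace = back_trace(min(expected), INITIAL, visited, preds)
    vectors = [f"{s[:2]} {s[2:]}" for s, _ in trace if is_stable(s)]
    return [t for _, t in trace if t], vectors
```

Both faults yield the same three vectors because the discrepancy is observed in the same expected stable state; only the value read back from the circuit under test differs.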
11 Conclusions

The report has presented a novel approach for the automatic generation of test patterns for speed-independent circuits. The proposed ATPG methodology is based on a symbolic model checking strategy, and employs native asynchronous techniques along all its steps. Given the synchronous nature of the current test machines, and the fact that asynchronous circuits can only be stopped in their stable states, the fundamental mode of operation is assumed along the test. A complete theoretical study about the analysis of speed-independent circuits under these conditions has been presented.

The methodology presented uses the input stuck-at fault model, but unlike in other typical ATPG approaches, the structure of the circuit is not employed. The functional equivalence of the stuck-at faults is used instead, and test generation is driven by the circuit specification. The circuit and its specification in terms of an STG are represented by means of boolean functions and relations, allowing efficient processing by using BDDs.

Signal Transition Graphs are a common formalism used by several synthesis and verification tools. STGs have also been used for testing in our approach, allowing the completion of such tools. Future work includes the development of a CAD tool implementing the proposed methodology. The reliability of our approach is expected to be proved over a complete set of benchmarks.
Acknowledgments

This work has been supported by the Ministry of Education of Spain (CYCIT) under contract TIC 95-0419, Departament d'Ensenyament de la Generalitat de Catalunya, and ACiD-WG (Esprit 21949). We are also indebted to Oriol Roig and Joan Figueras for many valuable discussions at the early stages of this work.
A Another example of Fundamental Mode traversal

This appendix simply shows several figures related to an example of traversal of the set of states of a Signal Transition Graph. Figure 20 depicts an STG for the A to D converter controller and its underlying State Transition Diagram. Figure 21 shows the space of states and the sets defined on it by the Fundamental Mode of operation. It is important to note in this figure that some ISS sets are composed of just a total stable state. Such a situation arises when sequences of input transitions are present in the original STG. For example, see how state s7 = ISS(s5, la−) is in between two input transitions, i.e. la− and da+. Finally, Figure 22 depicts the symbolic traversal of the space of states obtained with the fundamental mode algorithm. Note how in each traversal step, several ISS and OBS sets are computed simultaneously.
Figure 20: A to D converter controller: (a) Signal Transition Graph, and (b) its corresponding State Transition Diagram. Signals la, da and za are inputs; signals lr, dr and zr are outputs; and signal x is internal
Figure 21: A to D converter controller: ISS and OBS sets according to the Fundamental Mode assumptions. Total stable states are shaded
Figure 22: A to D converter controller: Symbolic traversal of the reachable states obtained with the Fundamental Mode algorithm
B Some experimental results about the traversal

This section summarizes several results about the traversal of an STG obtained with an experimental tool. Data for each benchmark is organized as follows. The second column of the tables contains the total number of states, i.e. the states reached by a typical traversal like that depicted in Figure 12. The third column contains the number of states reached by the fundamental mode traversal algorithm (Figure 13), and the fourth column contains the number of total stable states. Note that an important reduction in the number of visited states is achieved by the fundamental mode algorithm, and the reduction is even greater if only total stable states are considered. Thus, in Table 1, visited states and total stable states of the fundamental mode represent 27.28% and 7.52% of the total number of states, respectively. On the other hand, Table 2 contains data for some benchmarks with a high number of states.
Benchmark               States Visited Stable    Benchmark              States Visited Stable
alloc-outbound.g            21      21      8    pe-rcv-ifc.g               65      63     15
atod.g                      24      23     10    pe-send-ifc.g             117      81     37
c-elem.g                     8       8      6    ptf-master-read.csc.g   18856    3982    768
chu133.g                    24      23     10    qr42.g                     18      16      8
chu150.g                    26      20      8    qr42 nousc.g               64      30      8
chu172.g                    12      12      6    ram-read-sbuf.g            39      37     17
converta.g                  18      16      8    rcv-setup.g                14      14      8
dlatch.g                    10      10      8    rlm.g                      12      12      6
ebergen-b.g                 18      16     12    roberto.g                  66      36     30
ebergen-c.g                 18      18     16    rpdft.g                    22      22     16
ebergen-x.g                 18      18     16    sbuf-ram-write.g           64      43     18
ebergen.g                   18      16      8    sbuf-read-ctl.g            19      19      7
fc.det.g                    15      13      3    sbuf-read-ctl.old.g        21      21      7
fo.g                         8       8      6    sbuf-send-ctl.g            27      27     10
full.g                      16      16      8    sbuf-send-pkt2.g           28      28     13
full1.g                     20      16      8    sendr-done.g                9       9      5
full2.g                     14      13      7    sis-master-read.csc.g    2254    1107    333
glc.g                       17      16      8    sm.g                        8       8      5
half.g                      14      13      7    t1.g                      151     113     37
hazard.g                    12      12      8    trimos-send.g             336     199     54
hybridf.g                   80      56     20    tsbmSIBRK.g              4730    1328    432
i2c.g                       28      28     14    tsbmsi.g                 1024     752    432
i2c.ptf.g                   22      22     14    vbe10b.g                  256     192     64
imec-master-read.csc.g   21848    4200    768    vbe4a.g                    20      16      8
input.g                     16      16     10    vbe5a.g                    44      28     13
irred.no1token.g           324      82     20    vbe5b.g                    24      18     11
luciano.g                   16      16     12    vbe5c.g                    24      20     12
master-read.g             8932    2520    768    vbe6a.g                   192     160     64
master-read.small.g       2108    1092    333    wrdata.g                   24      13      4
meng7.g                     32      26     10    wrdatab.g                 216     170     66
meng9.g                     32      26     10    wxyz.g                     11       8      6
mp-forward-pkt.g            22      22      8    xyz-x.g                     8       8      5
nak-pa.g                    58      36     12    xyz-y.g                     8       6      4
nowick.ass.g                23      23      7    xyz-z.g                     8       7      5
nowick.g                    20      20      7    TOTAL                   62671   17096   4712
Table 1: Experimental results about the traversal
Benchmark            States      Visited       Stable
par 4.csc.g            1303          319           82
par 8.csc.g         1679870        42066         6562
par 16.csc.g    2.82111E+12  5.02343E+08  4.30467E+07
phil 2.g                108           56           12
phil 3.g                864          200           32
phil 4.g               9072          912          112
phil 5.g              85536         3472          352
phil 10.g       7.43734E+09  2.36339E+06       125952
phil 15.g       6.41332E+14  1.23565E+09  4.46956E+07
phil 20.g                 -  5.79398E+11  1.58618E+10
phil 25.g                 -  8.35675E+11  2.29554E+10
Table 2: More results about the traversal for benchmarks with a high number of states
References
[BCL+94] Jerry R. Burch, Edmund M. Clarke, D. E. Long, Kenneth L. McMillan, and David L. Dill. Symbolic model checking for sequential circuit verification. IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, 13(4):401-424, 1994.
[BCM+90] Jerry R. Burch, Edmund M. Clarke, Kenneth L. McMillan, David L. Dill, and L. J. Hwang. Symbolic model checking: 10^20 states and beyond. In Proceedings of the Fifth Annual Symposium on Logic in Computer Science, June 1990.
[BM92] Peter A. Beerel and Teresa H.-Y. Meng. Semi-modularity and testability of speed-independent circuits. Integration, the VLSI journal, 13(3):301-322, September 1992.
[BMB93] Peter A. Beerel, Teresa H.-Y. Meng, and Jerry R. Burch. Efficient verification of determinate speed-independent circuits. In Proc. of the IEEE/ACM International Conference on Computer Aided Design, pages 261-267. IEEE Computer Society Press, November 1993.
[Bro90] F. M. Brown. Boolean Reasoning: The Logic of Boolean Equations. Kluwer Academic Publishers, 1990.
[Bry86] R. E. Bryant. Graph-based algorithms for boolean function manipulation. IEEE Transactions on Computers, C-35(8):677-691, August 1986.
[BS95] Janusz A. Brzozowski and Carl-Johan H. Seger. Asynchronous Circuits. Monographs in Computer Science. Springer-Verlag, 1995.
[Bur92] Jerry R. Burch. Delay models for verifying speed-dependent asynchronous circuits. In ACM Int. Workshop on Timing Issues in the Specification and Synthesis of Digital Systems, March 1992.
[CBM89] O. Coudert, C. Berthet, and J. C. Madre. Verification of sequential machines using boolean functional vectors. In Proc. IFIP Int. Workshop on Applied Formal Methods for Correct VLSI Design, pages 111-128, Leuven, Belgium, November 1989.
[CBM90] O. Coudert, C. Berthet, and J. C. Madre. Formal boolean manipulations for the verification of sequential machines. In Proc. European Conference on Design Automation (EDAC), pages 57-61, March 1990.
[Cho93] Hyunwoo Cho. Reachability Analyses and their Applications in Test Generation and Logic Optimization for Sequential Circuits. PhD thesis, Department of Electrical and Computer Engineering, University of Colorado, 1993.
[Chu87] T.-A. Chu. Synthesis of Self-timed VLSI Circuits from Graph-theoretic Specifications. PhD thesis, MIT, June 1987.
[DC86] David L. Dill and Edmund M. Clarke. Automatic verification of asynchronous circuits using temporal logic. IEE Proceedings, Part E, Computers and Digital Techniques, 133:272-282, September 1986.
[Dil89] David L. Dill. Trace Theory for Automatic Hierarchical Verification of Speed-Independent Circuits. ACM Distinguished Dissertations. MIT Press, 1989.
[Ebe89] J. C. Ebergen. Translating programs into delay-insensitive circuits, volume 56 of CWI Tract. Centre for Mathematics and Computer Science, 1989.
[FS83] H. Fujiwara and T. Shimono. On the acceleration of test generation algorithms. IEEE Transactions on Computers, C-32(12):1137-1144, 1983.
[Goe81] P. Goel. An implicit enumeration algorithm to generate tests for combinational logic circuits. IEEE Transactions on Computers, C-30(3):215-222, 1981.
[Haz92] Pieter J. Hazewindus. Testing Delay-Insensitive Circuits. PhD thesis, California Institute of Technology, 1992.
[HBB94] Henrik Hulgaard, Steven M. Burns, and Gaetano Borriello. Testing asynchronous circuits: A survey. Technical Report FR-35, Dept. of Comp. Sc. and Eng., Univ. of Washington, Seattle, March 1994.
[Hoa89] C. A. R. Hoare. Communicating Sequential Processes. Prentice Hall International, 1989.
[KB95] Ajay Khoche and Erik Brunvand. Testing self-timed circuits using partial scan. In Proc. of the 2nd Working Conference on Asynchronous Design Methodologies, pages 160-169, London, May 1995.
[KKL+93] A. Kondratyev, M. Kishinevsky, B. Lin, P. Vanbekbergen, and A. Yakovlev. On the conditions for gate-level speed-independence of asynchronous circuits. In ACM Int. Workshop on Timing Issues in the Specification and Synthesis of Digital Systems, 1993.
[KKTV94] M. Kishinevsky, A. Kondratyev, A. Taubin, and V. Varshavsky. Concurrent Hardware. The Theory and Practice of Self-timed Design. Series in Parallel Computing. John Wiley & Sons, 1994.
[KLSV91] K. Keutzer, Luciano Lavagno, and A. Sangiovanni-Vincentelli. Synthesis for testability techniques for asynchronous circuits. In Proc. of the IEEE/ACM International Conference on Computer Aided Design, pages 326-329. IEEE Computer Society Press, November 1991.
[Lav92] Luciano Lavagno. Synthesis and Testing of Bounded Wire Delay Asynchronous Circuits from Signal Transition Graphs. PhD thesis, University of California at Berkeley, 1992.
[LR87] Chin J. Lin and Sudhakar M. Reddy. On delay fault testing in logic circuits. IEEE Transactions on Computer-Aided Design, 6(5), September 1987.
[Mar90a] Alain J. Martin. The limitations to delay-insensitivity in asynchronous circuits. In William J. Dally, editor, Sixth MIT Conference on Advanced Research in VLSI, pages 263-278. MIT Press, 1990.
[Mar90b] Alain J. Martin. Programming in VLSI: From communicating processes to delay-insensitive circuits. In C. A. R. Hoare, editor, Developments in Concurrency and Communication, UT Year of Programming Series, pages 1-64. Addison-Wesley, 1990.
[McM92] Kenneth L. McMillan. Using unfoldings to avoid the state explosion problem in the verification of asynchronous circuits. In G. v. Bochman and D. K. Probst, editors, Proc. International Workshop on Computer Aided Verification, volume 663 of Lecture Notes in Computer Science, pages 164-177. Springer-Verlag, 1992.
[McM93] Kenneth L. McMillan. Symbolic Model Checking. Kluwer Academic Publishers, 1993.
[MH91] Alain J. Martin and Pieter J. Hazewindus. Testing delay-insensitive circuits. In Carlo H. Sequin, editor, Advanced Research in VLSI: Proceedings of the 1991 UC Santa Cruz Conference, pages 118-132. MIT Press, 1991.
[Mur89] Tadao Murata. Petri nets: Properties, analysis and applications. Proceedings of the IEEE, 77(4):541-574, April 1989.
[PCKR96] Enric Pastor, Jordi Cortadella, Alex Kondratyev, and Oriol Roig. Structural methods for the synthesis of speed-independent circuits. In Proc. European Design and Test Conference (EDAC-ETC-EuroASIC), pages 340-347, Paris (France), March 1996.
[Pet62] C. A. Petri. Kommunikation mit Automaten. PhD thesis, Bonn, Institut für Instrumentelle Mathematik, 1962. (Technical report Schriften des IIM Nr. 3.)
[PRCB94] Enric Pastor, Oriol Roig, Jordi Cortadella, and Rosa Badia. Petri net analysis using boolean manipulation. In 15th International Conference on Application and Theory of Petri Nets, volume 815 of Lecture Notes in Computer Science, pages 416-435. Springer-Verlag, June 1994.
[RCP95] Oriol Roig, Jordi Cortadella, and Enric Pastor. Verification of asynchronous circuits by BDD-based model checking of Petri nets. In 16th International Conference on Application and Theory of Petri Nets, volume 935 of Lecture Notes in Computer Science, pages 374-391, Torino, June 1995. Springer-Verlag.
[RS93] Marly Roncken and Ronald Saeijs. Linear test times for delay-insensitive circuits: a compilation strategy. In S. Furber and M. Edwards, editors, Asynchronous Design Methodologies, volume A-28 of IFIP Transactions, pages 13-27. Elsevier Science Publishers, 1993.
[RY85] L. Ya. Rosenblum and A. V. Yakovlev. Signal graphs: From self-timed to timed ones. In International Workshop on Timed Petri Nets, pages 199-206, July 1985.
[Ung69] S. H. Unger. Asynchronous Sequential Switching Circuits. Wiley Interscience, 1969.
[Var90] Victor I. Varshavsky. Self-Timed Control of Concurrent Processes. Kluwer Academic Publishers, 1990.
[vB93] K. van Berkel. Handshake Circuits: an Asynchronous Architecture for VLSI Programming, volume 5 of International Series on Parallel Computation. Cambridge University Press, 1993.
[YLSV92] A. Yakovlev, L. Lavagno, and A. Sangiovanni-Vincentelli. A unified signal transition graph model for asynchronous control circuit synthesis. In Proc. of the IEEE/ACM International Conference on Computer Aided Design, pages 104-111. IEEE Computer Society Press, November 1992.