Testing Time – Time to Test?

Testing Time – Time to Test? – Using Formal Methods for the Timing Analysis of Digital Circuits –

Dissertation for the attainment of the doctoral degree of the Faculty of Engineering (Technische Fakultät) of the Albert-Ludwigs-Universität Freiburg

submitted by

Matthias Sauer

Albert-Ludwigs-Universität Freiburg

Dean: Prof. Dr. Yiannos Manoli, Albert-Ludwigs-Universität Freiburg, Germany

First Co-chair: Prof. Dr. Bernd Becker, Albert-Ludwigs-Universität Freiburg, Germany

Second Co-chair: Prof. Dr. Sudhakar M. Reddy, University of Iowa, USA

Examination Date: December 16, 2013

Abstract

Testing Time – Time to Test? – On Testing the Timing Behavior of Digital Circuits with Formal Methods –

Modern microelectronics has enabled new technologies and applications in a wide range of fields that are lastingly changing everyday life. Buzzwords such as the "Internet of Things" and "cloud computing" no longer stand only for concepts of the future, but have entered everyday life in the form of real applications. These techniques would not be possible without the ongoing development of semiconductor manufacturing processes. Only this development made possible new devices and applications with their constant demand for decreasing energy consumption at simultaneously rising performance requirements. The result, however, is increasingly complex manufacturing technologies that are therefore also harder to control. Because of this growing complexity, the test methods for such circuits are also reaching their limits.

One of the greatest challenges is the process variation of current circuits. While in older processes the essential physical properties were relatively stable across manufactured circuit instances, the variance in today's technologies is many times larger. This has led to an evolution of classical test concepts towards grading tests, which sort circuits into quality categories (e.g. by their power consumption). The timing behavior of circuits in particular depends very strongly on statistically distributed properties and is accordingly especially affected by process variations. In addition, modeling the fault effects usually exhibits high complexity, since a large number of (partly unknown) side parameters have to be taken into account.

This gives rise to complex optimization problems in high-dimensional solution spaces, which must be solved efficiently and effectively in order to meet the requirements of current and future test methods. Formal methods are predestined for solving such optimization problems, since their internal structures efficiently reduce the solution space and can thus also solve large problems efficiently. The literature describes various approaches that employ formal methods (in particular the Boolean satisfiability problem) in the test domain. The consideration of timing behavior, however, has so far been formally examined only marginally, although solving such problems is highly relevant. For this reason, testing the timing behavior of digital circuits with formal methods is the focus of this thesis. Within this thesis, two fundamental modeling systems (PHAETON and WaveSAT) were developed and their application in a wide variety of areas is presented.

PHAETON is a test pattern generation system based on the concept of so-called sensitizable paths. In contrast to previous systems, the computation rules of such paths are translated directly into a flexible, monolithic Boolean problem description. PHAETON allows groups of paths to be generated according to the specific requirements of an application. Additional optimization options allow, for example, the compaction of path groups. This enabled concepts (described in this thesis) that employ paths in new application areas.

WaveSAT considers the timing behavior of a circuit with a Verilog-compatible timing model that represents the digital signal waveforms of a circuit. This makes it possible to model and observe complex signal superpositions that are not described, or described only imprecisely, in traditional timing models for test pattern generation and can therefore only be represented approximately.

Combining the different concepts of PHAETON and WaveSAT enables applications that require detailed control over the timing behavior of a circuit through its inputs. One example is the computation of test patterns that make fluctuations in the delay of a gate visible at the output. These complex test conditions could not be represented accurately with previous methods.

Across all problems described in this thesis, complex physical relationships have to be translated efficiently into the restricted logical relationships of a formal description language. Implementing this transformation required applying established formal methods in new ways. Beyond this thesis, this has triggered developments in these areas.

In summary, the thesis shows new ways of modeling timing behavior and thus also opens up room for further research. In particular, the combination of PHAETON and WaveSAT enables future concepts, e.g. the exact representation of combinational feedback loops across different clock domains of a circuit, which would not be possible without this work.

Contents

Abstract (Zusammenfassung)

1. Introduction
    1.1. Contribution and Structure of this Thesis
    1.2. List of discussed Papers

2. Preliminaries
    2.1. Digital Circuits
    2.2. Formal Methods
        2.2.1. Boolean Satisfiability (SAT)
        2.2.2. Quantified Boolean Formula (QBF)
        2.2.3. Bounded Model Checking (BMC) and Craig Interpolation
    2.3. Encoding of Digital Circuits using Formal Methods
        2.3.1. Tseitin Encoding
        2.3.2. 01X Encoding
    2.4. Production of Digital Circuits
    2.5. Test of Digital Circuits
        2.5.1. Fault Models
        2.5.2. Automatic Test Pattern Generation (ATPG)
    2.6. Sensitizable Paths

3. PHAETON - SAT-based Generation of Sensitizable Paths
    3.1. Conceptional PHAETON Overview
    3.2. Path Generation
        3.2.1. Encoding of the Relevant Circuit Logic
        3.2.2. Path Sensitization Constraints
        3.2.3. Timing Model and Encoding of Circuit Timing
        3.2.4. Supported Path Generation Requirements
    3.3. Multiple Path Generation
        3.3.1. Caching
        3.3.2. Information Forwarding
    3.4. Reference Application: K-Longest Paths through each Gate (KLPG)
    3.5. Experimental Results
        3.5.1. KLPG
        3.5.2. Performance Impact of Broadside-compatible Test Pattern Generation
        3.5.3. Rounding Effectiveness
        3.5.4. Performance Impact of the Delay Model
        3.5.5. Performance Impact of Path Sensitization Rules
        3.5.6. Delay Distribution Histogram
    3.6. Discussion of related Work
    3.7. Chapter Summary

4. Extended Path Properties
    4.1. Compaction
        4.1.1. Encoding of Path Sensitization
        4.1.2. Experimental Results
        4.1.3. Discussion of related Work
    4.2. Optimal Test Cube Generation
        4.2.1. Accurate X-Reasoning using QBF
        4.2.2. Dynamic Test Cube Generation
        4.2.3. Static Test Cube Generation
        4.2.4. Experimental Results
        4.2.5. Discussion of related Work
    4.3. Sequentially Reachable Path Generation
        4.3.1. Reachability of Sensitizable Paths
        4.3.2. Targeting Modes
        4.3.3. Experimental Results
        4.3.4. Discussion of related Work
    4.4. Chapter Summary

5. Applications of PHAETON
    5.1. Post-Silicon Validation
        5.1.1. Post-Silicon Delay Characterization Flow
        5.1.2. Importance of Test Pattern Selection
        5.1.3. Test Generation
        5.1.4. Experimental Results
        5.1.5. Yield-Performance Curve Generation
        5.1.6. Discussion of related Work
    5.2. Sequential ATPG
        5.2.1. Sequential Detection Invalidation
        5.2.2. Generation of the BMC Instance
        5.2.3. Experimental Results
        5.2.4. Discussion of related Work
    5.3. Chapter Summary

6. WaveSAT
    6.1. Timing Model
    6.2. SAT Encoding
        6.2.1. Glitch Filtering
        6.2.2. Identification of Stable Timepoints
        6.2.3. Cone of Timing Influence
    6.3. Reference Application: SDF ATPG
        6.3.1. ATPG and Simulation
        6.3.2. Relationship to Path Sensitization Rules
    6.4. Experimental Results
        6.4.1. Analysis of traditional Path-based ATPG Accuracy
        6.4.2. Maximization of the Detection Interval
    6.5. Discussion of related Work
    6.6. Chapter Summary

7. Combination of Path-based and Waveform-accurate ATPG
    7.1. Small-Delay Fault ATPG under Variation
        7.1.1. SDF Fault Detection under Variations
        7.1.2. Statistical Coverage Metrics
        7.1.3. Test Generation for Individual Circuit Instances
        7.1.4. Experimental Results
        7.1.5. Improved Fault Sampling
        7.1.6. Statistical SDF Coverage Evaluation
        7.1.7. Statistical SDF Validation Evaluation
        7.1.8. Discussion of related Work
    7.2. Early-Life Failure ATPG
        7.2.1. ELF Signature: Changes in Delay before Functional Failure
        7.2.2. Detection of ELF-induced Changes in Delay
        7.2.3. ELF ATPG Tool Flow
        7.2.4. Waveform-accurate Transition Tracking
        7.2.5. Experimental Results
        7.2.6. Discussion of related Work
    7.3. Chapter Summary

8. Summary

Appendix

A. Experimental Setup
    A.1. Solver Descriptions
    A.2. Benchmark Descriptions
    A.3. Compute Server Description
    A.4. List of Gate Symbols and Functions

B. Complete List of Author's Publications

1. Introduction

Miniaturized electronic devices have changed the habits of people worldwide and led to the development of a connected world with data access everywhere and at any time. In order to handle the enormous amounts of data, new concepts like cloud computing have been developed. Such a development is, among others, powered by the needs of resource-limited but highly mobile devices outsourcing tasks that exceed their own capacities over a network. Nowadays, centralized cloud computing data centers are combined with local mobile energy-efficient devices.

Such innovations would not be possible without the increased capabilities of current production processes. During the last years, industry has managed to keep the famous Moore's law in place and succeeded in cutting power consumption while at the same time reducing the cost of each transistor. However, these improvements in the production processes also lead to increased challenges and costs connected with the testing of these devices. Current processes have even reached a point where many classical pass/fail testing methods were replaced by grading-based techniques, assessing the quality of a circuit with regard to, e.g., circuit timing or power consumption.

One predominant driver of that rise in complexity is the rise of so-called process variations that statistically affect major process characteristics. For instance, the isolation layers of a transistor have reached a thickness of only a few atoms in current production processes. It is therefore technically impossible to produce devices with exactly the same thickness in each and every transistor. Instead, the number of atoms turns into a random variable and therefore may be different for each individual transistor of all produced devices. Consequently, electrical characteristics of a circuit are governed by probability distributions and cannot be considered as static and, even more important, known values.
In addition to process variations, subtle manufacturing errors add up to unavoidable variations leading to a masking of faulty behavior. Testing the correct functionality of a device is therefore an essential step, as typical yield rates (i.e. the fraction of devices that perform properly) may reach numbers in the 50% range. Thus, one cannot expect a produced circuit to work properly without intensive testing.

The consequences of a failing circuit depend on its intended use case. An entertainment device that fails due to a manufacturing error may only lead to a customer return with rather limited financial consequences. However, failing chips in safety-critical environments like medical devices or transportation systems may cause fatal outcomes with danger for human lives.

While in early technology nodes most of the production errors were explainable (and therefore testable) using rather simple models, current production processes lead to complicated faulty behavior that needs specific side-conditions to be active. The timing of a circuit is particularly influenced by process variations and hence increasingly contributes to malfunctioning circuits that escape testing and then fail in the field. Industrial test flows traditionally employed only rather simple timing tests to save test application time. However, current processes (and predictably future processes as well) progressively include advanced tests for timing, targeting small variations in delay despite their significantly increased complexity.

Generally, the assessment of the timing of a circuit is a challenging task that has not been solved yet and is hence the focus of research for many academic and industrial projects. Especially the test for small delay changes is demanding, as specific and complex test conditions over multiple clock cycles have to be considered. However, production processes and testing techniques are connected in some form of co-evolution and may limit each other without coordinated development. Thus, further improvements and research leading to a better understanding and control of circuit timing are mandatory to provide the technical foundation that enables today's and future applications.

1.1. Contribution and Structure of this Thesis

As shown in previous works, formal methods are advantageous over traditional methods for complex and hard-to-solve instances. The question of how to consider delay information during test generation (also known as timing-aware test generation) has long been an outstanding problem with various contributions. However, prior to this thesis, timing-aware test generation using formal methods has not been thoroughly considered. Therefore, this thesis focuses on new methodologies to improve test and analysis of the timing of digital circuits using formal methods. The general challenge is to encode complex problems and applications, mapping physical behavior and restrictions, within the restrictive and stringent semantics of formal methods.

The basic concepts of testing, circuit timing and formal methods, which are essential for understanding this thesis, are introduced in Chapter 2. Then, the timing-aware SAT-based test pattern generation system PHAETON is presented. It is the first tool which directly combines the encoding of delay information and complex test requirements based on the concept of path sensitization in a single monolithic formalized problem description. Such a setting is beneficial in situations where demanding requirements are imposed on such paths, especially if these requirements are hard to meet or even cannot be met at all (cf. Chapter 3).

PHAETON also supports techniques beyond the generation of specific paths (cf. Chapter 4). The tool includes a dynamic compaction method that searches for test patterns considering as many target paths at the same time as possible. This has been formalized by encoding a maximization over secondary objectives directly into the problem description (cf. Section 4.1).

The concept of maximizing secondary objectives has also been used to find partially specified test patterns (i.e. test cubes) that still guarantee the sensitization of a given path. Consequently, unspecified inputs have to be accurately considered in the instances as well. By employing the theory of Quantified Boolean Formulas, for the first time, an optimal solution to the test cube generation problem has been developed. In addition, heuristics that provide high-quality results in a reasonable time are presented (cf. Section 4.2).

PHAETON further utilizes the formal framework of Bounded Model Checking to generate paths that can be reached from a given initial state by using only functional input assignments. Such paths represent the functional characteristics of a circuit and hence avoid phenomena, like over-testing, that result from operating a circuit in non-functional test modes (cf. Section 4.3).

By combining compaction and test cube generation with the flexibility of PHAETON, high-quality test sets are generated that are readily applicable in a variety of industrial settings and also remove some of the traditional weaknesses of ATPG based on formal methods.

PHAETON was designed to work as a flexible framework that can be incorporated into application-specific flows by supporting a flexible and feature-rich requirement system. This is demonstrated by the presentation of applications discussing different timing-related questions beyond classical path-based applications (cf. Chapter 5).

Before the mass production of a circuit, first samples are produced to gather accurate physical measurements. This step is referred to as post-silicon validation. However, the quality of the measurements depends on the input stimuli that are used. This work presents a lightweight method that works on a simplified and therefore scalable delay model to help the efficient selection of effective test patterns (cf. Section 5.1).

As a further application, a sequential and functional test generation system is presented that, for the first time, targets small-delay faults. Based on the generation of functional paths, the aim is to generate a single functional test sequence that provokes a faulty circuit behavior and transports its fault effect to an observation point (cf. Section 5.2).

Up to this point, timing-aware test generation has only been scalable using delay models working with the initial and the final stabilization logic value of a circuit line. This thesis introduces the SAT-based test pattern generation system WaveSAT that removes these limitations by efficiently supporting a Verilog-compatible timing model based on digital waveforms. WaveSAT is utilized to, for the first time, quantify the fractions of false negatives and false positives of classical path models supported by, e.g., PHAETON and hence to demonstrate their trade-offs (cf. Chapter 6).

Like PHAETON, WaveSAT is designed to work as a framework inside an application combining the accurate model of WaveSAT with the path generation approach of PHAETON (cf. Chapter 7). This is demonstrated by an application considering the impact of physical variations of each produced circuit on the test process and its test quality metrics (cf. Section 7.1).

Finally, the concepts of PHAETON and WaveSAT are combined in a single formal instance, allowing the timing of a circuit to be controlled by applying specific input patterns on a level that has not been possible before. One example, presented in this thesis, is the detection of so-called early-life failures (ELF) by transporting delay fluctuations of a single gate to an observation point (cf. Section 7.2).

A summary of the work presented in this thesis is given in Chapter 8 together with an outlook on possible future research directions. Finally, information on the experimental setup (cf. Appendix A) as well as a complete list of the author's papers (cf. Appendix B) supplement this thesis.

1.2. List of discussed Papers

This thesis is based in parts on the following publications. In order to support readability of this thesis, citations of publications by the author are replaced with a general summarizing reference at the beginning of each chapter whenever contents from the respective publication have been used.

[J1] M. Sauer, A. Czutro, T. Schubert, S. Hillebrecht, I. Polian, and B. Becker, “SAT-based Analysis of Sensitizable Paths”, IEEE Design & Test of Computers, vol. 30, no. 4, pp. 81–88, 2013. doi: 10.1109/MDT.2012.2230297

[C1] M. Sauer, A. Czutro, T. Schubert, S. Hillebrecht, I. Polian, and B. Becker, “SAT-Based Analysis of Sensitisable Paths”, in IEEE Design and Diagnostics of Electronic Circuits and Systems, Best Paper Award in the Test Category, 2011, pp. 93–98. doi: 10.1109/DDECS.2011.5783055

[C2] M. Sauer, J. Jiang, A. Czutro, I. Polian, and B. Becker, “Efficient SAT-Based Search for Longest Sensitisable Paths”, in IEEE Asian Test Symp., 2011, pp. 108–113. doi: 10.1109/ATS.2011.43

[C3] J. Jiang, M. Sauer, A. Czutro, B. Becker, and I. Polian, “On the Optimality of K Longest Path Generation Algorithm Under Memory Constraints”, in Conf. on Design, Automation and Test in Europe, 2012, pp. 418–423. doi: 10.1109/DATE.2012.6176507

[C4] M. Sauer, S. Reimer, T. Schubert, I. Polian, and B. Becker, “Efficient SAT-Based Dynamic Compaction and Relaxation for Longest Sensitizable Paths”, in Conf. on Design, Automation and Test in Europe, 2013, pp. 1530–1591. doi: 10.7873/DATE.2013.100

[C5] M. Sauer, S. Reimer, I. Polian, T. Schubert, and B. Becker, “Provably Optimal Test Cube Generation Using Quantified Boolean Formula Solving”, in ASP Design Automation Conf., Best Paper Award Candidate, 2013, pp. 533–539. doi: 10.1109/ASPDAC.2013.6509651

[C6] M. Sauer, S. Kupferschmid, A. Czutro, S. M. Reddy, and B. Becker, “Analysis of Reachable Sensitisable Paths in Sequential Circuits with SAT and Craig Interpolation”, in Int’l Conf. on VLSI Design, 2012, pp. 382–387. doi: 10.1109/VLSID.2012.101

[C7] M. Sauer, A. Czutro, B. Becker, and I. Polian, “On the Quality of Test Vectors for Post-Silicon Characterization”, in IEEE European Test Symp., 2012. doi: 10.1109/ETS.2012.6233027

[C8] M. Sauer, S. Kupferschmid, A. Czutro, I. Polian, S. M. Reddy, and B. Becker, “Functional Test of Small-Delay Faults using SAT and Craig Interpolation”, in Int’l Test Conf., 2012, pp. 1–8. doi: 10.1109/TEST.2012.6401550

[C9] M. Sauer, A. Czutro, I. Polian, and B. Becker, “Small-Delay-Fault ATPG with Waveform Accuracy”, in Int’l Conf. on CAD, 2012, pp. 30–36. doi: 10.1145/2429384.2429391

[C10] A. Czutro, M. Imhof, J. Jiang, A. Mumtaz, M. Sauer, B. Becker, I. Polian, and H.-J. Wunderlich, “Variation-Aware Fault Grading”, in IEEE Asian Test Symp., 2012, pp. 344–349. doi: 10.1109/ATS.2012.14

[C11] M. Sauer, Y. M. Kim, J. Seomun, H.-O. Kim, K.-T. Do, J. Y. Choi, K. S. Kim, S. Mitra, and B. Becker, “Early-Life-Failure Detection using SAT-based ATPG”, in Int’l Test Conf., 2013, pp. 1–10. doi: 10.1109/TEST.2013.6651925

[W1] J. Jiang, M. Sauer, A. Czutro, B. Becker, and I. Polian, “On the Optimality of K Longest Path Generation”, in Workshop on RTL and High Level Testing, 2011

[W2] M. Sauer, S. Kupferschmid, A. Czutro, I. Polian, S. M. Reddy, and B. Becker, “Functional Justification in Sequential Circuits using SAT and Craig Interpolation”, in GI/ITG Workshop “Testmethoden und Zuverlässigkeit von Schaltungen und Systemen”, 2012

2. Preliminaries

This chapter introduces basic concepts and ideas that are essential for the understanding of this thesis at a fundamental (and sometimes oversimplified) level. For a more advanced discussion of the presented concepts, the interested reader is pointed to the cited details in the existing literature. The foundations of digital circuits, as used in this thesis, are introduced in Section 2.1, followed by a brief introduction of the used formal methods (cf. Section 2.2) and the encoding of circuits using these methods (cf. Section 2.3). The chapter is concluded by an overview of testing techniques (cf. Section 2.5) and an introduction to the concept of sensitizable paths (cf. Section 2.6).

2.1. Digital Circuits

Figure 2.1.: Half-adder example circuit

A combinational digital circuit $C$, as considered in this thesis, is a physical implementation of a Boolean function $f_C : \mathbb{B}^n \to \mathbb{B}^m$ where $n$ is the number of inputs of the circuit and $m$ is the number of outputs of the circuit. Figure 2.1 illustrates such a circuit $C$ given in gate-level representation consisting of two inputs (a and b), two gates (c and d) and two outputs (e and f). $C$ implements the Boolean function

$$f_C : \mathbb{B}^2 \to \mathbb{B}^2 = \{a \oplus b,\; a \wedge b\} \qquad (2.1)$$

which is equal to a so-called half adder.

A circuit that contains memory elements like flip-flops is called a sequential circuit. Such a sequential circuit is illustrated in Figure 2.2, consisting of a combinational core without memory elements and the memory part. The combinational core implements a Boolean function $f_C : \mathbb{B}^{n+k} \to \mathbb{B}^{m+k}$ where $n$ is the number of non-sequential circuit inputs (i.e. primary inputs) and $m$ is the number of non-sequential circuit outputs (i.e. primary outputs). The $k$ inputs and outputs of the sequential part are called secondary inputs and secondary outputs, respectively. The memory elements (e.g. flip-flops) store the results of the secondary outputs upon an activation signal (e.g. a clock) and apply their values as secondary inputs of the circuit. Hence, each application of the activation signal may change the contents of the memory elements and may lead to new secondary input values. Such a step in time that gets triggered by the activation signal of a sequential circuit is called a time frame.

Figure 2.2.: Combinational core

A complete list of the used gate symbols and their respective functions can be found in Section A.4.

2.2. Formal Methods

Formal methods are algorithms relying on a restricted, but mathematically sound set of operations to solve a well-formed and adequate problem description with respect to the employed method. In the following sections the formal methods applied in this thesis are briefly introduced. For further reading the reader is referred to [1].

2.2.1. Boolean Satisfiability (SAT) An instance of the Boolean satisfiability problem (i. e. a SAT instance) is given by a propositional formula Φ over a set of Boolean variables V. Φ = ( (a ∨ b ∨ ¬c) ∧ (¬a ∨ ¬b ∨ ¬c) ∧ (a ∨ ¬b ∨ c) ∧ (¬a ∨ b ∨ c) )

(2.2)

Φ = { {a, b, ¬c} , {¬a, ¬b, ¬c} , {a, ¬b, c} , {¬a, b, c} }

(2.3)

An example for such an instance in conjunctive normal form is given in Equation 2.2 using the variables a, b, c. A literal is a positive variable v or its negation ¬v (e. g. a or ¬c in the example). A clause is a disjunction of literals (e. g. (a ∨ b ∨ ¬c)). Finally, a conjunctive normal form (CNF) is a conjunction of clauses. An alternative (more compact) notation for the same instance is shown in Equation 2.3. In this thesis, parametric SAT instances will be denoted with Φ(Parameters) to indicate that they are specifically generated with respect to the passed parametric information. The encoding of a certain object, e. g., a gate g will be denoted as Φg or gΦ.

The SAT problem asks if an assignment A : V → {0, 1} for each variable in Φ exists, such that each clause in Φ is satisfied. A clause is satisfied if and only if at least one literal of the clause is assigned to 1. If no such assignment exists, Φ is called unsatisfiable. An assignment A(Φ) for a SAT instance Φ is defined as the assignment for each of the variables in Φ. A SAT solver computes and returns an assignment if and only if Φ is satisfiable (such an assignment is also called a model of Φ). In general this problem is NP-complete [2].

Modern SAT solvers, such as [3], [4], are based on the DLL algorithm [5], which decides (i. e. guesses the assignment of) literals and propagates resulting implications, until either all clauses are satisfied or the solver identifies a clause that cannot be satisfied anymore. In this case, a conflict (i. e. a reason) is generated, identifying responsible assignments for the conflict, and the solver tries to change them. If the conflict cannot be resolved by changing decisions, the SAT instance is shown to be unsatisfiable.

During the solving, a clause c becomes an empty clause if all literals in c are assigned to 0. A literal is open if it is neither assigned to 0 nor to 1. A unit clause cu is a clause that consists of exactly one open literal l while all other literals are assigned to 0. Then l will be assigned to 1. This is also called implication, or cu implies l.

In case of the example instance in Equation 2.2, the following satisfying assignments exist:

▸ a → 0, b → 0, c → 0
▸ a → 0, b → 1, c → 1
▸ a → 1, b → 0, c → 1
▸ a → 1, b → 1, c → 0

All other combinations lead to an empty clause. For instance, it is not possible to assign each variable to 1, as in that case the clause {¬a, ¬b, ¬c} would not be satisfied. Hence, the example instance describes the logic function of an XOR gate, as only assignments that are consistent with the logic definition of such a gate are allowed.

2.2.2. Quantified Boolean Formula (QBF)

A Quantified Boolean Formula (QBF) Ψ is an extension of the SAT problem such that every variable in V is bound by an existential (∃) or a universal (∀) quantifier. A QBF instance is given in prenex form if all quantifiers are declared outside the propositional part, i. e., Ψ = Q1 V1 … Qn Vn . Φ, where Q ∈ {∃, ∀} and V1, …, Vn are pairwise disjoint sets of variables with V1 ∪ … ∪ Vn = V. Q1 V1 … Qn Vn is called the prefix and Φ the matrix of Ψ. By convention, the prefix is restricted to a sequence of alternating quantifiers such that Qi ≠ Qi+1, ∀i ∈ {1, …, n − 1} and Q1 = ∃, Q2 = ∀, etc., is assumed. A QBF extension of the previous example instance in prenex form is given in Equation 2.4.

Ψ = ∃a ∀b ∃c . { {a, b, ¬c}, {¬a, ¬b, ¬c}, {a, ¬b, c}, {¬a, b, c} }    (2.4)

The QBF problem is valid or satisfiable if there exists at least one assignment of all variables in V1, such that for every assignment of all variables in V2, there exists one assignment of all variables in V3, and so forth, such that Φ is satisfied. In this case Ψ is satisfied, otherwise unsatisfied. In general, the QBF problem is PSPACE-complete [6]. The example given in Equation 2.4 is satisfiable as it is possible to find an assignment for a such that for each of the possible assignments for b (i. e. 0 and 1) the remaining instance is satisfied.

As a consequence of the alternating quantifier structure, the model for a QBF is a tree with a size that may be exponential in the number of universally quantified variables. Classical QBF solvers focus on deciding the QBF problem and do not return such a model. However, modern QBF solvers (e. g. [7]) are able to return a model for all variables in V1 if and only if Ψ is satisfied.

2.2.3. Bounded Model Checking (BMC) and Craig Interpolation

A further formal technique used in this thesis is the concept of Bounded Model Checking (BMC). Traditionally, BMC is employed to verify properties in sequential transition systems (e. g. a sequential circuit), for instance, to validate that a certain error state cannot be reached. A BMC problem can be encoded as a SAT instance [8] of the form

BMCk = I0 ∧ T0,1 ∧ … ∧ Tk−1,k ∧ Pk.    (2.5)

I0 encodes the initial state set of the problem, e. g., the initial contents of the flip-flops. The terms of the form Ti,i+1 represent the transfer function or transition relation that defines one step from time point i to time point i + 1 in the encoded transition system. The last predicate Pk stands for a desired property whose satisfiability after k steps is to be verified. If the property never holds independently of the value of k, BMCk is unsatisfiable, whereas BMCk is satisfiable if there exists a path in the transition system that starts at I0 and, after k transition steps, reaches a state in which Pk holds. If BMCk is satisfied, a model of the instance can be returned by the solver that is defined just as in the SAT case.

The BMC approach searches for the smallest k for which the desired property holds by attempting to solve a series of problem instances. The first one is BMC0 = I0 ∧ P0 (cf. Equation 2.5). It is satisfiable if the property holds for the initial state. If the instance is not satisfiable, BMC tests whether taking one more step into consideration will satisfy the property, i. e., whether the formula BMC1 = I0 ∧ T0,1 ∧ P1 is satisfiable. This is repeated until BMCk holds (and therefore Pk) for some k, or until a user-defined maximal bound is reached.

In order to prove that a certain target property of a transition system cannot be reached independently of k, i. e., that the desired property never holds, the circuit can be unfolded until reaching its diameter (i. e. the longest sequence of consecutive unique states). However, very large k-values may be reached, necessitating approaches aiming at an earlier decision. Among others, including k-induction [9] and BDD-based approaches [10], there are methods based on the theory of Craig interpolation [11]. Intuitively, a Craig interpolant represents an over-approximation of all reachable states after a certain number of transition steps. This over-approximation is recomputed by an iterative algorithm until a fixed point is reached (i. e. the BMC problem is unsatisfiable) or the problem has been identified as satisfiable. This concept has been efficiently integrated into the tool CIP [12] (“Craig Interpolant Prover”, cf. Section A.1) which is employed for all BMC-related tasks in this thesis. The CIP solver is complete and hence guaranteed to either find a solution if one exists or prove the unsatisfiability of an instance (provided CIP is allocated unlimited solving time and memory).

Figure 2.3.: Tseitin encoding of a half-adder circuit (inputs a and b; gate g1 with output c ⇔ (a ⊕ b), encoded as {{a, b, ¬c}, {¬a, ¬b, ¬c}, {a, ¬b, c}, {¬a, b, c}}; gate g2 with output d ⇔ (a ∧ b), encoded as {{a, ¬d}, {b, ¬d}, {¬a, ¬b, d}})

2.3. Encoding of Digital Circuits using Formal Methods

The formal methods used in this work require either a SAT (Φ) or a QBF (Ψ) representation of the problem. In this section, a brief overview of different circuit encodings that yield such representations is given.

2.3.1. Tseitin Encoding

By using a Tseitin encoding [13], a SAT instance (as CNF representation) ΦC of a circuit C can be generated, whose size is linear in the circuit size. Figure 2.3 shows the encoding of a half adder using the same circuit structure as in Figure 2.1. A Tseitin encoding of a circuit defines a Boolean variable for each line. These variables are used to represent the function of each gate based on its inputs using a two-valued logic (01 logic). For instance, the AND gate d in Figure 2.3 has the inputs a and b and the logical function is given as d ↔ a ∧ b. The corresponding encoding Φd for this gate d would be

Φd = {{a, ¬d}, {b, ¬d}, {¬a, ¬b, d}}.    (2.6)

2.3.2. 01X Encoding

In extension to the two-valued Tseitin encoding of a circuit, the three-valued 01X encoding based on [14] is used to represent unknown (X) values.

Figure 2.4.: 01X encoding of a half-adder circuit (lines encoded as (a1, a2), (b1, b2), (c1, c2), (d1, d2); c ⇔ (a ⊕ b); d ⇔ a ∧ b ⇔ (d1 = (a1 ∨ b1), d2 = (a2 ∧ b2)))

The 01X logic consists of three values {0, 1, X}, which are encoded using two Boolean variables as follows: 0 = (1, 0), 1 = (0, 1), X = (0, 0). The combination (1, 1) is not allowed. Figure 2.4 shows the encoding of the same half adder as in the previous examples using a 01X encoding with two Boolean variables defined for each line. The 01X encoding Φd for the AND gate d would be

Φd = {{¬a1, d1}, {¬b1, d1}, {a1, b1, ¬d1}, {a2, ¬d2}, {b2, ¬d2}, {¬a2, ¬b2, d2}}.    (2.7)

In comparison to a standard Tseitin encoding, the support for the X-symbol leads to larger SAT instances and hence usually harder instances, but at the same time allows reasoning about unknown values. A drawback of this formulation is its pessimism that may incorrectly predict unspecified values on path reconvergences [15].
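Equation 2.7 and the pessimism on reconvergent paths can be checked directly. The following added Python example (not part of the thesis) derives the three-valued AND from the clause set and evaluates a ∧ ¬a for a = X; the variable numbering, the function names and the rail-swapping inverter are assumptions of this example.

```python
from itertools import product

# Value encoding (v1, v2) as defined in Section 2.3.2; (1, 1) is not allowed.
ENC = {"0": (1, 0), "1": (0, 1), "X": (0, 0)}
DEC = {pair: symbol for symbol, pair in ENC.items()}

# Equation 2.7 as signed-integer clauses over a1, a2, b1, b2, d1, d2 = 1..6.
A1, A2, B1, B2, D1, D2 = range(1, 7)
PHI_D = [[-A1, D1], [-B1, D1], [A1, B1, -D1],
         [A2, -D2], [B2, -D2], [-A2, -B2, D2]]


def and_01x(a, b):
    """Derive d = a AND b from the clauses alone by trying every (d1, d2)."""
    fixed = dict(zip((A1, A2, B1, B2), ENC[a] + ENC[b]))
    consistent = []
    for d1, d2 in product((0, 1), repeat=2):
        value = {**fixed, D1: d1, D2: d2}
        if all(any(value[abs(lit)] == (lit > 0) for lit in clause) for clause in PHI_D):
            consistent.append((d1, d2))
    assert len(consistent) == 1          # the clause set fixes d for every input pair
    return DEC[consistent[0]]


def not_01x(a):
    """Inverter in this two-variable code: swap the two variables (assumption of
    this example; the page only gives the AND gate)."""
    v1, v2 = ENC[a]
    return DEC[(v2, v1)]


def truth_table():
    """Full three-valued truth table of the AND gate."""
    return {(a, b): and_01x(a, b) for a in ENC for b in ENC}


def reconvergent(a):
    """a AND (NOT a): line a fans out and reconverges at the AND gate.
    The exact result is 0 for a = 0 and for a = 1."""
    return and_01x(a, not_01x(a))


if __name__ == "__main__":
    for (a, b), d in truth_table().items():
        print(f"{a} AND {b} = {d}")
    print("a AND NOT a with a = X:", reconvergent("X"))
```

Both completions of a = X give 0 at the output, yet the 01X evaluation reports X, which is the pessimism the paragraph above refers to.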

2.4. Production of Digital Circuits

The mass manufacturing of digital circuits is a yield process that consists of hundreds of steps which each produced wafer needs to undergo. A major characteristic of a manufacturing process is the feature size, as it directly or indirectly determines most of the relevant quality metrics (e. g. transistor density, power consumption and propagation delay). With each new manufacturing process, the feature size gets smaller, leading to an improved performance of the produced circuits. However, the processes also get increasingly complicated and expensive. As a result, the fraction of correctly produced circuits (i. e. the yield) is substantially below 100%. Especially for larger circuits using a rather new production process the production yield can drop to numbers below 30%. Hence, each produced circuit needs to be tested for function before it gets shipped to prove the absence of defects, i. e., physical production flaws which lead to a malfunction of the produced circuit. More details on digital circuits and their manufacturing process can be found in [16].

2.5. Test of Digital Circuits

The purpose of the test process is to decide whether a produced circuit has been produced without defects and hence its function is identical to the specification.

Figure 2.5.: Test concept overview (blocks: circuit model, fault model, fault list, ATPG and test set for the model-based test pattern generation; test pattern, ATE, Circuit under Test (CUT) and circuit response for the test pattern application on the physical circuit)

The general test flow is shown in Figure 2.5 and starts with the fault-model-based (cf. Section 2.5.1) generation of test patterns. Based on the fault model, a fault list is defined, containing the locations and the faults which need to be tested for. The task of the ATPG (Automatic Test Pattern Generation) (cf. Section 2.5.2) process is to generate a test pattern for each fault that proves (or disproves) the absence of the targeted fault. A test pattern is an assignment to the inputs of a circuit. A consecutive sequence of test patterns over one or more time frames is called a test sequence. The combination of all test patterns is called test set and forms the final product of the test generation process. This final test set is applied to each produced circuit after the fabrication using Automatic Test Equipment (ATE). The test patterns are applied to the Circuit Under Test (CUT) and the circuit’s response is compared to the expected reference response. If these responses show a fault effect (i. e. an observable mismatch between the measured circuit response and the expected response) for any applied test pattern, the circuit is assumed to be faulty. Otherwise, it passes the test process.

The ATPG process has to consider the environment of the chip. Depending on the capabilities of the ATE and the on-chip Design for Test (DFT) infrastructure, the test patterns that can be applied to a circuit are restricted. Most notably, in a circuit without scan chains, sequential elements like flip-flops are neither observable nor accessible. By using full scan, each flip-flop can be observed and controlled by a special test mode that sequentially shifts in new values while at the same time shifting out the old flip-flop values. A test pattern that is generated for a full scan architecture is also called broadside-compatible. An extension to full scan is enhanced full scan, where two values can be stored and consecutively applied to the circuit for each flip-flop. This structure allows arbitrary pairs of input patterns to be applied, whereas in a full scan environment the flip-flop contents of the second pattern result from the circuit function of the first pattern. Hence, by applying scan chains, sequential circuits can be considered as combinational ones during most parts of the test generation process. A more detailed discussion on the testing process can be found in [17], [18].

2.5.1. Fault Models

Fault models abstract from physical defects by describing their influence on the circuit’s function. This abstraction is essential, as there are an infinite number of defects due to their analog parameters originating from real physical properties. An instance of a fault model is called a fault f which alters the function of a circuit C to Cf. Fault models try to group defects that change the circuit function in the same way into clusters that are represented by a single fault. Therefore, a significant reduction in complexity is achieved, as both the number of considered problems decreases and each fault is of less complexity.

The most popular fault model is the stuck-at fault model that describes a defect as a circuit line having its value fixed to either 1 or 0 independent of the correct value. Hence, this model tests the ability of a line to switch at all. Although most defects result in much more complex fault effects, this model is still able to catch many of those complex defects [19].

In contrast to static fault models, which are defined independent of the circuit timing, this thesis concentrates on dynamic fault models, and more specifically on delay fault models where the circuit timing is relevant. A delay fault model defines a fault based on the time a transition (i. e. a change of the logic value of a line) needs to propagate through the circuit. If this propagation time exceeds a certain threshold (e. g. the clock length), the transition arrives too late, leading to a malfunction of the circuit.

The transition-delay fault model [20] is the most popular dynamic fault model. It is closely related to the static stuck-at fault model but defines a fault as a line that takes an infinite time to switch. Small-delay faults (SDFs) [21] extend the basic transition-delay fault by defining the fault as an increase in the delay of a specific gate g by a certain parametric value d. d is set to a rather small value, such that this additional delay may lead to a fault effect on some propagation paths, but not on all. This results in a great increase in the complexity of the test generation as, unlike in the transition fault model, the detection of the fault depends on the delay of the propagation path. This fault model is related to the path delay fault model [22] where the additional delay is not allocated at a specific gate, but along a predefined path of the circuit.

In order to accurately generate tests for SDFs, the delay of each gate needs to be known. However, as gate delays in real circuits are affected by process variations, these values are statistical variables that depend on the physical characteristic of the circuit. Hence, there exists an infinite number of possible delay configurations for each circuit, leading to an infinite number of possible circuit instances. The collection of all these instances forms the population of a circuit. The nominal delay of a gate is the delay with the expected values and is typically used as the delay of a gate in this thesis. The nominal instance of a circuit has all delays set to respective nominal delays. Given a circuit, a Monte Carlo Experiment can generate a desired number of circuit instances, according to the distribution. This set of instances, PN, is representative for a number N of manufactured circuits.

Dynamic fault models are generally more complex compared to static ones, as considering circuit timing requires at least a test pair (i. e. a test pattern that contains input values for two consecutive time frames) as the switching of a line is asserted and additional timing constraints need to be considered. The choice of the fault model(s) to go for in the actual test results in a tradeoff between complexity and performance. Usually, the less complex a fault model is, the faster it is to compute tests for, but also the more likely defects are actually missed by the generated test set. A more detailed discussion on fault models can be found in [23].

2.5.2. Automatic Test Pattern Generation (ATPG)

The task of the Automatic Test Pattern Generation (ATPG) is to generate an assignment to the inputs of the circuit (i. e. a test pattern), such that the circuit response of the circuit given a fault f is different to the reference response if the fault f is present. More formally, a test (or test pattern) t for a fault f in a circuit C is the solution to the following equation:

C(t) ≠ Cf(t)    (2.8)

where C(t) represents the logic function of the fault-free circuit and Cf(t) the logic function of the faulty one. An ATPG flow aims at generating a test for each fault in the fault list and combines them to a test set. In addition to the detection of the fault, such test sets often have secondary objectives and properties. For instance, technical requirements and limitations of the test infrastructure of the target circuit have to be considered. Additionally, the number of test patterns in a test set highly influences the test application time (i. e. the time an ATE needs to apply the test set to an individual circuit), which directly influences test economics.

Depending on the outcome of the ATPG, a fault f is classified as follows. If a test t for a fault f exists, the fault is called testable and additionally called detected if t is also part of the final test set. If, in contrast, the ATPG process could show that no such test exists, f is said to be redundant or untestable. Based on these classifications, the effectiveness of the test set is also measured: The fault coverage (FC) of a test set TS is defined as

FC = |{t ∈ TS | t is detected}| / |TS|.    (2.9)

The related fault efficiency (FE) of a test set TS is defined as

FE = |{t ∈ TS | t is detected}| / |{t ∈ TS | t is testable}|.    (2.10)

Hence, the fault coverage shows the fraction of the detected faults based on the total amount of faults in the fault list, and therefore an estimation for the quality of the test set. The fault efficiency focuses on the quality of the ATPG process by identifying the fraction of testable faults that are actually detected. The following sections will introduce classical structural ATPG algorithms (2.5.2.1) and also introduce the foundations of SAT-based ATPG (2.5.2.2) which this thesis is based on.

2.5.2.1. Structural ATPG

Structural ATPG algorithms directly work on the circuit structure. The first complete structural ATPG is known as the D-Algorithm [24]. It is based on a four-valued logic (0, 1, D, D̄) where D and D̄ denote lines carrying a different value in the faulty and fault-free case (i. e. a fault effect). Lines without a fault effect are represented using the usual logic symbols 0 or 1. The key idea of the D-algorithm is to propagate a fault effect, using assignments to circuit lines, from the fault location to an observable circuit output. If this is possible without conflicting assignments, a justification phase tries to assign values to all supporting lines to find a consistent (i. e. conflict-free) assignment for each relevant line in the circuit. If conflicting assignments have been identified, these assignments are reverted until either a consistent assignment has been found, or the complete search space has been covered. Major successors of the D-Algorithm are PODEM [25] and FAN [26] which offer some advantages, but still work with the same principles.

The advantage of structural methods, namely to directly work on the circuit structure, is also their weakness, as reasoning is not as efficient as in other data structures like a SAT instance. This results in a reduced performance for hard to solve problems, especially if the fault turns out to be untestable [27], [28].

2.5.2.2. SAT-based ATPG

SAT-based ATPG methods encode the ATPG problem as a SAT instance and thus, in contrast to structural ATPG methods, do not directly work on the circuit structure. The fundamental concept of the SAT instance encoding is the Miter circuit shown in Figure 2.6. Given a reference circuit C and a faulty circuit model Cf, the miter structure XORs each corresponding circuit output of C and Cf and combines them using an OR tree to a single output. Additionally, C and Cf are connected with the same inputs. If the miter output is set to 1, at least one of the circuit outputs carries a fault effect. The assignments to the inputs are therefore a test for f.

Figure 2.6.: Miter circuit concept

As with each circuit, the Miter circuit can also be encoded as a SAT instance ΦMiter (e. g. by the Tseitin encoding). In order to require a test, the miter output additionally has to be forced to 1 by a triggering clause (i. e. a unit clause on the miter output). If such an instance MiterΦ is passed to a SAT solver, the solver will return an assignment or a proof that the instance is unsatisfiable. In the former case, the test pattern can be extracted from the assignment by identifying the logic values of the input variables. In the latter case, the fault is untestable.

While the Miter concept and therefore SAT-based ATPG have been known for some time ([13], [29], [30]), they have been mainly of purely academic use. However, advances in SAT-solving algorithms [3], [4], [31], [32] have recently stirred interest and made SAT-based ATPG viable, especially for hard and complex instances, as reasoning on a SAT instance is very efficient. This also led to the recent development of several SAT-based ATPG systems including, e. g., PASSAT [33], TransGen [34] but also the in-house tool TIGUAN [27] that has been the technical foundation for the work presented in this thesis. A more detailed discussion on SAT-based ATPG can be found in [35].
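The miter construction described above, together with the clause sets of Sections 2.2.1 and 2.3.1, as an added Python example (not code from the thesis, TIGUAN or any solver it cites): a small DLL-style solver generates stuck-at tests for the half adder and proves a fault untestable on a constructed redundant circuit. The netlist format, the circuit REDUNDANT and the names ENCODERS, dpll, encode, generate_test and simulate are assumptions made for this example.

```python
from itertools import count

# Tseitin clauses per gate type, written as signed integers (negative = negated).
ENCODERS = {
    "and": lambda o, a, b: [[a, -o], [b, -o], [-a, -b, o]],                     # Equation 2.6
    "or":  lambda o, a, b: [[-a, o], [-b, o], [a, b, -o]],
    "xor": lambda o, a, b: [[a, b, -o], [-a, -b, -o], [a, -b, o], [-a, b, o]],  # Equation 2.2
}
OPS = {"and": lambda a, b: a & b, "or": lambda a, b: a | b, "xor": lambda a, b: a ^ b}

# Constructed netlists: (output line, gate type, input 1, input 2), topologically ordered.
HALF_ADDER = [("c", "xor", "a", "b"), ("d", "and", "a", "b")]
REDUNDANT = [("t", "and", "a", "b"), ("z", "or", "a", "t")]   # z = a OR (a AND b) = a

def dpll(clauses, assignment=None):
    """DLL-style search: unit propagation, then a decision on the next open variable.
    Returns a model {variable: bool}, or None if the instance is unsatisfiable."""
    assignment = dict(assignment or {})
    while True:
        unit = None
        for clause in clauses:
            open_lits, satisfied = [], False
            for lit in clause:
                value = assignment.get(abs(lit))
                if value is None:
                    open_lits.append(lit)
                elif value == (lit > 0):
                    satisfied = True
                    break
            if satisfied:
                continue
            if not open_lits:
                return None                  # empty clause: conflict
            if len(open_lits) == 1:
                unit = open_lits[0]          # unit clause implies its open literal
                break
        if unit is None:
            break
        assignment[abs(unit)] = unit > 0
    free = sorted({abs(l) for c in clauses for l in c} - set(assignment))
    if not free:
        return assignment
    for decision in (False, True):
        model = dpll(clauses, {**assignment, free[0]: decision})
        if model is not None:
            return model
    return None

def encode(netlist, var, fault=None):
    """Tseitin-encode one circuit copy; a stuck-at fault (line, value) cuts the
    line from its driver and fixes it with a unit clause."""
    cnf = []
    for out, gate, in1, in2 in netlist:
        if fault is None or fault[0] != out:
            cnf += ENCODERS[gate](var[out], var[in1], var[in2])
    if fault is not None:
        line, stuck = fault
        cnf.append([var[line] if stuck else -var[line]])
    return cnf

def generate_test(netlist, inputs, outputs, fault):
    """Build the miter of C and Cf, force its output to 1 and solve.
    Returns a test pattern {input: 0/1}, or None if the fault is untestable."""
    ids = count(1)
    lines = list(inputs) + [gate[0] for gate in netlist]
    good = {n: next(ids) for n in lines}
    # C and Cf share the primary inputs; every other line (and a faulty input) is duplicated.
    bad = {n: good[n] if n in inputs and n != fault[0] else next(ids) for n in lines}
    cnf = encode(netlist, good) + encode(netlist, bad, fault)
    diffs = []
    for out in outputs:                      # XOR of corresponding outputs
        diff = next(ids)
        cnf += ENCODERS["xor"](diff, good[out], bad[out])
        diffs.append(diff)
    miter = next(ids)                        # OR over all XOR outputs
    cnf += [[-d, miter] for d in diffs] + [diffs + [-miter]]
    cnf.append([miter])                      # triggering clause
    model = dpll(cnf)
    if model is None:
        return None
    return {pi: int(model.get(good[pi], False)) for pi in inputs}

def simulate(netlist, pattern, outputs, fault=None):
    """Evaluate C(t), or Cf(t) when a stuck-at fault is given (check of Equation 2.8)."""
    value = dict(pattern)
    if fault is not None and fault[0] in value:
        value[fault[0]] = fault[1]
    for out, gate, in1, in2 in netlist:
        value[out] = OPS[gate](value[in1], value[in2])
        if fault is not None and fault[0] == out:
            value[out] = fault[1]
    return tuple(value[o] for o in outputs)
```

For line t stuck-at 0 in REDUNDANT the solver reports unsatisfiability, which corresponds to the redundant (untestable) classification of Section 2.5.2.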

2.6. Sensitizable Paths

A structural path in a circuit C is a sequence of gates g1, …, gn such that the output of gj−1 drives an input of gj for all 1 < j ≤ n. This input of gj is called the on-path input of gj, all other inputs are called off-path inputs. If g1 is an input of C and gn is an output of C the path is called complete, otherwise the path is called partial. Figure 2.7 shows an example of such complete paths given by the gates a − g1 − g3 − d (red path p1) and c − g2 − g3 − d (yellow path p2).

Figure 2.7.: Example circuit with sensitizable paths

Intuitively, a path is sensitized by a test pair t = {t1, t2} if a transition at its input propagates to its output, thus exposing delays along the path. If no such test pattern pair exists the path is called a false path.

The length (i. e. delay) of a sensitized path is defined as the sum of the delays of its gates. Intuitively, the length of a path describes the time a transition needs to propagate along the path from the first gate to the last gate. In the example, the delay of each gate is given as an integer number next to its inputs, leading to a length of 5 and 3 for p1 and p2, respectively. The actual length of paths through a gate depends on the paths that are sensitized under a given test pattern. However, the length of these paths is bounded by structural properties. The earliest arrival time (EAT) of a gate describes the time the first transition can arrive at the gate. Related to the EAT, the latest arrival time (LAT) defines the time of the last transition. In the example, EAT(g3) would be 1 due to the transition coming from gate g2 and LAT(g3) would be 3 due to the transition coming from gate g1. The earliest stabilization time (EST) and the latest stabilization time (LST) define the time of the first and last transition at the output of the gate. Hence, EST(g3) and LST(g3) are set to 3 and 5.

One major use-case for sensitizable paths is the detection of small-delay faults. Consider the SDF f = (g, ) at a gate g with an additional delay of . Under the classical notion of SDF detection, f is detected at the output of a sensitized path p by a test pattern TP if and only if g is a gate of p and delay(p) +  > tobs holds. tobs is the observation time at which the fault effect at the output of p needs to be observed. If the equation holds, the propagation has not yet reached the observed output line and the old logic value is captured, indicating a fault. The difference between a given observation time tobs and the path’s delay is called slack of the path. It represents the maximum amount of time by which the path may be delayed without leading to a transition arriving after tobs which is, e. g., the condition that results in a fault effect. Hence, the longer the path, the smaller the small-delay fault sizes that can be detected and the higher the quality of the path in that context.

Path sensitization is directly connected with a hierarchy of path sensitization rules. Table 2.1 shows the individual requirements for several common types [36] in greater detail for an AND/NAND gate. The requirements for other gate types are defined likewise. Path sensitization rules are defined on a per-gate basis without the need to know the exact arrival times of transitions at the side inputs of a gate. Therefore, they represent approximations of the exact timing (cf. Section 6.4).
Restricted-functional sensitization just requires the possibility of a transition under the assumption that side-input transitions do not overlap with the on-path transition. Therefore, such sensitization rules represent paths under worst-case timing conditions and lead to the overall longest path length. Strong non-robust sensitization is more stringent and requires a non-controlling side-input value in the second time frame; such paths have a reasonable chance to be actually sensitized. Robust paths are sensitized regardless of the arrival times at side input transitions and additionally guarantee a glitch-free behavior after the path length. Therefore such paths are highly suitable for SDF testing as no invalidations due to side-input transitions and glitches may happen.

The most stringent definition is hazard-free robust which guarantees that only a single glitch-free transition runs along the path. Compared to other sensitization models such paths are rare and harder to find (cf. Section 3.5.6) but allow circuit timing to be pin-pointed specifically and specific timings to be observed. Therefore, such a model is highly suitable for, e. g., debug and diagnostic tasks.

Table 2.1.: Sensitization conditions for AND/NAND gates

Sensitization type      On-path transition   Off-path inputs
Hazard-free robust      0→1                  Stable 1
                        1→0                  Stable 1
Robust                  0→1                  Settle at 1
                        1→0                  Stable 1
Strong non-robust       0→1                  Settle at 1
                        1→0                  Unstable 1
Restricted-functional   0→1                  Settle at 1
                        1→0                  Initially 1

If a path p is sensitizable, its sensitization can be guaranteed by a set of sensitization requirements r1^p, …, rm^p where each requirement ri^p restricts the logic value of a single line of the circuit to a certain value. All requirements together form the set of necessary requirements Rp = {r1^p, …, rm^p} with respect to a path p and the chosen sensitization criteria (e. g. robust or non-robust).
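The arrival and stabilization times, the slack and the classical SDF detection condition of this section, as an added Python example (not from the thesis) on the circuit of Figure 2.7. The wiring of input b and all function names are assumptions; the computation is purely structural and does not decide whether a path is sensitizable.

```python
# Constructed netlist for the circuit of Figure 2.7: gate -> (delay, fan-in).
# Delays and the paths p1, p2 follow the text; the wiring of input b is an assumption.
GATES = {"g1": (3, ["a", "b"]), "g2": (1, ["b", "c"]), "g3": (2, ["g1", "g2"])}
INPUTS = ["a", "b", "c"]
OUTPUT_GATES = ["g3"]          # g3 drives the circuit output d


def arrival_times(gates, inputs):
    """Return {gate: (EAT, LAT, EST, LST)} for transitions launched at time 0."""
    est = {i: 0 for i in inputs}
    lst = {i: 0 for i in inputs}
    times, pending = {}, dict(gates)
    while pending:
        ready = [g for g, (_, fanin) in pending.items() if all(f in est for f in fanin)]
        if not ready:
            raise ValueError("combinational loop or undriven line")
        for g in ready:
            delay, fanin = pending.pop(g)
            eat = min(est[f] for f in fanin)     # first transition arriving at the gate
            lat = max(lst[f] for f in fanin)     # last transition arriving at the gate
            est[g], lst[g] = eat + delay, lat + delay
            times[g] = (eat, lat, est[g], lst[g])
    return times


def path_length(gates, path):
    """Sum of the gate delays along the path; path[0] is the primary input."""
    return sum(gates[g][0] for g in path[1:])


def complete_paths(gates, inputs, output_gates):
    """Enumerate complete structural paths as (length, [input, gate, ...]), longest first."""
    def backtrace(node):
        if node in inputs:
            return [[node]]
        return [p + [node] for f in gates[node][1] for p in backtrace(f)]
    paths = [(path_length(gates, p), p) for o in output_gates for p in backtrace(o)]
    return sorted(paths, key=lambda item: (-item[0], item[1]))


def slack(gates, path, t_obs):
    """Time by which the path may be delayed before the transition arrives after t_obs."""
    return t_obs - path_length(gates, path)


def detects_sdf(gates, path, fault_gate, extra_delay, t_obs):
    """Classical SDF detection condition: the gate lies on the path and
    delay(p) + extra_delay > t_obs. Sensitization of the path is assumed."""
    return fault_gate in path and path_length(gates, path) + extra_delay > t_obs


def smallest_detected_size(gates, inputs, output_gates, fault_gate, t_obs):
    """Slack of the longest structural path through fault_gate; every extra delay
    strictly larger than this value is detected along that path."""
    lengths = [n for n, p in complete_paths(gates, inputs, output_gates) if fault_gate in p]
    return t_obs - max(lengths) if lengths else None


if __name__ == "__main__":
    print(arrival_times(GATES, INPUTS))
    for length, path in complete_paths(GATES, INPUTS, OUTPUT_GATES):
        print(length, " - ".join(path))
```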


3. PHAETON - SAT-based Generation of Sensitizable Paths

This section presents the SAT-based path generation system PHAETON and introduces the general concepts of mapping the generation of sensitizable paths to SAT instances. PHAETON is designed to work as a tool inside an application-specific flow and supports a variety of flexible path constraints an application may impose. This is demonstrated by a reference application using PHAETON to compute longest paths through each gate. Based on this reference application, the experimental results demonstrating the applicability of PHAETON are given.

This chapter is partially based on:

[J1] M. Sauer, A. Czutro, T. Schubert, S. Hillebrecht, I. Polian, and B. Becker, “SAT-based Analysis of Sensitizable Paths”, IEEE Design & Test of Computers, vol. 30, no. 4, pp. 81–88, 2013. DOI: 10.1109/MDT.2012.2230297

[C1] M. Sauer, A. Czutro, T. Schubert, S. Hillebrecht, I. Polian, and B. Becker, “SAT-Based Analysis of Sensitisable Paths”, in IEEE Design and Diagnostics of Electronic Circuits and Systems, Best Paper Award in the Test Category, 2011, pp. 93–98. DOI: 10.1109/DDECS.2011.5783055

[C2] M. Sauer, J. Jiang, A. Czutro, I. Polian, and B. Becker, “Efficient SAT-Based Search for Longest Sensitisable Paths”, in IEEE Asian Test Symp., 2011, pp. 108–113. DOI: 10.1109/ATS.2011.43

[C3] J. Jiang, M. Sauer, A. Czutro, B. Becker, and I. Polian, “On the Optimality of K Longest Path Generation Algorithm Under Memory Constraints”, in Conf. on Design, Automation and Test in Europe, 2012, pp. 418–423. DOI: 10.1109/DATE.2012.6176507

[W1] J. Jiang, M. Sauer, A. Czutro, B. Becker, and I. Polian, “On the Optimality of K Longest Path Generation”, in Workshop on RTL and High Level Testing, 2011

The contributions of this chapter mainly conducted by myself are the development of PHAETON based on the existing stuck-at-fault ATPG system TIGUAN [27] provided by Alexander Czutro. The employed SAT solver antom has been developed by Tobias Schubert while the analysis of the limitations of the classical KLPG algorithms has been mainly done at the University of Passau.

21

3. PHAETON - SAT-based Generation of Sensitizable Paths

The concept of paths (cf. Section 2.6) serves as a vital source of information for nearly all timing-related tasks in the design and test of digital circuits due to their ability to capture the timing behavior along a defined physical connection. Usually, the exact timing information of a produced circuit is not known, as only the outputs can be observed. However, from the time a transition needs to run along such a path, partial information on the circuit timing can be inferred. In order to do so, a test pattern sensitizing a path is applied to the inputs of the circuit, and the time difference between the application of the pattern and the transition arriving at the circuit output is captured. When multiple paths are exercised (e.g., by multiple test patterns), more information can be obtained and combined into a reasonably good approximation of the timing behavior of a circuit [37], [38].

Although structurally longest paths can be easily identified using graph-traversal algorithms, many structural paths are false paths and hence of limited use for practical applications [39]. Identifying longest sensitizable paths is significantly more challenging, as these paths must satisfy a large number of interdependent logical constraints on their side inputs. Additionally, on top of the generation of the sensitizable path itself, different properties of sensitized paths are desired depending on the demands of an application. One property of particular interest is the length of a sensitizable path. The longer the path is, the more likely it represents the worst-case time a transition needs to run through the circuit; hence, for example, it may reveal the maximal frequency a circuit may run at. Therefore, long sensitizable paths are particularly interesting for testing small-delay faults [40] and post-silicon characterization (cf. Section 5.1). On the other hand, it is also important to identify paths that are too short, which are relevant for hold-time violations [41], [42] and in Razor-like [43] designs. Hence, sensitizable paths play an essential role both during the design phase of a circuit and when the actual circuits have been produced.

In this chapter, the tool PHAETON (PatH Analysis and Enumeration on top of Test generatiON), which implements a SAT-based approach to identify sensitizable paths in a circuit, is introduced. The key idea of PHAETON is to formulate the generation of sensitizable paths through a given gate as a SAT instance and to provide an application-oriented interface such that the generated paths can be used in a surrounding application-specific flow. The information on path connectivity and length is encoded directly into the SAT instance, which allows searching for paths that meet the requested requirements. The concept therefore differs from previous traditional methods, which identify structural path candidates first and try to sensitize them in a second, separate step.

The remainder of this chapter is structured as follows: Section 3.1 offers an overview of the various components of the PHAETON path generation system. Details on the SAT instance generation describing the conditions needed to generate a single path are given in Section 3.2. When multiple paths are required, learning and caching techniques are employed to simplify the resulting SAT instance. The details on these techniques are given in Section 3.3. Based on the general path generation techniques, an example application generating the K-Longest Paths through a Gate (KLPG) is presented in Section 3.4 and evaluated in Section 3.5. A discussion of related work (Section 3.6) and a summary (Section 3.7) conclude the chapter.


3.1. Conceptional PHAETON Overview


[Figure 3.1.: PHAETON tool flow. Components shown: interactive application, application requirements, instance generation, simplify instance, SAT solver, solution analysis, path information, learning, knowledge storage.]

Figure 3.1 shows the general concept of PHAETON and its basic components. The PHAETON path generation system is designed to be embedded efficiently into an application-specific tool flow and supports a large number of different path-related requirements such as sensitization rules or a minimal path delay (cf. Section 3.2.4). The process starts with an application demanding one or more paths with a set of application-specific requirements R. Based on such a set of requirements R and a target gate g, a monolithic SAT instance Φ(g, R) (cf. Section 3.2) is generated that is satisfiable if and only if a sensitizable path through g exists that complies with the requirements imposed by R. While generating the SAT instance, the information gathered earlier in the program flow is reused to simplify it (cf. Section 3.3.2). This instance is then passed to the SAT solver and the result is analyzed. If the instance is determined to be satisfiable, the path information and the corresponding sensitizing test pattern are extracted from the model of the instance. Otherwise, no path meeting the requirements R exists. In either case, the knowledge storage (cf. Section 3.3) is updated with the learned information and the results are returned to the application. If additional paths through g are requested, the process is repeated with the paths already found excluded from Φ(g, R) by adding specific conflict clauses.

[Figure 3.2.: Circuit coloring. Labels shown: regions A1 and A2, target gate g, primary inputs, primary outputs.]

3.2. Path Generation

The input of the SAT instance generation algorithm consists of the gate-level net list, the real-valued delays assigned to each gate, a target gate g and a set of requirements R. The aim is to construct a SAT instance

Φ = Φ(Circuit) ∧ Φ(Sensitization) ∧ Φ(Timing) ∧ Φ(Requirements)    (3.1)

which is satisfiable if and only if a sensitizable path through g meeting each of the requirements in R exists. The SAT instance is composed of several parts encoding various aspects of the path generation process, which are generated depending on the position of the target gate g in the circuit as shown in Figure 3.2. A1 represents the input and output cone of influence (COI) of g. This area will contain the resulting path, if one exists, and hence needs an extended encoding. A2 is the support of A1 and contains lines which may influence A1 logically but have no structural path through g. Both regions together form the relevant part of the circuit that needs to be considered. The rest of the circuit is ignored since no signal value outside A1 and A2 influences g's output signal or vice versa. The details of the encoding of the individual parts of the SAT instance are given in the following sections:

▸ Φ(Circuit): Encoding of the relevant circuit logic (cf. Section 3.2.1)
▸ Φ(Sensitization): Path sensitization constraints (cf. Section 3.2.2)
▸ Φ(Timing): Timing model and encoding of circuit timing (cf. Section 3.2.3)
▸ Φ(Requirements): Encoding of path length and sensitization requirements (cf. Section 3.2.4)

3.2.1. Encoding of the Relevant Circuit Logic

Φ(Circuit) defines the circuit logic for the relevant part of the circuit. Logic variables $L^1_g$ and $L^2_g$ for each encoded gate g are defined to describe the logic stabilization values of g's output line after applying the first and second test pattern respectively, using Tseitin transformation. Thus, a difference between $L^1_g$ and $L^2_g$ represents a falling or rising transition at the output of g.

[Figure 3.3.: Example instance. Shown: inputs a, b, c, d, gates g1 to g4, outputs e and f, the variables $L^1$ and $L^2$ next to each line, and an ignored side branch.]

Figure 3.3 shows an example circuit instance consisting of the inputs a, ..., d, gates g1, ..., g4 and outputs e, f. Gate g1 is the target gate (marked by the "X") that each solution path must pass. This example also serves as running example and will be extended in the following sections. The individual variables defined while generating the logic of the SAT instance are given in the boxes next to the lines. In the example circuit, Φ(Circuit) is given by the logic description of the output lines of the gates g1, ..., g4 for each of the two time frames as follows:

$$
\begin{aligned}
\Phi(\text{Circuit}) ={}& \Phi(L^1_1) \wedge \Phi(L^2_1) \wedge \Phi(L^1_2) \wedge \Phi(L^2_2) \wedge \Phi(L^1_3) \wedge \Phi(L^2_3) \wedge \Phi(L^1_4) \wedge \Phi(L^2_4) \\
={}& \{\{L^1_b, \neg L^1_1\}, \{L^1_c, \neg L^1_1\}, \{\neg L^1_b, \neg L^1_c, L^1_1\}\} \\
&\wedge \{\{L^2_b, \neg L^2_1\}, \{L^2_c, \neg L^2_1\}, \{\neg L^2_b, \neg L^2_c, L^2_1\}\} \\
&\wedge \{\{L^1_c, \neg L^1_2\}, \{L^1_d, \neg L^1_2\}, \{\neg L^1_c, \neg L^1_d, L^1_2\}\} \\
&\wedge \{\{L^2_c, \neg L^2_2\}, \{L^2_d, \neg L^2_2\}, \{\neg L^2_c, \neg L^2_d, L^2_2\}\} \\
&\wedge \{\{L^1_a, \neg L^1_3\}, \{L^1_1, \neg L^1_3\}, \{\neg L^1_a, \neg L^1_1, L^1_3\}\} \\
&\wedge \{\{L^2_a, \neg L^2_3\}, \{L^2_1, \neg L^2_3\}, \{\neg L^2_a, \neg L^2_1, L^2_3\}\} \\
&\wedge \{\{L^1_1, \neg L^1_4\}, \{L^1_2, \neg L^1_4\}, \{\neg L^1_1, \neg L^1_2, L^1_4\}\} \\
&\wedge \{\{L^2_1, \neg L^2_4\}, \{L^2_2, \neg L^2_4\}, \{\neg L^2_1, \neg L^2_2, L^2_4\}\}
\end{aligned}
\tag{3.2}
$$

In order to allow the SAT solver to choose any input pattern, no logic restrictions are encoded on the input variables $L^1_a, \ldots, L^1_d, L^2_a, \ldots, L^2_d$. The implementation natively supports the encoding of the basic standard gate types (N)AND, (N)OR and X(N)OR. Buffers and inverters are not explicitly encoded in the instance, but they are represented by reusing the input variable, or the inversion thereof, respectively. More complex gates need to be mapped either to these basic gates or to a logic formula Φ(gate) to represent that gate's function accordingly.
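The clause set of Equation 3.2 can be generated mechanically and checked against the circuit function. The following is an added example, not code from PHAETON or the dissertation: the gate list (all two-input ANDs) is read off Equation 3.2, the variable numbering is an assumption, and exhaustive enumeration stands in for the SAT solver.

```python
from itertools import product

# Running example as read off Equation 3.2: every gate is a two-input AND.
GATES = {"g1": ("b", "c"), "g2": ("c", "d"), "g3": ("a", "g1"), "g4": ("g1", "g2")}
INPUTS = ("a", "b", "c", "d")
LINES = INPUTS + tuple(GATES)

def var(frame, line):
    """Assumed DIMACS-style variable number for L^frame_line (frame is 1 or 2)."""
    return (frame - 1) * len(LINES) + LINES.index(line) + 1

def tseitin_and(out, x, y):
    """Clauses for out <-> (x AND y), in the per-gate clause order of Eq. 3.2."""
    return [[x, -out], [y, -out], [-x, -y, out]]

def phi_circuit():
    """Phi(Circuit): every gate is encoded once per time frame."""
    cnf = []
    for frame in (1, 2):
        for gate, (x, y) in GATES.items():
            cnf += tseitin_and(var(frame, gate), var(frame, x), var(frame, y))
    return cnf

def satisfies(cnf, model):
    """model maps a variable number to its Boolean value."""
    return all(any(model[abs(lit)] == (lit > 0) for lit in clause) for clause in cnf)

def models(cnf, n_vars):
    """Exhaustive model enumeration; a SAT solver replaces this in practice."""
    for bits in product((False, True), repeat=n_vars):
        model = dict(enumerate(bits, start=1))
        if satisfies(cnf, model):
            yield model

def consistent_with_simulation(model):
    """True if each gate variable equals the AND of its fan-in in both frames."""
    return all(model[var(f, g)] == (model[var(f, x)] and model[var(f, y)])
               for f in (1, 2) for g, (x, y) in GATES.items())
```

Because the input variables are unconstrained, the instance has exactly one model per two-pattern test, and the gate variables in each model are the simulated line values.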

[Figure 3.4.: Extended example instance with V-variables. Compared with Figure 3.3, the variables $V_b$, $V_c$, $V_1$, $V_3$ and $V_4$ are added at the lines b and c and at the outputs of g1, g3 and g4.]

3.2.2. Path Sensitization Constraints

The variables created to describe Φ(Circuit) are used to encode the path sensitization rules in Φ(Sensitization). For each pin p of each gate in the circuit area that possibly contains the solution path, a variable $V_p$ is created defining whether p is valid, i.e., is part of a complete sensitizable path through g. The definition of $V_p$ differs for a gate's input or output pins and is defined as follows:

$$
V_p = \begin{cases}
\bigvee_{p_{succ} \in Succ(p)} V_{p_{succ}}, & \text{if } p \text{ is a gate's output pin,} \\
V_{p_{out}} \wedge S_p, & \text{otherwise.}
\end{cases}
\tag{3.3}
$$

For a gate's output pin, $V_p$ is set to 1 if and only if there exists at least one successor pin in Succ(p) which is valid as well. If $V_p$ represents an input pin of a gate, $V_p$ is set to 1 if the output of the same gate is valid and the pin complies with the imposed sensitization conditions, which are represented by the $S_p$ variable. For instance, for a restricted-functional sensitization (cf. Section 2.6), a transition at p and at the output of the gate, $p_{out}$, is required, and therefore $S_p$ is set to 1 if there is a transition at the respective line.

The extended example circuit shown in Figure 3.4 assumes restricted-functional sensitization and defines the V-variables for each line within the cone of influence of g1 according to Equation 3.3. Given the example input pattern, the output of g3 is a gate output but is not valid as there is no transition on that line. Analogously, the output of g4 is valid due to the transition. The target gate g1 undergoes a transition and has a valid successor input g4 and is therefore valid. Finally, b and c are considered as a gate's output pin and are both valid as one of the fan out stems, g1, is valid. All these sensitization rules are directly embedded into the SAT instance and therefore the SAT solver can directly reason on them. PHAETON supports (hazard-free) robust, strong non-robust and restricted-functional path sensitization models. Details on the properties of these models are given in Section 2.6.
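Equation 3.3 can be evaluated directly on the running example for a concrete two-pattern test. The following is an added example, not PHAETON code: it simulates the circuit instead of calling a SAT solver, assumes that g3 and g4 drive the outputs e and f and that an output line is valid when it carries a transition, and uses a constructed input pattern because the pattern values of Figure 3.4 are not recoverable here.

```python
from itertools import product

# Running example as read off Equation 3.2: every gate is a two-input AND.
GATES = {"g1": ("b", "c"), "g2": ("c", "d"), "g3": ("a", "g1"), "g4": ("g1", "g2")}
INPUTS = ("a", "b", "c", "d")
# Fan-out restricted to the cone of influence of the target gate g1 (region A1).
SUCC = {"b": ["g1"], "c": ["g1"], "g1": ["g3", "g4"]}
OUTPUTS = ("g3", "g4")  # assumption: g3 and g4 drive the outputs e and f

def simulate(pattern):
    """Stable line values for one input pattern (a, b, c, d)."""
    val = dict(zip(INPUTS, pattern))
    for gate in ("g1", "g2", "g3", "g4"):  # topological order
        x, y = GATES[gate]
        val[gate] = val[x] & val[y]
    return val

def valid_pins(p1, p2):
    """V per Equation 3.3: key 'line' is an output pin, (line, gate) an input pin."""
    v1, v2 = simulate(p1), simulate(p2)
    trans = {line: v1[line] != v2[line] for line in v1}
    V = {}
    for line in ("g4", "g3", "g1", "c", "b"):  # reverse topological order
        if line in OUTPUTS:
            V[line] = trans[line]  # assumed base case: transition at the output
        else:
            for gate in SUCC[line]:
                # V_pout AND S_p, with S_p = transition at p and at the gate output
                V[line, gate] = V[gate] and trans[line] and trans[gate]
            V[line] = any(V[line, gate] for gate in SUCC[line])
    return V

def sensitized_paths(p1, p2):
    """Paths (input, g1, output gate) on which every pin is valid."""
    V = valid_pins(p1, p2)
    return [(src, "g1", dst) for src in ("b", "c") for dst in OUTPUTS
            if V[src, "g1"] and V["g1", dst]]

def sensitizable_paths():
    """Union over all two-pattern tests; PHAETON asks the SAT solver instead."""
    found = set()
    for p1 in product((0, 1), repeat=4):
        for p2 in product((0, 1), repeat=4):
            found.update(sensitized_paths(p1, p2))
    return found
```

For the constructed test (0, 0, 0, 1) followed by (0, 1, 1, 1), the validity values match the description above: g3 is not valid, while g4, g1, b and c are.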

[Figure 3.5.: IntΦ representation of integers. Encoded form and decimal value of four examples: 0 + T1 ... T5 gives [0 - 5]; 3 + T1 ... T5 gives 3 + [0 - 5]; with example assignments, 0 + T1 ... T5 gives 0 + 4 and 4 + T1 ... T5 gives 4 + 3.]

3.2.3. Timing Model and Encoding of Circuit Timing

In order to support restrictions on the path length within PHAETON, it is necessary to directly encode a timing model into the SAT instance.

3.2.3.1. Integer Arithmetic in SAT

Figure 3.5 illustrates the basic representation of an integer number inside the SAT instance using the new IntΦ number format that serves as the foundation for the following operations. An IntΦ number dΦ is composed of the offset, encoding the static part of the number, and the dynamic part, encoded as a series of Boolean variables T1, ..., Tk. Depending on the assignments of the dynamic number part, the decimal value d of such a number is within the range given by offset ≤ d ≤ offset + k. This is also illustrated by the upper two examples in Figure 3.5. The value of the dynamic part of the number depends on the assignment of the Boolean variables. In the figure, example assignments are illustrated by black bars above and below the boxes, representing an assignment of 1 or 0 respectively. If an assignment is given, the complete number is defined by the index of the first variable assigned to 1 counted from right to left. In the lower part of the example, the numbers are given by 0 + 4 = 4 and 4 + 3 = 7.

The IntΦ number format allows integer math operations to be encoded into a SAT instance and therefore enables ATPG and reasoning on mathematical constraints. The supported basic IntΦ operations are listed in Table 3.1. These basic operations are extended to form the more advanced operations shown in Table 3.2. In the following sections, these operations will be used to encode and compute the length information of sensitizable paths.

3.2.3.2. Complexity-aware Line-Depth Encoding

The unary IntΦ representation of numbers serves as the foundation to represent delays along a sensitized path directly in the SAT instance. In this section, a delay model where each gate is assigned a single integer delay value is assumed. A further generalization is done in the following two Sections 3.2.3.3 and 3.2.3.4.


Table 3.1.: Description of basic IntΦ operations (the illustration column of the table is not reproduced)

Static(AΦ): Returns the static offset of AΦ as an integer value.

Dynamic(AΦ): Returns the dynamic part of AΦ as a variable array.

Fill(AΦ): Fills the dynamic part of AΦ with positive assigned variables while leaving the value of the number unchanged to create a unified representation where the value is also given by the number of positive variables.

Int(AΦ, A(AΦ)): Interprets AΦ as an integer value with respect to the given model for AΦ.

A′Φ = AΦ {&, ∣}B

A′Φ = AΦ {&, ∣}BΦ

A′Φ = AΦ
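The Static, Fill and Int operations of Table 3.1 and the value rule of Section 3.2.3.1 can be checked on concrete assignments. The following is an added example, not the dissertation's implementation: the class and method names are hypothetical, it assumes T1 is the leftmost variable so that the value of the dynamic part is the index of the highest-indexed variable assigned 1, and it works on a given model rather than on solver variables.

```python
from itertools import product

class IntPhi:
    """offset + unary dynamic part T_1..T_k (hypothetical helper, assumed layout)."""

    def __init__(self, offset, k):
        self.offset, self.k = offset, k

    def static(self):
        """Static(A): the static offset as an integer."""
        return self.offset

    def dynamic_value(self, t):
        """Index of the first T_i set to 1 when scanning T_k down to T_1, 0 if none."""
        for i in range(self.k, 0, -1):
            if t[i - 1]:
                return i
        return 0

    def to_int(self, t):
        """Int(A, model): offset plus the value of the dynamic part."""
        return self.offset + self.dynamic_value(t)

    def fill(self, t):
        """Fill(A): set T_1..T_v to 1 so the value equals the number of ones."""
        v = self.dynamic_value(t)
        return [i < v for i in range(self.k)]

def fill_is_value_preserving(num):
    """Check Fill and the value range over every assignment of T_1..T_k."""
    return all(num.to_int(num.fill(t)) == num.to_int(t)
               and sum(num.fill(t)) == num.dynamic_value(t)
               and num.offset <= num.to_int(t) <= num.offset + num.k
               for t in product((0, 1), repeat=num.k))
```

With constructed assignments, `IntPhi(0, 5).to_int([0, 0, 0, 1, 0])` gives 0 + 4 = 4 and `IntPhi(4, 5).to_int([0, 0, 1, 0, 0])` gives 4 + 3 = 7, the two decimal values named in Section 3.2.3.1.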
