Functional test generation based on word-level SAT

Journal of Systems Architecture 51 (2005) 488–511 www.elsevier.com/locate/sysarc

Functional test generation based on word-level SAT Zhihong Zeng, Kesava R. Talupuru, Maciej Ciesielski

q

*

Department of Electrical & Computer Engineering, University of Massachusetts, Amherst, MA 01003, USA Received 28 July 2004; received in revised form 27 September 2004; accepted 15 October 2004 Available online 2 March 2005

Abstract Functional test generation coupled with symbolic simulation offers a good compromise between formal verification and numerical simulation for design validation. The generation of functional test vectors guided by miscellaneous coverage metrics can be posed as a satisfiability problem (SAT). While a number of efficient Boolean SAT engines have been developed for gate level designs, they are not directly applicable to behavioral and RTL designs containing significant arithmetic components. This paper presents two approaches that enhance the capability of functional test generation by preserving arithmetic operators in the design. They are based on word-level SAT techniques: (1) LPSAT, based on integer linear programming, and (2) CLP-SAT, based on constraint logic programming. The proposed SAT solvers allow to efficiently handle the designs with mixed word-level arithmetic operators and bit-level logic gates. The experimental results are quite encouraging compared to traditional CNF-based and BDD-based SAT solvers. The paper also suggests a method to build an integrated SAT solving framework where different SAT solvers work together to provide a more complete solution to functional test generation and other verification applications.
2005 Elsevier B.V. All rights reserved.

1. Introduction Despite recent advances in formal verification, such as symbolic model checking [1] and theorem q This work was sponsored in part by a grant from Avery Design Systems and the National Science Foundation under contract CCR-9901254. * Corresponding author. Tel.: +1 413 545 0401; fax: +1 413 545 1993. E-mail addresses: [email protected] (Z. Zeng), [email protected] (K.R. Talupuru), [email protected] (M. Ciesielski).

proving [2], numerical simulation remains a dominant verification approach in industry. First, simulation techniques do not require expert knowledge in writing complex specifications. Second, formal methods scale poorly with design size and complexity, and suffer from exponential size explosion, resulting in unpredictable run time behavior. On the other hand, simulation, especially when coupled with modern symbolic techniques, scales well with the design complexity [3]. However the quality and efficiency of simulationbased validation, in terms of functional coverage

1383-7621/$ - see front matter
2005 Elsevier B.V. All rights reserved. doi:10.1016/j.sysarc.2004.10.006

Z. Zeng et al. / Journal of Systems Architecture 51 (2005) 488–511

of the design, remains highly dependent on the generated functional test sequences. Extensive research is being conducted to solve the test generation problem to increase efficiency of functional simulation. Three basic methods are used in industry to generate functional test vectors: manual directed testing, pseudo-random testing, and deterministic testing. Each method is characterized by its own efficiency, measured in terms of functional coverage, and hence it is used during different phase of the functional testing process. Fig. 1 shows the different phases of functional testing and gives typical functional coverage that can be obtained with each method as a function of the verification time [4]. Directed testing (also called focused testing) is used during the initial stages of the design development, where the design functionality can be verified by applying manually generated test vectors. This is then followed by random or pseudo-random testing to further increase the functional test coverage. Pure random testing has very low efficiency, and hence the biased pseudo-random testing [5,6] is more widely used in real design validation. When the functional coverage reaches certain level of satisfaction, improving the coverage and discovering corner cases by adding more random or manually generated test vectors becomes very inefficient. At this point, the remaining gap in functionality coverage can be solved by applying deterministic, automatically generated test vectors. The generation of such tests must satisfy a predefined simulation target, such as reaching a partic-

100% Deterministic 80% Pseudo 60% Functional Coverage

Manual directed Test Development Time

Fig. 1. Functional testing approaches.

489

ular state of an FSM, exercising a state transition, or covering a block of the HDL code, and it is guided by miscellaneous coverage metrics and monitors [4]. The functional coverage metrics typically include: state coverage, transition coverage, branch coverage, domain coverage, etc. Several automatic test pattern generation approaches have been developed for both manufacturing testing (to detect manufacturing faults) and functional testing (to verify design functionality). For manufacturing testing, automatic test pattern generation (ATPG) is typically used, while functional testing relies on satisfiability (SAT) tools. Traditionally ATPG has been restricted to gate-level designs, while SAT methods can be expanded to handle designs with word-level, arithmetic functions. The latter approach is the subject of this paper. The generation of functional test vectors to satisfy a given simulation target will be posed as a SAT problem, or, more generally, as a Constraint Satisfaction Problem (CSP). Several tools have been developed in industry and academia to facilitate the generation of deterministic test vectors. For example, [7] performs automatic test vector generation based on Extended Finite State Machine (EFSM) model and [8,9] generate test vectors to exploit a larger state space and check the desired properties. The core algorithm in SIVA [8] uses a combination of BDD-based and ATPG tools to solve satisfiability. Ho et al. [9] presented a hybrid engine that combines random testing, BDD-based symbolic simulation and Boolean SAT checker. These semi-formal approaches tend to improve validation efficiency, compared to simulation or formal verification used alone. However, most of these approaches are based on gate-level representation and rely on BDDs to store the design. In this work we concentrate on functional test generation problem for RTL designs. The goal is to abstract word-level information from the design and generate functional test vectors by solving a word-level SAT problem without resorting to BDD based or Boolean SAT checkers. This is accomplished by using symbolic simulation to generate a set of symbolic expressions that represent the simulation target and transforming the expressions into a SAT instance. A solution to such

490

Z. Zeng et al. / Journal of Systems Architecture 51 (2005) 488–511

generated SAT instance gives an input vector that is guaranteed to exercise the simulation target. Lack of a solution proves that such vectors do not exist, i.e., the problem is not satisfiable, and the required simulation target cannot be reached. In this case the search space has to be expanded (by extending symbolic simulation over additional time frames, etc.) and the process is repeated; or it can be aborted, due to resource limit. In this paper, we tailor the symbolic simulation for RT level designs and investigate two new methods for solving word-level SAT problems, namely LP-based SAT and CSP-based SAT, for RTL designs with both arithmetic and control logic. We also present an attempt to integrate different SAT solvers in a common framework, and show some preliminary experiments supporting this effort. The paper is organized as follows. Section 2 gives the necessary background in Boolean and word-level satisfiability. Section 3 reviews existing SAT solvers. Section 4 shows how a SAT instance is generated through symbolic simulation. Section 5 describe our LP-based SAT solver, while Section 6 introduces a SAT solver based on Constraint Logic Programming. Section 7 reports experimental results for different classes of designs and addresses some of the practical issues encountered in implementing the word-level SAT solvers. Section 8 briefly describes our initial ideas of SAT flow integration, and Section 9 concludes the paper with future research directions. 2. Preliminaries Depending on the abstraction level of the design specification, the design signals and operands can be represented either as Boolean or as word-level variables. If all signal variables of the logic expression are Boolean, the associated SAT problem lends itself to the Boolean domain and is referred to as Boolean Satisfiability (Boolean SAT) problem. Definition 1 (Boolean Satisfiability [10]). Given a Boolean function f(x1, . . . , xn) on n binary variables x1, . . . , xn, the satisfiability problem (SAT) is

concerned with finding an assignment to the variables {x1, . . . , xn} that makes the function equal to constant 1, or proving that the function is equal to the constant 0. In the verification of HDL descriptions the signals are often bit vectors and word-level variables that can be represented in the integer domain. Examples of such variables are arithmetic operands, data inputs and outputs of an ALU, inputs of a comparator, etc. It is of interest to investigate how extracting the word-level information from the HDL descriptions could enhance the efficiency of the SAT problem. Techniques of SAT solving based on word-level information are referred to as Word-Level Satisfiability (word-level SAT). Definition 2 (Word-Level Satisfiability). Given a set of integer variables X, and an integer-valued function F(X), the problem of finding an assignment to each variable x 2 X which makes the function F to evaluate to a particular integer value is called Word-Level Satisfiability. Strictly speaking, both Boolean SAT and wordlevel SAT are special cases of the Constraint Satisfaction Problem (CSP). A set of generic algorithms for CSP problems are reviewed in [11]. Here we use the term word-level SAT to reflect the fact that the scope of our SAT problems is limited to hardware verification. Multi-level circuits are typically modeled as Boolean networks, interconnections of nodes representing single-output Boolean functions. Boolean networks can be conveniently described as directed acyclic graphs (DAG) with nodes representing logic functions and directed edges representing internal signals and interconnections. When each node of a Boolean network is implemented in terms of logic gates, the resulting network is called gatelevel network or a netlist. Example of a gate level network is shown is shown in Fig. 2(a). A multi-valued network (MV-network) is a generalization of the Boolean network. The output of each node in a MV-network can take an integer, rather than a binary value. Most Hardware Description Languages (HDL), such as Verilog, VHDL, or BLIF-MV [12], are able to describe a MV-network. Here, we use the notation for

Z. Zeng et al. / Journal of Systems Architecture 51 (2005) 488–511

a b c

1 0

f

h

h

a b

a>b

a b

g

i

d

c

(a) Boolean network

d

e

1 0

i b+c

491

h

h

g

(b) Multi Valued network

Fig. 2. Gate level network and multi-valued network.

MV-network given in [13,14]. A multi-valued variable (MV-variable) is a variable taking two or more discrete integer values. A multi-valued function is a discrete function whose inputs and output are multi-valued variables. Similarly to Boolean network, a multi-valued network N can be represented as a directed acyclic graph (DAG) with nodes represented by multi-valued relations [15]. In this paper, we use the notation word-level variable, word-level signal and MV-variable interchangeably. Fig. 2(b) shows a MV-network consisting of word-level operators.

3. Previous approaches to SAT Boolean SAT problem is one of the most intensively investigated problems in computer science and rich body of literature exists on the subject. Many practical problems in EDA domain can be formulated into SAT instances and solved using SAT solvers, including logic synthesis, verification, test, place and route, and others. Here we briefly review these SAT techniques that are most relevant to the functional test generation problem considered in this paper. Classical approaches to Boolean SAT are based on variations of the Davis–Putnam procedure [16] which works on Conjunctive Normal Form (CNF) formulae. Early versions of this procedure incorporated a chronological backtrack-based search [17]: at each node in the search tree, the procedure selects an assignment and prunes the subsequent search by iterative application of the unit clause and pure literal rules. More recent approaches

incorporate recursive learning techniques [18] and other conflict analysis procedures with non-chronological backtracks and back-jumping to prune the search space. A representative set of tools in this category includes GRASP [19,20], SATO [21], RelSat [22], and Chaff [23,24]. Boolean SAT solvers continue to be perfected, as documented by a host of recent publications [25–27,24,28,29]. To address problems in sequential circuit verification, where SAT is often insufficient, Quantified Boolean Formula evaluation (QBF) has been proposed [30,31]. Another popular approach to solving the Boolean satisfiability problems is based on Binary Decision Diagrams (BDDs) [32]. Given a circuit for which a SAT instance needs to be solved, a set of BDDs is constructed, representing the output value constraints for each output. The conjunction of all the constraints expressed as a Boolean product of the corresponding BDDs, represents the set of all satisfying solutions [33,34]. However, a major limitation of this approach is the memory explosion problem associated with the construction of the BDDs. A BDD-based SAT technique has been proposed in [35] that tries to overcome the problems related to BDD size by exploiting elements of the unate recursive paradigm. This technique searches for SAT solutions in the cofactors of the individual constraint BDDs, thus restricting the growth of the entire BDD search space. Hybrid approaches that recognize the respective strengths and weaknesses of the CNF and BDD based approaches have been also proposed to deal with memory limitations and to increase efficiency of various instances of Boolean SAT solvers [25,36,37].

492

Z. Zeng et al. / Journal of Systems Architecture 51 (2005) 488–511

The challenge in generating functional test vectors for behavioral/RTL designs is that the designs contain word-level operators and complex arithmetic units, such as multipliers, barrel shifters, comparators, etc., which interface with Boolean logic. Neither Boolean CNF-based nor BDD-based SAT solvers can solve this problem efficiently, since both require the design to be flattened to a gate or bit level. The resulting CNF formulas or the BDDs of bit-level circuits derived from such designs are too complex to handle, either in terms of memory or the CPU time. Furthermore, collapsing the word-level operators into a single CNF formula or a BDD destroys the structure of the problem, making it much harder to solve or impossible to store. To alleviate these problems, a hybrid satisfiability approach, HSAT, was proposed by solving linear arithmetic constraints together with Boolean SAT constraints [38]. Nonlinear functions, such as multiplication, used in a behavioral descriptions are linearized and modeled as integer linear equations. Working on the RTL descriptions, HSAT generates a set of CNF clauses for Boolean logic, and linear arithmetic constraints for arithmetic blocks in the design. Then, a 3-SAT solver is applied to solve SAT for Boolean logic, while a Linear Programming (LP) technique is used to check the feasibility of linear constraints for arithmetic portion of the design. However, the two problems, SAT for Boolean logic and LP for arithmetic blocks, are solved separately, each in its own domain. In such a framework, backtracks between the two engines are inevitable and performed explicitly. As a result, the performance of HSAT is limited by the heuristics that select the set of assignments to Boolean variables. In [39] word-level ATPG and modular arithmetic constraint-solving techniques have been combined to solve the SAT problems for the purpose of test generation and assertion checking in HDL descriptions. During the justifications in the Boolean domain, Boolean constraints are propagated to arithmetic domain using word-level implications. However, the word-level implications on arithmetic operators are much weaker than provided by a generic constraint solving technique. The efficiency of this approach is limited by the heuristics

to guide the constraint propagation in such a framework. In [40], one of the first attempts to generate functional test vectors from HDL descriptions, no distinction was made between Boolean and word-level operators. Furthermore, no modeling of arithmetic operators or interaction between arithmetic and Boolean functions was considered, hence limiting its application to only simple VHDL programs. It would be desirable to use an infrastructure that could represent both the Boolean as well as arithmetic constraints in a single unified domain. By doing so, constraint propagation between the arithmetic and Boolean parts can be handled implicitly, systematically and efficiently. We propose two new, word-level SAT solvers, each operating in a unified domain. The first one, called LPSAT [41], is based on integer linear programming (LP). By generating non-canonical, linear constraints for both the Boolean gates and the arithmetic operators, this approach allows one to solve SAT problems in a unified integer linear programming (ILP) domain. By doing so, LPSAT utilizes the constraint propagation implicit to the ILP solver. This is in contrast to [42,43], which generate integer equations in canonical form. The other approach described in the paper is based on constraint logic programming (CLP). In this approach, both Boolean gates and word-level operators can be directly translated into logic predicates. Any generic state-of-the-art finite domain CLP solvers can be utilized to solve the problem. In our validation framework, the performance of functional test generation is improved not only by means of efficient word-level SAT solvers but also through an enhanced RTL oriented symbolic simulation. In addition, by formulating SAT problems into ILP or CLP domain, any progress in these research areas can be readily applied to our functional test generation framework.

4. Functional test generation as SAT 4.1. Functional test generation framework Fig. 3 illustrates the validation framework in which our Functional Test Generation is embed-

Z. Zeng et al. / Journal of Systems Architecture 51 (2005) 488–511

HDL

Test Bench

493

Coverage Metrics

Directed/Random Simulation

Yes

Coverage Goal Met?

Done No

Symbolic Simulation: generate symbolic expr. (SAT instance)

Formulate the SAT problem

Abort

Pick a missed target, Simulate to seed environment

expand sol. space

No

Yes Satisfiable?

SAT Checking

Fig. 3. The validation framework using functional test generation.

ded. Three elements are required at the beginning of the simulation: HDL designs, test benches, and coverages metrics. The test benches consist of manually derived test vectors and/or the code to control pseudo-random simulation. Functional coverage goals are specified according to the specific coverage metrics. For example, if the design involves an FSM, a coverage goal can be given as 100% state coverage, 100% single-transition coverage, etc. Simulation target is defined as a property to be exercised, or an output value to be reached by applying the derived test vectors. For example, a simulation target for verification driven by state coverage could be a state that was not reached during random testing. Alternatively, a userdefined simulation target could be given as the following property to be checked: ‘‘will the FIFO overflow within 5 clock cycles?’’. These will then be translated into symbolic expressions for the target values (state, an overflow bit, etc.) and the resulting SAT instance will be solved

for the given target to obtain the required test vectors. During the simulation, the status of what has been already covered and what is still missing is being continuously profiled. According to this profile, a missed simulation target is being identified to trigger the functional test generation. In order to facilitate the functional test generation, each run might start at a different system state, called a seed environment. A seed environment can be reached by random simulation or by applying previously generated test vectors. The management of profile-guided simulation varies for different verification systems and is beyond the scope of this work [4]. Starting at a given seed environment, symbolic simulation is invoked to generate a set of symbolic expressions for the target. Symbolic simulation is performed within the bounded time, i.e. the symbolic equations are generated for a fixed number of time frames. Combining the symbolic equations with specific value requirements imposed by the

494

Z. Zeng et al. / Journal of Systems Architecture 51 (2005) 488–511

simulation target, a SAT instance is formed. If the SAT solver returns a solution, this means that a test vector was successfully generated. If the problem is unsatisfiable within a given number of time frames, symbolic simulation can be extended to include more time frames. Otherwise, the SAT searching is aborted due to resource limit. In this case, symbolic simulation is re-invoked in another seed environment, typically obtained by random simulation. The process of deriving test vectors is terminated after the predefined coverage goal is met or the resource limit is reached. 4.2. Symbolic simulation Symbolic simulation combines the features of conventional, numeric simulation with symbol propagation methods. In traditional simulation a single, binary input pattern is propagated from the inputs to the outputs. In symbolic simulation, each input is represented by a symbolic variable, and the input symbols are propagated to the outputs. The symbolic simulator generates symbolic expressions for each symbolic output in terms of the symbolic input variables [3,44–46]. Symbolic simulation has the merit of implicitly simulating all possible input combinations. Most of the current methods use BDD to accumulate the simulation results during symbolic simulation, and hence they are vulnerable to the memory explosion problem. The quasi-symbolic simulation proposed in [47] avoids building BDDs by using a variant of

Davis–Putnam [48] decision procedure. However, it works on a gate-level netlist which decomposes word-level operators into gates, which destroys the regularity of RTL designs. In our work, we store symbolic expressions in non-canonical text format to avoid BDD explosion problems. This format helps us preserve word level operators during the course of symbolic simulation. If needed, the symbolic expressions can be readily transformed into another internal multivalued network representation for later use. By preserving the word-level operators, the symbolic expressions scale well with the size of a RTL design even if the simulation is to be performed over hundreds of time frames. The Cone-of-Influence (COI) rule is applied to further reduce the size of the generated symbolic expressions. Under the COI rule, any set of symbolic sub-expressions which does not have transitive fanout to the given simulation target will be deleted. SAT instances generated by this approach often remain small even for large designs. As an example, consider a four-state FSM for a simple datapath circuit, shown in Fig. 4. Assume that state S3 is reached by applying a sequence of input vectors from the initial state. Starting from state S3 (the seed environment), we want to verify the following (simulation target): ‘‘Is the machine able to reach the initial state S1 in two clock cycles?’’. Saying it differently, our simulation target is state S1 and we want to derive a test vector that will satisfy this target by bringing the machine

Symbolic simulation C=1

Initial

D'[63:0]

S1

A+

B>

Test vector 25

D"[63:0]

A"[31:0]

5

B"[31:0] C"

S4

S2

A B

C

=1

>=

A'[31:0] B'[31:0] C'

S3 (seed)

M(t=1)

M(t=2) S

S

S3 C=0

Symbolic expression to be satisfied

SAT

Fig. 4. A FSM for a simple datapath circuit.

S1 (target)

Z. Zeng et al. / Journal of Systems Architecture 51 (2005) 488–511

from the seed state S3 to the target state S1. The test vector must be specified in terms of the primary inputs At=1, Bt=1, Ct=1 for the first clock cycle, and At=2, Bt=2, Ct=2 for the second clock cycle. We can formally solve this problem through a combination of symbolic simulation and SAT checking. First, we generate a symbolic trace for the FSM unrolled over two clock cycles, as shown symbolically in Fig. 4. Then, the SAT problem to satisfy the state target S1 is solved. The result is a test vector [At=1, Bt=1, Ct=1, At=2, Bt=2, Ct=2] that, for a fixed seed state S3, will bring the machine to the target state S1. 4.3. Word-level SAT flow A SAT instance formulated for the purpose of functional test generation corresponds to a combinational MV-network with properly generated output requirements. In our case, an annotated BLIF format, a variant of BLIF [49], has been chosen as the intermediate format. It facilitates the extraction of word-level information from the design by annotating word-level operators with equation comments. These comments contain information about the operator type and the width of the operands and the output. For example, an annotated BLIF file for a 4-bit multiplier will have the header (# in0 * in1) indicating that this is a multiplier, followed by the declarations of word-widths (# in0 : 4bits, # in1 : 4bits, # out0 : 8bits, etc.) The Boolean logic for the word-level operator, is omitted. This way the parser can easily identify the word-level operators without dealing with the bit-level details. The annotated blif format supports a subset of MV-functions, including adder, subtractor, multiplier, shifter, comparators, etc.; All the simple and complex Boolean gates are also supported. This format has been chosen for the convenience of interfacing with other tools and with the VIS framework [50].

495

expansion and/or control signals. For example, the inputs of a comparator come from datapath and its Boolean output drives control logic; on the other hand, a 2-to-1 multiplexor has a Boolean control signal as the selecting port with inputs/outputs being word-level signals. In our SAT flow, shown in Fig. 5, a SAT instance is required to be first partitioned into arithmetic component and Boolean logic portions. The arithmetic portion includes word-level operators. The Boolean portion consists of control logic and any word-level operators that need to be expanded into bit-level modules. During the partitioning step, signal relations are stored and will become relation constraints in a final problem. Fast logic simplification is applied to optimize the Boolean portion. Low-effort simplification techniques include constant propagation, buffer removing, equivalent sweeping and quick factoring. We found that the simplification is very useful in reducing the problem size and hence the final SAT run time.

A SAT Instance

Partitioning Boolean

Arithmetic

Simplification

Model Boolean Constraints

Model Arithmetic Constaints

Combined w/ Value Requirements & Relation Constraints

4.4. Design representation and partitioning Constraint Solving Eninge

In a MV-network, it is common that word-level operators interface with Boolean logic through bit-

Fig. 5. Word-level satisifiablity flow.

Z. Zeng et al. / Journal of Systems Architecture 51 (2005) 488–511

After partitioning, the arithmetic portion is modeled into a set of arithmetic constraints, according to the requirements of the underlying constraint solving framework used (LP-based or CLP-based). The Boolean portion is also modeled into a set of constraints, fully compatible with the arithmetic constraints of the arithmetic portion. There are two types of additional constraints: output requirements and relational constraints that reflect physical connections between different signals and variables. These are combined with arithmetic and Boolean constraints and sent to the constraint solving engine. Two constraint solving frameworks have been used in our experiments: one utilizes a mixed integer linear programming (ILP) solver, while the other is based on constraint logic programming (CLP). The criterion for partitioning the design into arithmetic and Boolean parts is dictated by the general structure of the design. Such a partitioning is not unique; different partitioning schemes may result in varying CPU time needed to solve the resulting SAT problem. An important task of the partitioning is to define the interfacing between the word-level and binary signals of the respective portions. The general rule is to assign as large a portion of the design as possible to the arithmetic part, and avoid expanding the word-level signals into bits, unless necessary. An example of an unavoidable signal expansion is ‘‘bit nibbling’’ which requires extraction of a portion of the word as a bit vector to interface with the Boolean logic. Relation constraints come from the word-level signals with bit-level expansions.

As an example of partitioning into arithmetic and Boolean components, consider the design in Fig. 6. Here the adder, the multiplier, the mux, and the two comparators belong to the arithmetic portion; the logic gates belong to the Boolean part (shaded). In principle, the multiplexor can be classified into either form. However, since one of the multiplexor
s inputs, ina[7 : 0], is also an input to other arithmetic blocks, it should be treated as an arithmetic operator. The signals in the partitioned circuit can be classified into several types: • Word-level signals. These signals correspond to bounded integer variables. In Fig. 6, ina[7 : 0], wb and wc are integer variables. Depending on their interaction with other signals, some of those variables can be declared as continuous variables with integer bounds when modeled in the LP framework; they will assume integer values automatically by the virtue of the mathematical modeling of the constraint solving problem (refer to Section 5). • Word-level signals with bit-level expansion. Signals of this type typically exist at the interface of the arithmetic blocks and Boolean logic. Depending on the type of the interface, the expansion may be full or partial. If the entire word interfaces with Boolean logic as a bit vector, the word must be fully expanded into individual bits, and each bit declared as a binary variable. For example, signal wc2 in Fig. 6, interfacing with the adder, will be fully expanded as follows: D

wb2[7:0]

ina[7:0]

inb[15:8]

inb[15:0]

inb[7:0]

A B

*

wb

> we

A wc2[7:0]

E

ina[7:0]

496

B

+

wd wc

<

1 out2[7:0] 0

Fig. 6. A SAT instance with mixed arithmetic and Boolean logic

Z. Zeng et al. / Journal of Systems Architecture 51 (2005) 488–511

wc2 ¼ wc2½0
þ 21  wc2½1
þ    þ 27  wc2½7
; where wc2[i], i = 0, . . . , 7, are binary variables, and wc2 is an implicit integer variable bounded above by [0, 127]. Partial expansion occurs in the case of bit nibbling. In this case a word is broken into several parts at the boundaries defined by the nibbling bits. Each portion of the word can still be viewed as a symbolic variable and expressed as an integer, with the nibbling bits being considered as binary variables. Signal inb[15 : 0] in Fig. 6 belongs to this category. • Single-bit signals. These are typically the control or decision signals, and as such they are declared as binary variables. For example, we and wd in Fig. 6 are binary decision variables. It should be noted that their nature is different than the Boolean variables (data bits) which are a part of the data word; typically the decision variables are the ones responsible for high computational complexity of the combinatorial programs employed to solve the SAT problem. In our system, the circuit partitioning into arithmetic and Boolean parts and the generation of the respective constraints is done by the parser. It is fully automatic, and does not require any user intervention. 5. LPSAT: a linear programming based SAT solver In this section we describe the use of LP techniques to model and solve the SAT problem for designs composed of arithmetic and Boolean logic blocks. We show how to linearize arithmetic operators and Boolean gates for the purpose of LP modeling of the SAT problem. We do not consider modulo semantics, discussed in [51]. The resulting technique is referred to as LPSAT (for LP-based Satisfiability). 5.1. Modeling of arithmetic operators Basic arithmetic word-level operators include: adders, subtractors, comparators, multiplexers, shifters, and multipliers. Any other word-level operator can be represented in terms of these using Boolean connectors (AND, OR, NOT). Most of the

497

following linearization techniques of the wordlevel operators can be found in [52]. Adder/Subtractor. Addition and subtraction are both linear operators and can be trivially represented as equality constraints: C = A ± B, where A, B, C are all word-level variables. Comparators. There are six types of comparison operators: 6, <, >, P, 5, and =. Consider, as an example, s = A < B, where the s is a binary (decision) variable. It can be modeled as follows:
A  B  L  ð1  sÞ 6 1 ð1Þ ABþLsP0 Here L is a large constant, L P max(A, B). When s = 1, the first inequality is active, forcing A < B, while the other constraint is redundant. When s = 0, the second constraint is active, A P B, while the first becomes redundant. All other types of comparison operators can be derived similarly. Multiplexor. In principle, the multiplexor can be treated as Boolean logic. However, if the inputs to the multiplexor are word-level signals, it is more efficient to represent it as an arithmetic operator. Consider Z = ITE(s, A, B), where A, B and Z are word-level variables and the selection signal s is a binary variable. For s = 1, Z = A, otherwise Z = B. The ILP constraints for the multiplexor are: 8 Z  A  L  ð1  sÞ 6 0 > > > > < A  Z  L  ð1  sÞ 6 0 ð2Þ > ZBLs60 > > > : BZLs60 with constant L P max(A, B). Multiplier (Z = X * Y). Since multiplication is a non-linear operator, one of its input word-level operands, X or Y, has to be expanded in terms of binary variables. The choice of which operand to expand is dictated by its interaction with the rest of the circuit. The best candidate is the one which is driven by the Boolean part, such as port B of the multiplier in Fig. 6. In the following, let X be an nbit variable to be expanded and Pi = Xi · Y be a partial product. Note that each Xi has to be declared as a binary variable, but Pi is left as a continuous variable because Pi will take integer value automatically. The ILP constraints for the multiplier are:

498

Z¼

Z. Zeng et al. / Journal of Systems Architecture 51 (2005) 488–511 n1 X

2i  P i

ð3Þ

i¼0

and for each i 2 [0, . . . , n  1], 8 Pi  L  Xi 6 0 > > < P i  Y þ L  ð1  X i Þ P 0 > > : 0 6 Pi 6 Y

ð4Þ

5.2. Modeling of Boolean logic We originally developed three different models for Boolean logic, termed flow model, mux model, and structured model [53]. The structured model described here proved the most efficient from the computational complexity point of view. It allows to model the Boolean logic in terms of ILP constraints so they are compatible with the ILP constraints derived for the arithmetic portion of the circuit. All the inputs and outputs of the Boolean portion are declared as binary, while the remaining intermediate nodes are left as continuous variables. Due to the binary nature of the Boolean network the continuous variables will be automatically confined to binary values. INVERT gate. A NOT gate with input a and output z can be trivially modeled as z = 1  a. AND gate. Consider a 2-input AND gate with inputs a, b and output c. According to its truth table, the following is always true: c 6 a and c 6 b. Output c takes value 1 when both inputs are 1, hence c P a + b  1. Constraint c P 0 is implicit in LP. In summary, the linear constraints for the 2-input AND gate are as follows: 8 c6a > < c6b ð5Þ > : cPaþb1 This can be readily extended to an AND gate with an arbitrary number of inputs. Let z be an output and Ai be an i-th input of an AND gate. Then: 8 > < z 6 Ai 8i 2 f1; . . . ; ng nP 1 ð6Þ > Ai  ðn  1Þ :z P i¼0

OR gate. Similarly, an n-input OR gate can be linearized as follows. Here z is the output and Ai is the ith input of the gate. 8 z P Ai 8i 2 f1; . . . ; ng > > > < n1 P ð7Þ z6 Ai > i¼0 > > : z61

Complex gates. A complex gate is a single-output combinational block that implements an arbitrarily logic function. It can be directly linearized, without being transformed into a network of basic gates. We introduce an intermediate variable for each product term in the truth table so that the on-set of the function is the conjoin of all those intermediate variables. Consider a block with 3 inputs {a, b, c} and one output z, whose truth table is shown in Table 1. Let an intermediate variable f1 denote cube ½ab
c
, and let f2 denote cube [bc], then a complex gate can be expressed in term of linear constraints as follows: 8 f1 6 a; f 1 6 b; f 1 6 1  c; > > > > > < f1 P a þ b  c  1 > f2 6 b; f 2 6 c; f 2 P b þ c  1 > > > > : z P f1 ; z P f2 ; z 6 1;

z 6 f1 þ f2 ð8Þ

We now state the theorem that allows us to relax integrality constraints for some of the binary variables, resulting in performance improvement of the LPSAT solver. Theorem 1. Given a Boolean network composed of basic AND, OR and NOT logic gates. If the gates of the Boolean network are modeled by linear equations (5)–(8), all the primary inputs are defined as binary variables, then all the output variables and the internal variables will either take a binary value, or no possible value assignment exists for them. Table 1 Truth table of a complex gate a

b

c

z

1 –

1 1

0 1

1 1

Z. Zeng et al. / Journal of Systems Architecture 51 (2005) 488–511

Proof. First, it is easy to see that if the input variable(s) of an AND, OR or NOT gate take only value 1 or 0, then according to Eqs. (5), (6) or Eq. (7), respectively, the output variable of the gate also assumes a binary value. In other words, the binate property of a gate propagates from its input to its output. Starting from the primary inputs of a Boolean network, the binate property will propagate to the remaining variables (internal and output signals) in topological order. As a result, every internal variable or output variable will automatically assume a binary value, if no conflict occurs after the constraint propagation. h 5.3. Heuristics to improve LPSAT performance We found that the following heuristics work well in the context of LPSAT: • During partition of the SAT problem, keep arithmetic portion as large as possible. • For non-linear operators, such as MULT, use global structure information to choose which word-level input to expand into binary variables. • Remove unnecessary binary variables, including primary inputs/outputs. For example, if a set of primary inputs fans out only to an arithmetic operator, the binary variables for these inputs will not appear in the MILP program, only the corresponding vector (continuous variable) will. • Provide user-defined priority order to guide a MILP solver. During the branch & bound decision process (inherent in every MILP solver), decisions are made to choose which variable to branch on. The ordering of the decision variable could have a major impact on the solution time—just imagine a magic ordering that will never need a backtrack. Unfortunately, it is rarely possible to know which variable is favored without going through a ‘‘trial and error’’ process. A general guideline is to give binary variables, which control the flow of data path, higher priority. For example, the selecting signal of a multiplexor and outputs of comparators (driving other logic gates) are such variables. As shown in Section 7.3, a specialized

499

heuristic ordering geared toward arithmetic designs, can significantly improve performance of the SAT solver.

6. CLP-SAT: SAT engine based on constraint logic programming This section describes another approach to solving word-level SAT problems, based on Constraint Logic Programming (CLP), and compares it with the LPSAT described earlier. There are several factors that motivated us to explore CLP as an alternative SAT engine to LPSAT. First, the word-level SAT problem derived from functional test generation belongs to a constraint satisfaction problem over finite domains. Hence it would be interesting to develop constraint logic programming platform which supports constraint solving over finite domains and compare it against LPSAT. Second, generic LP solvers (such as CPLEX, employed in LPSAT) are based on numerical procedures that are designed predominantly to solve optimization problems, rather than satisfiability. As a result they tend to be inefficient in solving problems that naturally fall in the category of constraint satisfaction. In particular, the LP solvers tend to be inefficient in the branch and bound part of solving the decision problems, inherent to SAT. In addition, LP solvers suffer from numerical convergence problems and are sensitive to a number of internal parameters, which have to be custom adjusted. In contrast, SAT solvers based on constraint satisfaction or constraint logic programming rely on a different, and potentially more efficient representation, geared toward constraint satisfaction. Compared to LP-based solvers, the modeling of integer domain constraints (for both arithmetic and Boolean logic) with constraint logic programming (CLP) is simpler and more natural than with ILP. Another important aspect of CLP approach is that it allows to generate multiple solutions, something that is difficult to achieve with LP solvers. Among a large number of available CLP systems, the state-of-the-art commercial solver from ILOG [54] has been selected. ILOG Solver uses a C++ compiler with constraint solving over the

500

Z. Zeng et al. / Journal of Systems Architecture 51 (2005) 488–511

finite domain. This makes it especially suitable for solving our SAT problems. The SAT engine based on CLP is termed as CLP-SAT. 6.1. Modeling in CLP The initial step of translating a SAT instance onto a CLP is similar to LPSAT; symbolic expressions of the SAT instance are first translated into a multi-valued network, using annotated BLIF format, with the annotation applied to all word-level modules. The BLIF file is then transformed into an ILOG solvable C++ program. The ILOG Solver supports many built-in operators in finite domain which make this translation task quite straightforward. Fig. 7 shows the modeling of a SAT instance derived from a simple RTL design. In the program, IloEnv env, is the initialization of the environment

which creates internal data structures to be used in the rest of the code. After this, IloModel model (env), is created to which modeling objects (constraints) are added. The variables in the design are declared using IloIntVar. After declaration of the variables and addition of constraints, the problem is passed to the solver by calling the function solver.solve().

7. Implementation and experimental results The word-level SAT solvers, LPSAT and CLPSAT, were incorporated into a commercial HDL verification framework from Avery Design Systems [4]. The entire process of reading the RTL Verilog design, decomposing wide operators, generating symbolic expressions, and solving SAT is done automatically, without any human interven-

#include ILOSTLBEGIN

A[0]

A[2:0] B[3:0]

Z

E

+

< C[4:0] D[4:0]

−

F

G

int main() { IloEnv env; IloModel model (env); IloIntVar A (env, 0, 7); IloIntVar B (env, 0, 15); IloIntVar C, D, E (env, 0, 32); IloIntVar F (env, 0, 64); IloIntVar G (env, 0, 1); IloIntVar Z (env, 0, 1); // Constraints model.add (E == A + B); model.add (F == C + D); model.add (G == E < F); model.add (Z == A[0] & G); model.add (Z == 1); IloSolver solver (model); // Search for a solution if(solver.solve()) solver.out() << solver.getValue(A); else solver.out() << "Un Satisfiable"; env.end(); return(); }

(a)

(b)

Fig. 7. Model of a SAT instance using ILOG-Solver: (a) SAT instance of an RTL design, (b) the corresponding ILOG-Solver program.

Z. Zeng et al. / Journal of Systems Architecture 51 (2005) 488–511

tion. The experimental results are quite encouraging compared to other SAT solvers. All experiments were conducted on a Pentium IV/2.4GHz PC with 1 GB memory and running Linux operating system. Before presenting experimental results we briefly comment on some of the implementation issues that arise during translation of the SAT instance (the RTL design) into a set of constraints for LPSAT and CLP-SAT tools. These issues include handling modular arithmetic, wide word-level operators, and implementing the constraints in the ILOG Solver. 7.1. Handling modular arithmetic Because of the fixed width of data path operands in RTL designs, arithmetic operators should be handled in a modular rather than an integral number system. Consider, for example, a saturated adder C = A + B, with 16-bit vectors A and B and an 8-bit output C. The circuit implementation of the adder yields C = (A + B) mod 28, with the output value implicitly confined to integer domain [0, 255]). Assume we want to satisfy output value C = 255. In the integral number system, the maximum value of either A or B is limited to 255. However, in the modular number system, implicitly implemented by the hardware, A = 511, B = 0 is a valid solution since (A + B) mod (256) = 255. To fix the problem, we have to expressly modify the constraints so they can properly model the modular arithmetic. This can be achieved by introducing an intermediate integer variable to the adder equation. For the above example this gives: C + 28 Æ D = A + B, where D 2 [0, 29]. During the vector recombination step, vectors are analyzed to determine whether dummy variables are needed based on the relations between the modules. For example, a multiplier with two 16-bit input vectors expect a 32-bit output vector while an adder with same inputs produces 17-bit output vector.

sentation of current MILP solvers, such wide operators cannot be handled directly and need to be decomposed into operators with fewer bits. Furthermore, numerical problems might occur for signals wider than 28 bits (as is the case with CPLEX [55]). To address this problem, all wide operators are decomposed in our system into smaller modules with bit-width of 28 bits or less. Fig. 8 shows how to decompose a 32-bit comparator c = (A[31 : 0] < B[31 : 0]) into three smaller arithmetic operators and two Boolean gates to meet this constraint. Unfortunately, those decomposition operations add to the complexity of the underlying SAT problem. Another reason to decompose wide operators into smaller ones is that numerical instability might occur during LP solution for large coefficients, which is introduced in modeling integer variables with large domains, see Section 6. 7.3. Ordering heuristic for ILOG solver A straightforward transformation of design constraints into ILOG format, as described in Section 6, did not produce the expected results. ILOG uses internally a branch-and-bound like decision scheme for solving the constraints and reducing the domains of the variables on which the decisions are made. However this branching scheme seems to be random, and independent of the type of signal variables used in the design, resulting in a very long execution time for designs with multi-bit variables and wide signal vectors. In order to improve the results, we added a simple decision ordering heuristic, termed Spread, to provide guidance for ILOG Solver. The ordering

A[31:28] B[31:28] A[31:0]

Practical designs often contain operands wider than 32 bits. Due to an inherent 32-bit word repre-

m c

c

==

B[31:0]

7.2. Handling wide word-level operators

501

n l

A[27:0]

k

B[27:0]

Fig. 8. Decomposing a wide word-level comparator.

502

Z. Zeng et al. / Journal of Systems Architecture 51 (2005) 488–511

7.4. Experimental analysis: mixed, arithmeticBoolean designs

heuristic is based on the knowledge of the design and the size (bit-width) of its internal signals. In practical designs, it is common to have input vectors of varying bit widths. These signals include one-bit Boolean variables, some two- and four-bit vectors, as well as datapath operands of size 16, 32 bits and larger. It is obvious that when the size of the vector variable increases, its domain (the range of values it takes) increases exponentially. As a result, the number of choices (decision points) also increases at similar rate. Hence, the performance of the Solver is affected by the order in which it selects the decision variables. Our heuristic, Spread [56], addresses this drawback by ordering the decision variables as follows. First, a set of variables is randomly selected among variables with different bit widths (1, 4, 16, etc.); then for the selected variables, the decisions are made based on the variables with smallest domain. This is based on the observation that best decision variables (that is those that prune the solution space faster) are control variables with a single bit or only a few bits, while data variables are typically larger. The idea is to make a decision of the control variables, and randomize the data variables (once a legal choice is made, a large number of choices is available for the leaf data nodes). The experimental results show that such an ordering heuristic drastically improves the performance of the ILOG Solver when solving SAT problems for RTL designs with arithmetic and datapath components.

Our word-level SAT solvers are compared to CNF-based solver, Chaff [23], over a range of benchmarks. In this section we present the results for RTL designs containing a mix of arithmetic operations and Boolean logic. The overhead associated with transforming a SAT instance into CNF formulas is not reported here. The experimental results for this group of circuits are shown in Table 2. 7.4.1. Description of benchmarks The circuit square corresponds to a design whose output asserts high if (Z2 = X2 + Y2), where X, Y and Z are 16-bit wide operators. The SAT instances square(1) and square(0) correspond to the two different output requirements. Examples linear(1) and linear(2) are circuits with a relatively simple structure (a chain of comparators) but with a large number of primary inputs (over 1200). The two instances differ in their size. Circuits gcd20 and gcd40 are extensions of the greatest common divisor (GCD), a 24-bit input sequential circuit. They are generated by symbolic simulation of GCD circuit over 20 and 40 time frames, respectively. Circuit m13 · 13 and m16 · 16 are 13-bit and 16-bit multipliers. Two different SAT instances for each were created: (sat) with a feasible solution, and (non) with a non-satisfiable requirement. It should be emphasized, that all the test cases were comprised of both, the arithmetic and the

Table 2 Comparison of SAT results—Platform: Linux, Pentium IV/2.4GHz, 1 GB memory Benchmark

m13 · 13 (sat) m13 · 13 (non) m16 · 16 (sat) m16 · 16 (non) linear(1) linear(2) gcd20 gcd40 square(1) square(0)

ILOG-SAT

LPSAT

Chaff

# constr

Time (s)

# constr

Time (s)

# clauses

Time (s)

2 2 60 60 910 780 6550 9500 135 134

0 0.01 0.01 0.45 0.01 1.12 0.05 0.10 0.02 0.02

68 68 149 149 878 878 9012 19246 453 453

0.01 0.36 1.55 169.96 0.13 0.05 0.45 3.06 0.01 0.01

8411 8411 12119 12119 42183 42183 60273 128553 42664 42664

0.32 3.12 0.01 13.82 0.14 0.07 0.06 0.13 0.03 0.03

Z. Zeng et al. / Journal of Systems Architecture 51 (2005) 488–511

Boolean parts, including the 16-bit multiplier circuits (the structure of unsigned multipliers was obtained by a recursive set of adders, and required certain amount of connecting Boolean logic due to wide operator decomposition). In Table 2, columns 2 and 4 (# constr) give the number of constraints generated by ILOG-SAT and LPSAT, respectively, while column 6 gives the number of clauses in the CNF formula. Columns 3, 5, and 7 show the CPU time, to solve the SAT problem by ILOG-SAT, LPSAT, and Chaff, respectively. The results clearly indicate that ILOG-SAT compares favorably with the LPSAT and Chaff solvers. The argument for CLP-based SAT solver is that the constraint logic programming provides a natural way of solving satisfiability problems, while mixed integer linear programming stresses more the optimization problems. Fortunately, we are recently seeing convergence of these two techniques: a MILP solver employs constraint propagation algorithms either during preprocessing or during branch & cut process, while a CLP system also employs linear constraints solving mechanisms [57]. The modeling mechanism in our word-level SAT solvers enables us to readily incorporate any progress in these areas into functional test generation. Unfortunately, no other word-level SAT solvers were available for comparison. The results reported in [39] describe proprietary industrial designs that were not available to us (despite our request). Others, like [38], performed experiments on simple, mainly arithmetic circuits. It should also be pointed out that the largest circuit tested with HSAT, mult16, as reported by [38], is a purely arithmetic circuit, with no Boolean component. In contrast, our m16 · 16 multiplier contains certain amount of connecting Boolean logic. The earlier attempts to test vector generation based on logic programming [58,40] do not provide reproducible examples or commonly available testbenches. These results were not compared to other approaches, and their performance is unknown.

503

8 to 64 bits. The number of clock cycles required to complete the multiplication operation depends on the input bit-width. In general, for the n-bit operand, the multiplication operation is completed in 2n clock cycles. Table 3 shows the experimental results for several SAT instances for the sequential multiplier with operands ranging from 8 to 64 bits. A set of four random output requirements are specified for each multiplier, two of which are satisfiable and two non-satisfiable (labeled sat and non in the table). Columns 3 and 5 represent the number of constraints in the design for ILOG-SAT and LPSAT, respectively, and column 7 represents the number of clauses for CNF to satisfy. The CPU run time is given for solving the constraints by each of the solvers. The –
in the table indicate that the SAT instance was not solvable in the timeout limit of 900 seconds. The results indicate that all three SAT tools can easily solve the 8 · 8 multiplier. However, as the bit-width of the operands increases, the CPU time of LPSAT and Chaff deteriorates faster than that of the ILOG-SAT solver; ILOG-SAT is aborted in only one instance, whereas LPSAT and Chaff failed in 11 and 4 instances, respectively. These results further strengthen the argument that constraint logic programming provides a natural way of solving constraint satisfiability problems. 7.6. Experimental analysis: a DSP design with input constraints We tested our SAT solvers on a realistic DSP design under input constraints, imposed by working environment. The design implements a reconfigurable low power core for Graphics Shading [59]. In this experiment, we are verifying the module that computes lighting equation in the Gouraud shading scheme [60]. I ¼ Ka  Ia þ

4 X

I i ½K a ðN  Li Þ þ K s ðN  H i Þ


ð9Þ

i¼1

7.5. Experimental analysis: sequential multiplier Experiments were conducted on a sequential multiplier design with input vectors ranging from

The block diagram of the lighting module is sketched in Fig. 9(a), where Ks is set to 0 so that only Gouraud shading is used. Each block V.D.P

504

Z. Zeng et al. / Journal of Systems Architecture 51 (2005) 488–511

Table 3 SAT results for sequential multiplier—Platform: Linux, PIV/2.4GHz, 1 GB Sequential multiplier

Output requir.

ILOG-SAT

Seq. m8 · 8

sat sat non non

175 42 175 175

0.01 0.00 0.04 0.03

77 77 77 77

Seq. m16 · 16

sat sat non non

363 363 369 367

0.01 0.00 0.03 0.01

Seq. m32 · 32

sat sat non non

3442 3429 3422 3433

Seq. m64 · 64

sat sat non non

422 422 3277 422

# constr

LPSAT Time (s)

# constr

Chaff Time (s)

# clauses

Time (s)

0.03 0.03 0.23 0.12

1917 1917 1917 1917

0.01 0.00 0.03 0.03

486 486 486 486

– – – –

7941 7941 7941 7941

18.07 13.17 22.86 34.13

16.38 0.06 30.86 0.07

3965 3965 3965 3965

– – – –

33377 33377 33377 33377

50.67 43.67 – –

– 0.00 0.15 0.005

4627 4627 4627 4627

– – 0.22 –

136235 136235 136235 136235

0.10 – – 0.34

computes N * Li. Fig. 9(b) shows a sample of input constraints—the conjunction of them always evaluates to 1 during the SAT checking. All the adders used in this design are 18-bit saturated adders, which never overflow; they are described as follows: Z[17 : 0] = (A[17 : 0] + B[17 : 0]) > 0x3FFFF ? 0x3FFFF : (A[17 : 0] + B[17 : 0]). Functional test generation was performed on four different sets of input constraints and four random output requirements, summarized as 16 SAT instances shown in Table 4. Columns 1 and 2 show different sets of input constraints and output requirements. Columns 3 and 5 (# constr) give the number of constraints generated by ILOGSAT and LPSAT, respectively; The number of clauses in the CNF formula is given in column 7. The other columns give CPU time for Chaff, ILOG-SAT, and LPSAT solvers, respectively. The –
in the table means that the program could not finish within the time limit of 900 seconds. The results clearly indicate that ILOG-SAT outperforms LPSAT and Chaff on all the instances. LPSAT failed on five instances, where as ILOG-SAT and Chaff failed on none. Both, ILOG-SAT and Chaff were faster than LPSAT, despite the ‘‘arithmetic‘‘ nature of the design. The reason for lower performance of LPSAT can

be attributed to the algorithmic issues; an optimization oriented Branch & Cut algorithm in CPLEX is typically not well tuned to handle difficult feasibility problems. It should be noted that BDD-based SAT could not solve any of the instances, and hence it was not reported here.

8. Toward an integrated SAT flow In this paper we discussed two basic word-level SAT solving methodologies, LP-SAT, and CLPSAT, and compared them with CNF-based Boolean SAT. Each of these methods has its strengths and weaknesses. Word-level SAT methods are efficient at solving SAT problems containing regular, word-level operators, but are not efficient for bitlevel designs and instances dominated by Boolean logic. CNF-based SAT solvers are very effective in solving Boolean constraints with manageable space requirement; but they are known to be time-bound, and are less efficient for circuits with datapaths. Finally, BDD-based methods, that have not been discussed in this paper, provide an efficient way to deal with large Boolean functions. The canonical property of BDDs helps uncover functionally equivalent nodes, hence reducing the

Z. Zeng et al. / Journal of Systems Architecture 51 (2005) 488–511

Kd

N L1

L2

L3

L4

V.D.P

V.D.P

V.D.P

V.D.P

*

*

*

*

0

Ii

0

0

6/10 bits 0

+

+

+

+

*

*

*

*

cfg

18/18 bits

N L1 L2 ...

Ka Ia

mux

Constraints: L1 < L2 and Nx < 201 and ...

*

+ cfg

10/10 bits

8/10 bits

+

+

505

mux +

==1

I

(a)

(b)

Fig. 9. Hardware implementation of lighting equations in Gouraud shading: (a) design structure, (b) input constraints.

Table 4 SAT results for benchmark Lighting—Platform: Linux, PIV/2.4GHz, 1 GB Input constraint

Output requir.

ILOG-SAT

LPSAT

Chaff

# constr

Time (s)

# constr

Time (s)

# clauses

Time (s)

c1

r1 r2 r3 r4

275 275 275 275

0.003 0.001 0.000 0.003

707 707 707 707

0.10 0.73 4.19 –

37777 37777 37777 37777

0.12 0.12 0.15 0.13

c2

r1 r2 r3 r4

378 378 378 378

0.001 0.003 0.001 0.003

784 784 784 784

– 0.18 – 0.75

39296 39296 39296 39296

0.11 0.08 0.08 0.09

c3

r1 r2 r3 r4

362 362 362 362

0.001 0.003 0.005 0.003

785 785 785 785

0.02 0.01 0.01 0.02

39409 39409 39409 39409

0.07 0.07 0.07 0.07

c4

r1 r2 r3 r4

422 422 422 422

0.005 0.007 0.005 0.005

846 846 846 846

0.11 – 0.02 –

39047 39047 39047 39047

0.45 0.19 0.49 0.34

506

Z. Zeng et al. / Journal of Systems Architecture 51 (2005) 488–511

complexity of the underlying SAT problem. Their power of encoding all the satisfying solutions makes it suitable for control logic; however, BDDs are memory-bound and suffer from memory explosion problem. In general, different verification scenarios require different approach to SAT. This section describes some preliminary ideas that could lead to the construction of an integrated SAT framework. By combining strengths of the individual SAT solvers, such a framework would provide a more complete solution to functional test generation and other SAT-based problems (such as synthesis and formal verification). We developed a score-based metric whose goal is to pick the ‘‘right’’ SAT solver at the beginning of the SAT process. Our preliminary results show that the metric correlates well with the results obtained by comparing different solvers and requires small time overhead [53].

Structural Analysis

Word_Level SAT?

Yes

Word_Level SAT timeout

No

+(pass knowledge)

BDD _Based SAT w/ Learning timeout

CNF _Based SAT timeout

aborted

solved

Fig. 10. Integration of three SAT approaches.

8.1. Integration of different SAT solvers The proposed solution to integrate the different approaches together is shown in Fig. 10. First Structural Analysis is performed to decide whether it is makes sense to start with the word-level SAT solver. In some cases, where there are no wordlevel operators in a SAT instance, word-level SAT should not be invoked at all. If a word-level SAT is chosen, it is allowed to run within a prespecified time limit. When the time limit is reached and the solution has not been found, Boolean methods are invoked in the following order: first the BDD-based SAT, then the CNF-based SAT. During the BDD-based SAT solving, learning by means of merging equivalent nodes can be used. In this way, even if the BDD-based SAT is also aborted an easier SAT problem is generated and passed to the CNF-based SAT. Finally, the entire SAT process is terminated when the CNF-based SAT solves the problem or it is aborted due to a timeout. This combined approach is more robust in solving difficult problems than a Boolean approach alone. The key ingredient toward building a more intelligent SAT framework is through learning, such that when a SAT process is aborted, it is not fruitless, instead, the knowledge is passed to

the next level SAT engine. Under this guideline, several possible improvements are expected to the integration shown in Fig. 10. One is that learning from an aborted word-level SAT solver should be passed down to the subsequent Boolean SAT methods. Another is that there should be a link between CNF-based SAT and word-level SAT such that, a CNF-based SAT solver is allowed to pass the learned clauses to a word-level SAT. The link is shown as the dotted line in Fig. 10. 8.2. Metric to guide the selection of the SAT solver The proposed heuristic to guide the selection of the ‘‘right’’ SAT solver is based on the structural information gathered from the design. Even if this information does not directly imply the difficulty of the associated SAT problem, it provides some useful information on the design composition, in terms of the number and complexity of word-level operators, relative to the size of the Boolean logic. The goal is to develop formulas (quantifying metrics) that will help decide whether to select the word-level SAT or the Boolean SAT. The detailed analysis of all the factors involved in such analysis is beyond the scope of this paper.

Z. Zeng et al. / Journal of Systems Architecture 51 (2005) 488–511

It can be found in the seminal work of Zeng [53]. The analysis takes into consideration the following factors: How many Boolean variables are there in a nonlinear operator; How an operator interacts with other operators; What is the relative efficiency of the word-level SAT w.r.t. the Boolean SAT; What is the relative size of the Boolean and arithmetic portions of the design, etc. For example, when a word-level variable is fully or partially expanded into bits, the resulting constraints tend to be more difficult to solve than with the word-level vectors. Bit-expansion destroys the regularity of the word-level computation, which subsequently decreases the suitability for a wordlevel SAT solver. At the same time, the suitability of a Boolean SAT solver increases with the level of bit-expansion. To help quantify some of these factors, we introduce parameter qi to denote the level of bitexpansion for an operator i. It is simply defined for a given operator as a ratio of the number of sub-vectors that the operands is broken into, to the sum of bits in all the input operands of that operator. We introduce two additional parameters, a and b, to measure the efficiency of different SAT approaches w.r.t. an arithmetic or Boolean operator. Parameter a denotes the speedup of using the word-level SAT over the Boolean SAT for a given arithmetic operator. Similarly when considering a Boolean logic gate, we use b to denote the speedup of using the Boolean SAT over the word-level SAT. These parameters are then used in the score-based heuristic to properly bias the difficulty of the SAT problem toward the word-level SAT (parameter a) or the Boolean SAT (parameter b) [53]. In a circuit with mixed arithmetic operators and Boolean logic, the larger the Boolean portion is, the less favorable it is to use the word-level SAT. To indicate the difficulty of the constraint propagation, weight Wi is associated with each component i of the design. This parameter reflects the overall importance of the component in a SAT problem and how it contributes to the difficulty of solving the SAT problem. For example, a simple logic gate has weight 1; a comparator is given the weight that is quadratic in the bit-width of its input operands; a multiplier has the weights that

507

is exponential in the bit-width of its smaller inputs, etc. In our score-based metric, the score is calculated for each of the basic SAT methods (word-level SAT and Boolean SAT), during the structural analysis. A SAT solver with the higher score is then selected. One can think of such a score as the measure of the suitability of a SAT solver for a given design. Given a multi-valued network with N arithmetic operators and M Boolean gates, the following equation gives the score SWL for the word-level SAT: S WL ¼

N X i¼1

ð1  qi Þ  W i þ

N M 1X 1X qi  W i þ Wj a i¼1 a j¼1

ð10Þ where qi indicates the level of bit-expansion associated with operator i. Similarly, we can compute the score of the Boolean SAT, SBL: S BL ¼

N N M X X 1X ð1  qi Þ  W i þ qi  W i þ Wj b i¼1 i¼1 j¼1

ð11Þ The score-based metric uses fast structural analysis of the network to determine the scores. The algorithm to compute the scores is presented in [53]. 8.3. Initial experimental analysis The purpose of this set of experiments was to test how well the score-based metric chooses the right type of solver. In these experiments, the parameters a and b were set to 20 and 10. These values were experimentally derived based on our experience with LPSAT/CLP-SAT (word-level SAT) and the Chaff solver (Boolean SAT). Table 5 shows the experimental results, where the column 2 and 4 show the scores of the word-level SAT p and Boolean SAT, respectively. The symbol ‘‘ ’’ in the table indicates that the metric favors the corresponding type of SAT. The first three benchmarks, C5315, C3540 and des, contain pure Boolean logic. Hence the winner is clearly Boolean

508

Z. Zeng et al. / Journal of Systems Architecture 51 (2005) 488–511

Table 5 Scores for word-level SAT and Boolean SAT solvers Test

Word-level SAT

Boolean SAT

Scores

Time (s)

200 144 68 p ( ) 45,831 p ( ) 8978 p ( ) 69,017 p ( ) 2381 3480 p ( ) 1176 p ( ) 2360 p ( ) 3780 p ( ) 3568

149.00 0.10 0.55

Scores p ( ) 2007 p ( ) 1446 p ( ) 681

Time (s)

C5315 C3540 des

3286 1815 12,822 2372 p ( ) 14,042 58 118

>3600 169 1.5 14.1 16.1 90.3 670

377 1240

3.89 0.92

gcd20 square linear(2) mdpe(1) mdpe(2) m13 · 13 m16 · 16 lighting(c1) lighting(c4)

0.04 0.12 1.28 0.12 1.03 0.51 26.7 1.09 0.18

0.01 0.01 0.02

SAT. In other benchmarks containing mixed arithmetic and Boolean logic, the choice apparently favors the word-level SAT, except the testcase mdpe(2), which contains a large portion of Boolean logic. The CPU times are consolidated from the previous experimental results, shown in Table 2. They are derived by picking the best time among the same type of SAT solver. By comparing the scores and the actual CPU time between wordlevel SAT and Boolean SAT in Table 5, one can see that the score-based metric predicts correctly in most of the cases except mdpe(2).

ously developed, our word-level SAT solving framework allows any progress in those areas to be readily adopted for the purpose of functional verification and test generation. We also proposed a method to integrate the SAT flow by combining different SAT solvers: word-level, Boolean CNF, and BDD based. A new metric to guide the selection of the SAT solver for the given design has been proposed. It reflects a suitability of the word-level vs. Boolean SAT solver for the user design. The proposed approach is by no means comprehensive; it hopes to attract future research from both academia and industry. For example, in the current approach no information is passed from the aborted word-level SAT solver to Boolean SAT solvers. Future work is needed to determine how this learned information can be passed on to the next generation SAT tools. We plan to continue our work in modeling word-level SAT problems into other constraint solving frameworks in order to improve the efficiency of underlying models and SAT engines. Furthermore, we shall work on the fundamentals of constraint solving techniques and their applications to other verification scenarios, such as sequential equivalence checking or other problems where general SAT problem is applicable. Finally, the development of efficient models of symbolic expressions, such as BMD [61], K*BMD [62], PHDD [63], and TED [64] that will enable efficient representation of large RTL designs is desired.

9. Conclusions and future work This paper presented a functional test generation framework based on symbolic simulation and word-level satisfiability. By using symbolic simulation, SAT problems can be formulated at a higher level of abstraction. As a result, those methods scale well with the RTL design size. We investigated two new word-level satisfiability solvers, LPSAT and CLP-SAT, each of them based on distinct algorithmic framework. The preliminary experimental results demonstrated that the presented word-level SAT solvers perform well in verifying RTL designs with mixed arithmetic and Boolean logic. With the ILP and CLP techniques drawing wide research interests and being continu-

Acknowledgment The authors would like to acknowledge the help of Dr. Chilai Huang from Avery Design Systems, who provided the industrial framework for our experiments and offered excellent suggestions and directions for research.

References [1] J.R. Burch, E.M. Clarke, K.L. McMillan, D.L. Dill, Sequential circuit verification using symbolic model checking, in: 27th ACM/IEEE Design Automation Conference, 1990, pp. 46–51.

Z. Zeng et al. / Journal of Systems Architecture 51 (2005) 488–511 [2] E.M. Clarke, O. Grumberg, D.A. Peled, Model Checking, The MIT Press, Cambridge, MA, 2000. [3] A. Kolbl, J. Kukula, R. Daminao, Symbolic RTL simulation, in: Proc. of DAC, 2001, pp. 47–52. [4] Test Wizard, ‘‘Avery Design Systems’’. [5] J. Yuan, K. Shultz, C. Pixley, H. Miller, A. Aziz, Modeling design constraints and biasing in simulation using BDDs, in: Proc. of ICCAD 1999, pp. 584–589. [6] Richard Lee, Benjamin Tsien, Presilicon verification of the Alpha 21364 microprocessor error handling system, in: Proc. DAC, 2001, pp. 822–827. [7] Kwang-Ting Cheng, A.S. Krishnakumar, Automatic generation of functional vectors using the extended finite state machine model, ACM Transactions on Design Automation of Electronic Systems (January) (1996) 57– 79. [8] M.K. Ganai, A. Aziz, A. Kuehlmann, Enhancing simulation with BDDs and ATPG, in: Proc. of Design Automation Conf., June 1999, pp. 385–390. [9] Pei-Hsin Ho, Thomas Shiple, et al., Smart simulation using collaborative formal and simulation engines, in: Proc. of ICCAD, 2000, pp. 120–126. [10] J.P. Marques, K.A. Sakallah, GRASP—A search algorithm for propositional satisfiability, IEEE Transactions on Computers 48 (May) (1999) 506–521. [11] Vipin Kumar, Algorithms for constraint-satisfaction problems: a survey, A.I. Magazine 13 (1992) 32–44. [12] R.K. Brayton et al., VIS: A system for verification and synthesis, in: Proceedings of the Computer Aided Verification Conference, 1996, pp. 428–432. [13] R.K. Brayton, S.P. Khatri, Multi-valued logic synthesis, in: Proc. VLSI Design, 1999, pp. 196–206. [14] S. Hassoun, T. Sasao (Eds.), Logic Synthesis and Verification, Kluwer Academic Publishers, 2002. [15] A. Mishchenko, R. Brayton, Simplification of non-deterministic multi-valued networks, in: Proc. Intl. Conf. on Computer-Aided Design, 2002, pp. 557–562. [16] M. Davis, H. Putnam, A computing procedure for quantification theory, Journal of the ACM 7 (1960) 201– 215. [17] J.W. Freeman, Improvements to propositional satisfiability search algorithms, Ph.D. Dissertation, Department of Comp. and Inf. Sci., University of Penn., May 1995. [18] W. Kunz, D.K. Pradhan, Recursive learning: a new implication technique for efficient solutions to CAD problems—test, verification and optimization, September 13 (1994) 1143–1158. [19] J. Marques-Silva, K.A. Sakallah, GRASP—A new search algorithm for satisfiability, in: International Conference on Computer-Aided Design (ICCAD
96), 1996, pp. 220– 227. [20] L.G. Silva, L.M. Silvera, J. Marques-Silva, Algorithms for solving boolean satisfiability in combinational circuits, in: Proc. DATE
99, March 1999, pp. 526–530. [21] H. Zhang, SATO: an efficient propositional prover, in: Proc. of 14th Conference on Automated Deduction, 1997, pp. 272–275.

509

[22] R. Bayardo Jr., R. Schrag, Using CSP look-back techniques to solve real-world SAT instances, in: Proc. of the 14th National Conf. on AI, July 1997, pp. 202–208. [23] M. Moskewicz, C. Madigan, L. Zhang Y. Zhao, S. Malik, Chaff: engineering an efficient SAT solver, in: Proc. of 38th Design Automation Conf., June 2001, pp. 530–535. [24] L. Zhang, C. Madigan, M. Moskewicz, S. Malik, Efficient conflict driven learning in a Boolean satisfiability solver, in: Proceedings of the International Conference on Computer Aided Design (ICCAD-01), November 2001. [25] F. Aloul, I. Markov, K. Sakallah, Faster SAT and smaller BDDs via common function structure, in: Proc. International Conference on Computer Aided Design (ICCAD01), November 2001. [26] F. Aloul, B. Sierawski, K. Sakallah, Satometer: how much have we searched? in: Proc. Design Automation Conference (DAC-2002), June 2002, pp. 737–742. [27] F. Aloul, A. Ramani, I. Markov, K. Sakallah, Solving difficult SAT instances in the presence of symmetry, in: Proc. Design Automation Conference (DAC-2002), June 2002, pp. 731–736. [28] L. Zhang, S. Malik, The quest for efficient Boolean Satisfiability solvers, in: Proc. 14th Conference on Computer Aided Verification (CAV2002), July 2002. [29] L. Zhang, S. Malik, Validating SAT Solvers using an independent resolution-based checker: practical implementations and other applications, in: Proc. Design, Automation and Test in Europe (DATE-2003), March 2003. [30] L. Zhang, S. Malik, Conflict driven learning in a quantified Boolean Satisfiability solver, in: International Conference on Computer-Aided Design (ICCAD-02), November 2002. [31] L. Zhang, S. Malik, Towards symmetric treatment of conflicts and satisfaction in quantified Boolean Satisfiability solver, in: Proc. of the 8th International Conference on Principles and Practice of Constraint Programming (CP2002), September 2002. [32] R.E. Bryant, Graph based algorithms for boolean function manipulation, IEEE Transactions on Computers C-35 (August) (1986) 677–691. [33] S. Jeong, F. Somenzi, A new algorithm for the binate covering problem and its application to the minimization of Boolean relations, in: ICCAD, 1992. [34] T. Villa et al., Explicit and implicit algorithms for binate covering problems, IEEE Transactions on CAD 16 (July) (1997) 677–691. [35] P. Kalla, Z. Zeng, M.J. Ciesielski, C. Huang, A BDDbased satisfiability infrastructure using the unate recursive paradigm, in: Proc. Design, Automation and Test in Europe, DATE-2000, 2000. [36] A. Gupta, Z. Yang, P. Ashar, L. Zhang, S. Malik, Partition based decision heuristics for image computation using SAT and BDDs, in: International Conference on Computer Aided Design (ICCAD-01), November 2001. [37] M. Ganai, L. Zhang, P. Ashar, A. Gupta, S. Malik, Combining strengths of circuit-based and CNF-based algorithms for a high-performance SAT solver, in: Design Automation Conference (DAC-2002), June 2002, pp. 747–750.

510

Z. Zeng et al. / Journal of Systems Architecture 51 (2005) 488–511

[38] F. Fallah, S. Devadas, K. Keutzer, Functional vector generation for HDL models using linear programming and 3-satisfiability, in: Proc. Design Automation Conference, 1998, pp. 528–533. [39] C.-Y. Huang, K.-T. Cheng, Using word-level ATPG and modular arithmetic constraint-solving techniques for assertion property checking, IEEE Transactions on CAD 20 (March) (2001) 381–391. [40] R. Vemuri, R. Kalyanaraman, Generation of design verification tests from behavioral VHDL programs using path enumeration and constraint programming, IEEE Trans. on VLSI Systems 3 (June) (1995) 201–214. [41] Z. Zeng, P. Kalla, M. Ciesielski, LPSAT: A Unified Approach to RTL Satisfiability, in: Proc. DATE, pp. 398– 402, March 2001. [42] B. Alizadeh, M.R. Kakoee, Using integer equations for high level formal verification property checking, in: Proc. of the Fourth International Symposium on Quality Electronic Design (ISQED), 2003, pp. 69–74. [43] B. Alizadeh, Z. Navabi, Property checking based on hierarchical integer equations, in: Proc. of the Fourth International Conference on Application of Concurrency to System Design (ACSD), 2004, pp. 26–35. [44] J.A. Darringer, J.C. King, Applications of symbolic execution to program testing, IEEE Computer 11 (1978) 51–60. [45] V. Bertacco, M. Damiani, S. Quer, Cycle-based symbolic simulation of gate-level synchronous circuits, in: Proc. of DAC, 1999, pp. 391–396. [46] R.E. Bryant, Symbolic simulation—techniques and applications, in: Proc. of 27th Design Automation Conf., June 1990, pp. 517–521. [47] C. Wilson, D.L. Dill, Reliable verification using symbolic simulation with scalar values, in: Proc. of DAC, 2000, pp. 124–129. [48] M. Davis, G. Logemann, D. Loveland, A machine program for the theorem proving, Communications of the ACM 5 (1962) 394–397. [49] E. Sentovich et al., SIS: a system for sequential circuit synthesis, Technical Report UCB/ERL M92/41, ERL, Department of EECS, University of California, Berkeley, 1992. [50] R.K. Brayton, G.D. Hachtel, A. Sangiovanni-Vencentelli, F. Somenzi, A. Aziz, S.-T. Cheng, S. Edwards, S. Khatri, Y. Kukimoto, A. Pardo, S. Qadeer, R. Ranjan, S. Sarwary, G. Shiple, S. Swamy, T. Villa, VIS: a system for verification and synthesis, in: Proceedings of the Computer Aided Verification Conference, 1996, pp. 428–432. [51] R. Brinkmann, R. Drechsler, RTL-Datapath verification using integer linear programming, in: Proc. Very Large Scale Integration Design (VLSID), 2002. [52] F. Fallah, Coverage directed validation of hardware models, Ph.D. thesis, MIT, 1999. [53] Z. Zeng, Functional test generation based-on word-level satisfiability, Ph.D. thesis, Dept. of Electrical and Computer Engineering, University of Massachusetts, Amherst, February 2003.

[54] Solver Reference Manual, ILOG, Inc. . [55] ‘‘CPLEX Reference Manual, ILOG’’, 1999. [56] Kesava Talupuru, Functional test generation based on constraint logic programming, Master
s thesis, Department of Electrical and Computer Engineering, University of Massachusetts, Amherst, February 2004. [57] I.J. Lustig, J.F. Puget, Program != Program: constraint programming and its relationship to mathematical programming. , 2000. [58] A.K. Chandra, V.S. Iyengar, Constraint solving for test case generation: a technique for high-level design verification, in: Proc. of Intl. Conf. on Computer Design: VLSI in Computers and Processors, 1992, pp. 245–248. [59] Arun Ramanathan et al., Low power core for 3D graphics shading, Private communication, 2001. [60] H. Gouraud, Continuous shading of curved surfaces, IEEE Transactions on Computers (1971) 623–629. [61] R.E. Bryant, Y.-A. Chen, Verification of arithmetic functions with binary moment diagrams, in: Design Automation Conference, 1995. [62] R. Drechsler, B. Becker, S. Ruppertz, The K*BMD: a verification data structure, IEEE Design & Test (1997) 51–59. [63] Y. Chen, R.E. Bryant, PHDD: an efficient graph representation for floating point circuit verification, in: Proc. International Conference on Computer-Aided Design (ICCAD), 1997, pp. 2–7. [64] M. Ciesielski, P. Kalla, Z. Zeng, B. Rouzeyre, Taylor expansion diagrams: a compact canonical representation with applications to symbolic verification, in: Design Automation and Test in Europe, DATE-02, 2002, pp. 285–289.

Dr. Zhihong Zeng received M.S. from Microelectronics R&D Center of Chinese Academy of Sciences in 1996 and Ph.D. from ECE Department in University of Massachusetts at Amherst in 2002. Currently he serves as an R&D engineer at Avery Design Systems.

Kesava R. Talupuru received the B.Tech. degree in electronics and communications engineering from the Nagarjuna University, India, in 2001, the M.S. degree in electrical and computer engineering from University of Massachusetts, Amherst, MA, in 2004. Currently he is working as a CAD engineer at LogicMill Technology, LLC.

Z. Zeng et al. / Journal of Systems Architecture 51 (2005) 488–511 Maciej Ciesielski received M.S. in Electrical Engineering from Warsaw Technical University in 1974, and Ph.D. in Electrical Engineering from the University of Rochester in 1983. From 1983 to 1986 he was a Senior Member of Technical Staff at GTE Laboratories, Waltham, MA, where he worked on silicon compilation and layout synthesis projects. Currently he

511

is Professor in the Department of Electrical and Computer Engineering at the University of Massachusetts, Amherst. He has been performing research in the area of CAD for VLSI systems and circuit. His specific research interests include: logic synthesis and optimization from behavioral and logic specifications; design validation and verification; VLSI layout synthesis; and algorithms and mathematical optimization methods. He is a senior member of the IEEE, Circuits and Systems Society.