INDRADEEP GHOSH & MASAHIRO FUJITA Automatic Test Bench Generation for Equivalence Checking of C Programs Based on ATPG Techniques INDRADEEP GHOSH & MASAHIRO FUJITA Fujitsu Labs. Of America Sunnyvale, California USA Dept. of Electrical Engr. University of Tokyo Tokyo, Japan

Outline Problem Specification Motivation Overview of method assumptions Motivation Overview of method ATPG algorithm Code Coverage technique Experimental Results Conclusions and Future directions

Problem Specification Given 2 different C programs first one a golden model second one a variation of the first corresponding inputs and outputs of the two programs Check whether the two programs are functionally equivalent Functionally equivalent means output values of corresponding outputs in the 2 programs are equal in a sequential manner under simulation with any test bench

Motivation C programs extensively used as firmware; e.g. embedded and portable systems for hardware/software co-design initial specification of ASICs Either synthesized to RTL or compiled to assembly code Manual revisions of C code inevitable for size optimization of resultant assembly code performance optimization of assembly code better end result during hardware synthesis from C Equivalence checking guarantees correctness of revision

Definition of Equivalence b b’ c’ c Test Bench a = 5; b = 10; c = 13; a = 15; Optimized C Program Golden C Program o1’ o2’ o1 o2 val1’ val2’ val3’ out1’ out2’ out3’ val1 val2 val3 out1 out2 out3 ==

Current Assumptions Relatively simple C code Preferable to have no complicated data structures no pointers no recursion Preferable to have synthesizeable C code or code that can be easily translated to assembly code Complete formal equivalence not targeted validation based technique based on simulation code coverage metrics for confidence

Overview of Method Revised C Golden C C to VHDL commercial tool VHDL YXI HLS Tool Assignment Decision Diagrams ADD ATPG OCCOM OCCOM + Instrumented Code Test Bench 1 Test Bench 2 Instrumented Code Simulate Simulate Compare Outputs Tag Cov. % Tag Cov. % == ?

Assignment Decision Diagrams Can represent RTL or behavioral description Previously proposed for high-level synthesis by Chaiyakul et.al. (DAC 93) Currently incorporated in XE tool from YXI, Inc. Irvine a 7 STATE St3 P Q Assignment Value = < + - & v v c switch(state) { case st3: if ( a < 7) R = P + Q; else R = P - Q; break; ..... } ADN ! Assignment Condition c Assignment Target R &

ATPG Technique Convert HDL file into a series of ADDs each process converted to an ADD seq/combinational process for FSMs combined to single ADD ADDs connected together by read and write nodes Infer structural components from ADDs Each inferred component is fed its logic-level stuck-at test ADN node : 4 vectors Read/Write node : 2 / 4 vectors logic module : well known test set arrays : checker board test arithmetic module : precomputed test an universal test set preferable random logic / test set unavailable excite HDL code and observe effect at system primary output PI PI < PO

Justification/Propagation on ADDs e f m Stuck-at Test s b c 0 xxxx 1111 0 1111 0000 1 1111 xxxx 1 0000 1111 g 4 1 s a ADD b RTL 4 b c s c 1 b c 4 4 = if (s == 1) a = b else a = c 1 s 4 not a Structure VHDL a Objective - 0 at s; All ones at c; Observe a -> . . . . -> 1 at input m; 0 at e; observe g

Nine Valued Algebra Cg : ability to control an n-bit bus to any of 2n value C0 : ability to control a variable to the 0 value C1 : ability to control a variable to the 1 value Ca1 : ability to control a variable to the all ones vector CA1 of 1 bit variable is C1 Cq : ability to control a variable to any constant Cs : ability to control a state variable to a particular ……...state value Cz : ability to control to high-impedance state O : ability to observe an any fault on multi-bit ……...variable or an 1/0fault on a single-bit variable O : ability to observe a 0/1 fault only for a single-bit variable

Justification/Propagation Record A six valued set the ATPG objective, variable name, upper and lower bit index of the variable, time frame value, and a state value (only in case of Cs) Cg(a[7:0], 0, -) : a[7:0] should be generally controllable in time frame 0. Cs(Curr, 3, S0) : Curr needs to be S0 in time frame 3. An objective is justified or propagated through RTL constructs. c = a + b : Cg(c) -> (Cg(a) and Cq(b)) or (Cq(a) and Cg(b)) Only few symbolic constants are represented as they are sufficient to transfer test data across all HDL operations

Transformation Rules For arithmetic/logic modules construct look up tables using behavior + , CG(output) -> CG(leftin) and CQ(rightin) or vice versa *, O(input) -> O(output) and C1(other input) etc Propagate across ADN nodes justify control value and propagate output variable Objectives are transformed until a input/output variable or constant is reached Maintain search frontier Drop objectives already satisfied Backtrack if conflict

Code Coverage Estimation Use RTL code coverage techniques: Fallah and Devadas, DAC 98 Example: Does test vector set propagate an erroneous value on variable A to an observable output? This coverage notion includes observability unlike other methods

Tag Injection/Propagation HDL description is viewed as a series of assignments to variables. Possibility of an assignment error is represented by tagging the variable in left-hand side by +D or -D Errors in design are modeled as errors in assignment statements. This method confirms that these design errors are detected if the vector set activates and propagates the error.

Coverage Analysis Tags can be positive or negative Single error assumption is made Example: - RTL description modified to collect simulation trace information - this information is used on the CDFG for concurrent tag propagation - step repeated for each vector and a % is calculated

Implementation C to VHDL VHDL to ADD ADD to test bench ART Builder from EDA Direct VHDL to ADD YXI high-level synthesis tool ADD to test bench HTEST : RTL ATPG tool (Fujitsu internal) Simulate on C with GNU complier compare output values Code coverage on VHDL file currently OCCOM tool (Fujitsu internal)

Experimental Results - Size # lines CPU time (sec) Tag Cov. (%) Program # vectors Sim. Results C1 40 - 1080 205 100 C2 36 1256 211 100 No Mismatch C3 42 1167 198 100 No Mismatch C4 41 1193 197 100 Mismatch (146) Program is computation intensive part of DSP software C1 - Original Golden Circuit C2 - manually optimized for better assembly code C3 - manually optimized for better hardware synthesis C4 - deliberate subtle error introduced in C3

Conclusions Technique proposed for simulation based equivalence checking of C programs Technique uses RTL ATPG techniques to generate test benches Observability based code-coverage techniques for measuring test bench quality Currently some limitations are present on the subset of C that can be tackled Preliminary results are encouraging

Future Work Automate the complete framework Reduce the number of restrictions in the C code C to HDL translation needs to be removed ATPG needs to be enhanced to tackle C constructs Code coverage algorithm needs slight modification Experiment with real life industrial programs Replace deterministic ATPG with simulation based test generation and compaction

Thank You