From: AAAI-86 Proceedings. Copyright ©1986, AAAI (www.aaai.org). All rights reserved.
Generating
Tests by Exploiting
Mark
Harper
MIT Artificial
Designed
Behavior
Shirley
Intelligence
Laboratory
545 Technology Square
Cambrzdge, MA 02139
(mhs@mit-htvax.arpa)
Abstract
One of the hardest
pattern
generation
problems
for a complex
because it requires reasoning
behavior
can be extremely
operations
that
behavior.
in digital
device.
circuit
design
This is difficult
about how to control
complex.
Knowledge
the device was designed
is test
in part
a device whose
of the specific
to perform
can help solve
this problem.
The key observation
is that a device’s designed
behavior
is often far more limited than the device’s potential behavior.
This limitation
translates
into a reduction
of the search
necessary
to achieve planning
goals. We describe an implemented
program
based
on this idea.
When
this
to generate
tests
where
illustrates
both
We represent
graph,
through
the operations
defined
tion set defined
to be complete.
When
reasoning
specializing
about
how to manipulate
complex
systems (e.g. for test generation
or diagnosis),
system is designed to behave is an important
to apply.
This
used in several
knowing how the
kind of knowledge
paper demonstrates
how this knowledge
can be
ways to produce
an effective problem solver for
one of the hardest
problems
in electronic
design:
generation
for VLSI devices.
Test generation
encounters
several traditional
including
conjunctive
planning,
and remains
test
pattern
AI concerns,
an important,
un-
solved problem:
existing programs
are notably
unsuccessful
large circuits.
Human test programmers
are more successful,
part because
ning
engineered
they use knowledge
from many
on
in
and a variety
sources
of reasoning
techniques.
Here we focus on one kind of knowledge
- designed behavior
- which they find important.
At the core of our test generation
one key observation:
tions that
ited than
of inputs
When
signed
a device’s
a device
is intended
to carry
its potential behavior.
to a disk controller
solutions
behavior,
system
designed
is a planner
behavior,
based
This
to planning
problems
can be found within
this limitation
can translate
into a reduction
Hypothesis:
efficiently
work
that
relies
every
exercised
on what
component
while
staying
deof
compo-
we call the Designed-Behavior
in the device
within
can be fully and
the device’s
designed
This report describes research done at the Artificial Intelligence Laboratory of the Massachusetts
Institute of Technology and at GenRad Inc. Support for the laboratory’s Artificial Intelligence research on digital hardware
troubleshooting
is provided in part by the Digital Equipment Corporation,
and in part by the Advanced Research Projects Agency of the Department
of Defense under Office of Naval Research contract N00014-80-C-0505.
884
National
Conference
/ ENGINEERING
method
is most
interfaces,
ating a behavior
lieve the method
of the building
e.g. the instruc-
The list of operations
value,
a testing
against
matches
to create
appropriate
and
section
for devices
characteristics
of this problem
strategy.
Section 4 introduces
examples
throughout
tails of our method.
This
whose
and
plan-
command
of distinct
operations
they
the non-trivial
effort of cre-
of microprocessor
3 describes
graphs
solutions.
circuits, we betests for many
systems
(e.g. processors,
UART’s, graphics
controllers,
and the like).
The next section gives an overview
of the
problem,
is assumed
goal, like loading
the behavior
graph.
In the domain of digital
is appropriate
when generating
blocks
which
with a behavior
behavior
interfaces
are narrow in the number
admit, since each operation
requires
the
test
generation
consequences
for representation
a simple processor
the paper, while section
The method’s performance
of several
and reasoning
which provides
5 contains the deon the processor
is shown in section 6. Finally, a simple account
of processor
design is presented
in section 7, which provides justification
for the
performance
2
achieved.
on Artificial
intelligence
The
Task
We are interested
in the task
of test
generation
for VLSI com-
ponents.
This task is part of the quality control phase of circuit
manufacturing
where we verify that the physical
circuit in fact
Test generation
takes a design
produces
the designed
behavior.
description
for a circuit and produces
a set of tests.
Taken together the tests must specify sets of inputs and predicted
outputs
such that,
puts
AAAI-86
successful
is shown
tests
fails
how data is supposed
to flow
these graphs by simulation
of
by matching
a certain
neces-
out, is often far more lim-
For example, very few sequences
correspond
to valid commands.
the search necessary
to achieve planning
goals.
In testing,
the goals involve manipulating
individual
nents.
on
i.e. the opera-
operates
with
An example
at the device’s
for a processor.
the search
successfully
generates
is valid, and (quickly)
of designed
a structure
that describes
We generate
the device.
a register
Introduction
we can reduce
it is not.
cases.
the space
The planner
1
is true,
sary to generate
tests. Our program
in situations
where this assumption
match
when
the inputs
the predicted
are applied
values
to the circuit
(i.e. the circuit
we can be confident
the circuit was manufactured
Tests are traditionally
created by partitioning
and all out-
passes
all tests)
correctly.
the design
into
components
and generating
a test for each component
by (1)
working
out how to test the component
as if it were alone, and
(2) working out how to execute that test within the context
larger circuit.
The second problem is conjunctive
planning,
of the
since
it involves
achieving
multiple,
potentially-interacting
have to work out how to manipulate
to cause
a desired
The
classical
pattern
of activity
approaches
goals:
the circuit’s
(e.g.
around
primary
a component.
[Roth66])
use
a combination
of heuristic
search and constraint
propagation
using
representationsof the circuit’s structure
and behavior.
runtimes
are excessive for anything
cuits and simple state machines,
we
inputs
gate-level
Current
other than combinational
cirand we think this is a direct
consequenceof the use of gate-level
representations.
More recent
to hiresearch
(e.g. [SinghG])
appl ies similar search techniques
erarchical
models of device structure
and behavior,
yet still does
not take advantage
of knowing the designed
behavior.
For com-
plex circuits,
the human experts
any existing test generation
than
describes
several
limiting
3
ways
remain
much more successful
program,
and the next section
- inspired
by what
the
experts
Figure
In this
section
of the Problem
we describe
two
domain and the effects
and reasoning
strategy.
they
3.1
Designed
Purposefully
characteristics
have on our choices
designed
bewhich essen-
tially
circuit
are annotated
or the
notion
contain expressions
described
in terms
problem
The point
tained within
of representation
has
been
used
in several
unspecified,
analog
circuit
we need
to
was sufficient
worked.
know what
We require
that
purpose
to aid in determining
more
the relative
algorithms
behavior
of the behavior
graph representation
the set of graphs
are many patterns
information
is, i.e. the tasks
than
sizes of solution spaces
search. The sets contain
graphs
can provide
interfaces.
generated
behavior.
Hence,
dicates that there
this;
the system
the designer
behavior
how an
opergraphs
is this: conof activity
a complete
Because
from them
list of operations
de-
this list is complete,
the
represent
all normal
circuit
failure to find a useful pattern
of activity
is no solution within the normal operations
inof
the circuit.
is
supposed
to accomplish.
Our program
then uses this information
to focus on solutions
to testing problems.
Figure 1 illustrates
different test generation
For efficiency,
with variables in them, e.g. a READ cycle is
of a symbolic address and symbolic data.
fined for the circuit’s
programs
for reasoning
about physical
systems.
In [DeKleer79],
for example, the knowledge
that a device had some purpose, even
though
traces.
and the corresponding
around
every component
in the circuit.
“All our planner
must
do” is find the patterns
of activity that are useful in testing.
We
Systems
of purpose,
simulation
are parameterized,
assume
Teleology,
states
We explicitly
represent
the space of a circuit’s
havior with the behavior
graphs mentioned
above,
ations
Domain
of the
sizes of sets of circuit
do - of
search.
Characteristics
1: Relative
that
pos-
Extreme
3.2
A second
and
Complexity
dominating
characteristic
of this
domain
is the
sible states of a circuit,
i.e. the different
ways of consistently
assigning
values to the circuit’s nodes.
If the components
com-
extremely
complex behavior of modern VLSI components.
Algorithms which manage this complexity
are essential.
One way to
prising the circuit are disconnected,
then there is no constraint
between their states, and the set of possible circuit states is the
do this is to identify
cross product
of the sets of individual
component
states.
Connecting
the components
together
makes many potential
states
inconsistent,
resulting
in a smaller set of possible states.
This is
one that
focuses
closely
involves
the rest
of the circuit,
the space that a planner
with perfect ability
straints
could search.
Since local constraint
to propagate
con-
propagation tech-
The
traditional
build our problem
ing at a different
micro-planner
useful
abstractions2.
partitioning
of the problem
on a single
into
component
suggests
that
two parts,
and another
we might
that
usefully
solver in two parts, each part potentially
workabstraction
level. And this is what we do: a
is responsible
for solving
conjunctive
goals around
niques are incomplete
in their ability to detect global conflicts,
algorithms
using these techniques
search a somewhat
larger space
individual
components,
and a macro-planner
is responsible
for
taking the output of the micro-planner
and then controlling
grosser
and backtrack
aspects of the circuit
We must describe
when
inconsistencies
are found.
Within the space of consistent
states
space of behaviors
the circuit was designed
of the circuit lies the
to perform.
This is the
space our test generator
searches.
The ratio of designed behavior
to possible behavior
depends upon the particular
circuit, but the
more specialized
and complex
the circuit,
the smaller
it tends
to
be. 1
‘In the case of the MARK-2
processor,
this ratio
is on the order of 22”“.
Naturally this number says nothing about how the spaces are searched nor
about the frequency and distribution
of solutions within the spaces. We
haven’t yet done the performance measurements
for some typical circuits
that would yield these numbers. But, as suggested by the performance
of
our method on a microprogrammed
processor, we expect our method to
be a useful addition to the spectrum of techniques helpful for solving test
generation problems.
state, namely its data registers.
the circuit structure
and behavior
two parts of our program.
system models the circuit
nents,
roughly
for these
For simplicity’s
sake, the prototype
structure
as a flat network of compo-
at the level of the block
diagrams
in databooks.
3
The system uses four levels of behavioral
description.
The
simulation
models for the individual
components
are the foundation.
We only require them to predict
outputs
from inputs,
21n fact, because
are abstractions
designer.
the circuits are designed, it is not surprising
that there
readily available; they are the abstractions
used by the
3Note that, although
individual
gates.
the model is flat, it is considerably
above the level of
AUTOMATED REASONING
I 885
EXAMPLE
INPUT
SEQUENCES
+ COMPONENT
1
VIA
BEHAVIOR
SIMULATION
.
tion after
GRAPHS
~UMMIRIIAT~VIA
REGISTER
accomplished
using Design for Testability
techniques.
The next section introduces
a simple processor
which we use
as an illustration
throughout
the rest of the paper, and the sec-
BEHAVIORS
SUMMARIZATION
COMPONENT
CHANGES
that
4
The
MARK-2
The
circuit
shown
2: Behavior
fictional
Representations
two are summaries
Activation
havior
example,
as Lisp functions.
mentioned
above.
of the behavior
Sunzmary
graphs
directly
graphs
which
links
contain
if the simulator
graphs.
component
notices
that
sometime
during an instruction,
is linked to the behavior
graph
The next
The final
instances
MAC-l
the ALU performs
registers.
Figure 2 shows
tions are generated.
3.3
Summary
When
reasoning
VLSI circuits,
an add
the cuinternal
Characteristics
The first observation
gives us a way to overcome
culties resulting from the second. These observations
implications
which together
guide us to the strategy
representing
5
The
out:
first, that they are engineered
artifacts,
designed to accomplish
a
purpose,
and second, that their behavior
can be extremely
complex.
be controlled
each part
stand
the space of designed
behavior
the diffi-
The
ways
(e.g. by observing
We use simulation
because
which
fails
but
quickly
on the
it is much
amount
worse
of time with
Our
designed
present,
method
rest
so that
it is undesirable
quickly
and
either
terested
simulate
other
methods
can
generator
to fail,
be
and unpredictable
using
could
variables
The inputs
erations
the circuit’s
behavior
for solutions
to testing goals. If a solution is
then our program
will find it, and it does so quickly
and
components.
add,
of be-
flows through
the
it could be done
version
create
of the circuit).
behavior
graphs
we need
only
simulate
Rather
than
of numbers
the instruction
for data.
of operations
are the complete
set of circuit
plus perhaps
provided
inputs
by test
as programs,
experts.
because
op-
some interestthat
We repreworks
well
with another approach
to test generation
discussed in [Shirley85].
We divide the circuit state into two components:
control
state and data state4.
Control
state is initialized
the same
way for each simulation
variables.
For example,
is an effective test generation
strategy.
shows the performance
of our program
1).
6
a database
data, thus reducing
the number
simulation
we need. For example,
suppose we’re in-
because
the search space is limited.
To the extent
that the
Designed-Behavior
Hypothesis
is true, i.e. that efficient tests for
components
exist within the designed behavior,
then our method
The example in section
on a simple processor.
a working
from the databook,
sent these simulator
searches
is to create
it can easily
to the simulator
collected
ing sequences
way.
exhaustively
busses
inputs
accessible
”
intermediate
in the ADD instruction
of the MARK-2.
the instruction
once for each combination
the processor
-
for a test
for it to run for a large
no result
are not directlv
through
of the preprocessor
once,
Naturally,
23 instructions;
and data
primary
graphs which describe how information
We do this using simulation,
although
some
applied.
nodes
in
in turn.
purpose
in other
graphs
as important
is a lgbitincluding
a
for managing
global aspects of the circuit’s
captured
in the behavior
graphs.
We discuss
solves
- and just
of this circuit
is a sequencer,
implementing
of the
Details
containing
symbolic
runs (or observations)
quickly
portion
portion
indirectly
and of searching
those graphs for solutions
to testing goals.
We recognize that test generation
is a very difficult problem:
partial ‘solutions are likely to be the norm in this field for many
years to come. Consequently,
rather than trying to build a test
generator
which solves all problems,
we are aiming for one which
of the problems
example
Preprocessor
havior
circuit.
have several
of explicitly
with behavior
version
Our method
has’three
parts:
(1) a preprocessor
for creating
the
for finding patterns
of acbehavior
graphs,
(2) a micro-planner
tivity among the behavior
graphs which solve testing goals, and
representa-
two observations
as a teaching
The internal
must
micro-
presented
processor
(3) a macro-planner
state which aren’t
of the Domain
about
behavior
horizontally
modified
80 lines of microcode
and outputs.
For
then the ALU’s add operation
generated
by simulating
that in-
how the various
5 is a simple
It is a slightly
The central
the righthand
ROM holding
to the beof them.
The Register Transfer Summary captures
effects each behavior
graph has on the circuit’s
struction.
mulative
I
and the lefthand portion is a RAM. The address
and their associated
signal lines are this circuit’s
Component
The
operations
one or more
.
of our method.
Microprocessor
in figure
processor.
[Tanenbaum84].
wide datapath;
so we can implement
them
level is the set of behavior
the details
ACTIVATIONS
programmed
Figure
describes
and is left by most
The simulator
run, while
the program
instructions
data state is initialized
with
counter is initialized
to ?PC
holding
itself is event-driven,
the expression
where
an event
(+ ?PC
is a circuit
The question
of what the designer
should do when the test
generator
fails can be answered
by stepping
back from the test
generation
problem
and considering
its place within the larger
and simplifying
symbolic expressions
and (2) recording
justifications between events. These justification
links form a flow graph
context
which
of circuit
but one part
of testability
design
and manufacturing.
of the design task.
against performance
Test
generation
Thus, if generating
tests for a given circuit requires
effort or is impossible,
then the designer can consider
the
886
circuit
to make
the
/ ENGINEERING
problem
is
It is possible to trade off ease
and reliability
considerations.
easier.
Any
redesign
too much
modifying
can
be
node changing
its value.
is one component
Its essential
features
of the behavior
are (1) propagating
graph.
The expressions
‘This division depends on the level at which the circuit is described, but for
any given level it is fairly clear and generally corresponds to the division
of controller
and datapath.
For the MARK-2, the control state is the
microprogram
counter and the micro-instruction
register, and the data
state is everything
else (e.g. the accumulator
and the program counter).
Specific
Patterns
IrJPUT-1 II/PUT-2
0
65535
65535
0
1
65535
2
65535
4
65535
8
65535
16
65535
<more patterns>
A composite event
with subevents:
AT ?Time
= :PLUS
OP
IIIPUT-1 = ?Value-1
AT ?Time
Ilr'PUT-2
= ?Value-2 AT ?Time
OUTPUT = ?Output AT ?Time
and constraints:
(and (controllable? ?Value-1)
(controllable? ?Value-2)
(observable?
?Output))
Time
-------------
----------_
98
99
100
-> 101
?AC)
102
:PLUS
cuit
the values
inputs
the data
during
registers.
to say where
another,
are functions
simulation
The variables
they
much
of nodes
the
originated,
simplified,
the
initial
in these expressions
consequently,
flow graph
node back to primary
inputs.
of these two flow graphs.
5.2
of the values
run and
The behavior
.----------_
---------???
?Addend
OUTPUT
i+ ?Addend
?AC
of
of ADDD’s
Figure 4: Portion
behavior
graph
(shown
as a table)
are marked
the values
graph
form
at each
is the union
the matcher
and irrelevant
The Micro-Planner
The micro-planner’s
II:PUT-2
on cir-
states
the expressions
linking
IrlPUT-1
??? indicates an unknown value
.
indicates an unchanged value (i.e. ditto)
-> indicates the match
?Addend = Contents(RAId,?ADDR)
Figure 3: An event pattern
describing
OP
to divide the set of behavior
subsets depending
on whether
graphs into relevant
the component
“did
anything
interesting”
during a particular
behavior.
then tries each potentially
relevant behavior graph
task is to take a test for a single component,
The matcher
in turn until it
expressed
in terms of the component’s
I/O pins, and to rewrite
it in terms of the circuit’s
pseudo-inputs
and outputs
(i.e. pri-
The matching
finds a situation
which meets all of the constraints.
process itself is straightforward
unification
augmented
to check
mary
the additional
I/O
pins
plus data
registers).
The core of this planner
is
a matcher
which takes component
tests and finds
them in the behavior
graph database.
If successful,
instances
of
this planner
produces
will do most
a sequence
of the work
needed
of inputs
to cause
The remainder
of the work
Where do the component
two sources:
for standard
devices, we ask the domain
for the circuit
which
the test to occur
within
though we have not yet tried to do this.
Component
tests are expressed
in two parts:
of prototypical
operations
that the component
(e.g. a register
test data
provide
(e.g. have
must
try to load these
language
data
are just
sequences
in figure
3 describes
The pattern
for describing
and (b) actual
numbers).
prototypical
We
operations;
of numbers.
a prototypical
of the MARK-~‘S ALU. The four subevents
between place, value and time that define
tion. The additional
match only instances
we could
method,
(a) descriptions
must be able to
be able to load data)
the register
a rich
the actual
from
combinational
devices and sequential
experts.
For other combinational
de-
vices, we use a conventional
test generator.
In principle,
also use a recursive
application
of our test generation
perform
the circuit.
is done by the macro-planner.
tests come from? We get them
constraints
further
of add operations
pattern
The matcher
constraints.
finds numerous
havior graphs
i.e. when the
the behavior
graph
(ADDD)
, which
amount
stored
in main
?Time
?Value-1
?Value-2
?Output
specialize this pattern
to
that are useful for test-
inputs.
As
The
program
portion
to apply
matching
binding
pattern
by an
of this
In all of
specific test data
an event pattern
environment.
The
in figure 3 against
75
Contents(RAId, ?Addr)
?AC
(+ Contents(RAM, ?Addr) ?AC)
address
set up so that
from section
3.2 allows
which
At this point
determine
what
inverse function
came out of the ALU, by applying
the
that we observe at the circuit output.
can then
(i.e. ?Value-2)
instruction
Moreover,
Summary
relevant
==
==
==
back-solve
to determine
properly.
Similarly,
there must be a output
of the circuit which
is an invertible
function
of the ALU's output. With that we can
Activation
The
==
some
into the two primary
test data moves through
the circuit to the ALU, it is
back to the desired value, thus exercising
the ALU
The Component
memory.
instruction
of the accumulator
add operation
describe the relations
the ALU’s add opera-
then
actually
to data
the value
Recall that our purpose
here is
to the ALU. An additional
result of
against
a behavior
graph is a variable
bindings
resulting
from matching
the
the behavior
graph in figure 4 are:
isters in order to apply
In this case, one addend
data
be-
graph appears
in figure 4, displayed
in tabular
form.
the other potential
matches
the ALU is either incrementing
the
in all of these cases, one
program
counter
or the stack pointer:
of the ALU’s inputs is a constant,
and thus is not controllable.
of two distinct
primary
inputs.
This allows us to apply test data
to the ALU by transforming
the data using the inverse functions,
the inverted
the MARK-~‘S
for the ADD-Direct-from-memory
increments
environment
feeding
where
many situations
in which the ALU performs
an addition.
But
only one of these potential
matches meets the additional
restrictions needed for it to help test the ALU. This match occurs in
ing the ALU. In order to help, the expressions
on the two input
nodes must be controllable,
i.e. they must, be invertible
functions
the inverted
transformed
places
match the subevents
of the pattern
in figure 3,
processor
is “put through
its paces,”
there are
must
the equations
in this binding
how it must set up the circuit’s
regparticular
values to the ALU’s inputs.
(i.e. ?Value-1) must be in the RAM at
can be specified
later,
and the other
addend
be in the accumulator.
the micro-planner
has now identified
the ADDD
as the one to use to test the ALU’s addition operation.
it has also determined
how the data registers must be
the ADDD
instruction
the job of the macro-planner
operations which will initialize
can do this job.
It is now
to work out a sequence of circuit
the data registers
properly.
AUTOMATED
REASONING
/ 887
5.3
The Macro-Planner
The
purpose
of the
operations
macro-planner
(in this case
the circuit’s
micro-planner
descriptions
is to generate
sequences
of
set up
leave important
data in one or more registers
the ALU’s output in the accumulator),
a sec-
ond job of the macro-planner
to one of the circuit’s
is to work out how to move
outputs
The macro-planner
where
searches
based
on the sequence
contained
through
length
in the registers.
results
it can be observed.
the space
sequences
to find one which moves data
planner is implemented
as straightforward
a metric
which
state so that the single test operation
found by the
will start with the right data. Since a test opera-
tion will sometimes
(e.g. ADDD leaves
data
sequences
of instructions)
and
pattern
designed
simulation
method)
(a well-behaved
operations
for testing
macro-planner,
set up circuit
The
with
of useful
descriptions
(i.e.
6
inputs
,I
II
5
---->
on an Example
Figure
6 shows the fault
achieves with the MARK-2
The
chose the ADDD
information
for the
program
coverage
that
processor6.
was able to generate
while
to
(PRELOAD-IIEIYIORY
?Ac ?ADDR)
(LODD ?ADDR)
(PRELOAD-MEMORY ?vAm
?ADDR)
(ADDD ?ADDR)
(STOD ?ADDR)
(OBSERVE-14~140~~(+ ?VALUE ?AC) ?ADDR)
Performance
components,
of all of this is the sequence
which subsequently
included three operations
state and two operations
to observe it.
1:
2:
3:
Test ------------> 4:
Observe outputs
-> 5:
1,
6:
Setup
it failed
our
7
Explaining
Circuit
prototype
system
method
operations
Note
We believe
Consider
starts
testing
the datapath
to realize
despite
trolled almost completely
of the program’s
success
that
the fact
the program
that
should
of the
some
ality.
of the mapping
is easily
between
able to
component
following
account
a specification
of processor
for an abstract
registers
abstract
design:
machine
and’the
machine
a designer
which
includes
instruction
set. His
in hardware
while
is con-
by 80 lines of intricate
microcode.
Part
can be attributed
to its use of abstract
describing
capabilities
of the tester
two special operations
oper .ations
and observe-memory
hardware. These are the preload-memory
which write data into and read data from the RAM.
has 1G components
and 91 nodes.
Each simulation
run is
approximately
50 clock cycles long, taking about 10 seconds of real time on
a Symbolics 3640. Generation
of prototype tests, i.e. tests with symbolic
data, for this circuit takes 1 minute, including both the time taken for
successfully creating tests for some components and failing to do so for
instruction,
from
register
these
describing
how data
to register.
dataflow
graphs
Naturally
directly
To do this, he adds
identity
transformations.
in one graph
in hardware:
as
can’t
without
boxes
gle multiplexor.
collects
to the graphs components
which perform
For example,
he might insert a reg-
to shift
allowing
some
components
via time-multiplexing.
of its operations
to be shared
In another
into two graphs
When
all the control
signals
from
By this account,
tal refinement
controller
chine).
and
them
large
portions
the fact
of individual
plus
that
is designed
different
change
means
existing
components
that many datapath
processor
the merging
and creates
a
these signals at the right
any one of the well-known
from
is designed
(stylized
implementation
The availability
of components
which
chips),
a sin-
the designer
all the graphs
is very
graph
introduce
using
fit together,
the way the datapath
merging)
in time,
another
he might
and implement
the flow graphs
later
with
situation,
finite state machine
(FSM) to provide
times. This FSM is implemented
using
methods
(e.g. with a PLA).
ment
is transformed
the designer
sharing
there would be a wasteful
duplication
of functionSo he looks for ways of merging
the graphs together.
identity
in
‘We include
GThis circuit
the circuit
varies over different
parts of the circuit,
is a direct result of the design process.
the programmer
accessible
job is to implement
this
implement
that
succeeds
the datapath
the directness
the
with
thereby
It is also important
between
of the components
that implement
between
the more “direct” the relationship
operations
and circuit operations,
the bet-
and circuit operations
and that this variation
ister
be modified.
Thus our program’s
failure points out areas
circuit that a redesign program
should focus on.
on the relationship
of the processor,
and consequently,
our method
solve testing goals involving
that ALU operation.
the expert
but really
depends
ter our method
performs.
For example,
the ADD operation
of
the ALU very directly implements
part of the ADDD instruction
since data paths are typically
much wider than control paths.
’
Our program
also quickly fails on the controller,
an area which
with effort,
the Performance
and the operations
one for each
for the highlighted
to do so for the others.
testable
to solve problems
side.
meeting myriad performance,
reliability,
and cost constraints.
The specification
can be viewed as a set of dataflow
graphs,
the program
can quickly work out how to test virtually
all of the
datapath,
which includes more than half of the physical circuit,
says is partially
on the other
method
is that it
components
using
Why is there a radical
difference
in coverage
between
the datapath
and the controller ? We conjecture
that the performance
it moves
tests
through
of instruction
and the amount
below. The micro-planner
the ALU and provided
reasoning
the components
them. In particular,
individual
component
of circuit
operation
use of simulation
backwards
of our
complex
from the behavior
graphs.
the
reasoning
would try to do. A clear advantage
can work forward
through
extremely
of our
of the end product
Also,
is critical:
sequencer
is very difficult, yet this is exactly what
planners
and classical
test generation
algorithms
descriptions
of the effects of instructions)
are contained
in the
Register Transfer Summaries,
which are generated
by our system
An example
behavior.
matching
the microcode
goal-directed
involving
around
properly.
best-first
search
The operator
of the circuit’s
behavior
(e.g. while controlling
the
The program
generates
these abstract
descrip-
register
state).
tions from the
(incrementhe way the
of a state madirectly
imple-
operations
process
doesn’t
(it just adds new identity
component
operations
tend
(e.g. ALU
normally
boxes),
to “very
directly
implement”
circuit operations.
The state machine
design process,
however,
need yield no such simple relationships.
The behavior
of the whole
different
from the behavior
register,
888 / ENGINEERING
ROM,
or MUX).
controller
(a state machine)
of any controller
component
is very
(e.g. a
CA
I
MFIRK-2
Figure
5: The MARK-2
Processor
HA ,I I,
1 1 I
MARK-2
Figure
6: Coverage
of processor
components
AUTOMATED
REASONING
/ 889
This account
also suggests
a difference
between
References
our approach
to test generation
and the classical approaches.
The usual result
of the design process, a circuit topology, is the superposition
of
the dataflow graphs, plus the identity boxes added to allow sharing, plus the controlling
state machine.
include the list of operations
the circuit
This topology doesn’t
can perform,
nor does
it make explicit
the circuit,
how data
moves through
e.g. timing
[DeKleer79]
[Roth661
attempt
nents
to generate
and topology.
tests
Testing
directly
experts
from the circuit
perform
compo-
well, because
8
are an approximation
of the flow graphs.
[Shirley851
they
8
Conclusion
We have demonstrated
how knowledge of a system’s designed behavior can help solve test generation
problems, or more generally,
problems involving manipulation
The key to our method is that
be far more limited
can translate
planning
than
of complex engineered systems.
a device’s designed behavior can
its potential
into a reduction
behavior.
of the search
This limitation
necessary
to achieve
goals.
A prototype
system has been implemented
and run on a small
number of examples.
This system has 3 components:
(1) a preprocessor to create the behavior graphs using symbolic simulation of input sequences out of the databook;
(2) a micro-planner
to match
simulation
tivation
aspects
planner’s
testing goals gotten
runs (the matcher
from domain experts against
is guided by the Component
the
Ac-
to control,global
Summaries);
and (3) a macro-planner
of the circuit’s state (the behavior graphs also supply the
operator
descriptions).
The system has generated
tests for a simple
apath.
It was successful despite the fact that
processor’s
datthe datapath
is
controlled
by 80 lines of intricate microcode.
A clear advantage
of our method is that it can, by using simulation,
reason forward
through complex components,
such as the controller,
in order
solve problems involving the components
on the other side.
9
to
Acknowledgments
The following
to the contents
Yehudah
people
have read
of this paper:
Freundlich,
drafts
Randall
Jeff Van Baalen,
or otherwise
Davis,
Walter
contributed
Gordon
Kramer,
Howard Shrobe,
Ralil ValdCs-Perez,
Brian
Peng Wu. I would especially like to thank Gordon
who is the testing
expert
whose
methods
Robinson,
Hamscher,
inspired
Glenn
Williams,
Robinson,
much
of this
work.
‘The domain experts report an interesting dichotomy. They say that, for
humans, test generation problems are either very easy or very hard. The
problems are easy when they can see clearly which manipulations
of the
device’s interfaces are useful for exercising components inside the circuit,
and hard otherwise. In our work, we have have made some effort, albeit
informally, to match the performance of our test generation system to the
expert’s intuitions about which problems are easy for humans and which
are hard. And the expert does report that the results on the MARK-2
match his expectations fairly closely.
890
/ ENGINEERING
of Technology,
Roth,
J. P., “Diagnosis
1979, AI-TR-529.
of Automata
Failures:
A
278-291.
Shirley,
M.,
“An Automatic
proach to Testing,”
IEEE
lation and Test Generation
know the same things designers know and can reconstruct
and
use the designer’s flow graphs. Finally, our program is successful
for the same reason, it reconstructs
and uses behavior
graphs,
which
stitute
Calculus and a Method,”
IBM Journal
of Research and Development, Vol. 10, July 1966, pp.
and selection relationships,
both of which were explicit in the
flow graphs before they were merged.
Classical test generation
algorithms
perform poorly, because
they
de Kleer, J., Causal and Teleological Reasoning
in Circuit Recognition, Diss., Massachusetts
In-
Programming
Ap-
Workshop on SimuSept
Environments,
1985.
[Singh85]
Singh, N., Exploiting Design Morphology to Manage Complezity, Diss., Stanford
Department
of
Electrical Engineering,
April 1985.
[Tanenbaum841
Tanenbaum,
A. S., Structured
nization, Prentice-Hall,
NJ, 1984.
Inc.,
Computer
Englewood
OrgaCliffs,
