
A Validation Fault Model for Timing-Induced Functional Errors

… Amherst, MA 01003
qzhang@ecs.umass.edu, harris@ecs.umass.edu

Abstract

… The violation of timing constraints on signals within a … errors are also not detected by traditional timing analysis approaches because the errors may affect … the Mis-Timed Event (MTE) fault model … use several examples to evaluate … not targeted …

I. INTRODUCTION

The widespread use of complex hardware systems in cost-critical and life-critical applications motivates the need for a … verification complexity has increased to the point that it dominates the cost of design. In order to manage the complexity of the problem, we are investigating validation techniques, in which functionality is verified by simulating (or emulating) a system description with a given test input … verification techniques have been explored which verify functionality by using formal techniques (model checking, equivalence checking, automatic theorem proving) to … the advantage that they are precise, where validation can only provide a degree of certainty which is less than 100%. However, formal techniques suffer from high complexity, so the verification of large designs using formal techniques alone is … test sequence of reasonable length, and the degree of certainty provided can become arbitrarily close to 100%.


We investigate validation techniques which can be used in conjunction with formal verification techniques to verify large hardware … practical difficulty in the validation of large hardware systems is choosing the proper design abstraction level which provides a tradeoff … validation is performed at all levels of abstraction from … such as VHDL and Verilog, have only been fully accepted by industry for less than a decade, … been widely used for several decades, … and include concurrency constructs such as the process statement in … of validating internal timing activity at the behavioral level has not been adequately addressed in … timing constraints during validation is central to the hardware … validation … the validation of a … those errors which directly impact data values, independent of the time between the application … hardware system depends on the correctness of the communication between processes, … different clock, … signal to have an incorrect value for a small window … are not satisfied by conventional … Timing-induced errors may impact output data values without affecting output data timing, … system described in [25] … performs a computation on it, and outputs the result to a … simplify the example we assume that Computation X produces an output … Computation X completes within a single sample period then the output is … if a design error causes the computation to take longer than a sample period, then the data output at each time period will be the incorrect sample, and the output signal will be incorrect.

Notice that the timing error does not necessarily affect the rate at … new output at each sample period, but the output … refer to this error as a timing-induced functional error because it is caused by an internal timing problem, but it manifests itself as a functional error … [6], [5] … detect these errors a new fault model is … system to process an analog signal … The paper is organized as follows: previous work in hardware validation is presented …

II. PREVIOUS WORK

Validation fault models have been developed at different levels of abstraction, each model defining a … models [16], [1] assume defects such as the use of an incorrect gate, insertion of an extra line, deletion of a line, and deletion of a … [16], the defect model is used to direct an automatic test generation … [15] which considers any defect which can be repaired by re-synthesizing a … [12] a fault model is presented at the finite state machine level which assumes that each error affects either a single state transition or a … [8] and [7] where a fault model assumes that any single variable assignment in a … positive and negative … the control-flow graph using a set of tag propagation … [9], the authors use the fault model presented in [7] to build a … [13] by converting a VHDL program into a functionally equivalent Fortran program and then using the Mothra tool for software mutation analysis [17].

Researchers have applied software path testing to VHDL by allowing the user to select control-flow paths to stimulate, and using constraint programming to identify tests to stimulate the chosen paths [24]. The tool presented in [11] acts as a simulator and data collector, … have previously applied both domain testing and dataflow testing methods to the validation of behavioral VHDL descriptions [28], [27]. Previous work in timing verification has studied the impact of design errors on timing correctness [3], [19], [26]. Researchers have … validation … Software researchers have been studying the problem of validating behavioral descriptions and have … branch coverage, and path coverage [2]. Statement coverage assumes that the execution of a … of control-flow paths grows exponentially with the number of conditional statements, achieving high path coverage is a highly complex … is a structure-based test adequacy criterion which is … definition occurrence or a … [22], [10], [4], [20], [18] identify a subset of paths through the dataflow … [17], [21] is similar to fault simulation using a …, making this approach time consuming, but research has been performed to limit the number of mutants [21], and to weaken the mutation detection requirements [14].

III. MODELING TIMING DESIGN ERRORS

A design error is a … incorrect feature of a single line of a design description, … to a fundamental misunderstanding of the design specification which may impact a large segment …, so a method is needed to reduce complexity without … the behavior of a set of design errors, allowing a larger set of design errors to be modeled by a … been proposed previously in the area of software testing, in the context … test adequacy criteria based on dataflow analysis have been developed [22], [10], [20], [18]. We propose to modify existing dataflow analysis techniques to capture … will first describe the traditional dataflow analysis techniques, and then we will describe the new … [27] is concerned with the occurrences of variables in a … is classified as either a … statement where a variable describes a … shows the CDFG of a … node in the graph can have multiple use occurrences of a variable but … node completes, the nodes pointed to by outgoing solid edges begin to execute if the condition on the edges …

[Figure residue: CDFG with nodes Begin, 2, 3, 5, 7, 8, 10, End and then/else branch edges]

… graph with dataflow model introduced above, a definition-clear path with respect to a variable X is a path in the flow graph without definition … (du) pair of a variable X consists of a definition and a use of variable X which are connected by a definition-clear path with respect to X, … then the du pair is … (du) pairs … metric [22] requires that all du pairs be covered by the test patterns, … to every use of that definition should be exercised.
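The definition-clear path, du pair and all-du-pairs notions above, as an added worked example in Python (not code from the paper): it enumerates du pairs over a small control/data flow graph by searching definition-clear paths, then checks the all-du-pairs criterion against a set of executed paths. The graph is a constructed stand-in for the Figure 2 CDFG: its node numbering (Begin, 2, 3, 5, 7, 8, 10, End) follows the figure, but the edges, the second variable Q and the test paths are assumptions. For variable P it returns the four pairs (3, 8), (3, 10), (5, 8), (5, 10) that the text lists for Figure 2.

```python
"""All-du-pairs analysis on a small control/data flow graph (CDFG).

Added example, not code from the paper. The CDFG shape below is an
assumption modelled on the Figure 2 residue: Begin -> 2; 2 branches
(then -> 3, else -> 5); 3 and 5 join at 7; 7 branches to 8 or 10; both
reach End. Variable P is defined at 3 and 5 and used at 8 and 10.
A second variable Q (defined at 7, used and redefined at 8) is added to
show a path that stops being definition-clear.
"""
from collections import deque

# Constructed CDFG: node -> list of successor nodes
CDFG = {
    "Begin": ["2"],
    "2": ["3", "5"],
    "3": ["7"],
    "5": ["7"],
    "7": ["8", "10"],
    "8": ["End"],
    "10": ["End"],
    "End": [],
}

# Constructed definition and use occurrences: node -> set of variables
DEFS = {"3": {"P"}, "5": {"P"}, "7": {"Q"}, "8": {"Q"}}
USES = {"8": {"P", "Q"}, "10": {"P"}}

# Constructed test patterns, each given as the control-flow path it executes.
# Together they cover every branch, yet they miss half of P's du pairs.
PATHS = [
    ["Begin", "2", "3", "7", "8", "End"],   # then-branch at 2, node 8 at 7
    ["Begin", "2", "5", "7", "10", "End"],  # else-branch at 2, node 10 at 7
]


def du_pairs(cdfg, defs, uses, var):
    """Return the set of (def_node, use_node) pairs of `var` connected by a
    definition-clear path: a path from the def node to the use node on which
    no intermediate node redefines `var`.  Breadth-first search from each
    definition; expansion stops at any node that redefines the variable."""
    pairs = set()
    for d in (n for n, vs in defs.items() if var in vs):
        seen = set()
        queue = deque(cdfg[d])
        while queue:
            n = queue.popleft()
            if n in seen:
                continue
            seen.add(n)
            # A use in node n reads the value before any definition in n,
            # so the use is recorded first, then the definition kills the path.
            if var in uses.get(n, set()):
                pairs.add((d, n))
            if var in defs.get(n, set()):
                continue
            queue.extend(cdfg[n])
    return pairs


def covered_du_pairs(path, defs, uses, var):
    """du pairs of `var` exercised by one executed path: each use is paired
    with the most recent definition on the path (the reaching definition)."""
    covered = set()
    reaching = None
    for n in path:
        if var in uses.get(n, set()) and reaching is not None:
            covered.add((reaching, n))
        if var in defs.get(n, set()):
            reaching = n
    return covered


def all_du_pairs_coverage(paths, cdfg, defs, uses, var):
    """All-du-pairs metric: fraction of required du pairs covered by `paths`,
    plus the set of pairs still uncovered."""
    required = du_pairs(cdfg, defs, uses, var)
    covered = set()
    for p in paths:
        covered |= covered_du_pairs(p, defs, uses, var)
    covered &= required
    return len(covered) / len(required), required - covered


if __name__ == "__main__":
    print("du pairs of P:", sorted(du_pairs(CDFG, DEFS, USES, "P")))
    print("du pairs of Q:", sorted(du_pairs(CDFG, DEFS, USES, "Q")))
    print("coverage of P by PATHS:", all_du_pairs_coverage(PATHS, CDFG, DEFS, USES, "P"))
```

The two constructed paths take both outcomes at node 2 and at node 7, so they reach full branch coverage, yet they exercise only (3, 8) and (5, 10): 50% of P's du pairs. The all-du-pairs criterion also demands the cross pairs (3, 10) and (5, 8), which is the gap between control-flow adequacy and dataflow adequacy that the text describes.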

In Figure 2, there are four du pairs of variable P, (3, 8), (3, 10), (5, 8) and (5, 10), and these du pairs are required … Model … Design faults can be grouped into two classes, static faults whose observation is independent of absolute event timing, and timing faults whose observation depends on a specific timing of events … static fault depends on the sequence of test pattern application, but not the absolute time of the application of each pattern. An example of a static fault is the replacement of the expression x y 1 with the incorrect expression x y … activated, its effects can be observed at any … signal is assigned to the correct value, … signal value to endure … that a timing fault is active during only a subset of the time period between two definitions, while a static fault is active during the entire time period between two … describe the detection properties of timing faults, we will use the small example shown in Figure 3 in which Process X is sending data to Process Y through a … inputs, (1) datain, which takes input data, (2) write, which is asserted when new data is to be written to the FIFO, and (3) … outputs, (1) dataout, which is driven with output data when a read is performed, (2) empty, which indicates that the buffer contains no data, and (3) full, which indicates that no new data can be written to the buffer.

In the following examples we assume a discrete event timing model which is commonly used with hardware and hardware-software description … model for explanation purposes, the fault model is not limited in this way and we will investigate the use of different timing assumptions …

[Figure 3 residue: Proc. X … processes communicating via a FIFO]

There are several signal timing relationships which must be maintained to guarantee correct communication between the two … for FIFO-based communication include the maximum latency on output … asserted later than expected, then Process Y may attempt to read data from an empty buffer. Figure 4 depicts the timing details involved with a … of the empty signal in the FIFO description where the empty signal is …, it must check the empty signal as shown in Figure 4b. The event … there is a use occurrence during the error span, then that use will receive different data values in the correct and the faulty circuits, … when Process X writes data to the FIFO the write signal must be asserted after the datain lines receive … may occur before data is ready … associated with the du pair shown in Figures 5a and 5b.

The datain lines are defined in the code shown in Figure 5a, and the datain lines are inserted into the buffer in the code shown in Figure 5b. … can now define a fault model which describes the set of timing faults potentially contained in a … to do so, we must make clear the distinction between a definition (use) statement and a definition (use) occurrence in our terminology. A statement refers to a statement in the original procedural specification of the hardware-software system, while an occurrence refers to the execution of a … times during simulation, and may therefore be associated with many … A definition occurrence is a tuple $do = (d_s, t)$ and a use occurrence is a tuple $uo = (u_s, t)$:

- $d_s \in D_s$, where $D_s$ is the set of all statements in the hardware-software description which assign a value to signal $s$.
- $u_s \in U_s$, where $U_s$ is the set of all statements in the hardware-software description which use the value of signal $s$.
- $t$ is a non-negative …

… (MTE) fault to be associated with each pair of definition and use statement pairs on a given signal $s \in S$, where $S$ is the set of all signals used in the design.

The existence of an MTE fault indicates that the associated signal definition occurs at the incorrect time and causes the associated use to receive … types of MTE faults can exist, MTE-early where the definition occurs earlier than the correct time, and MTE-late … An MTE-early (MTE-late) fault is a tuple $m = \langle d_s, u_s \rangle$.

[Figure 4 residue: (a) a section of the FIFO description containing the definition "empty <= 1;", (b) a section of the Process Y description containing the use "if (empty != 1) x := ReadFromFIFO();", (c) event trace over time showing the correct Def, the Use, the late Def and the error span. Caption: … is asserted late, (a) a section of the FIFO description, (b) a section of the Process Y description, (c) event trace with error span highlighted.]

For example, Figure 4 shows an MTE-late fault and Figure 5 shows an MTE-early … and 5 demonstrate that a timing fault associated with a signal is detected only if there is a …, the precise position of the error span is …, however, that the error span must extend, either forward or backward in time, … use occurrence is within the error …

[Figure 5 residue: (a) a section of the Process X description containing the definition "datain <= x;", (b) a section of the FIFO description containing the use "buffer[i] <= datain", (c) event trace over time showing the Def and the error span. Caption: … asserted early, (a) a section of the Process X description, (b) a section of the FIFO description, (c) event trace.]

Fault …, the use occurrence must be close to the corresponding …, a …, in each case, the use occurrence is immediately adjacent … MTE-late fault is accomplished by the use before the erroneous time step, and the MTE-early fault is … state these fault detection requirements given a …

Definition. An MTE-early fault, $m_e = \langle d_s, u_s \rangle$, is detected if there exist a definition occurrence $(d_s, t_1) \in D$ and a use occurrence $(u_s, t_2) \in U$ such that the use precedes the definition and $t_1 - t_2 \le \delta$.

Definition. An MTE-late fault, $m_l = \langle d_s, u_s \rangle$, is detected if there exist $(d_s, t_1) \in D$ and $(u_s, t_2) \in U$ such that the use follows the definition and $t_2 - t_1 \le \delta$.

$\delta$ is the error span threshold, a non-negative integer representing the maximum time between the definition and use occurrence. $\delta$ is also the minimum size of an error span which is …

IV. TIMING FAULT SIMULATION

We define fault simulation as the process of determining the number of MTE faults detected by simulating the design with a given … used the SystemC language [23], which is freely available and allows simulation by compilation to a C++ … pairs identification. The detection of MTE faults requires a dataflow in a definition-use pair and a use-definition pair. … if a definition occurs to generate some condition under which a use will never occur, then this du pair can never occur. An MTE fault which can never occur is … the simulation in the form of a … Coverage Computation. The timed trace is analyzed … executed within $\delta$ time units of each other, then the MTE fault is considered …

V. EXPERIMENTAL RESULTS

To evaluate the MTE fault model, we have used SystemC as the hardware-software language, although any language which supports discrete event simulation might have … [23].
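The MTE detection definitions and the fault simulation steps described above (fault list, du pair identification, timed-trace analysis, coverage computation), as an added Python example that is not the authors' SystemC tooling. The signal and statement names are constructed and loosely follow Figures 4 and 5; the timed trace is a constructed execution of the correct design; and treating faults whose definition or use statement never executes as unactivatable, excluded from the coverage denominator, is an assumption made here, since the page does not say how such faults are counted.

```python
"""MTE (Mis-Timed Event) fault simulation over a timed definition/use trace.

Added example, not the paper's tooling. For each signal s, every pair of a
definition statement d_s and a use statement u_s carries one MTE-early and
one MTE-late fault. From a timed trace of the *correct* design:
  - MTE-late  <d_s, u_s> is detected if a use follows a definition within
    delta time units      (0 <= t2 - t1 <= delta),
  - MTE-early <d_s, u_s> is detected if a use precedes a definition within
    delta time units      (0 <  t1 - t2 <= delta).
Faults whose def or use statement never executes can never be activated and
are left out of the coverage denominator (an assumption made here).
"""
from collections import defaultdict

# Constructed design: signal -> (definition statements, use statements).
DESIGN = {
    "empty":  ({"fifo:empty<=1", "fifo:empty<=0"}, {"procY:if(empty!=1)"}),
    "datain": ({"procX:datain<=x"},                {"fifo:buffer[i]<=datain"}),
    "full":   ({"fifo:full<=1"},                   {"procX:if(full!=1)"}),
}

# Constructed timed trace of the correct design: (kind, statement, time).
TRACE = [
    ("def", "fifo:empty<=0",          0),
    ("use", "procX:if(full!=1)",      3),
    ("def", "procX:datain<=x",        4),
    ("use", "fifo:buffer[i]<=datain", 5),   # write one unit after datain is driven
    ("use", "procY:if(empty!=1)",     8),
    ("def", "fifo:empty<=1",         10),
    ("use", "procY:if(empty!=1)",    12),   # read attempt two units after empty<=1
    # "fifo:full<=1" never executes in this trace.
]


def mte_faults(design):
    """Fault list: (signal, def statement, use statement, kind) for every
    def/use statement pair of every signal, kind in {"early", "late"}."""
    return [(sig, d, u, kind)
            for sig, (defs, uses) in design.items()
            for d in sorted(defs)
            for u in sorted(uses)
            for kind in ("early", "late")]


def occurrences(trace):
    """statement -> sorted list of times at which it executed."""
    occ = defaultdict(list)
    for _kind, stmt, t in trace:
        occ[stmt].append(t)
    return {stmt: sorted(ts) for stmt, ts in occ.items()}


def is_detected(fault, occ, delta):
    """Apply the MTE detection definitions to one fault against the trace."""
    _sig, d, u, kind = fault
    for t1 in occ.get(d, []):
        for t2 in occ.get(u, []):
            if kind == "late" and 0 <= t2 - t1 <= delta:
                return True   # use closely follows the definition
            if kind == "early" and 0 < t1 - t2 <= delta:
                return True   # use closely precedes the definition
    return False


def simulate(design, trace, delta):
    """Classify every MTE fault and compute coverage = detected / activatable."""
    occ = occurrences(trace)
    result = {"detected": [], "undetected": [], "unactivatable": []}
    for f in mte_faults(design):
        _sig, d, u, _kind = f
        if d not in occ or u not in occ:
            result["unactivatable"].append(f)   # this du pair never occurs
        elif is_detected(f, occ, delta):
            result["detected"].append(f)
        else:
            result["undetected"].append(f)
    activatable = len(result["detected"]) + len(result["undetected"])
    result["coverage"] = len(result["detected"]) / activatable if activatable else 0.0
    return result


if __name__ == "__main__":
    for delta in (0, 2, 8):
        r = simulate(DESIGN, TRACE, delta)
        print(f"delta={delta}: detected={len(r['detected'])} "
              f"undetected={len(r['undetected'])} "
              f"unactivatable={len(r['unactivatable'])} coverage={r['coverage']:.2f}")
```

With the constructed trace and $\delta = 2$, the late fault on datain and both faults on the empty<=1 definition are detected, the faults on empty<=0 are not (its only uses come 8 and 12 units later), and the two faults on full are unactivatable because full<=1 never executes. Raising $\delta$ counts more faults as detected, but per the threshold definition above it only guarantees detection of correspondingly larger error spans; the undetected list names the def/use pairs whose timing a test sequence would have to bring closer together.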

