CHAPTER 3 EFFICIENT VALIDATION INPUT GENERATION IN
4.8 Discussion about Final Decision Tree
In GoldMine, when all assertions on the decision tree are true assertions, the decision tree converges to the final decision tree (FDT), which represents the function of the target output.
As an alternative to the FDT, binary decision diagrams (BDDs) [99] are widely adopted to compactly represent Boolean functions. However, the FDT is dynamically and incrementally constructed from concrete simulation data, while a BDD is statically built from the logic function. This dynamic and incremental construction gives the FDT several unique characteristics in the specific context of assertion/test generation.
Owing to this dynamic construction, the FDT is able to include the reachable states in the function of the target output, and each generated assertion can be triggered by at least one reachable state. In addition, as an implementation optimization, we can prune a subtree whose leaf nodes all carry true assertions during the incremental construction of the FDT. In this section, we first compare BDD and FDT in terms of reachable-state computation, then give formal proofs that the FDT includes the reachable states, and finally describe the dynamic pruning process of the FDT.
4.8.1 Reachable States of Sequential Design
For the target output in a sequential design, the FDT reconstructs a logic function from dynamic simulation data. The primary input and state variables within the output's logic cone are the parameters of this logic function. Meanwhile, a BDD can represent the output's logic function in the design in terms of the same parameters. The difference between these two logic functions lies in whether the reachable states are included.
In a sequential design, not all states are reachable from the initial states. Using BDDs to compute the reachable states involves a fixpoint computation [100]. Unfortunately, this fixpoint computation always suffers from state space explosion. Without the fixpoint computation, simply using a BDD to build the function of the target output cannot include the reachable states. If we view each path from the root to a terminal node in the BDD as one assertion, some assertions may correspond to unreachable states and are thus vacuous. The FDT, however, automatically includes the reachable-state constraints (Theorem 5), and all of its generated assertions are non-vacuous (Theorem 6).
The advantage of the FDT in this context comes from using dynamic simulation data together with a formal verifier. The decision tree partitions the simulation traces based on splitting variables, so each leaf node of the FDT corresponds to at least one concrete, reachable state.
Given one target output $z = f(x_1, x_2, \ldots, x_m, s_1, s_2, \ldots, s_n)$ in a sequential design, where $x_1, x_2, \ldots, x_m$ are the input variables and $s_1, s_2, \ldots, s_n$ the state variables in the logic cone of $z$, the set of reachable states of the design is represented as $R(s_1, s_2, \ldots, s_n)$, which can be calculated using a fixpoint computation [5]. Note that we simply discard the state variables outside the logic cone of $z$. Each satisfying assignment of $R(s_1, s_2, \ldots, s_n)$ is a reachable state of the design. In symbolic model checking [5], the transition relation and the initial states are encoded as BDDs, and the fixpoint computation is carried out with BDD operations [101].
For the target output $z$, we denote the function represented by the FDT as $z_{fdt}(x_1, x_2, \ldots, x_m, s_1, s_2, \ldots, s_n)$. Each generated assertion has one of two kinds of consequent: $z_{fdt} = 0$ or $z_{fdt} = 1$. We denote the set of assertions with output equal to zero as $A = \{A_1, A_2, \ldots, A_p\}$ and the set of assertions with output equal to one as $B = \{B_1, B_2, \ldots, B_q\}$. We use the $\mathrm{Ante}$ operator to denote the antecedent of an assertion. The function $z_{fdt}$ can then be defined as:
$$z_{fdt}(x_1, x_2, \ldots, x_m, s_1, s_2, \ldots, s_n) = \bigvee_{1 \le r \le q} \mathrm{Ante}(B_r). \quad (4.2)$$
Theorem 5. $\forall c \in \{0, 1\}$, $(f(x_1, x_2, \ldots, x_m, s_1, s_2, \ldots, s_n) = c) \wedge R(s_1, s_2, \ldots, s_n) \Rightarrow (z_{fdt}(x_1, x_2, \ldots, x_m, s_1, s_2, \ldots, s_n) = c)$.
Proof intuition: Given one group of concrete values on the primary input and state variables, if the concrete state does not satisfy $R(s_1, s_2, \ldots, s_n)$, the theorem holds trivially. If the concrete state satisfies $R(s_1, s_2, \ldots, s_n)$, we must show that $f$ and $z_{fdt}$ produce the same value $c$. (1) For a given input and state satisfying some $\mathrm{Ante}(B_r)$, the value $c$ predicted by $z_{fdt}$ is 1. If $f$ computes $c = 0$ for this input and state, $B_r$ would be a spurious assertion on the design, which contradicts the definition of the FDT: all of its assertions are true. (2) For a given input and state not satisfying any $\mathrm{Ante}(B_r)$, there exists an assertion $A_t$ that predicts the value $c$ to be 0. Similarly, if $f$ computes $c = 1$ for this input and state, $A_t$ would be a spurious assertion on the design.
Theorem 5 implies that the FDT precisely represents the primary output function: for each reachable state and any value on the primary inputs, the FDT produces the same value as the output function in the design. For an unreachable state, the FDT is allowed to produce an arbitrary value. If instead a BDD is used to represent $f$, the BDD is required to produce exactly the same value as the circuit for any given state and primary inputs, regardless of whether the state is reachable.
Theorem 6. $\forall i \in \{1, 2, \ldots, p\}$, $\mathrm{Ante}(A_i) \wedge R(s_1, s_2, \ldots, s_n)$ is always satisfiable. Likewise, $\forall i \in \{1, 2, \ldots, q\}$, $\mathrm{Ante}(B_i) \wedge R(s_1, s_2, \ldots, s_n)$ is also always satisfiable.
Proof intuition: The FDT is built from concrete simulation data. Each path from the root to a leaf node corresponds to a set of simulation data, which means this simulation data satisfies $\mathrm{Ante}(A_i)$ or $\mathrm{Ante}(B_i)$. On the other hand, since this concrete simulation data comes from the computation of the design, it also satisfies $R(s_1, s_2, \ldots, s_n)$.
Theorem 6 implies that all assertions generated from the final decision tree are non-vacuous. In other words, the antecedent of each assertion covers at least one reachable state, and each reachable state is able to trigger one assertion. In comparison, in the BDD representation of $f$, each path from the root node to a leaf node can be considered an assertion for the corresponding output. As a result, some assertions generated from the BDD are vacuous, since their antecedents correspond to unreachable states. If these assertions are output for verification, they lower the assertion coverage.
4.8.2 Dynamic Subtree Pruning
As an implementation optimization, the decision tree can prune subtrees whose leaf nodes all carry true assertions during the incremental construction process. Since the incremental decision tree algorithm stops splitting on nodes with true assertions and only continues to split on spurious assertions, it is unnecessary to keep the true-assertion subtrees in memory. A memory optimization strategy can therefore dynamically prune the subtrees with all true assertions in each refinement iteration. In contrast to BDDs, this dynamic pruning effectively sidesteps the problem of memory explosion in this context. Moreover, removing a subtree with true assertions does not compromise the functionality of the corresponding output.
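The following is an added example, not GoldMine's code, illustrating both Section 4.8.1 (reachable states and Theorems 5 and 6) and Section 4.8.2 (dynamic pruning) on one constructed design: a 3-state counter with a single primary input x and state bits s1, s0, whose encoding (1,1) is unreachable. The decision tree is grown from a simulation trace; at each leaf the candidate assertion is checked by an exhaustive enumeration over reachable states that stands in for the formal verifier, a true assertion is emitted and its rows dropped, and a spurious one absorbs the counterexample and is split further. The design, the variable names, the misclassification-count splitting criterion and the trace are all assumptions of this example.

```python
from itertools import product

VARS = ["x", "s1", "s0"]   # primary input x, state bits s1 s0 (constructed design)

def f(x, s1, s0):
    """Target output z = f(x, s1, s0) of the constructed design."""
    return int(x and (s1 or s0))

def next_state(x, s1, s0):
    """Constructed 3-state counter: step mod 3 when x=1, hold otherwise.
    The encoding (s1, s0) = (1, 1) is never entered, so it is unreachable."""
    s = 2 * s1 + s0
    if x:
        s = (s + 1) % 3
    return ((s >> 1) & 1, s & 1)

def reachable_states(init=(0, 0)):
    """Explicit fixpoint over the transition relation: stand-in for R(s1, s0)."""
    seen, frontier = {init}, [init]
    while frontier:
        st = frontier.pop()
        for x in (0, 1):
            nxt = next_state(x, *st)
            if nxt not in seen:
                seen.add(nxt)
                frontier.append(nxt)
    return seen

def simulate(inputs, init=(0, 0)):
    """Concrete simulation trace as (assignment, z) rows; every row is reachable."""
    rows, (s1, s0) = [], init
    for x in inputs:
        rows.append(({"x": x, "s1": s1, "s0": s0}, f(x, s1, s0)))
        s1, s0 = next_state(x, s1, s0)
    return rows

def matches(assign, ante):
    return all(assign[v] == val for v, val in ante.items())

def verify(ante, value, reach):
    """Stand-in for the formal verifier: check Ante -> (z == value) over all inputs
    and all *reachable* states; return a counterexample row, or None if it holds."""
    for x, s1, s0 in product((0, 1), repeat=3):
        a = {"x": x, "s1": s1, "s0": s0}
        if (s1, s0) in reach and matches(a, ante) and f(x, s1, s0) != value:
            return (a, f(x, s1, s0))
    return None

def best_split(rows, unused):
    """Splitting variable whose children are purest (misclassification count)."""
    def impurity(var):
        return sum(min([z for a, z in rows if a[var] == v].count(c) for c in (0, 1))
                   for v in (0, 1))
    return min(unused, key=impurity)

def refine(rows, ante, unused, proven, reach):
    """Incremental construction: a leaf whose assertion holds is emitted and its rows
    dropped (dynamic pruning); a spurious leaf absorbs the counterexample and is split."""
    value = max((0, 1), key=lambda c: sum(1 for _, z in rows if z == c))
    cex = verify(ante, value, reach)
    if cex is None:
        proven.append((dict(ante), value))
        return                      # true assertion: this subtree leaves memory
    rows = rows + [cex]             # counterexample trace drives the refinement
    var = best_split(rows, unused)
    for v in (0, 1):
        sub = [r for r in rows if r[0][var] == v]
        if sub:                     # a branch with no concrete data is never grown
            refine(sub, {**ante, var: v}, [u for u in unused if u != var], proven, reach)

def build_fdt(trace):
    """Grow the FDT from a trace; returns the true assertions and the reachable states."""
    reach, proven = reachable_states(), []
    refine(trace, {}, list(VARS), proven, reach)
    return proven, reach

def z_fdt(proven, assign):
    """Equation (4.2): the OR of the antecedents whose consequent is z = 1."""
    return int(any(matches(assign, ante) for ante, c in proven if c == 1))

def check_theorems(proven, reach):
    """Theorem 5: f and z_fdt agree on every reachable state for every input.
    Theorem 6: every antecedent is met by at least one reachable (input, state)."""
    reach_rows = [{"x": x, "s1": s1, "s0": s0}
                  for x, s1, s0 in product((0, 1), repeat=3) if (s1, s0) in reach]
    agree = all(f(**a) == z_fdt(proven, a) for a in reach_rows)
    nonvac = all(any(matches(a, ante) for a in reach_rows) for ante, _ in proven)
    return agree, nonvac

def static_vacuous_paths(reach):
    """Full-assignment paths that a static representation of f must also fix even
    though their state is unreachable: as assertions they would be vacuous."""
    return [(x, s1, s0) for x, s1, s0 in product((0, 1), repeat=3) if (s1, s0) not in reach]

if __name__ == "__main__":
    proven, reach = build_fdt(simulate([1, 0, 1, 1, 0, 1, 1, 1, 0]))
    for ante, c in proven:
        print(" & ".join(f"{k}={v}" for k, v in ante.items()), "->", f"z={c}")
    print(check_theorems(proven, reach), static_vacuous_paths(reach))
```

On the constructed trace the tree converges to four assertions, none of which mentions the unreachable state (1,1): the leaf `x=1 & s0=1 -> z=1` is accepted without ever fixing the value at (x, s1, s0) = (1,1,1), exactly the freedom Theorem 5 grants the FDT, whereas the static enumeration in `static_vacuous_paths` still has to carry the two paths through that state. Each proven leaf's rows are released as soon as the verifier confirms the assertion, so only the spurious frontier of the tree is held in memory during refinement.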