Automatic Generation of Functional Coverage Models from Behavioral Verilog Descriptions

Shireesh Verma
shireesh@ics.uci.edu

Ian G. Harris
harris@ics.uci.edu

Kiran Ramineni
kiran@ics.uci.edu

Department of Computer Science
University of California Irvine
Irvine, CA 92697, USA

ABSTRACT

As an industrial practice, the functional coverage models are developed based on a high-level specification of the Design Under Verification (DUV). However, in the course of implementation a designer makes specific choices which may not be reflected well in a functional coverage model developed entirely from a high-level specification. We present a method to automatically generate implementation-aware coverage models based on the static analysis of a HDL description of the DUV. Experimental results show that the functional coverage models generated using our technique correlate well with the detection of randomly injected errors into a design.

1. INTRODUCTION

Functional verification is known to be a difficult task accounting for 70% of the development time [22, 3]. Simulation-based verification and formal verification are two vehicles used for this task. Simulation-based verification is the principle means of verification well accepted in the industry [8, 9, 7, 23, 17] due to the tractability and usability of the simulation process. Simulation-based verification involves several steps, such as test generation and response evaluation, but coverage models [10] are central to all steps in the simulation process. A coverage model defines a set of criteria that are used to determine which design errors are detected by a test sequence. A coverage model provides an empirical measure of the completeness of a test sequence [11] and the error detection criteria can be used to direct the test generation process[5].

Most behavioral coverage metrics focus on the syntactic properties of a design [4], placing little emphasis on coverage from a functional standpoint. For example, statement coverage seeks maximum number of statements be executed, the number depending on the adequacy criteria being considered. Similarly, branch and path coverage criterion seek adequate coverage on branches and paths [14]. These metrics do not ensure completeness with respect to the implementation. In order to install a measure of coverage confidence with respect to the functionality, a functional coverage model is required. The construction of such a coverage model is an entirely manual process [12, 21] even with the state of art in industry today. The development of a functional coverage model is done based on a thorough study of the high-level design specification documents written in English. A list of design features is extracted thereafter. Each of these features is interpreted in terms of a relation between signals in the executable design description. These relationships are expressed in terms of coverage monitors written in a Hardware Verification Languages (HVLs) such as c, SystemC, and Vera. These coverage monitors keep track of coverage of design functionality and provide a numerical measure for it.

A major downside to using such a model emanates from the inherent gap between specification and implementation. A hardware designer interprets an abstract specification and makes choices which culminate in an implementation [24]. In the course of this process the designer may introduce some restrictions on the behavior otherwise allowable from interpretation of only the specification. A functional coverage model derived only from specification is bound to miss such fine granular intricacies introduced in the behavior.

To the best of our knowledge there is no general approach to generate functional coverage models automatically based on the implementation. In this work we propose a method which allows generation of a functional coverage model based on a static analysis of the HDL description of the DUV, which allows us to obtain for every signal, a dependency chain of signals and the restrictions imposed on their values domains. The output of our technique is a set of coverage groups in Vera [13] which collectively describe the functional coverage model. Each coverage group specifies a function of a set of signals in the design. The function is evaluated at each clock cycle during simulation. Functional coverage is the fraction of coverage groups whose functions evaluate to TRUE at some point during simulation. The coverage groups are defined so that satisfying all coverage functions during simulation indicates that the test stimuli thoroughly explore the functionality as it related to the given signals. Functional coverage using our technique is well correlated to error detection.

The remainder of the paper is organized as follows. An example illustrating the need of an precise method for development of implementation-cognizant coverage models is shown in Section 3. The Overview of our approach is summarized in Section 4. The construction and algorithm for our static analysis approach is explained in Section 5. The experimental infrastructure required is discussed in Section 6. The
technique used to simulate real design errors is presented in Section 7. The results are presented in Section 8 and conclusions are described in Section 9.

2. PREVIOUS WORK

Previous research has explored the development and use of functional coverage models. Research presented in [6] proposes manual extraction of an FSM based coverage model from design specification. Work described in [12, 25] introduces a manually developed coverage model based on cross-product combinations of signal values. In [24] constraints specified as boolean expressions are used for generating coverage model for interface protocols. Research presented in [19] builds a hierarchical temporal event relation graph for constraints described in FLTL [22] and an event coverage model is generated by an eliminative traversal of the graph.

In [16] authors propose a way to measure completeness of a set of properties expressed in CTL [20]. For each signal involved in the set of properties, they find the set of design states, where changing the value of that signal could invalidate a property from the given set of properties under verification. A union of all such design state sets is taken over all such signals. The number of states in the union expressed as a percentage of the total number of design states is considered an indicator of property coverage. However, the complexity of this process is same as that of model checking. The work described in [18] outlines a formal method to compare a specification to its corresponding implementation. They lay down four criteria for detecting a slack between specification and implementation. If any of these criteria is found to be a non-empty set then either the specification is under-specified or implementation is not in compliance with the intent of specification. But, the complexity of this process is worse than that of model checking.

3. FUNCTIONAL COVERAGE PROBLEM

A complete functional coverage model must consider details of the implementation because the implementation can include relationships between signals which are not described in the specification. Consider a small Verilog design example shown in Figure 1 consisting of three boolean signals $a$, $b$ and $wr_en$. Assume that the specification requires the CTL property in Equation 1 must always hold in order for the design to be functionally correct.

$$AG(a \to b) \quad (1)$$

The property in Equation 1 requires that if the value of $a$ is 1 then the value of $b$ must be 1. Any deviation from this will be considered an erroneous behavior. This property involves only the signals $a$ and $b$. Each of the two signals has a domain of $\{0, 1\}$. Hence, a total of following four valuations exist.

$$(a, b) = \{(0, 0), (0, 1), (1, 0), (1, 1)\}$$

Of the four possible valuations, three of them are legal $\{(0, 0), (0, 1), (1, 1)\}$, and one is illegal $\{(1, 0)\}$. However, the analysis of implementation in Figure 1 reveals an additional dependency on the signal $wr_en$. In this case, a total of following eight valuations exist.

$$(a, b, wr_en) = \{(0, 0, 0), (0, 0, 1), (0, 1, 0), (0, 1, 1), (1, 0, 0), (1, 0, 1), (1, 1, 0), (1, 1, 1)\}$$

Of the eight possible valuations, seven of them are legal $\{(0, 0, 0), (0, 0, 1), (0, 1, 0), (0, 1, 1), (1, 0, 0), (1, 1, 0), (1, 1, 1)\}$, and one is illegal $\{(1, 0, 1)\}$. It can be noticed that the new legal valuation $(a, b, wr_en) = (1, 0, 0)$ violates the property depicted in Equation 1 since $(a, b) = (1, 0)$. In this case if the design is not analyzed and coverage model is developed only from the high level property, the simulation results will indicate a false design error.

Figure 1: Functional Coverage Example

Here, each valuation of the signals will become a coverage monitor. The set of coverage monitors will be divided into two groups.

- **Good Points** - These are valuations which legal and are allowed to occur during simulation. A coverage monitor will be created for each good point to detect whether or not it occurs during simulation. The fraction of good points which occur during simulation is the reported functional coverage value.

- **Bad Points** - These are valuations which are illegal and must never occur. A coverage monitor will also be created for each bad point, but if a bad point is found to occur then simulation is halted because an error has been detected. Bad points are equivalent to assertions.

Once the good points and bad points have been identified, the VERA language is used to implement coverage monitors using its coverage_group [13] construct. The coverage groups are added to the testbench and their conditions are checked during simulation. The functional coverage value is the fraction of good points whose coverage groups have detected at least one occurrence during simulation.

4. SYSTEM OVERVIEW

The input to our coverage model generation engine is a description of the DUV in Verilog HDL. The output is a functional coverage model expressed as a set of VERA coverage groups [13].

The coverage points allow us to measure the degree of exploration of design behavior pertaining to associated signals and in the functional vicinity of aggregate of those signals. In order to keep this discussion independent of any particular verification language, we will refer to a VERA coverage group as a coverage monitor for the rest of this paper. A functional coverage model is a set of coverage monitors which correspond to the HDL code in question.

Figure 2 illustrates the structure of our functional coverage model generation engine.
5. FUNCTIONAL COVERAGE MODEL GENERATION

Each of the important components highlighted in Figure 2 will be described in the following sections.

5.1 Control-Data Flow Graph Generation

A Verilog design D can be specified as a tuple \((V, E)\), where:

- \(V\) is the set of signals in the design, where \(v \in V\) has an associated finite domain of values.
- \(E\) is a set of statement blocks each of which contain procedural statements.

Let us assume \(G\) is the set of Control-Data Flow Graphs (CDFGs) \(g\) corresponding to each of the processes \(b \in B\). Let us also assume that \(C(b)\) is the set of all conditional constructs in the process \(b\). A CDFG \(g\), for a process \(b\), can be defined as a tuple \((N_C, N_D, E)\), where:

- \(N_C\) is a set of nodes that represent control flow in the graph such that for every \(n, c \in N_C\) there is exactly one \(c, c' \in C(b)\).
- \(N_D\) is a set of nodes that represent only the data flow in the graph.

We assume that assignments to a signal are performed only in a single process. Let \(Graph(v)\) be the graph for the process in which the assignments to signal \(v \in V\) are made such that \(|Graph(v)| \leq 1\). Let \(A_v\) be of all the assignments made to signal \(v\). Hence, \(A(m) \cap A_v\) is the set of assignments made to a signal \(v\) in a node \(m \in N_D\). We assume that \(|A(m) \cap A_v| \leq 1\) such that at most one assignment made to signal \(v\) in node \(m\).

Let \(A_p(v)\) be an assignment to a signal \(v \in V\) such that it is made in a node \(N_p(v) \in N_D\) which is closest to the terminal node on a control flow path \(p, p \in P\).

Let us define a set \(Dom(n, p)\) which contains all the nodes preceding the node \(n\) on a path \(p\) in the graph, where \(Dom(n, p) \subseteq N\). Let \(COND(n)\) be the conditional construct \(c\) corresponding to the node \(n\), such that \(c \in C(b)\) and \(COND(n) = \bot\). We define \(Dom(n, p)\) as the set of nodes such that

\[
COND(n) = \bigcup_{l \in Dom(m, p)} COND(l)
\]

Let \(Dom_{var}(n, p)\) be set of variables representing the values of conditional predicates such that there is exactly one \(c_{var,c_{var}} \in Dom_{var}(n, p)\) for every \(c, c \in C(dom(n, p))\).

Let \(Dom_{val}(n, p)\) be set of values of the variables of conditional predicates such that there is exactly one \(c_{val,c_{val}} \in Dom_{val}(n, p)\) for every \(c, c \in C(dom(n, p))\).
5.2 Dependency Analysis

We need to determine data and control dependencies between signals across all Verilog processes. This dependency information is required to build a coverage model based on cross product of signals. Let us define a function $\text{Rhs}(a)$ which returns the expression on the RHS of an assignment $a$. In case, the expression is a constant, the constant value is returned. Let $\text{Expr}(c)$ be a function which returns the expression corresponding to the predicate of the conditional construct $c$. Let $\text{Var}(E)$ be the set of signals involved in an expression $E$.

Let $q_{wp}$ be a variable such that for every $(A_p(v)) \exists q_{wp} \in \{0,1\}$ such that

$$q_{wp} = \begin{cases} 1 & : v = \text{Rhs}(A_p(v)) \\ 0 & : v \neq \text{Rhs}(A_p(v)) \end{cases}$$

Let $L_{id}$ and $L'_{id}$ be a set of signals/variables and $L_{val}$ and $L'_{val}$ be the set of values for these signals/variables such that there is a one-to-one correspondence between these two sets. This pair represents a coverage point.

Let $M$ be a set consisting of pairs ($X,Y$) such that $X$ is a set of signals, $v \in V$ (or variables) and $Y$ is a set containing their corresponding values. Hence, every $m, m \in M$ corresponds to a coverage point. Let $M$ correspond to the set of good coverage points and assume a set $M'$ which represents bad coverage points.

Figure 5 shows the algorithm for our coverage model generation approach. We use a Verilog process shown in the Figure 3 and its corresponding CDFG in the Figure 4 in order to illustrate our algorithm. The rectangular nodes are data nodes whereas oval nodes represent control nodes. We initialize the sets $L_{id}, L_{val}, L'_{id}, L'_{val}, M, M'$. Lets say we pick the signal $b$, and find $\text{Graph}(v)$, which gives the graph corresponding to the process in which $b$ is being assigned, as shown in line 01 of $\text{ProcessSig}$.

There are 3 control flow paths in the $\text{Graph}(v)$, let us call them $p1, p2, p3$. We start with path $p1$. $A_p(v)$ corresponds to the assignment $b = 3$. So $\text{Rhs}(A_p(b)) = 3$. Here, $N_{val}(v)$ is the terminal node of the graph. We have $\text{Cdom}_{val}(N_{val}(v), p1) = \{a, w, w\cdot w\}$ and the corresponding

\text{ProcessSig}(\text{Signal } v, \text{ Set } G)
01:  foreach ($\text{Graph}(v) \in G$)
02:     foreach ($p \in P$
03:         if ($\text{Rhs}(A_p(v)) == \text{constant}$)
04:             $L_{id} = L_{id} \cup \text{Cdom}_{id}(N_{val}(v), p) \cup \{q_{wp}\}$
05:         else
06:             $L_{id} = L_{id} \cup \text{Cdom}_{id}(N_{val}(v), p) \cup \{1\}$
07:         $L_{val} = L_{val} \cup \text{Cdom}_{val}(N_{val}(v), p) \cup \{0\}$
08:     else
09:         $L_{id} = L_{id} \cup \text{Cdom}_{id}(N_{val}(v), p)$
10:         $L_{val} = L_{val} \cup \text{Cdom}_{val}(N_{val}(v), p)$
11:     $M = M \cup \{L_{id}, L_{val}\}$
12:     $M' = M' \cup \{L_{id}, L_{val}\}$
13:     foreach ($c \in \text{Cdom}_{id}(N_{val}(v), p)$
14:         $\text{ProcessSig}(c, G)$
15:     $\text{ProcessSig}(v, G)$
16:     return ($M, M'$);

\text{BuildModel}()
01:  $M \leftarrow \emptyset; M' \leftarrow \emptyset$
02:  foreach $v \in V$
03:     $L_{id} \leftarrow \emptyset; L_{val} \leftarrow \emptyset; L'_{id} \leftarrow \emptyset; L'_{val} \leftarrow \emptyset$
04:     $\text{ProcessSig}(v, G)$
05:  return ($M, M'$);

5.3 Coverage Code Generation

The process discussed in Section 5.2 is repeated for the paths $p2$ and $p3$ and we obtain the following set of coverage points. $M = \{(a = 1, w, w\cdot w = 1, q_{wp} = 1), (a = 1, w, w\cdot w = 0, q_{wp} = 0)\}$, $M' = \{(a = 0, w, w\cdot w = 1, q_{wp} = 0), (a = 0, w, w\cdot w = 0, q_{wp} = 0)\}$. The coverage monitor tracks the occurrences of these points. Occurrence of a point from the set $M$ signifies coverage of that point from functional standpoint while occurrence of a point from the set $M'$ indicates a functional error. Figure 6 shows the VERA coverage group for the above obtained functional coverage model.

6. EXPERIMENTAL SETUP

In order to illustrate our approach we built the following experimental infrastructure.

Benchmark Design. The most challenging issue for any functional verification technique is its scalability. With this caveat in consideration we decided to use design of an industrial scale microprocessor for the purpose of demonstrating our approach. We chose a Verilog description of a DLX processor available from
7. ERROR INJECTION

Error injection is required to demonstrate the efficacy of our approach for generating functional coverage model. An efficient error injection mechanism is needed which is capable of injecting errors which successfully mimics real design errors. We chose to randomly change the values of signals during the simulation. Even in case of non-boolean signal values, our coverage function required either the signal has a specified value or it has any other value. So the random value injection is essentially boolean in nature.

We use the following mechanism for error injection. It employs three levels of randomization. We exploit VERA's randomization and constraint solving capabilities for this purpose.

Signals A list of signals satisfying the criteria mentioned later in this section is prepared. A signal is chosen at random for injecting error for each simulation run.

Values A value domain for each signal is specified. It is effectively reduced to a boolean domain for all signals as discussed in this section earlier. A value is chosen at random for the signal chosen in the previous step for each simulation run.

Time For every simulation run, the random signal and value selected in the previous steps is injected during simulation at a random simulation time.

During any single simulation run only one randomly error generated is injected. Errors are only injected on signals which are involved in the generated coverage model. Error injection is restricted in this way in order to focus on errors which impact the developed coverage model. The coverage monitors generated by our technique are meant to depict the developed coverage model. If an error does not impact the coverage model then there is no guarantee that is will be captured by our coverage monitors. For this reason we need to inject errors which have a high likelihood of impacting the coverage model.

8. EXPERIMENTAL RESULTS

We evaluate the effectiveness of our technique by computing functional coverage for the DLX benchmark and comparing functional coverage to error coverage, the fraction of injected errors actually detected. The measure of the effectiveness of our functional coverage is to see how closely functional coverage predicts the error detection rate. An optimal functional coverage model would exactly match the error coverage.

We generated our coverage model in 37 seconds on a 1503 MHz Sun UltraSpark cpu with SunOS version 5.9. Our coverage model consisted of a total of 7887 coverage points.
out of which 5349 were good points and 2538 were bad points. These constitute a small percentage (<1% of the total number of points in the coverage space.

Figure 7 shows a graphical representation of the evaluation results. It shows two sets of points, 1. Functional Coverage based on our functional coverage values, and 2. Statement Coverage. A total of 20 DLX programs generated as described in Section 6 were used. Each of the 20 DLX programs were executed before any error injection. The coverage monitors generated as described in Section 4 provided the functional coverage and the percentage functional coverage for each of these correct executions was computed. A total of 100 errors were then injected as explicated in Section 7 for each program. The number of injected errors detected was recorded for each DLX program and error detection percentage was computed. The line labeled Perfect Coverage shows where all points would lie for a perfect coverage metric which is always exactly equal to error coverage.

It is clear at a glance that the points for our functional coverage are closer to the perfect line than those for statement coverage. This improvement can be seen formally by evaluating the average coverage difference, the difference between functional/statement coverage and error coverage. A small difference indicates a more accurate metric. The average coverage difference for our functional coverage is 7.9% as compared to 41.4% for statement coverage. We also compute the standard deviation for coverage difference for both functional and statement coverage. It is 5.5% for our functional coverage as compared to 10.7% for statement coverage.


text

9. CONCLUSIONS

We have successfully performed automatic generation of coverage monitors representing a functional coverage model for the design of industrial scale DLX processors from a static analysis of the HDL description of its design. The design was simulated with randomly generated valid DLX programs. Functional coverage was computed from the data collected by coverage monitors. Errors were then injected and percentage error detection was computed. The computed functional coverage was found to closely track error detection percentage than the statement coverage tracked, which is a testimony to the quality of the coverage model generated.

10. REFERENCES