

## SAT-Based Design Debugging

Sharad Malik Georg Weissenbacher Princeton University

### + Verification vs. Debugging

#### Verification

- Make sure that there are no bugs
- Debugging
  - Observe error
  - What went wrong?
    - Root-cause analysis
- Understanding bugs is often more time consuming than finding them

### + Hardware bugs are expensive



#### $\frac{4195835}{3145727} = 1.333829068960037689$

- Intel Pentium FDIV Bug 1994
  - incorrect results for division
  - due to errors in the entries in the lookup table used by the digital divide operation algorithm
- Total cost associated with replacement: \$475 million

## + Outline



- SAT Background
  - SAT Encoding of Logic Designs
  - Satisfying Assignments for Debugging
  - Unsatisfiable Instances for Debugging
- Pre-Silicon Debug
  - Localizing faults in Register-Transfer-Level (RTL) designs
- Post-Silicon Validation
  - Localizing faults in manufactured prototypes
- Outlook: Fault Localization in Software
- Summary



[Smith, Veneris, Ali, Viglas 2004]

### + Verification Techniques

- Testing
  - White Box Testing
    - Logic Simulation
  - Black Box Testing
- Formal Verification
  - Automated Theorem Proving (ATP)
  - Model Checking
    - (Partial) Specifications in Temporal Logic
    - Bounded Model Checking
  - Equivalence Checking

**—** ...

## + Applicability of Verification Techniques

|                                         | logic simulation                                                                                    | model checking                                                           |
|-----------------------------------------|-----------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------|
| pre-silicon<br>(full observability)     | ✓<br>+ ease of use<br>- limited coverage<br>- simulation is slow                                    | ✓<br>+ complete coverage<br>- scalability issues<br>- complex formalisms |
| post-silicon<br>(limited observability) | <ul> <li>real-time execution</li> <li>still limited coverage</li> <li>manufacturing cost</li> </ul> | <b>X</b><br>not applicable                                               |

### + Find Errors, Localize Faults

#### Error:

Discrepancy between observed and expected behavior

#### Fault:

Abnormal condition, may cause an error

- Electrical: signal interference in manufactured prototypes
- Logical: missing case statement in hardware design
- Temporal and spatial localization of faults "typically dominate[s] the effort expended during the debug process for a bug" [Josephson 2006]

This talk's focus:
 Automated Fault Localization

# + Outline



#### SAT Background

- SAT Encoding of Logic Designs
- Satisfying Assignments for Debugging
- Unsatisfiable Instances for Debugging
- Pre-Silicon Debug
  - Localizing faults in Register-Transfer-Level (RTL) designs
- Post-Silicon Validation
  - Localizing faults in manufactured prototypes
- Outlook: Fault Localization in Software
- Summary

# + Register Transfer Level









[Abramovici, Breuer, Friedman 1990]

# + Iterative Logic Array (Example)



# + Outline



#### SAT Background

- SAT Encoding of Logic Designs
- Satisfying Assignments for Debugging
- Unsatisfiable Instances for Debugging
- Pre-Silicon Debug
  - Localizing faults in Register-Transfer-Level (RTL) designs
- Post-Silicon Validation
  - Localizing faults in manufactured prototypes
- Outlook: Fault Localization in Software
- Summary

- How do we know that the RTL design is correct?
- Check whether certain specified properties hold
- If not, we want a counterexample



Bounded Model Checking Check whether given property holds for k cycles



"output remains 0 as long as initial state (s) and input 1  $(i_1)$  are 0"

$$\left(\overline{s} \cdot \overline{i_1^1}\right) \to \overline{o^1} \qquad \qquad \left(\overline{s} \cdot \overline{i_1^1} \cdot \overline{i_1^2}\right) \to \overline{o^2}$$

- Property holds if unfolding and negated property UNSAT
- Any satisfying assignment is a counterexample to the claim

$$\begin{array}{ccc}
& & & & & & \\
\text{cycle} & (\overline{r}+i_1^1) \cdot (\overline{r}+s) \cdot (\overline{i_1^1}+\overline{s}+r) & (\overline{i_2^1}+o^1) \cdot (\overline{s}+o^1) \cdot (\overline{o^1}+i_2^1+s) \\
\text{cycle} & (\overline{t}+i_1^2) \cdot (\overline{t}+r) \cdot (\overline{i_1^2}+\overline{r}+t) & (\overline{i_2^2}+o^2) \cdot (\overline{r}+o^2) \cdot (\overline{o^2}+i_2^2+r)
\end{array}$$

$$\left(\overline{s} \cdot \overline{i_1^1}\right) \to o + \left(\overline{s} \cdot \overline{i_1^1} \cdot \overline{i_1^2}\right) \to \overline{o^2}$$

Any satisfying assignment is a counterexample to the claim



## + Counterexamples More valuable than correctness proofs?

"One of the most important advantages of model checking [...] is its counterexample facility. [...] The counterexamples can be essential in finding subtle errors in designs."

[Clarke, Grumberg, McMillan, Zhao 1995]

• However, a counterexample still doesn't tell us

- what went wrong, and
- *where* it went wrong.

Root Cause Analysis or Fault Localization

# + Outline

Hardware Design/Verification Flow

#### SAT Background

- SAT Encoding of Logic Designs
- Satisfying Assignments for Debugging
- Unsatisfiable Instances for Debugging
- Pre-Silicon Debug
  - Localizing faults in Register-Transfer-Level (RTL) designs
- Post-Silicon Validation
  - Localizing faults in manufactured prototypes
- Outlook: Fault Localization in Software
- Summary

# + Unsatisfiable Instances

- Constrain a faulty design with the *correct* input/output
- The resulting formula is unsatisfiable
- Locate gates that are inconsistent with desired behavior



# + Minimal Correction Set (MCS)

#### Given an UNSAT instance

- Minimal subset of clauses that must be dropped to make instance satisfiable
  - Any subset of an MCS is not a correction set

$$(\overline{r} + \overline{s} + t)$$
  $(\overline{r} + s)$   $(r)$   $(s)$   $(\overline{t})$ 

dropping both  $(\overline{r} + s)$  and (s) "corrects" the formula

- Remaining clauses are consistent
- Is there more than one MCS in our example?

# Minimal Correction Set (MCS)

The following formula has a single minim*um* MCS:

Least cardinality

$$(\overline{s})$$
  $(\overline{r}+s)$   $(r)$   $(s)$ 

- {(r),(s)} is minimal but not minimum.
- The formula has three different MCSes.

# + MAX SAT



- The complement of a minim<u>um</u> correction set
  - Largest subset of clauses that can be satisfied
- Given an UNSAT instance

$$(\overline{r} + \overline{s} + t) \quad (\overline{r} + s) \quad (r) \quad (s) \quad (\overline{t})$$

What is the largest subset of clauses that can be satisfiable?

- The complement of any MAX-SAT solution is an MCS
- Converse doesn't hold: Complement of MCS is maximal set of satisfiable clauses



Maximum subset of clauses that can be satisfied given certain clauses cannot be dropped

Given an UNSAT instance 
$$(\overline{r} + \overline{s} + t) \quad (\overline{r} + s) \quad (r) \quad (s) \quad (\overline{t})$$

which clauses do we have to drop to make it satisfiable? (the *pinned* clauses can't be dropped)

## Minimal Unsatisfiable Subsets (MUS) and Unsatisfiable Cores

- An unsatisfiable subset is an inconsistent subset of the clauses of the original formula
  - Also, referred to as an UNSAT core

$$(\overline{s})$$
  $(\overline{r}+s)$   $(r)$   $(s)$ 

An unsatisfiable subset is *minimal* if dropping one of its clauses makes it satisfiable





Generate all MCSes for a set of clauses



Each hitting set of the MCSes is an MUS

- Each hitting set of all MUSes is an MCS
- Therefore, dropping the clauses of an MCS "deactivates" all cores

# + Outline



- SAT Background
  - SAT Encoding of Logic Designs
  - Satisfying Assignments for Debugging
  - Unsatisfiable Instances for Debugging
- Pre-Silicon Debug
  - Localizing faults in Register-Transfer-Level (RTL) designs
- Post-Silicon Validation
  - Localizing faults in manufactured prototypes
- Outlook: Fault Localization in Software
- Summary



### + Pre-Silicon Debug Problem Definition



### + Test Case as Circuit Constraints

Test scenario is modeled as constraint for iterative logic array



## + Test Scenarios as Constraints Example



### + Test Scenarios as Constraints Example

- Add test-scenario as constraints to circuit
- The corresponding CNF formula is inconsistent



### + Test Scenarios as Constraints Example

- Detecting the error is only half the story
- Manually localizing the fault causing a known error is tedious



### + Fault Localization Using MCSes

Example

Use MCSes to id

 Input/output val (we're not intere



$$(\overline{s}) (\overline{i_1^1}) (\overline{i_2^1}) (\overline{o^1}) \qquad (\overline{t}) (\overline{i_1^2}) (\overline{i_2^2}) (\overline{o^2})$$

## + Fault Localization Using MCSes General Methodology

- Generate ILA constrained with test case (in CNF)
- Compute all MCSes: Each MCS represents a set of potential fault locations



# + Outline



- SAT Background
  - SAT Encoding of Logic Designs
  - Satisfying Assignments for Debugging
  - Unsatisfiable Instances for Debugging
- Pre-Silicon Debug
  - Localizing faults in Register-Transfer-Level (RTL) designs

#### Post-Silicon Validation

- Localizing faults in manufactured prototypes
- Outlook: Fault Localization in Software
- Summary



### + Post-Silicon Validation Problem Definition



#### + Post-Silicon Validation

#### What has changed compared to pre-silicon?

- Include a different class of faults: electrical faults
  - Not in every time-frame: may be *transient* or *intermittent*
- The *test result* represents the erroneous behavior
- The net-list is the fault-free golden model
  - We assume functional correctness when considering electrical bugs



### + Post-Silicon Validation What has changed compared to pre-silicon?

- Limited observability of signals in manufactured chip
  - Trace buffers: Limited recording of select signals
  - Scan chains: Read-out after chip execution stopped



#### + Test Results as Circuit Constraints

- Test results used as constraint for iterative logic array
- ? = information was not recorded



### + Test Results as Constraints Example



### + Test Results as Constraints Example

Add test results as constraints to circuit

The corresponding CNF formula is inconsistent



#### + Fault Localization Using MCSes

Example

• Use MCSes to id s -

Recorded test re



$$(\overline{s}) (\overline{i_2^1}) (\overline{o^1}) \qquad (\overline{i_2^2}) (o^2)$$

### + Post-Silicon Faults and MCSes Limits of Scalability

- Limited observability results in harder decision problems
  - In Pre-Silicon: Full information about signals in *each* cycle
- Analysing ILA with thousands of time-frames becomes computationally infeasible



### + Post-Silicon Faults and MCSes Limits of Scalability

- Analysis limited to small (contiguous) sequence of cycles
- Scalability of decision procedure determines window size
- Slide window backwards in time to cover different cycles



# + Sliding Windows Example



- Sliding windows may fail to locate fault
- Approach is incomplete due to limited information
  - In this particular example: we don't know the value of r



Would like to propagate information across windows

- At a reasonable computational cost
- Maybe we can infer the value of *r* in the first window?

#### + **Reconstructing Information** With Inferred Values r=1 $i_{1}^{2}$ tr = l(2) Ω I I 0

#### + Backbones

#### Inferring "Fixed" Signals for Satisfiable Instances

 Backbone of a satisfiable formula: Set of variables that have same value in all satisfying assignments

Consider the satisfiable formula

$$(r \oplus t) \cdot (r + s) \cdot (r)$$

Satisfying assignments:



# + Computing Backbones

Given a Boolean formula F

- 1. Obtain initial satisfying assignment  $A_0$
- 2. For each literal p such that  $A_0[p]=1$ 
  - variable of p is part of backbone iff  $(F \cdot \overline{p})$  is UNSAT

Optimization (Filtering):

- 1. If  $(F \cdot \overline{p})$  is satisfiable, look at this satisfying assignment  $A_1$
- 2. Variables differing in value in  $A_0$  and  $A_1$  are not in backbone

[Marques-Silva, Janota, Lynce 2010]

# + Propagating Backbones

**Across Sliding Windows** 



[Zhu, Weissenbacher, Sethi, Malik 2011]

# + Propagating Backbones

#### **Across Sliding Windows**



# +Outline



- SAT Background
  - SAT Encoding of Logic Designs
  - Satisfying Assignments for Debugging
  - Unsatisfiable Instances for Debugging
- Pre-Silicon Debug
  - Localizing faults in Register-Transfer-Level (RTL) designs
- Post-Silicon Validation
  - Localizing faults in manufactured prototypes

#### Outlook: Fault Localization in Software

Summary

### + Fault Localization in Software Methodology

- 1. Observe an assertion violation
- 2. Unwind loops of the program, obtain symbolic representation
- 3. Constrain program with *expected* input/output values
- 4. Compute MCSes to locate faults

[Jose, Majumdar 2011]

### ÷ Fault Localization in Software **Problem Definition Golden Model Specification** Assertions in Program e.g., requirements Consistent?

Software Implementation

Unwinding

Symbolic Representation

# + Symbolic Representation of Software



### + Computing MCSes for Program





### + MCSes Indicate Potential Errors

```
- -
🖻 main.c 🛛
  int Array[3];
  int testme(int index)
   Ł
       if (index != 1)
    index = 2;
       else
           index = index + 2;
       i = index;
       assert (i >= 0 && i < 3); // array bounds
       return Array[i];
  }
```

# +Outline



- SAT Background
  - SAT Encoding of Logic Designs
  - Satisfying Assignments for Debugging
  - Unsatisfiable Instances for Debugging
- Pre-Silicon Debug
  - Localizing faults in Register-Transfer-Level (RTL) designs
- Post-Silicon Validation
  - Localizing faults in manufactured prototypes
- Outlook: Fault Localization in Software

#### Summary

# + Summary



Locating faults is tedious

- Minimal Correction Sets enable fault localization in
  - logic design
  - manufactured chip prototypes
  - software
- Backbones enable partial recovery of information

### + References (for Hardware)

- [Abramovici, Breuer, Friedman 1990]
   Digital Systems Testing and Testable Design Computer Science Press
- [Smith, Veneris, Ali, Viglas 2004]
   Fault Diagnosis and Logic Debugging Using Boolean Satisfiability IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems
- [Josephson 2006]
   The Good, the Bad, and the Ugly of Silicon Debug Design Automation Conference
- [Liffiton, Sakallah 2009]
   Generalizing Core-Guided MAX-SAT Theory and Applications of Satisfiability Testing
- [Chen, Safarpour, Marques-Silva, Veneris 2009]
   Automated Design Debugging with Maximum Satisfiability
   IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems
- [Marques-Silva, Janota, Lynce 2010]
   On Computing Backbones of Propositional Theories European Conference on Artificial Intelligence
- [Zhu, Weissenbacher, Sethi, Malik 2011] Post-Silicon Fault Localisation Using Maximum Satisfiability and Backbones Formal Methods in Computer-Aided Design, 2011

### + References (for Software)

- [Clarke, Kroening, Lerda 2004]
   A Tool for Checking ANSI-C Programs
   Tools and Algorithms for the Construction and Analysis of Systems
- [Groce, Chaki, Kroening, Strichman 2006]
   Error Explanation with Distance Metrics
   International Journal on Software Tools for Technology Transfer
- [Jose, Majumdar 2011] (Tool paper) BugAssist: Assisting Fault Localization in ANSI-C Programs Computer Aided Verification

[Jose, Majumdar 2011]
 Clause Cue Clauses: Error Localization Using Maximum Satisfiability
 Programming Languages Design and Implementation