On the Duality between Vacuity and Coverage

Sanity checks such as vacuity and coverage are used to evaluate the quality of both implementations and specifications. We show formally that vacuity and coverage are dual concepts, studying them in a setting in which both the implementation and the specification are given by circuits. To formalize the duality, we present a range of mutations that one can apply to a circuit and partition them into mutations that add, remove, and modify behaviors. Many mutations correspond to physical and design faults, such as ones in which signals are ignored, flipped, delayed, or stuck at a value, and combinations thereof. For most of the mutations, we exhibit corresponding mutations also in the case where the specification is given as a temporal logic formula. We introduce and study the notion of dual mutations. A mutation μ that adds or modifies behaviors is dual to a mutation μ̃ that removes or modifies behaviors if, for all implementations I and specifications S , satisfaction of S by a mutant implementation Iμ, obtained from I by applying μ, is related to satisfaction by I of a mutant specification Sμ̃, obtained from S by applying μ̃. Thus, the low coverage of I by S , which causes Iμ to satisfy S , is related to the vacuous satisfaction of S by I, which causes I to satisfy Sμ̃. The notion of dual mutations also applies in a setting in which the specification is a temporal logic formula. Beyond the clean theoretical picture that the duality suggests, it offers important applications. First, we obtain new coverage metrics and new definitions of vacuity that have so far been used only in one of the sanity checks. Second, when low coverage is detected with a mutation, a tighter specification can be automatically obtained by applying its dual mutation to the original specification. We present experimental results showing the relevance of tightening specifications to self-checking circuits.