Verification of Timed Systems Using POSETs

Wendy Belluomini and Chris J. Myers
Computer Science Department, Electrical Engineering Department, University of Utah, Salt Lake City, UT 84112

Abstract. This paper presents a new algorithm for efficiently verifying timed systems. The new algorithm represents timing information using geometric regions and explores the timed state space by considering partially ordered sets of events rather than linear sequences. This approach avoids the explosion of timed states typical of highly concurrent systems by dramatically reducing the ratio of timed states to untimed states in a system. A general class of timed systems which include both event and level causality can be specified and verified. This algorithm is applied to several recent timed benchmarks showing orders of magnitude improvement in runtime and memory usage.

1 Introduction

The fundamental difficulty in verification is controlling the state explosion problem. The state spaces involved in verifying reasonably sized systems are large even if the timing behavior of the system is not considered. The problem gets even more complex when verification is done on timed systems. However, verification with timing is crucial to applications such as asynchronous circuits and real-time systems.

A number of techniques have been proposed to deal with state explosion. Approaches have been proposed that use stubborn sets [1], partial orders [2], or unfolding [3]. These techniques reduce the number of states explored by considering only a subset of the possible interleavings between events. These approaches have been successful, but they only deal with untimed verification.

The state space of timed systems is even larger than the state space of untimed systems and has been more difficult to reduce. The representation of the timing information has a huge impact on the growth of the state space. Timing behavior can either be modeled continuously (i.e., dense-time), where the timers in the system can take on any value between their lower and upper bounds, or discretely, where timers can only take on values that are multiples of a discretization constant. Discrete time has the advantage that the timing analysis technique is simpler and implicit techniques can be easily applied to improve performance [4,5]. However, the state space explodes if the delay ranges are large and the discretization constant is set small enough to ensure exact exploration of the state space.

This research is supported by a grant from Intel Corporation, NSF CAREER award MIP-9625014, SRC grant 97-DJ-487, and a DARPA AASERT fellowship.


Continuous time techniques eliminate the need for a discretization constant by breaking the infinite continuous timed state space into equivalence classes. All timing assignments within an equivalence class lead to the same behavior and do not need to be explored separately. In order to reduce the size of the state space, the size of the equivalence classes should be as large as possible. In the unit-cube (or region) approach [6], timed states with the same integral clock values and a particular linear ordering of the fractional values of the clocks are considered equivalent. Although this approach eliminates the need to discretize time, the number of timed states is dependent on the size of the delay ranges and can explode if they are large.

Another approach to continuous time is to represent the equivalence classes as convex geometric regions (or zones) [7–9]. These geometric regions can be represented by sets of linear inequalities (also known as difference bound matrices or DBMs). These larger equivalence classes can often result in smaller state spaces than those generated by the unit-cube approach.

While geometric methods are efficient for some problems, their complexity can be worse than either discrete or unit-cube methods when analyzing highly concurrent systems. The number of geometric regions can explode with these approaches since each untimed state has at least one geometric region associated with it for every firing sequence that can result in that state. In highly concurrent systems where many interleavings are possible, the number of geometric regions per untimed state can be huge. Some researchers [10–12] have attacked this problem by reducing the number of interleavings explored using the partial order techniques developed for untimed systems. These algorithms reduce verification time by exploring only part of the timed state space, but this may limit the timing properties that can be verified. While reducing the number of interleavings is useful, in [10,11] one region is still required for every firing sequence explored to reach a state. If most interleavings need to be explored, these techniques could still result in state explosion.

The algorithm presented in [13,14] significantly reduces the number of regions per untimed state by using partially ordered sets (or POSETs) of events rather than linear sequences to construct the geometric regions. Using this technique, untimed states do not have an associated region for every firing sequence. Instead, the algorithm generates only one geometric region for any set of firing sequences that differ only in the firing order of concurrent events. This algorithm is shown in [14] to result in very few geometric regions per untimed state. The entire timed state space is explored, so it can be used to verify a wide range of timing properties. However, it is limited to specifications where the firing time of an event can only be controlled by a single predecessor event (known as the single behavioral place (or rule) restriction). This restriction can be worked around with graph transformations, but the graph transformations add $2^n$ new rules for each event with $n$ behavioral rules [15,16]. In [17], we presented an approximate algorithm for exploring the entire state space with POSETs on a general class of specifications, lifting the single behavioral rule restriction. However, it may generate regions that are larger than necessary.

This paper presents a new algorithm for timed state space exploration based on geometric regions and POSETs. This algorithm operates on a very general class of specifications, timed event/level (TEL) structures [18], which are capable of directly expressing both event and level causality. Through a straightforward construction (omitted due to space constraints), it can be shown that TEL structures are at least as expressive as 1-safe time Petri nets [19]. TEL structures can also represent some behavior more concisely due to their ability to specify levels which are not directly supported in time Petri nets. While they are not as expressive as timed automata [6], TEL structures represent an interesting class of timed automata sufficient to accurately model timed circuit behavior. Unlike the partial order techniques discussed earlier, the POSET timing algorithm does explore every interleaving between event firings, and therefore explores all states of the system. This new algorithm dramatically improves the performance of geometric region based techniques on highly concurrent systems, making dense-time verification extremely competitive with discrete-time when the delay ranges are small and far superior when the ranges are large. The performance of POSET timing is demonstrated by orders of magnitude improvement in runtime and memory usage on several recent timing verification benchmarks.

2 Timed systems and exploration of their timed states

The process of timing verification begins with a specification of a timed system and properties that it must satisfy. To check if these properties are satisfied, the verification algorithm explores the timed state space allowed by the specification. This section presents our formalism for modeling timed systems and exploring their state spaces.

2.1 Timed event/level structures

The algorithm presented in this paper is applied to specifications in the form of TEL structures [18], an extension of timed event-rule structures [15]. TEL structures are very well suited to describing asynchronous circuits since they allow both event causality to specify sequencing and level causality to specify bit value sampling. This section gives a brief overview of TEL structures. See [18] for a more complete description of their semantics. A TEL structure is a tuple $\langle N, s_0, A, E, R, \# \rangle$ where:
1. $N$ is the set of signals;
2. $s_0 \in \{0,1\}^N$ is the initial state;
3. $A \subseteq N \times \{+,-\} \cup \{\$\}$ is the set of atomic actions;
4. $E \subseteq A \times \mathbb{N}$, with $\mathbb{N} = \{0, 1, 2, \dots\}$, is the set of events;
5. $R \subseteq E \times E \times \mathbb{N} \times (\mathbb{N} \cup \{\infty\}) \times (\{0,1\}^N \to \{0,1\})$ is the set of rules;
6. $\# \subseteq E \times E$ is the conflict relation.

The signal set, $N$, contains the wires in the specification. The state $s_0$ contains the initial value of each signal in $N$. The action set, $A$, contains for each signal, $x$, in $N$, a rising transition, $x+$, and a falling transition, $x-$. The set $A$ also includes a dummy event, $\$$, which is used to indicate an action that does not result in a signal transition. The event set, $E$, contains actions paired with occurrence indices (i.e., $\langle a, i \rangle$). Rules represent causality between events. Each rule, $r$, is of the form $\langle e, f, l, u, b \rangle$ where:
1. $e$ = enabling event,
2. $f$ = enabled event,
3. $\langle l, u \rangle$ = bounded timing constraint, and
4. $b$ = a sum-of-products boolean function over the signals in $N$.


A rule is enabled if its enabling event has occurred and its boolean function is true in the current state. A rule is satisfied if it has been enabled at least $l$ time units. A rule becomes expired when it has been enabled $u$ time units. Excluding conflicts, an event cannot occur until every rule enabling it is satisfied, and it must occur before every rule enabling it has expired. If a rule's boolean function becomes false after the rule has become enabled, but before its enabled event has occurred, this indicates that the enabled event has a hazard which is considered a failure during verification.

The conflict relation, $\#$, is used to model disjunctive behavior and choice. When two events $e$ and $e'$ are in conflict (denoted $e \# e'$), this specifies that either $e$ or $e'$ can occur but not both. Taking the conflict relation into account, if two rules have the same enabled event and conflicting enabling events, then only one of the two mutually exclusive enabling events needs to occur to cause the enabled event. This models a form of disjunctive causality. Choice is modeled when two rules have the same enabling event and conflicting enabled events. In this case, only one of the enabled events can occur.

If a specification is cyclic, then the TEL structure representing it is infinite. However, due to its repetitive nature, this infinite behavior can be described with a finite model by adding an additional set of rules and conflicts which recursively defines the infinite structure [15].

2.2 Timed state space exploration

The untimed state of a TEL structure is composed of two parts: the set of rules whose enabling events have occurred, $R_m$, and the state, $s_c$, of all the signals in the system. From this untimed state, the set of enabled rules, $R_{en}$, can be constructed by including only those members of $R_m$ whose boolean expressions are satisfied by $s_c$. In order to determine the set of satisfied rules $R_s$, timing information is needed. It is referred to as TI and is included in the timed state $(R_m, s_c, \mathrm{TI})$.

The state space of a TEL structure is explored using a depth first search. In each state, the algorithm chooses a rule from $R_s$ to fire, and places onto the stack the current state and the remainder of $R_s$. It then fires the chosen rule, adds it to a set of fired rules, $R_f$, which is part of the timing information, and determines the new timed state. If $R_f$ contains a set of rules sufficient to fire an event $e$, the new timed state has a marking in which $e$ has fired. If this timed state has not been seen before, it is added to the state space, and a new $R_s$ is calculated. If a timed state is reached that has been seen before, the algorithm pops off the stack a timed state and the list of rules that have not yet been explored for that state. When a state that has been seen before is reached and the stack is empty, the entire timed state space has been found.

The timing information must be updated at every rule firing during state space exploration. Therefore, it is very important that the procedure for updating it is efficient. The timing analysis algorithm presented here uses geometric regions to represent the timing information within a timed state. Whenever a rule $r_i$ becomes enabled, a clock $c_i$ is created to be used in timing analysis. The minimum and maximum age differences of all the clocks associated with rules in $R_{en}$ are stored in a constraint matrix $M$. Each entry $m_{ij}$ in the matrix $M$ has the value $\max(c_j - c_i)$, which is the maximum age difference of the clocks. A dummy clock $c_0$ whose age is uniquely 0 is used to allow the inclusion of the minimum and maximum ages of the clocks in $M$. In other words, the maximum age of $c_i$ is in the entry $m_{0i}$, and the negative of the minimum age of $c_i$ is in the entry $m_{i0}$. Note that $M$ only needs to contain information on the timing of the rules that are currently in $R_{en}$, not on the whole set of rules. This particular way of representing timed regions was first introduced in [7]. This constraint matrix represents a convex $|R_{en}|$ dimensional region. Each dimension corresponds to a rule and the firing times of the rule can be anywhere within the space.

3 Timed state space exploration using POSET timing

While geometric regions are an effective way to represent dense-time state spaces, the number of geometric regions can explode for highly concurrent timed systems [14,5]. In [14], an algorithm is described that uses partially ordered sets (POSETs) of events rather than linear sequences to mitigate this state explosion problem. POSET timing techniques take advantage of the inherent concurrency in the TEL structure and prevent additional regions from being added for different sequences of event firings that lead to the same untimed state. This results in a compression of the state space into fewer, larger geometric regions that, taken together, contain the same region in space as the set of regions generated by the standard geometric technique. Therefore, all properties of the system that can be verified with the standard geometric technique can be verified with the POSET algorithm. This combination of regions could also be done as each region is generated during state space exploration. However, the check to see if the combination of two regions is convex takes $O(n^3)$ time in the number of constraints in the matrix. This check must be done between each new region and all the regions that have been generated previously, making this approach prohibitively expensive [13].

The POSET algorithm maintains a POSET matrix (also known as a process matrix in [13,14,17]), in addition to the constraint matrix. A POSET is a partially ordered set of events created from a TEL structure and a firing sequence. It is constructed from a TEL structure as follows: The POSET is initially empty. Events are added in the same order as they occur in the firing sequence. For an event in the firing sequence, a correspondingly labeled event is added to the POSET. Rules are added to connect the newly enabled event to the events in the POSET that enabled it.

The POSET matrix stores the minimum and maximum possible separations between the firing times of all the events in the POSET that are allowed by the firing sequence currently being explored. At each iteration, the time separations in the POSET matrix are copied into the entries of the constraint matrix that restrict the differences in the enabling times of the rules. Events are projected out of the POSET matrix when their timing information is no longer needed, so the algorithm only needs to retain and operate on local timing information.

3.1 Partially ordered sets without levels

When a new event fires and is added to the POSET matrix, the minimum and maximum time separations between its firing time and the firing times of all other events in the matrix must be determined. This set of separations must be consistent with the rule firing sequence that resulted in the current state. The rule firing sequence often limits the separations between events that are possible. There may be separations between events that are possible over all firing sequences but are not possible given the current one. Therefore, the separations in the POSET matrix must be restricted so that they are reachable given the current rule firing sequence.

The POSET matrix is kept consistent with the current rule firing sequence by ensuring that the time separations in the matrix reflect the causality implied by the current rule firing sequence. An event that is enabled by multiple rules does not fire until all of these rules have fired. The last rule to fire actually causes the event to fire, and is referred to as the causal rule. More formally, a rule $r_j = \langle e_k, e, l, u \rangle$ is causal to event $e$ given a rule firing sequence $r_1 \dots r_n$, if the firing sequence $r_1 \dots r_{j-1}$ does not enable $e$ and the firing sequence $r_1 \dots r_j$ does enable $e$. A set of rules $R_f$ enables event $e$ if $\forall r_i = \langle e_i, e, l_i, u_i \rangle \in R : (r_i \in R_f) \vee (\exists r_j = \langle e_j, e, l_j, u_j \rangle \in R_f \wedge e_i \# e_j)$ [15,17].

The significant difference between the POSET technique described here and the work presented in [13,14] is the method used to compute the POSET matrix. In [13,14], it is not necessary to use explicit causality information since the causal rule is always the behavioral rule. With multiple behavioral rules, causality must be considered in order to compute a correct POSET matrix. Assume that $P_n$ is a correct, maximally constraining set of inequalities that relate the firing times of a set of events $E_n$. When a new event $e$ fires with causal rule $r = \langle e_k, e, l, u \rangle$, a new set of correct, maximally constraining inequalities $P_{n+1}$ can be computed from $P_n$. Initially, $P_{n+1}$ is set to equal $P_n$. Then, $P_{n+1}$ is updated with the inequalities $t(e) - t(e_k) \le u$ and $t(e_k) - t(e) \le -l$. These inequalities are always true since no rule can delay the firing of $e$ once its causal rule has fired. Next, for each rule $r_i = \langle e_i, e, l_i, u_i \rangle$ in $R_f$, the inequality $t(e_i) - t(e) \le -l_i$ needs to be added because each rule enabling $e$ must be satisfied. These new inequalities may cause other inequalities in $P_{n+1}$ to no longer be maximally constraining. This occurs when there exists a subset of $P_{n+1}$ of the form $\{t(e) - t(e_k) \le u,\; t(e_i) - t(e) \le -l_i,\; t(e_i) - t(e_k) \le x\}$ where $u - l_i < x$. All of the inequalities in $P_{n+1}$ can be made maximally constraining by running Floyd's all pairs shortest path algorithm [7].

After the all pairs shortest path algorithm is run, $P_{n+1}$ contains a maximally constraining set of inequalities that includes all the constraints that result from firing $e$. However, minimum and maximum constraints between $e$ and all of the events in $E_n$ must also be included in $P_{n+1}$. These additional constraints are immediately derivable from the constraints already in $P_{n+1}$. The maximum constraints are as follows: $t(e) - t(e_j) \le u + \max(t(e_k) - t(e_j))$. This inequality holds since the maximum separation between $e_j$ and $e$ occurs when $e_j$ happens as much before $e$'s causal event as possible. If there is a rule $r_j = \langle e_j, e, l_j, u_j \rangle$ that relates $e_j$ and $e$, then the minimum constraint is $t(e_j) - t(e) \le \min(-l_j,\; -(l - \max(t(e_j) - t(e_k))))$. This inequality holds because the minimum separation between $e_j$ and $e$ occurs when $e_j$ happens as much after $e$'s causal event as possible, but must be no less than the minimum on the rule relating $e_j$ and $e$. The inequalities $t(e_j) - t(e) \le -l_j$ are added to $P_{n+1}$ before the all pairs shortest path step, and are constrained further to $t(e_j) - t(e) \le -(l - \max(t(e_j) - t(e_k)))$, if necessary. If there is not a rule $r_j = \langle e_j, e, l_j, u_j \rangle$ that relates $e_j$ and $e$, the minimum constraint is simply $t(e_j) - t(e) \le -(l - \max(t(e_j) - t(e_k)))$. $P_{n+1}$ now contains a correct, maximally constraining set of inequalities that represent the minimum and maximum separations between all the events in $E_{n+1} = E_n \cup \{e\}$. Note that as an optimization, inequalities that are no longer needed to compute future inequalities are removed from $P_n$. Since the base case is simply $P_0 = \emptyset$, this procedure can be used to construct correct sets of inequalities for an arbitrary rule firing sequence.

A geometric region representing the differences in the ages of a set of clocks associated with a set of enabled rules $R_{en}$ can easily be computed given a POSET matrix using a method similar to the one described in [13,14]. The maximum difference in the ages of the two clocks $c_i$ and $c_j$ associated with rules $r_i = \langle e_i, f_i, l_i, u_i \rangle$ and $r_j = \langle e_j, f_j, l_j, u_j \rangle$ is simply the maximum difference in the firing times of $e_i$ and $e_j$, which is in the POSET matrix as $t(e_i) - t(e_j) \le \max$. The minimum likewise exists in the POSET matrix as $t(e_j) - t(e_i) \le -\min$. These constraints are simply copied into the matrix representing the geometric region. The minimum and maximum bounds of the rules are used to set the minimum and maximum age differences between $c_i$ and $c_0$. Floyd's algorithm is then run on the constraint matrix, resulting in a maximally constraining set of inequalities. This may further constrain some of the inequalities since the POSET inequalities do not take into account the fact that a clock associated with a rule may not be older than the maximum bound on the rule. Additionally, the normalization algorithm described in [13] is applied to ensure the state space remains finite.

Figure 1 shows timing analysis based on POSETs applied to the small TEL structure shown at the top of the figure. This example shows how our algorithm solves two of the problems that occur when using geometric regions for timed state space exploration: region splitting and multiple behavioral rules. In this example, initially the $R_{en}$ set is $\{[A,B], [A,C]\}$, indicating that event $A$ has just fired. The POSET matrix contains a single event, $A$. The constraint matrix shows that the maximum time since $A$ has fired is 5. If more than 5 time units had passed, the rule $[A,C]$ would have been forced to fire. Since both the rules in $R_{en}$ are enabled by $A$, the difference in their enabling times must be 0, and the region in space that shows this is a 45 degree line.

From this timed state, either event $B$ or event $C$ can fire. In this example, $B$ fires next. The POSET matrix now contains the minimum and maximum separations between the firing times of $A$ and $B$. The values are copied into the constraint matrix. After the all pairs shortest path algorithm is run, the separation of 7 that is possible between the firing of $A$ and the firing of $B$ in the POSET matrix is reduced to 5 in the constraint matrix since rule $[A,C]$ has a maximum bound of 5 and therefore its clock cannot be more than 5 time units older than another clock.

In this state event $C$ or rule $[B,D]$ can fire next and $C$ is chosen. When $C$ fires, the POSET matrix no longer needs to contain $A$ since all events it has enabled have fired. The POSET matrix shows that $B$ could have fired at most 5 time units after $C$ and $C$ could have fired at most 2 time units after $B$. Now there are three rules enabled and the region is 3-dimensional. In the figure, a two dimensional projection of the region into the $[C,D] \times [B,D]$ plane is shown. This region shows the advantage of the POSET technique. Even though in this particular firing sequence $B$ fires before $C$, the region produced here contains timing assignments where $C$ fires before $B$. Since $B$ and $C$ occur in parallel, all of these timing assignments are allowed by the rule firing sequence that produced this state. The dashed line in the middle of the region shows the two regions that would be generated by standard geometric techniques. The upper region

[Figure 1 (matrix and region contents not recoverable from the extraction): the TEL structure at the top, followed by four panels, each showing the POSET matrix, the constraint matrix and the geometric region (projected onto 2 dimensions) for
Ren={[A, B], [A,C]}, current firing sequence={A};
Ren={[A,C], [B,D]}, current firing sequence={A,B};
Ren={[B,D], [C,D], [C,E]}, current firing sequence={A,B,C};
Ren={[D,A], [C,E]}, current firing sequence={A,B,C,D}, with separate matrices for the cases "C is causal" and "B is causal".]

Fig. 1. Example of timing with partially ordered sets.


contains timing assignments where $B$ fired first, and the lower region contains timing assignments where $C$ fired first.

In this timed state, rules $[B,D]$, $[C,D]$, and $[C,E]$ are enabled. Once both of the rules that enable $D$ fire, event $D$ can fire. When $D$ fires, information on event $B$ can be removed from the POSET matrix, but since $C$ enables another event, $E$, it remains. Two different maximum separations between $C$ and $D$ are possible depending on whether event $C$ or event $B$ was causal to $D$, and two different geometric regions result. In this example, one region is a subset of the other, but this is not always the case.
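The Section 3.1 update procedure and the Fig. 1 walkthrough above, as an added worked example that is not the paper's or ATACS's code: a small Python implementation of the POSET matrix update (causal-rule bounds, lower bounds of the other fired rules, Floyd's algorithm), projection of events, and the derivation of the constraint matrix over clocks, replayed on the firing sequence A, B, C, D. The rule bounds are read off Fig. 1 as reconstructed here ([A,B] = [3,7], [A,C] = [2,5], [B,D] = [1,2], [C,D] = [6,10], [C,E] = [2,10]); the class and function names are my own.

```python
import copy
from itertools import product

INF = float("inf")

# Rule bounds as reconstructed from the Fig. 1 TEL structure:
# (enabling event, enabled event) -> (lower bound l, upper bound u).
# The bound on rule [D, A] is not legible in the extraction and is never needed below.
RULES = {
    ("A", "B"): (3, 7),
    ("A", "C"): (2, 5),
    ("B", "D"): (1, 2),
    ("C", "D"): (6, 10),
    ("C", "E"): (2, 10),
}


def floyd(m, keys):
    """Floyd's all-pairs shortest path: makes the difference-bound matrix
    m[(i, j)] = max(v_j - v_i) maximally constraining."""
    for k, i, j in product(keys, repeat=3):
        if m[(i, k)] + m[(k, j)] < m[(i, j)]:
            m[(i, j)] = m[(i, k)] + m[(k, j)]
    return m


class PosetMatrix:
    """p[(x, y)] is the maximum possible t(y) - t(x) for events still in the POSET."""

    def __init__(self, first_event):
        self.events = [first_event]
        self.p = {(first_event, first_event): 0}

    def add_event(self, e, causal_rule, fired_rules):
        """Section 3.1 update: e fires, causal_rule = <e_k, e, l, u> fired last,
        fired_rules = R_f (the rules enabling e that have fired)."""
        e_k, _ = causal_rule
        l, u = RULES[causal_rule]
        for x in self.events:
            self.p[(x, e)] = self.p[(e, x)] = INF
        self.events.append(e)
        self.p[(e, e)] = 0
        # No rule can delay e once its causal rule has fired: l <= t(e) - t(e_k) <= u.
        self.p[(e_k, e)] = u
        self.p[(e, e_k)] = -l
        # Every enabling rule in R_f must be satisfied: t(e_i) - t(e) <= -l_i.
        for e_i, _ in fired_rules:
            l_i, _ = RULES[(e_i, e)]
            self.p[(e, e_i)] = min(self.p[(e, e_i)], -l_i)
        floyd(self.p, self.events)

    def project_out(self, e):
        """Drop an event once every event it enables has fired."""
        self.events.remove(e)
        self.p = {k: v for k, v in self.p.items() if e not in k}

    def separation(self, x, y):
        """(minimum, maximum) of t(y) - t(x)."""
        return -self.p[(y, x)], self.p[(x, y)]


def constraint_matrix(poset, enabled_rules):
    """Geometric region over the clocks of R_en as a DBM m[(i, j)] = max(c_j - c_i);
    the dummy clock 0 gives m[(0, i)] = max age and m[(i, 0)] = -(min age)."""
    keys = [0] + list(enabled_rules)
    m = {(i, j): INF for i in keys for j in keys}
    m[(0, 0)] = 0
    for r_i in enabled_rules:
        m[(r_i, r_i)] = 0
        m[(0, r_i)] = RULES[r_i][1]  # a clock cannot outlive its rule's upper bound
        m[(r_i, 0)] = 0              # ages are non-negative
        for r_j in enabled_rules:
            if r_i != r_j:
                # clocks start when the enabling events fire: c_j - c_i = t(e_i) - t(e_j)
                m[(r_i, r_j)] = poset.p[(r_j[0], r_i[0])]
    return floyd(m, keys)


def fig1_walkthrough():
    """Replays the firing sequence A, B, C, D of Fig. 1 and returns the key values."""
    out = {}
    poset = PosetMatrix("A")
    m = constraint_matrix(poset, [("A", "B"), ("A", "C")])
    out["max_age_AB_after_A"] = m[(0, ("A", "B"))]         # 7 clamped to 5 by [A, C]
    poset.add_event("B", ("A", "B"), [("A", "B")])
    out["B_minus_A"] = poset.separation("A", "B")           # (3, 7)
    m = constraint_matrix(poset, [("A", "C"), ("B", "D")])
    out["max_cAC_minus_cBD"] = m[(("B", "D"), ("A", "C"))]  # 7 in the POSET, 5 after Floyd
    poset.add_event("C", ("A", "C"), [("A", "C")])
    out["C_minus_B"] = poset.separation("B", "C")           # (-5, 2)
    poset.project_out("A")  # every event enabled by A has fired
    # Both rules enabling D have fired; the region depends on which one was causal.
    for causal in (("C", "D"), ("B", "D")):
        branch = copy.deepcopy(poset)
        branch.add_event("D", causal, [("B", "D"), ("C", "D")])
        branch.project_out("B")  # C stays: it still enables E
        out["D_minus_C_" + causal[0] + "_causal"] = branch.separation("C", "D")
    return out
```

With C causal the POSET matrix gives t(D) - t(C) in [6, 10]; with B causal it gives [6, 7], the subset region the text describes.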

3.2 Partially ordered sets with levels

In [18], we extended a geometric region based timed state space exploration algorithm to TEL structures which include arbitrary level annotations. The POSET algorithm presented in the previous section can also be extended to TEL structures with a limited class of level annotations. The algorithm is based on the ability to determine which previous event firing is causal to each new event firing. Recall that in our algorithm, rules fire independently of events, and an event fires when a set of rules sufficient to enable it have fired. When there are no level expressions, the causal event is simply the enabling event of the causal rule. However, if there are level expressions, this is not necessarily the case. With levels, a rule does not always become enabled when its enabling event fires. A rule only becomes enabled when its enabling event has fired and its level expression evaluates to true. Therefore, an event $e$ is causal to event $f$ if the firing of event $e$ enables $f$'s causal rule either because it is its enabling event or because it changes the value of the state such that $f$'s causal rule becomes enabled.

Determining this causality is straightforward during state space exploration. Whenever a rule fires, its causal event is recorded. Then when an event fires, a procedure similar to the one described in the previous subsection is used to determine the new set of inequalities that belong in the POSET matrix. The major difference is that now any event in the TEL structure may be causal to the firing event and all events need to be checked for causality. Additionally, the causality relationship may imply other time relationships between event firings. Due to space constraints, they are not described here. However, all of the constraints can be easily computed as long as the boolean expressions are restricted to pure-and and pure-or expressions. This limited class of TEL structures is expressive enough to model all TEL structures since more complex expressions can be modeled through graph transformations.

4 Results and conclusions

The POSET algorithm drastically reduces the number of geometric regions generated during state space exploration of highly concurrent systems. We have also made additional optimizations to the state space exploration process such as eliminating timed states to be explored from the stack if a region that is a superset of previous regions is found, and reducing the number of interleavings between rule firings. This new POSET timing algorithm along with these optimizations has been implemented within the CAD tool ATACS and produces very good results as illustrated with the parameterized timing verification benchmarks in this section.

The first two, the Alpha and Beta examples, are from [5]. Each stage of the Alpha example is composed of a single event which can fire repeatedly at a given interval and is not affected by any other events in the system. In [5], they showed that techniques based on DBMs (i.e., geometric regions) could only handle 5 stages of this highly concurrent example while their symbolic discrete-time technique using numerical decision diagrams (NDDs) could handle 18 stages in 12 hours on a SUN UltraSparc with 256MB of memory. A log-log plot of the results from [5] and our results using POSET timing on a SPARC 20 with 128MB of memory are shown in Figure 2. These results indicate that POSET timing is orders of magnitude faster and more memory efficient. In fact, our techniques found the reachable state space for 512 stages in about 73 minutes using 112MB of memory. This simple example clearly has only one untimed state regardless of the number of stages, and POSET timing can represent the timed state space using only one geometric region. Our technique does not find the region in its first iteration, however. It first finds a number of smaller regions before finding the final region that is a superset of all the rest. Therefore, although its performance is very good, it does not analyze the example instantaneously.

[Figure 2 (plot data not recoverable from the extraction): log-log plots of "Comparative Runtime Performance for the Alpha Example" (time in seconds versus number of stages) and "Comparative Memory Performance for the Alpha Example" (memory in kbytes versus number of stages), each comparing POSETS, NDD and DBM.]

Fig. 2. Comparative performance for the Alpha example.

One stage of the Beta example is composed of one state bit per stage with two events, one to set and one to reset the bit. In [5], they showed that DBMs could only handle 4 stages while their technique could handle 9 stages. A semilog plot of their results and ours are shown in Figure 3. POSET timing can handle 14 stages in 108MB of memory in just 16 minutes. For the Beta example, the number of states is exactly $2^n$ where $n$ is the number of stages, so POSET timing could handle an example with 32 times more untimed states than in [5]. Again, POSET timing is able to represent all the timing behavior in this example using one geometric region per state. Clearly, the Alpha and Beta examples are ideally suited to our algorithm, but they are used in [5] to demonstrate the weakness of traditional geometric region based methods.

[Figure 3: two semilog plots, number of stages (0 to 14) on a linear x-axis. Left: "Comparative Runtime Performance for the Beta Example", time (in seconds) on a log y-axis. Right: "Comparative Memory Performance for the Beta Example", memory (in kbytes) on a log y-axis.]

Fig. 3. Comparative performance for the Beta example.

The next example is an n-bit synchronous counter. The basic operation of the counter is that when the clock goes high, the next value of the count is determined from the previous value. When the clock goes low, the new value is latched and fed back to determine the next count. This example has several events which are enabled by multiple behavioral rules. In [15], graph transformations are described that can create a new specification which satisfies the single behavioral rule restriction, allowing verification by Orbits [13,14]. Using these graph transformations, Orbits could only analyze a 3-bit counter because it required 10,222 geometric regions to find the 64 untimed states. With our new POSET timing algorithm, it only requires 294 geometric regions to represent the entire timed state space for the 3-bit counter. In fact, our algorithm could analyze up to a 6-bit counter. This drastic difference in region count occurs because the graph transformation adds � � new rules for each event that has � behavioral rules. In the 3-bit counter most of the events had 4 behavioral rules, causing a huge combinatorial explosion in the number of regions.

The last example is a STARI communication circuit described in detail in [20,21]. The STARI circuit is used to communicate between two synchronous systems that are operating at the same clock frequency, $\phi$, but are out-of-phase due to clock skew which can vary from 0 to skew. The environment of this circuit is composed of a clk process, a transmitter, and a receiver. The STARI circuit is composed of a number of FIFO stages built from 2 C-elements and 1 NOR-gate per stage, each of which has a delay of $c$ to $d$. There are two properties that need to be verified: (1) each data value output by the transmitter must be inserted into the FIFO before the next one is output (i.e., ack ;]'%F�4 precedes W�;R$�F�B ��4 and We;�$�F�B be4) and (2) a new data value must be output by the FIFO before each acknowledgment from the receiver (i.e., W�;���F�B �]1 or W�;���F�Bvb¡1 precedes Z r ¯ ;z�¬1G'2F�4) [22]. To guarantee the second property, it is necessary to initialize the FIFO to be approximately half-full [21]. In addition to these two properties, we verified that every gate is hazard-free (i.e., once a gate is enabled, it cannot be disabled until it has fired).

There have been two nice proofs of STARI's correctness [21,23], but they have been on abstract models. In [22], the authors state that COSPAN, which uses the unit-cube (or region) technique for timing verification [24], ran out of memory attempting to verify a 3 stage gate-level version of STARI on a machine with 1 GB of memory. That paper goes on to describe an abstract model of STARI for which they could verify 8 stages in 92.4 MB of memory and 1.67 hours. We first verified STARI at the gate-level with delays from [22] (i.e., $\phi = 12$, skew $= 1$, $c = 1$, and $d = 2$). Using POSET timing, we can verify a 3 stage STARI in 0.74 MB in only 0.40 seconds. For an 8 stage STARI, the verification took 11 MB and only 55 seconds. In fact, POSET timing could verify 10 stages in 124 MB of memory in less than 20 minutes. This shows a nice improvement over the abstraction method and a dramatic improvement over the gate-level verification in COSPAN. For 10 stages, POSET timing found 14,531 untimed states and only needed 14,859 geometric regions to describe the timed state space. This represents a ratio of only 1.02 geometric regions per untimed state.

Finally, the complexity of POSET timing is relatively independent of the timing bounds used. We also ran our experiments using c�¤°�± and $d = 2.1$, skew $= 1.1$, and $\phi = 11.3$, which found more untimed states. With $c = 1.2$, we found fewer untimed states. Both cases with higher precision delay numbers had comparable performance to the one with lower precision delay numbers. This shows that higher precision timing bounds can be efficiently verified and can lead to different behaviors. It would not be possible to use this level of precision with a discrete-time or unit-cube based technique, since the number of states would explode with such large numbers.

Our results clearly show that POSET timing can dramatically improve the efficiency of timing verification, allowing larger, more concurrent timed systems to be verified. It does so without eliminating parts of the state space, so it does not limit the properties that can be verified. In the future, we plan to further increase the size and generality of the specifications that can be verified with the POSET method. We believe the abstraction technique from [22] and POSET timing methods are orthogonal, and we are interested in trying to combine them for further improvement. Finally, our algorithm currently represents the state space explicitly, and we are working on applying implicit techniques. Our preliminary results show that this can lead to a significant improvement in memory performance [25].

Acknowledgments

We would like to thank Mark Greenstreet of the University of British Columbia, Brandon Bachman, Eric Mercer, and Robert Thacker of the University of Utah and Tom Rokicki of Hewlett Packard for their helpful comments.

References

1. A. Valmari. A stubborn attack on state explosion. In International Conference on Computer-Aided Verification, pages 176–185, June 1990.

2. P. Godefroid. Using partial orders to improve automatic verification methods. In International Conference on Computer-Aided Verification, pages 176–185, June 1990.

3. K. McMillan. Using unfoldings to avoid the state explosion problem in the verification of asynchronous circuits. In G. v. Bochmann and D. K. Probst, editors, Proc. International Workshop on Computer Aided Verification, volume 663 of Lecture Notes in Computer Science, pages 164–177. Springer-Verlag, 1992.

4. J. R. Burch. Modeling timing assumptions with trace theory. In ICCD, 1989.

5. M. Bozga, O. Maler, A. Pnueli, and S. Yovine. Some progress in the symbolic verification of timed automata. In Proc. International Conference on Computer Aided Verification, 1997.

6. R. Alur. Techniques for Automatic Verification of Real-Time Systems. PhD thesis, Stanford University, August 1991.

7. D. L. Dill. Timing assumptions and verification of finite-state concurrent systems. In Proceedings of the Workshop on Automatic Verification Methods for Finite-State Systems, 1989.

8. B. Berthomieu and M. Diaz. Modeling and verification of time dependent systems using time Petri nets. IEEE Transactions on Software Engineering, 17(3), March 1991.

9. H. R. Lewis. Finite-state analysis of asynchronous circuits with bounded temporal uncertainty. Technical report, Harvard University, July 1989.

10. T. Yoneda, A. Shibayama, B. Schlingloff, and E. M. Clarke. Efficient verification of parallel real-time systems. In Costas Courcoubetis, editor, Computer Aided Verification, pages 321–332. Springer-Verlag, 1993.

11. A. Semenov and A. Yakovlev. Verification of asynchronous circuits using time Petri-net unfolding. In Proc. ACM/IEEE Design Automation Conference, pages 59–63, 1996.

12. E. Verlind, G. de Jong, and B. Lin. Efficient partial enumeration for timing analysis of asynchronous systems. In Proc. ACM/IEEE Design Automation Conference, 1996.

13. T. G. Rokicki. Representing and Modeling Circuits. PhD thesis, Stanford University, 1993.

14. T. G. Rokicki and C. J. Myers. Automatic verification of timed circuits. In International Conference on Computer-Aided Verification, pages 468–480. Springer-Verlag, 1994.

15. C. J. Myers. Computer-Aided Synthesis and Verification of Gate-Level Timed Circuits. PhD thesis, Stanford University, 1995.

16. C. J. Myers, T. G. Rokicki, and T. H.-Y. Meng. Automatic synthesis of gate-level timed circuits with choice. In 16th Conference on Advanced Research in VLSI, pages 42–58. IEEE Computer Society Press, 1995.

17. W. Belluomini and C. J. Myers. Efficient timing analysis algorithms for timed state space exploration. In Proc. International Symposium on Advanced Research in Asynchronous Circuits and Systems. IEEE Computer Society Press, April 1997.

18. W. Belluomini and C. J. Myers. Timed event/level structures. In collection of papers from TAU'97.

19. P. Merlin and D. J. Farber. Recoverability of communication protocols. IEEE Transactions on Communications, 24(9), 1976.

20. M. R. Greenstreet. STARI: A Technique for High-Bandwidth Communication. PhD thesis, Princeton University, 1993.

21. M. R. Greenstreet. STARI: Skew tolerant communication. Unpublished manuscript, 1997.

22. S. Tasiran and R. K. Brayton. STARI: A case study in compositional and hierarchical timing verification. In Proc. International Conference on Computer Aided Verification, 1997.

23. H. Hulgaard, S. M. Burns, T. Amon, and G. Borriello. Practical applications of an efficient time separation of events algorithm. In ICCAD, 1993.

24. R. Alur and R. P. Kurshan. Timing analysis in COSPAN. In Hybrid Systems III. Springer-Verlag, 1996.

25. R. A. Thacker. Implicit methods for timed circuit synthesis. Master's thesis, University of Utah, 1998.