Verification of Timed Systems Using POSETs

Wendy Belluomini and Chris J. Myers
Computer Science Department, Electrical Engineering Department
University of Utah, Salt Lake City, UT 84112

Abstract. This paper presents a new algorithm for efficiently verifying timed systems. The new algorithm represents timing information using geometric regions and explores the timed state space by considering partially ordered sets of events rather than linear sequences. This approach avoids the explosion of timed states typical of highly concurrent systems by dramatically reducing the ratio of timed states to untimed states in a system. A general class of timed systems which include both event and level causality can be specified and verified. This algorithm is applied to several recent timed benchmarks showing orders of magnitude improvement in runtime and memory usage.

1 Introduction

The fundamental difficulty in verification is controlling the state explosion problem. The state spaces involved in verifying reasonably sized systems are large even if the timing behavior of the system is not considered. The problem gets even more complex when verification is done on timed systems. However, verification with timing is crucial to applications such as asynchronous circuits and real-time systems.

A number of techniques have been proposed to deal with state explosion. Approaches have been proposed that use stubborn sets [1], partial orders [2], or unfolding [3]. These techniques reduce the number of states explored by considering only a subset of the possible interleavings between events. These approaches have been successful, but they only deal with untimed verification.

The state space of timed systems is even larger than the state space of untimed systems and has been more difficult to reduce. The representation of the timing information has a huge impact on the growth of the state space. Timing behavior can either be modeled continuously (i.e., dense-time), where the timers in the system can take on any value between their lower and upper bounds, or discretely, where timers can only take on values that are multiples of a discretization constant. Discrete time has the advantage that the timing analysis technique is simpler and implicit techniques can be easily applied to improve performance [4,5]. However, the state space explodes if the delay ranges are large and the discretization constant is set small enough to ensure exact exploration of the state space.

This research is supported by a grant from Intel Corporation, NSF CAREER award MIP-9625014, SRC grant 97-DJ-487, and a DARPA AASERT fellowship.
Continuous time techniques eliminate the need for a discretization constant by breaking the infinite continuous timed state space into equivalence classes. All timing assignments within an equivalence class lead to the same behavior and do not need to be explored separately. In order to reduce the size of the state space, the size of the equivalence classes should be as large as possible. In the unit-cube (or region) approach [6], timed states with the same integral clock values and a particular linear ordering of the fractional values of the clocks are considered equivalent. Although this approach eliminates the need to discretize time, the number of timed states is dependent on the size of the delay ranges and can explode if they are large.

Another approach to continuous time is to represent the equivalence classes as convex geometric regions (or zones) [7–9]. These geometric regions can be represented by sets of linear inequalities (also known as difference bound matrices or DBMs). These larger equivalence classes can often result in smaller state spaces than those generated by the unit-cube approach.

While geometric methods are efficient for some problems, their complexity can be worse than either discrete or unit-cube methods when analyzing highly concurrent systems. The number of geometric regions can explode with these approaches since each untimed state has at least one geometric region associated with it for every firing sequence that can result in that state. In highly concurrent systems where many interleavings are possible, the number of geometric regions per untimed state can be huge. Some researchers [10–12] have attacked this problem by reducing the number of interleavings explored using the partial order techniques developed for untimed systems. These algorithms reduce verification time by exploring only part of the timed state space, but this may limit the timing properties that can be verified. While reducing the number of interleavings is useful, in [10,11] one region is still required for every firing sequence explored to reach a state. If most interleavings need to be explored, these techniques could still result in state explosion.

The algorithm presented in [13,14] significantly reduces the number of regions per untimed state by using partially ordered sets (or POSETs) of events rather than linear sequences to construct the geometric regions. Using this technique, untimed states do not have an associated region for every firing sequence. Instead, the algorithm generates only one geometric region for any set of firing sequences that differ only in the firing order of concurrent events. This algorithm is shown in [14] to result in very few geometric regions per untimed state. The entire timed state space is explored, so it can be used to verify a wide range of timing properties. However, it is limited to specifications where the firing time of an event can only be controlled by a single predecessor event (known as the single behavioral place (or rule) restriction). This restriction can be worked around with graph transformations, but the graph transformations add new rules for each event with $n$ behavioral rules, and the number of added rules grows quickly with $n$ [15,16]. In [17], we presented an approximate algorithm for exploring the entire state space with POSETs on a general class of specifications, lifting the single behavioral rule restriction. However, it may generate regions that are larger than necessary.

This paper presents a new algorithm for timed state space exploration based on geometric regions and POSETs. This algorithm operates on a very general class of specifications, timed event/level (TEL) structures [18], which are capable of directly expressing both event and level causality. Through a straightforward construction (omitted due to space constraints), it can be shown that TEL structures are at least as expressive as 1-safe time Petri nets [19]. TEL structures can also represent some behavior more concisely due to their ability to specify levels, which are not directly supported in time Petri nets. While they are not as expressive as timed automata [6], TEL structures represent an interesting class of timed automata sufficient to accurately model timed circuit behavior. Unlike the partial order techniques discussed earlier, the POSET timing algorithm does explore every interleaving between event firings, and therefore explores all states of the system. This new algorithm dramatically improves the performance of geometric region based techniques on highly concurrent systems, making dense-time verification extremely competitive with discrete-time when the delay ranges are small and far superior when the ranges are large. The performance of POSET timing is demonstrated by orders of magnitude improvement in runtime and memory usage on several recent timing verification benchmarks.
2 Timed systems and exploration of their timed states

The process of timing verification begins with a specification of a timed system and properties that it must satisfy. To check if these properties are satisfied, the verification algorithm explores the timed state space allowed by the specification. This section presents our formalism for modeling timed systems and exploring their state spaces.
2.1 Timed event/level structures

The algorithm presented in this paper is applied to specifications in the form of TEL structures [18], an extension of timed event-rule structures [15]. TEL structures are very well suited to describing asynchronous circuits since they allow both event causality to specify sequencing and level causality to specify bit value sampling. This section gives a brief overview of TEL structures. See [18] for a more complete description of their semantics. A TEL structure is a tuple $T = \langle N, s_0, A, E, R, \# \rangle$ where:
1. $N$ is the set of signals;
2. $s_0 \in \{0,1\}^N$ is the initial state;
3. $A \subseteq N \times \{+,-\} \cup \{\$\}$ is the set of atomic actions;
4. $E \subseteq A \times \mathbb{N}$, with $\mathbb{N} = \{0, 1, 2, \ldots\}$, is the set of events;
5. $R \subseteq E \times E \times \mathbb{N} \times (\mathbb{N} \cup \{\infty\}) \times (b : \{0,1\}^N \to \{0,1\})$ is the set of rules;
6. $\# \subseteq E \times E$ is the conflict relation.

The signal set, $N$, contains the wires in the specification. The state $s_0$ contains the initial value of each signal in $N$. The action set, $A$, contains for each signal, $w$, in $N$, a rising transition, $w+$, and a falling transition, $w-$. The set $A$ also includes a dummy event, $\$$, which is used to indicate an action that does not result in a signal transition. The event set, $E$, contains actions paired with occurrence indices (i.e., $\langle a, i \rangle$). Rules represent causality between events. Each rule, $r$, is of the form $\langle e, f, l, u, b \rangle$ where:
1. $e$ = enabling event,
2. $f$ = enabled event,
3. $[l, u]$ = bounded timing constraint, and
4. $b$ = a sum-of-products boolean function over the signals in $N$.

A rule is enabled if its enabling event has occurred and its boolean function is true in the current state. A rule is satisfied if it has been enabled at least $l$ time units. A rule becomes expired when it has been enabled $u$ time units. Excluding conflicts, an event cannot occur until every rule enabling it is satisfied, and it must occur before every rule enabling it has expired. If a rule's boolean function becomes false after the rule has become enabled, but before its enabled event has occurred, this indicates that the enabled event has a hazard, which is considered a failure during verification.

The conflict relation, $\#$, is used to model disjunctive behavior and choice. When two events $e$ and $e'$ are in conflict (denoted $e \# e'$), this specifies that either $e$ or $e'$ can occur but not both. Taking the conflict relation into account, if two rules have the same enabled event and conflicting enabling events, then only one of the two mutually exclusive enabling events needs to occur to cause the enabled event. This models a form of disjunctive causality. Choice is modeled when two rules have the same enabling event and conflicting enabled events. In this case, only one of the enabled events can occur.

If a specification is cyclic, then the TEL structure representing it is infinite. However, due to its repetitive nature, this infinite behavior can be described with a finite model by adding an additional set of rules and conflicts which recursively defines the infinite structure [15].
2.2 Timed state space exploration

The untimed state of a TEL structure is composed of two parts: the set of rules whose enabling events have occurred, $R_m$, and the state, $s_c$, of all the signals in the system. From this untimed state, the set of enabled rules, $R_{en}$, can be constructed by including only those members of $R_m$ whose boolean expressions are satisfied by $s_c$. In order to determine the set of satisfied rules $R_s$, timing information is needed. It is referred to as TI and is included in the timed state $(R_m, s_c, \mathrm{TI})$.

The state space of a TEL structure is explored using a depth first search. In each state, the algorithm chooses a rule from $R_s$ to fire, and places onto the stack the current state and the remainder of $R_s$. It then fires the chosen rule, adds it to a set of fired rules, $R_f$, which is part of the timing information, and determines the new timed state. If $R_f$ contains a set of rules sufficient to fire an event $e$, the new timed state has a marking in which $e$ has fired. If this timed state has not been seen before, it is added to the state space, and a new $R_s$ is calculated. If a timed state is reached that has been seen before, the algorithm pops off the stack a timed state and the list of rules that have not yet been explored for that state. When a state that has been seen before is reached and the stack is empty, the entire timed state space has been found.

The timing information must be updated at every rule firing during state space exploration. Therefore, it is very important that the procedure for updating it is efficient. The timing analysis algorithm presented here uses geometric regions to represent the timing information within a timed state. Whenever a rule $r_i$ becomes enabled, a clock $c_i$ is created to be used in timing analysis. The minimum and maximum age differences of all the clocks associated with rules in $R_{en}$ are stored in a constraint matrix $M$. Each entry $m_{ij}$ in the matrix $M$ has the value $\max(c_j - c_i)$, which is the maximum age difference of the clocks. A dummy clock $c_0$ whose age is uniquely 0 is used to allow the inclusion of the minimum and maximum ages of the clocks in $M$. In other words, the maximum age of $c_i$ is in the entry $m_{0i}$, and the negative of the minimum age of $c_i$ is in the entry $m_{i0}$. Note that $M$ only needs to contain information on the timing of the rules that are currently in $R_{en}$, not on the whole set of rules. This particular way of representing timed regions was first introduced in [7]. This constraint matrix represents a convex $|R_{en}|$-dimensional region. Each dimension corresponds to a rule and the firing times of the rule can be anywhere within the space.
3 Timed state space exploration using POSET timing

While geometric regions are an effective way to represent dense-time state spaces, the number of geometric regions can explode for highly concurrent timed systems [14,5]. In [14], an algorithm is described that uses partially ordered sets (POSETs) of events rather than linear sequences to mitigate this state explosion problem. POSET timing techniques take advantage of the inherent concurrency in the TEL structure and prevent additional regions from being added for different sequences of event firings that lead to the same untimed state. This results in a compression of the state space into fewer, larger geometric regions that, taken together, contain the same region in space as the set of regions generated by the standard geometric technique. Therefore, all properties of the system that can be verified with the standard geometric technique can be verified with the POSET algorithm. This combination of regions could also be done as each region is generated during state space exploration. However, the check to see if the combination of two regions is convex takes time polynomial in the number of constraints in the matrix. This check must be done between each new region and all the regions that have been generated previously, making this approach prohibitively expensive [13].

The POSET algorithm maintains a POSET matrix (also known as a process matrix in [13,14,17]), in addition to the constraint matrix. A POSET is a partially ordered set of events created from a TEL structure and a firing sequence. It is constructed from a TEL structure as follows: The POSET is initially empty. Events are added in the same order as they occur in the firing sequence. For an event in the firing sequence, a correspondingly labeled event is added to the POSET. Rules are added to connect the newly enabled event to the events in the POSET that enabled it.

The POSET matrix stores the minimum and maximum possible separations between the firing times of all the events in the POSET that are allowed by the firing sequence currently being explored. At each iteration, the time separations in the POSET matrix are copied into the entries of the constraint matrix that restrict the differences in the enabling times of the rules. Events are projected out of the POSET matrix when their timing information is no longer needed, so the algorithm only needs to retain and operate on local timing information.
3.1 Partially ordered sets without levels

When a new event fires and is added to the POSET matrix, the minimum and maximum time separations between its firing time and the firing times of all other events in the matrix must be determined. This set of separations must be consistent with the rule firing sequence that resulted in the current state. The rule firing sequence often limits the separations between events that are possible. There may be separations between events that are possible over all firing sequences but are not possible given the current one. Therefore, the separations in the POSET matrix must be restricted so that they are reachable given the current rule firing sequence.

The POSET matrix is kept consistent with the current rule firing sequence by ensuring that the time separations in the matrix reflect the causality implied by the current rule firing sequence. An event that is enabled by multiple rules does not fire until all of these rules have fired. The last rule to fire actually causes the event to fire, and is referred to as the causal rule. More formally, a rule $r_k = \langle e_c, e, l, u \rangle$ is causal to event $e$ given a rule firing sequence $r_1 \ldots r_n$, if the firing sequence $r_1 \ldots r_{k-1}$ does not enable $e$ and the firing sequence $r_1 \ldots r_k$ does enable $e$. A set of rules $R_f$ enables event $e$ if
$$\forall r_i = \langle e_i, e, l_i, u_i \rangle \in R :\ (r_i \in R_f) \vee (\exists r_j = \langle e_j, e, l_j, u_j \rangle \in R_f : e_i \# e_j)$$
[15,17].

The significant difference between the POSET technique described here and the work presented in [13,14] is the method used to compute the POSET matrix. In [13,14], it is not necessary to use explicit causality information since the causal rule is always the behavioral rule. With multiple behavioral rules, causality must be considered in order to compute a correct POSET matrix. Assume that $I_n$ is a correct, maximally constraining set of inequalities that relate the firing times of a set of events $E_n$. When a new event $e$ fires with causal rule $r = \langle e_c, e, l, u \rangle$, a new set of correct, maximally constraining inequalities $I_{n+1}$ can be computed from $I_n$. Initially, $I_{n+1}$ is set to equal $I_n$. Then, $I_{n+1}$ is updated with the inequalities $\tau(e) - \tau(e_c) \le u$ and $\tau(e_c) - \tau(e) \le -l$. These inequalities are always true since no rule can delay the firing of $e$ once its causal rule has fired. Next, for each rule $r_i = \langle e_i, e, l_i, u_i \rangle$ in $R_f$, the inequality $\tau(e_i) - \tau(e) \le -l_i$ needs to be added because each rule enabling $e$ must be satisfied. These new inequalities may cause other inequalities in $I_{n+1}$ to no longer be maximally constraining. This occurs when there exists a subset of $I_{n+1}$ of the form $\{\tau(e) - \tau(e_c) \le u,\ \tau(e_i) - \tau(e) \le -l_i,\ \tau(e_i) - \tau(e_c) \le x\}$ where $u - l_i < x$. All of the inequalities in $I_{n+1}$ can be made maximally constraining by running Floyd's all pairs shortest path algorithm [7].

After the all pairs shortest path algorithm is run, $I_{n+1}$ contains a maximally constraining set of inequalities that includes all the constraints that result from firing $e$. However, minimum and maximum constraints between $e$ and all of the events in $E_n$ must also be included in $I_{n+1}$. These additional constraints are immediately derivable from the constraints already in $I_{n+1}$. The maximum constraints are as follows: $\tau(e) - \tau(e_j) \le u + \max(\tau(e_c) - \tau(e_j))$. This inequality holds since the maximum separation between $e_j$ and $e$ occurs when $e_j$ happens as much before $e$'s causal event as possible. If there is a rule $r_j = \langle e_j, e, l_j, u_j \rangle$ that relates $e_j$ and $e$, then the minimum constraint is $\tau(e_j) - \tau(e) \le \min(-l_j,\ -(l - \max(\tau(e_j) - \tau(e_c))))$. This inequality holds because the minimum separation between $e_j$ and $e$ occurs when $e_j$ happens as much after $e$'s causal event as possible, but must be no less than the minimum on the rule relating $e_j$ and $e$. The inequalities $\tau(e_j) - \tau(e) \le -l_j$ are added to $I_{n+1}$ before the all pairs shortest path step, and are constrained further to $\tau(e_j) - \tau(e) \le -(l - \max(\tau(e_j) - \tau(e_c)))$, if necessary. If there is not a rule $r_j = \langle e_j, e, l_j, u_j \rangle$ that relates $e_j$ and $e$, the minimum constraint is simply $\tau(e_j) - \tau(e) \le -(l - \max(\tau(e_j) - \tau(e_c)))$. $I_{n+1}$ now contains a correct, maximally constraining set of inequalities that represent the minimum and maximum separations between all the events in $E_{n+1} = E_n \cup \{e\}$. Note that as an optimization, inequalities that are no longer needed to compute future inequalities are removed from $I_n$. Since the base case is simply $I_0 = \emptyset$, this procedure can be used to construct correct sets of inequalities for an arbitrary rule firing sequence.
A geometric region representing the differences in the ages of a set of clocks associated with a set of enabled rules $R_{en}$ can easily be computed given a POSET matrix using a method similar to the one described in [13,14]. The maximum difference in the ages of the two clocks $c_i$ and $c_j$ associated with rules $r_i = \langle e_i, f_i, l_i, u_i \rangle$ and $r_j = \langle e_j, f_j, l_j, u_j \rangle$ is simply the maximum difference in the firing times of $e_i$ and $e_j$, which is in the POSET matrix as $\tau(e_i) - \tau(e_j) \le \max$. The minimum likewise exists in the POSET matrix as $\tau(e_j) - \tau(e_i) \le -\min$. These constraints are simply copied into the matrix representing the geometric region. The minimum and maximum bounds of the rules are used to set the minimum and maximum age differences between $c_i$ and $c_0$. Floyd's algorithm is then run on the constraint matrix, resulting in a maximally constraining set of inequalities. This may further constrain some of the inequalities, since the POSET inequalities do not take into account the fact that a clock associated with a rule may not be older than the maximum bound on the rule. Additionally, the normalization algorithm described in [13] is applied to ensure the state space remains finite.
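The following Python block is an added worked example and is not code from the paper or from the authors' tool. It implements the POSET matrix update of this subsection (the causal-rule inequalities, the satisfied-rule inequalities for every rule in $R_f$, and Floyd's all pairs shortest path closure), the definition of "$R_f$ enables $e$", and the construction of the clock constraint matrix with the dummy clock $c_0$ from Section 2.2, for TEL structures without level expressions. Assumptions that are not taken from the paper: a rule is a tuple (enabling event, enabled event, $l$, $u$); the conflict relation is passed as a set of frozenset pairs; an enabled, unfired rule's clock is taken to have an age in $[0, u]$, so $u$ fills $m_{0i}$ and 0 fills $m_{i0}$ before the closure; and the scenario in demo() (event s enables a and b concurrently, event c needs both) is constructed for illustration.

```python
"""POSET matrix update and region construction for a TEL structure without
levels.  Added example; not the paper's algorithm as implemented by its
authors.  Difference constraints tau(x) - tau(y) <= D[x][y] are kept as a
dict of dicts; INF means "no constraint"."""
INF = float("inf")


def floyd(D):
    """Make the constraints maximally constraining with Floyd's all pairs
    shortest path (the step the paper takes after each update [7]).  A
    negative diagonal entry means the inequalities have no solution."""
    keys = list(D)
    for k in keys:
        for i in keys:
            if D[i][k] == INF:
                continue
            for j in keys:
                via = D[i][k] + D[k][j]
                if via < D[i][j]:
                    D[i][j] = via
    for i in keys:
        if D[i][i] < 0:
            raise ValueError("inconsistent timing constraints")
    return D


def enables(fired, event, rules, conflicts=frozenset()):
    """R_f enables `event` iff every rule r_i = <e_i, event, l, u> in `rules`
    is in R_f, or some rule in R_f into `event` has an enabling event that
    conflicts with e_i.  `conflicts` holds frozenset({e, e'}) pairs (an
    assumed encoding of the # relation)."""
    fired = set(fired)
    for r in rules:
        if r[1] != event or r in fired:
            continue
        covered = any(f[1] == event and frozenset((r[0], f[0])) in conflicts
                      for f in fired)
        if not covered:
            return False
    return True


def fire_event(I, event, causal, fired):
    """Compute I_{n+1} from I_n when `event` fires with causal rule
    `causal` = <e_c, event, l, u> and `fired` = R_f.  Returns a new matrix."""
    ec, e, l, u = causal
    assert e == event
    D = {x: dict(row) for x, row in I.items()}
    for x in list(D):
        D[x][event] = INF
    D[event] = {x: INF for x in D}
    D[event][event] = 0
    # causal rule: tau(e) - tau(e_c) <= u and tau(e_c) - tau(e) <= -l
    D[event][ec] = min(D[event][ec], u)
    D[ec][event] = min(D[ec][event], -l)
    # every rule enabling e must be satisfied: tau(e_i) - tau(e) <= -l_i
    for (ei, f, li, ui) in fired:
        if f == event:
            D[ei][event] = min(D[ei][event], -li)
    # the closure also yields the derived bounds of Section 3.1:
    #   tau(e) - tau(e_j) <= u + max(tau(e_c) - tau(e_j))
    #   tau(e_j) - tau(e) <= -(l - max(tau(e_j) - tau(e_c)))
    return floyd(D)


def region_from_poset(I, enabled):
    """Constraint matrix M over the clocks of the enabled rules plus the dummy
    clock 'c0' (age 0), with M[i][j] = max(c_j - c_i).  Clock c_i of rule
    <e_i, f_i, l_i, u_i> started when e_i fired, so c_j - c_i = tau(e_i) -
    tau(e_j) and its maximum is read from the POSET matrix.  Assumption: an
    enabled, unfired rule's clock has age in [0, u_i]."""
    names = ["c0"] + [name for name, _ in enabled]
    M = {a: {b: (0 if a == b else INF) for b in names} for a in names}
    for na, (ea, _, la, ua) in enabled:
        M["c0"][na] = ua   # maximum age of c_a
        M[na]["c0"] = 0    # negative of the minimum age of c_a
        for nb, (eb, _, lb, ub) in enabled:
            if na != nb:
                M[na][nb] = I[ea][eb]
    return floyd(M)


def demo():
    """Constructed scenario: s enables a and b concurrently; c has two
    behavioral rules (from a and from b) and fires with b's rule causal."""
    rules = [("s", "a", 1, 3), ("s", "b", 2, 5), ("a", "c", 1, 2), ("b", "c", 1, 2)]
    I = {"s": {"s": 0}}          # base case: only the initial event s
    I = fire_event(I, "a", rules[0], [rules[0]])
    I = fire_event(I, "b", rules[1], [rules[1]])
    region = region_from_poset(I, [("ra", rules[2]), ("rb", rules[3])])
    assert enables([rules[2], rules[3]], "c", rules)
    I = fire_event(I, "c", rules[3], [rules[2], rules[3]])
    return I, region


if __name__ == "__main__":
    poset, region = demo()
    for x, row in poset.items():
        print(x, row)
    for x, row in region.items():
        print(x, row)
```

In the demo, after a and b have fired the POSET matrix holds $\tau(a) - \tau(b) \le 1$ and $\tau(b) - \tau(a) \le 4$. Firing c with causal rule $\langle b, c, 1, 2 \rangle$ gives $\tau(c) - \tau(a) \le u + \max(\tau(b) - \tau(a)) = 2 + 4 = 6$, exactly the paper's maximum constraint, and the rule $\langle a, c, 1, 2 \rangle$ tightens $\tau(a) - \tau(c)$ from the closure value 0 to $-1$, which is the point of adding the $-l_i$ inequalities. The region built before c fires shows the other effect the text describes: the POSET bound $\max(c_{rb} - c_{ra}) = 4$ is cut to 2 once the closure combines it with the fact that neither clock may exceed its rule's upper bound.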
In [18], we extended a geometric region based timed state space exploration algorithm to TEL structures which include arbitrary level annotations. The POSET algorithm presented in the previous section can also be extended to TEL structures with a limited class of level annotations. The algorithm is based on the ability to determine which previous event firing is causal to each new event firing. Recall that in our algorithm, rules fire independently of events, and an event fires when a set of rules sufficient to enable it have fired. When there are no level expressions, the causal event is simply the enabling event of the causal rule. However, if there are level expressions, this is not necessarily the case. With levels, a rule does not always become enabled when its enabling event fires. A rule only becomes enabled when its enabling event has fired and its level expression evaluates to true. Therefore, an event $e$ is causal to event $f$ if the firing of event $e$ enables $f$'s causal rule, either because it is its enabling event or because it changes the value of the state such that $f$'s causal rule becomes enabled.

Determining this causality is straightforward during state space exploration. Whenever a rule fires, its causal event is recorded. Then when an event fires, a procedure similar to the one described in the previous subsection is used to determine the new set of inequalities that belong in the POSET matrix. The major difference is that now any event in the TEL structure may be causal to the firing event and all events need to be checked for causality. Additionally, the causality relationship may imply other time relationships between event firings. Due to space constraints, they are not described here. However, all of the constraints can be easily computed as long as the boolean expressions are restricted to pure AND and pure OR expressions. This limited class of TEL structures is expressive enough to model all TEL structures since more complex expressions can be modeled through graph transformations.
4 Results and conclusions

The POSET algorithm drastically reduces the number of geometric regions generated during state space exploration of highly concurrent systems. We have also made additional optimizations to the state space exploration process such as eliminating timed states to be explored from the stack if a region that is a superset of previous regions is found, and reducing the number of interleavings between rule firings. This new POSET timing algorithm along with these optimizations has been implemented within the CAD

The first two, the Alpha and Beta examples, are from [5]. Each stage of the Alpha example is composed of a single event which can fire repeatedly at a given interval and is not affected by any other events in the system. In [5], they showed that techniques based on DBMs (i.e., geometric regions) could only handle 5 stages of this highly concurrent example while their symbolic discrete-time technique using numerical decision diagrams (NDDs) could handle 18 stages in 12 hours on a SUN UltraSparc with 256 MB of memory. A log-log plot of the results from [5] and our results using POSET timing on a SPARC 20 with 128 MB of memory are shown in Figure 2. These results indicate that POSET timing is orders of magnitude faster and more memory efficient. In fact, our techniques found the reachable state space for 512 stages in about 73 minutes using 112 MB of memory. This simple example clearly has only one untimed state regardless of the number of stages, and POSET timing can represent the timed state space using only one geometric region. Our technique does not find the region in its first iteration, however. It first finds a number of smaller regions before finding the final region that is a superset of all the rest. Therefore, although its performance is very good, it does not analyze the example instantaneously.
Fig. 2. Comparative runtime and memory performance for the Alpha example (log-log plots of time in seconds and memory in kilobytes versus number of stages, for POSETs, NDD and DBM).
One stage of the Beta example is composed of one state bit per stage with two events, one to set and one to reset the bit. In [5], they showed that DBMs could only handle 4 stages while their technique could handle 9 stages. A semilog plot of their results and ours is shown in Figure 3. POSET timing can handle 14 stages in 108 MB of memory in just 16 minutes. For the Beta example, the number of states is exactly $2^n$ where $n$ is the number of stages, so POSET timing could handle an example with $2^5 = 32$ times more untimed states than in [5]. Again, POSET timing is able to represent all the timing behavior in this example using one geometric region per state. Clearly, the Alpha and Beta examples are ideally suited to our algorithm, but they are used in [5] to demonstrate the weakness of traditional geometric region based methods.
Fig. 3. Comparative runtime and memory performance for the Beta example (semilog plots of time in seconds and memory in kilobytes versus number of stages).
The next example is an $n$-bit synchronous counter. The basic operation of the counter is that when the clock goes high, the next value of the count is determined from the previous value. When the clock goes low, the new value is latched and fed back to determine the next count. This example has several events which are enabled by multiple behavioral rules. In [15], graph transformations are described that can create a new specification which satisfies the single behavioral rule restriction, allowing verification by Orbits [13,14]. Using these graph transformations, Orbits could only analyze a 3-bit counter because it required 10,222 geometric regions to find the 64 untimed states. With our new POSET timing algorithm, it only requires 294 geometric regions to represent the entire timed state space for the 3-bit counter. In fact, our algorithm could analyze up to a 6-bit counter. This drastic difference in region count occurs because the graph transformation adds new rules for each event that has $n$ behavioral rules, and the number of added rules grows quickly with $n$. In the 3-bit counter most of the events had 4 behavioral rules, causing a huge combinatorial explosion in the number of regions.
The last example is a STARI communication circuit described in detail in [20,21]. The STARI circuit is used to communicate between two synchronous systems that are operating at the same clock frequency, $f$, but are out of phase due to clock skew which can vary from 0 to $skew$. The environment of this circuit is composed of a clk process, a transmitter, and a receiver. The STARI circuit is composed of a number of FIFO stages built from 2 C-elements and 1 NOR gate per stage, which each have a delay of $l$ to $u$. There are two properties that need to be verified: (1) each data value output by the transmitter must be inserted into the FIFO before the next one is output (i.e., $ack(1)-$ precedes $x(0).t-$ and $x(0).f-$) and (2) a new data value must be output by the FIFO before each acknowledgment from the receiver (i.e., $x(n).t+$ or $x(n).f+$ precedes $ack(n+1)-$) [22]. To guarantee the second property, it is necessary to initialize the FIFO to be approximately half-full [21]. In addition to these two properties, we verified that every gate is hazard-free (i.e., once a gate is enabled, it cannot be disabled until it has fired).
There have been two nice proofs of STARI's correctness [21,23], but they have been on abstract models. In [22], the authors state that COSPAN, which uses the unit-cube (or region) technique for timing verification [24], ran out of memory attempting to verify a 3 stage gate-level version of STARI on a machine with 1 GB of memory. This paper goes on to describe an abstract model of STARI for which they could verify 8 stages in 92.4 MB of memory and 1.67 hours. We first verified STARI at the gate level with delays from [22] (i.e., $f = 12$, $skew = 1$, $l = 1$, and $u = 2$). Using POSET timing, we can verify a 3 stage STARI in 0.74 MB in only 0.40 seconds. For an 8 stage STARI, the verification took 11 MB and only 55 seconds. In fact, POSET timing could verify 10 stages in 124 MB of memory in less than 20 minutes. This shows a nice improvement over the abstraction method and a dramatic improvement over the gate-level verification in COSPAN. For 10 stages, POSET timing found 14,531 untimed states and only needed 14,859 geometric regions to describe the timed state space. This represents a ratio of only 1.02 geometric regions per untimed state.
Finally, the complexity of POSET timing is relatively independent of the timing bounds used. We also ran our experiments using higher-precision (non-integer) values for $l$, $u$, $skew$ and $f$, which found more untimed states. With a different non-integer value of $l$, we found fewer untimed states. Both cases with higher precision delay numbers had comparable performance to the one with lower precision delay numbers. This shows that higher precision timing bounds can be efficiently verified and can lead to different behaviors. It would not be possible to use this level of precision with a discrete-time or unit-cube based technique, since the number of states would explode with such large numbers.
Our results clearly show that POSET timing can dramatically improve the efficiency of timing verification, allowing larger, more concurrent timed systems to be verified. It does so without eliminating parts of the state space, so it does not limit the properties that can be verified. In the future, we plan to further increase the size and generality of the specifications that can be verified with the POSET method. We believe the abstraction technique from [22] and POSET timing methods are orthogonal, and we are interested in trying to combine them for further improvement. Finally, our algorithm currently represents the state space explicitly, and we are working on applying implicit techniques. Our preliminary results show that this can lead to a significant improvement in memory performance [25].
Acknowledgments

We would like to thank Mark Greenstreet of the University of British Columbia, Brandon Bachman, Eric Mercer, and Robert Thacker of the University of Utah and Tom Rokicki of Hewlett Packard for their helpful comments.
References

1. A. Valmari. A stubborn attack on state explosion. In International Conference on Computer-Aided Verification, pages 176–185, June 1990.
3. K. McMillan. Using unfoldings to avoid the state explosion problem in the verification of asynchronous circuits. In G. v. Bochman and D. K. Probst, editors, Proc. International Workshop on Computer Aided Verification, volume 663 of Lecture Notes in Computer Science, pages 164–177. Springer-Verlag, 1992.
4. J. R. Burch. Modeling timing assumptions with trace theory. In ICCD, 1989.
5. M. Bozga, O. Maler, A. Pnueli, and S. Yovine. Some progress in the symbolic verification of timed automata. In Proc. International Conference on Computer Aided Verification, 1997.
6. R. Alur. Techniques for Automatic Verification of Real-Time Systems. PhD thesis, Stanford University, August 1991.
7. D. L. Dill. Timing assumptions and verification of finite-state concurrent systems. In Proceedings of the Workshop on Automatic Verification Methods for Finite-State Systems, 1989.
8. B. Berthomieu and M. Diaz. Modeling and verification of time dependent systems using time Petri nets. IEEE Transactions on Software Engineering, 17(3), March 1991.
9. H. R. Lewis. Finite-state analysis of asynchronous circuits with bounded temporal uncertainty. Technical report, Harvard University, July 1989.
10. T. Yoneda, A. Shibayama, B. Schlingloff, and E. M. Clarke. Efficient verification of parallel
11. A. Semenov and A. Yakovlev. Verification of asynchronous circuits using time Petri-net unfolding. In Proc. ACM/IEEE Design Automation Conference, pages 59–63, 1996.
13. T. G. Rokicki. Representing and Modeling Circuits. PhD thesis, Stanford University, 1993.
14. T. G. Rokicki and C. J. Myers. Automatic verification of timed circuits. In International Conference on Computer-Aided Verification, pages 468–480. Springer-Verlag, 1994.
15. C. J. Myers. Computer-Aided Synthesis and Verification of Gate-Level Timed Circuits. PhD thesis, Stanford University, 1995.
16. C. J. Myers, T. G. Rokicki, and T. H.-Y. Meng. Automatic synthesis of gate-level timed circuits with choice. In 16th Conference on Advanced Research in VLSI, pages 42–58. IEEE Computer Society Press, 1995.
17. W. Belluomini and C. J. Myers. Efficient timing analysis algorithms for timed state space exploration. In Proc. International Symposium on Advanced Research in Asynchronous Circuits and Systems. IEEE Computer Society Press, April 1997.
18. W. Belluomini and C. J. Myers. Timed event/level structures. In collection of papers from TAU'97.
19. P. Merlin and D. J. Faber. Recoverability of communication protocols. IEEE Transactions on Communications, 24(9), 1976.
20. M. R. Greenstreet. STARI: A Technique for High-Bandwidth Communication. PhD thesis, Princeton University, 1993.
21. M. R. Greenstreet. STARI: Skew tolerant communication. Unpublished manuscript, 1997.
22. S. Tasiran and R. K. Brayton. STARI: A case study in compositional and hierarchical timing