Level Oriented Formal Model for Asynchronous Circuit Verification and its Efficient Analysis Method

Eric G. Mercer  
eric_mercer@byu.edu

Tomoya Kitai

See next page for additional authors

Follow this and additional works at: https://scholarsarchive.byu.edu/facpub

Part of the Computer Sciences Commons

Original Publication Citation

BYU ScholarsArchive Citation
Mercer, Eric G.; Kitai, Tomoya; Myers, Chris; Oguro, Yusuke; and Yoneda, Tomohiro, "Level Oriented Formal Model for Asynchronous Circuit Verification and its Efficient Analysis Method" (2002). All Faculty Publications. 1069.
https://scholarsarchive.byu.edu/facpub/1069

This Peer-Reviewed Article is brought to you for free and open access by BYU ScholarsArchive. It has been accepted for inclusion in All Faculty Publications by an authorized administrator of BYU ScholarsArchive. For more information, please contact scholarsarchive@byu.edu, ellen_amatangelo@byu.edu.
Authors
Eric G. Mercer, Tomoya Kitai, Chris Myers, Yusuke Oguro, and Tomohiro Yoneda
Level Oriented Formal Model for Asynchronous Circuit Verification and its Efficient Analysis Method *

Tomoya Kitai, Yusuke Oguro
Tokyo Institute of Technology
{kitai, yoguro}@yt.cs.titech.ac.jp

Eric Mercer
Brigham Young University
egm@cs.byu.edu

Tomohiro Yoneda
National Institute of Informatics
yoneda@nii.ac.jp

Chris Myers
University of Utah
myers@vlsigroup.ece.utah.edu

Abstract

Using a level-oriented model for verification of asynchronous circuits helps users to easily construct formal models with high readability or to naturally model datapath circuits. On the other hand, in order to use such a model on large circuits, techniques to avoid the state explosion problem must be developed. This paper first introduces a level-oriented formal model based on time Petri nets, and then proposes its partial order reduction algorithm that prunes unnecessary state generation while guaranteeing the correctness of the verification.

Key words Level-oriented model, timed asynchronous circuits, formal verification, time Petri nets.

1 Introduction

Many formal verification algorithms for asynchronous circuits that are based on the exploration of reachable states use transition-oriented models such as Petri nets and CSP in order to model circuits and specifications [1, 2, 3, 4, 5]. In this approach, the behavior of an asynchronous circuit is represented using transitions of signals. This representation has the potential ability to model the real nature of asynchronous control circuits. It is, however, not easy for nonexpert users to construct good and comprehensive representations on this model. Furthermore, in asynchronous circuit design, control signals are sometimes embedded in data-path circuits. An example of this is a dual-rail encoding, which requires some (abstracted) data-path circuits to be formally modeled for verification. In this type of application, a transition-oriented model is not suitable.

This paper tries to represent the behavior of asynchronous circuits also using values of signals like those used in the synchronous circuit design process. For this purpose, a level-oriented model is first introduced. Our model, which we call LTN (Level Time Petri Net), is obtained by extending time Petri nets such that firing an LTN transition can assign values to a set of boolean variables and that the validity of an expression over the boolean variables is also used as an enabling condition of an LTN transition in addition to the marking. Thus, an LTN can easily model the behavior based on both changes of signals and values of signals.

On the other hand, an approach to analyzing this new model in a traditional total order manner is not acceptable for large circuits due to state explosion. In other words, a new model is useless without an efficient analysis algorithm. For transition-oriented models, two major methods are proposed for this purpose, implicit state space enumeration based on BDDs [3] and partial order reduction [4, 5]. Since our current interest is in verifying timed circuits with bounded delays and the implicit state representation method often fails to efficiently represent timed states (in particular, sets of inequalities), this work chooses the partial order reduction approach.

Timed automata [6] can also be used as a level oriented model, and partial order reduction has been applied to their analysis [7, 8]. Our experience, however, has found that the generality of timed automata comes at an increase in analysis complexity, and this increased generality does not appear to be necessary for verifying asynchronous circuits.

Several alternative level-oriented Petri net models have been proposed such as TEL structures [9], level-ruled Petri nets (LPNs) [10], and an extension of time Petri nets [11]. An LTN is obtained by refining the one proposed in [11]. An LTN is somewhat less expressive than TEL structures and LPNs. In particular, timing annotations and Boolean conditions are placed on the transition in an LTN while they are placed on the edge between the place and transition in TEL structures and LPNs. This increased expressiveness, however, comes at a cost in the analysis algorithm’s complexity. As a result, the algorithms for analysis of these nets have tended to be conservative rather than exact [9, 10].

To the best of our knowledge, the work in [10, 12] is the
only one that proposes a partial order reduction for a level-oriented Petri net model, namely the LPN model, though the algorithm is conservative. The goal of this work is to obtain the exact verification results using the LTN model.

This paper is organized as follows. The next section introduces the LTN model. Section 3 briefly reviews the verification method used in this paper. Section 4 proposes the partial order reduction algorithm for an LTN. Section 5 shows the experimental results obtained by verifying several examples with the proposed algorithm. Finally, we summarize our results in Section 6.

2 Level Oriented Model

A traditional time Petri net consists of transitions (thick bars), places (circles), and arcs between transitions and places. A token (large dot) can occupy a place, and when every source place of a transition is occupied, the transition becomes enabled. Each transition has two times, the earliest firing time and the latest firing time. An enabled transition becomes ready to fire (i.e., firable) when it has been continuously enabled for its earliest firing time, and cannot be continuously enabled for more than the latest firing time, i.e., it must fire unless it is disabled. The firing of a transition occurs instantly. It consumes tokens in its source places and produces tokens to its destination places.

In an LTN, two additional functions assign and condition can be associated with a transition. The assign function relates a transition to assignments on Boolean variables, and the condition function relates a transition to an expression over Boolean variables. The enabling condition of an LTN is extended, and a transition is enabled if both the expression given by condition is true and every source place is occupied. For example, in the LTN shown in Figure 1(a), \( t_c \) is enabled only if \( b_1 \land b_2 \) is true. The firing rule of an LTN is also extended in that when a transition fires, the assignments specified by the assign function are done while consuming and producing tokens. For example, in an LTN shown in Figure 1(b), when \( t_a \) fires, \( a_1 \) and \( a_2 \) are set to 1 and 0, respectively. Using assign and condition, a level-oriented model can easily be described.

\[
\begin{align*}
&\begin{array}{l}
\bullet \quad t_c[2,4] \\
\quad (b_1 \land b_2)
\end{array} \\
&\begin{array}{l}
\bullet \quad t_a[3,5] \\
\quad \{a_1 = 1, a_2 = 0\}
\end{array}
\end{align*}
\]

Figure 1. An example of an LTN

2.1 Formal Definitions of LTN

An LTN \( N \) is a ten-tuple, \( N = (P, T, F, \text{Eft}, \text{Lft}, V, \text{assign}, \text{condition}, \mu^0, \text{val}^0) \). The members \( P, T, F, \text{Eft}, \) Lft, and \( \mu^0 \) are the same as those of the time Petri net; although the members \( V, \text{assign}, \text{condition}, \) and \( \text{val}^0 \) are newly added for an LTN, and defined as follows:

- \( V \) is a finite set of Boolean variables.
- \( \text{assign} : T \rightarrow 2^A, \) where \( A = \{ v = b | v \in V, b \in \{0, 1\} \} \).
- \( \text{condition} : T \rightarrow C, \) where \( C = \{ f_1 \land f_2 | f_1, f_2 \in C \cup F \} \) and \( F = \{ g_1 \lor g_2 | g_1, g_2 \in F \cup V \cup \bar{V} \} \). \( \bar{V} \) denotes \( \{ \bar{v_0}, \bar{v_1}, \bar{v_2}, \ldots \} \) if \( V = \{ v_0, v_1, v_2, \ldots \} \).
- \( \text{val}^0 : V \rightarrow \{0, 1\} \) is for the initial values of Boolean variables.

The assign function relates a transition to assignments on Boolean variables performed on the firing of the transition. For example, \( \text{assign}(t) = \{ a = 1, b = 0 \} \). The condition function specifies a Boolean expression that should be true for the transition to be enabled. This expression is represented by a sum-of-products such as,

\[
\text{condition}(t) = a \land b \land c \land d \land \bar{e},
\]

where \( a, b, c, d, e \) are Boolean variables (\( \land \) are omitted here).

An enabled transition is a ten-tuple \( (\mu, I, \text{val}) \), where \( \mu \) is a marking, \( I \) is a set of inequalities, and \( \text{val} \) is an assignment of a value to each Boolean variable. For a transition \( t, \) two kinds of timing variables, a past variable and a future variable are used. A past variable represents its most recent firing time, and a future variable represents its next firing time. This paper uses \( t \) also for the past variable, and \( \bar{t} \) for the future variable. Inequalities in \( I \) are over these variables. For a Boolean expression \( f \) and an assignment \( \text{val} \), \( \text{val}(f, \text{val}) \) denotes the value of \( f \) under \( \text{val} \). Thus, a set of enabled transitions in a state \( s = (\mu, I, \text{val}) \) can be expressed as

\[
\text{enabled}(\mu, \text{val}) = \\
\{ t \mid \bullet \subseteq \mu, \text{val}(\text{condition}(t), \text{val}) = 1 \},
\]

where \( \bullet \) denotes the set of source places of \( t \). A transition is firable, if it is enabled and possible to fire earlier than any other enabled transitions. That is,

\[
\text{firable}(s) = \\
\{ t \mid (I \cup \{ \bar{t} \leq \bar{t}' \mid t' \in \text{enabled}(\mu, \text{val}) \}) \text{ is consistent} \}.
\]

In this work, only 1-safe LTNs are considered, i.e., in any reachable state \( s = (\mu, I, \text{val}) \), no transition \( t \) such that \( (\mu - \bullet) \cap t \neq \emptyset \) is firable. Similarly, it is assumed that no transition has vacuous assignment, i.e., for any variable \( v \), and in any reachable state \( s = (\mu, I, \text{val}) \) with \( \text{val}(v) = b \), no transition \( t \) such that \( "v = b' \in \text{assign}(t) \) is firable. These assumptions are just for simplification of our algorithm, and with an increase in complexity they can be removed.

Figure 2(a) shows a NOR gate model with a hazard detection mechanism represented by a time Petri net. The
marking shown in this figure represents the state with input $a = 0, b = 0$ and output $c = 1$. If $a$ or $b$ goes high, $c$ is enabled. However, after $a$ goes high, $a$ is not enabled until $c$ goes low. Therefore, a hazard caused by $a +$ and $a -$ before $c -$ is detected as a failure (as described in the next section). Figure 2(b) shows the corresponding NOR gate model by a LTN. In this model, the enabling conditions are straightforwardly represented by condition functions. When a hazard occurs, a dummy transition $err +$ is enabled, and it immediately fires resulting in a failure, because the corresponding input transition is always disabled. It can be seen that an LTN represents a model more concisely than a time Petri net.

![Figure 2. NOR gate models expressed by a time Petri net and an LTN.](image)

3 Verification Method

This paper uses the timed trace theoretic verification method [13]. A module is a tuple $(I, O, N)$, where $I$ and $O$ are sets of input and output wires respectively, and $N$ is an LTN. We use a module as a formal model for a circuit element (e.g., a gate) and a specification. Some transitions in $N$ correspond to wires, and the firing of those transitions change the values of the wires. A transition related to an input wire of the module is called an input transition. An output transition is defined similarly. Moreover, the Boolean variables of an LTN correspond to input or output wires. A circuit consists of a set of modules. In a set of modules, input transitions fire only in synchronization with the corresponding output transition with the same wire name in some different module. When an output transition fires, if no input transitions are enabled in a module, a failure occurs. This represents that a module tries to send an output but some other module cannot receive it as a corresponding input. Thus, it is the case that some bad output can be produced. In this sense, our verification method checks safety properties. Note that Boolean variables can be changed at any time without failures.

We define the following, where $s = (\mu, I, val)$:

- $\text{out}_{\text{trans}}(t)$ is the output transition that corresponds to $t$. If $t$ is an output transition, then $\text{out}_{\text{trans}}(t)$ is $t$ itself.
- $\text{in}_{\text{trans}}(t)$ is a set of input transitions that correspond to $\text{out}_{\text{trans}}(t)$.
- $\text{sync}_{\text{trans}}(s, t) = \{ \text{out}_{\text{trans}}(t) \} \cup (\text{in}_{\text{trans}}(t) \cap \text{enabled}(\mu, val))$.

4 Verification Algorithm

The following shows a skeleton of the verification algorithm based on the partial order reduction.

1: $\text{verify}(s)$
2: begin
3: if $(s$ is already visited) then return(true);
4: if $(s$ is a failure state) then return(false);
5: Mark $s$ as visited;
6: forall $(t_f \in \text{ready}(s))$;
7: forall $(s' \in \text{successo}(s, t_f))$;
8: if $(\text{verify}(s')$ is false) then return(false);
9: return(true);
10: end

Although this algorithm is quite similar to the usual depth-first search algorithm, there are some major differences that characterize the partial order reduction. One is that $\text{ready}(t)$ is the subset of firable transitions, and the other is that multiple states are generated at the firing of $t_f$ by $\text{successo}(s, t_f)$. We show how to construct $\text{ready}(s)$ and $\text{successo}(s, t_f)$ for an LTN in the next subsections.

4.1 $\text{ready}(s)$

$\text{ready}(s)$ is the set of output transitions firable and necessary to fire in $s$ in order to determine if a circuit is correct. For a firable output transition $t$ and a state $s$, if $\text{dependent}(s, t)$ denotes the set of output transitions (including $t$) such that the interleaving of the firings of those transitions should be considered, $\text{ready}(s)$ is defined as

$\text{ready}(s) = \begin{cases} \text{firable}(s) & \text{if } m > 0 \\ \text{def}\text{dependent}(s, t) \subseteq \text{firable}(s) & \text{otherwise} \end{cases}$

where

$\{\pi_1, \ldots, \pi_m\} = \{\text{dependent}(s, t) | t \in \text{firable}(s), \text{dependent}(s, t) \subseteq \text{firable}(s)\}$. 

---


Authorized licensed use limited to: Brigham Young University. Downloaded on August 16, 2010 at 17:29:19 UTC from IEEE Xplore. Restrictions apply.
mindset(σ₁, σ₂, ...) chooses the set with smallest cardinality from σ₁, σ₂, ... . Since dependent(s, t) may include transitions which are not firable, those dependent sets are not chosen.

dependent(s, t_f) is the smallest set which satisfies the following:

1. t_f ∈ dependent(s, t_f).
2. If t ∈ dependent(s, t_f), then
   a. ∀ ρ ∈ SyncTrans(s, t) conflict(t') ∧ active(s, t, necessary(ρ, t), {t}) ⊆ dependent(s, t_f).
   b. ∀ ρ ∈ SyncTrans(s, t) hide fail(t') ∧ active(s, t, necessary(ρ, t), {t}) ⊆ dependent(s, t_f).
   c. ∀ ρ ∈ SyncTrans(s, t) ac_conf(s, t') ∧ active(s, t, necessary(ρ, t), {t}) ⊆ dependent(s, t_f).
   d. ∀ ρ ∈ SyncTrans(s, t) condition(t') ⊆ dependent(s, t_f).
   e. ∀ ρ ∈ SyncTrans(s, t) ac_dependent(s, condition(t), t) ⊆ dependent(s, t_f).

As mentioned later, necessary, ac_necessary and ac_dependent contain sets of pairs (u, τ), where u is a transition and τ is the minimal time necessary to fire u. Thus, if τ is large enough, the algorithm does not have to consider the firing order of t_f and u because u is enabled too late. Those transitions which fire too late are omitted from the sets by active. In other words, active(s, t, TT) represents a set of transitions u such that (u, τ) ∈ TT and u can fire τ time units earlier than t. Therefore, dependent(s, t_f) includes only those active transitions.

Now, we explain each of the above conditions using examples. Conditions 2.a and 2.b are the same as those for the transition-oriented model, so we omit them here. The details can be found in [14]. Condition 2.c states that the firing order of t and t_f should be considered, if t is in the dependent set and t makes the condition of t_f false. In this condition,

ac_conf(s, t) = {t_c | eval(condition(t_c), val) = 1, eval(condition(t_c), newval(s, t)) = 0},

where newval(s, t) represents the assignment of variables after t fires. Consider the case shown in Figure 3(a). If t and t_1 are fired only in this order and the initial value of a is 0, the firing of t_2 is missed. However, t_2 can actually fire, if t_1 and t_2 fire earlier than t. If the firing of t_2 causes a failure, omitting Condition 2.c implies that the algorithm misses a failure that may actually occur. Thus, if t is in the dependent set, the algorithm must obtain t_1 by using necessary(s, t, {t}) so that the chance that t_f fires earlier than t is covered.

necessary(s, t, T_D) contains the set of pairs (u, τ), where u is an output transition enabled in s which must fire in order to fire t under the condition that transitions in T_D are not fired, and τ is the minimal time difference between the firings of u and t. necessary(s, t, T_D) is defined as follows. Note that t_out = out_trans(t), because if t is an input transition, its corresponding output transition should be considered.

1. If t_out ∈ T_D, then necessary(s, t, T_D) = ∅.
2. If t_out ∈ enabled(μ, val), then
   necessary(s, t, T_D) = \{(t_out, 0)\}.
3. Otherwise,
   necessary(s, t, T_D) = \{(t_1, Eft(t_1) + τ_1), \ldots, (t_n, Eft(t_n) + τ_n)\},
   where
   \{(τ_1, \ldots, τ_n) = \{u ∈ SyncTrans(s, t)\} ∪ \{(t, 0)\} \mid \tau ∈ \text{out}(s) \mid t, T_D ∪ \{t_out\} \mid
   \text{ac_necessary}(s, \text{condition(t), T_D}) \mid
   \text{ac_necessary}(s, f, b, T_D) also contains a set of pairs (u, τ). The difference from necessary(ρ, s, T) is that u is the transition enabled in s = (μ, f, val), of which firing is necessary to let the expression f take value b. necessary(ρ, s, f, b, T_D) is defined as follows, where assign_trans(v, b) = \{t | “v = b” ∈ assign(t)\}:

   1. If b = eval(f, val), then ac_necessary(s, f, b, T_D) = ∅.
   2. If f is a positive form of variable v, then
      ac_necessary(s, f, b, T_D) = \bigcup_{\text{assign_trans(v, b)} \mid \text{necessary}(s, t', T_D)} necessary(s, t', T_D).
   3. If f is the negative form of variable v, then
      ac_necessary(s, f, b, T_D) = \bigcup_{\text{assign_trans(v, b)} \mid \text{necessary}(s, t', T_D)} necessary(s, t', T_D).
   4. If f is f_1 ∧ f_2 ∧ \ldots ∧ f_n with b = 1, or f_1 ∨ f_2 ∨ \ldots ∨ f_n with b = 0, then
      ac_necessary(s, f, b, T_D) = \text{mindset}(\pi_1, \ldots, \pi_m),
      where \{\pi_1, \ldots, \pi_m\} = \{\pi_i \mid 1 \leq i \leq n, \pi_i = \text{ac_necessary}(s, f_i, b, T_D), \pi_i \neq 0\},
   5. If f is f_1 ∧ f_2 ∧ \ldots ∧ f_n with b = 0, or f_1 ∨ f_2 ∨ \ldots ∨ f_n with b = 1, then
      ac_necessary(s, f, b, T_D) = \bigcup_{i=1, n} \text{ac_necessary}(s, f_i, b, T_D).

On the other hand, for a transition t in the dependent set, Condition 2.d of dependent(s, t_f) checks the fireability of transitions that make the condition of t false. For example,
in Figure 3(b), if the output transition $t_{\text{out}}$ fires, the corresponding input transition $t_{\text{in}}$ also fires synchronously, and no failure occurs. However, if $t_1$ fires earlier than $t_{\text{in}}$, then $t_{\text{in}}$ is disabled, and a failure occurs when $t_{\text{out}}$ fires. If $t_{\text{out}}$ is always fired earlier than $t_1$, this failure is missed. Thus, we need Condition 2.(d) in order to fire transitions which make conditions of other transitions false. This is done by ac
ecessary

Conditions 2.(e) is for making it easier to decide true parents of newly enabled transitions. A true parent of an enabled transition $t$ is a transition that actually makes $t$ enabled and hence decides its firing time. For example, since $t$ has multiple source places in Figure 4(a), the transition that produces the final token to the source places of $t$ can be a true parent. Moreover, if condition($t$) is a simple product as shown in Figure 4(b), the transition that assigned true to a Boolean variable last can be a true parent. Note that even if $t_3$ fires last in a firing sequence that enables $t$ in Figure 4(a), it does not mean that only $t_3$ is a true parent of $t$ in that firing sequence. This is because the partial order reduction algorithm does not usually give the ordering relation among concurrent transitions such as $t_1$, $t_2$, and $t_3$. Thus, when $t$ becomes enabled, the possibilities that each of $t_1$, $t_2$, and $t_3$ is a true parent of $t$ is checked, and a new state is generated by giving timing constraints for such a transition to be a true parent. However, if condition($t$) contains logical OR operators, true parents should be decided in a different way. For example, in Figure 4(c), either a transition $t_6$ or $t_7$ that fires earlier than the other can be a true parent of $t_c$, and the firing of such a transition immediately makes $t$ enabled. Therefore, the decision of true parents cannot be postponed until all candidates of true parents fire. Hence, in the case where condition($t_c$) is a sum of product terms, when one of the product terms becomes true by firing $t$, we check whether other product terms of condition($t_c$) can be true by firing transitions $t'$, and give the ordering relation between $t$ and $t'$. This implies that all of possible true parent candidates of $t_c$ are explicitly ordered, and it allows us to decide true parents of this type according to the firing sequences.

In Condition 2.(e),

\[
\text{affected}(t) = \{t_c \mid \text{var(assign}(t)) \cap \text{var(condition}(t_c)) \neq \emptyset \}
\]

and

\[
\text{var}(f) = \{v \mid v \text{ is a variable included in } f\).
\]

By using ac_dependent($s, f, t$), which is defined below, Condition 2.(e) checks the fireability of the transitions that makes the other products true.

1. If $f = f_1 \lor f_2 \lor \cdots \lor f_n$ and eval($f, val$) = 0 and eval($f, \text{newval}(s, t)$) = 1, then...
\[ \text{ac\_dependent}(s, f, t) = \bigcup_{i=1, n} \text{ac\_necessary}(s, f_i, 1, \{ t \}) \]

2. Otherwise,
\[ \text{ac\_dependent}(s, f, t) = \emptyset. \]

### 4.2 successo \(s, t_f\)

When we fire \(t_f\) such that \(t_f \in \text{ready}(s)\) in \(s = (\mu, I, val)\), the following processes are needed.

- For each \(u \in \text{ready}(s)\), the constraint \(t_f \leq \bar{u}\) is added to \(I\), where \(\bar{u}\) is the future variable of \(u\).
- For a transition \(t_n\) newly enabled by firing of \(t_f\), its true parent is decided, and the appropriate constraints for it are added to \(I\).

We can consider two types of true parents for \(t_n\), the transitions that produce tokens in source places of \(t_n\), and the transitions that satisfy condition\(\text{true}(t_n)\). The former are called place-related true parents, and the latter are called condition-related true parents. In order to decide true parents of \(t_n\), \text{true\_parent}(s, t_n)\), which is actually defined in 4.2.1, denotes a set of pairs \((t_p, I_p)\), where \(t_p\) is a true parent of \(t_n\), and \(I_p\) is a set of inequalities that are necessary for \(t_p\) to be a true parent. Note that if adding \(I_p\) to \(I\) of the current state makes \(I\) inconsistent, such \((t_p, I_p)\) is discarded during the state generation process.

When a true parent \(t_p\) of newly enabled transition \(t_n\) is decided, the following constraint
\[ \text{Eft}(t_n) \leq t_n - t_p \leq \text{Lft}(t_n) \]
is added to \(I\). In this case, if \(t_p\) does not become a true parent of any other transitions, \(t_p\) can be removed from \(I\) by \text{delete}(I, D). \text{delete}(I, D)\) removes from \(I\) the inequalities including variables in the set \(D\) without affecting the solution set projected to the remaining variables. Since the behavior of the transition \(t_n\) can be represented by a future variable \(t_n\), failures are not missed by removing \(t_p\). Furthermore, if \(t_p\) is not removed, the state enumeration process may not terminate.

On the other hand, for a transition \(t\) which is not enabled in \(s\), it is possible that \(I\) contains the past variables of transitions that can be true parents of \(t\) when it becomes enabled, e.g., the transitions which produce tokens in the source places of \(t\). Such past variables must not be removed in general. \text{need\_to\_keep}(s, t)\) shown in 4.2.3 denotes the set of such transitions. Using this, the set of variables that can be removed is defined as \(T = \{ t \mid \exists t' \in T - \text{enabled}(\mu, val), t \in \text{need\_to\_keep}(s, t') \}\), where \(T\) is the set of all output transitions.

From these definitions, \text{successo} \(s, t_f\) consists of states \(s' = (\mu', I', val')\) that satisfy the following conditions.

1. \(\mu'' = \mu - \bullet t_f\).
2. \(\mu' = \mu'' \cup t_f \bullet\).
3. \(val' = \text{newval}(s, t_f)\).
4. Obtain \(J_0\) from \(I\) by replacing the future variable \(t_f\) with the past variable \(t_f\).
5. \(J_1 = J_0 \cup \{ \{, t \leq \bar{u} \mid u \in \text{ready}(s) \}\}.
6. \(J_2 = \text{delete}(J_1, \{ t \mid \text{enabled}(\mu, val) - \text{enabled}(\mu'', val') \})\).

For the set of newly enabled transitions by firing \(t_f\), \(E = \text{enabled}(\mu', val') - \text{enabled}(\mu'', val') = \{ t_n, \ldots, t_n \}\), the true parent assignment, \(\{ t_{p_1}, \ldots, t_{p_i} \}\) such that \((t_{p_1}, I_{p_1}) \in \text{true\_parent}(s, t_{n})\) for \(1 \leq k \leq I\) is valid if \(J_2 \cup \bigcup_{k=1, I} I_{p_k}\) is consistent, and in this case obtain \(J_3\) as follows.

\[ J_3 = J_2 \cup \bigcup_{k=1, I} [I_{p_k} \cup \{ \text{Eft}(t_{n_k}) \leq t_{n} - t_{p_k} \leq \text{Lft}(t_{n_k}) \}] \]

8. For \(s' = (\mu', J_3, val')\) and \(D = T - \{ t \mid \exists t' \in T - \text{enabled}(\mu', val'), | t \in \text{need\_to\_keep}(s', t') \}\), let \(t' = \text{delete}(J_3, D)\).

In 7., since more than one true parent assignment, \(\{ t_{p_1}, \ldots, t_{p_i} \}\) can exist, \text{successo} \(s, t_f\) can contain more than one state. We define \text{true\_pa\_rent}(s, t_n) and \text{need\_to\_keep}(s, t) in the following subsections.

### 4.2.1 true\_pa\_rent\(s, t_n\)

Let \text{ruler}(t_n, I) = \bigbullet t_n \cap \text{var}(I)\) denote a set of candidates of place-related true parents for \(t_n\), and a set of the pairs of place-related true parents and their necessary constraints is denoted by
\[ \text{true\_parent\_place}(s, t_n) = \bigcup_{p \in \text{true\_pa\_rent}(s, t_n)} \{ (t_p, I_p) \mid \text{Eft}(t_n) \leq t_n - t_p \leq \text{Lft}(t_n) \}. \]

Furthermore, for condition-related true parents, \text{true\_parent\_cond}(s, f)\) denotes a set of pairs \((t_p, I_p)\), similarly. The definition of \text{true\_parent\_cond}(s, f)\) is given in the next subsection.

From these definitions, for cases where a place-related true parent becomes the actual true parent, \(t_p \leq t_{p}'\) is necessary for each \((t_p, I_p) \in \text{true\_pa\_rent}(s, t_n)\) and \((t_p', I_p') \in \text{true\_parent\_cond}(s, \text{condition}(t_n))\)

\[ TP_1 = \{ (t_p, \{ t_p \leq t_p \} \cup I_p \cup I_p') \mid (t_p, I_p) \in \text{true\_parent\_place}(s, t_n), (t_p', I_p') \in \text{true\_parent\_cond}(s, \text{condition}(t_n)) \} \]

is obtained. Similarly, for cases where a condition-related true parent becomes the actual true parent, \(t_p \leq t_{p}'\) is necessary, and

\[ TP_2 = \{ (t_p', \{ t_p \leq t_p \} \cup I_p \cup I_p') \mid (t_p', I_p') \in \text{true\_parent\_place}(s, t_n), (t_p', I_p') \in \text{true\_parent\_cond}(s, \text{condition}(t_n)) \} \]
is obtained. Therefore, true_parent\((s, t_n)\) can be defined as follows:

1. If condition\(t_n\) = \(\emptyset\), only place-related true parents exist, and hence true_parent\((s, t_n)\) = true_parent_place\((s, t_n)\) holds.
2. Otherwise, by considering both cases, true_parent\((s, t_n)\) = \(TP_1 \cup TP_2\) holds.

4.2.2 true_parent_cond\((s, f)\)

The candidates of true parent for the condition of the form "\(v = b\)" is denoted byvruler\((v, b, I) = \{\text{assign}\_\text{trans}(v, b) \cap \text{var}(f)\}. A set of pairs of the condition-related true parents for \(f\) and their necessary constraints is obtained as follows:

1. If \(f\) is a positive form of variable \(v\), then true_parent\(\text{cond}(s, f)\) = \(\{(t_p, 0) \| t_p \in \text{vruler}(v, 1, I)\}\).
2. If \(f\) is the negative form of variable \(v\), then true_parent\(\text{cond}(s, f)\) = \(\{(t_p, 0) \| t_p \in \text{vruler}(v, 0, I)\}\).
3. If \(f\) is \(f_1 \land f_2\), then true_parent\(\text{cond}(s, f)\) = \(\{(t_p, 0) \| t_p \in \text{vruler}(v, 1, I)\}\).
4. If \(f\) is \(f_1 \lor f_2\), then
   - If eval\((f_1, val)\) = 1 and eval\((f_2, val)\) = 0, then true_parent\(\text{cond}(s, f)\) = \(TT_1\).
   - If eval\((f_1, val)\) = 0 and eval\((f_2, val)\) = 1, then true_parent\(\text{cond}(s, f)\) = \(TT_2\).
   - If eval\((f_1, val)\) = 1 and eval\((f_2, val)\) = 1, then true_parent\(\text{cond}(s, f)\) = \(TT_1 \cup TT_2\).

Note that if \(f\) consists of more than two terms in (3) or (4), true_parent\(\text{cond}(s, f)\) is applied recursively.

Consider the example shown in Figure 5. Suppose that the state \(s_1\) is obtained by the firing sequence \(t_0, t_1, t_2, t_1, t_1\). In this case, for \(f = a \lor b\), we have \(TT_1 = \{(t_a, 0)\}\) and \(TT_2 = \{(t_b, 0) \| \{t_b \geq t_c\}\), \(t_c \{t \geq t_b\}\)}). Thus, true_parent\(\text{cond}(s_1, a \lor b)\) = \(\{(t_a, 0) \| t_a \leq t_b\}\), \(\{(t_b, 0) \| t_b \leq t_a\}\), \(\{(t_c, 0) \| t_c \leq t_a\}\)} holds.

![Figure 5. Example of true_parent\(\text{cond}(s, f)\)](image)

4.2.3 need_to_keep\((s, t)\)

For a disabled transition \(t\), need_to_keep\((s, t)\) is a set of transitions that can be true parents of \(t\). First, let

\[\text{last}(T_p, I) = \{t \| t \in T_p, (\{t \geq t' \| t' \in T_p \} \cup I) \text{ is consistent}\}\]

denote the set of transitions which can fire later than any other transitions in \(T_p\).

There are two cases to consider: first, a place-related true parent becomes the actual true parent; and second a condition-related true parent becomes the actual true parent. The set of place-related true parents is \(TP_1 = \text{last}(\text{ruler}(t, I), I)\), and the set of condition-related true parents is \(TP_2 = \text{need}\_\text{cond}(s, \text{condition}(t))\), where need\_\text{cond}(s, f) is obtained as follows:

1. If \(f\) is the positive form of variable \(v\), and
   - If eval\((v, val)\) = 1, then need\_\text{cond}(s, f) = \{\text{vruler}(v, 1, I)\}
   - Otherwise, need\_\text{cond}(s, f) = \emptyset
2. If \(f\) is the negative form of variable \(v\), and
   - If eval\((\overline{v}, val)\) = 1, then need\_\text{cond}(s, f) = \{\text{vruler}(v, 0, I)\}
   - Otherwise, need\_\text{cond}(s, f) = \emptyset
3. If \(f\) is of the form \(f_1 \land f_2 \land \cdots \land f_n\), then need\_\text{cond}(s, f) = \text{last}\(\bigcup_{i=1}^{n}\\text{need}\_\text{cond}(s, f_i), I\)
4. If \(f\) is of the form \(f_1 \lor f_2 \lor \cdots \lor f_n\), then need\_\text{cond}(s, f) = \bigcup_{i=1}^{n}\\text{need}\_\text{cond}(s, f_i)\)

The set of true parents can be obtained by applying last to the union of these two sets, that is, \(\text{last}(TP_1 \cup TP_2, I)\). However, in order to make \(t\) enabled, the firings of other transitions \(t'\) are necessary, and if \(t_p \in \text{last}(TP_1 \cup TP_2, I)\) cannot fire later than those transitions, \(t_p\) cannot be the actual true parent. can\_fire\_last\((s, t, t_p, T_d)\) checks this possibility.

Therefore, need_to_keep\((s, t)\) can be defined as follows

\[\text{need_to_keep}(s, t) = \{t_p \| t_p \in \text{last}(TP_1 \cup TP_2, I),\ \text{can}\_\text{fire}\_\text{last}(s, t, t_p, 0)\}\]
can_fire_last(s, t, t', T_D) checks all enabled transitions t'', and returns true if it is possible that t' can fire later than any other descendant transitions of t'' that make t enabled. can_fire_last(s, t, t', T_D) is similar to necessary, but can_fire_last(s, t, t', T_D) considers all t'', while necessary checks some selected paths using minset.

5 Experimental Results

We have naively implemented the proposed method in the C language. Here, we demonstrate the verification of the STARI example [15, 16, 14] by using LTN models. In these experiments, the time Petri net models used in [14] are just replaced with LTN models, e.g., a NOR gate is modeled as shown in Figure 2(b) instead of Figure 2(a). The remaining verification settings are not changed.

In Table 1, the column labeled “Partial” shows the number of generated states, CPU times (Pentium III, 866MHz, 360MB, on VMware), and memory amount required for the verification of various sizes of STARI circuits. For comparison, the results by the total order algorithm where the set of all firable transitions is used as a ready set are also shown in the column labeled “Total”. The results show a significant performance improvement of the partial order reduction algorithm over the total order algorithm.

Table 2 shows the performance comparison between the level-oriented method and the transition-oriented method. For this experiment, VINAS-P[17], which works for time Petri net models, is used as the transition-oriented method. Both methods use a partial order reduction algorithm. Since the LTN models are much simpler than the time Petri net models as shown in Figure 2, our naive implementation outperforms VINAS-P.

6 Conclusion

This paper proposes a level-oriented model, LTN, for formal verification that naturally models the behavior of asynchronous circuits. This new model allows for the specification of causality through both transitions and signal values. This paper also develops a partial order verification algorithm for this new model. In particular, the ready set construction is enhanced to be aware that disablings can now occur not only as a result of conflict in the net but also through the change of signal values in the level. The calculation of true parents in disjunctive conditions must also be considered in the calculation of the ready set. Finally, the necessary set construction used in the ready set calculation must be updated to allow for the recursion to proceed from a condition to the transition that assigns to the variables used in the condition. The zone construction used by the timing analysis algorithm must also be enhanced. In particular, true parents may now be found in conditions and more care must be taken in deciding when transitions can be safely pruned from the zone. This updated algorithm has been implemented and applied to the timed circuit benchmark, STARI, and it has been found to outperform a verifier based on the time Petri net model.

References


