Verification of timed circuits with failure-directed abstractions by Myers, Chris J. & Zheng, Hao
IEEE TRANSACTIONS ON COMPUTER-AIDED DESIGN OF INTEGRATED CIRCUITS AND SYSTEMS, VOL. 25, NO. 3, MARCH 2006 403
Verification of Timed Circuits With Failure-Directed Abstractions
Hao Zheng, Member, IEEE, Chris J. Myers, Senior Member, IEEE, David Walter, Student Member, IEEE, Scott Little, and Tomohiro Yoneda, Member, IEEE
Abstract—This paper presents a method to address state explosion in timed-circuit verification by using abstraction directed by the failure model. This method allows us to decompose the verification problem into a set of subproblems, each of which proves that a specific failure condition does not occur. To each subproblem, abstraction is applied using safe transformations to reduce the complexity of verification. The abstraction conservatively preserves all behaviors of the concrete description that are essential for the specific failure model. Therefore, no violations of the given failure model are missed when only the abstract description is analyzed. An algorithm is also shown to examine the abstract error trace to either find a concrete error trace or report that it is a false negative. This paper presents results using the proposed failure-directed abstractions as applied to several large timed-circuit designs.
Index Terms—Abstraction, formal verification, timed circuits.
I. Introduction
Timed circuits are defined to be any circuit that is aggressively optimized using timing assumptions such that their correctness is dependent on these assumptions. Utilizing timing assumptions can produce circuits with a significant improvement in speed, as demonstrated by their use in a gigahertz research microprocessor [gigahertz unit test site (guTS)] at International Business Machines (IBM) [1] and by the Revolving Asynchronous Pentium Processor Instruction Decoder (RAPPID) instruction-length decoder designed at Intel [2]. The correctness of these new timed-circuit styles is highly dependent upon their timing assumptions. Therefore, extensive timing verification is necessary during the design process.
State explosion is a serious challenge for state-space-exploration-based verification approaches. Many methods exist to address the state explosion problem. Symbolic model checking, as described in [3], represents the state space implicitly using binary decision diagrams (BDDs), and is able to handle systems with substantially increased sizes. Applying decision diagrams to timing verification has also been successful [4]-[6]. Since interleaving among the concurrent events is the main source of state explosion, a number of techniques have been proposed to reduce the number of interleavings to be explored using partial orders [7], [8]. There has also been some success in adapting these methods to timing verification [9], [10]. While both decision diagrams and partial orders allow the verification of larger systems, many practical timed circuits are still too large to be efficiently analyzed using these techniques alone.

Manuscript received November 18, 2004; revised February 8, 2005. This work was supported by the Semiconductor Research Corporation (SRC) Contract 2002-TJ-1024, National Science Foundation (NSF) Japan Program Award INT-0087281, and Japan Society for the Promotion of Science (JSPS) Joint Research Projects. This paper was recommended by Associate Editor J. H. Kukula.
H. Zheng is with the Computer Science and Engineering Department, University of South Florida, Tampa, FL 33620 USA.
C. J. Myers is with the Electrical and Computer Engineering Department, University of Utah, Salt Lake City, UT 84112 USA.
D. Walter and S. Little are with the School of Computing, University of Utah, Salt Lake City, UT 84112 USA.
T. Yoneda is with the National Institute of Informatics in Tokyo, Japan.
Digital Object Identifier 10.1109/TCAD.2005.854638
Compositional reasoning and abstraction are essential to verifying large systems. Compositional verification based on assume-guarantee style reasoning exploits the inherent modular structure in systems [11]-[15], and it has been applied to the verification of timed circuits [16]. Compositional verification makes assumptions about the environment with which the system interacts, then checks these assumptions later. These assumptions are typically generated by hand. Therefore, if the system has complex interactions with its environment, it can be difficult to make accurate assumptions. Abstraction produces a reduced model of a system by abstracting away certain details that are unnecessary when reasoning about the system [17], [18]. In [19], hand abstractions are used for the verification of timed synchronous domino circuits in the guTS design [1]. In both cases, the assumptions and abstractions are generated by hand, making these techniques difficult to apply except by an expert user. In [20], an automated approach is described to generate the assumptions for compositional verification. This approach starts with a set of the weakest assumptions for a component, and iteratively refines these assumptions. Although the approach guarantees that the iteration terminates, it is not clear how efficient the approach would be in terms of the number of iterations necessary to generate a set of assumptions that proves the properties. Also, this approach can only handle safety properties. In [21], a hierarchical approach similar to that in [22] is presented. In this approach, an abstraction for each module in a system is found and verification is applied to the composition of those abstractions. In [23], a constraint-oriented proof methodology is applied to verify infinite systems. Constraints on infinite systems are broken into an infinite number of simple constraints on finite systems, then these constraints are grouped into finitely many equivalence classes. However, this methodology is not complete in that the reduction of infinite systems is not guaranteed. In [24], a software model-checking method utilizing lazy abstraction is presented to improve performance by adding information during abstraction refinement only when necessary. It would be interesting to see if this method can be adapted to hardware verification. Predicate abstraction has generated a lot of interest [25]-[27]. First described by Graf and Saïdi [25], predicate abstraction is a technique that combines theorem proving and model checking automatically by mapping an unbounded concrete system into an abstract finite-state system where the states correspond to truth assignments to a set of predicates. Recently, predicate abstraction has been applied to the verification of timed systems [28]. It would be interesting to see how predicate abstraction can be combined with our method to further improve performance.

Fig. 1. (a) TPN for a self-resetting AND gate; (b) TPN including timing constraints.

0278-0070/$20.00 © 2006 IEEE
A method that combines compositional reasoning and abstraction to reduce the cost of timing verification is presented in [29]. By utilizing the inherent modular structure in hardware designs, each module in a design is verified individually. Before verification, information in the environment that is irrelevant to reasoning about the module being verified is abstracted away. Then, that module is verified with its abstracted environment. While this work has been shown to verify larger circuits, it cannot be applied to flat designs or ones where the size of individual modules is beyond the capacity of the timing-verification tool. In these cases, the module must first be decomposed by hand into smaller submodules.

This paper addresses this problem by dividing the verification problem as directed by the failure model rather than by the module interface boundaries. Timing verification is utilized to show that several different failure conditions cannot arise. This paper proposes to decompose the verification problem into several subproblems in which each of the failure conditions is checked individually. In this form of problem decomposition, any information in a model irrelevant to a given failure condition is a candidate for abstraction. As shown later in the paper, each failure condition in our model involves only a very small amount of information, which allows abstraction to produce a substantial reduction in the size of the verification problem. This work extends the method in [29] to allow for abstraction independent of the hierarchical structure of the design. In other words, the method can now be applied to flat designs or designs that include large modules. This is desirable in that it eliminates the requirement of a functionally unnatural partitioning for the underlying timing-verification tool and the time spent in searching for such a partition. It also avoids errors incurred during decomposition. The decomposition and abstraction method described in this paper is proved to never produce a false-positive verification result (i.e., a failure present in the concrete description is never missed). Although the method can produce a false-negative result (i.e., a reported failure that has no concrete counterpart), this paper describes an algorithm that examines the abstract error trace either to determine a concrete error trace or to report that the result is a false negative. Finally, this paper demonstrates the effectiveness of this method by its application to several large-scale timed-circuit designs.
II. Timed Petri Nets (TPNs)
Our method uses TPNs [30] to specify timed-circuit behaviors. Let $W$ be a finite set of wires in a timed circuit. The timed behavior of a circuit is modeled as sequences of rising and falling transitions on $W$. For any $w \in W$, $w+$ is a rising transition and $w-$ is a falling transition on the wire $w$. In the following definitions, let $\mathbb{Q}^+$ and $\mathbb{R}^+$ denote the sets of nonnegative rational and nonnegative real numbers, respectively. A $W$-labeled one-safe TPN is a directed bipartite graph described by the tuple $N = (T, P, F, M_0, l, u, C, L)$, where $T$ is the set of transitions; $P$ is the set of places; $F \subseteq (T \times P) \cup (P \times T)$ is the flow relation; $M_0 \subseteq P$ is the initial marking; $l : P \to \mathbb{Q}^+$ is the lower timing-bound function; $u : P \to \mathbb{Q}^+ \cup \{\infty\}$ is the upper timing-bound function; $C \subseteq P$ is the set of constraint places; and $L : T \to (W \times \{+, -\})$ is the labe
ling function.
A transistor diagram for a self-resetting AND gate with specific timing information and a TPN representing its behavior and that of its environment are shown in Fig. 1(a). A self-resetting AND gate receives a pulse on inputs i1 and i2 and generates a pulse on output a. Intuitively, the TPN shows that i1 and i2 go high after eleven to fourteen time units. After three to four more time units, a goes high. Also, after eight to ten time units, i1 and i2 go low. The internal signal x goes low eight to ten time units after a goes high. This, in turn, resets a one to two time units later, which sets x high after one to two more time units, returning the circuit to its initial state.

The self-resetting AND gate is correct if it satisfies the following requirements: 1) hold time: the signal a must go high one time unit before either i1 or i2 goes low; 2) short circuit: the signal x must not go low until one time unit after both i1 and i2 have gone low, and i1 and i2 must not go high again until one time unit after x has gone high. Constraint places are used to specify these types of ordering and timing requirements between transitions. The constraint places marked with a "C" in Fig. 1(b) are used to check the above requirements. For example, the hold-time requirement is checked using constraint places in the postset of a+.
The remainder of this section describes the formal semantics of TPNs in more detail. The state of a Petri net is a marking $M$, which is the set of places that hold tokens. With every transition $t \in T$, its associated preset is $\bullet t = \{p \in P \mid (p, t) \in F\}$. The place set of a transition is the restriction of places in its preset to ordinary (not constraint) places, i.e., $\circ t = \bullet t - C$. For a transition $t \in T$, its associated postset is $t\bullet = \{p \in P \mid (t, p) \in F\}$. Note that the preset and postset for places are defined in a similar manner. A transition is enabled in $M$ if $\circ t \subseteq M$. The set of transitions enabled in $M$ is denoted by $X(M)$. Our method requires correct nets to be one safe (i.e., each place is allowed to contain no more than one token).¹
The state of a TPN is a pair $(M, D)$ where $M$ is the current marking and $D : P \to \mathbb{R}^+$ is a clock-assignment function assigning nonnegative real numbers to places. For every place $p$, the value $D(p)$ is the value of a clock associated with $p$ denoting its age. There are two operations on clocks: advance and reset. For some nonnegative real number $d \in \mathbb{R}^+$, $D + d$ advances the clock for every $p \in P$ to the value $D(p) + d$. For some subset of places $P' \subseteq P$, $[P' \mapsto 0]D$ resets the clock for every place in $P'$ to zero, and agrees with $D$ for every place in $P - P'$. The initial clock assignment $D_0$ is defined such that every clock is zero. The initial state of a TPN is the pair $(M_0, D_0)$.
The state of a TPN can change by firing a transition or advancing time. To fire a transition $t$ at $(M, D)$, in addition to $t$ being enabled, $D$ must satisfy the timing constraints defined by $l$ and $u$. A transition is time enabled if it is enabled and: 1) the clock for each place in its place set is at or above its lower bound [i.e., $\forall p \in \circ t.\ D(p) \geq l(p)$]; and 2) there exists a clock for a place in its place set that is below its upper bound [i.e., $\exists p' \in \circ t.\ D(p') < u(p')$]. Firing a time-enabled transition $t$ from $(M, D)$ creates the new state $(M', D')$, denoted by $(M, D)[t\rangle(M', D')$, where $M' = (M - \bullet t) \cup t\bullet$ and $D' = [t\bullet \mapsto 0]D$.
The state of a TPN can also change by advancing time. Advancing time only affects the clock-assignment function in the state pair. Advancing time by a delay $d \in \mathbb{R}^+$ in $(M, D)$ creates a new state $(M, D')$, denoted by $(M, D)[d\rangle(M, D')$, where $D' = D + d$. Time is not allowed to advance beyond the point where it would disable a time-enabled transition. The maximum delay advancement, $d \in \mathbb{R}^+$, at state $(M, D)$ is

$$d_{\max}(M, D) = \min_{t \in X(M)} \left( \max_{p \in \circ t} \left( u(p) - D(p) \right) \right).$$

After advancing time by the maximum delay, a transition either remains not time enabled, becomes time enabled, or is already time enabled and remains so.

¹As described later, our analysis method checks for violations of the one-safe property during analysis, and when such a violation is detected, a failure is reported and analysis ceases.
For example, Fig. 1(a) shows the TPN with the initial marking for the self-resetting AND gate. Transitions i1+ and i2+ are enabled in the initial marking, while a+ is not because two places in its preset do not have tokens. After four time units, the clock between x+ and a+ expires. This simply means that firing a+ is no longer constrained by this place because the other two places have not yet acquired tokens. After eleven time units, i1+ and i2+ become time enabled because the clocks for the places in their presets reach their lower bounds. Before fourteen time units elapse, both i1+ and i2+ must fire. After firing both i1+ and i2+, the tokens are removed from their presets and new tokens and clocks are introduced in their postsets. At this point, a+ now has all the tokens it needs to fire, and a+ fires three to four time units after i1+ and i2+.
III. Timed Trace Theory
This paper uses trace theory to define the semantics for TPNs. Trace theory has been used for the verification of both speed-independent [22] and timed circuits [10]. Given a TPN $N$, a trace of $N$, $x = (e_1, e_2, \ldots)$, is a sequence of transition-time pairs, where $e_i = (t_i, \tau_i)$. The time $\tau_i$ is an absolute time stamp for transition $t_i$. The trace $(e_1, \ldots, e_n)$ is a valid trace if there exists a sequence of states $(s_0, s_1, \ldots, s_n)$, with $s_0 = (M_0, D_0)$, such that for $1 \leq i \leq n$, each $s_i = (M_i, D_i)$ and $d_i = \tau_i - \tau_{i-1}$ (note $\tau_0 = 0$):
1) $0 \leq d_i \leq d_{\max}(s_{i-1})$;
2) $(M_{i-1}, D_{i-1})[d_i\rangle(M_{i-1}, D')$;
3) $t_i$ is time enabled in $(M_{i-1}, D')$;
4) $(M_{i-1}, D')[t_i\rangle(M_i, D_i)$.
The set of all possible valid traces for a TPN $N$ starting from the initial state $(M_0, D_0)$ is denoted by $\mathcal{V}(N)$. Although this set is infinite, there exist numerous algorithms for timed state-space exploration of Petri-net models that represent this infinite set of traces using a finite set of equivalent state classes (see [31]-[34], for example).
The delete function, $\mathrm{del}(V)(x)$, removes all transition-time pairs of a trace $x = (e_1, e_2, \ldots)$ whose transitions are in $V$. More formally, if $x \neq \varepsilon$ (i.e., the empty trace), then

$$\mathrm{del}(V)(x) = \begin{cases} (e_1) \cdot y & \text{if } t_1 \notin V \\ y & \text{if } t_1 \in V \end{cases}$$

where $y = \mathrm{del}(V)(e_2, e_3, \ldots)$ and $e_1 = (t_1, \tau_1)$. If $x = \varepsilon$, then $\mathrm{del}(V)(x) = \varepsilon$. This function is extended naturally to sets of traces.
The set of valid traces in a TPN is divided into those that are successes and those that are failures. There are three types of failures that are considered in this paper: safety, complement, and constraint failures. A valid trace is a safety failure if, in firing the trace, the marking update tries to add to the new marking a place that already exists in the current marking. The one-safe requirement of TPNs is common for timed state-space exploration algorithms. An unsafe net (i.e., one that is not one safe) typically indicates a problem with the design. Note that this definition of safety is on the reachable state space, so while the TPN may not be structurally safe in an untimed sense, a failure is only reported when a marking is actually reached that violates the safety property. A valid trace is a complement failure on wire $w$ if there exist two rising (falling) transitions on $w$ without a falling (rising) transition in between. Complement failures are also a common modeling error, typically caused by the designer while creating the circuit description when the set and reset phases of a signal are similar. A valid trace is a constraint failure if it contains a transition or time progress that could not have occurred if constraint places were taken into account in the definition of enabledness. Constraints are used to indicate required ordering and timing relationships, and they are the key tool for describing necessary properties of a circuit such as hold time, short-circuit avoidance, etc. There are three failure conditions for constraints. First, a transition having a constraint place in its preset is taken while the constraint place is not marked or has not been marked long enough. This indicates either that a desired ordering of signals is violated, or that a minimum time separation between signals does not hold. The second part of the definition indicates when a token stays in a constraint place beyond its upper bound. This is used to set maximum time separations between transitions. The third part states the condition when a circuit deadlocks while a constraint place is marked. It is used to check that a desired behavior occurs before the circuit deadlocks.
In our method, the function $\mathrm{fail}(N, W', C')$ is introduced to take a TPN $N$, a set of wires $W'$, and a set of constraint places $C'$, and return the subset of $\mathcal{V}(N)$ consisting of traces that are either safety failures, complement failures on $W'$, or constraint failures involving places in $C'$. In other words, a valid trace $((t_1, \tau_1), \ldots, (t_n, \tau_n))$ is returned by $\mathrm{fail}(N, W', C')$ if, for its corresponding state sequence $(s_0, s_1, \ldots, s_n)$, one of the following conditions is true.
1) Safety failure: there exist $s_{i-1} = (M_{i-1}, D_{i-1})$ and a pair $(t_i, \tau_i)$ where $(M_{i-1} - \bullet t_i) \cap t_i\bullet \neq \emptyset$.
2) Complement failure: there exist $w \in W'$ and pairs $(t_i, \tau_i)$ and $(t_k, \tau_k)$ such that the following is true:
a) $i < k$;
b) $(L(t_i) = L(t_k) = w+) \vee (L(t_i) = L(t_k) = w-)$; and
c) $\forall j.\ i < j < k \Rightarrow (L(t_i) = w+ \Rightarrow L(t_j) \neq w-) \wedge (L(t_i) = w- \Rightarrow L(t_j) \neq w+)$.
3) Constraint failure: there exist $c \in C'$, $s_{i-1} = (M_{i-1}, D_{i-1})$, and $d_i = \tau_i - \tau_{i-1}$ such that one of the three following conditions holds:
a) $c \in \bullet t_i \wedge ((c \notin M_{i-1}) \vee (D_{i-1}(c) + d_i < l(c)))$;
b) $c \in M_{i-1} \wedge D_{i-1}(c) + d_i > u(c)$; or
c) $X(M_i) = \emptyset \wedge c \in M_i$.
If $W' = \emptyset$ and $C' = \emptyset$, $\mathrm{fail}(N, \emptyset, \emptyset)$ only returns traces that would cause safety failures in $N$. Similarly, $\mathrm{fail}(N, W', \emptyset)$ only returns traces that would cause safety failures or complement failures on signals in $W'$, while $\mathrm{fail}(N, \emptyset, C')$ only returns traces that would cause safety failures or constraint failures on constraint places in $C'$.
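As an added illustration of the TPN semantics of Section II and the failure conditions of Section III (this is editorial example code, not code from the paper or from the authors' verification tool), the following Python replays a timed trace on a one-safe TPN, enforcing the valid-trace conditions 1)-4), and collects safety, complement and constraint failures as defined above. The net built by `and_gate()` is a constructed approximation of the Fig. 1 self-resetting AND gate assembled from the prose description; the paper's exact net, its place names, the `TPN` class and the `failures`/`complement_failures` functions are all assumptions of this example. The `reset_lower` parameter produces a deliberately broken variant in which x is allowed to fall before i2 has fallen, so that the short-circuit constraint place r2 reports a type 3a) constraint failure.

```python
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

INF = float("inf")


@dataclass
class TPN:
    """One-safe TPN N = (T, P, F, M0, l, u, C, L) of Section II (example code).
    F is given as transition presets/postsets; a transition name such as "a+"
    encodes its label L(t) = (a, +)."""
    pre: Dict[str, Set[str]]                   # •t
    post: Dict[str, Set[str]]                  # t•
    bounds: Dict[str, Tuple[float, float]]     # p -> (l(p), u(p))
    m0: Set[str]                               # M0
    constraint: Set[str] = field(default_factory=set)  # C

    def place_set(self, t):                    # ◦t = •t − C
        return self.pre[t] - self.constraint

    def enabled(self, M):                      # X(M): transitions with ◦t ⊆ M
        return {t for t in self.pre if self.place_set(t) <= M}

    def time_enabled(self, t, M, D):           # every clock ≥ l and some clock < u
        ps = self.place_set(t)
        return (t in self.enabled(M)
                and all(D[p] >= self.bounds[p][0] for p in ps)
                and any(D[p] < self.bounds[p][1] for p in ps))

    def dmax(self, M, D):                      # d_max(M, D) = min_t max_p (u(p) − D(p))
        return min((max(self.bounds[p][1] - D[p] for p in self.place_set(t))
                    for t in self.enabled(M)), default=INF)


def complement_failures(trace, wires):
    """Complement failure: two same-direction transitions on a wire in `wires`
    with no opposite transition between them. Needs only the labels."""
    last, hits = {}, []
    for i, (t, _) in enumerate(trace):
        w, d = t[:-1], t[-1]
        if w in wires:
            if last.get(w) == d:
                hits.append(("complement", w, i))
            last[w] = d
    return hits


def failures(net, trace, wires=(), cplaces=()):
    """Replay a timed trace ((t1, τ1), ...) on `net`, mirroring fail(N, W', C'):
    returns the safety/complement/constraint failures found. Raises ValueError
    if the trace is not valid (conditions 1)-4) of the valid-trace definition)."""
    M, D, prev, found = set(net.m0), {p: 0.0 for p in net.bounds}, 0.0, []
    for i, (t, tau) in enumerate(trace):
        d = tau - prev
        if not 0 <= d <= net.dmax(M, D):
            raise ValueError(f"step {i}: delay {d} exceeds d_max")
        D = {p: D[p] + d for p in D}                           # advance time by d
        if not net.time_enabled(t, M, D):
            raise ValueError(f"step {i}: {t} is not time enabled")
        for c in cplaces:
            if c in M and D[c] > net.bounds[c][1]:              # 3b) token older than u(c)
                found.append(("constraint_upper", c, i))
            if c in net.pre[t] and (c not in M or D[c] < net.bounds[c][0]):
                found.append(("constraint_lower", c, i))        # 3a) ordering / min separation
        if (M - net.pre[t]) & net.post[t]:                      # 1) marking would not be one safe
            found.append(("safety", t, i))
            break
        M = (M - net.pre[t]) | net.post[t]                      # fire t
        D = {**D, **{p: 0.0 for p in net.post[t]}}             # D' = [t• ↦ 0]D
        prev = tau
    if not net.enabled(M):                                      # 3c) deadlock with c marked
        found += [("constraint_deadlock", c, len(trace)) for c in cplaces if c in M]
    return found + complement_failures(trace, set(wires))


def and_gate(reset_lower=8):
    """Constructed approximation of the Fig. 1 net (not the paper's exact net).
    c1, c2 check the hold time (a+ at least 1 unit before i1-/i2-); r1, r2 check
    the short-circuit rule (x- at least 1 unit after both i1- and i2-)."""
    pre = {"i1+": {"p_i1"}, "i2+": {"p_i2"}, "a+": {"p_x", "p_a1", "p_a2"},
           "i1-": {"p_d1", "c1"}, "i2-": {"p_d2", "c2"}, "x-": {"p_xm", "r1", "r2"},
           "a-": {"p_am"}, "x+": {"p_xp"}}
    post = {"i1+": {"p_a1", "p_d1"}, "i2+": {"p_a2", "p_d2"}, "a+": {"p_xm", "c1", "c2"},
            "i1-": {"r1"}, "i2-": {"r2"}, "x-": {"p_am"}, "a-": {"p_xp"},
            "x+": {"p_i1", "p_i2", "p_x"}}
    bounds = {"p_i1": (11, 14), "p_i2": (11, 14), "p_x": (3, 4), "p_a1": (3, 4),
              "p_a2": (3, 4), "p_d1": (8, 10), "p_d2": (8, 10), "p_xm": (reset_lower, 10),
              "p_am": (1, 2), "p_xp": (1, 2),
              "c1": (1, INF), "c2": (1, INF), "r1": (1, INF), "r2": (1, INF)}
    return TPN(pre, post, bounds, {"p_i1", "p_i2", "p_x"}, {"c1", "c2", "r1", "r2"})


def demo():
    net = and_gate()
    first = net.dmax(set(net.m0), {p: 0.0 for p in net.bounds})  # 14: i1+/i2+ must fire by then
    good = [("i1+", 11), ("i2+", 12), ("a+", 15), ("i1-", 20), ("i2-", 21),
            ("x-", 24), ("a-", 25), ("x+", 26)]                  # one correct cycle
    ok = failures(net, good, wires={"i1", "i2", "a", "x"}, cplaces=net.constraint)
    # Constructed bug: x- may fire 4 units after a+, so x falls before i2 has fallen.
    bad = [("i1+", 11), ("i2+", 13), ("a+", 16), ("i1-", 19), ("x-", 20)]
    short = failures(and_gate(reset_lower=4), bad, cplaces={"r1", "r2"})
    return first, ok, short
```

With the timing bounds of the constructed net the hold-time and short-circuit rules hold on every valid trace, so `demo()` reports no failures for the correct cycle; only the variant with the faster reset path trips r2 at the firing of x-. Note that an invalid trace (a transition fired when not time enabled, or a delay beyond $d_{\max}$) is rejected rather than reported as a failure, which is the distinction the definitions above draw between validity and failure.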
IV. Safe Transformations
In [29], we introduced the notion of safe transformations that can be used to reduce the size and complexity of TPN specifications. In particular, a transformation $\pi_i(N)$ returns a new net $N'$, and it is defined to be safe when the TPN resulting from this transformation satisfies the following two properties:

$$\mathcal{V}(N') \supseteq \mathrm{del}(T - T')(\mathcal{V}(N)) \quad (1)$$

$$\mathrm{fail}(N', \emptyset, \emptyset) \supseteq \mathrm{del}(T - T')(\mathrm{fail}(N, \emptyset, \emptyset)) \quad (2)$$

where $T'$ is the set of transitions in $N'$. In other words, a net produced by a safe transformation produces a superset of the timed traces produced by the original TPN when any abstracted transition is deleted from these traces, and the transformation does not hide a safety failure of the net. As shown in the following lemma, the application of a sequence of safe transformations is also a safe transformation.
Lemma 4.1: If $\pi_i(N)$ and $\pi_j(N)$ are safe transformations, then so is $\pi_j(\pi_i(N))$.
Proof: Assume $N' = \pi_i(N)$ and $N'' = \pi_j(N')$. From the definition of a safe transformation, we have

$$\mathcal{V}(N') \supseteq \mathrm{del}(T - T')(\mathcal{V}(N))$$

$$\mathcal{V}(N'') \supseteq \mathrm{del}(T' - T'')(\mathcal{V}(N')).$$

Combining these two equations, we get

$$\mathcal{V}(N'') \supseteq \mathrm{del}(T' - T'')(\mathrm{del}(T - T')(\mathcal{V}(N))) = \mathrm{del}(T - T'')(\mathcal{V}(N)).$$

This proves the first half of the definition of a safe transformation. The second half [i.e., $\mathrm{fail}(N'', \emptyset, \emptyset) \supseteq \mathrm{del}(T - T'')(\mathrm{fail}(N, \emptyset, \emptyset))$] is proven similarly. ■
In the rest of this section, we present some TPN reductions that satisfy the safe-transformation properties. Murata [35] presents several transformations on untimed Petri nets that preserve the safety properties of the original net. We have extended these transformations and developed others for TPNs [29]. Two example safe transformations are shown in Figs. 2 and 3. More information on safe transformations can be found in [29]. If our method is working on a net $N$ and finds a portion of the net that resembles that shown in Fig. 2(a), and $t$ is a transition that can be abstracted, it can transform $N$ to a new net $N'$ in which $t$ has been removed, as shown in Fig. 2(b), where the timing bounds have been combined, as shown, to preserve the timing behavior. Note that, although shown with only two places in the preset of $t$, this transformation is valid for any number of places in the preset of $t$ as long as there is only one place in the postset of $t$. While the places in the preset of $t$ can have any number of transitions in their presets, they must only have transition $t$ in their postset [i.e., $(\bullet t)\bullet = \{t\}$]. Similarly, the place in the postset of $t$ can have any number of transitions in its postset, but it must only have transition $t$ in its preset [i.e., $\bullet(t\bullet) = \{t\}$]. In a similar fashion, if transition $t$ has only a single place in its preset and satisfies similar restrictions, it can again be removed, as shown in Fig. 3. The application of these transformations is polynomial in the size of the net.

Fig. 2. Safe transformation 1. (a) Net fragment containing $t$; (b) fragment after $t$ is removed.
Fig. 3. Safe transformation 2. (a) Net fragment containing $t$; (b) fragment after $t$ is removed.
V. Failure-Directed Abstraction
A timed-circuit description is defined to be correct if $\mathrm{fail}(N, W, C) = \emptyset$. This section presents an approach to proving $\mathrm{fail}(N, W, C) = \emptyset$ by showing that:
1) $\mathrm{fail}(N, \emptyset, \emptyset) = \emptyset$;
2) $\forall w \in W.\ \mathrm{fail}(N, \{w\}, \emptyset) = \emptyset$;
3) $\forall c \in C.\ \mathrm{fail}(N, \emptyset, \{c\}) = \emptyset$.
Now, instead of one verification run, our method performs $1 + |W| + |C|$ runs. Note that $\mathrm{fail}(N, \emptyset, \emptyset)$ checks safety properties explicitly, but when $|W| + |C| \geq 1$, this does not need to be done as a separate step since it is checked implicitly during the other checks.
At this point, each run is nearly as complex as the original run, but for each subproblem, not all transitions in $N$ are required to determine if failure traces exist. Therefore, in the second step, our method constructs a set of transitions that can potentially be abstracted safely without causing failures to be missed. The function $\mathcal{D}(N, W', C')$ takes a set of wires ($W' \subseteq W$) and a set of constraint places ($C' \subseteq C$), and it returns the following set:

$$\{t \in T \mid (\forall w \in W'.\ L(t) \neq w+ \wedge L(t) \neq w-) \wedge (\forall c \in C'.\ t \notin \bullet c \cup c\bullet)\}.$$

Intuitively, $\mathcal{D}(N, W', C')$ returns the set of transitions in $N$ that are neither transitions on wires in $W'$ nor in the preset or postset of constraint places in $C'$. For example, let $N$ denote the TPN shown in Fig. 1, and $p1$ and $p2$ denote the constraint places in the postset of a+. Then $\mathcal{D}(N, \{i1, i2\}, \{p1, p2\}) = \{x+, x-, a-\}$.
Finally, the third step of our method is to apply safe transformations to the net to remove the transitions returned by $\mathcal{D}(N, W', C')$ and the related places, whenever possible. Note that not all transitions returned by $\mathcal{D}(N, W', C')$ can be safely removed, but only those that can be removed via safe transformations. We define a function $\mathrm{abs}(N, W'', C'')$ that takes a TPN $N$, a set of wires $W''$, and a set of constraint places $C''$, and applies a sequence of safe transformations to remove, when possible, transitions in $\mathcal{D}(N, W'', C'')$ from $N$ to obtain a new TPN $N'$. The safe transformations used are restricted such that $T - T' \subseteq \mathcal{D}(N, W'', C'')$ and, for all $c \in C''$, $c$ is in the initial marking $M_0'$ of the new net if and only if $c$ is in the initial marking $M_0$ of the original net. The result after applying this function to a net is typically a net that is substantially simpler, and thus results in a much smaller state space. The main theorem can now be presented.

Theorem 5.1: Let $N$ be a TPN. $\mathrm{fail}(N, W, C) = \emptyset$ if the following three conditions are true:
1) $\mathrm{fail}(\mathrm{abs}(N, \emptyset, \emptyset), \emptyset, \emptyset) = \emptyset$;
2) $\forall w \in W.\ \mathrm{fail}(\mathrm{abs}(N, \{w\}, \emptyset), \{w\}, \emptyset) = \emptyset$;
3) $\forall c \in C.\ \mathrm{fail}(\mathrm{abs}(N, \emptyset, \{c\}), \emptyset, \{c\}) = \emptyset$.
Proof: We break up this proof into three cases.
Case 1) (Safety failures) Assume there is a trace $x$ that causes a safety failure in $N$, and that $N'$ is the TPN returned by the function $\mathrm{abs}(N, \emptyset, \emptyset)$. Since $x \in \mathrm{fail}(N, \emptyset, \emptyset)$, there must also exist a trace $y = \mathrm{del}(T - T')(x)$ such that $y \in \mathrm{del}(T - T')(\mathrm{fail}(N, \emptyset, \emptyset))$. According to property (2), $y \in \mathrm{fail}(N', \emptyset, \emptyset)$. Therefore, a safety failure is detected on the abstracted net.
Case 2) (Complement failures) Assume there is a trace $x$ that causes a complement failure on signal $w$ in $N$, and that $N'$ is the TPN returned by the function $\mathrm{abs}(N, \{w\}, \emptyset)$. Since $x \in \mathcal{V}(N)$, there must also exist a trace $y = \mathrm{del}(T - T')(x)$ such that $y \in \mathrm{del}(T - T')(\mathcal{V}(N))$. From property (1), we know safe transformations do not hide any timed traces, so $y$ must also be in $\mathcal{V}(N')$. From the definition of complement failure, there exist two transitions $t_i$ and $t_k$ on signal $w$ that create the complement failure. In fact, only transitions on $w$ are required to show whether a trace is a complement failure. By the definition of $\mathrm{abs}$, the trace $y$ must include all transitions on signal $w$ in trace $x$ along with some additional transitions from $\mathcal{D}(N, \{w\}, \emptyset)$ that could not be abstracted. Since a complement failure is detected by only examining those transitions on signal $w$ and $x$ is a complement failure, $y$ is also a complement failure because removing transitions not on $w$ does not change whether a trace is a complement failure.
Case 3) (Constraint failures) Assume there is a trace $x$ that causes a constraint failure on constraint place $c$ in $N$, and that $N'$ is the TPN returned by the function $\mathrm{abs}(N, \emptyset, \{c\})$. Since $x \in \mathcal{V}(N)$, there must also exist a trace $y = \mathrm{del}(T - T')(x)$ such that $y \in \mathrm{del}(T - T')(\mathcal{V}(N))$. This trace consists of all transitions in $\bullet c \cup c\bullet$ plus some additional transitions from $\mathcal{D}(N, \emptyset, \{c\})$ that could not be abstracted. Traces $x$ and $y$ agree on the timing of all transitions in $\bullet c \cup c\bullet$. There are three types of constraint failure defined in Section III. For type 3a), since all transitions in $\bullet c$ are preserved, as is the initial marking of $c$, the value of the predicate $c \in M_{i-1}$ is preserved at the time of firing $t_i$ (a transition that is also preserved). The value of $D_{i-1}(c)$ is also preserved for this reason. Therefore, if trace $x$ violates 3a), so does trace $y$. If trace $x$ violates type 3b), this means a transition from $\bullet c$ fired to put a token into $c$, then either a transition in $c\bullet$ fired but fired too late (in this case, it is preserved in $y$, so it is okay) or a transition outside $\bullet c \cup c\bullet$ fired to cause the failure. In this case, that transition is not necessarily preserved in $y$. However, either there exists another transition in $y$ that causes the upper-bound violation, or, if the trace is finite and ends with no transitions being enabled, $y$ is a failure due to type 3c). In either case, the failure is found by examining $y$. Finally, type 3c) is preserved from $x$ to $y$, as both traces end with no enabled transitions and the constraint place in the marking.
Therefore, if there exists a failure trace in the concrete description, it is found by an analysis of one of the abstract descriptions. ■

Fig. 4. TPN for checking safety.
Suppose that we would like to check if the TPN for the self-resetting AND gate shown in Fig. 1 has safety failures. First, all constraint places in the TPN are removed because they are only needed for checking constraint failures. Since only safety failures are checked, all transitions in the TPN are candidates for removal. After applying safe transformations such as those described earlier, as well as those from [29], the TPN in Fig. 1 is reduced to the one shown in Fig. 4. A timing analysis of this net shows that i2+ fires after 19 to 24 time units, followed by a+ after three to four time units, which enables i1+ to fire again after another 19 to 24 time units. Notice that the self-loop on a+ is never constraining.

Note that the reduced TPN contains complement failures on signals i1 and a, but they are ignored during this particular verification run because the reduced TPN is generated only for checking safety failures. Separate verification runs are required to check complement and constraint failures as described at the beginning of this section and formalized in Theorem 5.1. In particular, this example has four wires, and its TPN contains six constraint places. The decomposition method described in this paper would verify this example using 11 verification runs, one for each wire and constraint place, and another one for checking
safety failures. This example illustrates how failure-directed abstraction is applied to reduce net complexity, but breaking the verification into 11 runs is clearly overkill for such a small example. However, for large examples, as shown in Section VII, this type of decomposition can improve the overall verification time significantly and allow the verification of designs that could not be handled previously. In particular, the state space that must be explored for each subproblem is usually exponentially smaller than the original due to the net reductions, and each subproblem is constructed with an algorithm that is polynomial in the size of the original net.

Fig. 5. Algorithm to find concrete trace [surviving pseudocode fragment: if ((t, τ) is time-enabled in s) then ... else return false negative].
VI. Handling False Negatives
The verification method just described is conservative in that 
false negatives are possible and false positives never occur. 
Consider again the transformation shown in Fig. 3. In this case, 
the summing of the timing bounds as shown in the figure may 
actually result in new timed traces. For example, in the new 
net, the trace ((t1, 0), (t2, h + + ^3)) is possible, 
while this is not possible in the original net. It does, however, 
produce all the timed traces of the original net, so it is a safe 
transformation. If this extra timing introduces new timed traces 
and one of those introduced traces causes a failure, this failure 
is a false negative. Therefore, when an error trace is reported 
from an analysis of the abstracted net, it is not known whether 
this is a real error trace or a false one. Also, it is difficult for a 
designer to analyze the error trace to find the problem as it only 
includes the transitions that have not been abstracted.
Fig. 6. Algorithm to find a necessary set.
To address both of these problems, this paper introduces the 
algorithm shown in Fig. 5. This algorithm uses the abstract error 
trace to perform a guided simulation of the original TPN to 
find a concrete error trace. This is done by attempting to fire 
transitions from the abstract error trace, and when one of these 
transitions is not fireable, it examines the TPN to determine 
an abstracted transition to fire, which contributes toward the 
enabling of the next transition in the abstract error trace. In 
general, multiple such transitions may exist and the algorithm 
may need to explore multiple paths to find a valid concrete error 
trace. When no concrete error trace can be found, it is reported 
that the abstract error trace is false. In this case, abstraction can 
be performed again using a smaller subset of transformations by 
removing transformations known to add behavior. This process 
can be repeated until all behavior-adding transformations are 
removed from the subset of transformations used. While in the 
worst case, disallowing transformations that add timed traces 
can result in a flat verification, we have not seen this happen 
in practice.
The guided simulation used in the algorithm for find-
ing a concrete trace is based upon methods developed for 
partial-order state-space exploration [10]. In particular, the 
find_concrete_trace algorithm calls two functions used during 
a typical partial-order state exploration, necessary_set and 
dependent. The necessary_set algorithm in Fig. 6 is used to 
determine which transitions must fire before transition t can 
fire. This algorithm takes the transition to fire t, a timed state 
s, a set of transitions that should not be fired T', and the set 
of transitions visited so far T_v. The necessary_set algorithm 
proceeds in the following manner. First, it checks if t is in 
the set of visited transitions T_v. If it is, a cycle is detected, 
and necessary_set returns the empty set. If t is a time-enabled 
transition, then it returns t. If t is enabled but not time enabled, 
then there must exist some other time-enabled transition that 
must fire first. Therefore, one time-enabled transition is chosen 
at random to fire to allow time to move forward. If t is not 
enabled, then the algorithm must look backward in the Petri 
net to determine which transitions must fire in order to enable t. 
This is done by finding all of the unmarked places p in the preset 
of t and then calling necessary_set on each transition t' that is 
in the preset of p and not a member of the set of transitions that 
should not be fired T'. The result of this operation for each p 
forms the set of transitions that are necessary to fire in order to 
allow t to fire. The smallest of these sets is returned.
Fig. 7. Algorithm to find a dependent set.
The dependent algorithm shown in Fig. 7 is used to find 
a set of transitions that must be interleaved. Transitions must 
be interleaved because they are in conflict. Transitions conflict 
when they share a common preset place (i.e., conflict(t) = 
{t' ∈ T | •t ∩ •t' ≠ ∅}). The dependent algorithm takes a 
seed transition t, a timed state s, and a set of transitions that 
should not be fired T'. The dependent-set calculation begins 
with an initial dependent set consisting of just the transition t. 
The algorithm then looks for additional transitions that conflict 
with those already in the dependent set. These transitions may 
not yet be enabled, so this algorithm uses the necessary_set 
algorithm to find those transition firings that would lead to 
the enabling of the conflicting transition. Each time through 
the loop, newly found transitions are added to the set, and this 
loop continues until no new transitions are found. The set of 
transitions dependent on t is then returned.
The find_concrete_trace algorithm takes as input the initial 
Petri net before abstraction N, the set of transitions in the 
abstracted net T', and an abstract trace x, and it proceeds in 
the following manner. First, it sets the current state s to the 
initial state (M0, D0). The first item (t, τ) is removed from the 
abstract error trace x. If t is time enabled in the current state, 
then the dependent-set information is calculated and pushed on 
the stack for backtracking purposes. Next, t is fired and added to 
the concrete error trace x'. A new t is selected from the abstract 
error trace and the process continues. If t is not time enabled, 
then the set of transitions necessary for it to become time 
enabled is calculated. For each of these necessary transitions, 
the set of transitions that must be interleaved with each of them 
is calculated and added to the set of necessary transitions. If 
this set E is empty, then we have reached a dead path. If more 
possible interleavings are on the stack, then the algorithm backs 
up to the point at which the last choice was made. If the stack 
is empty, then a false negative has been found. If the set E is 
not empty, then a transition from the set is selected, and if any 
transitions remain, they are pushed on the stack for possible 
backtracking. The selected transition is fired and added to the 
concrete trace, and control loops back to the beginning.
The main idea behind the concrete-trace algorithm is to use 
the abstract trace to guide a search through the state space of the 
flat design, using a partial-order reduction-based reachability 
algorithm, to confirm or refute the existence of a concrete trace 
containing the abstract trace. Since a reachability algorithm is 
used, it is possible that searching for a concrete error trace 
could result in a full state-space exploration of the flat design. 
We have, however, not seen this behavior in practice. As with 
partial-order methods, this trace-generation method works well 
with designs that have a high degree of concurrency. In designs 
with more conflict than concurrency, the chance of seeing worst-
case behavior increases.
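As an added worked example (not code from the paper or from ATACS), the three procedures just described, necessary_set, dependent and find_concrete_trace, run on a constructed toy TPN. The paper's timed state (M, D) with a zone D is simplified here to a marking plus an age clock per enabled transition; "time enabled" is approximated as "t can wait out its lower bound without another enabled transition being forced past its upper bound"; and the time stamps τ of the abstract trace are dropped, so an abstract trace is just a transition sequence. The net, its names (a, b0, b1, c, p0 to p4), the step bound in find_concrete_trace and the alphabetical choose_one are this example's own assumptions. The abstract net keeps T' = {a, c}; b0 and b1 were abstracted away and conflict on p1, so the search first tries b0, reaches a dead path at c, backtracks and succeeds with b1.

```python
from dataclasses import dataclass

# Constructed toy TPN: places are strings; each transition has a preset, a
# postset and an integer [lower, upper] firing delay.
@dataclass(frozen=True)
class Transition:
    name: str
    preset: frozenset
    postset: frozenset
    lower: int
    upper: int

@dataclass(frozen=True)
class State:
    marking: frozenset   # marked places
    clocks: tuple        # sorted (transition, age) pairs for enabled transitions

def initial_state(net, marking):
    return State(marking, tuple((u, 0) for u in sorted(net) if net[u].preset <= marking))

def enabled(net, s, t):
    return net[t].preset <= s.marking

def clock(s, t):
    return dict(s.clocks).get(t, 0)

def time_enabled(net, s, t):
    """Simplified zone check: t can wait out its lower bound without some
    other enabled transition being forced past its upper bound first."""
    if not enabled(net, s, t):
        return False
    need = max(0, net[t].lower - clock(s, t))
    return all(clock(s, u) + need <= net[u].upper for u in net if enabled(net, s, u))

def fire(net, s, t):
    """Let time advance to t's lower bound, fire t, and rebuild the clocks."""
    assert time_enabled(net, s, t)
    need = max(0, net[t].lower - clock(s, t))
    aged = {u: clock(s, u) + need for u in net if enabled(net, s, u)}
    marking = (s.marking - net[t].preset) | net[t].postset
    clocks = []
    for u in sorted(net):
        if net[u].preset <= marking:
            # a transition that stays enabled and does not conflict with t keeps its age
            persistent = u in aged and u != t and not (net[u].preset & net[t].preset)
            clocks.append((u, aged[u] if persistent else 0))
    return State(marking, tuple(clocks))

def conflict(net, t):
    return {u for u in net if u != t and net[u].preset & net[t].preset}

def necessary_set(net, s, t, t_prime, visited=frozenset()):
    """Fig. 6: transitions outside t_prime that must fire before t can fire."""
    if t in visited:                     # cycle in the backward search
        return set()
    if time_enabled(net, s, t):
        return {t}
    if enabled(net, s, t):               # enabled but blocked by time: let time move
        cands = {u for u in net if time_enabled(net, s, u)} - t_prime
        return {min(cands)} if cands else set()
    per_place = []
    for p in net[t].preset - s.marking:  # every unmarked preset place must be filled
        ns = set()
        for u in net:
            if p in net[u].postset and u not in t_prime:
                ns |= necessary_set(net, s, u, t_prime, visited | {t})
        per_place.append(ns)
    return min(per_place, key=len) if per_place else set()

def dependent(net, s, t, t_prime):
    """Fig. 7: close t under conflict; these firings must be interleaved."""
    dep, changed = {t}, True
    while changed:
        changed = False
        for u in list(dep):
            for v in conflict(net, u) - t_prime - dep:
                add = {v} if time_enabled(net, s, v) else necessary_set(net, s, v, t_prime)
                if add - dep:
                    dep |= add
                    changed = True
    return dep

def find_concrete_trace(net, initial, t_prime, abstract, max_steps=1000):
    """Fig. 5: guided simulation of the flat net along the abstract trace.
    Returns a concrete firing sequence, or None when the abstract trace is a
    false negative. The step bound is an added guard, not part of the paper."""
    s, trace, i, stack = initial, [], 0, []  # stack: (alternatives, state, trace, i)
    for _ in range(max_steps):
        if i == len(abstract):
            return trace
        t = abstract[i]
        if time_enabled(net, s, t):
            others = dependent(net, s, t, t_prime) - {t}
            if others:
                stack.append((others, s, list(trace), i))
            s, trace, i = fire(net, s, t), trace + [t], i + 1
            continue
        e_set = set()
        for n in necessary_set(net, s, t, t_prime):
            e_set |= dependent(net, s, n, t_prime)
        if not e_set:                    # dead path: back up to the last choice
            if not stack:
                return None
            e_set, s, trace, i = stack.pop()
        e = min(e_set)
        if e_set - {e}:
            stack.append((e_set - {e}, s, list(trace), i))
        s, trace = fire(net, s, e), trace + [e]
    return None

# Constructed net: T' = {a, c} survive abstraction; b0 and b1 conflict on p1.
NET = {
    "a":  Transition("a",  frozenset({"p0"}), frozenset({"p1"}), 1, 2),
    "b0": Transition("b0", frozenset({"p1"}), frozenset({"p4"}), 1, 3),
    "b1": Transition("b1", frozenset({"p1"}), frozenset({"p2"}), 1, 2),
    "c":  Transition("c",  frozenset({"p2"}), frozenset({"p3"}), 1, 2),
}
INITIAL = initial_state(NET, frozenset({"p0"}))
T_PRIME = frozenset({"a", "c"})

if __name__ == "__main__":
    print(find_concrete_trace(NET, INITIAL, T_PRIME, ["a", "c"]))  # ['a', 'b1', 'c']
    print(find_concrete_trace(NET, INITIAL, T_PRIME, ["c", "a"]))  # None (false negative)
```

Running find_concrete_trace on the abstract trace [c, a] returns None: c cannot become enabled without first firing a, but a is in T' and so is only fired in the order the abstract trace dictates, and nothing remains on the stack to back up to. That is the false-negative report the text describes, and in the paper's flow it would trigger a re-abstraction with fewer behavior-adding transformations.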
TABLE I
Reduction and Runtime Results (times in seconds)

Design  Runs  Transitions  Ideal avg.  Actual avg.  Reduction  Max     Verification  Total
              (original)   remaining   remaining    time       states  time          time
RAPPID   50      114           2          60          7.16     1835     27.40        45.13
TITAC2   63      231           2          26         14.60      112      1.45        83.88
IIR1    129      331           3          11         59.61       49      0.84       429.05
IIR2    133      323           3          11         60.07       29      0.86       429.71
FIR1    296      781           3          12        673.32      105      1.72      8349.87
FIR2    296      757           3          11        720.05       57      1.99      8776.39
In the self-resetting AND gate example shown in Fig. 1, two 
of the eleven verification runs fail initially. The two runs that 
fail are for the two constraint places in the postset of a+. 
In both cases, no concrete error trace is found, so these are 
false-negative results. After disallowing one very conservative 
transformation that removes self-loops, these two verification 
runs succeed. In the experimental results described in the next 
section, only one false negative is encountered.
VII. Experimental Results
We have incorporated the method described in this paper 
into the compiler front end of the ATACS tool [36], and we 
have applied it to several examples. The ATACS tool can per-
form flat verification, modular verification [29], and the new 
failure-directed method. In the following experiments, the flat, 
modular, and failure-directed approaches use the same explicit-
state reachability analysis engine and parameter settings [37]. 
All results are obtained on a 1.7-GHz Pentium M with 1 GB 
of memory.
The first is Intel's RAPPID circuit, which is a fully asyn-
chronous instruction-length decoder for the Pentium II 32-bit 
MultiMedia extensions (MMX) instruction set [2]. In this 
instruction set, each instruction can be from 1 to 15 bytes long, 
depending on a large number of factors. In order to allow 
concurrent execution of instructions, it is necessary to rapidly 
determine the positions of each instruction in a cache line. 
Instruction-length decoding was a critical performance bottle-
neck in the Pentium II architecture at the time when RAPPID 
was being designed. The RAPPID circuit is shown to perform, 
on average, three times faster, while using half the power of 
the comparable synchronous design. This performance im-
provement is due, in large part, to the highly timed nature of the 
circuits in this design. Therefore, the correctness of this design 
is highly dependent on timing parameters. The block diagram 
for the portion of the RAPPID design that we verified is de-
picted in Fig. 8. The TPN description of the RAPPID circuit 
has 114 transitions on 49 signal wires with no constraint places. 
Our second example is the line fetch module of TITAC2's 
instruction cache system [38], which is represented using a 
TPN with 231 transitions derived from a high-level specifica-
tion [39]. The final four examples (IIR1, IIR2, FIR1, and FIR2) 
are timed signal transition graphs (STGs) used in [40], which are 
obtained from high-level specifications for an IIR filter and an 
FIR filter by doing resource allocation under several resource 
constraints and generating the corresponding STGs with timing 
based on a 0.25-µm gate library. The TPN representations for 
the IIR examples have more than 300 transitions while those 
for the FIR examples have more than 700 transitions. These 
examples have constraint places to check the correctness of the 
resource allocation, i.e., that each resource is used only sequentially.
Table I shows the reduction and runtime results for our 
examples. Column 2 of Table I shows the total number of 
analysis runs necessary to verify the circuit. Column 3 shows 
the total number of transitions in the design before transforma­
tion, column 4 shows the average number of transitions that 
would remain if all abstractable transitions were removable, 
and column 5 shows the actual average number of transitions 
remaining after transformation. Column 6 shows the amount of 
time devoted to performing net transformations across all runs 
of each design. The maximum number of states visited during 
verification is shown in column 7 and the total amount of time 
necessary to perform all verification runs is shown in column 8. 
Finally, column 9 shows the total time for verifying each design.
For all the examples, flat analysis runs out of memory. The 
modular approach is only applicable to the RAPPID example, 
since none of the other examples contains any hierarchy. For 
the RAPPID example, the modular approach decomposes the 
verification problem into ten subproblems, one for each module 
shown in Fig. 8. However, as described in [29], the IR module 
is too large and has to be further decomposed by hand into 
seven smaller modules. The final verification time for this hand-
decomposed design is reported to be 618.3 s.
The failure-directed approach succeeded in verifying all the 
examples. Over all examples, only one false negative is found, 
which is in the complement-failure check for one signal in 
the RAPPID design. Again, by removing one transformation, 
this false negative is removed and verification can complete 
successfully. In the failure-directed approach, the net size is 
decreased by 95% on average. The time required for these 
reductions is never more than 15 min total over all the necessary 
runs. The result of these reductions is that the state space 
that is explored is always less than 2000 timed states and 
often significantly fewer, with a total verification time over all 
runs never exceeding a minute and normally taking just a few 
seconds. The majority of the time spent is simply parsing the 
large nets and creating the data structures necessary to represent 
the original very large Petri net.
VIII. Conclusion and Future Work
This paper describes a new method to deal with state ex-
plosion by decomposing the timing-verification problem as 
directed by the given failure model. This decomposition allows 
for a significant reduction in the size of the model for each 
subproblem using an automatic abstraction method based on 
safe transformations. It no longer requires that a design be 
properly partitioned for successful verification. This method 
has been applied to several large timed-circuit designs, most 
of which could not previously be verified. Overall, this method 
scales very well in that the size of each individual verification 
problem depends only on the complexity associated with 
a single signal or a single constraint place. This new method 
can also be built on top of any reachability analysis algorithm 
for TPNs and benefit from any improvement in the underlying 
analysis algorithm. In particular, our preliminary analysis has 
shown that combining abstraction with a partial-order-based 
analysis technique can bring even further improvements.
References
[1] H. P. Hofstee, S. H. Dhong, D. Meltzer, K. J. Nowka, J. A. Silberman, 
J. L. Burns, S. D. Posluszny, and O. Takahashi, “Designing for a giga-
hertz,” IEEE Micro, vol. 18, no. 3, pp. 66-74, May/Jun. 1998.
[2] K. S. Stevens, S. Rotem, R. Ginosar, P. Beerel, C. J. Myers, 
K. Y. Yun, R. Kol, C. Dike, and M. Roncken, “An asynchronous 
instruction length decoder,” IEEE J. Solid-State Circuits, vol. 36, no. 2, 
pp. 217-228, Feb. 2001.
[3] J. R. Burch, E. M. Clarke, D. E. Long, K. L. McMillan, and 
D. L. Dill, “Symbolic model checking for sequential circuit verification,” 
IEEE Trans. Comput.-Aided Des. Integr. Circuits Syst., vol. 13, no. 4, 
pp. 401-424, Apr. 1994.
[4] M. Bozga, O. Maler, A. Pnueli, and S. Yovine, “Some progress in the 
symbolic verification of timed automata,” in International Conference 
on Computer-Aided Verification, ser. LNCS, vol. 1254. London, U.K.: 
Springer-Verlag, 1997, pp. 179-190.
[5] J. Møller, J. Lichtenberg, H. R. Andersen, and H. Hulgaard, “Difference 
decision diagrams,” in Computer Science Logic. Copenhagen, Denmark: 
IT Univ. Copenhagen, Sep. 1999.
[6] K. G. Larsen, C. Weise, Y. Wang, and J. Pearson, “Clock difference 
diagrams,” Nord. J. Comput., vol. 6, no. 3, pp. 271-298, 1999.
[7] A. Valmari, “A stubborn attack on state explosion,” in International Con-
ference on Computer-Aided Verification, ser. LNCS, vol. 531. London, 
U.K.: Springer-Verlag, Jun. 1990, pp. 156-165.
[8] P. Godefroid, “Using partial orders to improve automatic verification 
methods,” in International Conference on Computer-Aided Verification, 
ser. LNCS, vol. 531. London, U.K.: Springer-Verlag, 1990, pp. 176-185.
[9] J. Bengtsson, B. Jonsson, J. Lilius, and W. Yi, “Partial order 
reductions for timed systems,” in Int. Conf. Concurrency Theory, 
Nice, France, 1998, pp. 485-500. [Online]. Available: citeseer.nj.nec.com/ 
bengtsson98partial.html
[10] T. Yoneda and H. Ryu, “Timed trace theoretic verification using partial 
order reduction,” in Proc. Int. Symp. Advanced Research Asynchronous 
Circuits and Systems, Barcelona, Spain, Apr. 1999, pp. 108-121.
[11] J. Misra and K. M. Chandy, “Proofs of networks of processes,” IEEE 
Trans. Softw. Eng., vol. SE-7, no. 4, pp. 417-426, Jul. 1981.
[12] C. Jones, “Tentative steps toward a development for interfering pro-
grams,” ACM Trans. Program. Lang. Syst., vol. 5, no. 4, pp. 596-619, 
Oct. 1983.
[13] O. Grumberg and D. Long, “Model checking and modular verifica-
tion,” ACM Trans. Program. Lang. Syst., vol. 16, no. 3, pp. 843-872, 
May 1994.
[14] T. A. Henzinger, S. Qadeer, and S. K. Rajamani, “You assume, we guaran-
tee: Methodology and case studies,” in Proc. Int. Conf. Computer-Aided 
Verification, Vancouver, B.C., Canada, 1998, pp. 440-451.
[15] K. L. McMillan, “A methodology for hardware verification using com-
positional model checking,” Science of Computer Programming, vol. 37, 
no. 1-3, pp. 279-309, May 2000.
[16] S. Tasiran and R. K. Brayton, “STARI: A case study in compositional 
and hierarchical timing verification,” in International Conference on 
Computer-Aided Verification, ser. LNCS, vol. 1254. London, U.K.: 
Springer-Verlag, 1997, pp. 191-201.
[17] E. Clarke, O. Grumberg, and D. Long, “Model checking and abstrac-
tion,” ACM Trans. Program. Lang. Syst., vol. 16, no. 5, pp. 1512-1542, 
Sep. 1994.
[18] D. Dams, R. Gerth, and O. Grumberg, “Abstract interpretation of reactive 
systems,” ACM Trans. Program. Lang. Syst., vol. 19, no. 2, pp. 253-291, 
Mar. 1997.
[19] W. Belluomini and C. J. Myers, “Timed circuit verification using TEL 
structures,” IEEE Trans. Comput.-Aided Des. Integr. Circuits Syst., 
vol. 20, no. 1, pp. 129-146, Jan. 2001.
[20] J. M. Jensen, D. Giannakopoulou, and C. S. Pasareanu, “Learning 
assumptions for compositional verification,” in LNCS, vol. 2619. Berlin, 
Germany: Springer-Verlag, 2003, pp. 331-346.
[21] H. E. Jensen, K. G. Larsen, and A. Skou, “Scaling up UPPAAL: 
Automatic verification of real-time systems using compositionality and 
abstraction,” in Formal Techniques Real-Time and Fault-Tolerant Sys-
tems (FTRTFT), Pune, India, 2000, pp. 19-30. [Online]. Available: citeseer.nj. 
nec.com/jensen00scaling.html
[22] D. Dill, Trace Theory for Automatic Hierarchical Verification of 
Speed-Independent Circuits, ser. ACM Distinguished Dissertations. 
Cambridge, MA: MIT Press, 1989.
[23] K. Larsen, B. Steffen, and C. Weise, “A constraint oriented proof 
methodology,” in Formal Systems Verification, ser. LNCS, vol. 1169. 
Heidelberg, Germany: Springer-Verlag, Nov. 1996, pp. 405-435.
[24] T. A. Henzinger, R. Jhala, R. Majumdar, and G. Sutre, “Lazy abstrac-
tion,” in 29th Symp. Principles Programming Languages, Portland, OR, 
Jan. 2002, pp. 58-70.
[25] S. Graf and H. Saidi, “Construction of abstract state graphs with PVS,” 
in Conf. Computer Aided Verification, Haifa, Israel, Jun. 1997, vol. 1254, 
pp. 72-83.
[26] T. Ball and S. Rajamani, “A model and process for software 
analysis,” Microsoft Research, Redmond, WA, Tech. Rep. 2000-14, 
Feb. 2000.
[27] ——, “Automatically validating temporal safety properties of interfaces,” 
in SPIN Workshop, Toronto, Canada, May 2001, vol. 2057, pp. 103-122.
[28] M. Möller, H. Rueß, and M. Sorea, “Predicate abstraction for dense 
real-time systems,” Electron. Notes Theor. Comput. Sci., vol. 65, no. 6, 
pp. 1-20, Jun. 2002.
[29] H. Zheng, E. Mercer, and C. Myers, “Modular verification of timed 
circuits using automatic abstraction,” IEEE Trans. Comput.-Aided Des. 
Integr. Circuits Syst., vol. 22, no. 9, pp. 1138-1153, Sep. 2003.
[30] C. Ramchandani, “Analysis of asynchronous concurrent systems by timed 
Petri nets,” Massachusetts Inst. Technol., Cambridge, MA, Project MAC 
Tech. Rep. 120, Feb. 1974.
[31] D. Dill, S. Nowick, and R. Sproull, “Specification and automatic ver-
ification of self-timed queues,” Stanford Univ. Press, Stanford, CA, 
Tech. Rep. CSL-TR-89-387, Aug. 1989.
[32] T. G. Rokicki and C. J. Myers, “Automatic verification of timed circuits,” 
in Proc. Int. Conf. Computer Aided Verification, Stanford, CA, 1994, 
pp. 468-480.
[33] T. Yoneda and B. Schlingloff, “Efficient verification of parallel real-time 
systems,” in Formal Methods in System Design, C. Courcoubetis, Ed. 
Boston, MA: Kluwer, 1997.
[34] W. Belluomini and C. J. Myers, “Timed state space exploration using 
posets,” IEEE Trans. Comput.-Aided Des. Integr. Circuits Syst., vol. 19, 
no. 5, pp. 501-520, May 2000.
[35] T. Murata, “Petri nets: Properties, analysis, and applications,” Proc. IEEE, 
vol. 77, no. 4, pp. 541-580, Apr. 1989.
[36] C. Myers, W. Belluomini, K. Killpack, E. Mercer, E. Peskin, and 
H. Zheng, “Timed circuits: A new paradigm for high-speed design,” 
in Proc. Asia and South Pacific Design Automation Conf., Yokohama, 
Japan, Feb. 2001, pp. 335-340.
[37] E. Mercer, C. Myers, and T. Yoneda, “Improved POSET timing analysis 
in timed Petri nets,” in 10th Workshop Synthesis and System Integration 
Mixed Technologies (SASIMI), Nara, Japan, Oct. 2001, pp. 151-158.
[38] A. Takamura, M. Kuwako, M. Imai, T. Fujii, M. Ozawa, I. Fukasaku, 
Y. Ueno, and T. Nanya, “TITAC-2: An asynchronous 32-bit microproces-
sor based on scalable-delay-insensitive model,” in Proc. Int. Conf. Com-
puter Design: VLSI Computers and Processors, Austin, TX, Oct. 1997, 
pp. 288-294.
[39] T. Yoneda and C. Myers, “Synthesizing timed circuits from high 
level specification languages,” Nat. Inst. Informatics, Tokyo, Japan, 
NII Tech. Rep. NII-2003-003E, 2003.
[40] T. Yoneda, A. Matsumoto, M. Kato, and C. Myers, “High level synthesis 
of timed asynchronous circuits,” in Proc. Int. Symp. Advanced Research 
Asynchronous Circuits and Systems, New York, Mar. 2005, pp. 178-189.
Hao Zheng (M'05) received the M.S. and Ph.D. de-
grees in electrical engineering from the University of 
Utah, Salt Lake City, in 1998 and 2001, respectively.
Currently, he is an Assistant Professor in the Com-
puter Science and Engineering Department of the 
University of South Florida, Tampa. His research 
interests include the application of formal methods 
in computer system design, devising abstraction 
techniques to improve the capability of model check-
ing, and advanced architectures for low power and 
high performance.
Chris J. Myers (S'91-M'96-SM'04) received the 
B.S. degree in electrical engineering and Chinese 
history in 1991 from the California Institute of 
Technology, Pasadena, and the M.S.E.E. and Ph.D. 
degrees from Stanford University, Stanford, CA, in 
1993 and 1995, respectively.
He is an Associate Professor in the Department 
of Electrical and Computer Engineering, University 
of Utah, Salt Lake City. He is the author of over 
50 technical papers and the textbook Asynchronous 
Circuit Design. He is also a coinventor of 4 patents. 
His current research interests are algorithms for the computer-aided analysis 
and design of real-time concurrent systems, analog error control decoders, 
formal verification, asynchronous circuit design, and modeling of biological 
networks.
Dr. Myers received a National Science Foundation (NSF) Fellowship in 
1991, an NSF CAREER Award in 1996, and a Best Paper Award at Async99.
David Walter (S'05) received the B.S. degrees in 
computer science and computer engineering from 
the University of Utah, Salt Lake City, in 2001. He 
is currently pursuing the Ph.D. degree in computer 
science at the University of Utah.
His current research interests are in the formal 
verification of analog and mixed-signal systems.
Scott Little received the B.S. degree in computer 
engineering in 2003 from the University of Utah, Salt 
Lake City. He is currently an SRC Fellow working 
toward the Ph.D. degree in computer science at the 
University of Utah.
His current research interests include formal ver-
ification of embedded systems and analog/mixed-
signal circuits.
Tomohiro Yoneda (M'85) received the B.E., M.E., 
and Dr. Eng. degrees in computer science from the 
Tokyo Institute of Technology, Tokyo, Japan, in 1980, 
1982, and 1985, respectively.
In 1985, he joined the staff of Tokyo Institute 
of Technology, and he moved to National Institute 
of Informatics, Tokyo, Japan, in 2002, where he is 
currently a Professor. He was a Visiting Researcher 
at Carnegie Mellon University from 1990 to 1991. 
His research activities currently focus on formal 
verification of hardware and synthesis of asynchro-
nous circuits.
Dr. Yoneda is a member of the Institute of Electronics, Information, 
and Communication Engineers of Japan, and the Information Processing Society 
of Japan.
