SUMMARY We present a new framework for checking safety failures. The approach is based on the conservative inference of the internal states of a system from the observation of its interaction with its environment. It relies on two similar mechanisms: forward implication, which analyzes the consequences of an input applied to the system, and backward implication, which performs the same task for an output transition. While being a very simple approach, it is general, and we believe it can yield efficient algorithms for different safety-failure checking problems. As a case study, we have applied this framework to an existing problem, hazard checking in (speed-independent) asynchronous circuits. Our new methodology yields an efficient algorithm that performs as well as or better than all existing algorithms, while being more general than the fastest one.
Introduction
There exist general frameworks that formalize the concept of approximation, yielding proven checking algorithms by using approximation and concretization functions that satisfy given properties (for example [1], which still has an extensive impact, and [2] for recent applications in checking). Such frameworks are extremely general and can be used to check any type of liveness or safety property. In this paper, we present a framework that focuses only on the problem of safety-failure checking, which verifies that bad behavior never happens in any reachable state of the system. The loss of generality is compensated by greater simplicity and a better fit to the problem at hand.
To apply our framework to a concrete problem, two things need to be defined: first, the symbolic representation, which represents sets of implementation states, and second, the implication functions, which must over-approximate the computation of the sequences of internal (and possibly output) transitions enabled in a given symbolic state. Using only this representation and the implication functions, and supposing they satisfy some adequate properties, we obtain a general means to perform conservative safety-failure checking.
As an example and case study, we apply the framework to the problem of checking hazard-freedom in speed-independent asynchronous circuits. As of now, there exist several tools that are able to perform such a task, such as the tool AVER proposed by Dill [3], TRANAL by Kishinevsky et al. [4], and VERSIFY [5] (which performs more extensive verification than simple hazard checking). Some algorithms have been used ([6]) to transform this problem into a general model checking problem. There also exist methods to reduce the cost of checking, including methods based on partial order reduction [7], [8]. These algorithms perform exact checking.
Most notably, there also exists an algorithm proposed by Beerel et al. [9] that performs checking using an approximation. This algorithm has proved to be extremely fast and, in spite of being conservative, to yield false negatives very rarely.
The algorithm obtained through our framework is as efficient as [9], which is the fastest algorithm known today for hazard checking of speed-independent circuits. The reason why the two algorithms are fast is that both only require exploration of the specification state space. However, the algorithm in [9] cannot handle internal loops, which is a major drawback, while our algorithm can.
The rest of this paper is organized as follows: in Sect. 2, the general framework is introduced. Section 3 shows the application of the general framework to the problem of hazard checking for speed-independent circuits. Section 4 compares the resulting algorithm with [9], and finally Sect. 5 contains some experimental results.
A New Framework for Conservative Representation
Before describing the framework itself, a few definitions are necessary.
In the specification in Fig. 1 with the implementation given in Fig. 2, the following holds:
In order to apply the proposed framework to a given problem, first, a symbolic representation should be defined, and second, appropriate forward and backward implication functions should be defined. Then, procedure toplevel, shown in Algorithm 2.1, can be used. It computes a mapping from ,DS to D#I, kept in K, which associates exactly one symbolic state to each specification state.
Definitions
$\forall a \in A,\ a \le \sqcup A \quad (1)$
$(\forall a \in A,\ a \le b) \Rightarrow \sqcup A \le b \quad (2)$
Application to Speed Independent Circuits
Under the speed-independent assumption, wires are supposed to introduce no delay, while the operation times of Boolean gates are unbounded. In the rest of this paper, this is modelled as follows: wires have no delay, and a speed-independent gate is composed of a combinational gate (which operates instantaneously) followed by a buffer with unbounded delay. Unless specified otherwise, in the rest of this paper the word gate refers to a speed-independent gate. Concerning memory elements, that is, gates u whose equation takes the form u=F(u, i1, ..., in), where i1, ..., in are the inputs and the first argument of F indicates feedback, this feedback is made explicit through the insertion of a new wire w. The equations become v=F(u, i1, ..., in) and u=v (that is, u is a buffered copy of v).
INF. & SYST., VOL.E91-D, NO.3 MARCH 2008
At this point, it is necessary to give a few technical definitions. The set of Boolean values is denoted by B={t, f}. The set F_V of Boolean formulas over a set V of variables is defined inductively as:
The set F_V^+ of positive Boolean functions is defined in-
The solution set of Γ(S) is Ξ = {(ff), (tf), (tt)}, and the base set is
}, that is, the symbolic state S represents three distinct implementation states: first, (01), in which a is low and b is high (this is the initial state); then, (11), in which a, its rising transition having fired, is now high, and b is still low due to the delay on the gate; and finally, (10), in which both transitions have fired: a is high and b is low.
Since now iv(S, a)=1, the following is obtained:
base(S')={(100),(110),(111)}.
That is, in state (100), each wire is at its initial value; then, b can rise, yielding (110), and finally, c can rise, yielding (111).
In this section as well as in the following sections, we compute the base set of several symbolic states. This is only done to ease the reader's comprehension: the efficiency of the proposed framework comes precisely from the fact that base sets never need to be handled explicitly.
Backward Implication
In order to apply our framework, the two implication functions have to be defined.
The simplest to define is the backward implication, given in Definition 4.
The algorithm is given in Algorithm 3.1.
That gives the following base set:
base(S) = {(101000), (111000), (001000), (001100), (011000), (011100), (011110), (011111)}
Intuitively, a forward implication should add to the set of feasible sequences of transitions all sequences that are newly enabled by an input transition. This is exactly what the algorithm does, by propagating a change from the enabled input to the outputs.
Let us consider an attempted decomposition of an AND gate with one of its inputs negated into an AND gate and a NOT gate, as in Fig. 7. We consider the partial specification of an AND gate, as shown in Fig. 8. If there were no delay at the output of the NOT gate, then the implementation would conform to the specification, in which no output
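To make the two notions used above concrete, the following added example (not code from the paper) explores every interleaving of excited gates under the gate model of Sect. 3: it recomputes the base set of the a, b, c chain from the previous section and checks the AND/NOT decomposition against the single-gate version. The environment trace, the wait-for-output semantics and the definition of a hazard as an excitation withdrawn by another transition are assumptions of this example, not the paper's definitions.

```python
from collections import deque

# Speed-independent gate (model of Sect. 3): a combinational function evaluated
# instantly, followed by a buffer with unbounded delay. A gate is excited while
# its function value differs from its buffered output.
# circuit: {output_wire: (function, input_wires)}; a state is a tuple of wire
# values ordered as `wires`. The environment is a constructed trace of
# (wire, value) items: an input item fires when reached, an output item makes the
# environment wait until the circuit shows that value (assumed semantics).

def excited(circuit, wires, state):
    idx = {w: i for i, w in enumerate(wires)}
    return {o for o, (fn, ins) in circuit.items()
            if fn(*(state[idx[i]] for i in ins)) != state[idx[o]]}

def explore(circuit, wires, init, env):
    # BFS over (state, environment position). Returns (reachable states, hazards);
    # a hazard is an excited gate whose excitation is removed by a transition
    # other than its own firing (assumed definition).
    idx = {w: i for i, w in enumerate(wires)}
    start = (tuple(init), 0)
    seen, queue, hazards = {start}, deque([start]), set()
    while queue:
        state, pos = queue.popleft()
        ex = excited(circuit, wires, state)
        succ = []
        for g in ex:                                  # any excited gate may fire
            nxt = list(state); nxt[idx[g]] ^= 1
            succ.append((g, tuple(nxt), pos))
        if pos < len(env):
            w, v = env[pos]
            if w in circuit:                          # wait for an output value
                if state[idx[w]] == v:
                    succ.append((None, state, pos + 1))
            else:                                     # primary input transition
                nxt = list(state); nxt[idx[w]] = v
                succ.append((w, tuple(nxt), pos + 1))
        for fired, nxt, npos in succ:
            for g in (ex - {fired}) - excited(circuit, wires, nxt):
                hazards.add((g, state, fired))
            if (nxt, npos) not in seen:
                seen.add((nxt, npos)); queue.append((nxt, npos))
    return {s for s, _ in seen}, hazards

def chain_example():
    # Base set of the previous section: a has risen, b = a and c = b must still fire.
    circuit = {'b': (lambda a: a, ('a',)), 'c': (lambda b: b, ('b',))}
    return explore(circuit, ('a', 'b', 'c'), (1, 0, 0), [])

def decomposition_example(not_gate_delayed):
    # y = a AND NOT b, either as one gate or as n = NOT b (own delay), y = a AND n.
    # Constructed environment: a falls, b rises, wait for y to fall, a rises.
    env = [('a', 0), ('b', 1), ('y', 0), ('a', 1)]
    if not_gate_delayed:
        circuit = {'n': (lambda b: 1 - b, ('b',)), 'y': (lambda a, n: a & n, ('a', 'n'))}
        return explore(circuit, ('a', 'b', 'n', 'y'), (1, 0, 1, 1), env)
    return explore({'y': (lambda a, b: a & (1 - b), ('a', 'b'))}, ('a', 'b', 'y'), (1, 0, 1), env)
```

With the delayed NOT gate, a rising again while n is still high excites y, and n falling then withdraws that excitation; the single-gate version reaches no such state.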
Least Upper Bound
Finally, in order to apply the top-level algorithm of the framework, it is necessary to define the least upper bound of two symbolic states.
Proof of Correctness
Usually, hazard checking is split into two phases: first, Complex Gate Equivalence (CGE) checking, in which all delays in the circuit are considered nonexistent and the conformance of the reduced circuit is checked against the specification, and then the actual hazard checking. CGE checking is a simple and fast task to perform, but it is the combination of one limited liveness check with one limited safety check, and thus cannot be expressed in terms of the proposed framework. The rest of this paper only describes actual hazard checking, which is a case of safety-failure checking. The proposed representation for asynchronous circuits can, however, be used to perform exact CGE checking at the same time as hazard checking, even though this particular point is not explained in detail in this paper.
