Abstract. In this paper we discuss the practical difficulty of analyzing the behavior of timed automata and report some results obtained using an experimental bdd-based extension of kronos. We have treated examples originating from the timing analysis of asynchronous boolean networks and of CMOS circuits with delay uncertainties, and the results outperform those obtained by previous implementations of timed automata verification tools.
Introduction
The computational burden associated with the verification of discrete systems consists in representing and calculating the set of reachable states of a transition system, usually described as a product of small interacting systems. Timed systems were introduced in order to provide a more detailed level of modeling in which it is possible to refine a statement such as "a is followed by b" into "a is followed by b within t time units". Timed formalisms for describing systems (timed automata [AD94], [D89], timed Petri nets [BD91], timed transition systems [HMP92a] or real-time process algebras [NS92]) and for specifying behaviors (real-time temporal logics [AH92], timed regular expressions [ACM96]) allow the intuitive expression of real-life phenomena. Among these is the hard fact that it takes some time between the initiation and the completion of a change, and that quantitative timing information may matter in the future evolution of a system.
In fact, after playing with timed models for some time, one starts wondering about the underlying assumptions that make "classical" untimed reasoning valid and useful. What class of real-timed systems is hiding behind each and every untimed automaton? How are discrete transitions embedded in the real time axis? Without getting too much into the details, one can suggest two kinds of answers:
Asynchronous answer: we assume that changes in various system components may take an arbitrary amount of time to be accomplished. From this perspective an untimed system can be viewed as a timed system with trivial [0, ∞] bounds on the duration of a transition. Clearly, such an abstraction will create many more executions than a real system would.

This research was supported in part by the European Community projects HYBRID EC-US-043 and INTAS-94-697. Verimag is a joint laboratory of cnrs and ujf.
Synchronous answer: certain assumptions are made and certain precautions are taken in order to ensure that most of the timing information can be ignored. This is the principle underlying the clocked realization of sequential machines: we are not interested in the intermediate states of the next-state logic, nor in whether one state variable has changed before the other. What is important is that everybody has stabilized by the next time their values are sampled.
When one is not satisfied with the type of answers suggested by the abstract untimed models, or with the performance of clocked systems, timed models seem to be the next logical step (see also [BS94]). It has been shown elsewhere ([D89], [L89], [MP95]) how a very general model of non-clocked circuits with delays can be translated into timed automata, on which one can ask all sorts of interesting timing questions ([ACD93], [HNSY94], [AMP95]). The only problem with these models is the amount of time (and space) that might elapse between posing the question and obtaining the answer. Indeed, it is this performance bottleneck that prevents the transfer of timing verification technology from theory to practice. In this paper we describe some attempts to push forward the performance limitations of current timed automata verification tools by augmenting the tool kronos [DOTY96] with an additional bdd-based capability.
The rest of the paper is organized as follows: in Section 2 we discuss, via generic examples, the computational difficulty of timed automata analysis methods and present an alternative data-structure, ndd, which is used to analyze the examples in this paper. ndds are essentially nothing more than bdds over the bits of discretized clocks. In Section 3 we show the performance of the ndd implementation on benchmark examples coming from asynchronous boolean networks and compare them with other implementations, while in Section 4 we apply ndds to realistic (but small) examples of MOS circuits with up to 5 inputs and 16 transistors, in order to answer a question motivated by noise problems. We assume that the reader is familiar with the basic definitions of timed automata and with bdds.
The Difficulty of Timing Analysis
Consider a system which can generate events out of a set T = {1, ..., n}, such that every two consecutive occurrences of event i must be separated by l_i time units, while every occurrence of i must be followed by another one within u_i units. Such a system can be modeled by the simple one-state timed automaton A depicted in Figure 1-(a), having n clocks and n transitions. Calculating the set of reachable clock configurations is needed in order to determine which T-sequences are realizable by the system. An illustration of the calculation of the set of reachable clock configurations for n = 2 is given in Figure 2. At the beginning, time progresses until it reaches the smallest lower bound (in this case, l_1). From then on, until the first upper bound is encountered (in this case, u_1), the transition

In general, the sets of reachable clock configurations obtained this way can be expressed as a union of zones, that is, convex polyhedra generated by half-spaces of the form C_i < k or C_i − C_j < k for k in some finite subset of the integers. Zones admit an efficient representation using difference-bound matrices (dbm, [D89]) on which it is easy to calculate intersection and the progress of time.
As often happens in computational-geometry problems, the difficulty comes from the need to manipulate non-convex sets. In this case the representation is not canonical, and a lot of work is needed in order to determine whether all the reachable states have already been encountered. It may turn out, for example, that a union of zones stored in memory is, in fact, convex and can be replaced by a single zone, but testing this possibility at every iteration is costly. Some authors ([H93], [AIKY95], [B96], [WD94]) try to use various sorts of approximations, e.g. convex hulls instead of unions, but these over-approximations often tend to become too large and hence not useful.
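As an added illustration of the two preceding paragraphs (this is example code written for this edit, not kronos's own dbm implementation), the following difference-bound matrix supports exactly the operations mentioned above: intersection, the progress of time, and a canonical form obtained by Floyd-Warshall closure, so that two syntactically different descriptions of the same zone become identical matrices. It assumes non-strict bounds of the form C_i − C_j ≤ b (the paper's zones use strict inequalities; the strict/non-strict flag is omitted here for brevity), with C_0 a reference clock fixed at 0. The union of zones that the paragraph above is concerned with has no such canonical form: two lists of DBMs describing the same non-convex set need not compare equal, which is the check this class cannot offer.

```python
# Minimal DBM (difference-bound matrix) for zones over clocks C_1..C_n.
# Index 0 is the reference clock C_0 = 0; m[i][j] = b encodes C_i - C_j <= b.
INF = float("inf")


class DBM:
    def __init__(self, n):
        self.n = n
        self.m = [[INF] * (n + 1) for _ in range(n + 1)]
        for i in range(n + 1):
            self.m[i][i] = 0
            self.m[0][i] = 0  # C_0 - C_i <= 0: every clock is non-negative

    def constrain(self, i, j, b):
        """Add the half-space C_i - C_j <= b (tightens an existing bound)."""
        self.m[i][j] = min(self.m[i][j], b)
        return self

    def canonical(self):
        """Floyd-Warshall closure: every bound becomes the tightest one implied
        by the others, so equal zones yield equal matrices (canonicity)."""
        m, idx = self.m, range(self.n + 1)
        for k in idx:
            for i in idx:
                for j in idx:
                    if m[i][k] + m[k][j] < m[i][j]:
                        m[i][j] = m[i][k] + m[k][j]
        return self

    def is_empty(self):
        # A negative cycle shows up as a negative diagonal entry after closure.
        return any(self.m[i][i] < 0 for i in range(self.n + 1))

    def copy(self):
        z = DBM(self.n)
        z.m = [row[:] for row in self.m]
        return z

    def intersect(self, other):
        """Intersection is the element-wise minimum of bounds, then re-closure."""
        z = DBM(self.n)
        z.m = [[min(a, b) for a, b in zip(ra, rb)] for ra, rb in zip(self.m, other.m)]
        return z.canonical()

    def elapse(self):
        """Progress of time: drop every upper bound C_i - C_0 <= b; differences
        between clocks are unaffected because all clocks advance together."""
        z = self.copy()
        for i in range(1, self.n + 1):
            z.m[i][0] = INF
        return z

    def reset(self, x):
        """Reset C_x := 0: C_x inherits the bounds of the reference clock C_0."""
        z = self.copy()
        for j in range(self.n + 1):
            z.m[x][j] = self.m[0][j]
            z.m[j][x] = self.m[j][0]
        z.m[x][x] = 0
        return z

    def contains(self, point):
        """Membership test for a clock valuation (C_1, ..., C_n)."""
        v = (0,) + tuple(point)
        idx = range(self.n + 1)
        return all(v[i] - v[j] <= self.m[i][j] for i in idx for j in idx)

    def __eq__(self, other):
        return self.m == other.m


def demo():
    # Constructed sample: the same zone written twice, once with a redundant bound.
    z1 = DBM(2).constrain(1, 0, 3).constrain(2, 0, 5).canonical()
    z2 = DBM(2).constrain(1, 0, 3).constrain(2, 0, 5).constrain(1, 2, 10).canonical()
    same = z1 == z2                                 # canonical forms coincide
    z3 = z1.intersect(DBM(2).constrain(2, 1, 1))    # add C_2 - C_1 <= 1
    return same, z3.m[2][0], z3.elapse().contains((10, 11)), z3.reset(1).contains((0, 4))
```

Calling demo() returns (True, 4, True, True): the redundant bound disappears under closure, intersection tightens the implied bound on C_2 from 5 to 4, time progress keeps the difference constraint while lifting upper bounds, and resetting C_1 leaves 0 ≤ C_2 ≤ 4.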
The problem is aggravated when the untimed state-space is non-trivial. Consider the two-state automaton B of Figure 1-(b). Such an automaton represents a boolean input signal whose only constraint is that every two changes in its value are separated by some time t ∈ [l_i, u_i). An array of such automata is an unavoidable component in any model for analyzing the behavior of circuits under all possible inputs. When two such automata work in parallel, the reachable clock configurations are "distributed" among the discrete states {00, 01, 10, 11} as shown in Figure 3. This raises several problems: there might be a lot of redundancy if we represent the reachable configurations of every state separately, because two states might share zones. In addition, if we use symbolic methods ([BCM+93], [McM93]) to overcome the discrete state-explosion problem, how should they be combined with the dbm representation? Finally, the convergence of the set of reachable configurations into a convex zone is usually slower than in the case of a one-state automaton.
In order to overcome these problems we have devised and implemented an alternative representation scheme for sets of clock configurations, the Numerical Decision Diagrams (ndd, [ABK+97]), and tested its performance on these and other examples. This scheme has some major advantages over dbms (canonicity, natural combination with discrete symbolic representations) but, of course, has its own disadvantages, most notably its sensitivity to time granularity.
The idea behind ndds is trivial. Suppose that each clock can take values in the range [0, k), and consider a discretization of time such that the possible clock values are K = {0, ..., k − 1}. Each clock can be treated as a bounded integer variable, and any of its possible values can be encoded in binary using log k bits. Consequently, any subset of K^n can be viewed as a subset of {0, 1}^{n log k} and represented by a bdd over n log k boolean variables. Given a fixed variable ordering, this representation is canonical regardless of convexity, and it offers bdd-based boolean operations as well as the calculation of the passage of time by simple arithmetical operations.
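The following is an added worked example of this encoding (written for this edit; it is not the ndd implementation of the paper and uses no bdd package): every clock is a bounded integer stored in a w-bit field of one integer, so a set of clock configurations is a set of such bit vectors, and the passage of one time unit is a single addition of the constant 0…0001…0001 to the packed value. It explores the one-state automaton A of Section 2 in its discrete-time interpretation, assuming that the invariant is C_i ≤ u_i, that transition i is enabled once C_i ≥ l_i and resets C_i, and that transitions are interleaved (one per step). A plain Python set of integers stands in for the bdd; the bit layout and the arithmetic time step are what an ndd inherits, and the set comparison at the end shows the canonicity claim (equal sets compare equal, convex or not). For the constructed bounds l = (1, 2), u = (2, 3) the reachable set is the whole clock space, which is the behaviour of A that Section 3 reports.

```python
# Discretised reachability of the one-state timed automaton A with n clocks,
# each clock kept in its own w-bit field of a single integer (ndd-style encoding).
from math import ceil, log2
from itertools import product


def width(u):
    """Bits per clock: enough to hold every value in 0..max(u)."""
    return max(1, ceil(log2(max(u) + 1)))


def pack(clocks, w):
    """Encode a tuple of clock values; clock i occupies bits [i*w, (i+1)*w)."""
    v = 0
    for i, c in enumerate(clocks):
        v |= c << (i * w)
    return v


def unpack(v, n, w):
    mask = (1 << w) - 1
    return tuple((v >> (i * w)) & mask for i in range(n))


def tick(v, n, w, u):
    """One time unit passes: add 1 to every clock field simultaneously.
    Returns None if some clock would exceed its bound u_i (the invariant)."""
    if any(c >= ui for c, ui in zip(unpack(v, n, w), u)):
        return None
    ones = sum(1 << (i * w) for i in range(n))  # the constant 0..01 0..01 ... 0..01
    return v + ones


def fire(v, i, n, w, l):
    """Transition i: allowed once C_i >= l_i; resets C_i by clearing its field."""
    field = (1 << w) - 1
    if ((v >> (i * w)) & field) < l[i]:
        return None
    return v & ~(field << (i * w))


def reachable(l, u):
    """Breadth-first fixpoint over packed configurations, starting from all zeros."""
    n, w = len(l), width(u)
    seen = {pack((0,) * n, w)}
    frontier = list(seen)
    while frontier:
        nxt = []
        for v in frontier:
            successors = [tick(v, n, w, u)] + [fire(v, i, n, w, l) for i in range(n)]
            for s in successors:
                if s is not None and s not in seen:
                    seen.add(s)
                    nxt.append(s)
        frontier = nxt
    return {unpack(v, n, w) for v in seen}


def is_whole_clock_space(reach, u):
    """True when every configuration in [0,u_1] x ... x [0,u_n] was reached."""
    return reach == set(product(*[range(ui + 1) for ui in u]))


if __name__ == "__main__":
    # Constructed sample bounds for n = 2 clocks.
    reach = reachable((1, 2), (2, 3))
    print(len(reach), "configurations;", "whole space" if is_whole_clock_space(reach, (2, 3)) else "proper subset")
```

With these bounds the exploration visits all 12 configurations of {0, 1, 2} × {0, 1, 2, 3}; a dbm-based exploration of the same automaton accumulates that result as an ever-growing union of zones, while the bit-vector set (and the bdd it stands for) has a single canonical form.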
For dense time models, two discretization schemes have been proposed in [GPV94]. They are based on taking a rational constant, depending on the number of clocks, such that by cutting space and time into a grid of that size one obtains a discrete-time automaton which is equivalent (for all interesting purposes) to the given dense-time automaton. These two schemes require the constant to be 1/(n + 1) and 1/(2n) respectively, and involve some distortion of the passage of time or of the reset operator in order to preserve the properties of the original dense-time system (a more detailed description appears in [GPV94] and [ABK+97]). We have observed, however, that the special class of automata obtained from circuits ([MP95]), where all the clock conditions are of the form C ≥ l or C < u, admits a slightly simpler and coarser region graph (see also [HMP92]). For these automata, a discretization with a constant of 1/n, where the passage of time is simply the addition of this constant to all the clocks, is sufficient.
Consequently, although all the reported experiments have been performed with respect to the discrete time interpretation, they can be viewed as if we had used a dense time interpretation with all the constants divided by n. Approximations are used anyway in order to tackle the complexity of timing analysis ([AIKY95], [H93], [WD94], [B96]), and we believe that playing with the granularity of time might prove to be an alternative approximation strategy.
Note that the ndd-based method is different from calculating the region graph of the timed automaton and then trying to encode its transition relation using some choice of boolean state variables (see also [AK96], [CC95]). We build a uniform discretized state-space which happens to contain one or more concrete representatives of every region, and on which the passage of time is calculated by adding a time unit to every clock variable simultaneously.
We have implemented ndd-based verification algorithms for timed automata by using a system developed at Verimag for representing and manipulating communicating automata augmented with bounded integer variables [BFK96]. This system takes such automata and translates them into bdds using one of several publicly-available bdd packages. We have used the CUDD package [S95] of Colorado University. The experimental results are reported in the following sections.
Asynchronous Boolean Circuits
With the ndd representation we were able to calculate within 12 hours all reachable states of the automaton A (Figure 1-a) with 18 clocks and transitions, while a dbm-based implementation could not treat more than 5 clocks. The relative weakness of dbm in this apparently-trivial example is due to the fact that the set of reachable configurations of this automaton finally converges to the whole clock space, by accumulating more and more zones. We were able to treat products of up to 9 B automata (Figure 1-b). The results are illustrated in

A more complicated example is the family of circuits depicted in Figure 5.
For every i ∈ {0, ..., n − 1} we let the XOR of x_i and x_{i−1} pass through a non-deterministic inertial delay buffer (the exact definitions and the translation procedure from circuits to timed automata are described in [MP95]). Every such gate is modeled by the four-state timed automaton appearing in Figure 6. The states are encoded using two Boolean variables v_i and v_i', the former denoting the value observed at the exit of the delay element while the latter represents the "hidden" value of the XOR. When both variables are equal we say that the state is stable, and that it is excited otherwise.
Unless otherwise stated, all the results reported here were obtained using a SUN Ultra-Sparc 1 with 256MB of memory.

When n such automata are composed together we obtain a timed automaton C with 4^n discrete states and n clocks, which we let range in {0, ..., 7}. Note that the feed-back loops make this class of automata rather hard to analyze, as all the variables depend on each other. We have managed to calculate all the states reachable from the unstable state (1, 1, ..., 1) for a cascade of up to 10 components in less than 2 hours. These results outperformed those of the dbm implementation, which could handle only up to 6 gates, using the clock minimization techniques described in [DY96]. Note that in both implementations it was easier to treat the more logically-involved XOR network C than the n "independent" inputs of B. This can be explained by the fact that in timed systems, independence of components is an illusion, as there is a common shared variable, Time, observed and manipulated by all the components. This explains why the bdd results were more modest than initially expected. Nevertheless, the ability to analyze such a non-trivial circuit is remarkable, and we could verify that under certain l and u parameters the stable state (0, 0, ..., 0) is never reached.
Concerning variable ordering, we have found it most efficient to arrange the variables by component, such that every discrete variable is followed by the bits of its associated clock with the most significant bit first.
MOS Circuits
The next example, motivated by problems related to noise and power consumption, illustrates some pragmatic trade-offs between accuracy and efficiency, as well as the effect of other simplifying assumptions on verification performance.
Consider a 4-AND gate implemented by the MOS circuit of Figure 7. We assume that the system is governed by a clock with a period u_X and that the inputs are static, or more precisely: each of the inputs can change its value at most once in the sub-interval [0, l_X) and remains constant in the sub-interval [l_X, u_X). Concerning the transistors, we assume that they change their states t pico-seconds after the change of their inputs, where t ∈ [l_P, u_P) for the P-MOS elements (A, B, I and J) and t ∈ [l_N, u_N) for the N-MOS elements (C, D, L and K).
A 4-state timed automaton, similar to the one of Figure 6, can be constructed to model every such transistor.
Although such a circuit is supposed to work in a synchronous environment, some practical problems motivate us to look at what happens on a smaller time scale. A particular question one might want to ask is: "what is the maximal (over all legal input patterns) number of transitions that may take place simultaneously?" By a transition we mean the opening or closing of a transistor, which is the main energy consumer. When too many transitions occur simultaneously, it might create noise affecting the behavior of the chip.
While this question might be answered manually for a small circuit, it is not at all clear how to do it for an 8-AND made of 28 transistors, not to mention a 16-AND with 60 transistors, where the internal elements can "change their mind" several times within a clock cycle. It should be emphasized that, unlike commonly-used SPICE simulations, where the simulation is done once for each input pattern, here the results of the calculations cover all possible legal input patterns and all delay uncertainties.
We have transformed the 4-AND circuit into 16 timed automata: 12 for the transistors and 4 for the inputs (the latter share the same clock, in the range 0 to u_X), and attempted to calculate the set of reachable clock configurations.
We have kept (l_N, u_N) = (8, 16) throughout the experiments. By taking (l_P, u_P) = (10, 20) and dividing all the constants by gcd{10, 20, 8, 16} = 2 we had to code all the transistor clocks using 4 bits. Changing l_P from 10 to 8, the gcd becomes 4 and we could use only 3 bits for the clocks. Another factor which influenced performance was the partition of the central clock period into active and non-active phases. Not surprisingly, the results were much better for (l_X, u_X) = (20, 60) than for (l_X, u_X) = (40, 60).
We have constructed an auxiliary automaton for counting the number of transitions taking place at the same time, and could test whether there is an input pattern generating more than a given number of simultaneous transitions. For example, concerning the 4-AND circuit, under the parameters (l_P, u_P) = (8, 20) and (l_X, u_X) = (40, 56) we asked whether 9 simultaneous transitions are possible starting from the initial stable state where all the inputs are 0. The system gave (in 1:15 hours) a positive answer and provided the following witness sequence:
where each pair of the form (S, t) indicates the occurrence of the event (or set of events) S after t pico-seconds since the beginning. The results of the experiments with 3-AND, 4-AND and 5-AND circuits are given in Table 4.

The results for the 5-AND circuit (17 clocks!) were obtained on a 200MHz PentiumPro with 512MB of memory.

Table 4 (caption): the time it takes to answer whether there exists a sequence of n simultaneous transitions; a positive answer is marked in the table and MO denotes memory overflow.

We have also detected the possibility of short-cuts (a wire connected to both 0 and 1), as we did in [MY96] for a simpler example of a MOS circuit using the dbm version of kronos. While some of the assumptions we made in the modeling of transistors deviate from the physical reality (for example, we have adopted a "lazy evaluation" approach concerning transistors whose input becomes "floating", that is, they maintain their previous status), we believe that the approach presented here can be integrated into the design methodology of MOS circuits. Once a suspicious input pattern has been detected by a tool like ours, a full-fledged SPICE simulation, focused around that pattern, can be invoked in order to determine whether or not the alarm is false.
Additional Examples
Other experimental results will be reported elsewhere due to lack of space. They include Fischer's mutual exclusion protocol, which has become a traditional benchmark for timed automata verification tools ([DOY94], [WD94], [LPY95], [B96]). We managed to calculate the reachable states for 14 such processes. We have also verified (in a few minutes) the manufacturing example due to A. Puri, described in [DY95], where timed automata are used as an abstraction of hybrid systems.
Conclusions
We have suggested, implemented and tested an alternative method for the efficient verification of timed automata. The essence of this method is a canonical representation of discretized sets of clock configurations using bdds. This method can take advantage of the symbolic representation of the untimed state-space. We were able to treat some examples that could not be treated by state-of-the-art dbm-based tools. Looking more closely at the "bit-structure" of the clock-space allows us to make an informed choice concerning the trade-off between model accuracy and computational hardness, as was demonstrated in the CMOS case study. Notwithstanding these achievements, this is still not the breakthrough in timed verification. The main reason, as mentioned in this paper, is the hidden dependency between "syntactically-independent" components, which makes the bdds of the clock part of a system rather big.
