The Saga of Synchronous Bus Arbiter: On Model Checking Quantitative Timing Properties of Synchronous Programs  by Pandya, Paritosh K.
URL: http://www.elsevier.nl/locate/entcs/volume65.html 15 pages
The Saga of Synchronous Bus Arbiter: On
Model Checking Quantitative Timing
Properties of Synchronous Programs
Paritosh K. Pandya 1,2
School of Technology and Computer Science
Tata Institute of Fundamental Research
Homi Bhabha Road, Colaba,
Mumbai 400005, India
Abstract
Quantified Discrete-time Duration Calculus, (QDDC), is a form of interval temporal
logic [14]. It is well suited to specify quantitative timing properties of synchronous
systems. An automata theoretic decision procedure for QDDC allows converting a
QDDC formula into a finite state automaton recognising precisely the models of
the formula. The automaton can be used as a synchronous observer for model
checking the property of a synchronous program. This theory has been implemented
into a tool called DCVALID which permits model checking QDDC properties of
synchronous programs written in Esterel, Verilog and SMV notations.
In this paper, we consider two well-known synchronous bus arbiter circuits
(programs) from the literature. We specify some complex quantitative properties of
these arbiters, including their response time and loss time, using QDDC. We show
how the tool DCVALID can be used to effectively model check these properties
(with some surprising results).
1 Introduction
For synchronous programs, execution time is measured in terms of clock ticks,
i.e. the notion of time is discrete. For many such programs, it is important
to analyse quantitative timing properties such as response time and latency.
Unfortunately, such analysis has not received adequate attention from the
program verification community.
1 Partially supported by the UNU/IIST offshore project Semantics and verification of real-time
programs using Duration Calculus: Theory and Practice
2 Email: pandya@tifr.res.in
© 2002 Published by Elsevier Science B. V.
110
Open access under CC BY-NC-ND license.
Pandya
Quantified Discrete-time Duration Calculus, (QDDC), is a logic well suited
to specifying such quantitative timing properties. QDDC is a form of interval
temporal logic with primitives which count the number of occurrences of a
signal in a given behaviour fragment. It is a highly expressive logic which
can succinctly specify many complex properties. Thus, QDDC addresses a
qualitatively different class of properties of synchronous programs from those
considered earlier [4,18,3,11].
In order to illustrate this, in this paper, we consider two well-known synchronous
bus arbiter circuits (programs). Using QDDC, we specify some
complex quantitative properties of these arbiters, including their response time
and loss time.
In spite of its high expressive power, QDDC formulae can be model checked.
An automata theoretic decision procedure allows converting a QDDC formula
into a finite state automaton recognising precisely the models of the formula
[14]. The automaton can be used as a synchronous observer for model checking
the property of a synchronous program [8,15]. We have implemented this
theory into a tool called DCVALID which permits model checking QDDC
properties of synchronous programs written in Esterel, Verilog and SMV
notations [13,16].
In the paper, we show how the tool DCVALID can be used to effectively
model check the timing properties of the arbiter circuits, with some surprising
results. It is our claim that these properties are quite difficult to analyse by hand
and a system designer’s intuition about them can be misleading. Hence, the
availability of tools is crucial for the verification of such properties.
The rest of the paper is organised as follows. Some synchronous bus arbiter
circuits are introduced in Section 1.1. A brief overview of the logic QDDC is given
in Section 2. The automata theoretic approach to its model checking is also
briefly outlined. Properties of the arbiters are formalised in Section 3. The
analysis of these properties, carried out by our tool DCVALID, is presented
in Section 4. The paper ends with a brief summary.
1.1 Synchronous Bus Arbiter
Example 1.1 A synchronous bus arbiter with n cells has request lines req1,
. . ., reqi, . . ., reqn and acknowledgement lines ack1, . . ., acki, . . ., ackn. At any
clock cycle a subset of the request lines are high. It is the task of the arbiter to
set at most one of the corresponding acknowledgement lines high. Preferably,
the arbiter should be fair to all requests. MacMillan [11] proposed the circuit
of Figure 1 for the bus arbiter (footnote 3). He also analysed its basic properties such as
the mutual exclusion of ack signals using the pioneering SMV verifier. This
circuit also can be encoded as an Esterel module. We present two variants
of MacMillan’s arbiter in Figure 4. (The changes from the original arbiter
are highlighted by dotted lines.) The first variant MacarbV1 arose due to a
mistaken translation of the original arbiter code into Verilog and the second
variant MacarbV2 is due to Rahul Jain. A different arbiter circuit, shown in
Figure 2, was proposed by de Simone [5] who also gave an Esterel model of
this circuit. All these arbiters have the property that at most one ack signal
can occur at a time. Existing model checkers such as Xeve [5], VIS [3] or SMV
[11] can easily verify this invariance property. ✷
3 The circuit elements are standard. The square box denotes a D-latch which delays the
signal by one clock cycle.
[Fig. 1. MacMillan’s Arbiter: Macarb (figure not reproduced): cell circuit with signals
Request, Ackout, GrantIn, GrantOut, TokenIn, TokenOut, OverrideIn, OverrideOut, and
the cell interconnection of cells E1, E2, ..., En.]
Example 1.2 We consider some complex properties of these arbiters which
have not been investigated before. Many of these refer to quantitative timing
aspects. Each of these properties must be analysed for a given arbiter circuit
of n cells for a given constant n.
[Fig. 2. de Simone’s Arbiter: Simarb (figure not reproduced): cell circuit with signals
Request, Ackout, GrantIn, GrantOut, TokenIn, TokenOut, and the cell interconnection
of cells E1, E2, ..., En.]
(i) Response time for cell i: Is the worst case response time of cell i of the
arbiter within m cycles? In other words, given a constant m is it the case
that during any behaviour and in any time interval spanning m cycles
if reqi is continuously high, there must be acki? Find the least such
constant m.
(ii) 3-cycle response time for cell i: Is the worst case response time for getting
3 acki signals within k cycles? Find the least such constant k.
(iii) A cycle is lost if at least one of the cells has its req high but all the cells
have ack low. Can the arbiter lose no more than l consecutive cycles?
Find the least such l.
(iv) Fifo(i,j) property: If the req for cell i comes before that of cell j (and
persists) will the ack for cell i definitely occur before that of cell j? In this
case we say that Fifo(i,j) holds. Determine all pairs (i, j) with the Fifo(i,j)
property for a given arbiter circuit. ✷
We urge the reader to try to intuitively answer the above questions for the
four synchronous arbiter circuits presented in Example 1.1.
2 Quantified Discrete-time Duration Calculus
Quantified Discrete-time Duration Calculus, (QDDC), is an interval temporal
logic for specifying properties of finite sequences of states (valuations). We
give a brief overview of this logic.
Let Pvar be a finite set of propositional variables representing some observable
aspects of system state. Let VAL(Pvar) =def Pvar → {0, 1} be
the set of valuations assigning a truth-value to each variable. We shall identify
behaviours with finite, nonempty sequences of valuations, i.e. VAL(Pvar)+.
Example 2.1 The following picture gives a behaviour over variables {p, q}.
Each column vector gives a valuation, and the word is a sequence of such
column vectors.
p 1 0 1 1 0
q 0 0 0 0 1
The above word satisfies the property that p holds initially and q holds at the
end but nowhere before that. QDDC is a logic for formalising such properties.
Each formula specifies a set of such words. ✷
Given a non-empty finite sequence of valuations σ ∈ VAL+, we denote the
satisfaction of a QDDC formula D over σ by
σ |= D
We now give the syntax and semantics of QDDC and define the above
satisfaction relation.
Syntax of QDDC Formulae
Let Pvar be the set of propositional variables. Let p, q range over propositional
variables, P, Q over propositions (boolean combinations of p, q) and
D, D1, D2 over QDDC formulae. Let c range over natural number constants.
The syntax of QDDC is as follows.
<P> | [P] | [[P]] | D1^D2 | D1 && D2 | !D |
ex p. D | slen op c | scount P op c
where
op is in { <=, <, =, >, >= }
Let σ ∈ VAL(Pvar)+ be a behaviour. Let #σ denote the length of σ
and σ[i] the i’th element. For example, if σ = 〈v0, v1, v2〉 then #σ = 3 and
σ[1] = v1. Let dom(σ) = {0, 1, . . . , #σ − 1} denote the set of positions within
σ.
Let σ, i |= P denote that proposition P evaluates to true at position i in
σ. We omit this obvious definition.
The set of intervals in σ is Intv(σ) = {[b, e] ∈ dom(σ)² | b ≤ e} where
each interval [b, e] identifies a subsequence of σ between positions b and e.
We inductively define the satisfaction of a QDDC formula D for behaviour
σ and interval [b, e] ∈ Intv(σ) as follows. This is denoted by σ, [b, e] |= D.
σ, [b, e] |= <P> iff b = e and σ, b |= P
σ, [b, e] |= [[P]] iff σ, i |= P for all i : b ≤ i ≤ e
σ, [b, e] |= [P] iff b < e and σ, i |= P for all i : b ≤ i < e
σ, [b, e] |= !D iff σ, [b, e] ⊭ D (i.e. not σ, [b, e] |= D)
σ, [b, e] |= D1 && D2 iff σ, [b, e] |= D1 and σ, [b, e] |= D2
σ, [b, e] |= D1 ^ D2 iff for some m : b ≤ m ≤ e :
σ, [b, m] |= D1 and σ, [m, e] |= D2
Entities slen and scount P are called measurements. Term slen denotes
the length (in number of steps) of the interval whereas scount P denotes the
count of the number of times P is true within the interval [b, e]. Formally,
eval(slen, σ, [b, e]) =def e − b
eval(scount P, σ, [b, e]) =def Σ_{i=b}^{e} (1 if σ, i |= P; 0 otherwise)
Let t range over measurements. Then,
σ, [b, e] |= t op c iff eval(t, σ, [b, e]) op c
Note that slen=3 holds for a state sequence with 3 steps, i.e. 4 states. Also
scount P = 3 holds for a sequence where P is true 3 times.
Call a behaviour σ′ a p-variant of σ provided #σ = #σ′ and for all
i ∈ dom(σ) and for all q ≠ p, we have σ(i)(q) = σ′(i)(q). Then,
σ, [b, e] |= ex p. D iff σ′, [b, e] |= D for some p-variant σ′ of σ
Finally, σ |= D iff σ, [0, #σ − 1] |= D.
We can also define some derived constructs. Boolean combinators ||, =>, <=>
denoting or, implies and equivalence can be defined using &&, ! as usual.
• <>D =def true^D^true holds provided D holds for some subinterval.
• []D =def !<>!D holds provided D holds for all subintervals.
Example 2.2 We give some examples of QDDC formulae.
• The property of Example 2.1 can be formulated in QDDC as follows. It
specifies behaviours where P holds initially and Q holds at the end but
nowhere before that.
<P>^[!Q]^<Q>
• The following formula holds for a behaviour σ provided for all fragments σ′
of σ which have (a) P true in the beginning, (b) Q true at the end, and (c)
no occurrences of Q in between, the number of occurrences of states in σ′
where R is true is at most 3.
[] (<P>^[!Q]^<Q> => (scount R <= 3)) ✷
QDDC can specify safety and bounded-liveness properties of systems. Since
it only specifies finite sequences of states, it cannot deal with general liveness
properties. There are many extensions addressing this problem [15].
2.1 Model Checking QDDC
An execution α of a synchronous program P is a finite or infinite sequence of
valuations (states). A QDDC formula D holds (is valid) for an execution α if
all finite prefixes of α satisfy D. Finally, the formula is valid for program P if
D is valid for all executions of P. Let α[i] denote the ith element of sequence
α and let α[i : j] denote the subsequence between positions i to j (inclusive).
Definition 2.3 [Prefix Validity] Let α |= D iff α[0 : e] |= D for all e ∈
dom(α). Let P |= D iff α |= D for all executions α of P.
The model checking problem is to determine by an algorithm whether P |=
D. We outline an automata theoretic approach to model checking QDDC
below.
The following theorem characterises the sets of models of a QDDC formula.
Let pvar(D) be the finite set of propositional variables occurring within a
QDDC formula D. Let VAL(Pvar) = Pvar → {0, 1} be the set of valuations
over Pvar.
Theorem 2.4 For every QDDC formula D, we can effectively construct a
finite state automaton A(D) over the alphabet VAL(pvar(D)) such that for
all σ ∈ VAL(pvar(D))*,
σ |= D iff σ ∈ L(A(D))
We refer the reader to [14] for a proof of this theorem. This construction
has been implemented into a tool called DCVALID [13,14].
Example 2.5 The first property of Example 2.2 can be stated in QDDC as
the formula <P>^[!Q]^<Q>. The automaton corresponding to this formula is
given below. Each edge is labelled with a column vector giving the truth values
of variables P, Q as in Example 2.1. Also, the letter X is used to denote either 0
or 1. Note that the automaton is minimal, deterministic and total.
[Automaton for <P>^[!Q]^<Q> (figure not reproduced): states labelled 0 to 4, each edge
labelled with a column vector of truth values for P, Q; X stands for either 0 or 1.]
From this automaton, we can see that a model and a counter model of least
length for the formula are as follows. (Empty words are not considered models
in QDDC.)
    model          counter-model
    P  1 X         P  1
    Q  0 1         Q  0
Given a QDDC formula D, we can use the automaton A(!D), obtained as
in Theorem 2.4, as a synchronous observer for determining the violation of D
during an execution. The basic idea is that the system M and the observer
A(!D) are executed in synchronous parallel (lock-step) mode. This means we
consider the execution of the transformed system
M′ =def M ‖ A(!D)
The observer is a total, deterministic automaton. It does not affect or constrain
the activity of M in any way. At any point in an execution of M′, the
observer will have observed the state sequence arising in the M component.
If this state sequence satisfies !D then the observer will be in its final state,
otherwise the observer will be in its non-final state. Thus, M violates D if and
only if there is some execution of M′ during which the observer for !D enters
its final state. (See Halbwachs et al [8] for details of the observer approach to
verification.)
Theorem 2.6 M |= D iff
a final state of A(!D) cannot be reached in (M ‖ A(!D))
We omit the proof of this theorem which can be found elsewhere [15].
If M is a finite state system then so is (M ‖ A(!D)). For such systems, the
reachability of final states can be analysed by symbolic breadth-first search
[11]. There are now many mature model checking tools which can perform
this search quite efficiently. For example, if M and A(!D) are given as Esterel
modules, the Esterel verification tool Xeve [5] can perform this search.
Similarly, if they are given as SMV modules then the SMV tool [11] can perform
the search and if they are given as Verilog modules the VIS tool [3]
can perform the search. Note that the modelling languages of all these tools
support synchronous parallel composition permitting the observer to be run
synchronously with the system. Exploiting these search procedures, we have
constructed a model checking tool for checking QDDC properties of Esterel,
SMV and Verilog designs.
2.2 Tool DCVALID
The reduction from formulae of QDDC to finite state automata, as outlined
in Theorem 2.4, has been implemented into a tool called DCVALID [13,14].
The tool generates a total, deterministic and minimal automaton for a formula
and it can also check the validity of the formula by searching for rejecting
paths in the automaton. The automaton in Example 2.5 was automatically
generated from the formula by the tool DCVALID.
An associated tool, called CTLDC, translates the automaton into an Esterel,
SMV or Verilog module to give a synchronous observer for the property. It also
connects the module to run synchronously with a given system module. The
resulting program can be analysed for reachability of accepting/rejecting states
using existing tools such as Xeve [5], SMV [11] and VIS [3]. This determines
whether a QDDC property is valid for the given system module as stated in
Theorem 2.6. Thus, DCVALID can determine whether M |= D where M is a
(pure) Esterel, SMV or Verilog program and D is a QDDC formula. If the
verification fails the tool generates a counter-example.
The details of the logic QDDC, the architecture of the tool DCVALID and some
performance statistics are described elsewhere [14,16] and omitted here for
brevity. Basically, DCVALID is built on top of MONA [7]. MONA is an
efficient and sophisticated implementation of the automata-theoretic decision
procedure of Büchi and Elgot for monadic logic over finite words (MLSTR).
DCVALID works by translating a QDDC formula into a boolean combination
of MLSTR formulae. Each component is then translated into an automaton
by MONA. Although the worst-case complexity is non-elementary, the tool is
often able to handle reasonably large formulae [14].
3 Specification of Synchronous Bus Arbiter in QDDC
We now formalise in QDDC the four properties of a synchronous bus arbiter
which were given earlier in Example 1.2.
(i) Response Time for cell i: Is the worst case response time of cell i of an
arbiter less than or equal to m cycles? Formally, is the following formula
valid for a given arbiter circuit?
[] ( [[Reqi]] && (slen = m-1) => <><Acki> )
Find the minimum m which makes this formula valid for a given arbiter.
(ii) 3-cycle Response Time for cell i: Is the worst case response time for
obtaining 3 acki signals less than or equal to k cycles? Formally, is the
following formula valid for the arbiter?
[] ( [[Reqi]] && (slen = k-1) => (scount Acki >= 3))
Find the minimum k which makes this formula valid for a given arbiter.
(iii) Loss-time: Can the arbiter lose no more than l consecutive cycles? Formally,
is the following formula valid for the arbiter?
[] ([[lostcycle]] => slen <= l-1 )
Find the minimum l which makes the formula valid for a given arbiter.
(iv) FIFO(i,j) property: Find (i,j) pairs such that the following formula is valid
for the given arbiter. This formula states that if the request for cell i arrives
before that of cell j and it persists, then the acknowledgement for cell j
must not occur before that of cell i.
[]( (<!reqj>^[[reqi && !acki]]) => !<><ackj>)
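As an added illustration (not code from the paper and not DCVALID): a direct recursive evaluator for the QDDC semantics of Section 2, applied to the formulas of Examples 2.1 and 2.2 and to Property (i) above. It checks single behaviours rather than all executions of a circuit, enumerates p-variants for ex by brute force, and the behaviours it runs on are constructed here; word, sat, holds, prefix_valid and least_response_bound are names chosen for this example.

```python
import operator
from itertools import product

# Comparison operators allowed after a measurement (slen, scount).
OPS = {"<=": operator.le, "<": operator.lt, "=": operator.eq,
       ">": operator.gt, ">=": operator.ge}

# Constructors mirroring the QDDC syntax of Section 2. A behaviour is a list of
# valuations (dict var -> 0/1); a proposition P is a callable on one valuation.
def pt(P):            return ("pt", P)            # <P>   : point interval with P
def dall(P):          return ("all", P)           # [[P]] : P at every state
def pre(P):           return ("pre", P)           # [P]   : b < e, P at all but the last
def chop(D1, D2):     return ("chop", D1, D2)     # D1^D2
def AND(D1, D2):      return ("and", D1, D2)      # D1 && D2
def NOT(D):           return ("not", D)           # !D
def ex(p, D):         return ("ex", p, D)         # ex p. D
def slen(op, c):      return ("slen", op, c)      # slen op c
def scount(P, op, c): return ("scount", P, op, c) # scount P op c

# Derived constructs from Section 2.
TRUE = slen(">=", 0)
def implies(D1, D2): return NOT(AND(D1, NOT(D2)))
def diamond(D):      return chop(TRUE, chop(D, TRUE))   # <>D : some subinterval
def box(D):          return NOT(diamond(NOT(D)))         # []D : all subintervals

def sat(sigma, b, e, D):
    """sigma, [b, e] |= D, following the inductive definition of Section 2."""
    k = D[0]
    if k == "pt":
        return b == e and bool(D[1](sigma[b]))
    if k == "all":
        return all(D[1](sigma[i]) for i in range(b, e + 1))
    if k == "pre":
        return b < e and all(D[1](sigma[i]) for i in range(b, e))
    if k == "not":
        return not sat(sigma, b, e, D[1])
    if k == "and":
        return sat(sigma, b, e, D[1]) and sat(sigma, b, e, D[2])
    if k == "chop":  # the chop point m may coincide with b or with e
        return any(sat(sigma, b, m, D[1]) and sat(sigma, m, e, D[2])
                   for m in range(b, e + 1))
    if k == "slen":
        return OPS[D[1]](e - b, D[2])
    if k == "scount":
        return OPS[D[2]](sum(1 for i in range(b, e + 1) if D[1](sigma[i])), D[3])
    if k == "ex":    # brute force over all p-variants (same length, other vars fixed)
        p, body = D[1], D[2]
        return any(sat([dict(v, **{p: bit}) for v, bit in zip(sigma, bits)], b, e, body)
                   for bits in product((0, 1), repeat=len(sigma)))
    raise ValueError("unknown QDDC construct: " + k)

def holds(sigma, D):
    """sigma |= D  iff  sigma, [0, #sigma - 1] |= D (sigma non-empty)."""
    return sat(sigma, 0, len(sigma) - 1, D)

def prefix_valid(alpha, D):
    """Definition 2.3: every finite prefix alpha[0 : e] satisfies D."""
    return all(holds(alpha[:e + 1], D) for e in range(len(alpha)))

def word(**rows):
    """Behaviour from rows of column vectors as in Example 2.1: word(p="10110", q="00001")."""
    n = len(next(iter(rows.values())))
    return [{v: int(bits[i]) for v, bits in rows.items()} for i in range(n)]

# Examples 2.1 and 2.2: P initially, Q at the end and nowhere before; at most 3 R's.
P, Q, R = (lambda v: v["p"]), (lambda v: v["q"]), (lambda v: v["r"])
P_THEN_Q = chop(pt(P), chop(pre(lambda v: not Q(v)), pt(Q)))
AT_MOST_3_R = box(implies(P_THEN_Q, scount(R, "<=", 3)))

def example_2_1():
    return holds(word(p="10110", q="00001"), P_THEN_Q)

def example_2_2(r_row):
    # r_row is a constructed third row; "11110" violates the bound, "10110" meets it
    return holds(word(p="10110", q="00001", r=r_row), AT_MOST_3_R)

# Property (i) of Section 3, checked by trying m = 1, 2, ... as Section 4 does,
# but on one constructed finite run rather than on all executions of a circuit.
def least_response_bound(alpha, max_m=20):
    req, ack = (lambda v: v["req"]), (lambda v: v["ack"])
    for m in range(1, max_m + 1):
        prop = box(implies(AND(dall(req), slen("=", m - 1)), diamond(pt(ack))))
        if prefix_valid(alpha, prop):
            return m
    return None  # no bound found up to max_m
```

On the constructed run with req always high and an ack every third cycle, least_response_bound(word(req="111111111", ack="001001001")) returns 3. A bound m longer than a finite run holds vacuously (no subinterval has slen = m-1), so the run must be long enough for the bound being tested.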
4 Model Checking of Arbiter Properties
A model checker for QDDC was described in Section 2.2. For a given n cell
arbiter with fixed constant n, the DCVALID tool (together with a reachability
analysis tool such as Xeve), can check whether a formula such as
[] ( [[Reqi]] && (slen = k-1) => (scount Acki >= 3))
is valid for the arbiter for a given value of constant k. In order to find the
minimum k making this formula valid, we must try different values of k.
The four properties of synchronous bus arbiters given in Section 3 were
checked for various 5-cell arbiter circuits. The properties were verified for
de Simone’s arbiter (Simarb), MacMillan’s arbiter (Macarb) as well as two
variants of MacMillan’s arbiter, respectively called MacarbV1 and MacarbV2.
The circuit diagrams of these arbiters have been given earlier in Example 1.1.
The verification experiments were carried out using the tools DCVALID
and Xeve/SMV and the properties were checked against both Esterel and
SMV code for the circuits. de Simone’s arbiter was coded only in Esterel as
it is not possible to code this circuit directly into notations such as Verilog or
SMV. This circuit contains a potential combinational cycle and a sophisticated
causality analysis [2] of Esterel is needed to handle it.
We present the results of model checking below. In each case the minimum
constant making the formula valid is given. This was found by trial and error.
(The reader may refer to Section 3 for the definitions of the verified properties.)
Property 1: Response time m for cell i
Simarb: m = 5 cycles for cells i = 1 to 5
Macarb: m = 5 cycles for cell i = 1
Macarb: m = 10 cycles for cells i = 2 to 5
MacarbV1: m = 5 cycles for cell i = 1
MacarbV1: m = 6 cycles for cells i = 2 to 5
MacarbV2: m = 5 cycles for cell i = 1
MacarbV2: m = 10 cycles for cells i = 2 to 5
[Fig. 3. Variants of MacMillan’s Arbiter: cell circuits of MacarbV1 and MacarbV2 (figure
not reproduced); signals TokenIn, TokenOut, Request, Ackout, GrantIn, GrantOut,
OverrideIn, OverrideOut.]
Property 2: 3-cycle Response time k for cell i
Simarb: k = 15 cycles for cells i = 1 to 5
Macarb: k = 15 cycles for cell i = 1
Macarb: k = 20 cycles for cells i = 2 to 5
MacarbV1: k = 15 cycles for cell i = 1
MacarbV1: k = 16 cycles for cells i = 2 to 5
MacarbV2: k = 15 cycles for cell i = 1
MacarbV2: k = 20 cycles for cells i = 2 to 5
Property 3: Maximum Number l of Consecutive Lost Cycles
Simarb: l = 0, i.e. no lost cycles.
Macarb: l = 5, i.e. at most 5-cycles lost in a row.
MacarbV2: l = 0, i.e. no lost cycles.
In the case of MacarbV1, for all large values of l tried, the property fails or the
checker runs out of time/memory. Thus, no upper bound on l could be found.
Property 4: Fifo(i,j) Pairs
We list exactly those (i,j) pairs for which Fifo(i,j) property holds.
Simarb: (1,2), (2,3), (3,4), (4,5), (5,1)
Macarb: (1,2), (1,3), (1,4), (1,5), (2,3), (3,4), (4,5)
MacarbV1: (1,2), (1,3), (2,3), (3,4), (4,5)
MacarbV2: (1,2), (1,3), (1,4), (1,5), (2,3), (3,4), (4,5)
A significant aspect of this model checking is that if the verification
concludes that the property is not valid then a counter example scenario is
generated. For example, if Property 3 is checked for MacMillan’s 5-cell arbiter
with value of l = 4, the tool reports that the property is not valid and gives an
execution of the arbiter which violates the property. Such a counter example,
generated using DCVALID and Xeve, is given below. If we simulate the arbiter
on this input we find that in fact more than 4 cycles are lost consecutively.
req1 ;
req1 req2 ;
req1 req2 req3 ;
req1 req2 req3 req4 ;
req1 req2 req3 req4 req5 ;
req2 req3 req4 req5 ;
req3 req4 req5 ;
req4 req5 ;
req5 ;
req4 ;
Performance
QDDC is a highly expressive logic which can succinctly specify complex
properties. In the worst case, the complexity of the automaton A(D) can be
non-elementary in the size of D, although this is rarely observed in practice.
(See [14] for some statistics.) Here, we give raw performance figures for the
verification of Property 3 for MacMillan’s arbiter, Macarb. For an n-cell arbiter
the property was verified with m = 2n for the cell i = 3. The tests
were carried out on a 1.4GHz Pentium 4 processor machine with 512 Mbytes
of RAM running the Linux 2.4.16 kernel. Esterel V5.92 and SMV Version 2.5.4.3
were used in the tests. All the time values are in seconds.
Cells |           SMV             |                  Esterel
  n   | Observer   | Verification | Observer   | Compilation | Verification
      | Generation |              | Generation |             | (checkblif)
  5   |   0.06     |    0.01      |   0.06     |    0.15     |    1.27
 10   |   0.13     |    0.07      |   0.07     |    0.28     |   35.21
100   |   1.06     |    3.51      |   1.06     |    3.09     |     **
200   |   4.67     |  140         |    –       |     –       |     –
** Esterel verification for the 100-cell arbiter was aborted after 8 hours due to
memory overrun.
5 Summary
QDDC is a highly expressive logic which allows complex properties of
synchronous programs to be conveniently specified. It is especially suited to
specification of quantitative timing properties such as the response time. Moreover,
QDDC is supported by a model checking tool DCVALID which can effectively
analyse these properties. QDDC is a discrete-time version of the dense time
logic Duration Calculus [19,9]. The logic is expressive enough to allow us to
write a compositional semantics of a synchronous language like pure Esterel
in it [17].
We have shown that circuits/synchronous programs such as the synchronous
bus arbiters of Example 1.1 embody a fair degree of complexity in their
behaviour. The surprising values of the response and the loss times for
MacMillan’s Arbiter and its two variants should convince the reader that these
properties are quite hard to analyse by hand. Similarly, the values of (i,j) satisfying
the Fifo(i,j) property for various arbiters are also strange. Hence, logics and
model checkers for timing properties of synchronous programs deserve serious
investigation. Logic QDDC and tool DCVALID allow such analysis to be
performed.
QDDC is a discrete-time interval temporal logic for specifying timing prop-
erties of synchronous programs. Other such logics include the RTCTL [6] of
Emerson et al and the Synchronous Regular Timing Diagrams [1] of Amla et
al. A tool set called TEMPEST has been developed by Jagadeesan et al for
verifying safety and some response properties of Esterel programs [10].
It should be noted that all the timing properties verified in this paper
have the form that M |= D(l) holds for a given constant (natural number) l.
For example, Property 3 states that no more than l consecutive cycles can be
lost. The real question is to find the least value of l for which the property
holds. Methods presented in this paper allow such least/greatest values to be
found only by trying out different values of l. This can be cumbersome and
sometimes impossible. For example, in verifying Property 3 for the arbiter
MacarbV1, we found that the property does not hold for any possible value
of constant l tried. However, it is possible that the property does hold for
some very large untried value of l. Recently, we have extended our tool DCVALID
with methods which can “compute” the least/greatest values of these
constants. Using these methods we have determined that Property 3, in fact,
does not hold for any value of constant l and the arbiter MacarbV1 can lose
unboundedly many consecutive cycles. A separate paper, in preparation, will
present these techniques and results.
References
[1] Amla, N., E. Allen Emerson, R.P. Kurshan and Kedar S. Namjoshi, Model
checking synchronous timing diagrams, in Proc. FMCAD, LNCS 1954, Springer-
Verlag, 2000.
[2] Berry, G., The constructive semantics of Esterel, 1999.
[3] Brayton, R.K., G.D. Hachtel et al, VIS: A system for verification and synthesis,
in Proc. Computer Aided Verification, CAV’96, Lecture Notes in Computer
Science 1102, Springer-Verlag, 1996.
[4] Bouali, A., J.P. Marmorat, R. de Simone and H. Toma, Verifying Synchronous
Reactive Systems Programmed in Esterel, in Proc. of FTRTFT’96, LNCS,
Springer-Verlag, 1996.
[5] Bouali, A., XEVE: An Esterel Verification Environment, Proc. Computer Aided
Verification, CAV’98, Lecture Notes in Computer Science, Springer-Verlag,
1998.
[6] Emerson, E.A., A.K. Mok, A.P. Sistla and J. Srinivasan, Quantitative temporal
reasoning, In Proc. CAV’90, LNCS, Springer-Verlag, 1990.
[7] Henriksen, J.G., J. Jensen, M. Jorgensen, N. Klarlund, B. Paige, T. Rauhe, and
A. Sandholm, Mona: Monadic Second-Order Logic in Practice, in Tools and
Algorithms for the Construction and Analysis of Systems, First International
Workshop, TACAS ’95, LNCS 1019, 1996.
[8] Halbwachs, N., F. Lagnier and P. Raymond, Synchronous observers and
the verification of reactive systems, in Proc. Third Int. Conf. on Algebraic
Methodology and Software Technology, AMAST’93, Twente, Springer-Verlag,
1993.
[9] Hansen, M.R. and Zhou Chaochen, Duration Calculus: Logical Foundations,
Journal of Formal Aspects of Computing 9, 1997.
[10] Jagadeesan, L.J., C. Pouchol and J.E. Von Olnhausen, Safety property
verification of ESTEREL programs and applications to telecommunications
software. In Proc. CAV’95, LNCS 939, Springer-Verlag, 1995.
[11] McMillan, K., Symbolic Model Checking, Kluwer Academic Publisher, 1993.
[12] Moszkowski, B., A Temporal Logic for Multi-Level Reasoning about Hardware,
in IEEE Computer, 18(2), 1985.
[13] Pandya, P.K., DCVALID User Manual, Tata Institute of Fundamental
Research, Bombay, 1997. (Available in revised version at
http://www.tcs.tifr.res.in/~pandya/dcvalid.html).
[14] Pandya, P.K., Specifying and Deciding Quantified Discrete-time Duration
Calculus Formulae using DCVALID: An Automata Theoretic Approach, In
Proc. Workshop on Real-time Tools (RTTOOLS’2001), Aalborg, Denmark,
August 2001.
[15] Pandya, P.K., Model checking CTL*[DC], In Proc. TACAS 2001, Genova, Italy,
LNCS 2031, Springer-Verlag, 2001.
[16] Pandya, P.K., Model checking CTL[DC] specifications of SMV, Verilog
and Esterel Designs, Technical Report, TCS-00-PKP-3, Tata Institute of
Fundamental Research, September 2000.
[17] Pandya, P.K., Y.S. Ramakrishna and R.K. Shyamasundar. A Compositional
Semantics of Esterel in Duration Calculus. In Proc. Second AMAST workshop
on Real-time Systems: Models and Proofs, Bordeaux, June, 1995.
[18] Raymond, P., Recognizing Regular Expressions by means of Dataflow
Networks, In Proc. 23rd International Colloquium on Automata, Languages,
and Programming, (ICALP’96), LNCS 1099, Springer Verlag. Paderborn
(Germany), July 1996.
[19] Zhou Chaochen, C.A.R. Hoare and A.P. Ravn, A Calculus of Durations, Info.
Proc. Letters, 40(5), 1991.