This paper presents an efficient method for verifying hazard freedom in timed asynchronous circuits. Timed circuits are a class of asynchronous circuits that utilize explicit timing information for optimization throughout the entire design process. In asynchronous circuits, correct operation requires that there are no hazards in the circuit implementation. Therefore, when designing an asynchronous circuit, each internal node and output of the circuit must be verified for hazard-freedom to ensure correct operation. Current verification algorithms for timed asynchronous circuits require an explicit state exploration, often resulting in state explosion for even modest sized examples. The goal of this work is to abstract the behavior of internal nodes and utilize this information to make a conservative determination of hazard-freedom for each node in the circuit. Experimental results indicate that this approach is substantially more efficient than existing timing verification tools. These results also indicate that this method scales well for large examples. It is capable of analyzing circuits in less than a second that could not be previously analyzed. While this method is conservative in that some false hazards may be reported, our results indicate that the number of false hazards is small.
INTRODUCTION
Timed circuits are a class of asynchronous circuits that use explicit timing information in circuit synthesis. This timing information, however rough the estimates may be, can potentially reduce the amount of circuitry that would be needed from a design that adheres to speed-independent constraints. The estimates for the timing can be verified once the design is mapped to a library and actual timing values are known. This simplification can lead to significant gains in circuit performance over asynchronous circuits designed without timing assumptions. This was demonstrated in the Intel RAPPID project, in which an asynchronous instruction length decoder for an x86 processor was designed using timed circuits. It was found to be three times faster while using half the power of the comparable synchronous design [17].
While timed asynchronous circuits offer potential advantages over synchronous circuits such as faster operation and lower power, these advantages are often offset by the expense of the circuit overhead needed to eliminate hazards. Hazards are conditions generated by the structure of the circuit or timing relationships between inputs and propagation delays that can cause incorrect behavior.
Tomohiro Yoneda
National Institute of Informatics, Tokyo, Japan, yoneda@nii.ac.jp
As synthesized hazard-free logic equations are mapped to a given gate library, new internal nodes are introduced in the circuit netlist. Each new internal node as well as the outputs of the circuit must be verified for hazard-freedom to ensure correct operation of the mapped circuit. This verification must be extremely efficient to allow for many alternative designs to be considered during technology mapping. Current timing verification algorithms [13, 3, 14, 10, 9, 18] often suffer from state explosion problems because each node in the circuit netlist is treated as a new state variable, potentially doubling the number of states.
There are numerous methods for verifying hazard-freedom in gate-level speed-independent circuits [5, 6, 2, 8, 7, 15, 16]. In speed-independent circuits, no timing assumptions are made about gates or the environment except that wire delays are negligible. An efficient verification method for determinate speed-independent circuits is proposed in [2]. Determinate speed-independent circuits allow input choice (conditionals) but not output choice (arbitration). The work in [2] reduces state explosion by examining individual behavior at each internal node and approximating this behavior for each state in the specification. The hazard-freedom of the circuit is then verified by examining this cube approximation. When the number of internal signals is high as compared with the number of primary inputs and outputs (a feature common to many circuit design styles), this cube approximation technique has the potential to substantially reduce the complexity of verification, as demonstrated in the results shown in [2].
Abstraction of internal nodes to combat state explosion is also performed in [20, 19]. This work, however, is not directed at verification of hazard-freedom and requires the use of timed Petri nets for all design descriptions, including the gates to be analyzed. While it is potentially possible that this work could be used to verify hazard-freedom, it is not known how successful it would be. It may be interesting in the future to explore combining this approach with the one proposed in this paper. The goal of this paper is to extend the work in [2] to verify timed circuits. It is often the case that hazard conditions found in speed-independent circuits do not manifest as glitches in the real circuit implementation due to the actual timing behavior. The reason for this is that internal signals, once enabled, certainly do fire in some finite time. If the time evolution can be tracked in the state space, then it may be possible to identify the stability of internal signals. Using this timed cube approximation, a gate-level timed circuit can be rapidly analyzed for hazards. Experimental results show that this approach can be substantially faster than existing timing verifiers. Thus, the method presented in this paper has the potential to greatly increase the size of circuits that can be verified.
BACKGROUND TERMINOLOGY
The verifier described in this paper takes as inputs a time Petri net (TPN) defining the circuit and the behavior of the environment, and a netlist representing the circuit to be verified. The verification procedure also creates and uses a state graph to represent reachable timed states. This section describes each of these formally.
Time Petri nets
Our method uses TPNs [11] to model the possible input behaviors and the required output behaviors for timed circuits. Let W be a finite set of wires. The timed behavior of a circuit is modeled as sequences of rising and falling transitions on W. For any w ∈ W, w+ is a rising transition and w- is a falling transition on the wire w. In the following definitions, let Q+ and R+ denote the sets of non-negative rational and non-negative real numbers, respectively. A W-labeled one-safe TPN is a directed bipartite graph described by the tuple TPN = (W, T, P, F, M0, s0, l, u, L) where:
- W = I ∪ O is the set of wires, where I is the set of input wires and O is the set of output wires;
- T is the set of transitions;
- P is the set of places;
- M0 ⊆ P is the initial marking;
- s0 ⊆ W is the set of wires that are initially high.
An example TPN is shown in Figure 1.
Netlists
The goal of this work is to verify the correctness of a circuit implementation against a given TPN specification. The circuit to be verified is described using a netlist modeled by a directed graph NET = (V, E) where: on the gates could just as easily be shown on the wires. As shown later, the primary concern here is with the maximum delay path from primary inputs to outputs.
The verification method described in this paper requires that the primary outputs must cut the circuit. In other words, if all primary outputs are removed from the netlist, the netlist would become acyclic. Intuitively, this means there can be no internal cycles in the netlist. Since the goal of this work is to use this verifier as a hazard checker during technology mapping, and the technology mapper that has been developed satisfies this restriction, this seems acceptable. However, in the future, we are interested in generalizing this work to the case where there is internal feedback.
State graphs
In order to check correctness, a verification method typically uses a specification such as a TPN and a representation of the circuit implementation such as a netlist and finds all possible states, represented using a state graph (SG). This verification method then checks the SG (often on the fly as the SG is being generated) for various correctness properties.
A SG is a labeled directed graph whose nodes are states and edges are state transitions. Formally, a SG is modeled by the tuple SG = (S, T, δ) where:
- S is the set of states;
- z is a zone representing timing relationships.
Timing information is described using zones, which are typically represented using difference bound matrices (DBMs) [4]. These matrices represent time differences between recently fired transitions. Each entry z_ij in the matrix represents a timing relationship of the form τ_tj − τ_ti ≤ z_ij, where τ_ti is the time at which t_i fires. In other words, z_ij is the maximum amount of time by which t_j fires after t_i. An example zone for the point right after a+ fires is given below, which represents the relationship 2 ≤ τ_a+ − τ_c- ≤ 5. As described in [10], it is possible to derive a SG using a TPN to drive the inputs and check the outputs, and a netlist to drive the outputs. However, the key result of this paper is that our method never explicitly
VERIFICATION ALGORITHM
In [2, 1], the following theorem giving sufficient conditions for correctness of a speed-independent asynchronous circuit is presented (reworded to match the notation used in this paper). These conditions are also sufficient for correctness of timed circuits.
Let NET = (V, E) be a circuit implementing the behavior described by TPN = (W, T, P, F, M0, s0, l, u, L). The NET is a correct implementation of the TPN if (1) it is complex gate equivalent to the TPN, and (2) it satisfies the acknowledgment and monotonicity properties.
Our verification algorithm to check these correctness conditions is shown in Figure 3. This algorithm takes as input a TPN representing the possible input behavior and the required output behavior, and a netlist, NET, representing the circuit to be checked. It then determines if the circuit is correct. When the circuit is not correct, this algorithm reports the locations of the errors that it finds. This algorithm is described in detail in this section. There are nine states including 0000 and 1000, and ten state transitions including (0000, a+, 1000). One last thing to note is that during the state space exploration to derive this SG, our method checks that the given CGE circuit is equivalent to the desired one. For example, if the CGE circuit given had been the one in Figure 2(b), after a+ fires, the netlist could produce a d+ when one is not expected in the TPN. This complex gate equivalence failure would then be reported to the user.
Checking equivalence
The check-equivalence function forms a CGE netlist, uses this netlist and the given TPN to derive a SG, and checks if the CGE netlist provides outputs only at specified times.
The first step is to derive a CGE netlist in which there are no internal signals. In other words, it derives a netlist that has one gate per primary output signal. The Boolean function for this gate is specified only in terms of the primary inputs and outputs. The delay of this gate is set to the minimum and maximum delay from any input to the primary output. Although false paths through the logic may exist, our algorithm need not identify them at this point. Their inclusion results in a higher and thus more conservative maximum delay. At worst, this may result in a node being falsely determined to be hazardous.
In our example, the CGE representation for the netlists shown an error is reported to the user. Also, if an output is expected and the circuit does not provide one, an error is reported. In our example, if the function fd = AND(a, c) is used, after a+ and b+, a d+ would be expected, but the circuit would not produce it. This models a progress condition similar to completeness with respect to specification [6] and strong conformance [7]. When no errors are detected, check-equivalence returns a SG.
Finding stable states
After the check-equivalence step, our method has shown that the circuit is correct at a complex gate level. By hiding the internal signals before finding the state space, the state space is potentially reduced from O(2^|I| · 2^|O| · 2^|N|) to O(2^|I| · 2^|O|). n ∈ N and another predicate stable(s, s', n) for each state transition (s, t, s') ∈ δ. This stability information can then be used to determine if there are any hazards in the given netlist. The algorithm to find the stability information is shown in Figure 4. The algorithm next initializes the stability predicates to FALSE to initially indicate that it is not known whether the internal signals are stable or changing. The goal of the rest of the algorithm is to determine stability of the internal signals whenever possible. In the next subsection, a brief review of untimed stabilization is given, which comes from the work in [2]. In the following subsection, we discuss our new contribution, which is timed stabilization. The timed stabilization routine does not need to be iterated, so it is executed first. The untimed stabilization routine may require iteration since stabilizations on one node of the network can influence stabilizations on other nodes.
Untimed stabilization
The objective of stabilization is to show that at some points in the SG, the evaluations of some internal node n are certain to be stable. The algorithm to determine untimed stability is shown in Figure 5. An internal node is considered untimed stable if a change in evaluation on an internal node is acknowledged on a primary output. In other words, for a state transition (s, t, s'), if the transition t could only have occurred if the internal node n is stable at its Boolean evaluation, then it can be said that the transition t has acknowledged that the node n is stable.
To determine if an internal node n is acknowledged to be stable by a state transition (s, t, s'), it must first be determined if a path exists from n to the output transition under consideration. It must then be determined using the function must-prop if the value at n must propagate through any possible path to the output. This is done by ensuring that all functions in the path from n to the output have non-controlling values on the side inputs. Consider the example netlist in Figure 1(b) and the state transition (1100, d+, 1101).

  foreach n ∈ N
    foreach (s, t, s') ∈ δ
      if (exists-path(NET, n, L(t)) and must-prop(NET, s, n, L(t)) and (not stable(s, s', n))) then
        stable(s, s', n) = TRUE
        modified = TRUE
  return modified
Figure 5: Untimed stabilization algorithm.
There exists a path between node e and the output d. In state 1100, node e evaluates to 1. This value at e must propagate to the output because d cannot go high until e has gone high. More succinctly, output d switched from low to high as a direct consequence of node e going high and the side input c being at 0. Therefore, stable(1100, 1101, e) is set to TRUE.
Next, the distribute function is used to copy this stabilization forward in the state graph until a change in evaluation is encountered. In particular, stable(1100, 1101, e) implies the following stability conditions are TRUE: stable(1101, e), stable(1101, 1111, e), stable(1111, e), stable(1111, 1110, e), stable(1110, e), and stable(1110, 0110, e). This distribution of stability information halts when it reaches state 0110 since the Boolean evaluation of e in this state changes from 1 to 0.
The other transition in the SG that could possibly indicate an untimed stabilization for node e is the state transition (1111, d-, 1110). In this case, however, the input c is 1 (a controlling value), prohibiting the propagation of node e to the output d. Thus, no stabilization can be assumed for the falling transition of e. As explained later, this lack of stabilization on the falling transition of e indicates a hazard on node e.
A similar analysis done on the circuit in Figure 1(c) shows that the rising transition on node e is acknowledged by d+ and the falling transition is acknowledged by d- since b is high (a non-controlling value) when d goes low. As a result, this circuit can be shown to be hazard-free under the speed-independent model.
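The following Python is an added example, not the paper's or [2]'s code. It implements exists-path/must-prop, the Figure 5 loop and distribute, plus the acknowledgment check, over a constructed netlist (e = AND(a, b), d = AND(e, NOT c), chosen so that c = 0 lets e propagate and c = 1 blocks it) and a constructed SG cycle that reproduces the acknowledgment behaviour described above:

```python
"""Untimed stabilization: acknowledgment through non-controlling side inputs.

Added example, not the paper's code.  The netlist and state graph are
constructed here (the paper's Figure 1 is not reproduced): internal node
e = AND(a, b) and output d = AND(e, NOT c), so c = 0 lets e propagate to
d and c = 1 blocks it, as the text describes.  States are strings over
the primary wires a b c d.
"""
from typing import Dict, List, Set, Tuple

PRIMARY = "abcd"
# gate name -> (function, input wires); constructed netlist
NET: Dict[str, Tuple[str, List[str]]] = {
    "nc": ("NOT", ["c"]),
    "e": ("AND", ["a", "b"]),
    "d": ("AND", ["e", "nc"]),
}
# a side input at its controlling value blocks propagation through the gate
CONTROLLING = {"AND": 0, "NAND": 0, "OR": 1, "NOR": 1}
# constructed SG cycle: (state, transition, next state)
SG = [("0000", "a+", "1000"), ("1000", "b+", "1100"), ("1100", "d+", "1101"),
      ("1101", "c+", "1111"), ("1111", "d-", "1110"), ("1110", "a-", "0110"),
      ("0110", "b-", "0010"), ("0010", "c-", "0000")]
Edge = Tuple[str, str, str]


def value(state: str, wire: str) -> int:
    """Boolean evaluation of a wire in a state; gates are evaluated recursively."""
    if wire in PRIMARY:
        return int(state[PRIMARY.index(wire)])
    fn, ins = NET[wire]
    vals = [value(state, w) for w in ins]
    if fn == "NOT":
        return 1 - vals[0]
    out = all(vals) if fn in ("AND", "NAND") else any(vals)
    return int(out) ^ int(fn in ("NAND", "NOR"))


def paths(src: str, dst: str) -> List[List[str]]:
    """All gate paths from wire src to wire dst (lists of gate names)."""
    if src == dst:
        return [[]]
    found: List[List[str]] = []
    for gate, (_, ins) in NET.items():
        if src in ins:
            found += [[gate] + rest for rest in paths(gate, dst)]
    return found


def must_prop(state: str, node: str, out: str) -> bool:
    """exists-path and must-prop together: node's value must reach out when
    every gate on every path has non-controlling side inputs in state."""
    routes = paths(node, out)
    if not routes:
        return False
    for route in routes:
        prev = node
        for gate in route:
            fn, ins = NET[gate]
            ctrl = CONTROLLING.get(fn)
            if any(value(state, w) == ctrl for w in ins if w != prev):
                return False
            prev = gate
    return True


def distribute(node: str, s: str, s2: str, edges: Set[Edge], states: Set[str]) -> None:
    """Edge (s, ., s2) is stable for node; copy forward until its evaluation changes."""
    if value(s, node) != value(s2, node) or s2 in states:
        return
    states.add(s2)
    for s3, t, s4 in SG:
        if s3 == s2:
            edges.add((s3, t, s4))
            distribute(node, s3, s4, edges, states)


def untimed_stabilize(node: str) -> Tuple[Set[Edge], Set[str]]:
    """Figure 5 plus distribute: edges and states on which node is known stable."""
    edges: Set[Edge] = set()
    states: Set[str] = set()
    for s, t, s2 in SG:
        if must_prop(s, node, t[:-1]):      # t is "w+" or "w-"; L(t) is the wire w
            edges.add((s, t, s2))
            distribute(node, s, s2, edges, states)
    return edges, states


def acknowledgment_hazards(node: str, edges: Set[Edge]) -> List[Edge]:
    """Transitions where node changes evaluation without having been stabilized."""
    return [(s, t, s2) for s, t, s2 in SG
            if value(s, node) != value(s2, node) and (s, t, s2) not in edges]
```

For node e the rising change at (1000, b+, 1100) is reported as the speed-independent hazard, while the falling change at (1110, a-, 0110) is covered by the stability distributed from d+.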
Timed stabilization
When timing information is taken into account, the hazard found for the netlist shown in Figure 1(b) may not actually manifest. If this is the case, then node e is hazard-free. This subsection describes our new method to determine stabilization using timing information. Timed stabilization attempts to show further stability in the state graph by calculating the maximum possible time through the network to the node of interest, n, and comparing this against the minimum time spent traversing the state graph. When it can be shown that in the worst case a sufficient amount of time has elapsed, node n can be stabilized.
The algorithm to determine timed stabilization is shown in Figure 6. For each node n, the algorithm first measures the longest path delay from any primary input or output to the node n. This must be done because the actual signal that causes n to change evaluation may not be known due to differences in path lengths. For our example netlist in Figure 1(b), this delay is determined to be 2. Next, the algorithm initializes the visit array, which is used to let the recursion know when a state has been visited along multiple paths when determining stabilization of node n. At this point, the algorithm finds state transitions (s, t_i, s') where the Boolean evaluation of n changes. This indicates locations in the state graph where the node n becomes unstable. The algorithm then takes the zone z associated with state s and updates it to include the transition t_i. The reason this is done rather than taking the zone associated with s' is that t_i may have been pruned from this zone. It is important that t_i is in the zone that is used for timed stabilization, as t_i serves as a reference transition as the algorithm moves forward in the state graph. Finally, the algorithm initializes a path array which is used to terminate cycles during the analysis of a path in the SG.
The update-zone algorithm shown in Figure 7 adds a new transition to a given zone. The first step is to extend the zone to include a new row and column for the new transition t_i. Next, it searches the zone, starting with the transitions that have been added most recently, for transitions that enable t_i (i.e., t_j ∈ •t_i). The first such transition that it finds is the causal transition for t_i. The upper bound of the firing time for t_i should be set in reference to this transition. The upper bound is either taken from the TPN when t_i is a transition on an input wire, or it is taken as the maximum delay in the netlist generating t_i when it is a transition on an output wire.
For all transitions that enable t_i, a lower bound must be set between t_j and t_i. For all transitions that do not enable t_i, the timing relationships are initially set to be unbounded. At this point, the zone is recanonicalized using Floyd's all-pairs shortest path algorithm to tighten any loose inequalities. This recanonicalization step is necessary because tightened bounds increase accuracy. In addition, there are often cases where no timing relationship is known between a newly entered transition and the other entries in the zone. Recanonicalization creates these entries in the zone. As an example, the zone found for the state 1110 in our example is shown in Figure 8(a). The new zone after adding the transition a- is shown in Figure 8(b).
The do-timed algorithm shown in Figure 9 is used to recursively explore the SG, attempting to accumulate sufficient time to stabilize a given node n before reaching a termination condition. This algorithm first marks the current state s as visited in the visit and path arrays described earlier. Next, it considers each state transition (s, t_j, s'). First, it adds the transition t_j to the zone. Next, it checks the zone to determine if enough time has accumulated from the reference transition t_i to the new transition t_j such that the node of interest n has certainly stabilized. If it has, it must also check that the state s' has not been visited along a different path. It must be the case that the minimum time upon reaching a state along all paths to that state has exceeded the maximum logic delay d. Therefore, if this state is encountered along a different path and did not stabilize, then this state transition cannot stabilize the node n. If the amount of accumulated delay does not exceed the delay d, then the algorithm must determine if it is going to recurse down this state transition. If this state has been seen previously upon this path, the algorithm has encountered a cycle of states and must not recurse. If the Boolean evaluation of the node n has changed, then again the algorithm must not recurse. If this is a new state on this path and the Boolean evaluation is maintained, then the algorithm recursively visits the state s'. Note that this edge may have been found to be stable along a different path, but it is not stable along the path the algorithm is currently working on. Therefore, the algorithm must say this edge is not stable before recursing. Upon returning from recursion, the path variable is set to false to allow other potential paths to visit the state s.

  ...
      if (... s')) then
        stable(s, s', n) = TRUE
      elseif (not path(s') and eval(s, n) == eval(s', n)) then
        stable(s, s', n) = FALSE
        do-timed(TPN, SG, NET, n, d, z, t_i, s', visit, path)
    path(s) = FALSE
Figure 9: Timed stabilization recursion.
Our algorithm has the potential for requiring the exploration of a large number of paths, although experimental results have not shown this to happen. The further the algorithm recurses through the state graph, the more potential side paths there are to explore. Typically, the length of the paths explored is very short as the recursion terminates quickly. If in the future examples are found where this is not the case, the algorithm can be changed to limit the path length. This can improve efficiency at the potential cost of more false negative results.
Let us consider again the example netlist in Figure 1(b). A change in evaluation on node e occurs between states 1110 and 0110. As mentioned previously, the do-timed function is called with the zone shown in Figure 8(b). As the SG is traversed, the next transition encountered is b-. Since b- fires 2 to 5 time units after a-, these entries are entered into the appropriate rows and columns as shown in Figure 8(c). The other non-diagonal entries are set to ∞. The zone is then recanonicalized and the resulting zone is shown in Figure 8(d). The parameter of interest is the minimum elapsed time between the last transition entered, b-, and the initial transition a-, which is 2 in this case. Note that lower bounds appear as negative values in a DBM. Since two time units is insufficient time to say with certainty that node e has stabilized, the algorithm considers recursing on state 0010. Since this state has not yet been explored on this path, and since node e still evaluates to 0 in this state, the algorithm recurses to state 0010. Upon recursion, the algorithm adds transition c- to the zone as shown in Figure 8(e) and recanonicalizes to obtain the zone shown in Figure 8(f). The new minimum time elapsed from a- till c- is 4 time units. Since this number is larger than the maximum delay of the AND gate (2 time units), the algorithm can mark this edge as stabilized. The distribute function then copies this stabilization onto states 0000, 0100, and 1000 and edges (0000, b+/1, 0100), (0100, c+/1, 0110), (0000, a+, 1000), and (1000, b+/2, 1100). This is significant in that the hazard condition that existed after untimed stabilization cannot manifest because of the timing relationships between the circuit and the SG.
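As an added worked example (not the paper's own code), the following Python implements the DBM zone extension, Floyd recanonicalization and the do-timed walk just described. The netlist (e = AND(a, b)) and the bound on c- (2 to 5 time units after b-) are assumptions, since the paper gives only the resulting minimum of 4; distribution of the result to neighbouring states is not repeated here.

```python
"""Timed stabilization with a difference bound matrix (DBM) zone.

Added example, not the paper's code.  It follows the walk in the text:
a- is the reference transition and b- fires 2..5 time units after a-.
The bound on c- (2..5 time units after b-) is constructed here; the
paper gives only the resulting minimum of 4.  Node e = AND(a, b) is
assumed, with maximum path delay d = 2; states are strings over a b c d.
"""
import copy
from typing import Dict, List, Optional, Tuple

INF = float("inf")
Bounds = Dict[str, Tuple[float, Optional[float]]]   # enabler -> (lower, upper)
Edge = Tuple[str, str, str]


class Zone:
    """z[i][j] is the tightest known upper bound on tau_j - tau_i, i.e. how
    long after transition i transition j fires.  A lower bound l on the
    same difference is stored as z[j][i] = -l, so lower bounds are negative."""

    def __init__(self) -> None:
        self.names: List[str] = []
        self.z: List[List[float]] = []

    def add_transition(self, name: str, bounds: Bounds) -> None:
        """update-zone: add a row and column for name.  bounds maps each
        enabling transition to (lower, upper); upper is None for every
        enabler but the causal one.  All other entries start unbounded."""
        n = len(self.names)
        for row in self.z:
            row.append(INF)
        self.z.append([INF] * n + [0.0])
        self.names.append(name)
        for enabler, (lower, upper) in bounds.items():
            i = self.names.index(enabler)
            self.z[n][i] = -lower               # tau_name - tau_enabler >= lower
            if upper is not None:
                self.z[i][n] = upper            # tau_name - tau_enabler <= upper
        self.canonicalize()

    def canonicalize(self) -> None:
        """Floyd's all-pairs shortest paths: tightens loose entries and derives
        bounds between transitions that had no direct relationship."""
        n = len(self.names)
        for k in range(n):
            for i in range(n):
                for j in range(n):
                    self.z[i][j] = min(self.z[i][j], self.z[i][k] + self.z[k][j])

    def min_elapsed(self, ref: str, latest: str) -> float:
        """Minimum time that can elapse between ref firing and latest firing."""
        return -self.z[self.names.index(latest)][self.names.index(ref)]


# constructed SG fragment: state -> [(transition, next state, timing bounds)]
SG: Dict[str, List[Tuple[str, str, Bounds]]] = {
    "0110": [("b-", "0010", {"a-": (2, 5)})],
    "0010": [("c-", "0000", {"b-": (2, 5)})],    # c- bound is constructed
}


def eval_e(state: str) -> int:
    """Boolean evaluation of the assumed node e = AND(a, b) in a state."""
    return int(state[0] == "1" and state[1] == "1")


def do_timed(s: str, zone: Zone, ref: str, d: float, visit: Dict[str, bool],
             path: Dict[str, bool], stable: Dict[Edge, bool]) -> None:
    """Figure 9: walk forward from s, accumulating time since ref, until the
    minimum elapsed time exceeds d or a termination condition is reached."""
    visit[s] = path[s] = True
    for t, s2, bounds in SG.get(s, []):
        z = copy.deepcopy(zone)
        z.add_transition(t, bounds)
        if z.min_elapsed(ref, t) > d:
            # enough time along this path; but if s2 was already entered along
            # another path without stabilizing, the minimum over all paths is not
            stable[(s, t, s2)] = not visit.get(s2, False)
        elif not path.get(s2, False) and eval_e(s) == eval_e(s2):
            stable[(s, t, s2)] = False           # not (yet) stable along this path
            do_timed(s2, z, ref, d, visit, path, stable)
    path[s] = False


def stabilize_e(d: float = 2) -> Dict[Edge, bool]:
    """Node e changes evaluation on (1110, a-, 0110), so a- is the reference
    transition; explore forward from 0110 and report which edges stabilize e."""
    zone = Zone()
    zone.add_transition("a-", {})
    stable: Dict[Edge, bool] = {}
    do_timed("0110", zone, "a-", d, {}, {}, stable)
    return stable
```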
Checking for hazard-freedom
Hazards can manifest in asynchronous circuits due to violations in the acknowledgment or monotonicity properties [2]. This section gives an explanation of how our method checks for violations in acknowledgment and monotonicity. This explanation, though, is brief since it is essentially the same as that in [2].
An acknowledgment violation occurs when an internal node becomes excited to change to a new value, but its excitation changes value before it can be shown to have stabilized. The algorithm shown in Figure 10 uses the stability information found earlier to check for acknowledgment on all excited nodes. The algorithm examines each node n and each state transition (s, t, s') in which n changes Boolean evaluation. If n is not stable before it changes Boolean evaluation, then an acknowledgment hazard is reported. For the netlist shown in Figure 1(b) causing a glitch on the output of the AND gate. The algorithm to check for monotonicity violations is given in Figure 11. The definitions of potential hazard and forcing are a bit involved and can be found in [2].
EXPERIMENTAL RESULTS
The gate-level timing verification method described in this paper has been implemented and tested on numerous examples. Table 1 compares our new gate-level timing verification method us- an entry of n/a indicates that this example has an internal cycle and cannot be analyzed using our new method. For the smaller examples, our method has comparable and usually better runtimes than the other methods. However, for larger examples with more concurrency such as trimos-send, our method is more than two orders of magnitude faster than KRONOS, twenty-five times faster than Pena's tool, and twice as fast as the explicit state method in ATACS. In addition, our new method shows some reduction in memory usage as compared to the ATACS explicit state timing verifier. This reduction in run-time and memory usage is directly related to the reduced complexity of the SG as stated earlier.
Since our goal is to determine which gates have hazards on their outputs, the explicit method in ATACS is configured to continue after finding one hazard and identify all hazards. It should be noted that KRONOS did not check for hazards but instead was only checking conformance, while Pena's tool halts after a hazard is found. The last column of the table indicates the number of gates that have hazards found by the explicit state method and our new method. Despite being a conservative approximation, our method found the exact number of hazards in most cases. However, in three examples, rpdft, sbuf-ram-write, and sbuf-send-pkt2, our new method found one additional false hazard.
The key advantage of our new method is its ability to efficiently verify circuits with a large number of internal signals. In order to demonstrate this, a few of our benchmark circuits derived from a variety of sources were selected, and gate-level circuits were derived for them that use only 2-input NAND gates and inverters. Our results are shown in Table 2. In all the examples, our method is still able to check for hazards in 1.2 seconds or less, while for the largest examples the explicit state method cannot complete.
CONCLUSIONS
This paper presents a new method for efficiently checking hazard-freedom in gate-level timed circuits. This method uses a cube approximation of the internal signal behavior in order to avoid generating an explicit state graph representing the switching behavior of the internal signals. Our experimental results show that this new method can be substantially faster than previous gate-level timing verification tools. While this method is conservative and thus can report some incorrect hazards, the number of such false negative results appears to be small. This method has been shown to scale very well in that it can verify examples with more than 150 gates in less than a second while previous methods fail to complete. In the future, we plan to develop techniques to evaluate if a hazard is false or not. When an acknowledgment hazard is found on a node n, the state transition (s, t, s') where the hazard occurs is reported. For monotonicity hazards, the state s and input v that cause the monotonicity violation are reported. In either case, this information can be used to create an error trace from the initial state. This error trace can then be used to perform a guided simulation of the circuit to detect if the hazard can occur or not. While in theory this simulation could result in a full state space exploration, it is likely only to require exploration of a small subset of the state space to determine if it is false or not.
In the future, we also plan to utilize this hazard analyzer to implement a technology mapper for timed circuits. In asynchronous circuits, hazards must be avoided and care must be taken during technology mapping to not introduce hazards in the design. Therefore, an asynchronous technology mapper requires a method to rapidly determine when a transformation of the netlist has introduced a hazard. The hazard analyzer described in this paper addresses this need, making efficient technology mapping of timed circuits possible.
