Abstract
Introduction
Many formal verification algorithms for asynchronous circuits that are based on the exploration of reachable states use transition-oriented models such as Petri nets and CSP to model circuits and specifications [1, 2, 3, 4, 5]. In this approach, the behavior of an asynchronous circuit is represented by transitions of signals. This representation can capture the true nature of asynchronous control circuits. It is, however, not easy for non-expert users to construct good and comprehensive representations in this model. Furthermore, in asynchronous circuit design, control signals are sometimes embedded in data-path circuits. An example is dual-rail encoding, which requires some (abstracted) data-path circuits to be formally modeled for verification. For this type of application, a transition-oriented model is not suitable.
This paper tries to represent the behavior of asynchronous circuits also using values of signals like those used
On the other hand, analyzing this new model in the traditional total-order manner is not acceptable for large circuits because of state explosion. In other words, a new model is useless without an efficient analysis algorithm. For transition-oriented models, two major methods have been proposed for this purpose: implicit state-space enumeration based on BDDs [3] and partial order reduction [4, 5]. Since our current interest is in verifying timed circuits with bounded delays, and the implicit state representation method often fails to represent timed states (in particular, sets of inequalities) efficiently, this work chooses the partial order reduction approach.
Timed automata [6] can also be used as a level-oriented model, and partial order reduction has been applied to their analysis [7, 8]. Our experience, however, has been that the generality of timed automata comes with an increase in analysis complexity, and this generality does not appear to be necessary for verifying asynchronous circuits.
Several alternative level-oriented Petri net models have been proposed such as TEL structures [9] , level-ruled Petri nets (LPNs) [10] , and an extension of time Petri nets [11] .
An LTN is obtained by refining the model proposed in [11]. An LTN is somewhat less expressive than TEL structures and LPNs: in an LTN, timing annotations and Boolean conditions are placed on the transition, whereas in TEL structures and LPNs they are placed on the edge between a place and a transition. That extra expressiveness, however, comes at a cost in the complexity of the analysis algorithm, and as a result the analysis algorithms for those nets have tended to be conservative rather than exact [9, 10]. To the best of our knowledge, the work in [10, 12] is the only one that proposes a partial order reduction for a level-oriented Petri net model, namely the LPN model, and that algorithm is conservative. The goal of this work is to obtain exact verification results using the LTN model. This paper is organized as follows. The next section introduces the LTN model. Section 3 briefly reviews the verification method used in this paper. Section 4 proposes the partial order reduction algorithm for an LTN. Section 5 shows the experimental results obtained by verifying several examples with the proposed algorithm. Finally, we summarize our results in Section 6.
Level Oriented Model
A traditional time Petri net consists of transitions (thick bars), places (circles), and arcs between transitions and places. A token (large dot) can occupy a place, and when every source place of a transition is occupied, the transition becomes enabled. Each transition has two times, the earliest firing time and the latest firing time. An enabled transition becomes ready to fire (i.e., firable) when it has been continuously enabled for its earliest firing time, and cannot be continuously enabled for more than the latest firing time, i.e., it must fire unless it is disabled. The firing of a transition occurs instantly. It consumes tokens in its source places and produces tokens into its destination places.
In an LTN, two additional functions, assign and condition, can be associated with a transition. The assign function relates a transition to assignments to Boolean variables, and the condition function relates a transition to an expression over Boolean variables. The enabling condition of an LTN is extended accordingly: a transition is enabled if both the expression given by condition is true and every source place is occupied. For example, in the LTN shown in Figure 1(a), t is enabled only if the Boolean condition over the two variables shown in the figure is true. The firing rule of an LTN is also extended: when a transition fires, the assignments specified by the assign function are performed while tokens are consumed and produced. For example, in the LTN shown in Figure 1(b), when t fires, the two variables are set to 1 and 0, respectively. Using assign and condition, a level-oriented model can easily be described.
condition T, where
In this work, only 1-safe LTNs are considered, i.e., in any reachable state s (with inequality set I and valuation val), no transition t whose firing would put a token into an already occupied place is firable. Similarly, it is assumed that no transition has a vacuous assignment, i.e., for any variable v and any reachable state s with valuation val, no firable transition assigns to v the value val(v) it already holds. These assumptions are only for simplification of our algorithm, and with an increase in complexity they can be removed. In the example, the transition is not enabled until the signal goes low. Therefore, a hazard caused by a rising and then a falling transition of that signal arriving before it is detected as a failure (as described in the next section).
Verification Method
This paper uses the timed trace theoretic verification method [13]. A module is a tuple (I, O, N), where I and O are the sets of input and output wires, respectively, and N is an LTN. We use a module as the formal model of a circuit element (e.g., a gate) or of a specification. Some transitions in N correspond to wires, and the firing of those transitions changes the values of the wires. A transition related to an input wire of the module is called an input transition; an output transition is defined similarly. Moreover, the Boolean variables of an LTN correspond to input or output wires. A circuit consists of a set of modules. In a set of modules, input transitions fire only in synchronization with the corresponding output transition, i.e., the transition with the same wire name in some other module. When an output transition fires, if no corresponding input transition is enabled in a module, a failure occurs. This represents that a module tries to send an output but some other module cannot receive it as the corresponding input, so some bad output may be produced. In this sense, our verification method checks safety properties. Note that Boolean variables can be changed at any time without failures.
We define the following, where s is a state with inequality set I and valuation val:
out_trans(t) is the output transition that corresponds to t. If t is an output transition, then out_trans(t) is t itself.
in_trans(t) is the set of input transitions that correspond to out_trans(t).
Verification Algorithm
The following shows a skeleton of the verification algorithm based on the partial order reduction.
  if (s is already visited) then return(true);
  if (s is a failure state) then return(false);
  Mark s as visited;
  forall (t ∈ ready(s))
    forall (s′ ∈ successors(s, t))
      if (the search from s′ returns false) then return(false);
  return(true);
end
Although this algorithm is quite similar to the usual depth-first search algorithm, there are two major differences that characterize the partial order reduction. One is that ready(s) is a subset of the firable transitions, and the other is that multiple states are generated by the firing of t through successors(s, t). We show how to construct ready(s) and successors(s, t) for an LTN in the next subsections. dependent(s, t) is the smallest set that satisfies the following:
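The module semantics of Section 3 and the depth-first skeleton above can be exercised on a small untimed instance. The following Python program is an added example, not code from the paper or its implementation: it builds level-oriented nets with assign/condition annotations on transitions, composes modules so that input transitions fire only in synchronization with the output transition of the same wire, flags the failure of Section 3 (an output fires while a receiving module has no enabled input transition), and runs the search with the total-order ready set (every firable transition), i.e., the baseline the paper later labels "Total". Timing (earliest/latest firing times, inequality sets, true parents) is left out. The module names, place names and the inverter/environment models are constructed for the example, and a module that has no transition at all on one of its input wires is assumed to treat that wire as a plain level variable, which is how "Boolean variables can be changed at any time without failures" is read here.

```python
# Added example (not the paper's code): untimed level-oriented nets, module
# composition with the failure rule of Section 3, and the DFS of Section 4
# using the total-order ready set.  Models and names are constructed here.
from dataclasses import dataclass
from itertools import product
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple

Valuation = Dict[str, bool]
Marking = FrozenSet[str]
fs = frozenset


@dataclass(frozen=True)
class Transition:
    name: str
    pre: FrozenSet[str]                 # source places consumed on firing
    post: FrozenSet[str]                # destination places produced on firing
    wire: Optional[str] = None          # wire changed by assign(t); None = internal
    value: Optional[bool] = None        # assign(t): new value of `wire`
    cond: Callable[[Valuation], bool] = lambda v: True  # condition(t)


@dataclass(frozen=True)
class Module:
    name: str
    inputs: FrozenSet[str]
    outputs: FrozenSet[str]
    transitions: Tuple[Transition, ...]
    initial: Marking

    def enabled(self, marking: Marking, val: Valuation) -> List[Transition]:
        """LTN enabling rule: all source places marked and condition(t) true."""
        return [t for t in self.transitions if t.pre <= marking and t.cond(val)]

    def receives(self, wire: str) -> bool:
        """True if this module has explicit input transitions on `wire`;
        a module that only reads the wire as a level can never fail."""
        return wire in self.inputs and any(t.wire == wire for t in self.transitions)


def fire(marking: Marking, t: Transition) -> Marking:
    """Consume pre, produce post; the 1-safety assumption is checked."""
    left = marking - t.pre
    if left & t.post:
        raise ValueError(f"{t.name} violates 1-safety")
    return left | t.post


# A circuit state is (markings of all modules, set of wires currently high).
State = Tuple[Tuple[Marking, ...], FrozenSet[str]]


def valuation(mods: List[Module], high: FrozenSet[str]) -> Valuation:
    return {w: w in high for m in mods for w in m.inputs | m.outputs}


def ready(mods: List[Module], s: State) -> List[Tuple[int, Transition]]:
    """Total-order ready set: every firable output or internal transition."""
    val = valuation(mods, s[1])
    return [(i, t) for i, m in enumerate(mods) for t in m.enabled(s[0][i], val)
            if t.wire is None or t.wire in m.outputs]


def successors(mods: List[Module], s: State, i: int, t: Transition) -> Optional[List[State]]:
    """Fire t of module i together with one input transition of every receiver.
    Returns None when some receiver has no enabled input transition (failure)."""
    markings, high = list(s[0]), set(s[1])
    markings[i] = fire(markings[i], t)
    if t.wire is None:
        return [(tuple(markings), fs(high))]
    val = valuation(mods, s[1])
    choices = []                        # (receiver index, its enabled input transitions)
    for j, m in enumerate(mods):
        if j != i and m.receives(t.wire):
            ins = [u for u in m.enabled(markings[j], val)
                   if u.wire == t.wire and u.value == t.value]
            if not ins:
                return None             # output sent, receiver cannot accept it
            choices.append((j, ins))
    (high.add if t.value else high.discard)(t.wire)
    out = []
    for combo in product(*[ins for _, ins in choices]):
        ms = list(markings)
        for (j, _), u in zip(choices, combo):
            ms[j] = fire(ms[j], u)
        out.append((tuple(ms), fs(high)))
    return out


def verify(mods: List[Module], high0: FrozenSet[str] = fs()) -> Tuple[bool, Optional[List[str]], int]:
    """Depth-first search; returns (ok, firing sequence to the failure, states visited)."""
    visited = set()

    def search(s: State, trace: List[str]):
        if s in visited:
            return True, None
        visited.add(s)
        for i, t in ready(mods, s):
            succ = successors(mods, s, i, t)
            if succ is None:
                return False, trace + [t.name]
            for s2 in succ:
                ok, tr = search(s2, trace + [t.name])
                if not ok:
                    return False, tr
        return True, None

    ok, tr = search((tuple(m.initial for m in mods), fs(high0)), [])
    return ok, tr, len(visited)


def inverter(a: str, b: str) -> Module:
    """Gate as a level-oriented net: b- needs a high, b+ needs a low; b starts high."""
    return Module("INV", fs({a}), fs({b}), (
        Transition(f"{b}-", fs({"bh"}), fs({"bl"}), b, False, lambda v: v[a]),
        Transition(f"{b}+", fs({"bl"}), fs({"bh"}), b, True, lambda v: not v[a]),
    ), fs({"bh"}))


def environment(a: str, b: str, waits_for_b: bool) -> Module:
    """Drives a and must receive b.  With waits_for_b=False it lowers a before
    b- has arrived, so the gate's b- finds no enabled input transition."""
    steps = [(f"{a}+", a, True), (f"{b}-", b, False), (f"{a}-", a, False), (f"{b}+", b, True)]
    if not waits_for_b:
        steps[1], steps[2] = steps[2], steps[1]
    places = ["s0", "s1", "s2", "s3", "s0"]
    trs = tuple(Transition(n, fs({places[k]}), fs({places[k + 1]}), w, v)
                for k, (n, w, v) in enumerate(steps))
    return Module("ENV", fs({b}), fs({a}), trs, fs({"s0"}))


if __name__ == "__main__":
    for waits in (True, False):
        print(waits, verify([environment("a", "b", waits), inverter("a", "b")], fs({"b"})))
```

With the well-behaved environment the search closes after four states and reports no failure; with the impatient one it returns the firing sequence a+, b- as the failure witness, because the environment has already committed to a- and has no b- input transition enabled when the inverter produces b-. Replacing `ready` with a proper ready-set construction and attaching inequality sets to states is where the paper's partial order reduction would plug in.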
As mentioned later, both variants of necessary and dependent contain sets of pairs whose first component u is a transition and whose second component is the minimal time necessary to fire u. Condition 2.(e) makes it easier to decide the true parents of newly enabled transitions. A true parent of an enabled transition t is a transition that actually makes t enabled and hence determines its firing time. For example, since t has multiple source places in Figure 4(a), the transition that produces the final token to the source places of t can be a true parent. Moreover, if condition(t) is a simple product term as shown in Figure 4(b), the transition that last assigned true to a Boolean variable can be a true parent. Note that even if t3 fires last in a firing sequence that enables t in Figure 4(a), this does not mean that only t3 is a true parent of t in that firing sequence, because the partial order reduction algorithm does not usually give an ordering relation among concurrent transitions such as t1, t2, and t3. Thus, when t becomes enabled, the possibility that each of t1, t2, and t3 is a true parent of t is checked, and a new state is generated by adding the timing constraints required for that transition to be the true parent. However, if condition(t) contains logical OR operators, true parents must be decided differently. For example, in Figure 4(c), whichever of the two candidate transitions fires earlier can be a true parent of the enabled transition, and the firing of that transition immediately makes it enabled. Therefore, the decision of true parents cannot be postponed until all candidates have fired. Hence, in the case where the condition of an enabled transition is a sum of product terms, when one of its product terms becomes true by firing a transition t, we check whether other product terms of that condition can become true by firing transitions t′, and give the ordering relation between t and t′.
This implies that all possible true parent candidates of the enabled transition are explicitly ordered, which allows us to decide true parents of this type according to the firing sequences.
In 
successors(s, t)
When we fire t such that t ∈ ready(s) in state s (with inequality set I and valuation val), the following steps are needed.
For each u ∈ ready(s), the constraint ordering t with respect to the future variable of u is added to I.
For a transition t_n newly enabled by the firing of t, its true parent is decided, and the appropriate constraints for it are added to I.
We can consider two types of true parents for t_n: the transitions that produce tokens in source places of t_n, and the transitions that satisfy condition(t_n). The former are called place-related true parents, and the latter condition-related true parents. In order to decide the true parents of t_n, true_parent(s, t_n), which is defined in 4.2.1, denotes a set of pairs (t_p, I_p), where t_p is a true parent of t_n and I_p is the set of inequalities necessary for t_p to be a true parent. Note that if adding I_p to the I of the current state makes I inconsistent, that (t_p, I_p) is discarded during state generation.
2.
In 7., since more than one true parent assignment, 
Experimental Results
We have implemented the proposed method naively in the C language. Here, we demonstrate the verification of the STARI example [15, 16, 14] using LTN models. In these experiments, the time Petri net models used in [14] are simply replaced with LTN models; e.g., a NOR gate is modeled as shown in Figure 2(b) instead of Figure 2(a). The remaining verification settings are unchanged.
In Table 1, the column labeled "Partial" shows the number of generated states, the CPU time (Pentium III, 866 MHz, 360 MB, on VMware), and the memory required for the verification of STARI circuits of various sizes. For comparison, the results of the total order algorithm, in which the set of all firable transitions is used as the ready set, are shown in the column labeled "Total". The results show a significant performance improvement of the partial order reduction algorithm over the total order algorithm. Table 2 compares the level-oriented method with the transition-oriented method. For this experiment, VINAS-P [17], which works on time Petri net models, is used as the transition-oriented method. Both methods use a partial order reduction algorithm. Since the LTN models are much simpler than the time Petri net models, as shown in Figure 2, our naive implementation outperforms VINAS-P.
Conclusion
This paper proposes a level-oriented model, the LTN, for formal verification that naturally models the behavior of asynchronous circuits. This new model allows causality to be specified through both transitions and signal values. This paper also develops a partial order verification algorithm for this new model. In particular, the ready set construction is enhanced to be aware that disablings can now occur not only as a result of conflict in the net but also through changes of signal values in the level. The calculation of true parents in disjunctive conditions must also be considered in the calculation of the ready set. Finally, the necessary set construction used in the ready set calculation must be updated to allow the recursion to proceed from a condition to the transitions that assign to the variables used in the condition. The zone construction used by the timing analysis algorithm must also be enhanced: true parents may now be found in conditions, and more care must be taken in deciding when transitions can be safely pruned from the zone. This updated algorithm has been implemented and applied to the timed circuit benchmark STARI, and it has been found to outperform a verifier based on the time Petri net model.
