Automatic derivation of timing constraints by failure analysis by Myers, Chris J. & Yoneda, Tomohiro
Automatic Derivation of Timing Constraints by Failure Analysis
Tomohiro Yoneda*1, Tomoya Kitai2, and Chris Myers**3
1 National Institute of Informatics, Tokyo 101-8430, Japan, yoneda@nii.ac.jp
2 Tokyo Institute of Technology, Tokyo 152-8552, Japan, kitai@yt.cs.titech.ac.jp
3 University of Utah, Salt Lake City UT 84112, USA, myers@ece.Utah.edu
Abstract. This work proposes a technique to automatically obtain timing constraints for a given timed circuit to operate correctly. A designated set of delay parameters of a circuit are first set to sufficiently large bounds, and verification runs followed by failure analysis are repeated. Each verification run performs timed state space enumeration under the given delay bounds, and produces a failure trace if one exists. The failure trace is analyzed, and sufficient timing constraints to prevent the failure are obtained. Then, the delay bounds are tightened according to the timing constraints by using an ILP (Integer Linear Programming) solver. This process terminates when either some delay bounds under which no failure is detected are found or no new delay bounds to prevent the failures can be obtained. The experimental results using a naive implementation show that the proposed method can efficiently handle asynchronous benchmark circuits and nontrivial GasP circuits.
Keywords: Trace theoretic verification. Failure analysis. Timed circuits. Timing constraints.
1 Introduction
In order to obtain high performance systems, it is necessary to design circuits with aggressive and complex sets of timing constraints. GasP circuits [ ] are a prime example of such highly timed circuits, i.e., circuits that don't work as expected unless strict timing constraints on delay parameters are satisfied. In particular, the correctness of GasP circuits depends on the fact that (1) no hazards occur, (2) hold time constraints are satisfied for some signal transitions, and (3) short circuits caused by turning on all transistors in the path between the power supply and ground either never occur or occur only for a very short time. It is, however, not easy to check if the circuit satisfies all these constraints by simulation or static timing analysis due to the complexity of the timing constraints. Therefore, formal verification is essential.
* This research is supported by JSPS Joint Research Projects.
** This research is supported by NSF CAREER award MIP-9625014, NSF Japan Program award INT-0087281, and SRC grant 99-TJ-694.
D. Brinksma and K. G. Larsen (Eds.): CAV 2002, LNCS 2404, pp. 195-208, 2002.
© Springer-Verlag Berlin Heidelberg 2002
This work uses a formal verification tool VINAS-P [ ]. VINAS-P is based on a timed version of trace theoretic verification [ ], and time Petri nets are used for modeling both specifications and circuits. VINAS-P checks safety properties. Bad behavior such as a hazard, hold time violation, and a short circuit can be detected as safety failures. VINAS-P uses partial order reduction, which explores only a reduced state space that is sufficient to detect failures; this enables us to verify much larger circuits than a traditional total order method.
Although a formal verifier is very effective at proving that a given circuit is correct with respect to the specification, for an incorrect circuit it simply generates a failure trace. In the case of VINAS-P, it shows for a failure trace a waveform of selected signals. This is useful to understand what is going on in a circuit, but it is not easy to see why the failure occurs, or how the failure can be eliminated. When we tried to verify the GasP circuits, failure traces were actually produced again and again. Although almost all these failures are caused by incorrect delay settings, obtaining the appropriate delays or conditions for them is a difficult problem. This motivates this work, which proposes a way to obtain sufficient timing conditions on delays for correct behavior of timed circuits by analyzing failure traces produced by the verifier.
In the proposed method, several delay parameters are selected to be examined, and initially some large integer bounds are set for them. Then, the model is verified. If a failure trace is provided by the verifier, then our algorithm analyzes it and suggests a set of candidates for additional timing constraints. Those timing constraints are sorted using heuristics, and the most appropriate one is chosen by the algorithm. The rest of the constraints are used when backtracking occurs. The selected timing constraint is added to the initial timing constraints, meaning the delay bounds are tightened. Then, an ILP (Integer Linear Programming) solver is invoked to update the delay bounds. This new set of delay bounds is used for the next verification run. This process of verification, analysis of failure traces to obtain timing constraints, and updating the delay bounds is fully automatic, and it is repeated until verification succeeds or no consistent timing constraints are found. Integer delay bounds and ILP are used in order to guarantee the termination of this process.
The rest of this paper is organized as follows. Section 2 refers to related works. Section 3 briefly introduces the verification method. Section 4 shows an example to explain the proposed method intuitively. In Section 5, the algorithms to analyze a failure trace and obtain timing constraints to eliminate the failure are proposed. The heuristics used for performance improvement are also shown there. Section 6 shows experimental results using a naive implementation. Finally, Section 7 summarizes the discussion.
2 Related Works
The same problem discussed in this paper is solved by two different but similar approaches. In [ ], Negulescu proposes a method where a timed circuit is represented by an untimed model, called a process, and untimed state space enumeration is done. When a failure is detected, they analyze it by hand and construct a new model that avoids the failure. This process of untimed verification and reconstruction of the model is repeated until no failure is detected or model reconstruction fails due to inconsistency. Another approach is proposed in [ , ]. This approach also uses untimed models and untimed verification. In this approach, all possible failures of a circuit are generated by one state enumeration, and then timing constraints are obtained automatically by analyzing the state graph. The constraints obtained by this approach are not those on delays but those on the ordering of signal transitions. Thus, their goal is slightly different from ours.
Another work that we need to mention is a verification of timed systems using the relative timing method, which is proposed in [ ]. Its goal is to verify timed circuits, not to obtain timing constraints. But, in their method, a detected failure is checked to see if it is legal with respect to the given delay bounds, and if so, a new model that excludes the failure is reconstructed. Verification and reconstruction are repeated similarly to Negulescu's method, but automatically. While it may be possible to combine this work and Negulescu's work to achieve the same result as ours, it is not clear how effective this would be since it has not been attempted.
The biggest difference between these works and our work is that only our method uses timed state space enumeration. The authors of the above works claim that the advantage of their works is that the verification of timed systems can be reduced to that of untimed systems. It is apparent that the complexity of untimed verification is much smaller than that of timed verification. Our claim is, however, that a huge number of failures may be detected if a timed circuit is analyzed as an untimed circuit, i.e., many but unrealistic failure traces can be produced by the untimed analysis. This makes the cost to obtain timing constraints fairly large. If the initial delay bounds can be suitably reduced to realistic ones, our method may work more efficiently. Probably, the only way to compare both approaches is to implement our idea and to compare the results for many examples. This is one of the goals of this paper.
Another difference is in adding timing constraints. Our method uses updated delay bounds. Thus, the cost of each verification run is almost the same. On the other hand, in the method proposed in [ ] and [ ], an additional timing constraint is represented by a process or a transition system, and the composition of the original model and the model for the additional timing constraint is verified in the next run. It is possible that this more complicated model may require more BDD nodes and increase the verification cost. The method in [ ] does not suffer from this problem, because no model reconstruction is done. However, their method does not obtain constraints on delays but on the ordering of signal transitions, and hence it seems difficult to verify, for example, hold time violation. In order to obtain constraints on delays, model reconstruction or a re-verification step (in our case) is necessary in each iteration, because there are potentially many constraints that eliminate a particular failure, and searching for appropriate combinations of constraints to eliminate all possible failures step by step with backtracking is much easier than obtaining all possible combinations on the first try. For this reason, our problem cannot be modeled by a uniform ILP problem.
It is also necessary to mention that there are many works [ , , , and others] to verify timed systems using timed automata. Although this work uses time Petri nets to model timed circuits, because a tool based on them is available to us, we believe that the technique proposed in this paper can be easily applied to timed automaton based tools. Furthermore, although our tool uses DBM analysis to handle real-time constraints, the proposed technique can also be applied to discrete-time analysis methods.
3 Verification Method
The underlying verification method used in this work is the timed extension of trace theoretic verification [ ]. In our method, each circuit element, called a module, is modeled by a time Petri net.
A time Petri net consists of transitions (thick bars), places (circles), and arcs between transitions and places. A token (large dot) can occupy a place, and when every source place of a transition is occupied, the transition becomes enabled. Each transition has two times, the earliest firing time and the latest firing time. In this work, it is assumed that these times are integers. An enabled transition becomes ready to fire (i.e., firable) when it has been continuously enabled for its earliest firing time, and cannot be continuously enabled for more than the latest firing time, i.e., it must fire unless it is disabled. The firing of a transition occurs instantly. It consumes tokens in its source places and produces tokens in its destination places.
A module is defined as $(I, O, N)$, where $I$ and $O$ are sets of input and output wires, respectively, and $N$ is a time Petri net. A firing of a transition changes the value of a wire that is related to the transition, and the direction of change ($0 \to 1$ or $1 \to 0$) is represented by + or − in its name. A transition that is related to an output wire of the module is called an output transition. An input transition is defined similarly.
A timed circuit is modeled by a set of modules. In a set of modules, an input transition fires only in synchronization with the corresponding output transition in some different module. Thus, the earliest and latest firing times of an input transition are considered to be $[0, \infty]$. If an output transition is firable and every corresponding input transition is disabled in a module, the state is called a failure state, and the verifier reports a failure trace, which is the sequence of all transitions fired between the initial state and the failure state.
A specification is also modeled as a module. If a circuit behaves differently from its specification, an output from a circuit module cannot be accepted by the specification, and it is detected as a failure. In addition, bad behavior such as a hazard, hold time violation, and a short circuit can be detected as failures inside circuit modules.
4 A Small Example
Let's consider the circuit shown in Figure 1(a), where the delay bounds of the inverter and OR gate are $[d_{inv}, D_{inv}]$ and $[d_{or}, D_{or}]$. The initial state of this circuit is $(a, b, c, d) = (1, 0, 0, 0)$, and its behavior is expected as follows (see Figure 1(b)): When c is raised, d goes up. Then, a and c are lowered in this order. During these input changes, the circuit keeps d high. Finally, when a is raised again, d goes down, and the circuit goes back to the initial state. Hence, the environment of this circuit can be expressed by $(\{d\}, \{a, c\}, N_S)$, where $N_S$ is the time Petri net shown in Figure 1(c)¹. The delay bounds for c+ and a− are [10,10], while those for c− and a+ are [25,25] and [80,80], respectively. Note that d is an input of this environment and it fires in synchronization with the circuit output.
Fig. 1. A circuit and its environment: (a) the circuit, (b) its expected waveform, (c) the environment net $N_S$ (transition bounds, left to right: [10,10], [0,∞], [10,10], [25,25], [80,80], [0,∞])
Fig. 2. Two possible cases to prevent the failure: (a) and (b)
Assume that the following initial constraints for the circuit delay bounds are given.
$$5 \le d_{inv} \le 50,\quad 5 \le D_{inv} \le 50,\quad 5 \le d_{or} \le 50,\quad 5 \le D_{or} \le 50, \qquad (1)$$
$$d_{inv} + 2 \le D_{inv} \le d_{inv} + 30,\quad d_{or} + 2 \le D_{or} \le d_{or} + 30$$
The constraints of the form $d_{inv} + 2 \le D_{inv}$ are used to avoid tight delay bounds, and those of the form $D_{inv} \le d_{inv} + 30$ are for reducing the state space. These and the lower bounds are also important to avoid an imbalanced delay assignment such as assigning the total delay to one gate and zero to the others. Actually, these initial delay bounds should be determined depending on the device technology used to implement the circuits. Now, the problem to be solved is to find some delay bounds, satisfying the above constraints, under which the circuit behaves correctly with its environment. Although it is desirable that the maximal possible delay bounds are found, this is beyond the scope of this paper.
The first step of our algorithm is to obtain initial delay bounds from (1) using an ILP solver. In this case, they are
$$d_{inv} = 5,\quad D_{inv} = 35,\quad d_{or} = 5,\quad D_{or} = 35.$$
¹ More precisely, this is defined as a mirror of a specification, where its input set (output set) is equal to the output set (input set) of the circuit.
The details about the ILP solver and the objective function used are mentioned in Section 6. Using these delay bounds, the first verification run is done, and the following failure is detected:²
c+; d+; a−; c−; b+
This failure means that after c−, the OR gate tries to lower its output d because b is low at that time. But, before its output change, b+ occurs. This violates a property called semi-modularity, and is considered to produce a hazard. This failure can be prevented if (a) b+ occurs later than the output change d−, or (b) b+ occurs before the input change c− (see Figure 2(a) and (b)). Note that the failure is prevented in case (b) because the output of the OR gate is stable during these input changes. Suppose that our algorithm first tries case (a). In order to obtain the constraint for (a), the algorithm examines the causes of b+ and d−. b+ is caused by a−, while d− is caused by c−, and c− is caused by a− in the environment. Hence, to make b+ occur later than d−, the following constraint is necessary.
$$25 + D_{or} < d_{inv} \qquad (2)$$
Note that the largest delay is used for the OR gate, while the smallest delay is used for the inverter. This ensures the above ordering (d−; b+) even in the worst case.
For constraints (1) and (2), the ILP solver gives the delay bounds
$$d_{inv} = 33,\quad D_{inv} = 50,\quad d_{or} = 5,\quad D_{or} = 7,$$
and the second verification run with these delay bounds produces the following failure.
c+; d+; a−; c−; d−
This failure occurs because the circuit produces d− although it is not expected in the environment (i.e., d− is not enabled after c−). In other words, to prevent this failure, d− should be prevented. This is possible if b+ occurs before c−. Again, the algorithm checks their causes, and finds that both b+ and c− are caused by a−. Hence, the following constraint is obtained.
$$D_{inv} < 25 \qquad (3)$$
For constraints (1), (2), and (3), however, the ILP solver gives no solution due to inconsistency.
Now, the algorithm backtracks to the most recent selection point, and chooses case (b) instead. This constraint is actually the same as the above one, and constraint (3) is obtained. For constraints (1) and (3), the ILP solver gives
$$d_{inv} = 5,\quad D_{inv} = 24,\quad d_{or} = 5,\quad D_{or} = 35,$$
and the third verification run reports no failure. Hence, the above delay bounds are the solution of our problem.
² Every gate is modeled by a time Petri net [ ], and it contains internal transitions other than input or output transitions. A failure trace includes internal transitions, but here they are omitted for simplicity.
The main technical issue of our algorithm is to automatically obtain a constraint to prevent the given failure by analyzing the failure trace and the structure of the Petri nets. Another issue is that the correctness of the algorithm depends on the backtracking. In the above example, one backtrack occurs. Many backtrackings, of course, decrease the performance of the algorithm. Our algorithm uses a heuristic to choose appropriate constraints, which is simple but very effective. These issues are discussed in the following section.
5 Failure Analysis
This section presents the algorithm that is used to perform analysis to derive sufficient timing constraints to avoid failures.
5.1 Finding A and B Events
When a failure trace is given, our algorithm first finds two events, called event $A$ and event $B$, such that the failure is caused because event $A$ occurs before event $B$, and that the failure may be prevented by firing event $B$ before event $A$. For a failure trace, there can exist several event $A$'s and $B$'s. In the above example, for case (a), $A$ is b+ and $B$ is d−, and for case (b), $A$ is c− and $B$ is b+. In order to handle cases where event $B$ may not even be enabled, events $A$ and $B$ are extended so that they have an offset. That is, an AB-candidate with respect to a failure trace $\mathcal{F}$ is a three-tuple $(t_A, t_B, \mathit{off})_{\mathcal{F}}$, where $t_A$ is a transition that fires in $\mathcal{F}$, and $t_B$ is a transition that is enabled in the state where $t_A$ fires, such that firing $t_B$ certainly $\mathit{off}$ time units earlier than $t_A$ may be able to prevent $\mathcal{F}$. $\mathcal{F}$ is omitted from this notation if there is no confusion.
Let's consider modules $M_1$, $M_2$ shown in Figure 3 and their failure trace $\mathcal{F} = a+;\ t_1;\ t_2;\ b+\,(out)$. This failure trace starts when an output transition $a+\,(out)$ of $M_2$ fires in its initial marking $\mu_0$ together with the corresponding input transition $a+\,(in)$ of $M_1$. The failure occurs in a marking $\mu_3 = \{p_3, p_4, p_7\}$ because $b+\,(out)$ of $M_1$ fires before its input transition $b+\,(in)$ of $M_2$ becomes enabled. Thus, one way to prevent this failure is to fire $t_6$ before $b+\,(out)$. Note that an input transition is assumed to have a $[0, \infty]$ bound, and so it becomes ready to fire immediately when it is enabled. In this example, however, $t_6$ is not yet enabled when $b+\,(out)$ of $M_1$ fires. Thus, the net is traversed upward, and an enabled transition $t_5$ is found. Since $t_6$ takes $D_6$ time units to fire in the worst case, it is necessary to fire $t_5$ $D_6$ time units earlier than $b+\,(out)$. Hence, $(b+\,(out), t_5, D_6)$ is obtained. This AB-candidate is computed by force_fire$(b+\,(in), b+\,(out), 0, \mu_3, \emptyset)$, where force_fire$(t, t_A, \mathit{off}, \mu, T_D)$ obtains a set of AB-candidates in a marking $\mu$ to force $t$ to fire certainly $\mathit{off}$ time units earlier than $t_A$ without firing transitions in $T_D$, and it is defined as follows.
1. If $t \in T_D$, then force_fire$(t, t_A, \mathit{off}, \mu, T_D) = \emptyset$. $T_D$ is used to terminate looping.
2. Otherwise, if $t$ is enabled in $\mu$, then force_fire$(t, t_A, \mathit{off}, \mu, T_D) = \{(t_A, t, \mathit{off})\}$.
3. Otherwise, for some empty place $p \in \bullet t - \mu$,
$$\mathrm{force\_fire}(t, t_A, \mathit{off}, \mu, T_D) = \bigcup_{t' \in \bullet p} \mathrm{force\_fire}(\mathrm{out\_trans}(t'), t_A, \mathit{off} + \mathrm{Lft}(t), \mu, T_D \cup \{t\}),$$
where out_trans$(t')$ is the output transition that corresponds to $t'$ (if $t'$ is an output transition, then out_trans$(t') = t'$), and Lft$(t)$ is the latest firing time of $t$. Note that it is sufficient to check some empty source place $p$ of $t$ because at least $p$ needs a token in order to enable $t$. On the other hand, all source transitions of $p$ should be checked, because it is unknown which source transition produces a token to $p$.
Fig. 3. An example of a module set: $M_1 = (\{a\}, \{b\}, N_1)$ and $M_2$; bounds for $t_i$ are $[d_i, D_i]$, bounds for $a+\,(out)$ are $[d_{a+}, D_{a+}]$, and so on.
There are, however, other ways to prevent the above failure. For example, if $t_3$ fires before $t_1$, this failure is prevented, because the output transition $b+\,(out)$ is no longer enabled. Furthermore, if $t_7$ fires before $t_1$ and $b+\,(out)$, this failure is prevented. The method used in our work to cover all these cases is to try every transition $t_c$ that lost the chance to fire in the failure trace, i.e., our method obtains every AB-candidate for firing transition $t_c$ such that $t_c \in \mathrm{conflict}(t)$, where $t$ is a transition that fired in the failure trace and conflict$(t)$ is the set of transitions that are in conflict with $t$. Since this method may produce unnecessary AB-candidates, removing them is probably necessary in order to improve the performance, but this is left as future work. Hence, the following obtain_AB$(\mathcal{F})$ obtains the set of all AB-candidates for a failure trace $\mathcal{F}$, where in_trans$(t, M)$ is the set of input transitions of module $M$ that correspond to output transition $t$, $M_{in}$ is the module whose input transition causes a failure, $l = |\mathcal{F}|$, $t_i$ is the $i$-th transition in $\mathcal{F}$ (i.e., $t_{l-1}$ is the failure transition), and $\mu_i$ is the marking where $t_i$ fires (i.e., $\mu_0$ is the initial marking).
$$\mathrm{obtain\_AB}(\mathcal{F}) = \bigcup_{t' \in \mathrm{in\_trans}(t_{l-1}, M_{in})} \mathrm{force\_fire}(t', t_{l-1}, 0, \mu_{l-1}, \emptyset) \;\cup\; \bigcup_{i=0}^{l-2} \Big( \bigcup_{t' \in \mathrm{conflict}(t_i)} \mathrm{force\_fire}(\mathrm{out\_trans}(t'), t_i, 0, \mu_i, \emptyset) \Big)$$
Fig. 4. Timing relations implied by the failure trace $\mathcal{F}$
5.2 Obtaining Constraints
Once AB-candidates are found, the next step is to construct timing constraints for each AB-candidate. This is done based on the timing relations implied by the given failure trace. A failure trace gives two kinds of timing relations, called causal relation and preceding relation.
If transition $u$ is the unique parent of transition $t$, i.e., the firing of $u$ causes $t$ to become enabled, the firing time of $t$, denoted by $T(t)$, must satisfy the following relation.
$$\mathrm{Eft}(t) \le T(t) - T(u) \le \mathrm{Lft}(t)$$
This is a causal relation. If $t$ has two or more parents $u_1, u_2, \dots$, the verification algorithm chooses one parent, say $u_p$, that decides the firing time of $t$. Such a parent is called a true parent. Since a true parent must fire later than the other parents in order to actually cause its child transition, the following relation is also necessary besides the above causal relation.
$$T(u_1) \le T(u_p),\quad T(u_2) \le T(u_p),\quad \cdots$$
These are called preceding relations. Furthermore, if two or more transitions $t_1, t_2, \dots$ are in conflict, and $t_k$ wins the conflict, then the following relation is necessary to express that $t_k$ fires earlier than any other conflicting transition.
$$T(t_k) \le T(t_1),\quad T(t_k) \le T(t_2),\quad \cdots$$
These are also preceding relations. Precisely, this relation is necessary for all transitions in a ready set [ ], which is a set of transitions that should be interleaved in the state.
Consider again the modules shown in Figure 3 and the failure trace $\mathcal{F} = a+;\ t_1;\ t_2;\ b+\,(out)$. The timing relations implied by this failure trace can be illustrated as shown in Figure 4. In this figure, which is called a failure graph, a node represents a transition that fires or gets enabled in the failure trace. A normal arrow from $u$ to $t$ indicates the causal relation (i.e., $\mathrm{Eft}(t) \le T(t) - T(u) \le \mathrm{Lft}(t)$), while a dotted arrow indicates the preceding relation (i.e., $T(u) \le T(t)$).
Now, consider an AB-candidate $(b+\,(out), t_5, D_6)$ to construct its timing constraints for firing $t_5$ certainly earlier than $b+\,(out)$. The first step to obtain the constraints is to find the common ancestor of $t_5$ and $b+\,(out)$ in the failure graph. In this example, it's $a+\,(out)$. This means that $a+\,(out)$ determines the firing times of both $t_5$ and $b+\,(out)$, and so the constraints should be related to
Fig. 5. Paths by preceding relation: (a) minimal delay, (b) maximal delay
the delays between $a+\,(out)$ and those two events. Next, in order to guarantee the above relation between $t_5$ and $b+\,(out)$, the maximal delay from $a+\,(out)$ to $t_5$, plus $D_6$, must be smaller than the minimal delay from $a+\,(out)$ to $b+\,(out)$. From the causal relation of $\mathcal{F}$, this is expressed as follows.
Note that bounds for $t_i$ are denoted by $[d_i, D_i]$, bounds for $a+\,(out)$ are $[d_{a+}, D_{a+}]$, and so on. In addition to the above constraint, the effect of the preceding relation should be considered. When computing the minimal delay up to $t$, suppose that there is a preceding relation $T(u) \le T(t)$ as shown in Figure 5(a). Due to this constraint, if $u$ fires late enough, the earliest firing time of $t$ is not decided by $T(x) + \mathrm{Eft}(t)$, but decided by $T(y) + \mathrm{Eft}(u)$. This means that the path shown by the dotted arrow in the figure should also be considered for the minimal delay path. Since it is difficult to check if $u$ certainly fires late enough, both paths (i.e., $x \to t$ and $y \to u \to t$) need to be considered. Similarly, for the maximal delay computation, the dotted arrow in Figure 5(b) should be considered. Hence, another constraint like
is also necessary.
5.3 Heuristics to Select Constraints
Since the algorithms shown in the previous sections obtain constraints covering all possibilities to prevent the given failure, many constraints are often generated. Thus, it is very important to select an appropriate one from them. This subsection shows simple heuristics for this purpose.
Let $v(d)$ be the value assigned to a delay $d$ by the ILP solver for the most recent verification run, and for an expression $E = d_1 + d_2 + \cdots$, let $v(E)$ be $v(d_1) + v(d_2) + \cdots$. The weight of a constraint $L < H$ is $v(L) - v(H)$, where $L$ and $H$ are expressions. The idea is that the weight of a constraint implies how much effort is necessary to satisfy the constraint based on the current delay assignment. For example, for a current delay assignment such as $v(d_1) = 10$, $v(d_2) = 50$, and $v(D_3) = 60$, it may be easier to satisfy a constraint $D_3 < d_2$ than to satisfy $D_3 < d_1$, because $d_2$ should be increased by more than 10 for the former, while $d_1$ should be increased by more than 50 for the latter. This is represented by the weights 10 and 50, respectively. Note that a constraint with negative weight is illegal, because such a constraint is supposed to be already satisfied under the current delay assignment, and it cannot prevent the given failure.
If a constraint that is too strong is selected, an inconsistency may be detected after several verification runs, and backtracking occurs. On the other hand, even if a constraint that is too weak is selected, a stronger constraint can be added later to obtain a suitable constraint set. Hence, our heuristics select a constraint with the smallest nonnegative weight. For the example shown in Section 4, the weight of constraint (2) is 55, and that of (3) is 10. Hence, if this heuristic is used, case (b) is selected first, and no backtracking occurs.
5 .4  O v e ra ll P ro c e d u re
The whole procedure th a t repeats the verification runs and adds new constraints 
is shown in Figure 6 . This procedure takes two inputs, M  and conse t. M  is 
a set of time Petri nets representing the circuit and its specification. When the procedure is called for the first time, the initial constraints for the circuit delay bounds like (1) in Section 4 are set to conset. This procedure first calls an ILP solver (line 3). Currently, we use a public domain ILP solver called lp_solve (ver 3.1a, ftp://ftp.ics.ele.tue.nl/pub/lp_solve/). An ILP solver computes an optimal integer assignment to variables for maximizing or minimizing an objective function under a given set of constraints. For delays $d_1, D_1, d_2, D_2, \ldots$, where $d_k$ is a lower bound of the delay and $D_k$ is an upper bound, our algorithm uses the following objective function $f$ and tries to maximize it.

$$f = (D_1 - 2d_1) + (D_2 - 2d_2) + \cdots$$

From our experience, the most suitable solutions, those in which the differences between lower bounds and upper bounds are large and the lower bounds are fairly small, are obtained by this objective function. stat in line 3 indicates "infeasible" if the constraint set is inconsistent. In this case, the procedure returns with "impossible" for backtracking (line 4). Otherwise, bounds contains an optimal assignment to the delay bounds. In line 5, the bounds of M are modified according to this delay assignment, and M' is obtained. This M' is used for the verification in line 6. If the verifier returns "success", this means that a set of timing constraints under which the circuit works as expected has been obtained, and so the procedure terminates (line 7). Otherwise, the verifier produces a failure trace failure. In line 8, this failure is analyzed as mentioned in the previous subsections, and a set of new timing constraints is obtained. Those timing constraints are sorted based on their weights (line 9), and each constraint con with a nonnegative weight is added to conset in this order for the recursive call of "obtain_timing_constraints" (line 11). If it returns, it means that no solution is obtained under conset ∪ {con}, and so the next constraint in new_con is tried by the foreach loop (lines 10 and 11). If every constraint causes inconsistency, the procedure returns with "impossible" for backtracking (line 12).

By selecting a constraint with a nonnegative weight, it is guaranteed that the constraint certainly reduces the space of the delay bounds. Therefore, since the earliest and latest firing times are integers, this procedure always terminates.
 1: obtain_timing_constraints(M, conset)
 2: begin
 3:   (stat, bounds) = ILP(conset);
 4:   if (stat == infeasible) then return(impossible);
 5:   M' = modify_bounds(M, bounds);
 6:   (stat, failure) = verify(M');
 7:   if (stat == success) then exit(success);
 8:   new_con = analyze_failure(failure);
 9:   new_con = sort(new_con);
10:   foreach con ∈ new_con
11:     if weight(con) ≥ 0 then obtain_timing_constraints(M, conset ∪ {con});
12:   return(impossible);
13: end

Fig. 6. Overall procedure
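To show how the steps of Fig. 6 fit together, the following added example (not the paper's or VINAS-P's code) re-creates the procedure in Python on a constructed three-gate ordering spec: the ILP call is replaced by exhaustive search over small integer bounds using the objective f above, the timed verifier by a simple ordering check, and the constraint weight is an assumed heuristic rather than the paper's.

```python
"""Toy model of obtain_timing_constraints (Fig. 6); an added example, not the
paper's code: lp_solve is replaced by exhaustive search over small integer
bounds, VINAS-P by an ordering check, and the weight heuristic is assumed."""
from itertools import product

# A constraint is (coeffs, rhs) and means sum(coeffs[v] * v) <= rhs.
GATES, MAX_DELAY = ["x", "y", "z"], 4              # constructed: bounds range 0..4
INITIAL = [({"d" + g: -1}, -1) for g in GATES]    # every lower bound d_k >= 1
CHAIN = [("x", "y"), ("y", "z")]                  # constructed spec: x before y before z

def ilp(conset):
    """Maximise f = sum(D_k - 2 d_k) over integer bounds satisfying conset."""
    names = ["d" + g for g in GATES] + ["D" + g for g in GATES]
    feasible = []
    for vals in product(range(MAX_DELAY + 1), repeat=len(names)):
        b = dict(zip(names, vals))
        if all(b["d" + g] <= b["D" + g] for g in GATES) and all(
                sum(c * b[v] for v, c in co.items()) <= rhs for co, rhs in conset):
            feasible.append(b)
    if not feasible:
        return "infeasible", None
    return "optimal", max(feasible, key=lambda b: sum(b["D" + g] - 2 * b["d" + g] for g in GATES))

def verify(bounds, spec):
    """(a, b) in spec: a must fire strictly before b; not guaranteed if D_a >= d_b."""
    for a, b in spec:
        if bounds["D" + a] >= bounds["d" + b]:
            return "failure", (a, b)
    return "success", None

def analyze_failure(failure, bounds):
    """Constraints that remove the failure; weight = integer steps it must cut."""
    a, b = failure
    gap = bounds["D" + a] - bounds["d" + b] + 1
    return [(gap, ({"D" + a: 1, "d" + b: -1}, -1))]   # D_a - d_b <= -1

def obtain_timing_constraints(spec, conset):
    stat, bounds = ilp(conset)                                    # line 3
    if stat == "infeasible":
        return "impossible", None                                 # line 4
    stat, failure = verify(bounds, spec)                          # lines 5-6
    if stat == "success":
        return "success", bounds                                  # line 7
    new_con = sorted(analyze_failure(failure, bounds), key=lambda c: -c[0])
    for weight, con in new_con:                                   # lines 9-11
        if weight >= 0:
            res = obtain_timing_constraints(spec, conset + [con])
            if res[0] == "success":
                return res                                        # exit(success)
    return "impossible", None                                     # line 12
```

On the chain spec the search needs three ILP runs and two failure analyses before the final bounds pass; a cyclic spec (x before y and y before x) makes the third constraint set inconsistent, and the backtracking returns "impossible".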
On the other hand, when the procedure terminates with "impossible", is it really impossible to eliminate the failure? If so, the procedure is called complete. In order to prove its completeness, it is necessary to show that the algorithm to find an AB-candidate covers all cases to eliminate failures, and that the constraints obtained are not unnecessarily strict. This is not yet proven formally. The selection of the objective function as well as errors in the ILP solutions certainly affect the performance (i.e., the number of backtrackings) and the quality of the results (i.e., the width of the delay bounds), but we do not believe that the completeness is affected by them.
6 Experimental Results
In order to demonstrate the proposed method, the VINAS-P verifier has been modified so that it produces a set of timing constraints for a detected failure trace. This program corresponds to lines 6 · · · 8 in Figure 6. Then, a Perl script has been developed to naively implement the rest of the procedure.

In this section, two sets of experimental results are shown. The first set of experiments has been done using some asynchronous benchmark circuits from [ ]. The second and third columns of Table 1 show the number of signals and the number of gates in each circuit. "#timed states" shows the number of timed states in the circuits with the final bounds (i.e., the circuits that pass verification). The next two columns show the number of verification runs and the number of backtracks needed to obtain the final constraint sets. The CPU times for the overall procedure are shown in the column "CPU" (all CPU times are shown in seconds). The column "CPU-[ ]" is quoted from [ ], where the experiments were done on a 450MHz 1GB Ultra SPARC60 machine. According to the authors of that paper, the data comes from a proof-of-concept prototype that is not yet optimized for run-time and thus does not incorporate many of the known speed-up techniques and optimizations for untimed analysis. In addition, the majority of the run-time is taken up in the process for optimizing constraint sets, which can be made much more efficient. Our experiments have been performed on a Pentium II 333MHz, 128MB Linux machine, and as mentioned, our current implementation is also very naive. Thus, we consider that these data demonstrate that the performance of our method based on timed analysis is at least comparable to that of their method based on untimed analysis.

Table 1. Experimental results (1)

name             #signals  #gates  #timed states  #verify  #backtracks     CPU  CPU-[ ]
alloc-outbound         15      11             85        4            0    1.36    13.08
mp-forward-pkt         13      10             57        3            0    0.93     0.89
dff                     8       6             67        6            0    1.48    27.17
sbuf-send-pkt2         17      13            113        7            0    2.69    69.97
converta               14      12             98        7            0    2.36   113.12
ram-read-sbuf          22      16            161        7            0    3.08   127.98

Table 2. Experimental results (2)

name             #signals  #gates  #timed states  #verify  #backtracks     CPU  CPU (last)
gasp4                  27      32            817        9            0    2.07        0.11
gasp8                  51      64          65147       10            0  752.17      717.77
square9                82      81           3017       11            2   21.26        2.04
If the sorting by the constraints' weights (line 9 of Figure 6) is turned off, 10 verification runs and 5 backtrackings are needed for the "alloc-outbound" circuit. This shows the effectiveness of the heuristics shown in Section 5.3.

The second set of experiments (see footnote 3) uses several GasP circuits shown in [ ] and [11]. These circuits have fairly large state spaces, but our method can handle them as shown in Table 2. Almost all CPU time is spent on the final verification of the correct circuits, as shown in the last column (CPU (last)), and the process to obtain the timing constraint sets is performed within a rather short time. These experiments have been performed on a Pentium III 1GHz, 2MB Linux machine. In these experiments, the CPU times for ILP are negligible compared with those for state space enumeration. Thus, from a performance point of view, using ILP instead of LP is not too costly.
7 Conclusion

This paper describes a new method for the derivation of timing constraints that guarantee the correctness of timed circuit implementations. This approach uses an automatic technique in which a failure trace is analyzed to find pairs of events and obtain associated new timing constraints that can eliminate the failure trace. This method has been automated around the VINAS-P tool, and our initial verification results are very promising.

In the future, we plan to develop better heuristics to avoid generating useless AB-candidates. We also plan to perform a formal analysis to show that our method is complete in that when no constraints can be found, no solution can exist.
3 The source files and results of these experiments can be downloaded from http://yoneda-www.cs.titech.ac.jp/~yoneda/tcs-data/data.tar.gz.
Acknowledgement

The authors would like to thank Peter Beerel and Hoshik Kim for helping us to understand their method and giving their latest experimental results, and to thank Bill Coates and Ian Jones for helpful comments on modeling GasP circuits.
References

1. Ivan Sutherland and Scott Fairbanks. GasP: A minimal FIFO control. In Proc. International Symposium on Advanced Research in Asynchronous Circuits and Systems, pages 46-53. IEEE Computer Society Press, March 2001.
2. http://yoneda-www.cs.titech.ac.jp/~yoneda/pub.html.
3. Tomohiro Yoneda and Hiroshi Ryu. Timed trace theoretic verification using partial order reduction. In Proc. of Fifth International Symposium on Advanced Research in Asynchronous Circuits and Systems, pages 108-121, 1999.
4. Radu Negulescu and Ad Peeters. Verification of speed-dependences in single-rail handshake circuits. In Proc. International Symposium on Advanced Research in Asynchronous Circuits and Systems, pages 159-170, 1998.
5. Hoshik Kim. Relative timing based verification of timed circuits and systems. In Proc. International Workshop on Logic Synthesis, June 1999.
6. Hoshik Kim, Peter A. Beerel, and Ken Stevens. Relative timing based verification of timed circuits and systems. In Proc. International Symposium on Advanced Research in Asynchronous Circuits and Systems, pages 115-124, 2002.
7. Marco A. Pena, Jordi Cortadella, Alex Kondratyev, and Enric Pastor. Formal verification of safety properties in timed circuits. In Proc. International Symposium on Advanced Research in Asynchronous Circuits and Systems, pages 2-11. IEEE Computer Society Press, April 2000.
8. Rajeev Alur and David Dill. Automata for modeling real-time systems. LNCS 600, Real-time: Theory in Practice, pages 45-73, 1992.
9. Marius Bozga, Oded Maler, and Stavros Tripakis. Efficient verification of timed automata using dense and discrete time semantics. In Proc. of 10th IFIP WG 10.5 Advanced Research Working Conference on Correct Hardware Design and Verification Methods, LNCS 1703, pages 125-141, 1999.
10. Marius Minea. Partial order reduction for verification of timed systems. PhD thesis, Carnegie Mellon University, 1999.
11. Jo Ebergen. Squaring the FIFO in GasP. In Proc. International Symposium on Advanced Research in Asynchronous Circuits and Systems, pages 194-205. IEEE Computer Society Press, March 2001.
