QDDC is a logic for specifying quantitative timing aspects of synchronous programs. Properties such as worst-case response time and latency (when known) can be specified elegantly in this logic and model checked. However, computing these values requires finding, by trial and error, the least/greatest value of a parameter k making a formula D(k) valid for a program. In this paper, we discuss how an automata theoretic decision procedure for QDDC together with symbolic search for shortest/longest paths can be used to compute the lengths of extremal (least/greatest length) models of a formula D. These techniques have been implemented in the DCVALID verifier for QDDC formulae. We illustrate the use of this technique by efficiently computing response and dead times of some synchronous bus arbiter circuits.
Introduction
For synchronous programs (e.g. clocked circuits), execution time is measured in terms of clock ticks, i.e. the notion of time is discrete. For many such programs, it is important to analyse quantitative timing properties such as response time and latency. Doing such quantitative analysis remains a challenging problem for the formal methods community.
1 Email: pandya@tifr.res.in
This is a preliminary version. The final version will be published in Electronic Notes in Theoretical Computer Science, URL: www.elsevier.nl/locate/entcs
Quantified Discrete-time Duration Calculus (QDDC) [12] is a highly expressive logic for specifying properties of finite sequences of states (behaviours). It is closely related to the Interval Temporal Logic of Moszkowski [11] and the Duration Calculus of Zhou et al [16] (see [12, 15, 6] for their relationship). It provides novel interval based modalities for describing behaviours. For example, the following formula holds for a behaviour σ provided that for all fragments σ' of σ which have (a) P true in the beginning, (b) Q true at the end, and (c) no occurrences of Q in between, the number of occurrences of states in σ' where R is true is at most 3.
□(⌈P⌉
Here, the □ modality ranges over all fragments of a behaviour. The operator ⌢ is like concatenation (fusion) of behaviour fragments, and ⌈¬Q⌉ states the invariance of ¬Q over the behaviour fragment. Finally, ΣR counts the number of occurrences of R within a behaviour fragment. A precise definition of the syntax and semantics of QDDC is given in Section 2.
In spite of its high expressive power, QDDC formulae can be model checked. An automata theoretic decision procedure allows converting a QDDC formula into a finite state automaton recognising precisely the models of the formula [12]. The automaton can be used as a synchronous observer for model checking the property of a synchronous program [8]. We have implemented this theory into a tool called DCVALID [12, 13] which permits model checking QDDC properties of synchronous programs written in Esterel [2], Verilog and SMV [10] notations.
Quantified Discrete-time Duration Calculus (QDDC) is a logic well suited to specifying quantitative timing properties of synchronous programs. It addresses a qualitatively different class of properties of synchronous programs from those considered earlier. Properties such as worst-case response time and latency (when known) can be specified elegantly in this logic and model checked. However, computing these values requires finding, by trial and error, the least/greatest value of a parameter k making a formula D(k) valid for a program. Such a trial-and-error technique is inherently incomplete.
In the paper, we propose the formulation of many interesting timing properties as lengths of extremal (shortest/longest) sub-executions of a system satisfying a property D written in the logic QDDC. By sub-execution we mean a finite (not necessarily initial) fragment of an execution. For example, response time can be formulated as the length of the longest sub-execution during which request ∧ ¬acknowledgement holds invariantly. Logic QDDC is well suited to specifying complex timing requirements in this fashion. We call this approach extremal model length based specification.
In the paper, we show how an automata theoretic decision procedure for QDDC together with symbolic search for shortest/longest paths can be used to compute the extremal model lengths. These techniques have been implemented in the DCVALID verifier for QDDC formulae. The implementation is built on top of the symbolic search routines for shortest/longest paths available in the NuSMV verifier.
We illustrate the use of our technique by computing response and dead times of some synchronous bus arbiter circuits using our tool DCVALID and NuSMV, with some surprising results. It is our claim that these properties are quite difficult to analyse by hand and that a system designer's intuition about them can be misleading. Hence, the availability of tools is crucial for the analysis of such properties. In the paper, we also provide an experimental comparison of the efficiency of our extremal model length computation with traditional model checking.
The rest of the paper is organised as follows. A synchronous bus arbiter circuit model is presented in the next subsection. The logic QDDC and its model checking are briefly presented in Section 2. The notion of extremal model lengths is defined in Section 3. Section 4 presents the main technique used for symbolically computing extremal model lengths. Section 5 briefly describes the implementation of this technique in our tool DCVALID. It also gives the experimental results for the timing analysis of the bus arbiter circuits. The paper ends with a discussion.
Synchronous Bus Arbiter
Example 1.1 A synchronous bus arbiter with n cells has request lines req_1, …, req_i, …, req_n and acknowledgement lines ack_1, …, ack_i, …, ack_n. At any clock cycle a subset of the request lines are high. It is the task of the arbiter to set at most one of the corresponding acknowledgement lines high. Preferably, the arbiter should be fair to all requests.
The bus arbiter circuit of Figure 1 (called MacArbV0) was analysed by McMillan [10] using the pioneering SMV verifier based on symbolic model checking. A variant, MacArbV1, of McMillan's arbiter is given in Figure 2. (The changes from the original arbiter are highlighted by dotted lines.) Both these arbiters have the property that at most one ack signal can occur at a time.
Example 1.2 We consider some quantitative timing properties of the arbiters.
• 3-cycle response time: The least number of cycles for which req_i must be held high continuously in the worst case to ensure 3 occurrences of ack_i.
• Dead time: The maximum possible number of consecutive lost cycles. A cycle is lost if at least one of the cells has its req high but all the cells have ack low, i.e. lostcycle
Quantified Discrete-Time Duration Calculus (QDDC)
Let Pvar be a finite set of propositional variables representing some observable aspects of system state. Let VAL(Pvar) ≝ Pvar → {0, 1} be the set of valuations assigning a truth-value to each variable. We shall identify behaviours with finite, nonempty sequences of valuations, i.e. VAL(Pvar)⁺.
Example 2.1 The following picture gives a behaviour over variables {p, q}. Each column vector gives a valuation, and the word is a sequence of such column vectors.
The above word satisfies the property that p holds initially and q holds at the end but nowhere before that. QDDC is a logic for formalising such properties. Each formula specifies a set of such words.
Given a non-empty finite sequence of valuations σ ∈ VAL(Pvar)⁺, we denote the satisfaction of a QDDC formula D over σ by σ |= D.
Syntax of QDDC Formulae
Let Pvar be the set of propositional variables. Let p range over propositional variables, P, Q over propositions and D, D_1, D_2 over QDDC formulae. Propositions are constructed from variables in Pvar and constants 0, 1 (denoting true, false) using boolean connectives ∧, ¬ etc. as usual. The syntax of QDDC is as follows. Let σ, i |= P denote that proposition P evaluates to true at position i in σ. We omit this obvious definition. We inductively define the satisfaction of a QDDC formula D for a behaviour σ and an interval [b, e] ∈ Intv(σ) as follows.
Entities η and ΣP are called measurements. Term η denotes the length of the interval whereas ΣP denotes the count of number of times P is true within the interval [b, e] (we treat the interval as being left-closed right-open). Formally,
Call a behaviour σ' a p-variant of σ provided #σ' = #σ and for all i ∈ dom(σ) and for all q ≠ p, we have σ'(i)(q) = σ(i)(q). Then,
Derived Constructs
We can also define some derived constructs. Boolean combinators ∨, ⇒, ⇔ can be defined using ∧, ¬ as usual.
• ⌈⌉ ≝ ⌈1⌉^0 holds for point intervals of the form [b, b].
• ⌈P⌉ ≝ (⌈⌈P⌉⌉ ⌢ ⌈P⌉^0) states that proposition P holds invariantly over the extended closed interval [b, e] including the endpoint. Formula ⌈P⌉⁺ ≝ (⌈P⌉ ∨ ⌈P⌉^0) additionally also holds for point intervals where P is true.
• ◇D ≝ true ⌢ D ⌢ true holds provided D holds for some subinterval.
• □D ≝ ¬◇¬D holds provided D holds for all subintervals.
Decidability of QDDC
The following theorem characterises the sets of models of a QDDC formula. Let pvar(D) be the finite set of propositional variables occurring within a QDDC formula D. Let VAL(Pvar) = Pvar → {0, 1} be the set of valuations over Pvar as before.
Corollary 2.3 Satisfiability (validity) of QDDC formulae is decidable.
DCVALID
The reduction from formulae of QDDC to finite state automata as outlined in Theorem 2.2 has been implemented in a tool called DCVALID [12], which also checks for the validity of formulae as in Corollary 2.3. This tool is built on top of MONA [9]. MONA is a sophisticated and efficient BDD-based implementation of the automata-theoretic decision procedure for monadic logic over finite words.
An associated tool, called CTLDC [13], translates the automaton into an Esterel, SMV or Verilog module to give a synchronous observer [8] for the property. Using this, DCVALID can model check whether M |= D where M is an Esterel, SMV or Verilog program and D is a QDDC formula [13].
Example 2.4 [Arbiter Specification] We formalise the timing properties of the arbiters from Example 1.2 in QDDC.
• 3-cycle response time: The minimum k such that the following is valid for the arbiter.
• Dead time: The minimum k such that the following is valid for the arbiter.
Note that traditional model checking can verify a property D(k) for a given constant k. In this paper, we propose some techniques which can compute the extremal values of k. Moreover, these techniques are experimentally shown to be effective in solving problems like the dead and response times of the arbiters. The techniques have been built into our model checking tool DCVALID.
Extremal Model Lengths
Definition 3.1 A transition system M = (S, R, L, S_0) consists of a set of states S, a set of initial states S_0 ⊆ S, a transition relation R ⊆ S × S and a labelling function L : S → VAL(Pvar). Here, Pvar is the set of observable propositions. Let M_1 × M_2 denote the synchronous product of transition systems M_1 and M_2, as usual. It captures the parallel execution of the two transition systems running in synchronous (lock-step) parallel fashion.
An execution of M is a (finite or infinite) sequence of states starting with an element of S_0 where every pair of consecutive states satisfies (s_i, s_{i+1}) ∈ R. A behaviour is a complete execution which is either infinite or ends in a state which has no R successor. Let Beh(M) denote the set of behaviours of M. Let ω denote the set of natural numbers and ∅ the empty set. Let N ⊆ ω. Then max N denotes the least upper bound of N and min N denotes the greatest lower bound of N. Some special cases of these functions are outlined below. Let max ∅ = 0 and max ω = ∞. Let min ∅ = ∞ and min ω = 0.
The elements of subexec(M ) will be called sub-executions. They denote finite fragments of the executions of M . 
Many quantitative features of interest can be specified using the constructs MAXLEN and MINLEN .
Example 3.4 For the arbiters of Example 1.1, we can elegantly formalise the response and dead-time (see Example 2.4) using MAXLEN as follows.
• 3-cycle response time is given by MAXLEN(⌈req⌉⁺ ∧ (Σack = 2 ⌢ ⌈ack⌉^0), Arbiter). The 3-cycle response time is given by the length of the longest sub-execution of Arbiter where req is invariantly true, with two occurrences of ack in between followed by ack at the end.
• Dead-time is given by MAXLEN(⌈lostcycle⌉⁺, Arbiter). The dead-time is given by the length of the longest sub-execution of Arbiter with lostcycle invariantly true.
Computing the Lengths of Extremal Models
In this section, we propose techniques for computing MAXLEN (D, M ) and MINLEN (D, M ) using symbolic search.
Symbolic Search for Longest/Shortest Paths
Campos et al have investigated BDD based symbolic techniques for finding lengths of shortest/longest subsequences within the executions of M satisfying some simple conditions [3], [4]. We give a brief overview of their results.
(Recall that fragments of executions of M are called sub-executions.) Consider a transition system M = (S, S_0, R, L). Let
Then, source ; dest denotes the set of all sub-executions of M which begin in a state from source and end in a state from dest. Also, source ← within denotes the set of all sub-executions of M which begin with a state from source and contain only states from the set within. Campos et al [3] have defined two algorithms (functions) called MAXDELAY and MINDELAY for computing maximum/minimum delay. These have been implemented in the model checking tool NuSMV [5]. The function MINDELAY[source, dest, M] returns the step length (i.e. number of edges) of the shortest sub-execution within source ; dest. If source ; dest is empty then the algorithm returns the value ∞. The function MAXDELAY[source, within] in M returns the length (i.e. number of nodes) of the longest sub-execution in source ← within. If there are sub-executions of unboundedly many lengths then the algorithm returns the value ∞. In case the set source ← within is empty the algorithm returns the value 0. Formally, we have the following theorem.
We now address the problem of finding the length of the longest sub-execution of M which starts with a state in source and ends with a state in dest. Consider a maximal (i.e. one which cannot be extended to another element) sub-execution σ in source ← ¬dest. Then, either σ ends in a state without any successor, or for all s ∈ S, if σ.s ∈ subexec(M) then s ∈ dest. Hence, computing MAXDELAY[source, ¬dest] does not give the correct answer.
Recall that CTL logic formula EF dest denotes the set of states of M from which there exists a path to a state in dest. Now, consider source ← EF dest. Let σ be a maximal sub-execution in it. Then, σ begins with a state from source and ends with a state from dest. Hence, we have the following theorem.
Thus, MAXDELAY[source, EF dest, M] gives the length of the longest sub-execution of M which starts with a state in source and ends with a state in dest. If there are executions of unbounded lengths of this form, the algorithm gives the value ∞. If there is no such sub-execution (i.e. the set start ← EF finish is empty) then the algorithm gives the value 0.
Computing Extremal Model Lengths of QDDC Formulae
Let M = (S, S_0, R, L) be a transition system. Let m_0 be a fresh propositional variable (not in the image of L) and let AnyOnce(m_0) be a transition system which nondeterministically sets m_0 to true for at most one position in each of its executions. The SMV code for such a transition system is given in Figure 3.
Let D be a QDDC formula. By Theorem 2.2, we have a finite state automaton A(D) which precisely accepts the models of D. We can use A(D) as a synchronous observer for D and run it in synchronous (lockstep) parallel with M, giving the transition system M × A(D). Let end be a fresh propositional variable and (using the labelling function for A(D)) define end to be true exactly when A(D) is in its final state. In the following, we use
Consider any sub-execution σ of M which starts with m_0 true and finishes with end. Then, it is obvious that σ |=_L D. Hence, MINDELAY[m_0, end, M] gives the length of the shortest sub-execution of M satisfying D. Formally,
Theorem 4.3 Let M be as in Equation (1). Then,
We omit the formal proof of this theorem.
Consider the product transition system M in Equation (1). Let endpref be a new propositional letter which is true exactly when the observer automaton A(D) is in a state from which it is possible for M to reach a final state of A(D). Thus, define endpref ⇔ (EF end) where end is as before.
Consider a sub-execution of M which begins with m 0 true and which has endpref true throughout. Then, a maximal sub-execution of this form will be one where D holds. Hence, using Theorem 4.2 we have the following result.
Theorem 4.4 Let M be as in Equation (1) and let endpref ⇔ EF end. Then,
We omit the formal proof of this theorem.
These reductions have been implemented in the tool DCVALID, which takes as input an SMV module for the system M as well as the specifications consisting of MINLEN(D, M) and MAXLEN(D, M) computation commands. It produces a transformed SMV module corresponding to the transformed system M as defined in Equation (1). It also produces the transformed MINDELAY and MAXDELAY computation specifications as in Theorems 4.3 and 4.4. We call this reduction observer generation. Next, the generated SMV specification is given to the NuSMV tool to perform the required MINDELAY and MAXDELAY computations by symbolic search. We shall call this step delay time computation. The required answers are obtained at the end of this step. We now give some experimental results obtained using this tool.
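As an added illustration (not code from the paper, DCVALID or NuSMV), the following Python script carries out the reductions of Theorems 4.2 to 4.4 explicitly rather than symbolically, and reproduces on a toy system the kind of answer reported for MacArbV1: a dead time of ∞ caused by a cycle of lost cycles, next to a finite 3-cycle response time. It assumes a constructed two-cell round-robin arbiter in place of the MacArb circuits, observer automata for ⌈lostcycle⌉⁺ and ⌈req⌉⁺ ∧ (Σack = 2 ⌢ ⌈ack⌉^0) written by hand instead of generated from QDDC, restarting the observer at every state in place of the AnyOnce(m_0) product, and breadth-first / longest-path searches with cycle detection in place of the BDD-based NuSMV routines.

```python
INF = float("inf")
# Constructed toy 2-cell round-robin arbiter (NOT the paper's MacArbV0/V1): a state is
# (token, req1, req2); the token alternates each cycle, requests are free inputs, and
# cell i is acknowledged iff it requests while holding the token.
STATES = [(t, r1, r2) for t in (1, 2) for r1 in (0, 1) for r2 in (0, 1)]
succ = lambda s: [(3 - s[0], r1, r2) for r1 in (0, 1) for r2 in (0, 1)]
def label(s):
    t, r1, r2 = s
    ack1, ack2 = bool(r1 and t == 1), bool(r2 and t == 2)
    return {"req1": bool(r1), "ack1": ack1, "lostcycle": bool(r1 or r2) and not (ack1 or ack2)}

# Hand-written observer automata (q0, step, finals); DCVALID would generate them from the
# QDDC formulae via MONA.  Dead time, D = <lostcycle>+ : stay "ok" while lostcycle holds.
def dead_step(q, lbl):
    return "ok" if q == "ok" and lbl["lostcycle"] else "dead"
DEAD_TIME = ("ok", dead_step, {"ok"})
# 3-cycle response of cell 1, D = <req1>+ and ((Sum ack1 = 2) chop <ack1>^0):
# q counts the ack1 occurrences strictly before the end point, "F" is the final state.
def resp_step(q, lbl):
    if q in ("F", "dead") or not lbl["req1"]:
        return "dead"
    return ("F" if q == 2 else q + 1) if lbl["ack1"] else q
RESPONSE = (0, resp_step, {"F"})

def product_graph(observer):
    """Reachable part of M x A(D); node (s, q) has q = observer state after reading L(s).
    Restarting the observer at every state plays the role of m_0 (the AnyOnce product)."""
    q0, step, finals = observer
    source = {(s, step(q0, label(s))) for s in STATES}
    edges, todo = {}, list(source)
    while todo:
        n = todo.pop()
        if n not in edges:
            edges[n] = [(s2, step(n[1], label(s2))) for s2 in succ(n[0])]
            todo.extend(edges[n])
    return edges, source, {n for n in edges if n[1] in finals}

def ef(edges, target):                # CTL EF target: nodes from which target is reachable
    seen, new = set(target), set(target)
    while new:
        new = {n for n, out in edges.items() if n not in seen and any(m in seen for m in out)}
        seen |= new
    return seen

def mindelay(edges, source, dest):    # edges on a shortest source->dest path, INF if none
    layer, seen, steps = set(source), set(source), 0
    while layer:
        if layer & dest:
            return steps
        layer = {m for n in layer for m in edges[n] if m not in seen}
        seen |= layer
        steps += 1
    return INF

class Unbounded(Exception): pass
def maxdelay(edges, source, within):
    """Nodes on a longest path from source staying inside within; INF on a cycle, 0 if none."""
    best = {}                         # None marks a node that is still on the DFS stack
    def longest(n):
        if n in best:
            if best[n] is None:
                raise Unbounded
            return best[n]
        best[n] = None
        best[n] = 1 + max((longest(m) for m in edges[n] if m in within), default=0)
        return best[n]
    try:
        return max((longest(n) for n in source if n in within), default=0)
    except Unbounded:
        return INF

def extremal_lengths(observer):       # Theorems 4.3/4.4: (MINDELAY[m_0, end], MAXDELAY[m_0, EF end])
    edges, source, end = product_graph(observer)
    return mindelay(edges, source, end), maxdelay(edges, source, ef(edges, end))
```

On the toy arbiter, extremal_lengths(RESPONSE) returns (4, 6) (edges for MINDELAY, nodes for MAXDELAY, as in Section 4) and extremal_lengths(DEAD_TIME) returns (0, ∞), the latter because a lost cycle can follow a lost cycle forever.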
Experimental Results
We consider the n-cell synchronous bus arbiters MacArbV0 and MacArbV1 from Example 1.1 with their response time and dead time specifications as extremal model lengths as given in Example 3.4. The exact input to our tool DCVALID as well as the transformed SMV code produced by the tool can be found in the full version of the paper.
In Figure 4, we summarise the computation results obtained for the two 5-cell arbiters, namely MacArbV0 and MacArbV1. In particular, these show that the dead-time for the 5-cell arbiter MacArbV1 is ∞. Thus, surprisingly, the arbiter MacArbV1 can lose unboundedly many consecutive cycles. Note that this result is impossible to obtain using traditional model checking.
We compare the performance of the timing analysis of the arbiter circuits using (a) the extremal model length computation technique, and (b) traditional model checking of the specification given in Example 2.4. In both cases, first the observers (automata) are generated from QDDC formulae and then symbolic search is carried out. Hence, to measure performance, we give a pair of execution times in seconds. Let ↑n denote that the execution does not finish within n seconds, let ↓ denote failed execution due to resource overrun (e.g. memory), and let * denote the absence of an experiment.
The arbiter MacArbV0 from Figure
Discussion
Many interesting properties of discrete time systems such as response time and latency can be conveniently specified as finding the extremal (least/greatest) value of a parameter k making a parameterised QDDC formula D(k) valid over the system M. Here, QDDC is a rich interval temporal logic which incorporates features (called durations) to count the number of occurrences of events within an interval.
To characterise such properties, in the paper we have proposed constructs (terms) MAXLEN (D, M ) and MINLEN (D, M ). It is easy to see from their definitions that they capture extremal solutions of the following parameterised QDDC specifications:
In the paper, we have also proposed a technique to compute the values of these terms MAXLEN and MINLEN. The technique makes use of the automata theoretic decision procedure for the logic QDDC [12] and the symbolic search technique (called Delay computation) for shortest/longest paths in M between specified sets of states start and end [3]. The technique has been implemented in the model checker DCVALID for checking QDDC properties of SMV programs.
Note that traditional "yes/no" model checking can verify a property D(k) for a given constant k. However, finding extremal values of k requires trial-and-error with different values of k. Such a method is inherently incomplete and can only be partially successful. If D(k) is unsatisfiable for all k, the trial-and-error method of finding the minimum k will not terminate. Moreover, trial-and-error cannot determine the maximal k in general. At best, if the property is downward closed w.r.t. k (i.e. D(k) ⇒ ⋀_{j<k} D(j)) and we find the least k s.t. D(k + 1) is violated, then we can claim to have found the maximal k. If there are unboundedly many k satisfying D(k), again the trial-and-error method will not terminate. By contrast, our MAXLEN and MINLEN computation algorithms always give the answer. While the worst case theoretical complexity is high (non-elementary [12]), in practice the technique seems to be reasonably efficient as illustrated by our experiments.
In the paper, we have presented the results of experiments with our tool DCVALID to compute properties like 3-cycle response time and dead-time for circuits such as 20 to 200 cell bus-arbiters. Using the MAXLEN computation method, we managed to establish for the first time that the arbiter MacArbV1 can lose unboundedly many cycles in sequence.
Our experiments show that response time calculation using extremal model length computation can be orders of magnitude faster than traditional model checking of a given response time value. In fact, the performance results tabulated in Section 5 show that traditional model checking is unable to handle problems like response and dead-time for circuits larger than 5-10 cells. By comparison, the extremal model length computation technique seems to work for circuits with over 200 cells. This trend is also borne out by some preliminary experiments with other problems like job shop scheduling. Thus, we believe that the technique proposed in this paper represents a useful advance in our ability to carry out timing analysis. Even dense-time systems can be analysed using these techniques by first digitizing them and then carrying out a discrete time analysis of their timing properties (see [6]).
Related Work and Comparison
Parameterised temporal logics have been studied by many researchers [7, 1] and the question of finding optimal parameters has also been looked at [1] . These techniques rely on checking D(k) for some values of k up to some (typically large) theoretical bound m based on the model and the formula sizes. By contrast, the techniques based on symbolic search for the shortest/longest paths in M seem to be much more efficient in practice.
In their pioneering work, Campos et al first formulated the DELAY algorithms for symbolically computing the lengths of the shortest/longest paths within a transition system M between two specified sets of states, source and dest [3]. Campos, Clarke and Grumberg extended this by additionally specifying an LTL formula which must hold for the interval between start and dest [4]. The model checker NuSMV allows specification of the sets source and dest by CTL formulae [5].
In this paper, we have generalised the method of Campos et al to compute the lengths of extremal sub-executions satisfying a formula of the logic QDDC. Note that the 3-cycle response time specification of our logic (Example 3.4) cannot be specified purely using the original MAXDELAY construct, and our extension is needed. Because of its ability to count events, logic QDDC can elegantly specify complex transactions and schedulability constraints. Hence we envisage that our techniques will be useful in analysing timing problems related to schedulability and planning.
&& !(e1.ackout || e2.ackout || e3.ackout || e4.ackout || e5.ackout ) ; req := e4.Request ; ack := e4.ackout ; .
B.1 Arbiter Module
This model of a synchronous arbiter, originally due to McMillan [10], is distributed with the NuSMV tool [5].
