Verification of Timed Circuits with Failure Directed Abstractions*
Hao Zheng†, Chris J. Myers, David Walter, Scott Little, and Tomohiro Yoneda‡
University of Utah
Salt Lake City, UT 84112
{hao,myers,dwalter,little}@vlsigroup.ece.utah.edu, yoneda@nii.ac.jp
Abstract
This paper presents a method to address state explosion in timed circuit verification by using abstraction directed by the failure model. This method allows us to decompose the verification problem into a set of subproblems, each of which proves that a specific failure condition does not occur. To each subproblem, abstraction is applied using safe transformations to reduce the complexity of verification. The abstraction preserves all essential behaviors conservatively for the specific failure model in the concrete description. Therefore, no violations of the given failure model are missed when only the abstract description is analyzed. An algorithm is also shown to examine the abstract error trace to either find a concrete error trace or report that it is a false negative. This paper presents results using the proposed failure directed abstractions as applied to two large timed circuit designs.
1. Introduction
Timed circuits are defined to be any circuits that are aggressively optimized using timing assumptions such that their correctness is dependent on these assumptions. Utilizing timing assumptions can produce circuits with a significant improvement in speed, as demonstrated by their use in a gigahertz research microprocessor (guTS) at IBM [12] and by the RAPPID instruction length decoder designed at Intel [24]. The correctness of these new timed circuit styles is highly dependent upon their timing assumptions. Therefore, extensive timing verification is necessary during the design process.
State explosion is a serious challenge for state space exploration based verification approaches. Many methods exist to address the state explosion problem. Symbolic model checking [4] represents the state space implicitly using Binary Decision Diagrams (BDDs), and is able to handle systems with substantially increased sizes. Applying decision diagrams to timing verification has also been successful [3, 20, 16]. Since interleavings among the concurrent events are the main source of state explosion, a number of techniques have been proposed to reduce the number of interleavings to be explored using partial orders [27, 8]. There has also been some success in adapting these methods to timing verification [2, 29]. While both BDDs and partial orders allow the verification of larger systems, many practical timed circuits are still too large to be efficiently analyzed using these techniques alone.
* This research is supported by SRC contract 2002-TJ-1024, NSF Japan Program award INT-0087281, and JSPS Joint Research Projects.
† Hao Zheng is with IBM Microelectronics in Burlington, VT.
‡ Tomohiro Yoneda is with the National Institute of Informatics in Tokyo, Japan.
Compositional reasoning and abstraction are essential to verifying large systems. Compositional verification based on assume-guarantee style reasoning explores the inherent modular structure in systems [19, 14, 9, 11, 17], and it has been applied to the verification of timed circuits [26]. Compositional verification makes assumptions about the environment with which the system interacts, then checks these assumptions later. These assumptions are typically generated by hand. Therefore, if the system has complex interactions with its environment, it can be difficult to make accurate assumptions. Abstraction produces the reduced model of a system by abstracting away certain details that are unnecessary when reasoning about the system [5, 6]. In [1], hand abstractions are used for the verification of timed synchronous domino circuits in the guTS design [12]. In both cases, the assumptions and abstractions are generated by hand, making these techniques difficult to apply except by an expert user. In [13], a hierarchical approach similar to that in [7] is presented. In this approach, an abstraction for each module in a system is found and verification is applied to the composition of those abstractions. In [15], a constraint oriented proof methodology is applied to verify infinite systems. Constraints on infinite systems are broken into an infinite number of simple constraints on finite systems, then these constraints are grouped into finite equivalence classes. However, this methodology is not complete in that the reduction of infinite systems is not guaranteed. In [10], a software model checking method utilizing lazy abstraction is presented to improve performance by adding information during abstraction refinement only when necessary. It would be interesting to see if this method can be adapted to hardware verification.
Proceedings of the 21st International Conference on Computer Design (ICCD'03), 1063-6404/03 $17.00 © 2003 IEEE
A method that combines compositional reasoning and abstraction to reduce the cost of timing verification is presented in [30]. By utilizing the inherent modular structure in hardware designs, each module in a design is verified individually. Before verification, information in the environment that is irrelevant to reasoning about the module being verified is abstracted away. Then, that module is verified with its abstracted environment. While this work has been shown to verify larger circuits, it cannot be applied to flat designs or ones where the size of individual modules is beyond the capacity of the timing verification tool. In these cases, the module must first be decomposed by hand into smaller submodules.
This paper addresses this problem by dividing the verification problem as directed by the failure model rather than the module interface boundaries. Timing verification is utilized to show that several different failure conditions cannot arise. This paper proposes to decompose the verification problem into several subproblems in which each of the failure conditions is checked individually. In this form of problem decomposition, any information in a model irrelevant to a given failure condition is a candidate for abstraction. As shown later in the paper, each failure condition in our model involves only a very small amount of information, which allows abstraction to produce a substantial reduction in the size of the verification problem. This work extends the method in [30] to allow for abstraction independent of the hierarchical structure of the design. In other words, the method can now be applied to flat designs or designs which include large modules. This is desirable in that it eliminates the requirement of functionally unnatural partitioning for the underlying timing verification tool and the time spent in searching for such a partition. It also avoids errors incurred during decomposition. The decomposition and abstraction method described in this paper is proven to never produce a false positive verification result. Although the method can produce a false negative result, this paper describes an algorithm that examines the abstract error trace either to determine a concrete error trace or report that the result is a false negative. Finally, this paper demonstrates the effectiveness of this method by its application to two large-scale timed circuit designs.
2. Timed Petri-Nets
Our method uses timed Petri nets [23] to specify timed circuit behaviors. Let $W$ be a finite set of wires in a timed circuit. The timed behavior of a circuit is modeled as sequences of rising and falling transitions on $W$. For any $w \in W$, $w+$ is a rising transition and $w-$ is a falling transition on the wire $w$. In the following definitions, let $\mathbb{Q}^+$ and $\mathbb{R}^+$ denote the sets of non-negative rational and non-negative real numbers, respectively. A $W$-labeled one-safe timed Petri net (TPN) is a directed bipartite digraph described by the tuple $N = (T, P, F, M_0, l, u, C, L)$ where $T$ is the set of transitions; $P$ is the set of places; $F \subseteq (T \times P) \cup (P \times T)$ is the flow relation; $M_0 \subseteq P$ is the initial marking; $l : P \to \mathbb{Q}^+$ is the lower timing bound function; $u : P \to \mathbb{Q}^+ \cup \{\infty\}$ is the upper timing bound function; $C \subseteq P$ is the set of constraint places; and $L : T \to (W \times \{+, -\})$ is the labeling function.
A transistor diagram for a self-resetting AND gate with specific timing information and a TPN representing its behavior and that of its environment are shown in Figure 1(a). A self-resetting AND gate receives a pulse on inputs i1 and i2 and generates a pulse on output u. Intuitively, the TPN shows that i1 and i2 go high after 11 to 14 time units. After 3 to 4 more time units, u goes high. Also, after 8 to 10 time units, i1 and i2 go low. The internal signal x goes low 8 to 10 time units after u goes high. This in turn resets a 1 to 2 time units later, which sets x high after 1 to 2 more time units, returning the circuit to its initial state.
The self-resetting AND gate is correct if it satisfies the following requirements: (1) hold time: the signal u must go high 1 time unit before either i1 or i2 goes low; (2) short circuit: the signal x must not go low until 1 time unit after both i1 and i2 have gone low, and i1 and i2 must not go high again until 1 time unit after x has gone high. Constraint places are used to specify these types of ordering and timing requirements between transitions. The constraint places marked with a 'C' in Figure 1(b) are used to check the above requirements. For example, the hold time requirement is checked using constraint places in the postset of u+.
The remainder of this section describes the formal semantics of TPNs in more detail. The state of a Petri net is a marking, $M$, which is the set of places that hold tokens. With every transition $t \in T$, its associated preset is $\bullet t = \{p \in P \mid (p, t) \in F\}$. The place-set of a transition is the restriction of places in its preset to ordinary (not constraint) places, i.e., $P(t) = \bullet t - C$. For a transition $t \in T$, its associated postset is $t\bullet = \{p \in P \mid (t, p) \in F\}$. Note that the preset and postset for places are defined in a similar manner. A transition is enabled in $M$ if $P(t) \subseteq M$. The set of transitions enabled in $M$ is denoted by $X(M)$. Our method requires correct nets to be one-safe (i.e., each place is allowed to contain no more than one token).¹
The state of a TPN is a pair $(M, D)$ where $M$ is the current marking and $D : P \to \mathbb{R}^+$ is a clock assignment function assigning non-negative reals to places. For every place $p$, the value $D(p)$ is the value of a clock associated with $p$ denoting its age. There are two operations on clocks: advance and reset. For some non-negative real number $d \in \mathbb{R}^+$, $D + d$ advances the clock for every $p \in P$ to the value $D(p) + d$. For some subset of places $P' \subseteq P$, $[P' \mapsto 0]D$ resets the clock for every place in $P'$ to zero and agrees with $D$ for every place in $P - P'$. The initial clock assignment, $D_0$, is defined such that every clock is zero. The initial state of a TPN is the pair $(M_0, D_0)$.
¹ As described later, our analysis method checks for violations of the one-safe property during analysis, and when such a violation is detected a failure is reported and analysis ceases.
Figure 1. (a) TPN for a self-resetting AND gate, (b) TPN including timing constraints.
The state of a TPN can change by firing a transition or advancing time. To fire a transition, $t$, at $(M, D)$, in addition to $t$ being enabled, $D$ must satisfy the timing constraints in $l$ and $u$. A transition is time-enabled if it is enabled and: (1) the clock for each place in its place-set is above its lower bound (i.e., $\forall p \in P(t)\,.\,D(p) \geq l(p)$); and (2) there exists a clock for a place in its place-set that is below its upper bound (i.e., $\exists p' \in P(t)\,.\,D(p') \leq u(p')$). Firing a time-enabled transition, $t$, from $(M, D)$ creates the new state $(M', D')$, denoted by $(M, D)[t\rangle(M', D')$, where $M' = (M - \bullet t) \cup t\bullet$ and $D' = [t\bullet \mapsto 0]D$.
The state of a TPN can also change by advancing time. Advancing time only affects the clock assignment function in the state pair. Advancing time by a delay $d \in \mathbb{R}^+$ in $(M, D)$ creates a new state $(M, D')$, denoted by $(M, D)[d\rangle(M, D')$, where $D' = D + d$. Time is not allowed to advance beyond the point where it would disable a time-enabled transition. The maximum delay advancement, $d_{\max} \in \mathbb{R}^+$, at state $(M, D)$ is
$$d_{\max}(M, D) = \min_{t \in X(M)} \left( \max_{p \in P(t)} \big( u(p) - D(p) \big) \right)$$
After advancing time by the maximum delay, a transition either remains not time-enabled, becomes time-enabled, or is already time-enabled and remains so.
This paper uses trace theory to define semantics for TPNs. Trace theory has been used for the verification of both speed-independent [7] and timed circuits [29]. Given a TPN $N$, a trace of $N$ is a sequence of transition-time pairs, $(t_i, \tau_i)$. The time, $\tau_i$, is an absolute time stamp for $t_i$. The trace $((t_1, \tau_1), \ldots, (t_n, \tau_n))$ is a valid trace if there exists a sequence of states $(s_0, s_1, \ldots, s_n)$ such that for $1 \leq i \leq n$, each $s_i = (M_i, D_i)$ and $d_i = \tau_i - \tau_{i-1}$ (note $\tau_0 = 0$),
1. $0 \leq d_i \leq d_{\max}(s_{i-1})$;
2. $(M_{i-1}, D_{i-1})[d_i\rangle(M_{i-1}, D')$;
3. $t_i$ is time-enabled in $(M_{i-1}, D')$; and
4. $(M_{i-1}, D')[t_i\rangle(M_i, D_i)$.
The set of all possible valid traces for a TPN $N$ starting from the initial state $(M_0, D_0)$ is denoted by $\mathcal{P}(N)$.
The delete function, $\mathrm{del}(\mathcal{D})(x)$, removes all transition-time pairs of a trace $x = (e_1, e_2, \ldots)$ whose transitions are in $\mathcal{D}$. More formally, if $x \neq \epsilon$ (i.e., the empty trace), then
$$\mathrm{del}(\mathcal{D})(x) = \begin{cases} (e_1, y) & \text{if } t_1 \notin \mathcal{D} \\ y & \text{if } t_1 \in \mathcal{D} \end{cases}$$
where $y = \mathrm{del}(\mathcal{D})(e_2, e_3, \ldots)$ and $e_i = (t_i, \tau_i)$. If $x = \epsilon$, then $\mathrm{del}(\mathcal{D})(x) = \epsilon$. This function is extended naturally to sets of traces.
The set of valid traces in a TPN is divided into those that are successes and those that are failures. There are three types of failures that are considered in this paper: safety, complement, and constraint failures. A valid trace is a safety failure if in firing the trace the marking update tries to add to the new marking a place that already exists in the current marking. The one-safe requirement of TPNs is common for timed state space exploration algorithms. An unsafe net (i.e., one that is not one-safe) typically indicates a problem with the design. Note that this definition of safety is on the reachable state space, so while the TPN may not be structurally safe in an untimed sense, a failure is only reported when a marking is actually reached that violates the safety property. A valid trace is a complement failure on wire $w$ if there exist two rising (falling) transitions on $w$ without a falling (rising) transition in between. Complement failures are also a common modeling error, typically caused by the designer while creating the circuit description when the set and reset phase of a signal are similar. A valid trace is a constraint failure if it contains a transition or time progress that could not have occurred if constraint places are taken into account in the definition of enabledness. Constraints are used to indicate required ordering and timing relationships, and they are the key tool for describing necessary properties of a circuit such as hold time, short circuit avoidance, etc. There are three failure conditions for constraints. First, a transition having a constraint place in its preset is taken while the constraint place is not marked or has not been marked long enough. This indicates either a desired ordering of signals that is violated, or a minimum time separation between signals that does not hold. The second part of the definition indicates when a token stays in a constraint place beyond its upper bound. This is used to set maximum time separations between transitions. The third part states the condition when a circuit deadlocks while a constraint place is marked. It is used to check that a desired behavior occurs before the circuit deadlocks.
In our method, the function $\mathrm{fail}(N, W', C')$ is introduced to take a TPN $N$, a set of wires $W'$, and a set of constraint places $C'$, and returns the subset of $\mathcal{P}(N)$ whose traces are either safety failures, complement failures on $W'$, or constraint failures involving places in $C'$. In other words, a valid trace $((t_1, \tau_1), \ldots, (t_n, \tau_n))$ is returned by $\mathrm{fail}(N, W', C')$ if for its corresponding state sequence $(s_0, s_1, \ldots, s_n)$ one of the following conditions is true:
1. Safety failure: there exist $s_{i-1} = (M_{i-1}, D_{i-1})$ and a pair $(t_i, \tau_i)$ where $(M_{i-1} - \bullet t_i) \cap t_i\bullet \neq \emptyset$.
2. Complement failure: there exist a $w \in W'$ and pairs $(t_i, \tau_i)$ and $(t_k, \tau_k)$ such that the following is true:
(a) $i < k$;
(b) $(L(t_i) = L(t_k) = w+) \vee (L(t_i) = L(t_k) = w-)$;
(c) for all $j$ with $i < j < k$: $(L(t_i) = w+ \Rightarrow L(t_j) \neq w-) \wedge (L(t_i) = w- \Rightarrow L(t_j) \neq w+)$.
3. Constraint failure: there exist a $c \in C'$, $s_{i-1} = (M_{i-1}, D_{i-1})$ and $d_i = \tau_i - \tau_{i-1}$, such that one of the three following conditions holds:
(a) $c \in \bullet t_i \wedge ((c \notin M_{i-1}) \vee (D_{i-1}(c) + d_i < l(c)))$;
(b) $c \in M_{i-1} \wedge D_{i-1}(c) + d_i > u(c)$; or
(c) $X(M_i) = \emptyset \wedge c \in M_i$.
3. Failure Directed Abstraction
A timed circuit description is defined to be correct if $\mathrm{fail}(N, W, C) = \emptyset$. This section presents an approach to proving $\mathrm{fail}(N, W, C) = \emptyset$ by showing that:
1. $\mathrm{fail}(N, \emptyset, \emptyset) = \emptyset$,
2. $\forall w \in W\,.\,\mathrm{fail}(N, \{w\}, \emptyset) = \emptyset$, and
3. $\forall c \in C\,.\,\mathrm{fail}(N, \emptyset, \{c\}) = \emptyset$.
Now, instead of one verification run, our method performs $1 + |W| + |C|$ runs. Note that $\mathrm{fail}(N, \emptyset, \emptyset)$ checks safety properties explicitly, but when $|W| + |C| \geq 1$, this does not need to be done as a separate step since it is checked implicitly during the other checks.
At this point, each run is nearly as complex as the original run, but for each subproblem, not all transitions in $N$ are required to determine if failure traces exist. Therefore, in the second step, our method constructs a set of transitions that can be safely abstracted based on the given failure definition. The function $\mathcal{D}(N, W', C')$ takes a set of wires ($W' \subseteq W$) and a set of constraint places ($C' \subseteq C$), and it returns the following set:
$$\{t \in T \mid (\forall w \in W'\,.\,L(t) \neq w+ \wedge L(t) \neq w-) \wedge (\forall c \in C'\,.\,c \notin \bullet t \cup t\bullet)\}$$
Finally, the third step of our method is to apply safe transformations to the net to remove these transitions and the related places, whenever possible. A transformation, $\pi_i(N)$, returns a new net $N'$, and it is defined to be safe when the TPN resulting from this transformation satisfies the following two properties:
$$\mathcal{P}(N') \supseteq \mathrm{del}(T - T')(\mathcal{P}(N))$$
$$\mathrm{fail}(N', \emptyset, \emptyset) \supseteq \mathrm{del}(T - T')(\mathrm{fail}(N, \emptyset, \emptyset))$$
where $T'$ is the set of transitions in $N'$. In other words, a net produced by a safe transformation produces a superset of the timed traces produced by the original TPN when any abstracted transitions are deleted from these traces, and the transformation does not hide a safety failure of the net. As shown in the following lemma, the application of a sequence of safe transformations is also a safe transformation.
Lemma 3.1 If $\pi_i(N)$ and $\pi_j(N)$ are safe transformations, then so is $\pi_j(\pi_i(N))$.
Proof: Assume $N' = \pi_i(N)$ and $N'' = \pi_j(N')$. From the definition of safe transformation, we have:
$$\mathcal{P}(N') \supseteq \mathrm{del}(T - T')(\mathcal{P}(N))$$
$$\mathcal{P}(N'') \supseteq \mathrm{del}(T' - T'')(\mathcal{P}(N'))$$
Combining these two equations, we get:
$$\mathcal{P}(N'') \supseteq \mathrm{del}(T' - T'')(\mathrm{del}(T - T')(\mathcal{P}(N))) = \mathrm{del}(T - T'')(\mathcal{P}(N))$$
This proves the first half of the definition of safe transformation. The second half (i.e., $\mathrm{fail}(N'', \emptyset, \emptyset) \supseteq \mathrm{del}(T - T'')(\mathrm{fail}(N, \emptyset, \emptyset))$) is proven similarly. ∎
We define a function $\mathrm{abs}(N, W', C')$ that takes a TPN $N$, a set of wires $W'$, and a set of constraint places $C'$, and applies a sequence of safe transformations to remove, when possible, transitions in $\mathcal{D}(N, W', C')$ from $N$ to obtain a new TPN $N'$. The safe transformations used are restricted such that $T - T' \subseteq \mathcal{D}(N, W', C')$ and for all $c \in C'$, $c$ is in the initial marking of the new net, $M_0'$, if and only if $c$ is in the initial marking of the original net, $M_0$. The result after applying this function to a net is typically a net that is substantially simpler and thus results in a much smaller state space. The main theorem can now be presented.
Theorem 3.1 Let $N$ be a TPN. $\mathrm{fail}(N, W, C) = \emptyset$ if the following three conditions are true:
1. $\mathrm{fail}(\mathrm{abs}(N, \emptyset, \emptyset), \emptyset, \emptyset) = \emptyset$,
2. $\forall w \in W\,.\,\mathrm{fail}(\mathrm{abs}(N, \{w\}, \emptyset), \{w\}, \emptyset) = \emptyset$,
3. $\forall c \in C\,.\,\mathrm{fail}(\mathrm{abs}(N, \emptyset, \{c\}), \emptyset, \{c\}) = \emptyset$.
Proof: We break up this proof into three cases.
Case 1: (safety failures) Assume there is a trace $x$ that causes a safety failure in $N$, and that $N'$ is the TPN returned by the function $\mathrm{abs}(N, \emptyset, \emptyset)$. Since $x \in \mathrm{fail}(N, \emptyset, \emptyset)$, there must also exist a trace $y \in \mathrm{del}(T - T')(\mathrm{fail}(N, \emptyset, \emptyset))$. We know that $y$ must also be in $\mathrm{fail}(N', \emptyset, \emptyset)$ since safe transformations are required not to hide safety violations. Therefore, a safety failure is detected on the abstracted net.
Case 2: (complement failures) Assume there is a trace $x$ that causes a complement failure on signal $w$ in $N$, and that $N'$ is the TPN returned by the function $\mathrm{abs}(N, \{w\}, \emptyset)$. Since $x \in \mathcal{P}(N)$, there must also exist a trace $y \in \mathrm{del}(T - T')(\mathcal{P}(N))$. We know that $y$ must also be in $\mathcal{P}(N')$ since safe transformations do not hide any timed traces. From the definition of complement failure, there exist two transitions $t_i$ and $t_k$ on signal $w$ that create the complement failure. In fact, only transitions on $w$ are required to show if a trace is or is not a complement failure. By the definition of abs, the trace $y$ must include all transitions on signal $w$ in trace $x$ with some additional transitions from $\mathcal{D}(N, \{w\}, \emptyset)$ which could not be abstracted. Since a complement failure is detected by only examining those transitions on signal $w$ and $x$ is a complement failure, $y$ is also a complement failure because removing transitions not on $w$ does not change whether a trace is a complement failure or not.
Case 3: (constraint failures) Assume there is a trace $x$ that causes a constraint failure on constraint place $c$ in $N$, and that $N'$ is the TPN returned by the function $\mathrm{abs}(N, \emptyset, \{c\})$. Since $x \in \mathcal{P}(N)$, there must also exist a trace $y \in \mathrm{del}(T - T')(\mathcal{P}(N))$. This trace consists of all transitions in $\bullet c \cup c\bullet$ plus some additional transitions from $\mathcal{D}(N, \emptyset, \{c\})$ which could not be abstracted. Traces $x$ and $y$ agree on the timing of all transitions in $\bullet c \cup c\bullet$. There are three reasons that trace $x$ is a constraint failure (cases 3(a), 3(b), and 3(c) shown above). For case 3(a), since all transitions in $\bullet c$ are preserved, as is the initial marking of $c$, the value of the predicate $c \notin M_{i-1}$ is preserved at the time of firing $t_i$ (a transition which is also preserved). The value of $D_{i-1}(c)$ is also preserved for this reason. Therefore, if trace $x$ violates 3(a), so does trace $y$. If trace $x$ violates case 3(b), this means a transition from $\bullet c$ fired to put a token into $c$, then either a transition in $c\bullet$ fired but fired too late (in this case it is preserved in $y$, so it is okay) or a transition outside $\bullet c \cup c\bullet$ fired to cause the failure. In this case, that transition is not necessarily preserved in $y$. However, either there exists another transition in $y$ that causes the upper bound violation, or if the trace is finite and ends with no transitions being enabled, $y$ is a failure due to case 3(c). In either case, the failure is found by examining $y$. Finally, case 3(c) is preserved from $x$ to $y$ as in both the trace ends with no enabled transitions and the constraint place in the marking.
Therefore, if there exists a failure trace in the concrete description, it is found by an analysis of one of the abstract descriptions. ∎
In the rest of this section, we discuss the safe transformations that can be used in the third step of the above method. Murata and others [21] present several transformations on untimed Petri nets that preserve the safety properties of the original net. We have extended these transformations and developed others for TPNs [30]. Two example safe transformations are shown in Figures 2 and 3. If our method is working on a net $N$ and finds a portion of the net that resembles that shown in Figure 2(a) and $t$ can be abstracted, it can transform it to a new net $N'$ in which $t$ has been removed as shown in Figure 2(b), in which the timing bounds have been combined as shown to preserve the timing behavior. Note that although shown with only two places in the preset of $t$, this transformation is valid for any number of places in the preset of $t$ as long as there is only one place in the postset of $t$. While the places in the preset of $t$ can have any number of transitions in their presets, they must only have transition $t$ in their postset (i.e., $(\bullet t)\bullet = \{t\}$). Similarly, the place in the postset of $t$ can have any number of transitions in its postset, but it must only have transition $t$ in its preset (i.e., $\bullet(t\bullet) = \{t\}$). In a similar fashion, if transition $t$ has only a single place in its preset and satisfies similar restrictions, it can again be removed as shown in Figure 3. The application of these transformations is quite efficient. Most have complexity that is linear in the size of the net while some
Figure 2. Safe transformation 1.
Figure 3. Safe transformation 2. (a) original net; (b) transformed net, with combined bounds [l1+l2, u1+u2] and [l1+l3, u1+u3] on the places leading to t3 and t4.
The TPN to check for safety failures in our self-resetting AND gate example after applying safe transformations is shown in Figure 4. A timing analysis of this net shows that i2+ fires after 19 to 24 time units, followed by u+ after 3 to 4 time units, which enables i2+ to fire again after another 19 to 24 time units. Notice that the self-loop on u+ is never constraining. This shows how close the original TPN is to having a safety failure. If the maximum delay on any transition on signal a or x is increased by one time unit, there is a safety failure. Note that the complement failures on signals i2 and a are ignored during the safety failure check verification run. The decomposition method described in this paper would verify this example using 11 verification runs, which is clearly overkill for such a small example. For large examples such as the RAPPID example described later, the substantial net reductions possible are quite beneficial to improving overall verification time.
The verification method just described is conservative in that false negatives are possible though false positives never result. Consider again the transformation shown in Figure 3. In this case, the summing of the timing bounds as shown in the figure may actually result in new timed traces. For example, in the new net, the trace $((t_1, 0), (t_2, l_1 + l_2), (t_4, u_1 + u_3))$ is possible, while this is not possible in the original net. It does, however, produce all the timed traces of the original net, so it is a safe transformation. If this extra timing introduces new timed traces and one of those introduced traces causes a failure, this failure is a false negative. Therefore, when an error trace is reported from an analysis of the abstracted net, it is not known whether this is a real error trace or a false one. Also, it is difficult for a designer to analyze the error trace to find the problem as it only includes the transitions which have not been abstracted.
To address both of these problems, this paper introduces the algorithm shown in Figure 5. This algorithm uses the abstract error trace to perform a guided simulation of the original TPN to find a concrete error trace. This is done by attempting to fire transitions from the abstract error trace, and when one of these transitions is not fireable, it examines the TPN to determine an abstracted transition to fire that contributes toward the enabling of the next transition in the abstract error trace. In general, multiple such transitions may exist and the algorithm may need to explore multiple paths to find a valid concrete error trace. When no concrete error trace can be found, it is reported that the abstract error trace is false. In this case, abstraction is performed again without using transformations such as the one shown in Figure 3 that are known to add timed traces. While in the worst case this can result in a flat verification, we have not seen this happen in practice.
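The Section 2 semantics (time-enabledness, firing, $d_{\max}$), the safety and complement failure checks, and the guided simulation of Figure 5 just described, as one added Python example that is neither the paper's nor ATACS's code. The net, the abstract traces, the recursion in place of Figure 5's explicit stack, the backward-closure reading of necessary_set, and the choice of firing an abstracted transition at its earliest enabling time are constructed assumptions; constraint places are left out, so $P(t)$ is simply the preset.

```python
# Added example (not ATACS code): a minimal TPN simulator with the Section 2 semantics
# (time-enabledness, firing, d_max), the safety and complement failure checks, and a
# recursive form of the guided simulation of Figure 5. Constraint places are left out.
INF = float("inf")

class TPN:
    """places: name -> (lower, upper or None); trans: name -> (label, preset, postset)."""
    def __init__(self, places, trans, m0):
        self.places, self.trans, self.m0 = places, trans, frozenset(m0)

    def initial_state(self):                 # (M0, D0): every clock at zero
        return self.m0, {p: 0 for p in self.places}

    def upper(self, p):
        u = self.places[p][1]
        return INF if u is None else u

    def time_enabled(self, t, m, d):
        _, pre, _ = self.trans[t]
        return (pre <= m and all(d[p] >= self.places[p][0] for p in pre)
                and any(d[p] <= self.upper(p) for p in pre))

    def dmax(self, m, d):                    # largest delay that disables no time-enabled transition
        return min((max(self.upper(p) - d[p] for p in pre)
                    for _, pre, _ in self.trans.values() if pre <= m), default=INF)

    def advance(self, d, delay):             # D + d
        return {p: c + delay for p, c in d.items()}

    def fire(self, t, m, d):
        """Returns (M', D', safe); safe is False on a one-safe violation (safety failure)."""
        _, pre, post = self.trans[t]
        rest = m - pre
        return rest | post, {p: (0 if p in post else c) for p, c in d.items()}, not (rest & post)

def complement_failure(net, trace, wire):
    """Two rising (or two falling) transitions on wire with no opposite edge in between."""
    last = None
    for t, _ in trace:
        label = net.trans[t][0]
        if label[:-1] == wire:
            if label[-1] == last:
                return True
            last = label[-1]
    return False

def necessary_set(net, t, m, abstracted):
    """Enabled abstracted transitions working toward marking t's preset (backward closure)."""
    wanted = set(net.trans[t][1] - m)
    frontier = list(wanted)
    while frontier:
        p = frontier.pop()
        for t2 in abstracted:
            if p in net.trans[t2][2]:
                for q in net.trans[t2][1] - m - wanted:
                    wanted.add(q)
                    frontier.append(q)
    return sorted(t2 for t2 in abstracted if net.trans[t2][2] & wanted and net.trans[t2][1] <= m)

def find_concrete_trace(net, abstracted, abstract_trace, budget=None):
    """Replay abstract_trace (list of (transition, absolute time)) on the concrete net, firing an
    abstracted transition at its earliest time when the next abstract one is not fireable and
    backtracking over the choices. Returns a concrete trace or None (false negative)."""
    budget = budget or len(abstract_trace) + 4 * len(net.trans)   # bounds the search in cyclic nets

    def go(m, d, now, i, out):
        if i == len(abstract_trace):
            return out
        if len(out) >= budget:
            return None
        t, tau = abstract_trace[i]
        delay = tau - now
        if 0 <= delay <= net.dmax(m, d) and net.time_enabled(t, m, net.advance(d, delay)):
            m2, d2, _ = net.fire(t, m, net.advance(d, delay))
            return go(m2, d2, tau, i + 1, out + [(t, tau)])
        for t2 in necessary_set(net, t, m, abstracted):
            earliest = max([net.places[p][0] - d[p] for p in net.trans[t2][1]] + [0])
            if earliest <= net.dmax(m, d) and now + earliest <= tau:
                m2, d2, _ = net.fire(t2, m, net.advance(d, earliest))
                found = go(m2, d2, now + earliest, i, out + [(t2, now + earliest)])
                if found is not None:
                    return found
        return None

    m0, d0 = net.initial_state()
    return go(m0, d0, 0, 0, [])

# Constructed net: a+, b+, a-, b- in sequence, each step taking 1 to 2 time units.
NET = TPN(places={"p0": (1, 2), "p1": (1, 2), "p2": (1, 2), "p3": (1, 2), "p4": (0, None)},
          trans={"t1": ("a+", frozenset({"p0"}), frozenset({"p1"})),
                 "t2": ("b+", frozenset({"p1"}), frozenset({"p2"})),
                 "t3": ("a-", frozenset({"p2"}), frozenset({"p3"})),
                 "t4": ("b-", frozenset({"p3"}), frozenset({"p4"}))},
          m0={"p0"})
ABSTRACTED = {"t1", "t3"}   # D(N, {b}, {}): every transition not on wire b
```

With the transitions on wire a abstracted, the abstract trace ((t2, 3), (t4, 5)) is replayed by inserting t1 at time 1 and t3 at time 4, giving the concrete trace ((t1, 1), (t2, 3), (t3, 4), (t4, 5)); the abstract trace ((t2, 1)) cannot be realised, because t1 needs at least one time unit and t2 at least one more, so the search returns None and the trace is reported as a false negative.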
4. Experimental Results
We have incorporated the method described in this paper into the compiler front-end of the ATACS tool [22]. This tool also includes the modular verification method from [30]. In the following experiments, the flat, modular, and failure directed approaches use the same explicit-state reachability analysis engine and parameter settings [18]. This section describes the application of our method to two large examples, and the results are shown in Table 1.
The first is Intel's RAPPID circuit which is a fully asynchronous instruction-length decoder for the Pentium II 32-bit MMX instruction set [24]. In this instruction set, each instruction can be from 1 to 15 bytes long, depending on a large number of factors. In order to allow concurrent execution of instructions, it is necessary to rapidly determine the positions of each instruction in a cache line. Instruction-length decoding was a critical performance bottleneck in the Pentium II architecture at the time when RAPPID was being designed. The RAPPID circuit is shown to perform three times faster while using half the power of the comparable synchronous design. This performance improvement is due in large part to the highly timed nature of the circuits in this design. Therefore, the correctness of this design is highly dependent on timing parameters. The block diagram for the portion of the RAPPID design that we verified is depicted in Figure 6. The TPN description of the RAPPID circuit has 115 transitions on 49 signal wires. Flat analysis runs out of memory after two hours on a 650 MHz Pentium III with 576 megabytes of memory (the stack depth was in excess of 33,000 entries and climbing, indicating that it had a long way to go). The modular approach [30] decomposes the verification problem into 10 subproblems, one for each module shown in Figure 6. The total verification time is 6.2 minutes for all 10 verification runs. The largest module is IR which takes 5.2 minutes to explore 20,120 timed states using 76 MB of memory. Our failure model directed approach presented in this paper decomposes the verification problem into 50 subproblems to check for safety, complement, and constraint failures. The total verification time is 2.2 minutes for all 50 verification runs. The largest verification run is for checking complement failures on the signal TagOut4 which takes 3.2 seconds to explore 234 timed states using 11 MB of memory.

Table 1. Verification results. Flat: timed states, memory and time of the flat analysis; modular [30]: timed states and memory of the largest module, total time; failure directed: timed states and memory of the largest run, total time. Memory in MB, time in minutes; n/a marks the flat module to which the modular approach cannot be applied.

Design   Flat states   Flat memory   Flat time   Modular states   Modular memory   Modular time   FD states   FD memory   FD time
RAPPID   >160,000      >576          >130        20,120           76               6.2            234         11          2.2
TITAC2   >226,000      >576          >360        n/a              n/a              n/a            120         30          23

find_concrete_trace(N, D, x)
  s = (M0, D0)
  (t, τ) = head(x)
  x = tail(x)
  x' = ε
  do
    if ((t, τ) is time-enabled in s) then
      (t', τ') = (t, τ)
      (t, τ) = head(x)
      x = tail(x)
    else
      E = necessary_set(t, s) ∩ D
      if (E = ∅) then
        if (stack not empty) then
          pop(s, x, x', E)
        else return false negative
      (t', τ') = choose_one(E)
      E = E − {(t', τ')}
      if (E ≠ ∅) then push(s, x, x', E)
    s = fire((t', τ'), s)
    x' = (x', (t', τ'))
  while (x is not empty)
  return x'
Figure 5. Algorithm to find concrete trace.
Figure 6. Block diagram for RAPPID circuit.
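The following is an added example (not the paper's code) of the find_concrete_trace procedure of Figure 5 run on a small constructed Petri net. It drops the timing component (no τ, no time-enabling), assumes that necessary_set(t, s) is the set of enabled transitions in V whose output marks an empty input place of t, saves t on the backtracking stack along with s, x, x' and E, and finishes once the last abstract transition has been fired; the abstracted transitions grant and bump and the trace walked below are constructed for illustration.

```python
"""find_concrete_trace (Figure 5) on an untimed Petri net.  Added example, not
the paper's code: timing is dropped, and necessary_set(t, s) is assumed to be
the enabled transitions in V whose output marks an empty input place of t."""
from collections import Counter
# Constructed net, name -> (input places, output places).  'grant' and 'bump'
# are the transitions the abstraction removed (V), so they never appear in x.
NET = {
    "req":   ({"idle"}, {"wait"}),
    "ack":   ({"wait", "busy"}, {"done"}),
    "reset": ({"done"}, {"idle", "free"}),
    "grant": ({"free"}, {"busy"}),   # hidden: the right way to obtain 'busy'
    "bump":  ({"wait"}, {"busy"}),   # hidden: marks 'busy' but consumes 'wait'
}
V = {"grant", "bump"}
M0 = Counter({"idle": 1, "free": 1})

def enabled(t, s):
    return all(s[p] > 0 for p in NET[t][0])

def fire(t, s):
    s = Counter(s)
    for p in NET[t][0]: s[p] -= 1
    for p in NET[t][1]: s[p] += 1
    return s

def necessary_set(t, s):
    missing = {p for p in NET[t][0] if s[p] == 0}
    return {u for u in V if enabled(u, s) and NET[u][1] & missing}

def find_concrete_trace(m0, abstract_trace):
    """Concrete trace reproducing abstract_trace, or None (false negative)."""
    s, x, x_out, stack = Counter(m0), list(abstract_trace), [], []
    t = x.pop(0)                          # next abstract step to reproduce
    while t is not None:
        if enabled(t, s):
            chosen, t = t, (x.pop(0) if x else None)
        else:
            E = necessary_set(t, s)
            while not E:                  # dead end: back to the last choice
                if not stack:
                    return None           # nothing left to try: false negative
                s, x, x_out, t, E = stack.pop()
            chosen = min(E)               # deterministic choose_one
            E = E - {chosen}
            if E:                         # save the alternatives (push)
                stack.append((s, list(x), x_out, t, E))
        s = fire(chosen, s)
        x_out = x_out + [chosen]
    return x_out
```

On the trace req, ack, reset the search first tries bump, runs into a dead end, backtracks and completes the trace with grant; the trace ack alone cannot be reproduced from M0 and is reported as a false negative.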
Our second example is the line fetch module of TITAC2's instruction cache
system [25], which is represented using a TPN with 156 transitions derived from
a high-level specification [28]. Verification of this one module did not
complete after running for 4 hours and exploring more than 226,000 timed
states. This example is a single flat module, so the modular approach cannot be
used. The failure model approach decomposes the verification of this module
into 62 verification runs, each with less than 120 timed states, with a total
verification time of 23 minutes.
5. Conclusions and Future Work
This paper describes a new method to deal with state explosion by decomposing
the timing verification problem as directed by the given failure model. This
decomposition allows for a significant reduction in the size of the model for
each subproblem using an automatic abstraction method based on safe
transformations. It no longer requires that a design be properly partitioned
for successful verification. This method has been applied to two large timed
circuit designs, including one that could not previously be verified. Overall,
this method scales very well in that the size of each individual verification
problem is only dependent on the complexity associated with a single signal or
a single constraint place. This new method can also be built on top of any
reachability analysis algorithm for timed Petri nets, and benefit from any
improvements in the underlying analysis algorithm. In particular, our
preliminary analysis has shown that combining abstraction with a partial order
based analysis technique can bring even further improvements.
References
[1] W. Belluomini and C. J. Myers. Timed circuit verification using TEL
structures. IEEE Transactions on Computer-Aided Design, 20(1):129-146,
Jan. 2001.
[2] J. Bengtsson, B. Jonsson, J. Lilius, and W. Yi. Partial order reductions
for timed systems. In International Conference on Concurrency Theory, pages
485-500, 1998.
[3] M. Bozga, O. Maler, A. Pnueli, and S. Yovine. Some progress in the
symbolic verification of timed automata. In Proc. Int. Conf. on Computer Aided
Verification, 1997.
[4] J. R. Burch, E. M. Clarke, D. E. Long, K. L. McMillan, and D. L. Dill.
Symbolic model checking for sequential circuit verification. IEEE Transactions
on Computer-Aided Design, pages 401-424, April 1994.
[5] E. Clarke, O. Grumberg, and D. Long. Model checking and abstraction. ACM
Transactions on Programming Languages and Systems, 16(5):1512-1542, 1994.
[6] D. Dams, R. Gerth, and O. Grumberg. Abstract interpretation of reactive
systems. ACM Transactions on Programming Languages and Systems, 19(2):253-291,
1997.
[7] D. L. Dill. Trace Theory for Automatic Hierarchical Verification of
Speed-Independent Circuits. ACM Distinguished Dissertations. MIT Press, 1989.
[8] P. Godefroid. Using partial orders to improve automatic verification
methods. In International Conference on Computer-Aided Verification, pages
176-185, June 1990.
[9] O. Grumberg and D. Long. Model checking and modular verification. ACM
Transactions on Programming Languages and Systems, 16:843-872, 1994.
[10] T. A. Henzinger, R. Jhala, R. Majumdar, and G. Sutre. Lazy abstraction.
In The 29th Symposium on Principles of Programming Languages, pages 58-70,
Jan. 2002.
[11] T. A. Henzinger, S. Qadeer, and S. K. Rajamani. You assume, we guarantee:
Methodology and case studies. In Proc.
Int. Conf. on Computer Aided Verification, pages 440-451. Springer-Verlag,
1998.
[12] H. P. Hofstee, S. H. Dhong, D. Meltzer, K. J. Nowka, J. A. Silberman,
J. L. Burns, S. D. Posluszny, and O. Takahashi. Designing for a gigahertz.
IEEE Micro, May-June 1998.
[13] H. E. Jensen, K. G. Larsen, and A. Skou. Scaling up Uppaal: Automatic
verification of real-time systems using compositionality and abstraction. In
FTRTFT, pages 19-30, 2000.
[14] C. Jones. Tentative steps toward a development method for interfering
programs. ACM TOPLAS, 5(4):596-619, 1983.
[15] K. Larsen, B. Steffen, and C. Weise. A constraint oriented proof
methodology. In Formal Systems Verification, volume 1169 of LNCS, pages
405-435. Springer-Verlag, Nov. 1996.
[16] K. G. Larsen, C. Weise, Y. Wang, and J. Pearson. Clock difference
diagrams. Nordic Journal of Computing, 6(3):271-298, 1999.
[17] K. L. McMillan. A methodology for hardware verification using
compositional model checking. Technical report, Cadence Berkeley Labs, 1999.
[18] E. Mercer, C. Myers, and T. Yoneda. Improved POSET timing analysis in
timed Petri nets. In The 10th Workshop on Synthesis and System Integration of
Mixed Tech., Oct. 2001.
[19] J. Misra and K. M. Chandy. Proofs of networks of processes. IEEE Trans.
on Software Eng., SE-7(4):417-426, 1981.
[20] J. Møller, J. Lichtenberg, H. R. Andersen, and H. Hulgaard. Difference
decision diagrams. In Computer Science Logic, The IT University of Copenhagen,
Denmark, Sept. 1999.
[21] T. Murata. Petri nets: Properties, analysis, and applications.
Proceedings of the IEEE, 77(4):541-580, 1989.
[22] C. J. Myers, W. Belluomini, K. Killpack, E. Mercer, E. Peskin, and
H. Zheng. Timed circuits: A new paradigm for high-speed design. In Proc. of
Asia and South Pacific Design Automation Conference, pages 335-340, Feb. 2001.
[23] C. Ramchandani. Analysis of asynchronous concurrent systems by timed
Petri nets. Technical Report Project MAC Tech. Rep. 120, MIT, Feb. 1974.
[24] K. S. Stevens, S. Rotem, R. Ginosar, P. Beerel, C. J. Myers, K. Y. Yun,
R. Kol, C. Dike, and M. Roncken. An asynchronous instruction length decoder.
IEEE Journal of Solid-State Circuits, 36(2):217-228, Feb. 2001.
[25] A. Takamura, M. Kuwako, M. Imai, T. Fujii, M. Ozawa, I. Fukasaku,
Y. Ueno, and T. Nanya. TITAC-2: An asynchronous 32-bit microprocessor based
on scalable-delay-insensitive model. In Proc. International Conf. Computer
Design (ICCD), pages 288-294, Oct. 1997.
[26] S. Tasiran and R. K. Brayton. STARI: A case study in compositional and
hierarchical timing verification. In Proc. Int. Conf. on Computer Aided
Verification, 1997.
[27] A. Valmari. A stubborn attack on state explosion. In International
Conference on Computer-Aided Verification, pages 176-185, June 1990.
[28] T. Yoneda and C. Myers. Synthesizing timed circuits from high level
specification languages. NII Technical Report, NII-2003-003E, 2003.
[29] T. Yoneda and H. Ryu. Timed trace theoretic verification using partial
order reduction. In Proc. Int. Sym. on Asynchronous Circuits and Systems,
pages 108-121, Apr. 1999.
[30] H. Zheng, E. Mercer, and C. J. Myers. Modular verification of timed
circuits using automatic abstraction. IEEE Transactions on Computer-Aided
Design, 22(9), Sept. 2003.