Abstract. This paper presents a methodology for the verification of speed-independent asynchronous circuits against a Petri net specification. The technique is based on symbolic reachability analysis, modeling both the specification and the gate-level network behavior by means of boolean functions. These functions are efficiently handled by using Binary Decision Diagrams. Algorithms for verifying the correctness of designs, as well as several circuit properties, are proposed. Finally, the applicability of our verification method has been proven by checking the correctness of different benchmarks.
Introduction
During these last few years, asynchronous circuits have gained interest due to their promising advantages, such as local synchronization, elimination of the clock skew problem, faster and less power-consuming circuits, and a high degree of modularity. However, the concurrent nature of asynchronous circuits makes them difficult to design because all transitions must be taken into account and hazards (voltage glitches) avoided. To solve this problem, several automatic synthesis techniques based on process-algebra models such as CSP [18], on event-based models such as Petri nets [29, 15], or techniques based on state graphs [1] have been proposed.
The inherent concurrence of asynchronous circuits also makes them difficult to verify. When the circuit components are switching concurrently, the number of execution paths can be very large because of the variation of the component delays. Thus, a proper circuit behavior must be assured for all the possible execution paths. Since the number of possible executions may be exponential in the number of components, it is desirable to automate the verification process; otherwise designers would probably be unable to face the problem.
The verification of asynchronous circuits has been studied by several authors with different approaches. When using theorem proving [9], the asynchronous system and the specification are modeled in an appropriate logic and a proof is built that the circuit implies the specification. Although this is a flexible and powerful approach, the procedure is difficult to automate and might require demonstrating a great number of theorems, which makes this methodology inefficient in practice, even for designers with good mathematical skills. The following approaches are included in what has been called model checking, i.e. a description of the circuit (often complex) is checked to determine whether or not it satisfies the specification of the circuit (usually expressed with some simple formalism). Model checking was originally introduced in [5, 25]. The original method consisted in building the state graph and verifying properties of the system by using temporal logic. A common problem when using the state graph is the state explosion problem, i.e. the number of states grows exponentially with the size of the system. Burch et al. [3] proposed using Binary Decision Diagrams (BDDs) [2] to represent the state graph, introducing symbolic model checking, which is much more efficient than the previous approach. Other authors modeled circuit and specification as separate automata that interact with each other. In [13], language containment techniques are proposed to verify that the language generated by the circuit is included in the language of the specification. Later, the same author proposed homomorphic reductions to simplify the problem [14]. Trace theory [28, 7] has been used to keep the history of the system. Then, properties of the system can be verified on the state graph by using temporal logic. More recently, [20] has modeled both circuit and specification as Petri nets [22], mitigating the state explosion problem by means of Petri net unfolding.
Similarly, [10] also represents circuit and specification as Petri nets, but the states are represented with BDDs and temporal logic is used to check some properties. Finally, other authors [11] proposed using Change Diagrams, a formalism that can easily express or-causality, and verify the semi-modularity of the circuits. In our approach, we model the specification of the circuit as an interpreted Petri net. This Petri net implicitly expresses both the expected behavior of the circuit and the way the environment reacts to the events generated by the circuit. Commonly, the Petri net will be a Signal Transition Graph (STG) [26, 4], since transitions are usually interpreted as signal switches. However, the specification can also have internal transitions with different and more abstract meanings. The isomorphism between sets of markings and boolean algebras presented in [24] is used to represent the Petri net by using boolean functions. The circuit is described as a gate-level network, where each component implements a logic function. The model assumed for the circuit is the unbounded gate delay model, i.e. the delay of the gates is unbounded but finite. The circuits that work properly under this model are called speed-independent circuits. An example of a closed environment-circuit system is depicted in Fig. 1 (note that 1-input 1-output places are not explicitly drawn, and their tokens are placed on the arcs). Since the whole system can be described by using boolean functions, we can use powerful BDD techniques to efficiently represent the circuit, the environment and the set of reachable states of the system.
The verification methodology is based on the reachability analysis of the closed system formed by a circuit and its environment. We propose an algorithm for symbolic traversal that can detect whether or not the circuit conforms to the specification [7]. We also provide means to give a sequence of events from the initial state up to the failure one. This trace can help designers to debug their circuits and find out those situations that produce an undesired behavior. In addition we propose algorithms to verify properties of the system, such as circuit deadlock or semi-modularity.
The paper is organized as follows. In Sect. 2 the isomorphism between boolean functions and sets of markings of a Petri net is presented. Section 3 explains how the gates of a circuit are represented by means of boolean excitation functions. Section 4 presents the composition of the environment with the circuit, and the conditions to detect errors in the circuit implementation. Section 5 describes the algorithms for symbolic reachability analysis and error diagnosis. Section 6 illustrates how properties of the environment and the circuit can be verified. As application examples, several speed-independent circuits are verified in Sect. 7. Finally some conclusions are presented in Sect. 8.

If $M_P$ is the set of all markings of a safe Petri net with $n$ places ($n = |P|$, $|M_P| = 2^n$), the system $(2^{M_P}, \cup, \cap, \emptyset, M_P)$ is the boolean algebra of sets of markings. This system is isomorphic to the boolean algebra of $n$-variable logic functions; therefore there is a one-to-one correspondence between markings of $M_P$ and vertices of $B^n$ [10, 24], with $B = \{0, 1\}$. For simplicity we have only considered safe Petri nets, although $k$-bounded Petri nets (i.e. places can have up to $k$ tokens) can be modeled similarly by representing unsafe places by several boolean variables.
We use $p_i$ both to denote a place in $P$ and the variable in the boolean algebra of $n$-variable logic functions. A marking of $N$ can be represented by a subset $m \subseteq P$, where $p_i \in m$ denotes that $p_i$ is marked. A marking $m \in M_P$ is represented by means of an encoding function $E : M_P \to B^n$, where the image of $m$ is encoded into a vertex $(p_1, \ldots, p_n) \in B^n$ such that:

$$p_i = \begin{cases} 1 & \text{if } p_i \in m \\ 0 & \text{if } p_i \notin m \end{cases}$$

As an example, the marking $m = \{p_1, p_3\}$ in Fig. 2

The representation and manipulation of boolean functions are efficiently handled by Binary Decision Diagrams [2].
The structure of a Petri net defines a set of firing rules that determine the behavior of the net. We define the transition function of a transition as a function $\delta_N : 2^{M_P} \times T \to 2^{M_P}$ that transforms, for each transition, a set of markings $M_1$ into a new set of markings $M_2$ as follows:
This concept is equivalent to the one-step reachability in Petri nets, also called image computation when using functions.
Image computation for transitions can be efficiently implemented by using the topological information of the Petri net. First of all, we present the characteristic functions of some important sets related to a transition $t \in T$:

Given the above characteristic functions, the image computation for transitions is reduced to calculating:
Thus, given a set of markings $M$, $\delta_N(M, t)$ calculates all the markings that can be reached from $M$ by firing only transition $t$.
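As an added illustration of the encoding $E$ and the per-transition image computation described above (example code written for this page, not the paper's tool; it also exercises the backward transition function of Sect. 5 and the safeness condition of Sect. 6), the following Python keeps sets of markings as sets of bit vectors instead of BDDs. The net, its places and its initial marking are constructed here and are not the net of Fig. 2.

```python
"""Sets of markings of a safe Petri net as bit vectors; image computation per transition."""
# Constructed example net (not Fig. 2 of the paper): a fork, a join and a closing cycle.
PLACES = ["p1", "p2", "p3", "p4", "p5"]
IDX = {p: i for i, p in enumerate(PLACES)}

def encode(marked):
    """E(m): the vertex of B^n whose bit i is 1 iff place p_i is marked."""
    return sum(1 << IDX[p] for p in marked)

def decode(vec):
    """Inverse of E: the set of marked places of a vertex."""
    return frozenset(p for p in PLACES if vec >> IDX[p] & 1)

# A transition is (pre-set •t, post-set t•), each as a bit vector over the places.
T = {
    "t1": (encode({"p1"}), encode({"p2", "p3"})),   # fork: p1 -> p2 || p3
    "t2": (encode({"p2"}), encode({"p4"})),
    "t3": (encode({"p3", "p4"}), encode({"p5"})),   # join
    "t4": (encode({"p5"}), encode({"p1"})),         # close the cycle
}

def enabled_set(M, t):
    """Characteristic set of 'enabled' restricted to M: every place of •t is marked."""
    pre, _ = T[t]
    return {m for m in M if m & pre == pre}

def image(M, t):
    """delta_N(M, t): markings reached from M by firing t once (remove •t, add t•)."""
    pre, post = T[t]
    return {(m & ~pre) | post for m in enabled_set(M, t)}

def pre_image(M, t):
    """Backward transition function (Sect. 5): the same rule with the arcs of t reversed."""
    pre, post = T[t]
    return {(m & ~post) | pre for m in M if m & post == post}

def reachable(M0):
    """Fixed point of the image computation over all transitions (BFS over sets)."""
    reached, frontier = set(M0), set(M0)
    while frontier:
        new = set()
        for t in T:
            new |= image(frontier, t)
        frontier = new - reached
        reached |= frontier
    return reached

def unsafe_firings(M):
    """Safeness violation (Sect. 6): an enabled t would put a second token into a place
    of t• that is not also in •t (a self-loop)."""
    return {(m, t) for t in T for m in enabled_set(M, t) if m & T[t][1] & ~T[t][0]}
```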
As an example, we will show how the transition $t_1$ in Fig. 2

Modeling Speed-Independent Circuits
In clocked digital systems, the state is determined by the value of the so-called state variables. The order of the transitions along the combinational logic is not relevant, and the only restriction is that those transitions must occur within the clock period. In contrast, all the transitions in an asynchronous circuit have a meaning, and therefore hazards, i.e. undesired or spurious signal transitions, must be avoided. Since all possible execution paths have to be explored to detect possible hazards, the state of an asynchronous circuit depends on all the signals.
We model a particular class of asynchronous circuits, speed-independent circuits, which operate correctly regardless of the delays of their components. In this type of circuit, the next state depends only on the present state, since once a gate is excited, that gate will eventually switch. Henceforth we denote by $S$ the set of signals of a circuit. This set is divided into three subsets, $S_I$, $S_O$ and $S_H$, which respectively denote input, output and internal (or hidden) signals.
The states of a speed-independent circuit can be represented by boolean functions, with one boolean variable for each signal. We use $s_i$ interchangeably to denote the circuit signal and the variable that represents that signal. The set of all possible states of a circuit with the set of signals $S$ is denoted as $C_S$. The state of a circuit with $v$ signals ($v = |S|$, $|C_S| = 2^v$) is determined by the value of its signals, and that state can be represented by a minterm of a $v$-variable logic function. That minterm is the characteristic function of a state of the circuit. Sets of states can be represented as the disjunction of the minterms representing those states.
Gate switching is also simulated with boolean functions. Let us assume a gate that implements the function $f_{s_k}$ and has $s_1, \ldots, s_j$ as inputs and $s_k$ as output.
For combinational gates $f_{s_k}$ depends only on the inputs, but for memory elements (flip-flops, Muller

The function $\delta_C$ can be computed by using excitation functions as follows:
To illustrate this, we calculate the new set of states $C_1$ after switching signal $s_4$ using the transition function $\delta_C(C, s_4$

Petri nets are a powerful formalism for specifying asynchronous circuits and, in addition, there are several methodologies that use Petri nets for automatic synthesis of circuits. Thus, it is very attractive to use the same formalism for describing a circuit to be synthesized and afterwards for verifying that circuit against its specification. As shown in Fig. 3, we consider a closed system composed of a circuit and a Petri net modeling the behavior of the environment of that circuit. Examples of a circuit and its specification (environment) can be found in Figs. 1 and 11.
Given a Petri net that interacts with a circuit, there is a relationship between the interface signals and some Petri net transitions. We denote by $T_{s+}$ ($T_{s-}$) the set of transitions in the Petri net that specify a rising (falling) transition of signal $s$. We use $T_s$ to denote either $T_{s+}$ or $T_{s-}$.
The set of states of an environment-circuit system is a subset of the Cartesian product of the sets of states of each subsystem, $M_P \times C_S$. Therefore, the state of such a system is defined by the ordered pair $(m, c)$, where $m$ is a marking of the Petri net and $c$ represents a state of the circuit.
The previously defined image computation formulae, $\delta_N$ and $\delta_C$, can be extended for the environment-circuit system as:

The Petri net "decides" when an input signal of the circuit has to switch. Thus, when a transition in $T_s$ is fired, signal $s$ must switch accordingly. The

Note that if more than one transition $t \in T_s$ is enabled in a given state, it may indicate non-determinism or a bad environment specification. This can be reported as a warning. In fact, the verification procedure checks that the events generated by the circuit are accepted by the environment, whereas the circuit accepts any event from the environment. In addition, a malfunction in the circuit behavior can appear when hazards are produced. A hazard is a short undesired transition $0 \to 1 \to 0$ or $1 \to 0 \to 1$ that can cause a gate to enter a metastable state or simply cause an unexpected circuit behavior. Hazards can be produced when an excited internal or external gate becomes stable without switching the gate output. This property is called non-semi-modularity [30], and it can be checked at each image computation step.
System Traversal
The problem of symbolic model checking is solved by computing all the reachable states of the environment-circuit system, and by proving that no failure states can occur. Then we can say that the circuit is a speed-independent implementation of its speci cation, or that the circuit conforms to the environment.
The set of reachable states can be calculated by using a Breadth First Search (BFS) algorithm, similar to those used for traversing FSMs [6]. The basic algorithm works as follows. As a first step, the initial set of states, $Q_0$ (often, having more than one initial state makes the algorithm converge faster), is assigned to the sets of states Reached and From. Then, at each iteration, all the states reachable from From by firing one transition or by switching a gate are computed by using transition functions. The new states are assigned to From and added to Reached. This procedure continues until a fixed point is reached, i.e. all the new states generated are already in Reached. Although this algorithm for symbolic traversal is efficient, we propose two different improvements to reduce BDD size and CPU time:

This technique drastically reduces the number of traversal iterations. For medium-sized examples, the CPU time can be reduced by up to two orders of magnitude, and this difference might be even more important for larger examples, although we have not checked it for obvious reasons. Let us assume that $s_1$ is an input signal of the gate that drives signal $s_2$. A simple BFS algorithm would switch $s_1$ from the set of states $Q_1$ and calculate a new set of states $Q_2$. Until the next iteration, this change will not propagate through the gate driving $s_2$. However, if $Q_2$ is calculated and added to $Q_1$, then $s_2$ is switched from $Q_1 \cup Q_2$, and the change is propagated in the same iteration. By switching all the gates in the circuit in an appropriate order, the time consumed by the traversal algorithm can be reduced considerably. Figure 5 illustrates the difference between chaining or not.

Figure 6 shows a modified BFS algorithm that includes the above modifications. First the traversal of the environment is performed, and thus the transition functions that use input signals are modified.
Then, at each iteration, given a set of states (From), the algorithm calculates the new states reached by switching all the internal circuit gates and by synchronously firing input and output signals together with their enabled associated transitions. Before firing the associated transitions of output signals, the error condition is checked. Finally, the algorithm halts when no new states are generated.
Error Diagnosis
When the circuit does not conform to the environment, it is useful to provide some means to help designers find errors. The algorithm in Fig. 8 gives a sequence of events that can produce a failure state.
From a failure state, a backward traversal is performed, restricted to the states that were visited during the forward traversal, and a trace from the initial state to the failure state is given. To perform this backward traversal, we need to define backward transition functions. The backward transition function for transitions is computed as follows:
which intuitively is equivalent to changing the direction of the arcs of the Petri net. A gate switches backwards by changing its output value when it is stable, thereby becoming excited. In the diagnosis algorithm in Fig. 8, we ensure that the given trace is not an impossible trace by restricting the backward transition function to the reached set of states. By eliminating the visited states we ensure that the algorithm converges.
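The modified BFS of Fig. 6 and the diagnosis trace of Fig. 8, as an added example written for this page (not the paper's implementation): the environment STG, the two candidate output gates and the signal names are constructed here; explicit Python sets stand in for the BDD-encoded sets of states, and the trace is recovered from predecessor pointers recorded during the forward traversal rather than from symbolic backward transition functions. The two gates show the conformance check at work: a Muller C-element conforms to the constructed STG, while an AND gate in its place produces an output event the specification does not accept.

```python
"""Closed environment-circuit system (Sect. 4-5): BFS traversal with conformance,
semi-modularity and error-trace diagnosis. Explicit state sets stand in for BDDs."""
PLACES = ["p1", "p2", "p3", "p4", "p5", "p6", "p7", "p8"]
SIGNALS = ["a", "b", "c"]                     # a, b: circuit inputs; c: circuit output
P = {p: 1 << i for i, p in enumerate(PLACES)}
S = {s: 1 << i for i, s in enumerate(SIGNALS)}
bits = lambda names, tab: sum(tab[n] for n in names)
bit = lambda c, s: bool(c & S[s])

# Constructed STG of the environment: a+ || b+ ; c+ ; a- || b- ; c-  (a C-element protocol).
# Transition = (label (signal, new value), pre-set mask, post-set mask).
STG = [(("a", 1), bits(["p1"], P), bits(["p2"], P)),
       (("b", 1), bits(["p3"], P), bits(["p4"], P)),
       (("c", 1), bits(["p2", "p4"], P), bits(["p5", "p6"], P)),
       (("a", 0), bits(["p5"], P), bits(["p7"], P)),
       (("b", 0), bits(["p6"], P), bits(["p8"], P)),
       (("c", 0), bits(["p7", "p8"], P), bits(["p1", "p3"], P))]
M0, C0 = bits(["p1", "p3"], P), 0             # initial marking and all signals low
INPUTS, OUTPUTS = {"a", "b"}, {"c"}

# Two candidate implementations of the output gate f_c (circuit state -> boolean).
C_ELEMENT = {"c": lambda c: (bit(c, "a") and bit(c, "b")) or (bit(c, "c") and (bit(c, "a") or bit(c, "b")))}
AND_GATE = {"c": lambda c: bit(c, "a") and bit(c, "b")}

enabled = lambda m, t: m & t[1] == t[1]
fire = lambda m, t: (m & ~t[1]) | t[2]
excited = lambda c, s, gates: bit(c, s) != gates[s](c)   # gate output disagrees with f_s

def traverse(gates):
    """Returns (reached states, conformance failures, semi-modularity violations, parents)."""
    reached, parent, frontier = {(M0, C0)}, {(M0, C0): None}, [(M0, C0)]
    failures, hazards = [], []
    while frontier:
        new = []
        for m, c in frontier:
            succ = []
            for t in STG:                     # the environment decides when inputs switch
                if t[0][0] in INPUTS and enabled(m, t):
                    succ.append((fire(m, t), c ^ S[t[0][0]]))
            for s in gates:                   # excited gates switch; outputs need acceptance
                if not excited(c, s, gates):
                    continue
                if s not in OUTPUTS:          # internal gate: switches freely
                    succ.append((m, c ^ S[s])); continue
                acc = [t for t in STG if t[0] == (s, int(not bit(c, s))) and enabled(m, t)]
                if not acc:                   # output event the specification does not accept
                    failures.append((m, c, s))
                succ += [(fire(m, t), c ^ S[s]) for t in acc]
            for m2, c2 in succ:
                for s in gates:               # excited gate became stable without switching
                    if excited(c, s, gates) and not excited(c2, s, gates) and bit(c, s) == bit(c2, s):
                        hazards.append((m, c, s))
                if (m2, c2) not in reached:
                    reached.add((m2, c2)); parent[(m2, c2)] = (m, c); new.append((m2, c2))
        frontier = new
    return reached, failures, hazards, parent

def trace(parent, state):
    """States from the initial state to `state`, walked backwards inside the reached set."""
    path = []
    while state is not None:
        path.append(state); state = parent[state]
    return path[::-1]
```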
Verification of Properties
Usually there are two questions that must be answered when verifying a system. First, we must check that the circuit satisfies its specification. Second, there is a need to prove that a design has properties like safeness, persistence or different levels of liveness. In this section we present, as examples, algorithms for proving safeness of the specification, as well as deadlock freeness and the home state property [22] of the whole system. Verification of other properties of the Petri net specification, using boolean reasoning, can be found in [24, 12].
Given a set of states $Q$, safeness of the specification can be assured by checking that the following formula does not hold for any transition $t$ of $N$:
In other words, that no successor place of an enabled transition is marked, unless that place is a self-loop. This formula can be easily extended to k-bounded nets.
Fig. 9. Algorithm for checking deadlock freeness: system_deadlock($S = \{s_1, \ldots, s_v\}$, $N = \langle P, T, F, m_0 \rangle$), where $T_I$ is the set of transitions associated to circuit inputs.

Figure 9 shows how deadlock freeness can be easily tested. A deadlock state is a state from which the system cannot make any progress. In a deadlock state no transition is enabled and no gate is excited. States in which a transition $t$ is not enabled are found by the formula $Q \cdot E'_t$. Similarly, the product $Q f$

The algorithm in Fig. 10

The state $q_0$ will be a home state if, performing a backward traversal, we reach the same states as going forward. Nevertheless, we restrict the states found backwards to the forward reached set, because of the inherent non-determinism when going backward. The algorithm is similar to a normal Breadth First Search, but at each step the new states are removed from the reachable set of states. The backward traversal completes when no more states can be removed. Only if Removable becomes the empty set will $q_0$ be a home state.
Application Examples
This section illustrates the power of our approach by verifying circuits of moderate size against their specification. We have chosen scalable examples in order to verify circuits with a few hundred gates and millions of states, but we have intentionally not exploited this regularity. We have verified the following circuits:
- Distributed Mutual Exclusion (DME) arbiter: ring of $N$ DME cells, originally due to Martin [17]. It has also been studied by several authors [8, 7, 20, 3] with different approaches. Figure 11 depicts this example.
- Tree arbiter: tree of arbiter cells proposed by Seitz [27] and modified by Dill [7]. Figure 1 depicts one of these cells and its specification.
- Martin's FIFO: this circuit was proposed by Martin [19]. We have checked 1-bit FIFOs with different depths. The main drawback seen on this benchmark is the required CPU time, since the BDD size stays moderate. In this case, giving more than one initial state, i.e. considering that all cells can initially be empty or full, drastically reduces the number of iterations and, consequently, the execution time.
- Muller's pipeline: non-dense asynchronous pipeline proposed by Muller [21]. The results indicate similar behavior to the previous example. The solution can be the same.
- Two-port register: multi-port register used in the data path of the TITAC quasi-delay-insensitive microprocessor [23].

Table 1 presents the results obtained in terms of number of states and number of signals of each system, peak size of the BDD Reached, the number of iterations needed in the traversal algorithm, and the CPU time spent by the algorithms. Safeness of the specification and absence of deadlock of the whole system have been verified as well. All CPU time values have been obtained by executing the algorithms on a Sun SPARCstation 10 with 64 MB of memory. We have used the Carnegie Mellon University BDD package [16], which allows dynamic reordering of variables.
Some examples have polynomial BDD size in the number of variables, while in others this size grows exponentially. We consider undesirable a BDD size greater than the square of the number of variables (including signals and places). Thus, in the tree and register examples dynamic reordering is done when the Reached BDD size grows in excess. Dynamic reordering takes a significant time; therefore it must be used only if it is strictly necessary. In the rest of the examples the given variable order is good enough not to need changing it.
Interestingly, it can be observed that for some examples, larger circuits result in smaller BDDs. This is probably the effect of the greedy strategy used by the reordering algorithm, which does not behave monotonically.
