Abstract. Timing diagrams are widely used in industrial practice to express precedence and timing relationships amongst a collection of signals. This graphical notation is often more convenient than the use of temporal logic or automata. We introduce a class of timing diagrams called Regular Timing Diagrams (RTD's). RTD's have a precise syntax, and a formal semantics that is simple and corresponds to common usage. Moreover, RTD's have an inherent compositional structure, which is exploited to construct an efficient algorithm for model checking a RTD with respect to a system description. The algorithm has time complexity that is linear in the system size and a small polynomial in the representation of the diagram. The algorithm can be easily used with symbolic (BDD-based) model checkers. We illustrate the workings of our algorithm with the verification of a simple master-slave system.
Introduction
The design of hardware systems includes the specification of timing behavior for circuit components. In industrial practice, this behavior is most often described graphically by timing diagrams. Timing diagrams are, however, often used informally and without a precise semantics, making it difficult to utilize them for the specification and verification of correct behavior. We address this issue by introducing the class of Regular Timing Diagrams (RTD's), which have a simple and precise semantics and an efficient, decompositional model checking algorithm. These diagrams describe changes of signal values over a finite time period, and precedence and timing dependencies between such events, such as "signal a rises within 5 time units of signal b falling" and "signal b is low when signal a rises".
The time intervals are specified by integer constants, ensuring that the diagram defines a regular language.
A RTD, like the circuit it describes, may be either asynchronous or synchronous. A synchronous diagram includes one or more "clocks" with fixed periods; the time interval between any pair of events is determined up to the clock period. Asynchronous timing diagrams are used to specify handshaking protocols, like bus arbitration and memory access, while synchronous diagrams can specify timing requirements of clocked systems. The ordering between events may be partial; such RTD's are called ambiguous. An unambiguous RTD has a total ordering on events (see Figure 1).
Since a RTD is defined for a finite time period, an important question that arises in defining the semantics is how an infinite computation satisfies a timing diagram. Fisler [13] considers two kinds of semantics: in the invariant semantics, the timing diagram must be satisfied at every state of a computation, while in the basic iterative semantics, the diagram must be satisfied iteratively, at points satisfying a precondition of the diagram. Our semantics is a reformulation of the basic iterative semantics, where we permit timing diagrams to be satisfied in an overlapping manner. For simplicity, in our current model, the precondition is a state property. In general, a precondition is a path property; it can be handled by introducing a monitor automaton for the property (see Section 2.2 for a discussion). This permits a system to satisfy diagrams that express the correctness of different aspects of its operation. For ambiguous diagrams, we further classify this semantics into a weak aspect, where a fresh linear ordering of the events is chosen for each satisfaction of the diagram, and a strong aspect, where a single linear order is chosen that applies to each satisfaction of the diagram.
The key observation that leads to efficient model checking [5, 22, 6] is that timing diagrams are compositional (conjunctive) in nature. This can be visualized informally as the waveforms acting independently and only interacting with other waveforms through a dependency. Rather than build the single, monolithic NFA (non-deterministic finite state automaton) or the temporal logic formula that corresponds to the entire diagram, we demonstrate that it is possible to decompose the diagram into properties of isolated waveforms and their interactions. This results in a conjunction of simpler properties that can be conveniently represented by a succinct ∀-automaton (∀FA) [21, 28]. A ∀FA (also known as a "dual-run" or "universal" automaton) is a finite state automaton that accepts an input iff every run of the automaton along the input meets the acceptance criterion. ∀FA's can be exponentially more succinct than NFA's and naturally express properties that are conjunctive in nature.
Moreover, this conjunctivity can be exploited to verify smaller components of the timing diagram in isolation, thus avoiding the construction of the entire ∀-automaton. We present efficient algorithms that convert RTD's under the various semantics into ∀FA's that are in the worst case of size cubic in the size of the diagram and the largest time constant represented in unary (note that the unary size is exponential in the binary size). These constants are generally performance bounds and tend to be small; thus, we feel justified in claiming polynomial complexity. The use of ∀FA's permits the efficient use of the automata-theoretic language containment paradigm [29, 19, 20] for model checking. For a system M and RTD T, the verification check can be cast as $L(M) \subseteq L(A_T)$, where $A_T$ is the (small, polynomial size) ∀FA for the diagram T and L(X) denotes the language of X. This is equivalent to $L(M) \cap \neg L(A_T) = \emptyset$. The complement language of a ∀FA is accepted by a NFA with identical structure but complemented acceptance condition. Hence, complementation (the $\neg L(A_T)$ term) is trivial, and the complexity of the model checking procedure is linear in the size of the structure and the size of the ∀FA $A_T$. In addition, it is often possible to decompose $A_T$ itself into a conjunction of smaller ∀FA's, which may be checked independently with M. It is also simple to produce a description of $\neg L(A_T)$ that can be input to a symbolic model checker. To illustrate our method, we show how the behavior of read and write transactions that is described by RTD's can be checked against a simple master-slave memory system.
We believe that this framework permits efficient model checking of timing specifications that are used in practice. Our review of industrial data books and discussions with engineers indicate that RTD's are sufficiently expressive for most industrial verification needs. With the exception of Fisler's work [13, 14], where the model checking algorithms have high complexity, other prior work considers timing diagram models that are at most as expressive as RTD's. The algorithm is linear in the structure size, polynomial in the number of diagram points and dependencies and in the unary size of the constants. The polynomial complexity of our decompositional algorithm is a significant improvement over the earlier monolithic approaches [13, 9], where the size may be exponential in the worst case. Notwithstanding the Lichtenstein-Pnueli thesis [20], in practice, as one reaches the limits of applicability of symbolic model checking tools, the size of the specification is of importance. A detailed discussion of these points is in Section 5.
The rest of the paper proceeds as follows. In Section 2, we give a precise syntax and semantics for Regular Timing Diagrams. Section 3 outlines the algorithms that convert RTD's into ∀FA's and the model checking procedure. Section 4 describes how the algorithms are used with the model checker VIS [3] for the verification of a master-slave system. We conclude with a discussion of related work in Section 5.

Notice that for any input string of vectors of signal values, every event has at most one position on the string. This "precise location" property of events is the key to our efficient model checking algorithm. For every event e, it is possible to construct a DFA we call locator(e) that accepts at the position on an input string where the event holds. This DFA essentially encodes the sequence of applications of the rules above that define the point e as an event.
A symbolic point of a RTD is either a concurrent dependency or a singleton set containing a point that is not in any concurrent dependency. The set of symbolic points is denoted by SP. Informally, events in a symbolic point should occur simultaneously. The sequential dependencies of a RTD induce the following ordering relation $\prec$ on symbolic points: $p \prec q$ iff
- $(A, i) \in p$ and $(A, i+1) \in q$, for points $i, i+1$ of waveform A in WF, or
- there exist $e \in p$ and $f \in q$ such that $e \to f$ is a sequential dependency.
The RTD syntax allows several definitions that run counter to intuition. For instance, dependencies may be cyclically related, or it may be possible that the location of a dependency is imprecise due to the presence of X (undetermined) parts of a waveform. These cases are ruled out by giving a notion of "well-formed" RTD's, which is defined below.
Definition 3 (Well-formed RTD) A RTD is well-formed iff (i) every point of the RTD is an event and (ii) the transitive closure $\prec^{+}$ of $\prec$ is not reflexive.
The annotated RTD in Figure 2 can be expressed notationally as follows. 
Regular Timing Diagrams: Semantics
The semantics of a RTD is a set of infinite computations over states; each state is a vector indexed by the waveforms of the timing diagram. The set of states is denoted by . The operator $\sqsubseteq$ defined earlier is extended to states as follows: $u \sqsubseteq w$ iff for each i, $u(i) \sqsubseteq w(i)$. A computation of the system to be verified consists of an infinite sequence of states. Since the syntax of a RTD describes only finite sequences of events, a key question is the appropriate extension to infinite computations.
The predefined initial and final concurrent dependencies can be viewed as the begin- and end-conditions of the finite sequence of events described by the RTD syntax; the initial concurrent dependency is a state predicate and the final concurrent dependency is a path predicate. For example, the begin-condition for the RTD in Figure 2 is $\langle A = 1, B = 0\rangle$ and the end-condition is the locator for the concurrent dependency at the state $\langle A = 0, B = 1\rangle$. As another example, if the diagram represents the behavior for a "memory-read" transaction, the begin- and end-conditions indicate the states that define the extent of this transaction. Clearly, this diagram should be checked only on the finite sub-computation that starts at a state satisfying the begin-condition and ends with a state satisfying the end-condition. It is sometimes necessary to make the begin-condition a path predicate; the path predicate identifies a sequence of states that indicate the start of a transaction. Such a path predicate can be handled in our current framework by constructing a "monitor" automaton that emits a signal whenever the path condition is satisfied; the presence of this signal, which is a state predicate, can be used as the begin-condition of the RTD.
One may thus consider an infinite sequence to satisfy a timing diagram iff the dependencies of the diagram are satisfied in each finite sub-sequence defined by the begin- and end-conditions. This statement, though, is still open to many interpretations, some of which are considered below. We first define what it means for a finite sequence of states to satisfy a timing diagram. Recall that the relation $\prec^{+}$ partially orders the set of symbolic points, SP. In the following definitions P denotes the set of points in the diagram.

Definition 4 (Assignment) An assignment for a string of length n is a function from SP to $[0, n)$ that is strictly monotonic w.r.t. $\prec^{+}$.

A notable class of systems where the assumption of non-overlapping transactions does not hold is those that involve some measure of pipelining. We may then consider the following generalization of the weak iterative semantics.
Definition 8 (Overlapping Semantics) An infinite sequence z satisfies a RTD T under the overlapping semantics (written as $z \models_o T$) iff wherever # holds along z, there exists y such that #y$ is a prefix of the suffix computation from that point and, for some assignment, #y$ satisfies T under that assignment.
For the rest of the paper, we consider only the weak and strong iterative semantics in detail; the algorithm for the overlapping semantics is a slight modification of that for the weak iterative semantics and has the same complexity. We consider now an alternative formulation of Definition 5, which forms the basis for the decompositional algorithms for model checking. If #y$ satisfies the timing diagram, each event, by Definition 2, may be located precisely on the sequence. The key observation is that, since each dependency consists of precisely located events, it can be checked independently of the others. Let pt be the partial function that defines the location of events on a finite sequence.
- For each sequential dependency $e \xrightarrow{[a,b]} f$, $pt(z, f) - pt(z, e) \in [a, b]$.
- For each pair of events e, f in a concurrent dependency, $pt(z, e) = pt(z, f)$.
Notice that the theorem essentially transforms the existential (∃) condition of Definitions 6 through 8 into a universal (∀) condition; this forms the basis for the decompositional check.
Decompositional Model Checking
Theorem 1 is fundamental to decomposing RTD's into a conjunction of properties of individual waveforms and ordering or timing restrictions on their interactions, which is the key to efficient model checking. In this section, we provide algorithms that translate a RTD under both strong and weak iterative semantics into a ∀FA. The basic iterative and overlapping semantics can be similarly handled.
For clarity, we often describe the NFA for the complement language instead of the ∀FA.

Definition 9 (∀FA) A ∀FA A on infinite strings has a finite input alphabet, a finite state set Q, a transition relation contained in Q × (input alphabet) × Q, a start state $q_0$ and an acceptance condition.
A run r of A on an infinite input x is an infinite sequence of states of A, where $r_0$ is an initial state, and for each i, $(r_i, x_i, r_{i+1})$ is in the transition relation. A accepts x by ∀-acceptance iff every run r on x satisfies the acceptance condition. We define L(A) to be the set of strings accepted by A; $L_{NFA}$ by ∃-acceptance and $L_{\forall FA}$ by ∀-acceptance. In this paper, we consider the acceptance condition to be a Büchi acceptance condition. For any ∀FA A, let $\overline{A}$ be the NFA with the same transition relation but complemented acceptance condition.

Theorem 2 ([21, 28]) For any ∀FA A, $\neg L_{\forall FA}(A) = L_{NFA}(\overline{A})$.
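As an added illustration of Definition 9 and Theorem 2 (this is example code, not from the paper), the following Python reads one transition structure under ∃-acceptance and under ∀-acceptance, flips the acceptance set to obtain the complement automaton, and confirms the duality by enumerating all short words. It uses finite words and final-state acceptance in place of infinite words and a Büchi condition, which is enough to show the mechanism; the automaton, the property "every a is immediately followed by b", and all names are constructed for the example. It also shows a caveat: the duality holds for whichever notion of run is used on both sides, but if the transition relation is partial, a run that blocks simply does not count, so the ∀FA accepts vacuously and no longer expresses the intended conjunctive property.

```python
"""Finite-string illustration of ∃- versus ∀-acceptance and of complementing a
∀FA by complementing its acceptance set (Theorem 2). Added example; the
automaton and property are constructed, not taken from the paper."""
from itertools import product

# An automaton is (states, alphabet, delta, q0, F) with delta a set of (q, a, q').
def runs(aut, word):
    """All complete runs of `aut` on `word`, as state sequences of length len(word)+1."""
    _, _, delta, q0, _ = aut
    frontier = [[q0]]
    for a in word:
        frontier = [r + [q2] for r in frontier for (q, b, q2) in delta if q == r[-1] and b == a]
    return frontier

def nfa_accepts(aut, word):
    """∃-acceptance: some run ends in an accepting state."""
    return any(r[-1] in aut[4] for r in runs(aut, word))

def afa_accepts(aut, word):
    """∀-acceptance: every run ends in an accepting state (vacuously true if no run)."""
    return all(r[-1] in aut[4] for r in runs(aut, word))

def complement_acceptance(aut):
    """Same structure, complemented acceptance condition (the A-bar of Theorem 2)."""
    states, alphabet, delta, q0, F = aut
    return (states, alphabet, delta, q0, states - F)

def every_a_followed_by_b(total=True):
    """∀FA for "every a is immediately followed by b" over {a, b, c}.
    One run idles in s forever; on each a another run may branch to e, where it
    demands a b and otherwise falls into the sink `bad`. Under ∀-acceptance all
    runs must end in s, so every guessed a must have seen its b.
    With total=False the transitions out of e on a and c are dropped, leaving the
    relation partial: a run in e that sees a or c simply disappears."""
    states, alphabet = {"s", "e", "bad"}, ("a", "b", "c")
    delta = {("s", x, "s") for x in alphabet} | {("s", "a", "e"), ("e", "b", "s")}
    if total:
        delta |= {("e", "a", "bad"), ("e", "c", "bad")} | {("bad", x, "bad") for x in alphabet}
    return (states, alphabet, delta, "s", {"s"})

def spec(word):
    """Direct check of the property, used as the oracle."""
    w = tuple(word)
    return all(w[i + 1:i + 2] == ("b",) for i, c in enumerate(w) if c == "a")

def theorem2_holds(aut, max_len):
    """Brute force: not afa_accepts(A, w) == nfa_accepts(A-bar, w) for every word of length <= max_len."""
    comp = complement_acceptance(aut)
    return all(afa_accepts(aut, w) == (not nfa_accepts(comp, w))
               for n in range(max_len + 1) for w in product(aut[1], repeat=n))

def afa_matches_spec(aut, max_len):
    """Does ∀-acceptance of `aut` agree with `spec` on every word of length <= max_len?"""
    return all(afa_accepts(aut, w) == spec(w)
               for n in range(max_len + 1) for w in product(aut[1], repeat=n))
```

The idle run in s is what makes the ∃-reading of this structure accept every word, while the ∀-reading accepts exactly the words satisfying the property: the acceptance mode, not the transition structure, fixes the language. With the partial relation, theorem2_holds still returns True (both sides count only complete runs) but afa_matches_spec returns False, since the word "ac" is accepted vacuously; a ∀FA built for a specification must therefore be total, or blocked runs must be routed to a rejecting sink as done here.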
RTD's under the weak iterative semantics
We describe here the NFA that accepts the complement of the weak-iterative language of a RTD T = (WF, SD, CD). First, construct finite string automata for each waveform and dependency as follows:
- Concurrent dependency: The ∀FA for a concurrent dependency C checks that, for a fixed event e in C and every other event f in C, locator(e) and locator(f) accept at the same position on the input sequence.
The ω-NFA for the complement language operates as follows on an infinite input sequence: it nondeterministically "chooses" a transaction #y$ on the input, "chooses" which waveform or dependency fails to hold of the transaction, and accepts if the automaton for that entity (defined as given above) rejects. Notice that each automaton defined above is either a DFA or a ∀FA, both of which can be trivially complemented. The ∀FA obtained from this NFA
RTD's under the strong iterative semantics
Under the strong iterative semantics, every transaction on an input computation has to satisfy the RTD w.r.t. a single event ordering. The NFA for the complemented language accepts a computation iff
- Some transaction violates a waveform or dependency constraint. This is checked by the automaton defined for the weak-iterative semantics. Or,
- There is a transaction and a pair of events that occur in a different order from that in the first transaction. This is done by an automaton that "chooses" a pair of events unordered by $\prec^{+}$, executes the locator DFA's for these events in parallel on the first transaction to determine their order, then "chooses" a subsequent transaction and executes the locator DFA's of the same events on that transaction to determine the new order, and accepts if the orders differ.

Let $A_T$ denote the ∀FA obtained from this NFA by complementing the acceptance condition. The size of $A_T$ is cubic in |T| and L for the first case; for the second, it is quadratic in |T| and L with a multiplicative factor of the number of event pairs (which is bounded by $(\#\mathrm{points})^2$).

Theorem 4 (Correctness) For any RTD T and infinite string x, $x \models_s T$ iff $x \in L(A_T)$. The size of the ∀FA $A_T$ is polynomial in |T| and L.
Model Checking
The translation of a RTD to a small ∀FA implies that the language containment approach to model checking based on [29] gives an efficient algorithm. We need to check that $L(M) \subseteq L(A_T)$, where M is the system to be verified and $A_T$ is the ∀FA for the RTD T. This is equivalent to $L(M) \cap \neg L(A_T) = \emptyset$. Complementation (the $\neg L(A_T)$ term) is trivial for a ∀FA; the complemented automaton (a NFA) has the same structure but complemented acceptance condition. Hence, the emptiness check can be done in time linear in the size of the structure and a small polynomial in the size of T. The space complexity, by the results of [25], is logarithmic in the sizes of both M and T.
Theorem 5 For a transition system M and a RTD T, the time complexity of model checking is linear in the size of M and a small polynomial in the size of T and the unary size of the largest constant in T.
An alternative way of utilizing the ∀FA construction is to note that, for the weak iterative semantics, the automaton essentially defines a language built from the finite-string languages of the individual waveforms and dependencies.

Lemma 1 concerns finite-string languages $L_i$ ($i \in [0, n)$) that are sets of finite nonempty strings.
By this lemma, one can construct smaller ω-automata, one for each dependency, and check that the language of each has an empty intersection with L(M).
This is often more efficient than the combined check, and may lead to quicker detection of any errors. We refer to this as the "decompositional" approach.
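The per-constraint check of Theorem 1, the difference between the weak and the strong iterative semantics, and the decompositional approach just described, worked on an explicit finite trace instead of by automaton construction. This is an added Python example, not the paper's tool nor its VIS models: it locates each event on the trace with a direct scan in place of the locator DFA's, and reports every waveform and dependency separately, so a failing constraint is named rather than hidden in one combined verdict. The RTD, the signal names (req, ack, dv, addr), the intervals and the two traces are constructed for the illustration in the spirit of the master-slave read transaction of Section 4; the assumptions (no X segments, a state-predicate end-condition, non-overlapping transactions) are stated in the code.

```python
"""Checking a finite trace against a RTD one constraint at a time (Theorem 1),
under the weak and the strong iterative semantics. Added example, not the
paper's construction. Assumptions: waveforms have no X (don't-care) segments,
so point i of waveform A is the i-th value change of A inside a transaction;
the end-condition is a state predicate; transactions do not overlap."""
from itertools import combinations

# RTD for a read transaction of the master-slave example (constructed, not Figure 4).
WAVEFORMS = {           # signal -> segment values, in order, within one transaction
    "req":  [1, 0],     # request held, then released by the master
    "ack":  [0, 1, 0],  # slave acknowledges, then drops ack after req falls
    "dv":   [0, 1, 0],  # output data valid, tied to ack by concurrent dependencies
    "addr": [1, 0],     # address valid, then reset by the master
}
SEQ_DEPS = [            # (e, f, a, b): pt(f) - pt(e) must lie in [a, b]
    (("req", 0), ("ack", 1), 1, 3),   # slave answers within 3 cycles of the request
    (("ack", 1), ("req", 1), 1, 2),   # master releases req 1..2 cycles after ack
    (("req", 1), ("ack", 2), 1, 2),   # slave drops ack 1..2 cycles after req falls
    (("req", 1), ("addr", 1), 0, 2),  # master resets addr within 2 cycles of req falling
]
CONC_DEPS = [{("ack", 1), ("dv", 1)}, {("ack", 2), ("dv", 2)}]  # same position required
BEGIN = lambda s: s["req"] == 1 and s["ack"] == 0
END = lambda s: s["req"] == 0 and s["ack"] == 0 and s["addr"] == 0

def locate(z, signal, spec):
    """Positions pt(z, (signal, i)) of the value changes of `signal` in transaction z,
    or None if the observed value sequence is not the waveform (per-waveform check)."""
    starts = [k for k in range(len(z)) if k == 0 or z[k][signal] != z[k - 1][signal]]
    return starts if [z[k][signal] for k in starts] == spec else None

def check_transaction(z):
    """Evaluate every waveform and dependency of one transaction independently.
    Returns ({constraint name: holds?}, {event: position})."""
    verdict, pts = {}, {}
    for sig, spec in WAVEFORMS.items():
        loc = locate(z, sig, spec)
        verdict[f"waveform {sig}"] = loc is not None
        pts.update({(sig, i): k for i, k in enumerate(loc or [])})
    for e, f, a, b in SEQ_DEPS:
        verdict[f"{e} -> {f} in [{a},{b}]"] = e in pts and f in pts and a <= pts[f] - pts[e] <= b
    for c in CONC_DEPS:
        verdict[f"concurrent {sorted(c)}"] = c <= set(pts) and len({pts[e] for e in c}) == 1
    return verdict, pts

def transactions(trace):
    """Split a trace into non-overlapping transactions, each from a BEGIN state to
    the next END state. Returns (transactions, all_closed)."""
    out, k = [], 0
    while k < len(trace):
        if not BEGIN(trace[k]):
            k += 1
            continue
        end = next((j for j in range(k + 1, len(trace)) if END(trace[j])), None)
        if end is None:
            return out, False        # a transaction that never reaches its end-condition
        out.append(trace[k:end + 1])
        k = end + 1
    return out, True

def check_weak(trace):
    """Weak iterative semantics: every transaction satisfies every constraint, each
    transaction with its own event order. Returns (ok, per-transaction verdicts)."""
    txs, closed = transactions(trace)
    verdicts = [check_transaction(z)[0] for z in txs]
    return closed and all(all(v.values()) for v in verdicts), verdicts

def check_strong(trace):
    """Strong iterative semantics: weak, plus one order of events shared by all
    transactions. Returns (ok, pairs of events whose relative order differs)."""
    ok, _ = check_weak(trace)
    if not ok:
        return False, []
    orders = []
    for z in transactions(trace)[0]:
        pts = check_transaction(z)[1]
        orders.append({(e, f): (pts[e] > pts[f]) - (pts[e] < pts[f])
                       for e, f in combinations(sorted(pts), 2)})
    conflicts = [p for p in orders[0] if len({o[p] for o in orders}) > 1] if orders else []
    return not conflicts, conflicts

def state(req, ack, dv, addr):
    return {"req": req, "ack": ack, "dv": dv, "addr": addr}

# Constructed trace: two correct reads; in the first the address is reset before
# ack falls, in the second after it (an ordering the RTD leaves open).
GOOD_TRACE = [
    state(1, 0, 0, 1), state(1, 0, 0, 1), state(1, 1, 1, 1), state(0, 1, 1, 1),
    state(0, 1, 1, 0), state(0, 0, 0, 0),
    state(0, 0, 0, 0),                                           # idle cycle
    state(1, 0, 0, 1), state(1, 1, 1, 1), state(0, 1, 1, 1),
    state(0, 0, 0, 1), state(0, 0, 0, 0),
]
# Constructed trace in which the slave acknowledges 4 cycles after the request.
LATE_ACK_TRACE = [
    state(1, 0, 0, 1), state(1, 0, 0, 1), state(1, 0, 0, 1), state(1, 0, 0, 1),
    state(1, 1, 1, 1), state(0, 1, 1, 1), state(0, 0, 0, 0),
]
```

On GOOD_TRACE the weak check passes while the strong check reports the pair of the address reset and the ack fall, which occur in opposite orders in the two transactions; on LATE_ACK_TRACE only the constraint "(req, 0) -> (ack, 1) in [1,3]" fails, and every other verdict is still computed, which is the practical benefit of the decompositional check. A transaction that starts but never reaches its end-condition is reported as a violation.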
Applications
We demonstrate the use of these algorithms in the verification of a master-slave memory system using the model checker VIS, which is based on the automata-theoretic (language containment) approach to model checking. This example is small and is intended only as an illustration of how our algorithms may be used. In the master-slave system (Figure 3), the master issues a read or a write instruction by asserting the corresponding line, and the slaves respond by accessing memory and performing the operation. The master chooses the instruction, puts the address on the address bus and then asserts the req signal. The slave whose tag matches the address awakens, services the request, then asserts the ack line on completion. Upon receiving the ack signal the master resets the req signal, causing the slave to reset the ack signal. Finally, the master resets the address and data buses. The memory read (Figure 4) and write cycles are specified as RTD's (interpreted under the weak iterative semantics).
The master-slave system was simplified by abstracting away some inessential details. First, the address bus was simplified to the tag of the slaves. Since VIS does not allow variables to be both input and output, the bidirectional data bus is represented as two 1-bit boolean variables, Idata and Odata, that denote the input and output data buses respectively. The begin-condition for the read RTD

The simplified master-slave system is represented in Verilog. For both RTD's, we created (as Verilog modules) both the complement of the ∀FA and the complement NFA for individual dependencies and waveforms. The language emptiness check passed for both the ambiguous read and write RTD translations. The results in Table 1 show that the decompositional procedure is indeed feasible and that the size of the system to be verified together with a single dependency automaton may not be significantly larger, in terms of BDD variables, than the system itself.
Conclusions and Related Work
Several researchers have investigated timing diagrams and their use in automated verification. Boriello [2] proposes an approach to formalizing timing diagrams. Timing diagrams are described informally as regular expressions but no specific details or translation algorithms are given. Many other researchers [1, 26, 23, 4] have formalized timing diagrams and translated them to other formalisms (interval logics, trigger graphs etc.). Cerny et al. present a procedure [18] for verifying whether the finite behavior of a set of action diagrams (timing diagrams) is consistent; [17] uses constraint logic programming to check if a system satisfies finite action diagram specifications. Formal notions of timing diagrams have also proved to be useful in test generation and logic synthesis (cf. [27, 15, 12]). Fisler [13, 14] proposes a timing diagram syntax and semantics that allows non-regular languages, and finds that these languages occur at all levels of the Chomsky hierarchy. The paper [14] provides a decision procedure that determines whether a regular language is contained in an unambiguous timing diagram language, and [13] provides an algorithm that translates a certain class of timing diagrams into CTL [5]. A key difference with our work is that this algorithm is restricted to a subset of unambiguous timing diagrams under the basic invariant semantics (our algorithms under both iterative and invariant semantics are defined for all types of diagrams). The regular containment procedure [14] has a high complexity (in PSPACE), while our algorithms have polynomial time complexity in the diagram size.
An important contribution in this area is the work done by Damm and colleagues at the University of Oldenburg on Symbolic Timing Diagrams (STD's) [9, 24, 8, 16, 7]. STD's may be compiled into first-order temporal logic formulae which are then used for model checking. STD's are extended in [11, 10] to RTSTD's (Real-time STD's), where a translation into a timed propositional temporal logic TPTL is provided. Both these research efforts consider infinite languages and ambiguity. A key difference with our work lies in the fact that their translation is monolithic, in the sense that all dependencies are considered together; this can result in an exponential blowup in the size of the resulting formulae when the diagram is highly ambiguous. While it is possible to model check the first order temporal logic presented in [9, 10], the procedure is not very efficient. This paper presents "regular" timing diagrams (RTD's), which have a simple syntax and precise, simple semantics that closely corresponds to common usage. From our discussions with engineers, we are led to believe that RTD's are expressive enough to represent many timing diagrams that arise in practice. As mentioned earlier, the algorithms proposed in this paper can also be used with synchronous RTD's.
Noteworthy contributions of this paper include polynomial time, decompositional algorithms for model checking timing diagram specifications, which are based on a decomposition of the RTD semantics into properties of each waveform and the way they interact. Such decompositions may also provide a way of composing RTD's and thereby building new RTD's hierarchically. Our algorithms generate a ∀FA (NFA) corresponding to the RTD (the negation of the RTD). We can choose to use either the ∀FA (by splitting it into smaller ∀FA's) or its complement NFA in verifying that a system satisfies a RTD. These algorithms are a significant improvement over the earlier possibly exponential, monolithic translations. We have shown how our algorithms may be used in conjunction with a symbolic model checker such as VIS, to verify systems with specifications formulated as RTD's.
We are currently working on a tool that implements these translation and verification algorithms. We also intend to test the efficiency of our algorithms on industrial strength examples.
