Formalizing Timing Diagram Requirements in Discrete Duration Calculus by Matteplackel, Raj Mohan et al.
Formalizing Timing Diagram Requirements in Discrete Duration Calculus
Raj Mohan Matteplackel1, Paritosh K. Pandya1, and Amol Wakankar2
1 Tata Institute of Fundamental Research, Mumbai 400005, India.
{raj.matteplackel,pandya}@tifr.res.in
2 Bhabha Atomic Research Centre, Mumbai, India.
amolk@barc.gov.in
Abstract. Several temporal logics have been proposed to formalise timing diagram requirements over hardware and embedded controllers. These include LTL [CF05], discrete time MTL [AH93] and the recent industry standard PSL [EF16]. However, the succinctness and visual structure of a timing diagram are not adequately captured by their formulae [CF05]. The interval temporal logic QDDC is a highly succinct and visual notation for specifying patterns of behaviours [Pan00].
In this paper, we propose a practically useful notation called SeCeNL which enhances the negation-free fragment of QDDC with nominals and limited liveness. We show that timing diagrams can be naturally (compositionally) and succinctly formalized in SeCeNL as compared with PSL-Sugar and MTL. We give a linear time translation from timing diagrams to SeCeNL. As our second main result, we propose a linear time translation of SeCeNL into QDDC. This allows QDDC tools such as DCVALID [Pan00,Pan01] and DCSynth to be used for checking consistency of timing diagram requirements as well as for automatic synthesis of property monitors and controllers. We give examples of a minepump controller and a bus arbiter to illustrate our tools. Giving a theoretical analysis, we show that for the proposed SeCeNL, satisfiability and model checking have elementary complexity, as compared to the non-elementary complexity of the full logic QDDC.
1 Introduction
A timing diagram is a collection of binary signals and a set of timing constraints on them. It is a widely used visual formalism in digital hardware design, communication protocol specification and embedded controller specification. The advantages of timing diagrams in hardware design are twofold: first, since designers can visualize the waveforms of signals, they are easy to comprehend; second, they are very convenient for specifying ordering and timing constraints between events (see Fig. 1 and Fig. 2 below).
arXiv:1705.04510v1 [cs.LO] 12 May 2017
There have been numerous attempts at formalizing timing diagram constraints in the framework of temporal logics, such as the timing diagram logic [Fis99], with LTL formulas [CF05], and as synchronous regular timing diagrams [AEKN00]. Moreover, there are industry standard property specification languages such as PSL/Sugar and OVA for associating temporal assertions with hardware designs [EF16]. The main motivation for these attempts was to exploit the automatic verification techniques that these formalisms support for validation and automatic circuit synthesis. However, commenting on their success, Fisler et al. state that the less than satisfactory adoption of formal methods in the timing diagram domain can be partly attributed to the gulf that exists between graphical timing diagrams and textual temporal logic: expressing the various timing dependencies among signals that can be illustrated so naturally in timing diagrams is rather tedious in temporal logics [CF05]. As a result, hardware designers use timing diagrams informally, without any well defined semantics, which makes them unamenable to automatic design verification techniques.
In this paper, we take a fresh look at formalizing timing diagram requirements
with emphasis on the following three features of the formalism that we propose
here.
Firstly, we propose the use of an interval temporal logic QDDC to specify patterns of behaviours. QDDC is a highly succinct and visual notation for specifying regular patterns of behaviours [Pan00,Pan01,KP05]. We identify a quantifier- and negation-free subset SeCe of QDDC which is sufficient for formalizing timing diagram patterns. It includes a generalized regular expression like syntax with counting constructs. Constraints imposed by timing diagrams are straightforwardly and compactly stated in this logic. For example, the timing diagram in Fig. 1 stating that P transits from 0 to 1 somewhere in the interval u to u+3 cycles is captured by the SeCe formula [¬P]^<u>^(slen=3 ∧ [¬P]^[[P]])^[[P]]. The main advantage of SeCe is that it has elementary satisfiability as compared to the non-elementary satisfiability of general QDDC.
Fig. 1. Timing diagram with a marked position u and a timing constraint.
Secondly, it is very typical for timing diagrams to have partial ordering and synchronization constraints between distinct events. Emphasizing this aspect, formalisms such as two dimensional regular expressions [Fis07] have been proposed for timing diagrams. We find that synchronization in timing diagrams may even extend across different patterns of limited liveness properties. In order to handle such synchronization, we extend our logic SeCe with nominals from hybrid temporal logics [FdRS03]. Nominals are temporal variables which "freeze" the positions of occurrences of events. They naturally allow synchronization across formulae.
Thirdly, we enhance the timing diagram specifications (as well as the logic SeCe) with limited liveness operators. While timing diagrams visually specify patterns of occurrence of signals, they do not make precise the modalities of occurrence of such patterns. We explicitly introduce modalities such as a) initially, a specified pattern must occur, or b) every occurrence of pattern1 is necessarily and immediately followed by an occurrence of pattern2, or c) occurrence of a specified pattern is forbidden anywhere within a behaviour. In this, we are inspired by Allen's Interval Algebra relations [All83] as well as the LSC operators of Harel for message sequence charts [DH01]. We confine ourselves to limited liveness properties, where good things are achieved within specified bounds. For example, in specifying a modulo 6 counter, we can say that the counter will stabilize within the first 15 cycles. Astute readers will notice that, technically, our limited liveness operators only give rise to "safety" properties (in the sense of Alpern and Schneider [AS87]). However, from a designer's perspective they do achieve the practical goal of forcing good things to happen.
Putting all these together, we define a logic SeCeNL which includes negation-free QDDC together with limited liveness operators as well as nominals. The formal syntax and semantics of SeCeNL formulas is given in §2.3. We claim that SeCeNL provides a natural and convenient formalism for encoding timing diagram requirements. Substantiating this, we formulate a translation of timing diagrams into SeCeNL formulae in §3. The translation is succinct, in fact linear time computable in the size of the timing diagram. (A textual syntax is used for timing diagrams. This textual syntax is inspired by the tool WaveDrom [CP16], which is also used for graphical rendering of our timing diagram specifications.) Moreover, the translation is compositional, i.e. it translates each element of the timing diagram as one small formula and the overall specification is just the conjunction of such constraints. Hence, the translation preserves the structure of the diagram.
With several examples of timing diagrams, we compare their SeCeNL formulae with formulae in logics such as PSL-Sugar and MTL. Logic PSL-Sugar is amongst the most expressive notations for requirements. It is syntactically a superset of MTL and LTL, and it extends LTL with SEREs (regular expressions with intersection) which are similar to our SeCe. In spite of this, we show natural examples where the SeCeNL formula is at least one exponent more succinct than the PSL-Sugar formula.
As the second main contribution of this paper, we consider formal verification and controller synthesis from SeCeNL specifications. In §2.3, we formulate a reduction from a SeCeNL formula to an equivalent QDDC formula. This allows QDDC tools to be used for SeCeNL. It may be noted that, though expressively no more powerful than QDDC, logic SeCeNL is considerably more efficient for satisfiability and model checking. We show that these problems have elementary complexity, as compared with full QDDC which exhibits non-elementary complexity. Also, the presence of limited liveness and nominals makes it more convenient than QDDC for practical use.
By implementing the above reductions, we have constructed a Python based
translator which converts a requirement consisting of a boolean combination
of timing diagram specifications (augmented with limited liveness) and SeCeNL
formulae into an equivalent QDDC formula. We can analyze the resulting formula
using the QDDC tools DCVALID [Pan00,Pan01] as well as DCSynthG for model
checking and controller synthesis, respectively (see Fig. 11 for the tool chain).
We illustrate the use of our tools by the case studies of a synchronous bus arbiter
and a minepump controller in §4. Readers may note that we specify rather rich
quantitative requirements not commonly considered, and our tools are able to
automatically synthesize monitors and controllers for such specifications.
2 Logic QDDC
Let Σ be a finite non empty set of propositional variables. A word σ over Σ is
a finite sequence of the form P0 · · ·Pn where Pi ⊆ Σ for each i ∈ {0, . . . , n}. Let
len(σ) = n+ 1, dom(σ) = {0, . . . , n} and ∀i ∈ dom(σ) : σ(i) = Pi.
The syntax of a propositional formula over Σ is given by:
ϕ := 0 | 1 | p ∈ Σ | ϕ ∧ ϕ | ϕ ∨ ϕ | ¬ϕ,
and operators such as ⇒ and ⇔ are defined as usual. Let ΩΣ be the set of all
propositional formulas over Σ.
Let σ = P0 · · · Pn be a word and ϕ ∈ ΩΣ. Then, for i ∈ dom(σ), the satisfaction relation σ, i |= ϕ is defined inductively as expected: σ, i |= 1; σ, i |= p iff p ∈ σ(i); σ, i |= ¬p iff σ, i ⊭ p; and the satisfaction relation for the remaining boolean combinations is defined in the natural way.
The syntax of a QDDC formula over Σ is given by:
D := 〈ϕ〉 | [ϕ] | [[ϕ]] | {{ϕ}} | D ^ D | ¬D | D ∨D | D ∧D | D∗ |
∃p. D | ∀p. D | slen ./ c | scount ϕ ./ c | sdur ϕ ./ c,
where ϕ ∈ ΩΣ , p ∈ Σ, c ∈ N and ./∈ {<,≤,=,≥, >}.
An interval over a word σ is of the form [b, e] where b, e ∈ dom(σ) and b ≤ e.
An interval [b1, e1] is a sub interval of [b, e] if b ≤ b1 and e1 ≤ e. Let Intv(σ) be
the set of all intervals over σ.
Let σ be a word over Σ and let [b, e] ∈ Intv(σ) be an interval. Then the satisfaction relation of a QDDC formula D over Σ, written σ, [b, e] |= D, is defined inductively as follows:
σ, [b, e] |= 〈ϕ〉 iff σ, b |= ϕ,
σ, [b, e] |= [ϕ] iff ∀b ≤ i < e : σ, i |= ϕ,
σ, [b, e] |= [[ϕ]] iff ∀b ≤ i ≤ e : σ, i |= ϕ,
σ, [b, e] |= {{ϕ}} iff e = b + 1 and σ, b |= ϕ,
σ, [b, e] |= ¬D iff σ, [b, e] ⊭ D,
σ, [b, e] |= D1 ∨ D2 iff σ, [b, e] |= D1 or σ, [b, e] |= D2,
σ, [b, e] |= D1 ∧ D2 iff σ, [b, e] |= D1 and σ, [b, e] |= D2,
σ, [b, e] |= D1^D2 iff ∃b ≤ i ≤ e : σ, [b, i] |= D1 and σ, [i, e] |= D2.
We call a word σ′ a p-variant, p ∈ Σ, of a word σ if ∀i ∈ dom(σ), ∀q ≠ p : σ′(i)(q) = σ(i)(q). Then σ, [b, e] |= ∃p. D ⇔ σ′, [b, e] |= D for some p-variant σ′ of σ, and σ, [b, e] |= ∀p. D ⇔ σ, [b, e] ⊭ ∃p. ¬D. We define σ |= D iff σ, [0, n] |= D, i.e. D is evaluated on the full interval [0, len(σ) − 1].
Example 1. Let Σ = {p, q} and let σ = P0 · · · P7 be such that ∀0 ≤ i < 7 : Pi = {p} and P7 = {q}. Then σ, [0, 7] |= [p] but σ, [0, 7] ⊭ [[p]], as p ∉ P7.
Example 2. Let Σ = {p, q, r} and let σ = P0 · · · P10 be such that ∀0 ≤ i < 4 : Pi = {p}, ∀4 ≤ i < 8 : Pi = {p, q, r} and ∀8 ≤ i ≤ 10 : Pi = {q, r}. Then σ, [0, 10] |= [p]^[[¬p ∧ r]] because for i ∈ {8, 9, 10} the condition ∃0 ≤ i ≤ 10 : σ, [0, i] |= [p] and σ, [i, 10] |= [[¬p ∧ r]] is met. But σ, [0, 7] ⊭ [p]^[[¬p ∧ r]], as there is no 0 ≤ i ≤ 7 with σ, [0, i] |= [p] and σ, [i, 7] |= [[¬p ∧ r]].
Entities slen, scount and sdur are called terms in QDDC. The term slen gives the length of the interval in which it is measured, scount ϕ, where ϕ ∈ ΩΣ, counts the number of positions, including the last point of the interval under consideration, where ϕ holds, and sdur ϕ gives the number of positions, excluding the last point of the interval, where ϕ holds. Formally, for ϕ ∈ ΩΣ we have
$$\mathit{slen}(\sigma,[b,e]) = e - b,\qquad \mathit{scount}(\sigma,\varphi,[b,e]) = \sum_{i=b}^{e} \begin{cases} 1 & \text{if } \sigma, i \models \varphi,\\ 0 & \text{otherwise,}\end{cases}\qquad \mathit{sdur}(\sigma,\varphi,[b,e]) = \sum_{i=b}^{e-1} \begin{cases} 1 & \text{if } \sigma, i \models \varphi,\\ 0 & \text{otherwise.}\end{cases}$$
In addition we also use the following derived constructs: σ, [b, e] |= pt iff b = e; σ, [b, e] |= ext iff b < e; σ, [b, e] |= ♦D iff σ, [b, e] |= true^D^true; and σ, [b, e] |= □D iff σ, [b, e] ⊭ ♦¬D.
A formula automaton for a QDDC formula D is a deterministic finite state automaton which accepts precisely the language L(D) = {σ | σ |= D}.
Theorem 1. [Pan01] For every QDDC formula D over Σ we can construct a DFA A(D) for D such that L(D) = L(A(D)). The size of A(D) is non-elementary in the size of D in the worst case.
2.1 Chop expressions: Ce and SeCe
Definition 1. The logic of Semi extended Chop expressions (SeCe) is the syntactic subset of QDDC in which the operators ∃p. D, ∀p. D and negation are not allowed. The logic of Chop expressions (Ce) is the sublogic of SeCe in which conjunction is also not allowed.
Lemma 1. For any chop expression D of size n we can effectively construct a language equivalent DFA A of size at most 2^{2^n}.
Proof. We observe that for any chop expression D we can construct a language equivalent NFA which is at most exponential in the size of D, including the constants appearing in it (for a detailed proof see [BP12], wherein a similar result has been proved). Determinizing this NFA gives a DFA of size at most 2^{2^n} which accepts exactly the set of words σ such that σ |= D.
Corollary 1. For any SeCe D of size n we can effectively construct a language equivalent DFA A of size at most 2^{2^{2n}}.
Proof. The proof follows from the definition of SeCe, Lemma 1 and the fact that the product of DFAs (needed for the conjunctions) is at most exponential in the size of the individual DFAs.
2.2 DCVALID and DCSynthG
The reduction from a QDDC formula to its formula automaton has been implemented in the tool DCVALID [Pan00,Pan01]. The formula automaton it generates is the total, deterministic and minimal automaton for the formula. DCVALID can also translate the formula automaton into a Lustre/SCADE, Esterel, SMV or Verilog observer module. By connecting this observer module to run synchronously with a system, we reduce model checking of a QDDC property to reachability checking in the observer augmented system. See [Pan00,Pan01] for details. A further use of formula automata can be seen in the tool DCSynthG, which synthesizes synchronous dataflow controllers in SCADE/NuSMV/Verilog from QDDC specifications.
2.3 Logic SeCeNL: Syntax and Semantics
We can now introduce our logic SeCeNL, which builds upon SeCe by augmenting it with nominals and limited liveness operators.
Syntax : The syntax of SeCeNL atomic formulae is as follows. Let D, D1, D2 and D3 range over SeCe formulae and let Θ, Θ1, Θ2 and Θ3 range over subsets of the propositional variables occurring in these SeCe formulae. The notation D : Θ, called a nominated formula, denotes that Θ is the set of variables used as nominals in the formula D.
init(D1 : Θ1 / D2 : Θ2) | anti(D : Θ) | pref(D : Θ) |
implies(D1 : Θ1  D2 : Θ2) | follows(D1 : Θ1  D2 : Θ2 / D3 : Θ3) |
triggers(D1 : Θ1  D2 : Θ2 / D3 : Θ3)
A SeCeNL formula is a boolean combination of atomic SeCeNL formulae of the form above. As a convention, D : {} is abbreviated as D when the set of nominals Θ is empty.
Limited Liveness Operators : Given a word σ and a position i ∈ dom(σ), we state that σ, i |= D iff σ[0 : i] |= D. Thus, the interpretation is that the past of position i in the execution satisfies D.
For a SeCe formula D we let Ξ(D) = D ∧ ¬(D^ext), which says that if σ, [b, e] |= Ξ(D) then σ, [b, e] |= D and there exists no proper prefix interval [b, e1] (i.e. [b, e1] ∈ Intv(σ) and b ≤ e1 < e) such that σ, [b, e1] |= D. We say σ′ ≤prefix σ if σ′ is a prefix of σ, and σ′ <prefix σ if σ′ is a proper prefix of σ.
We first explain the semantics of the limited liveness operators assuming that no nominals are used in the specification, i.e. Θ, Θ1, Θ2 and Θ3 are all empty. A set S ⊆ Σ* is prefix closed if σ ∈ S implies ∀σ′ : σ′ ≤prefix σ ⇒ σ′ ∈ S. We observe that each atomic liveness formula denotes a prefix closed subset of (2^Σ)^+.
– L(pref(D)) = {σ | ∀σ′ ≤prefix σ : σ′ |= D}. Operator pref(D) denotes that D holds invariantly throughout the execution.
– L(init(D1/D2)) = {σ | ∀j : σ, [0, j] |= D2 ⇒ ∃k ≤ j : σ, [0, k] |= D1}. Operator init(D1/D2) basically states that if j is the first position which satisfies D2 in the execution then there exists a k ≤ j such that k satisfies D1. Thus, initially D1 holds before D2, unless the execution (is too short and hence) does not satisfy D2 anywhere.
– L(anti(D)) = {σ | ∀i, j : σ, [i, j] ⊭ D}. Operator anti(D) states that there is no observation sub-interval of the execution which satisfies D.
– L(implies(D1  D2)) = {σ | ∀i, j : (σ, [i, j] |= D1 ⇒ σ, [i, j] |= D2)}. Operator implies(D1  D2) states that all observation intervals which satisfy D1 also satisfy D2.
– L(follows(D1  D2/D3)) = {σ | ∀i, j : (σ, [i, j] |= D1 ⇒ (∀k : σ, [j, k] |= Ξ(D3) ⇒ ∃l ≤ k : σ, [j, l] |= D2))}. Operator follows(D1  D2/D3) states that if any observation interval [i, j] satisfies D1 and [j, k] is the following shortest interval which satisfies D3, then there exists a prefix interval of [j, k] which satisfies D2.
– L(triggers(D1  D2/D3)) = {σ | ∀i, j : (σ, [i, j] |= D1 ⇒ (∀k : σ, [i, k] |= Ξ(D3) ⇒ ∃l ≤ k : σ, [i, l] |= D2))}. Operator triggers(D1  D2/D3) states that if any observation interval [i, j] satisfies D1 and [i, k] is the shortest interval starting at i which satisfies D3, then D2 holds for a prefix interval of [i, k].
Based on this semantics, we can translate an atomic SeCeNL formula ζ without nominals into an equivalent QDDC formula ℵ(ζ) as follows (the translation uses negation and the derived operator □, so its result is a QDDC formula rather than a SeCe formula).
1. ℵ(pref(D)) ≡def ¬((¬D)^true).
2. ℵ(init(D1/D2)) ≡def pref(Ξ(D2) ⇒ D1^true).
3. ℵ(anti(D)) ≡def ¬(true^D^true).
4. ℵ(implies(D1  D2)) ≡def □(D1 ⇒ D2).
5. ℵ(follows(D1  D2/D3)) ≡def □(¬(D1^(Ξ(D3) ∧ ¬(D2^true)))).
6. ℵ(triggers(D1  D2/D3)) ≡def □(D1^true ⇒ (Ξ(D3) ⇒ D2^true)) ∧ □(D1 ⇒ pref(Ξ(D3) ⇒ D2^true)).
Lemma 2. For any ζ ∈ SeCeNL, if ζ does not use nominals then σ ∈ L(ζ) iff σ ∈ L(ℵ(ζ)).
The proof follows from examination of the semantics of ζ and the definition of ℵ(ζ). We omit the details.
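The interval semantics of §2 and the limited liveness operators above are small enough to check by brute force on a short word, which is a useful sanity check before handing a requirement to DCVALID. The following Python is an added illustration, not the paper's translator or DCVALID (which compile the formula to a formula automaton instead of enumerating intervals); it evaluates the quantifier-free core of QDDC by enumerating split points and intervals, implements Ξ(D) and the operators pref, init, anti, implies and follows for Θ = {} directly from their definitions, and reproduces Examples 1 and 2. The tuple encoding of formulas, the word layout (a list of sets of true variables) and all function names are this example's own conventions.

```python
import operator

# Added illustration (not the paper's DCVALID tooling): a brute-force checker
# for the quantifier-free core of QDDC and for the SeCeNL limited liveness
# operators without nominals, written directly from the semantics above.
# A word is a list w = [P_0, ..., P_n] of sets of variables; a propositional
# formula is a callable P_i -> bool; a QDDC formula is a nested tuple.
CMP = {'<': operator.lt, '<=': operator.le, '=': operator.eq,
       '>=': operator.ge, '>': operator.gt}
TRUE = ('true',)

def holds(w, b, e, D):
    """sigma,[b,e] |= D for 0 <= b <= e <= n."""
    op = D[0]
    if op == 'true':
        return True
    if op == '<>':                       # <phi>: phi at the start point b
        return D[1](w[b])
    if op == '[]':                       # [phi]: phi at every b <= i < e
        return all(D[1](w[i]) for i in range(b, e))
    if op == '[[]]':                     # [[phi]]: phi at every b <= i <= e
        return all(D[1](w[i]) for i in range(b, e + 1))
    if op == '{{}}':                     # {{phi}}: unit interval, phi at b
        return e == b + 1 and D[1](w[b])
    if op == 'not':
        return not holds(w, b, e, D[1])
    if op == 'or':
        return holds(w, b, e, D[1]) or holds(w, b, e, D[2])
    if op == 'and':
        return holds(w, b, e, D[1]) and holds(w, b, e, D[2])
    if op == 'chop':                     # D1^D2: some split point b <= i <= e
        return any(holds(w, b, i, D[1]) and holds(w, i, e, D[2])
                   for i in range(b, e + 1))
    if op == 'slen':                     # slen ./ c with slen = e - b
        return CMP[D[1]](e - b, D[2])
    if op == 'scount':                   # scount phi ./ c, positions b..e
        return CMP[D[2]](sum(D[1](w[i]) for i in range(b, e + 1)), D[3])
    if op == 'sdur':                     # sdur phi ./ c, positions b..e-1
        return CMP[D[2]](sum(D[1](w[i]) for i in range(b, e)), D[3])
    raise ValueError(f'unknown operator {op!r}')

def sat(w, D):
    """sigma |= D: D evaluated on the full interval [0, n]."""
    return holds(w, 0, len(w) - 1, D)

def shortest(w, b, e, D):
    """Xi(D) = D and not (D^ext): no proper prefix [b, e1] of [b, e] satisfies D."""
    return holds(w, b, e, D) and not any(holds(w, b, e1, D) for e1 in range(b, e))

def intervals(w):
    return [(i, j) for i in range(len(w)) for j in range(i, len(w))]

# Limited liveness operators with Theta = {}, one function per operator.
def pref(w, D):
    return all(holds(w, 0, i, D) for i in range(len(w)))

def init(w, D1, D2):
    return all(any(holds(w, 0, k, D1) for k in range(j + 1))
               for j in range(len(w)) if holds(w, 0, j, D2))

def anti(w, D):
    return not any(holds(w, i, j, D) for i, j in intervals(w))

def implies(w, D1, D2):
    return all(holds(w, i, j, D2) for i, j in intervals(w) if holds(w, i, j, D1))

def follows(w, D1, D2, D3):
    # after every D1 interval [i,j], the shortest D3 interval [j,k] must have a
    # prefix [j,l] satisfying D2 (triggers is the same with [i,k] and [i,l])
    return all(any(holds(w, j, l, D2) for l in range(j, k + 1))
               for i, j in intervals(w) if holds(w, i, j, D1)
               for k in range(j, len(w)) if shortest(w, j, k, D3))

# Examples 1 and 2 of the paper, as words (sets of the variables true at P_i).
p, q, r = (lambda P: 'p' in P), (lambda P: 'q' in P), (lambda P: 'r' in P)
EX1 = [{'p'}] * 7 + [{'q'}]
EX2 = [{'p'}] * 4 + [{'p', 'q', 'r'}] * 4 + [{'q', 'r'}] * 3

def check_examples():
    D = ('chop', ('[]', p), ('[[]]', lambda P: not p(P) and r(P)))   # [p]^[[¬p ∧ r]]
    p_not_q = lambda P: p(P) and not q(P)
    q_somewhere = ('chop', TRUE, ('<>', q))                           # true^<q>
    return {
        'ex1_[p]': holds(EX1, 0, 7, ('[]', p)),
        'ex1_[[p]]': holds(EX1, 0, 7, ('[[]]', p)),
        'ex2_[0,10]': holds(EX2, 0, 10, D),
        'ex2_[0,7]': holds(EX2, 0, 7, D),
        'scount_q_[4,8]': holds(EX2, 4, 8, ('scount', q, '=', 5)),
        'sdur_q_[4,8]': holds(EX2, 4, 8, ('sdur', q, '=', 4)),
        # p holds throughout [0,7] (length 7), so only the bound 8 is respected
        'anti_p_len8': anti(EX2, ('and', ('[[]]', p), ('slen', '>=', 8))),
        'anti_p_len7': anti(EX2, ('and', ('[[]]', p), ('slen', '>=', 7))),
        # every p∧¬q cycle is followed by q within 4 cycles, but not within 2
        'follows_4': follows(EX2, ('{{}}', p_not_q), q_somewhere, ('slen', '=', 4)),
        'follows_2': follows(EX2, ('{{}}', p_not_q), q_somewhere, ('slen', '=', 2)),
        # [p]^<q> holds by the first prefix that contains a q
        'init': init(EX2, ('chop', ('[]', p), ('<>', q)), q_somewhere),
    }
```

The enumeration is cubic in the word length per chop, so this is only for checking a candidate requirement against a handful of hand-written traces; the anti/slen pair illustrates how an upper bound on a signal's high time (the ubound pattern of §4) is expressed as a forbidden interval.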
Nominals : Consider a nominated formula D : Θ where D is a SeCe formula over propositional variables Σ ∪ Θ. As we shall see later, the propositional variables in Θ are treated as "placeholders", variables which are meant to be true at exactly one point, and we call them nominals following [FdRS03].
Given an interval [b, e] ∈ Intv(N) we define a nominal valuation over [b, e] to be a map ν : Θ → {i | b ≤ i ≤ e}. It assigns a unique position within [b, e] to each nominal variable. We can then straightforwardly define σ, [b, e] |=ν D by constructing a word σν over Σ ∪ Θ such that ∀p ∈ Σ : p ∈ σν(i) ⇔ p ∈ σ(i) and ∀u ∈ Θ : u ∈ σν(i) ⇔ ν(u) = i. Then σν, [b, e] |= D ⇔ σ, [b, e] |=ν D. We say that ν1 over Θ1 and ν2 over Θ2 are consistent if ν1(u) = ν2(u) for all u ∈ Θ1 ∩ Θ2. We denote this by ν1 ‖ ν2.
Semantics of SeCeNL : Now we consider the semantics of SeCeNL where nominals are used and shared between different parts D1, D2 and D3 of an atomic formula such as implies(D1 : Θ1  D2 : Θ2).
Example 3 (lags). Let D1 : {u, v} be the formula (<u>^[[P]]) ∧ ((slen=n)^<v>^true), which holds for an interval where P is true throughout the interval and v marks the (n+1)th position counting from u, the start of the interval. Let D2 : {v} be the formula true^<v>^[[Q]]. Then implies(D1 : {u, v}  D2 : {v}) states that for all observation intervals [i, j] and all nominal valuations ν over [i, j], if σ, [i, j] |=ν D1 then σ, [i, j] |=ν D2. This formula is given by the live timing diagram in Fig. 2 below.³
Fig. 2. Live timing diagram.
We now give the semantics of SeCeNL.
– L(pref(D : Θ)) = {σ | ∀σ′ ≤prefix σ : ∃ν. σ′ |=ν D}.
– L(init(D1 : Θ1 / D2 : Θ2)) = {σ | ∀j ∀ν1 : σ, [0, j] |=ν1 D2 ⇒ ∃k ≤ j ∃ν2 : ν1 ‖ ν2 ∧ σ, [0, k] |=ν2 D1}.
– L(anti(D : Θ)) = {σ | ∀i, j ∀ν :  σ, [i, j] ⊭ν D}.
– L(implies(D1 : Θ1  D2 : Θ2)) = {σ | ∀i, j ∀ν1 : (σ, [i, j] |=ν1 D1 ⇒ ∃ν2 : ν1 ‖ ν2 ∧ σ, [i, j] |=ν2 D2)}.
– L(follows(D1 : Θ1  D2 : Θ2 / D3 : Θ3)) = {σ | ∀i, j ∀ν1 : (σ, [i, j] |=ν1 D1 ⇒ (∀k ∀ν2 ‖ ν1 : σ, [j, k] |=ν2 Ξ(D3) ⇒ ∃l ≤ k ∃ν3 : ν3 ‖ ν1 ∧ ν3 ‖ ν2 ∧ σ, [j, l] |=ν3 D2))}.
– L(triggers(D1 : Θ1  D2 : Θ2 / D3 : Θ3)) = {σ | ∀i, j ∀ν1 : (σ, [i, j] |=ν1 D1 ⇒ (∀k ∀ν2 ‖ ν1 : σ, [i, k] |=ν2 Ξ(D3) ⇒ ∃l ≤ k ∃ν3 : ν3 ‖ ν1 ∧ ν3 ‖ ν2 ∧ σ, [i, l] |=ν3 D2))}.
³ Here we wish to point out that the illustration was made with the timing diagram editor WaveDrom and, due to its limitation on naming nominals, we were forced to rename the nominal v appearing in D2 as a.
Based on the above semantics, we now formulate a QDDC formula equivalent to a SeCeNL formula. We define the notations ∀1Θ : D and ∃1Θ : D as derived operators. These operators relativize the quantifiers so that each quantified variable is restricted to a singleton, i.e. it holds at exactly one position of the interval. For Θ = {u1, . . . , un}:
∀1Θ : D ⇔ ∀u1. · · · ∀un. ((scount u1 = 1 ∧ · · · ∧ scount un = 1) ⇒ D).
∃1Θ : D ⇔ ∃u1. · · · ∃un. ((scount u1 = 1 ∧ · · · ∧ scount un = 1) ∧ D).
From SeCeNL to QDDC : We now define the translation ℵ from SeCeNL to QDDC.
1. ℵ(pref(D : Θ)) ≡def ¬(∃1Θ : ¬D^true).
2. ℵ(init(D1 : Θ1 / D2 : Θ2)) ≡def pref(∀1Θ2 : (D2 ⇒ ∃1Θ1−Θ2 : D1^true)).
3. ℵ(anti(D : Θ)) ≡def ¬(∃1Θ : true^D^true).
4. ℵ(implies(D1 : Θ1  D2 : Θ2)) ≡def □(∀1Θ1 : (D1 ⇒ ∃1Θ2−Θ1 : D2)).
5. ℵ(follows(D1 : Θ1  D2 : Θ2 / D3 : Θ3)) ≡def □(∀1Θ1 : ∀1Θ3−Θ1 : ∃1Θ2−(Θ1∪Θ3) : ¬(D1^(Ξ(D3) ∧ ¬(D2^true)))).
6. ℵ(triggers(D1 : Θ1  D2 : Θ2 / D3 : Θ3)) ≡def □(∀1Θ1 : (D1^true ⇒ (∀1Θ3−Θ1 : (Ξ(D3) ⇒ ∃1Θ2−(Θ1∪Θ3) : D2^true)))) ∧ □(∀1Θ1 : (D1 ⇒ pref(∀1Θ3−Θ1 : (Ξ(D3) ⇒ ∃1Θ2−(Θ1∪Θ3) : D2^true)))).
Theorem 2. For any word σ over Σ and any ζ ∈ SeCeNL we have that σ ∈ L(ζ) iff σ ∈ L(ℵ(ζ)). Moreover, the translation ℵ(ζ) can be computed in time linear in the size of ζ.
The proof follows from the semantics of ζ and the definition of ℵ(ζ).
Lemma 3. Let ζ = implies(D1 : Θ1  D2 : Θ2) and let |A(Di)| = mi for i ∈ {1, 2}. Then there exists a DFA A(ζ) of size at most 2^{2^{m1 m2}} for ζ.
Proof. The formula ζ can be written in terms of a negation and two existential quantifiers. Note that each application of an existential quantifier results in an NFA, and each time we determinize we get a DFA which is at most exponential in the size of the NFA. Since both A(D1) and A(D2) are DFAs to start with, we can construct a DFA A(ζ) of size at most 2^{2^{m1 m2}} for ζ.
In a similar way we can show that the sizes of the formula automata for the other SeCeNL atomic formulae are also elementary.
Lemma 4. For any ζ ∈ SeCeNL the size of the automaton A(ζ) for ζ is elementary.
3 Formalizing timing diagrams
In this section we give a formal semantics to timing diagrams and a formula translation from timing diagrams to SeCeNL. We begin by giving a textual syntax for timing diagrams which is derived from the timing diagram format of WaveDrom [CP16,Wav16].
The symbols in a waveform come from Λ = {0, 1, 2, x, 0|, 1|, 2|, x|} and a set Θ of nominals. Let Γ = Θ ∪ Λ. The syntax of a waveform π over Γ is given by the grammar:
π := 0 ‖ 1 ‖ 2 ‖ x ‖ 0| ‖ 1| ‖ 2| ‖ x| ‖ u : π ‖ π1 π2,
where u ∈ Θ and the terminal symbols are the elements of Λ. We call the elements of Θ the nominals. As we shall see later, when we convert a waveform to a SeCeNL formula the nominals that appear in the formula are exactly the nominals in the waveform, hence the name. Let Wf be the set of all waveforms over Γ.
An example of a waveform is 01a:2x011xb:x2|220c:00 with Θ = {a, b, c}. Intuitively, in a waveform 0 denotes low, 1 high, 2 and x don't cares (there is a subtle difference between 2 and x though, made precise in the semantics below) and "|" is the stuttering operator.
Let Σ be a set of propositional variables. A timing diagram over Σ is a tuple 〈W, Σ, C, Θ〉 where W = {Wp ∈ Wf | p ∈ Σ} and C ⊂ Θ × Θ × Intv(N) is a set of timing constraints.
Fig. 3 shows an example timing diagram T = 〈{Wp, Wq}, {p, q}, {(a, b, [10 : 10]), (a, d, [1 : 8]), (d, c, [20 : 30])}, {a, b, c, d, e, f}〉 along with its rendering in WaveDrom. The shared nominals have to be renamed in WaveDrom as commented in §2.3; in this case a and c in Wq have been renamed g and h respectively. As in the case of SeCeNL formulas, nominals act as placeholders in timing diagrams which can be shared among multiple waveforms. For example, in the figure Wp and Wq share the nominals a and c. As a result, a timing constraint on one waveform can implicitly induce a timing constraint on another. For instance, even though there is no direct timing constraint between a and c in Wp, the constraints between a and d, and between d and c, together impose one on them.
waveform Wp - 01a:2x011xb:x2|220c:00
waveform Wq - 00a:0|d:11|e:xxx|f:01c:11
timing constraints: d-a ∈ [1:8], c-d ∈ [20:30], b-a ∈ [10:10]
Fig. 3. Timing diagram T and its WaveDrom rendering.
Let T = 〈W, Σ, C, Θ〉, W = {Wp ∈ Wf | p ∈ Σ}, be a timing diagram. Let ν : Θ → [b, e] be a nominal valuation. Let σ : [0, n] → 2^Σ be a word over Σ and for all p ∈ Σ let σp : [0, n] → {0, 1} be given by σp(i) = 1 iff p ∈ σ(i). Then the satisfaction relation of σp over a waveform W under the valuation ν is defined as follows.
σp, [b, e] |=ν 0 iff e = b + 1 and σp(b) = 0,
σp, [b, e] |=ν 1 iff e = b + 1 and σp(b) = 1,
σp, [b, e] |=ν λ iff e = b + 1, for λ ∈ {2, x},
σp, [b, e] |=ν 0| iff ∀b ≤ i < e : σp(i) = 0,
σp, [b, e] |=ν 1| iff ∀b ≤ i < e : σp(i) = 1,
σp, [b, e] |=ν 2| iff ∀b ≤ i < e : σp(i) ∈ {0, 1},
σp, [b, e] |=ν x| iff ∀b ≤ i < e : σp(i) = 1 or ∀b ≤ i < e : σp(i) = 0,
σp, [b, e] |=ν u : W iff ν(u) = b and σp, [b, e] |=ν W,
σp, [b, e] |=ν VW iff ∃b ≤ i < e : σp, [b, i] |=ν1 V and σp, [i, e] |=ν2 W, where ν1 ‖ ν and ν2 ‖ ν.
We say ν |= C iff ∀(a, b, [l, r]) ∈ C : ν(b) − ν(a) ∈ [l, r]. We define σ, [b, e] |=ν 〈W, Σ, C, Θ〉 iff ∀p ∈ Σ : σp, [b, e] |=ν Wp and ν |= C.
3.1 Waveform to SeCeNL translation
We translate a waveform Wp to SeCeNL as follows: every 0 occurring in Wp is translated to {{¬P}}, 1 to {{P}}, 2 and x to slen=1, 0| to pt∨[¬P], 1| to pt∨[P], 2| to true, and x| to pt∨[P]∨[¬P]. A nominal u appearing in Wp is translated to <u>. For instance, the waveform Wp = 01a:2x011xb:x2|220c:00 in T of Fig. 3 is translated to the SeCeNL formula below.
({{¬P}}^{{P}}^<a>^(slen=1)^(slen=1)^{{¬P}}^{{P}}^{{P}}^(slen=1)^<b>^(slen=1)^true^(slen=1)^(slen=1)^{{¬P}}^<c>^{{¬P}}^{{¬P}}).
We denote the translated SeCeNL formula by ξ(T, Wp). Similarly we can translate Wq to get the formula ξ(T, Wq). The timing constraints in C are translated to the SeCeNL formula ξ(T, C) as follows.
((true^<a>^((slen ≥ 1) ∧ (slen ≤ 8))^<d>^true) ∧
(true^<d>^((slen ≥ 20) ∧ (slen ≤ 30))^<c>^true) ∧
(true^<a>^(slen=10)^<b>^true)).
For the diagram of Fig. 3 this gives ξ(T) = ξ(T, Wp) ∧ ξ(T, Wq) ∧ ξ(T, C). In general, for a timing diagram T = 〈W, Σ, C, Θ〉 with W = {Wp | p ∈ Σ} we define ξ(T) = (⋀_{p∈Σ} ξ(T, Wp)) ∧ ξ(T, C).
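The translation above is mechanical enough to implement directly. The following Python is an added illustration (the authors' own Python translator is not reproduced here); it tokenizes a waveform string, maps each symbol and nominal to its SeCe fragment, emits ξ(T, C) for the timing constraints and conjoins everything into ξ(T) for the diagram of Fig. 3. It assumes single-letter nominal names, as in Fig. 3, which is what makes `xb:` parse as the don't-care symbol x followed by the nominal b, and it rejects a constraint that mentions a nominal no waveform marks, since nothing in such a diagram would ever fix that nominal's position. The function names are this example's own.

```python
# Added illustration of the waveform-to-SeCeNL translation of Section 3.1
# (example code, not the authors' translator).  Assumption: nominal names
# are single letters, as in Fig. 3, so "xb:" is the symbol x followed by
# the nominal b, and "x:" is a nominal named x.

def tokenize(waveform):
    """Split a waveform into ('nominal', u) and ('symbol', s) tokens,
    where s is one of 0 1 2 x optionally followed by the stuttering bar |."""
    tokens, i = [], 0
    while i < len(waveform):
        c = waveform[i]
        nxt = waveform[i + 1] if i + 1 < len(waveform) else ''
        if c.isalpha() and nxt == ':':
            tokens.append(('nominal', c))
            i += 2
        elif c in '012x':
            tokens.append(('symbol', c + '|' if nxt == '|' else c))
            i += 2 if nxt == '|' else 1
        else:
            raise ValueError(f'unexpected {c!r} at position {i} in {waveform!r}')
    return tokens


def symbol_to_secenl(symbol, P):
    """Per-symbol SeCe fragment for the signal variable P (Section 3.1)."""
    table = {
        '0': '{{¬' + P + '}}',                  # low for exactly one cycle
        '1': '{{' + P + '}}',                   # high for exactly one cycle
        '2': '(slen=1)',                        # one cycle, value unconstrained
        'x': '(slen=1)',
        '0|': '(pt∨[¬' + P + '])',              # low, stuttered (possibly empty)
        '1|': '(pt∨[' + P + '])',
        '2|': 'true',                           # any values for any length
        'x|': '(pt∨[' + P + ']∨[¬' + P + '])',  # stable but unknown value
    }
    return table[symbol]


def waveform_to_secenl(waveform, P):
    """xi(T, W_P): the chop of the fragments, a nominal u becoming <u>."""
    parts = ['<' + u + '>' if kind == 'nominal' else symbol_to_secenl(u, P)
             for kind, u in tokenize(waveform)]
    return '(' + '^'.join(parts) + ')'


def nominals(waveform):
    return {u for kind, u in tokenize(waveform) if kind == 'nominal'}


def constraint_to_secenl(a, b, lo, hi):
    """(a, b, [lo:hi]) in C: nu(b) - nu(a) lies in [lo, hi], with 0 <= lo <= hi."""
    if not 0 <= lo <= hi:
        raise ValueError(f'bad bounds [{lo}:{hi}] for constraint {b}-{a}')
    gap = f'(slen={lo})' if lo == hi else f'((slen≥{lo}) ∧ (slen≤{hi}))'
    return f'(true^<{a}>^{gap}^<{b}>^true)'


def timing_diagram_to_secenl(waveforms, constraints):
    """xi(T) for T = <W, Sigma, C, Theta>: waveforms maps each signal
    variable P to W_P; constraints is a list of (a, b, lo, hi)."""
    theta = set().union(*(nominals(w) for w in waveforms.values()))
    for a, b, _, _ in constraints:
        # a constraint on a nominal that no waveform marks is a specification
        # error: nothing in the diagram would ever fix that nominal's position
        if not {a, b} <= theta:
            raise ValueError(f'constraint {b}-{a} uses a nominal outside {sorted(theta)}')
    conjuncts = [waveform_to_secenl(w, P) for P, w in waveforms.items()]
    conjuncts += [constraint_to_secenl(*c) for c in constraints]
    return ' ∧ '.join(conjuncts)


# The timing diagram T of Fig. 3; constraints are (a, b, lo, hi) for b - a in [lo:hi].
FIG3_WAVEFORMS = {'P': '01a:2x011xb:x2|220c:00', 'Q': '00a:0|d:11|e:xxx|f:01c:11'}
FIG3_CONSTRAINTS = [('a', 'd', 1, 8), ('d', 'c', 20, 30), ('a', 'b', 10, 10)]
```

Calling `timing_diagram_to_secenl(FIG3_WAVEFORMS, FIG3_CONSTRAINTS)` yields ξ(T, Wp) ∧ ξ(T, Wq) ∧ ξ(T, C) with the first conjunct equal to the formula displayed above; the output is one chop per token, so its size is linear in the diagram, as Theorem 3 states.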
Theorem 3. Let T be a timing diagram. Then, for all words σ over Σ, for all [b, e] ∈ Intv(σ) and for all nominal valuations ν over [b, e], σ, [b, e] |=ν T iff σ, [b, e] |=ν ξ(T) : Θ. Also, the translation ξ(T) : Θ is linear in the size of T.
Proof. The proof is not difficult and is by induction on the length of the waveform.
By the above theorem we can now use timing diagrams in place of nominated formulas within the liveness operators. We call such timing diagrams live timing diagrams. For an example of a live timing diagram see Fig. 2.
3.2 Comparison with other temporal logics
In the previous section, Theorem 3 showed that timing diagrams can be translated to equivalent SeCeNL formulas with only linear blowup in size. In this section we compare our logic SeCeNL with other relevant logics in the literature, viz. LTL, discrete time MTL, and PSL-Sugar. Of these, PSL-Sugar is the most expressive, and discrete time MTL and LTL are its syntactic subsets. We show by examples that SeCeNL formulae are more succinct (smaller in size) than PSL-Sugar formulae, and we believe that they capture the diagrams more directly. Appendix A gives several more examples which could not be included due to lack of space.
Example (Ordered Stack) Let us now consider the timing diagram in Fig. 4, adapted from [CF05]. Rise and fall of successive signals follow a stack discipline. The language described by it is given by the SeCeNL formula:
Fig. 4. Example 1.
([¬a]^<ua>^[a]^<va>^[¬a]) ∧ ([¬b]^<ub>^[b]^<vb>^[¬b]) ∧
([¬c]^<uc>^[c]^<vc>^[¬c]) ∧ ([¬d]^<ud>^[d]^<vd>^[¬d]) ∧
([¬e]^<ue>^[e]^<ve>^[¬e]) ∧ (ext^<ua>^ext^<ub>^ext) ∧
(ext^<ub>^ext^<uc>^ext) ∧ (ext^<uc>^ext^<ud>^ext) ∧
(ext^<ud>^ext^<ue>^ext) ∧ (ext^<va>^ext^<vb>^ext) ∧
(ext^<vb>^ext^<vc>^ext) ∧ (ext^<vc>^ext^<vd>^ext) ∧
(ext^<vd>^ext^<ve>^ext).
Note that the first five conjuncts correspond exactly to the five waveforms. The remaining conjuncts enforce the ordering constraints between the positions marked in different waveforms. In general, if n signals are stacked, the SeCeNL specification has size O(n).
An equivalent MTL (or LTL) formula is given by:
[¬a ∧ ¬b ∧ ¬c ∧ ¬d ∧ ¬e] UU [a ∧ ¬b ∧ ¬c ∧ ¬d ∧ ¬e] UU
[a ∧ b ∧ ¬c ∧ ¬d ∧ ¬e] UU [a ∧ b ∧ c ∧ ¬d ∧ ¬e] UU
[a ∧ b ∧ c ∧ d ∧ ¬e] UU [a ∧ b ∧ c ∧ d ∧ e] UU
[a ∧ b ∧ c ∧ d ∧ ¬e] UU [a ∧ b ∧ c ∧ ¬d ∧ ¬e] UU
[a ∧ b ∧ ¬c ∧ ¬d ∧ ¬e] UU [a ∧ ¬b ∧ ¬c ∧ ¬d ∧ ¬e] UU
[¬a ∧ ¬b ∧ ¬c ∧ ¬d ∧ ¬e]
where a UU b is the derived modality a ∧ X(aUb). For a stack of n signals,
the size of the MTL formula is O(n2).
Above formula is also a PSL-Sugar formula. We attempt to specify the pat-
tern as a PSL-Sugar regular expression as follows:
((¬a ∧ ¬b ∧ ¬c ∧ ¬d ∧ ¬e; )[+]; (a ∧ ¬b ∧ ¬c ∧ ¬d ∧ ¬e; )[+];
(a ∧ b ∧ ¬c ∧ ¬d ∧ ¬e; )[+]; (a ∧ b ∧ c ∧ ¬d ∧ ¬e; )[+];
(a ∧ b ∧ c ∧ d ∧ ¬e; )[+]; (a ∧ b ∧ c ∧ d ∧ e; )[+];
(a ∧ b ∧ c ∧ d ∧ ¬e; )[+]; (a ∧ b ∧ c ∧ ¬d ∧ ¬e; )[+];
(a ∧ b ∧ ¬c ∧ ¬d ∧ ¬e; )[+]; (a ∧ ¬b ∧ ¬c ∧ ¬d ∧ ¬e; )[+];
(¬a ∧ ¬b ∧ ¬c ∧ ¬d ∧ ¬e; )[+]
For a stack of n signals, the size of the PSL-Sugar SERE expression is O(n2).
We believe that there is no formula of size O(n) in PSL-Sugar which can express
the above property. Compare this with size O(n) formula of SeCeNL.
Example (Unordered Stack) In the ordered stack, signal a turns on first and turns off last, followed by signals b, c, d, e in that order. We consider a variation of the ordered stack example above where signals turn on and off in first-on-last-off order, but there is no restriction on which signal becomes high first. This can be compactly specified in SeCeNL as follows.
([¬a]^<ua>^[a]^<va>^[¬a]) ∧ ([¬b]^<ub>^[b]^<vb>^[¬b]) ∧
([¬c]^<uc>^[c]^<vc>^[¬c]) ∧ ([¬d]^<ud>^[d]^<vd>^[¬d]) ∧
([¬e]^<ue>^[e]^<ve>^[¬e]) ∧ (ext^<u1>^ext^<u2>^ext) ∧
(ext^<u2>^ext^<u3>^ext) ∧ (ext^<u3>^ext^<u4>^ext) ∧
(ext^<u4>^ext^<u5>^ext) ∧ (ext^<v5>^ext^<v4>^ext) ∧
(ext^<v4>^ext^<v3>^ext) ∧ (ext^<v3>^ext^<v2>^ext) ∧
(ext^<v2>^ext^<v1>^ext) ∧
Bijection(ua, ub, uc, ud, ue, va, vb, vc, vd, ve, u1, u2, u3, u4, u5, v1, v2, v3, v4, v5)
where the formula Bijection below states that there is a one to one correspondence between the positions marked by ua, ub, uc, ud, ue, va, vb, vc, vd, ve and the positions marked by u1, u2, u3, u4, u5, v1, v2, v3, v4, v5. Moreover, it states that if ua maps to, say, u3 then va must map to v3, and so on.
[[(u1 ∨ u2 ∨ u3 ∨ u4 ∨ u5) ⇔ (ua ∨ ub ∨ uc ∨ ud ∨ ue)]] ∧ [[⋀_{1≤i,j≤5, i≠j} ¬(ui ∧ uj)]] ∧
[[(v1 ∨ v2 ∨ v3 ∨ v4 ∨ v5) ⇔ (va ∨ vb ∨ vc ∨ vd ∨ ve)]] ∧ [[⋀_{1≤i,j≤5, i≠j} ¬(vi ∧ vj)]] ∧
⋀_{1≤i≤5, j∈{a,b,c,d,e}} (true^<ui ∧ uj>^true ⇔ true^<vi ∧ vj>^true)
Note that, in general, if n signals are stacked, then the above SeCeNL specification has size O(n²).
Now we discuss the encoding of the unordered stack in PSL-Sugar. In the absence of
nominals, it is difficult to state the above behaviour succinctly in the logic PSL-
Sugar, even using its SERE regular expressions. Each order of occurrence of the
signals has to be enumerated as a disjunction, where each disjunct is as in the
ordered stack example (where the order was a, b, c, d, e). As there are n! orders
possible between n signals, the size of the PSL-Sugar formula is also O(n!). We
believe that there is no polynomially sized formula in PSL-Sugar encoding this
property. This shows that SeCeNL is exponentially more succinct than
PSL-Sugar.
In general, the presence of nominals distinguishes SeCeNL from logics like PSL-
Sugar. In formalizing the behaviour of hardware circuits it has been argued that
regular expressions are not enough, and operators such as pipelining have been
introduced [CF05]. These are a form of synchronization, and they can easily be
expressed using nominals too.
4 Case study: Minepump Specification
We first specify some useful generic timing diagram properties which will be used
for requirement specification in this (and many other) case studies.
– lags(P, Q, n): defined by Fig. 5. It specifies that, in any observation
interval, if P holds continuously for n + 1 cycles and persists, then Q holds
from the (n+1)th cycle onwards and persists as long as P persists.
– tracks(P, Q, n): defined by Fig. 6. In any observation interval, if P becomes true
then Q is sustained as long as P is sustained, or for up to n cycles, whichever is shorter.
– sep(P, n): defined by Fig. 7. Any interval which begins with a
falling edge of P and ends with a rising edge of P must have length
at least n cycles.
– ubound(P, n): defined by Fig. 8. In any observation interval P can
be continuously true for at most n cycles.
Note that we have presented these formulae diagrammatically. The textual ver-
sion of these live timing diagrams can be found in Appendix C.
We now state the minepump problem. Imagine a minepump which keeps the
water level in a mine under control for the safety of the miners. The pump is driven
by a controller which can switch it on and off. Mines are prone to leakage of methane
trapped underground, which is highly flammable. So, as a safety measure,
if a methane leakage is detected the controller is not allowed to switch on the
pump under any circumstances.
The controller has two input sensors: HH2O, which becomes 1 when the water
level is high, and HCH4, which is 1 when there is a methane leakage. It can
generate two output signals: ALARM, which is set to 1 to sound (and keep sounding) the
alarm, and PUMPON, which is set to 1 to switch on the pump. The objective of
the controller is to operate the pump and the alarm safely, in such a way that
the water level is never dangerous (indicated by the indicator variable DH2O),
whenever certain assumptions hold. We have the following assumptions on the
mine and the pump.
Fig. 5. lags(P, Q, n).
Fig. 6. tracks(P, Q, n).
Fig. 7. sep(P, n).
Fig. 8. ubound(P, n).
- Sensor reliability assumption: pref([[DH2O ⇒ HH2O]]). If HH2O is false
then so is DH2O.
- Water seepage assumption: tracks(HH2O, DH2O, κ1). The minimum number of
cycles for the water level to become dangerous once it becomes high is κ1.
- Pump capacity assumption: lags(PUMPON, ¬HH2O, κ2). If the pump is switched
on for at least κ2 + 1 cycles then the water level will not be high after κ2 cycles.
- Methane release assumptions: sep(HCH4, κ3) and ubound(HCH4, κ4).
The minimum separation between two methane leaks is κ3 cycles,
and a methane leak cannot persist for more than κ4 cycles.
- Initial condition assumption: init(<¬HH2O> ∧ <¬HCH4>, slen = 0). Ini-
tially, neither is the water level high nor is there a methane leakage.
Let the conjunction of these SeCeNL formulas be denoted as MINEASSUME.
The commitments are:
- Alarm control: lags(HH2O, ALARM, κ5), lags(HCH4, ALARM, κ6)
and lags(¬HH2O ∧ ¬HCH4, ¬ALARM, κ7). If the water level is dangerous
then the alarm will be high after κ5 cycles, and if there is a methane leakage then
the alarm will be high after κ6 cycles. If neither the water level is dangerous nor
there is a methane leakage, then the alarm should be off after κ7 cycles.
- Safety condition: pref([[¬DH2O ∧ (HCH4 ⇒ ¬PUMPON)]]). The wa-
ter level should never become dangerous, and whenever there is a methane
leakage the pump should be off.
Let the conjunction of these commitments be denoted MINECOMMIT.
Then the requirement on the minepump controller is given by the formula
MINEASSUME ⇒ MINECOMMIT. A textual version of this full minepump
specification, which can be input to our tools, is given in Appendix C. Note that
the requirement consists of a mixture of timing diagram constraints (such as the pump ca-
pacity assumption above) and SeCeNL formulas (such as the safety condition
above).
We can automatically synthesize a controller for the values say κ1 = 10, κ2 =
2, κ3 = 14, κ4 = 2, and κ5 = κ6 = κ7 = 1. The tool outputs a SCADE/SMV
controller meeting the specification. A snapshot of SCADE code for the controller
synthesized by DCSynthG for minepump can be found in Appendix D. If the
specification is not realizable we output an explanation.
A second case study, a synchronous bus arbiter specification, can be found
in Appendix E. We can automatically synthesize a property monitor for such a
requirement and use it to model check a given arbiter design; or we can directly
synthesize a controller meeting the requirement. The appendix gives the results of
both these experiments.
References
AEKN00. Nina Amla, E. Allen Emerson, Robert P. Kurshan, and Kedar S. Namjoshi. Model checking synchronous timing diagrams. In Warren A. Hunt Jr. and Steven D. Johnson, editors, Formal Methods in Computer-Aided Design, Third International Conference, FMCAD 2000, Austin, Texas, USA, November 1-3, 2000, Proceedings, volume 1954 of Lecture Notes in Computer Science, pages 283–298. Springer, 2000.
AH93. Rajeev Alur and Thomas A. Henzinger. Real-time logics: Complexity and expressiveness. Inf. Comput., 104(1):35–77, 1993.
All83. James F. Allen. Maintaining knowledge about temporal intervals. Commun. ACM, 26(11):832–843, 1983.
AS87. Bowen Alpern and Fred B. Schneider. Recognizing safety and liveness. Distributed Computing, 2(3):117–126, 1987.
BP12. Ajesh Babu and Paritosh K. Pandya. Chop expressions and discrete duration calculus. In Modern Applications of Automata Theory, pages 229–256. 2012.
CF05. Hana Chockler and Kathi Fisler. Temporal modalities for concisely capturing timing diagrams. In Dominique Borrione and Wolfgang J. Paul, editors, Correct Hardware Design and Verification Methods, 13th IFIP WG 10.5 Advanced Research Working Conference, CHARME 2005, Saarbrücken, Germany, October 3-6, 2005, Proceedings, volume 3725 of Lecture Notes in Computer Science, pages 176–190. Springer, 2005.
CP16. Aliaksei Chapyzhenka and Jonah Probell. WaveDrom: Rendering beautiful waveforms from plain text. Synopsys User Group, 2016.
DH01. Werner Damm and David Harel. LSCs: Breathing life into message sequence charts. Formal Methods in System Design, 19(1):45–80, 2001.
EF16. Cindy Eisner and Dana Fisman. Temporal logic made practical. In Handbook of Model Checking. Springer (expected 2016). http://www.cis.upenn.edu/~fisman/documents/EF_HBMC14.pdf, 2016.
FdRS03. Massimo Franceschet, Maarten de Rijke, and Bernd-Holger Schlingloff. Hybrid logics on linear structures: Expressivity and complexity. In 10th International Symposium on Temporal Representation and Reasoning / 4th International Conference on Temporal Logic (TIME-ICTL 2003), 8-10 July 2003, Cairns, Queensland, Australia, pages 166–173. IEEE Computer Society, 2003.
Fis99. Kathi Fisler. Timing diagrams: Formalization and algorithmic verification. Journal of Logic, Language and Information, 8(3):323–361, 1999.
Fis07. Kathi Fisler. Two-dimensional regular expressions for compositional bus protocols. In Formal Methods in Computer-Aided Design, 7th International Conference, FMCAD 2007, Austin, Texas, USA, November 11-14, 2007, Proceedings, pages 154–157. IEEE Computer Society, 2007.
KP05. Yonit Kesten and Amir Pnueli. A compositional approach to CTL* verification. Theor. Comput. Sci., 331(2-3):397–428, 2005.
Pan00. Paritosh K. Pandya. Specifying and deciding quantified discrete-time duration calculus formulae using DCVALID. Technical report, Tata Institute of Fundamental Research, Mumbai, 2000.
Pan01. Paritosh K. Pandya. Model checking CTL*[DC]. In Tiziana Margaria and Wang Yi, editors, Tools and Algorithms for the Construction and Analysis of Systems, 7th International Conference, TACAS 2001, Held as Part of the Joint European Conferences on Theory and Practice of Software, ETAPS 2001, Genova, Italy, April 2-6, 2001, Proceedings, volume 2031 of Lecture Notes in Computer Science, pages 559–573. Springer, 2001.
Wav16. WaveDrom. WaveDrom user manual. http://wavedrom.com/tutorial.html, 2016.
A Examples of Comparison with other logics
Example 1 (Ordering with timing) Consider the timing diagram in Fig. 9 which
says that a holds invariantly in the interval [0, i] where i ≥ 1, b holds invariantly
in the interval [i, j], j ≥ i+ 1, and c holds at j and j ≤ n.
Fig. 9. Example 1.
– The language described by the above timing diagram is given by the SeCeNL
formula ([a∧¬b] ˆ [b∧¬a∧¬c] ˆ <c>) ∧ (slen ≤ n) which is of size O(log(n)).
It is assumed that all timing constants such as n are encoded in binary and
hence they contribute size log(n).
– An equivalent MTL formula is
  ⋁_{i=1}^{n−1} (a ∧ ¬b U_{[i,i]} (b ∧ ¬a U_{[1,n−i]} c)),
  whose size is O(n log(n)).
– An equivalent LTL formula is
  ⋁_{i=1}^{n−1} ⋁_{j=1}^{n−i} (a U X^i (b U X^j c)), where X^k = X · … · X (k times),
  whose size is O(n^2).
– Equivalent PSL-Sugar formula is (a∧¬b[+]; b∧¬a∧¬c[+]; c)∧((a|b)[< n]; c)
with size O(log(n)).
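As an added illustration (not code from the paper or its tools), the following Python evaluator implements the semantics I assume for the QDDC fragment that Example 1 uses, over a finite trace: [[P]] is P at every cycle of the interval, [P] is a non-point interval with P at every cycle but the last, <P> is a point interval satisfying P, pt and ext are point and extended intervals, D1 ˆ D2 holds if some chop point splits the interval so that D1 holds on the left part and D2 on the right, slen is the interval length e − b (as in the reading of slen ≤ n above), and pref(D) requires D on every prefix [0, i]. Unlike the automata-based tools the paper relies on, it simply enumerates chop points, which is fine for short traces. The formula encoding as nested tuples, the function names and the traces built by make_trace are all constructed for this example.

```python
from typing import Callable, Dict, List, Tuple

State = Dict[str, bool]
Trace = List[State]
Prop = Callable[[State], bool]
# Formulas are nested tuples (constructed encoding):
#   ("[[", P)  ("[", P)  ("<", P)  ("pt",)  ("ext",)  ("true",)
#   ("^", D1, D2)  ("and", D1, D2)  ("not", D)  ("slen<=", n)

def holds(d: Tuple, tr: Trace, b: int, e: int) -> bool:
    """Does formula d hold on interval [b, e] of tr (0 <= b <= e < len(tr))?"""
    op = d[0]
    if op == "true":
        return True
    if op == "pt":
        return b == e
    if op == "ext":
        return b < e
    if op == "[[":                                    # P at every point of [b, e]
        return all(d[1](tr[i]) for i in range(b, e + 1))
    if op == "[":                                     # b < e and P on [b, e)
        return b < e and all(d[1](tr[i]) for i in range(b, e))
    if op == "<":                                     # point interval with P
        return b == e and d[1](tr[b])
    if op == "^":                                     # chop: try every split point m
        return any(holds(d[1], tr, b, m) and holds(d[2], tr, m, e)
                   for m in range(b, e + 1))
    if op == "and":
        return holds(d[1], tr, b, e) and holds(d[2], tr, b, e)
    if op == "not":
        return not holds(d[1], tr, b, e)
    if op == "slen<=":
        return e - b <= d[1]
    raise ValueError(f"unknown operator {op!r}")

def pref(d: Tuple, tr: Trace) -> bool:
    """pref(D): D holds on every prefix [0, i] of the trace."""
    return all(holds(d, tr, 0, i) for i in range(len(tr)))

def fig9(n: int) -> Tuple:
    """([a ∧ ¬b] ^ [b ∧ ¬a ∧ ¬c] ^ <c>) ∧ (slen <= n), the Example 1 formula."""
    a_nb = lambda s: s["a"] and not s["b"]
    b_na_nc = lambda s: s["b"] and not s["a"] and not s["c"]
    c = lambda s: s["c"]
    return ("and",
            ("^", ("[", a_nb), ("^", ("[", b_na_nc), ("<", c))),
            ("slen<=", n))

def fig9_holds(tr: Trace, n: int) -> bool:
    """Evaluate the Fig. 9 formula on the whole trace [0, len-1]."""
    return holds(fig9(n), tr, 0, len(tr) - 1)

def make_trace(i: int, j: int, c_at_end: bool = True) -> Trace:
    """Constructed trace: a on cycles [0, i), b on [i, j), c at cycle j."""
    return [{"a": t < i, "b": i <= t < j, "c": (t == j) and c_at_end}
            for t in range(j + 1)]

if __name__ == "__main__":
    t = make_trace(2, 5)
    print(fig9_holds(t, 5), fig9_holds(t, 4))              # True False
    print(fig9_holds(make_trace(2, 5, c_at_end=False), 5))  # False: <c> fails
    print(fig9_holds(make_trace(0, 3), 5))                  # False: [a ∧ ¬b] needs i >= 1
```

Note that n enters the formula only as the constant in slen ≤ n, which is why the SeCeNL and PSL-Sugar encodings are O(log n) in size, while the MTL and LTL encodings above unroll the constant into a disjunction.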
We also give examples of complex dependency constraints. Consider the tim-
ing diagram in Fig. 10. In this diagram, ua occurs before ub and uc, and uc
occurs before ud and ue. The point vc occurs after vd and ve, and va occurs
after vb and vc.
Fig. 10. Example 3.
The behaviour is described straightforwardly by the SeCeNL formula:
([¬a] ˆ<ua>ˆ [a] ˆ<va>ˆ [¬a]) ∧ ([¬b] ˆ<ub> ˆ [b] ˆ<vb>ˆ[¬b]) ∧
([¬c] ˆ <uc> ˆ [c] ˆ <vc> ˆ [¬c]) ∧ ([¬d] ˆ <ud> ˆ [d] ˆ<vd> ˆ [¬d]) ∧
([¬e] ˆ <ue> ˆ [e] ˆ <ve> ˆ [¬e]) ∧ (ext ˆ <ua> ˆ ext ˆ <ub> ˆ true) ∧
(ext ˆ <ua> ˆ ext ˆ <uc> ˆ true) ∧ (ext ˆ <uc> ˆ ext ˆ <ud> ˆ true) ∧
(ext ˆ <uc> ˆ ext ˆ <ue> ˆ true) ∧ (ext ˆ <ve> ˆ ext ˆ <vc> ˆ true) ∧
(ext ˆ <vd> ˆ ext ˆ <vc> ˆ true) ∧ (ext ˆ <vc> ˆ ext ˆ <va> ˆ true) ∧
(ext ˆ <vb> ˆ ext ˆ <va> ˆ true).
This formula is linear in the size of the timing diagram. Unfortunately, specifying
these dependencies in PSL-Sugar is complex, and the formula size blows up at least
quadratically.
B Implementation
We propose a textual framework with a well-defined syntax and semantics for
requirement specification (of the form assumptions ⇒ commitments). Our frame-
work is heterogeneous in the sense that it supports both SeCeNL formulas and
timing diagrams with nominals for system specification. It can also handle all of
our limited liveness operators (see Appendix C for the minepump code in
our framework).
We have also developed a Python-based translator which takes requirements
in our textual format as input and produces property monitors as well as con-
trollers as output. Fig. 11 gives a broad picture of the current status of our tool
chain.
Fig. 11. Our tool chain: a requirement specification (timing diagrams + SeCeNL + liveness) is fed to the Python translator, which produces QDDC; the QDDC tools DCVALID, DCObs and DCSynthG then yield property monitors (checked against the system with a model checker) and a synthesized controller.
C Minepump Code
The example code for the minepump is written using the textual syntax for QDDC, which
can be found in [Pan00,Pan01].
#lhrs "minepump"
interface
{
  input HH2O, HCH4;
  output ALARM monitor x, PUMPON monitor x;
  constant delta = 1, w = 10, epsilon=2 , zeta=14, kappa=2;
  auxvar DH2O;
  softreq (!YHCH4)||(!PUMPON);
}
#implies lag(P, Q, n)
{
  td lagspeclet1(P, n)
  {
    P:<u>1|<v>1|;
    @sync:(u, v, n);
  }
  td lagspeclet2(Q)
  {
    Q: 2|<v>1|;
  }
}
#implies tracks(P, Q, n)
{
  td tracksspeclet1(P, n)
  {
    P: 0<u>1|<v>1|;
    @sync: (u,v,[n,));
  }
  td tracksspeclet2(Q)
    Q: 2<u>1|<v>0|;
}
#implies tracks2(P, Q, n)
{
  td tracks2speclet1(P, n)
  {
    P: 0<u>1|<v>0|;
    @sync: (u,v,[,n]);
  }
  td tracks2speclet2(Q)
    Q:2<u>0|<v>2|;
}
#implies sep(P, n)
{
  td sepspeclet1(P)
    P: 1<u>0|<v>1;
  td sepspeclet2(n)
  {
    @null: 2<u>2|<v>2;
    @sync: (u, v, (n,]);
  }
}
#implies ubound(P, n)
{
  td boundspeclet1(P)
    P: <c>1|<d>1;
  td boundspeclet2(n)
  {
    @null: <c>2|<d>2;
    @sync: (c, d, [,n));
  }
}
dc safe(DH2O) {
  pt || [!DH2O && ((HCH4||!HH2O) =>!PUMPON)];
}
main()
{
  assume (<!HH2O> ^ true);
  assume (pt || [DH2O =>HH2O]);
  assume tracks(HH2O, !DH2O, w);
  assume tracks2 (HH2O, DH2O, w);
  assume lag(PUMPON, !HH2O, epsilon);
  assume sep(HCH4, zeta);
  assume ubound(HCH4, kappa);
  req (<!ALARM> ^ true);
  req lag(HH2O, ALARM, delta);
  req lag(HCH4, ALARM, delta);
  req lag(!HCH4 && !HH2O, !ALARM, delta);
  req safe(DH2O);
}
D Synthesized controller for minepump
A snapshot of a controller synthesized from the minepump requirement in §4.
The controller had approximately 140 states and it took less than a second for
synthesis.
node minepump ( HH2O, HCH4:bool) returns ( ALARM, PUMPON:bool)
var cstate: int;
let
ALARM, PUMPON, cstate =
( if true and not HH2O and not HCH4 then ( false, false, 2)
else if true and not HH2O and HCH4 then ( false, false, 4)
else if true and HH2O and not HCH4 then ( false, false, 4)
else if true and HH2O and HCH4 then ( false, false, 4)
else ( dontCare, dontCare, 1)) ->
if pre cstate = 1 and not HH2O and not HCH4 then ( false, false, 2)
else if pre cstate = 1 and not HH2O and HCH4 then ( false, false, 4)
else if pre cstate = 1 and HH2O and not HCH4 then ( false, false, 4)
else if pre cstate = 1 and HH2O and HCH4 then ( false, false, 4)
else if pre cstate = 2 and not HH2O and not HCH4 then ( false, false, 2)
else if pre cstate = 2 and not HH2O and HCH4 then ( false, false, 7)
else if pre cstate = 2 and HH2O and not HCH4 then ( false, false, 9)
else if pre cstate = 2 and HH2O and HCH4 then ( false, false, 11)
else if pre cstate = 4 and not HH2O and not HCH4 then ( false, false, 4)
else if pre cstate = 4 and not HH2O and HCH4 then ( false, false, 4)
..............................
..............................
else if pre cstate = 309 and HH2O and not HCH4 then ( false, true, 4)
else if pre cstate = 309 and HH2O and HCH4 then ( false, true, 4)
else if pre cstate = 372 and not HH2O and not HCH4 then ( false, false, 2)
else if pre cstate = 372 and not HH2O and HCH4 then ( false, false, 7)
else if pre cstate = 372 and HH2O and not HCH4 then ( false, true, 4)
else if pre cstate = 372 and HH2O and HCH4 then ( false, true, 4)
else ( dontCare, dontCare, pre cstate) ;
tel
E Case study: 3-cell arbiter
In this section we illustrate another application of our specification format and
associated tools. For this we use the standard McMillan arbiter circuit given in the
NuSMV examples and model check it against the specification below.
A synchronous 3-cell bus arbiter has three request lines req1, req2 and req3, and
corresponding acknowledgement lines ack1, ack2 and ack3. At any time instant
a subset of the request lines can be high, and the arbiter decides which request is
granted access to the bus by making the corresponding acknowledgement
line high. The requirements for such a bus arbiter are formulated below.
- Exclusion: pref([[(⋀_{i≠j} ¬(acki ∧ ackj))]]). At most one acknowledgement can
be given at a time.
- No spurious acknowledgement: pref([[(⋀_i (acki ⇒ reqi))]]). A request should
be granted access to the bus only if it has requested it.
- Response time: implies([[req]] ∧ slen = n, true ^ <ack> ^ true). One of
the most important properties of an arbiter is that any request should be
granted within n cycles, i.e. if a request is continuously true for some time
then it should be heard.
- Deadtime: to specify this property we first define a lost cycle as follows:
Lost ≡ (∨i reqi) ∧ (¬(∨i acki)). Then Deadtime ≡ anti([[Lost]] ∧ slen > n).
This specifies that the maximum number of consecutive cycles that can be lost
by the arbiter is n.
The requirement ARBREQ is a conjunction of above formulas.
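The following Python monitor is an added example (not the NuSMV module the paper generates, nor code from its tool chain) that evaluates the four ARBREQ properties on a finite trace of the 3-cell arbiter. The cycle counts follow the English reading of each bullet above (n consecutive cycles of req_i without ack_i violate the response time; more than n consecutive lost cycles violate the deadtime); the trace format, function names and sample traces are constructed. The first sample trace is modelled on the description of Fig. 12: a request line stays high through three consecutive cycles without an acknowledgement, so a deadtime of 3 is met and a deadtime of 2 is not.

```python
from typing import Dict, List

Trace = List[Dict[str, bool]]   # one dict of signal values per cycle (constructed format)
CELLS = (1, 2, 3)
KEYS = [f"req{i}" for i in CELLS] + [f"ack{i}" for i in CELLS]

def to_trace(rows) -> Trace:
    """Constructed input: per cycle (req1, req2, req3, ack1, ack2, ack3) as 0/1."""
    return [dict(zip(KEYS, map(bool, r))) for r in rows]

def max_run(vals: List[bool]) -> int:
    """Longest run of consecutive True values."""
    best = cur = 0
    for v in vals:
        cur = cur + 1 if v else 0
        best = max(best, cur)
    return best

def exclusion(tr: Trace) -> bool:
    """Exclusion: at most one acknowledgement line is high in any cycle."""
    return all(sum(s[f"ack{i}"] for i in CELLS) <= 1 for s in tr)

def no_spurious_ack(tr: Trace) -> bool:
    """No spurious acknowledgement: ack_i only in cycles where req_i is high."""
    return all((not s[f"ack{i}"]) or s[f"req{i}"] for s in tr for i in CELLS)

def response_time(tr: Trace, n: int) -> bool:
    """Any n consecutive cycles with req_i high must contain an ack_i."""
    for i in CELLS:
        req = [s[f"req{i}"] for s in tr]
        ack = [s[f"ack{i}"] for s in tr]
        for b in range(len(tr) - n + 1):
            if all(req[b:b + n]) and not any(ack[b:b + n]):
                return False
    return True

def deadtime(tr: Trace, n: int) -> bool:
    """Lost = some request high and no acknowledgement; at most n lost cycles in a row."""
    lost = [any(s[f"req{i}"] for i in CELLS) and not any(s[f"ack{i}"] for i in CELLS)
            for s in tr]
    return max_run(lost) <= n

def arbreq(tr: Trace, response_n: int, deadtime_n: int) -> Dict[str, bool]:
    """ARBREQ as per-property verdicts over one finite trace."""
    return {
        "exclusion": exclusion(tr),
        "no_spurious_ack": no_spurious_ack(tr),
        "response_time": response_time(tr, response_n),
        "deadtime": deadtime(tr, deadtime_n),
    }

# Constructed trace modelled on the Fig. 12 description: req1 stays high through
# the 4th, 5th and 6th cycles (1-based, as in the text) with no acknowledgement.
TRACE = to_trace([
    (1, 0, 0, 1, 0, 0), (0, 1, 0, 0, 1, 0), (0, 0, 1, 0, 0, 1),
    (1, 0, 0, 0, 0, 0), (1, 0, 0, 0, 0, 0), (1, 0, 0, 0, 0, 0),
    (1, 0, 0, 1, 0, 0), (0, 0, 0, 0, 0, 0)])
# Constructed trace with two acknowledgements at once, one of them spurious.
BAD_ACKS = to_trace([(1, 0, 0, 1, 1, 0)])

if __name__ == "__main__":
    print(arbreq(TRACE, response_n=4, deadtime_n=3))   # every property True
    print(arbreq(TRACE, response_n=3, deadtime_n=2))   # response_time and deadtime False
    print(arbreq(BAD_ACKS, response_n=3, deadtime_n=2))
```

Running the same trace with the tightened constants is the monitor-side counterpart of the NuSMV experiment below: the trace is a witness that deadtime 2 and response time 3 are not met, while deadtime 3 and response time 4 are.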
We ran the requirement through our tool chain to generate a NuSMV module
for the requirement monitor. This module was then instantiated synchronously
with the McMillan arbiter implementation in NuSMV, and the NuSMV model checker
was invoked to check the property G(assumptions ⇒ commitments).
Model checking: Experimental results show that the deadtime for the 3-cell McMil-
lan arbiter is 3. If we specify the deadtime as 2 cycles then a counterexample
is generated by NuSMV, as depicted in Fig. 12. This counterexample shows
that even though a request line is high in the 4th, 5th and 6th cycles, no
acknowledgement is given by the arbiter. Similarly, the response time for the 1st cell
is 3 cycles whereas for the 2nd and 3rd cells it is 6 cycles. If we specify response
times of 2 and 5 cycles for the 1st and 2nd cells, then NuSMV generates the counterexam-
ples in Fig. 13 and Fig. 14 respectively. Fig. 14 shows that the request line for
cell 2 (i.e. req2) is high continuously for 5 cycles starting from the 3rd, without an
acknowledgement from the arbiter.
Fig. 12. Counterexample showing deadtime exceeding 2 cycles.
Fig. 13. Counterexample showing response time of the 1st cell exceeding 2 cycles.
Fig. 14. Counterexample showing response time of the 2nd cell exceeding 5 cycles.
Controller synthesis : We have also synthesized a controller for the arbiter speci-
fication using our tool DCSynthG. We have tightened the requirements by spec-
ifying the response time as 3 cycles uniformly for all three cells and deadtime as
0 cycles, i. e. there is no lost cycle. The tool could synthesize a controller in 0.03
seconds with 17 states.
