Finding Extremal Models of Discrete Duration Calculus formulae using Symbolic Search  by Pandya, Paritosh K.
Paritosh K. Pandya1
School of Technology and Computer Science
Tata Institute of Fundamental Research
Homi Bhabha Road, Colaba
Mumbai 400005, India
Abstract
QDDC is a logic for specifying quantitative timing aspects of synchronous programs. Properties such as worst-case response time and latency (when known) can be specified elegantly in this logic and model checked. However, computing these values requires finding by trial and error the least/greatest value of a parameter k making a formula D(k) valid for a program. In this paper, we discuss how an automata theoretic decision procedure for QDDC together with symbolic search for shortest/longest path can be used to compute the lengths of extremal (least/greatest length) models of a formula D. These techniques have been implemented into the DCVALID verifier for QDDC formulae. We illustrate the use of this technique by efficiently computing response and dead times of some synchronous bus arbiter circuits.
Keywords: Symbolic model checking, Response time computation, Discrete duration calculus,
Extremal models, SMV.
1 Introduction
For synchronous programs (e.g. clocked circuits), execution time is measured in terms of clock ticks, i.e. the notion of time is discrete. For many such programs, it is important to analyse quantitative timing properties such as response time and latency. Doing such quantitative analysis remains a challenging problem for the formal methods community.
1 Email: pandya@tifr.res.in
Electronic Notes in Theoretical Computer Science 128 (2005) 247–262
1571-0661© 2005 Elsevier B.V. Open access under CC BY-NC-ND license.
www.elsevier.com/locate/entcs
doi:10.1016/j.entcs.2005.04.015
Quantified Discrete-time Duration Calculus (QDDC) [12] is a highly expressive logic for specifying properties of finite sequences of states (behaviours). It is closely related to the Interval Temporal Logic of Moszkowski [11] and the Duration Calculus of Zhou et al. [16] (see [12,15,6] for their relationship). It provides novel interval based modalities for describing behaviours. For example, the following formula holds for a behaviour σ provided for all fragments σ′ of σ which have (a) P true in the beginning, (b) Q true at the end, and (c) no occurrences of Q in between, the number of occurrences of states in σ′ where R is true is at most 3.
$\Box(\lceil P\rceil^0 \frown \lceil\lceil \neg Q\rceil\rceil \frown \lceil Q\rceil^0 \Rightarrow (\Sigma R \le 3))$
Here, the $\Box$ modality ranges over all fragments of a behaviour. Operator $\frown$ is like concatenation (fusion) of behaviour fragments and $\lceil\lceil \neg Q\rceil\rceil$ states invariance of ¬Q over the behaviour fragment. Finally, ΣR counts the number of occurrences of R within a behaviour fragment. A precise definition of the syntax and semantics of QDDC is given in Section 2.
In spite of their high expressive power, QDDC formulae can be model checked. An automata theoretic decision procedure allows converting a QDDC formula into a finite state automaton recognising precisely the models of the formula [12]. The automaton can be used as a synchronous observer for model checking the property of a synchronous program [8]. We have implemented this theory into a tool called DCVALID [12,13] which permits model checking QDDC properties of synchronous programs written in Esterel [2], Verilog and SMV [10] notations.
Quantified Discrete-time Duration Calculus (QDDC) is a logic well suited to specifying quantitative timing properties of synchronous programs. It addresses a qualitatively different class of properties of synchronous programs from those considered earlier. Properties such as worst-case response time and latency (when known) can be specified elegantly in this logic and model checked. However, computing these values requires finding by trial and error the least/greatest value of a parameter k making a formula D(k) valid for a program. Such a trial-error technique is inherently incomplete.
In the paper, we propose formulations of many interesting timing properties as lengths of extremal (shortest/longest) sub-executions of a system satisfying a property D written in the logic QDDC. By sub-execution we mean a finite (not necessarily initial) fragment of an execution. For example, response time can be formulated as the length of the longest sub-execution during which request ∧ ¬acknowledgement holds invariantly. Logic QDDC is well suited to specifying complex timing requirements in this fashion. We call this approach extremal model length based specification.
In the paper, we show how an automata theoretic decision procedure for QDDC together with symbolic search for shortest/longest path can be used to compute the extremal model lengths. These techniques have been implemented into the DCVALID verifier for QDDC formulae. The implementation is built on top of the symbolic search routines for shortest/longest paths available in the NuSMV verifier.
We illustrate the use of our technique by computing response and dead times of some synchronous bus arbiter circuits using our tool DCVALID and NuSMV, with some surprising results. It is our claim that these properties are quite difficult to analyse by hand and a system designer's intuition about them can be misleading. Hence, the availability of tools is crucial for the analysis of such properties. In the paper, we also provide an experimental comparison of the efficiency of our extremal model length computation with traditional model checking.
The rest of the paper is organised as follows. A synchronous bus arbiter circuit model is presented in the next subsection. The logic QDDC and its model checking are briefly presented in Section 2. The notion of extremal model lengths is defined in Section 3. Section 4 presents the main technique used for symbolically computing extremal model lengths. Section 5 briefly describes the implementation of this technique into our tool DCVALID. It also gives the experimental results for the timing analysis of the bus arbiter circuits. The paper ends with a discussion.
1.1 Synchronous Bus Arbiter
Example 1.1 A synchronous bus arbiter with n cells has request lines req1, . . ., reqi, . . ., reqn and acknowledgement lines ack1, . . ., acki, . . ., ackn. At any clock cycle a subset of the request lines are high. It is the task of the arbiter to set at most one of the corresponding acknowledgement lines high. Preferably, the arbiter should be fair to all requests.
The bus arbiter circuit of Figure 1 (called MacArbV0) was analysed by McMillan [10] using the pioneering SMV verifier based on symbolic model checking (2). A variant, MacArbV1, of McMillan's arbiter is given in Figure 2. (The changes from the original arbiter are highlighted by dotted lines.) Both these arbiters have the property that at most one ack signal can occur at a time.
2 The circuit elements are standard. The square box denotes a D-latch which delays the signal by one clock cycle.
Fig. 1. McMillan's Arbiter: MacArbV0 (figure: cell interconnection and cell circuit, with signals Request, Ack-out, TokenIn/TokenOut, OverrideIn/OverrideOut, GrantIn/GrantOut, En, E1, E2 and latches T and W)
Fig. 2. A Variant of McMillan's Arbiter: MacArbV1 (figure: modified cell circuit)
Example 1.2 We consider some quantitative timing properties of the arbiters.
• 3-cycle response time: The least number of cycles for which reqi must be held high continuously in the worst case to ensure three occurrences of acki.
• Dead time: The maximum possible number of consecutive lost cycles. A cycle is lost if at least one of the cells has its req high but all the cells have ack low, i.e. $lostcycle \stackrel{def}{=} (\bigvee_i req_i) \wedge \neg(\bigvee_j ack_j)$.
2 Quantiﬁed Discrete-Time Duration Calculus (QDDC)
Let Pvar be a finite set of propositional variables representing some observable aspects of system state. Let $VAL(Pvar) \stackrel{def}{=} Pvar \to \{0, 1\}$ be the set of valuations assigning a truth value to each variable.
We shall identify behaviours with finite, nonempty sequences of valuations, i.e. elements of $VAL(Pvar)^+$.
Example 2.1 The following picture gives a behaviour over variables {p, q}.
Each column vector gives a valuation, and the word is a sequence of such
column vectors.
p 1 0 1 1 0
q 0 0 0 0 1
The above word satisﬁes the property that p holds initially and q holds at the
end but nowhere before that. QDDC is a logic for formalising such properties.
Each formula speciﬁes a set of such words.
Given a non-empty ﬁnite sequence of valuations σ ∈ VAL+, we denote the
satisfaction of a QDDC formula D over σ by σ |= D.
Syntax of QDDC Formulae
Let Pvar be the set of propositional variables. Let p range over propositional variables, P, Q over propositions and D, D1, D2 over QDDC formulae. Propositions are constructed from variables Pvar and the constants 0, 1 (denoting false and true respectively) using boolean connectives ∧, ¬ etc. as usual.
The syntax of QDDC is as follows.
$D ::= \lceil P\rceil^0 \mid \lceil\lceil P\rceil\rceil \mid D_1 \frown D_2 \mid D_1 \wedge D_2 \mid \neg D \mid \exists p.D \mid \eta\ op\ c \mid \Sigma P\ op\ c$, where $op \in \{<, \le, =, \ge, >\}$.
Let $\sigma \in VAL(Pvar)^+$ be a behaviour. Let #σ denote the length of σ and σ[i] the ith element. For example, if $\sigma = \langle v_0, v_1, v_2\rangle$ then #σ = 3 and σ[1] = v1. Let dom(σ) = {0, 1, . . ., #σ − 1} denote the set of positions within σ. The set of intervals in σ is given by $Intv(\sigma) = \{[b, e] \in dom(\sigma)^2 \mid b \le e\}$ where each interval [b, e] identifies the subsequence of σ between the positions b and e.
Let σ, i ⊨ P denote that proposition P evaluates to true at position i in σ. We omit this obvious definition. We inductively define the satisfaction of QDDC formula D for behaviour σ and interval [b, e] ∈ Intv(σ) as follows.
$\sigma, [b, e] \models \lceil P\rceil^0$ iff $b = e$ and $\sigma, b \models P$
$\sigma, [b, e] \models \lceil\lceil P\rceil\rceil$ iff $b < e$ and $\sigma, i \models P$ for all $i : b \le i < e$
$\sigma, [b, e] \models \neg D$ iff $\sigma, [b, e] \not\models D$
$\sigma, [b, e] \models D_1 \wedge D_2$ iff $\sigma, [b, e] \models D_1$ and $\sigma, [b, e] \models D_2$
$\sigma, [b, e] \models D_1 \frown D_2$ iff for some $m : b \le m \le e$ : $\sigma, [b, m] \models D_1$ and $\sigma, [m, e] \models D_2$.
Entities η and ΣP are called measurements. Term η denotes the length of the interval whereas ΣP denotes the number of times P is true within the interval [b, e] (we treat the interval as being left-closed and right-open). Formally,
$eval(\eta, \sigma, [b, e]) \stackrel{def}{=} e - b$
$eval(\Sigma P, \sigma, [b, e]) \stackrel{def}{=} \sum_{i=b}^{e-1} \begin{cases} 1 & \text{if } \sigma, i \models P \\ 0 & \text{otherwise} \end{cases}$
Let t range over measurements. Then,
$\sigma, [b, e] \models t\ op\ c$ iff $eval(t, \sigma, [b, e])\ op\ c$.
Call a behaviour σ′ a p-variant of σ provided #σ = #σ′ and for all i ∈ dom(σ) and for all q ≠ p, we have σ(i)(q) = σ′(i)(q). Then,
$\sigma, [b, e] \models \exists p.D$ iff $\sigma', [b, e] \models D$ for some p-variant σ′ of σ.
Finally,
$\sigma \models D$ iff $\sigma, [0, \#\sigma - 1] \models D$.
Derived Constructs
We can also define some derived constructs. Boolean combinators ∨, ⇒, ⇔ can be defined using ∧, ¬ as usual.
• $\lceil\rceil \stackrel{def}{=} \lceil 1\rceil^0$ holds for point intervals of the form [b, b].
• $\lceil P\rceil \stackrel{def}{=} (\lceil\lceil P\rceil\rceil \frown \lceil P\rceil^0)$ states that proposition P holds invariantly over the extended closed interval [b, e] including the endpoint. Formula $\lceil P\rceil^+ \stackrel{def}{=} (\lceil P\rceil \vee \lceil P\rceil^0)$ additionally also holds for point intervals where P is true.
• $\Diamond D \stackrel{def}{=} true \frown D \frown true$ holds provided D holds for some subinterval.
• $\Box D \stackrel{def}{=} \neg\Diamond\neg D$ holds provided D holds for all subintervals.
Decidability of QDDC
The following theorem characterises the sets of models satisfying a QDDC formula. Let pvar(D) be the finite set of propositional variables occurring within a QDDC formula D. Let VAL(Pvar) = Pvar → {0, 1} be the set of valuations over Pvar as before.
Theorem 2.2 For every QDDC formula D, we can effectively construct a finite state automaton A(D) over the alphabet VAL(pvar(D)) such that for all $\sigma \in VAL(pvar(D))^*$,
$\sigma \models D$ iff $\sigma \in L(A(D))$.
Corollary 2.3 Satisfiability (validity) of QDDC formulae is decidable.
DCVALID
The reduction from formulae of QDDC to finite state automata as outlined in Theorem 2.2 has been implemented into a tool called DCVALID [12], which also checks for the validity of formulae as in Corollary 2.3. This tool is built on top of MONA [9]. MONA is a sophisticated and efficient BDD-based implementation of the automata-theoretic decision procedure for monadic logic over finite words.
An associated tool, called CTLDC [13], translates the automaton into an Esterel, SMV or Verilog module to give a synchronous observer [8] for the property. Using this, DCVALID can model check whether M ⊨ D where M is an Esterel, SMV or Verilog program and D is a QDDC formula [13].
Example 2.4 [Arbiter Specification] We formalise the timing properties of the arbiters from Example 1.2 in QDDC.
• 3-cycle response time: The minimum k such that the following is valid for the arbiter. $\Box(\lceil req_i\rceil \wedge \eta \ge k - 1 \Rightarrow \Sigma ack_i \ge 3)$
• Dead time: The minimum k such that the following is valid for the arbiter. $\Box(\lceil lostcycle\rceil \Rightarrow \eta < k)$.
Note that traditional model checking can verify a property D(k) for a given constant k. In this paper, we propose some techniques which can compute the extremal values of k. Moreover, these techniques are experimentally shown to be effective in solving problems like the dead and response times of the arbiters. The techniques have been built into our model checking tool DCVALID.
3 Extremal Model Lengths
Definition 3.1 A transition system M = (S, R, L, S0) consists of a set of states S, a set of initial states S0 ⊆ S, a transition relation R ⊆ S × S and a labelling function L : S → VAL(Pvar). Here, Pvar is the set of observable propositions. Let M1 × M2 denote the synchronous product of transition systems M1 and M2, as usual. It captures the parallel execution of the two transition systems running in synchronous (lock-step) parallel fashion.
An execution of M is a (finite or infinite) sequence of states starting with an element of S0 where every pair of consecutive states is in R. A behaviour is a complete execution which is either infinite or ends in a state which has no R successor. Let Beh(M) denote the set of behaviours of M.
Notation
Let $\alpha \in S^* \cup S^\omega$ be a finite or infinite sequence of states from S. Then, α[i] denotes the ith element. Also, α[i, j] = α[i], . . ., α[j] denotes the finite subsequence between positions i and j.
Let ω denote the set of natural numbers and ∅ be the empty set. Let N ⊆ ω. Then max N denotes the least upper bound of N and min N denotes the greatest lower bound of N. Some special cases of these functions are outlined below. Let max ∅ = 0 and max ω = ∞. Let min ∅ = ∞ and min ω = 0.
Definition 3.2 [sub-executions] Let $\alpha \in S^* \cup S^\omega$. Then,
• $subseq(\alpha) \stackrel{def}{=} \{\alpha[b, e] \mid b, e \in dom(\alpha), b \le e\}$.
• $subexec(M) \stackrel{def}{=} \bigcup_{\alpha \in Beh(M)} subseq(\alpha)$. The elements of subexec(M) will be called sub-executions. They denote finite fragments of the executions of M.
• Let $\langle s_0, \ldots, s_n\rangle \models_L D \stackrel{def}{=} \langle L(s_0), \ldots, L(s_n)\rangle \models D$ denote that formula D holds for a sub-execution $\langle s_0, \ldots, s_n\rangle$.
We now formalise the notion of lengths of extremal (i.e. longest/shortest) sub-executions of M which satisfy a QDDC formula D. Term MAXLEN(D, M) denotes the length (i.e. number of states) of the longest sub-execution of M satisfying D. In case there are sub-executions of unbounded lengths satisfying D, the term evaluates to ∞. If there are no sub-executions satisfying D, the term evaluates to 0. Term MINLEN(D, M) denotes the step length (i.e. number of edges) in the shortest sub-execution satisfying D. If there are no sub-executions satisfying D, the term evaluates to ∞.
Definition 3.3 [Extremal sub-execution lengths]
• $MAXLEN(D, M) = \max\{\#\sigma \mid \sigma \in subexec(M) \text{ and } \sigma \models_L D\}$
• $MINLEN(D, M) = \min\{\#\sigma - 1 \mid \sigma \in subexec(M) \text{ and } \sigma \models_L D\}$
Many quantitative features of interest can be specified using the constructs MAXLEN and MINLEN.
Example 3.4 For the arbiters of Example 1.1, we can elegantly formalise the response and dead-time (see Example 2.4) using MAXLEN as follows.
• 3-cycle response time is given by $MAXLEN(\lceil req\rceil^+ \wedge ((\Sigma ack = 2) \frown \lceil ack\rceil^0),\ Arbiter)$. The 3-cycle response time is given by the length of the longest sub-execution of Arbiter where req is invariantly true, with two occurrences of ack in between followed by ack at the end.
• Dead-time is given by $MAXLEN(\lceil lostcycle\rceil^+,\ Arbiter)$. The dead-time is given by the length of the longest sub-execution of Arbiter with lostcycle invariantly true.
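The semantics of Section 2, the derived constructs, the introduction's formula and the response-time formula of Example 3.4, evaluated on small constructed behaviours. This is an added Python example, not the paper's or DCVALID's code; the tuple encoding of formulas, the behaviour rows and the arbiter trace are constructions for illustration, and the final function is a single-trace analogue of MAXLEN rather than the model-level definition.

```python
"""Explicit evaluator for the QDDC semantics of Section 2 (added example, not DCVALID code).

A behaviour sigma is a non-empty list of valuations (dict: variable name -> bool).
Formulas are nested tuples:  ('pt0', P) point interval,  ('inv', P) invariance (right-open),
('chop', D1, D2) fusion,  ('and', D1, D2),  ('not', D),  ('exists', p, D),
('len', op, c) for eta op c,  ('count', P, op, c) for SigmaP op c.
Propositions P: a variable name, True/False, ('not', P), ('and', P, Q) or ('or', P, Q).
"""
from itertools import product

OPS = {'<': lambda x, c: x < c, '<=': lambda x, c: x <= c, '=': lambda x, c: x == c,
       '>=': lambda x, c: x >= c, '>': lambda x, c: x > c}


def holds(P, v):
    """sigma, i |= P for the single valuation v = sigma[i]."""
    if P is True or P is False:
        return P
    if isinstance(P, str):
        return bool(v[P])
    if P[0] == 'not':
        return not holds(P[1], v)
    if P[0] == 'and':
        return holds(P[1], v) and holds(P[2], v)
    if P[0] == 'or':
        return holds(P[1], v) or holds(P[2], v)
    raise ValueError(P)


def sat(D, sigma, b, e):
    """sigma, [b, e] |= D, clause by clause as in the inductive definition of Section 2."""
    k = D[0]
    if k == 'pt0':
        return b == e and holds(D[1], sigma[b])
    if k == 'inv':
        return b < e and all(holds(D[1], sigma[i]) for i in range(b, e))
    if k == 'not':
        return not sat(D[1], sigma, b, e)
    if k == 'and':
        return sat(D[1], sigma, b, e) and sat(D[2], sigma, b, e)
    if k == 'chop':   # some m with b <= m <= e splits the interval
        return any(sat(D[1], sigma, b, m) and sat(D[2], sigma, m, e) for m in range(b, e + 1))
    if k == 'len':    # eta = e - b
        return OPS[D[1]](e - b, D[2])
    if k == 'count':  # Sigma P counts positions b <= i < e (left-closed, right-open)
        return OPS[D[2]](sum(1 for i in range(b, e) if holds(D[1], sigma[i])), D[3])
    if k == 'exists':  # try every p-variant: same length, all other variables unchanged
        p, body = D[1], D[2]
        return any(sat(body, [dict(v, **{p: x}) for v, x in zip(sigma, bits)], b, e)
                   for bits in product((False, True), repeat=len(sigma)))
    raise ValueError(D)


def models(D, sigma):
    """sigma |= D  iff  sigma, [0, #sigma - 1] |= D."""
    return sat(D, sigma, 0, len(sigma) - 1)


# Derived constructs of Section 2.
TRUE = ('len', '>=', 0)                                     # eta >= 0 holds on every interval
def OR(D1, D2): return ('not', ('and', ('not', D1), ('not', D2)))
def IMPLIES(D1, D2): return ('not', ('and', D1, ('not', D2)))
def INV_CLOSED(P): return ('chop', ('inv', P), ('pt0', P))  # P holds on [b, e], endpoint included
def INV_PLUS(P): return OR(INV_CLOSED(P), ('pt0', P))       # ... or a point interval where P holds
def DIAMOND(D): return ('chop', ('chop', TRUE, D), TRUE)    # some subinterval satisfies D
def BOX(D): return ('not', DIAMOND(('not', D)))             # every subinterval satisfies D


def behaviour(**rows):
    """Build a behaviour from 0/1 rows per variable, like the picture of Example 2.1."""
    n = len(next(iter(rows.values())))
    return [{x: bool(row[i]) for x, row in rows.items()} for i in range(n)]


def longest_model_in_trace(D, sigma):
    """States in the longest sub-interval of sigma satisfying D (0 if none): the single-trace
    analogue of MAXLEN of Section 3, which ranges over all sub-executions of a model."""
    n = len(sigma)
    return max((e - b + 1 for b in range(n) for e in range(b, n) if sat(D, sigma, b, e)), default=0)


# Constructed inputs (not taken from the paper's experiments).
EX21 = behaviour(p=[1, 0, 1, 1, 0], q=[0, 0, 0, 0, 1])      # the word of Example 2.1
P_THEN_Q = ('chop', ('chop', ('pt0', 'p'), ('inv', ('not', 'q'))), ('pt0', 'q'))  # p first, q last, no q between


def intro_formula(c):
    """The introduction's formula with P = p, Q = q, R = p and bound c."""
    return BOX(IMPLIES(P_THEN_Q, ('count', 'p', '<=', c)))


ARB = behaviour(req=[1] * 8, ack=[1, 0, 0, 1, 0, 1, 0, 0])  # req held high; acks at 0, 3 and 5
RESP3 = ('and', INV_PLUS('req'), ('chop', ('count', 'ack', '=', 2), ('pt0', 'ack')))  # Example 3.4

if __name__ == '__main__':
    print(models(P_THEN_Q, EX21), models(intro_formula(3), EX21), models(intro_formula(2), EX21))
    print(longest_model_in_trace(RESP3, ARB))   # cycles until the third ack on this one trace
```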
4 Computing the Lengths of Extremal Models
In this section, we propose techniques for computing MAXLEN (D,M) and
MINLEN (D,M) using symbolic search.
4.1 Symbolic Search for Longest/Shortest Paths
Campos et al. have investigated BDD based symbolic techniques for finding lengths of shortest/longest subsequences within the executions of M satisfying some simple conditions [3], [4]. We give a brief overview of their results. (Recall that fragments of executions of M are called sub-executions.)
Consider a transition system M = (S, S0, R, L). Let
$source \leadsto dest = \{\sigma \in subexec(M) \mid \sigma[0] \in source \wedge \sigma[\#\sigma - 1] \in dest\}$
$source \hookleftarrow within = \{\sigma \in subexec(M) \mid \sigma[0] \in source \wedge \forall\, 0 \le i \le \#\sigma - 1.\ \sigma[i] \in within\}$
Then, $source \leadsto dest$ denotes the set of all sub-executions of M which begin in a state from source and end in a state from dest. Also, $source \hookleftarrow within$ denotes the set of all sub-executions of M which begin with a state from source and contain only the states from the set within.
Campos et al. [3] have defined two algorithms (functions) called MAXDELAY and MINDELAY for computing maximum/minimum delay. These have been implemented in the model checking tool NuSMV (3) [5].
The function MINDELAY[source, dest, M] returns the step length (i.e. number of edges) in the shortest sub-execution within $source \leadsto dest$. If $source \leadsto dest$ is empty then the algorithm returns the value ∞. Function MAXDELAY[source, within, M] returns the length (i.e. number of nodes) of the longest sub-execution in $source \hookleftarrow within$. If there are sub-executions of unboundedly many lengths then the algorithm returns the value ∞. In case the set $source \hookleftarrow within$ is empty the algorithm returns the value 0. Formally, we have the following theorem.
Theorem 4.1 (Campos, Clarke and Grumberg [4])
$MINDELAY[source, dest, M] = \min\{\#\sigma - 1 \mid \sigma \in source \leadsto dest\}$
$MAXDELAY[source, within, M] = \max\{\#\sigma \mid \sigma \in source \hookleftarrow within\}$
We now address the problem of finding the length of the longest sub-execution of M which starts with a state in source and ends with a state in dest. Consider a maximal (i.e. one which cannot be extended to another element) sub-execution σ in $source \hookleftarrow \neg dest$. Then, either σ ends in a state without any successor, or for all s ∈ S, if σ.s ∈ subexec(M) then s ∈ dest. Hence, computing MAXDELAY[source, ¬dest] does not give the correct answer.
Recall that the CTL logic formula EF dest denotes the set of states of M from which there exists a path to a state in dest. Now, consider $source \hookleftarrow EF\,dest$. Let σ be a maximal sub-execution in it. Then, σ begins with a state from source and ends with a state from dest. Hence, we have the following theorem.
Theorem 4.2 $MAXDELAY[source, EF\,dest, M] = \max\{\#\sigma \mid \sigma \in source \leadsto dest\}$
Thus, MAXDELAY[source, EF dest, M] gives the length of the longest sub-execution of M which starts with a state in source and ends with a state in dest. If there are executions of unbounded lengths of this form, the algorithm gives the value ∞. If there is no such sub-execution (i.e. the set $source \hookleftarrow EF\,dest$ is empty) then the algorithm gives the value 0.
3 There are many variants of these algorithms in literature. We consider a version close to
the NuSMV tool. Details can be found in the full paper.
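An explicit-state (graph) version of MINDELAY, MAXDELAY and the EF construction of Theorem 4.2, as an added example that is not NuSMV's BDD-based implementation. The two transition systems, their state numbers and the names TS, mindelay, maxdelay and longest_to_dest are constructed for illustration; the dead-end model shows why MAXDELAY[source, ¬dest] over-approximates, and the loop model shows the ∞ case.

```python
"""Explicit-state MINDELAY / MAXDELAY of Section 4.1 and the EF trick of Theorem 4.2.
Added example: NuSMV computes these symbolically with BDDs; this is a plain graph version
on small, constructed transition systems so the definitions can be checked by hand.
"""
from collections import deque

INF = float('inf')


class TS:
    """M = (S, S0, R): explicit states, initial states and edge relation (labels omitted)."""

    def __init__(self, states, initial, edges):
        self.states = set(states)
        self.initial = set(initial)
        self.succ = {s: set() for s in self.states}
        self.pred = {s: set() for s in self.states}
        for a, b in edges:
            self.succ[a].add(b)
            self.pred[b].add(a)
        # Only reachable states occur in executions, hence in sub-executions.
        self.reach = self._closure(self.initial, self.succ)

    @staticmethod
    def _closure(seed, rel):
        seen, todo = set(seed), list(seed)
        while todo:
            s = todo.pop()
            for t in rel[s]:
                if t not in seen:
                    seen.add(t)
                    todo.append(t)
        return seen

    def ef(self, dest):
        """CTL EF dest: states from which some path reaches dest (backward closure)."""
        return self._closure(set(dest) & self.states, self.pred)


def mindelay(ts, source, dest):
    """Step length (edges) of the shortest sub-execution in source ~> dest; INF if none."""
    dist = {s: 0 for s in set(source) & ts.reach}
    queue = deque(dist)
    while queue:                       # BFS pops states in order of increasing distance
        s = queue.popleft()
        if s in dest:
            return dist[s]
        for t in ts.succ[s]:
            if t not in dist:
                dist[t] = dist[s] + 1
                queue.append(t)
    return INF


def maxdelay(ts, source, within):
    """Number of states in the longest sub-execution in source <-| within.
    INF when such sub-executions have unbounded length (a cycle inside within is
    reachable from source), 0 when the set is empty."""
    start = set(source) & set(within) & ts.reach
    longest, on_stack = {}, set()

    def dfs(s):
        if s in on_stack:              # back at s without leaving within: a cycle
            return INF
        if s not in longest:
            on_stack.add(s)
            longest[s] = max([1] + [1 + dfs(t) for t in ts.succ[s] if t in within])
            on_stack.discard(s)
        return longest[s]

    return max((dfs(s) for s in start), default=0)


def longest_to_dest(ts, source, dest):
    """Theorem 4.2: the longest sub-execution from source ending in dest is MAXDELAY[source, EF dest]."""
    return maxdelay(ts, source, ts.ef(dest))


# Constructed model: 0 -> 1 -> 2 -> 3 reaches dest = {3}; the branch 1 -> 4 -> 5 -> 6 never does
# (6 has no successor), so a maximal path that merely avoids dest need not end in dest.
EDGES = [(0, 1), (1, 2), (2, 3), (1, 4), (4, 5), (5, 6)]
M_DEADEND = TS(range(7), {0}, EDGES)
M_LOOP = TS(range(7), {0}, EDGES + [(6, 4)])   # same model, but the dead branch now cycles
DEST = {3}

if __name__ == '__main__':
    for name, m in (('dead end', M_DEADEND), ('loop', M_LOOP)):
        print(name, 'MINDELAY =', mindelay(m, {0}, DEST),
              'MAXDELAY[not dest] =', maxdelay(m, {0}, m.states - DEST),
              'MAXDELAY[EF dest] =', longest_to_dest(m, {0}, DEST))
```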
MODULE AnyOnce
VAR
  m0st : { a, b, c };        -- a: m0 not raised yet, b: m0 raised now, c: m0 already used
ASSIGN
  init(m0st) := { a, b };
  next(m0st) := case
    m0st = a : { a, b };     -- stay idle or raise m0 at the next position
    m0st = b : c;            -- m0 was true at this position; never again
    m0st = c : c;
  esac;
DEFINE
  m0 := m0st = b;            -- m0 holds exactly at the position where m0st = b
Fig. 3. SMV module AnyOnce(m0), which sets m0 true at most once along each execution.
4.2 Computing Extremal Model Lengths of QDDC Formulae
Let M = (S, S0, R, L) be a transition system. Let m0 be a fresh propositional variable (not in the image of L) and let AnyOnce(m0) be a transition system which nondeterministically sets m0 to true for at most one position in each of its executions. The SMV code for such a transition system is given in Figure 3.
Let D′ be a QDDC formula. By Theorem 2.2, we have a finite state automaton A(D′) which precisely accepts the models of D′. We can use A(D′) as a synchronous observer for D′ and run it in synchronous (lock-step) parallel with M giving the transition system M × A(D′). Let end be a fresh propositional variable and (using the labelling function for A(D′)) define end to be true exactly when A(D′) is in its final state (4). In the following, we use $D' = (true \frown \lceil m_0\rceil^0 \frown D)$. Let
$M' = M \times AnyOnce(m_0) \times A(true \frown \lceil m_0\rceil^0 \frown D)$. (1)
Consider any sub-execution σ of M′ which starts with m0 being true and finishes with end being true. Then, it is obvious that σ ⊨L D. Hence, MINDELAY[m0, end, M′] gives the length of the shortest sub-execution of M satisfying D. Formally,
Theorem 4.3 Let M′ be as in Equation (1). Then, $MINLEN(D, M) = MINDELAY[m_0, end, M']$.
We omit the formal proof of this theorem.
Consider the product transition system M′ in Equation (1). Let endpref be a new propositional letter which is true exactly when the observer automaton A(D′) is in a state from which it is possible for M′ to reach a final state of A. Thus, define endpref ⇔ (EF end) where end is as before.
Consider a sub-execution of M′ which begins with m0 true and which has endpref true throughout. Then, a maximal sub-execution of this form will be one where D holds. Hence, using Theorem 4.2 we have the following result.
Theorem 4.4 Let M′ be as in Equation (1) and let endpref ⇔ EF end. Then, $MAXLEN(D, M) = MAXDELAY[m_0, endpref, M']$.
We omit the formal proof of this theorem.
4 Our tool DCVALID is able to take a QDDC formula D′ and construct an SMV module for A(D′) which defines such a proposition end.
5 Implementation and Experimental Results
Using Theorems 4.3 and 4.4, the computations of the values of MAXLEN(D, M) and MINLEN(D, M) can be reduced to simpler MINDELAY and MAXDELAY computations over the transformed model M′. Note that constructing M′ requires taking the synchronous product of M with the observer automaton for D′ as in Equation (1). These reductions have been implemented into the tool DCVALID, which takes as input an SMV module for system M as well as the specifications consisting of MINLEN(D, M) and MAXLEN(D, M) computation commands. It produces a transformed SMV module corresponding to the transformed system M′ as defined in Equation (1). It also produces the transformed MINDELAY and MAXDELAY computation specifications as in Theorems 4.3 and 4.4. We call this reduction observer generation. Next, the generated SMV specification is given to the NuSMV tool to perform the required MINDELAY and MAXDELAY computations by symbolic search. We shall call this step delay time computation. The required answers are obtained at the end of this step. We now give some experimental results obtained using this tool.
Experimental Results
We consider the n-cell synchronous bus arbiters MacArbV0 and MacArbV1 from Example 1.1 with their response time and dead time specifications as extremal model lengths as given in Example 3.4. The exact input to our tool DCVALID as well as the transformed SMV code produced by the tool can be found in the full version of the paper.
In Figure 4, we summarise the computation results obtained for the two 5-cell arbiters, namely MacArbV0 and MacArbV1. In particular, these show that the dead-time for the 5-cell arbiter MacArbV1 is ∞. Thus, surprisingly, the arbiter MacArbV1 can lose unboundedly many consecutive cycles. Note that this result is impossible to obtain using traditional model checking.
3-cycle response time
  Arbiter    Cell      Cycles
  MacArbV0   1         15
  MacArbV0   2 to 5    20
  MacArbV1   1         15
  MacArbV1   2 to 5    16
Dead-time
  Arbiter    Cycles
  MacArbV0   5
  MacArbV1   ∞
Fig. 4. Extremal model lengths computed for the two 5-cell arbiters.
We compare the performances of the timing analysis of the arbiter circuits using (a) the extremal model length computation technique, and (b) traditional model checking of the specification given in Example 2.4. In both cases, first the observers (automata) are generated from QDDC formulae and then symbolic search is carried out. Hence, to measure performance, we give a pair of execution times in seconds. Let ↑ n denote that the execution does not finish within n seconds, let ↓ denote failed execution due to resource overrun (e.g. memory), and let ∗ denote the absence of an experiment.
The arbiter MacArbV0 from Figure 1 with a different number of cells was used as the model and its two properties from Example 3.4 were checked. The results are given in the table below (times in seconds; Obs = observer generation, Search = symbolic search).
  Problem            Property                MAXLEN computation     Model checking
                                             Obs     Search         Obs     Search
  20-cell arbiter    Dead time               0.06    0.85           0.07    ↑ 600
  30-cell arbiter    Dead time               0.06    19.95          0.07    ∗
  40-cell arbiter    Dead time               0.06    ↑ 600          ∗       ∗
  200-cell arbiter   1-cycle response time   0.07    13.78          4.47    105.43
  20-cell arbiter    3-cycle response time   0.07    0.21           267     ↓
  200-cell arbiter   3-cycle response time   0.07    18.38          ↑ 600   ∗
6 Discussion
Many interesting properties of a discrete time system, such as response time and latency, can be conveniently specified as finding the extremal (least/greatest) value of a parameter k making a parameterised QDDC formula D(k) valid over the system M. Here, QDDC is a rich interval temporal logic which incorporates features (called durations) to count the number of occurrences of events within an interval.
To characterise such properties, in the paper we have proposed constructs (terms) MAXLEN(D, M) and MINLEN(D, M). It is easy to see from their definitions that they capture extremal solutions of the following parameterised QDDC specifications: $MAXLEN(D, M) = \min\{k \mid M \models \Box(D \Rightarrow \eta < k)\}$, and $MINLEN(D, M) = \max\{k \mid M \models \Box(D \Rightarrow \eta \ge k)\}$.
In the paper, we have also proposed a technique to compute the values of these terms MAXLEN and MINLEN. The technique makes use of the automata theoretic decision procedure for the logic QDDC [12] and the symbolic search technique (called Delay computation) for shortest/longest path in M between specified sets of states start and end [3]. The technique has been implemented into the model checker DCVALID for checking QDDC properties of SMV programs.
Note that the traditional "yes/no" model checking can verify a property D(k) for a given constant k. However, finding extremal values of k requires trial-and-error with different values of k. Such a method is inherently incomplete and it can only be partially successful. If D(k) is unsatisfiable for all k, the trial-and-error method of finding the minimum k will not terminate. Moreover, trial-and-error cannot determine the maximal k in general. At best, if the property is downward closed w.r.t. k (i.e. $D(k) \Rightarrow \bigwedge_{j<k} D(j)$) and we find the least k s.t. D(k + 1) is violated then we can claim to have found the maximal k. If there are unboundedly many k satisfying D(k), again the trial-error method will not terminate. By contrast, our MAXLEN and MINLEN computation algorithms always give the answer. While the worst case theoretical complexity is high (non-elementary [12]), in practice the technique seems to be reasonably efficient as illustrated by our experiments.
In the paper, we have presented the results of experiments with our tool DCVALID to compute properties like the 3-cycle response time and dead-time for circuits such as 20 to 200 cell bus-arbiters. Using the MAXLEN computation method, we managed to establish for the first time that the arbiter MacArbV1 can lose unboundedly many cycles in sequence.
Our experiments show that response time calculation using extremal model length computation can be orders-of-magnitude faster than the traditional model checking of a given response time value. In fact, the performance results tabulated in Section 5 show that traditional model checking is unable to handle problems like response and dead-time for circuits larger than 5-10 cells. By comparison the extremal model length computation technique seems to work for circuits with over 200 cells. This trend is also borne out by some preliminary experiments with other problems like job shop scheduling.
Thus, we believe that the technique proposed in this paper represents a useful advance in our ability to carry out timing analysis. Even dense-time systems can be analysed using these techniques by first digitizing them and then carrying out a discrete time analysis of their timing properties (see [6]).
6.1 Related Work and Comparison
Parameterised temporal logics have been studied by many researchers [7,1] and the question of finding optimal parameters has also been looked at [1]. These techniques rely on checking D(k) for some values of k up to some (typically large) theoretical bound m based on the model and the formula sizes. By contrast, the techniques based on symbolic search for the shortest/longest paths in M seem to be much more efficient in practice.
In their pioneering work, Campos et al. first formulated the DELAY algorithms for symbolically computing the lengths of the shortest/longest paths within a transition system M between two specified sets of states, source and dest [3]. Campos, Clarke and Grumberg extended this by additionally specifying an LTL formula which must hold for the interval between source and dest [4]. The model checker NuSMV allows specification of the sets source and dest by CTL formulae [5].
In this paper, we have generalised the method of Campos et al. to compute the lengths of extremal sub-executions satisfying a formula of the logic QDDC. Note that the 3-cycle response time specification of our logic (Example 3.4) cannot be specified purely using the original MAXDELAY construct, and our extension is needed. Because of its ability to count events, the logic QDDC can elegantly specify complex transactions and schedulability constraints. Hence we envisage that our techniques will be useful in analysing timing problems related to schedulability and planning.
References
[1] Alur, R., K. Etessami, S. La Torre and D. Peled, Parametric temporal logic for model
measuring, in Proc. 26th International Colloquium on Automata, Languages, and Programming,
LNCS 1644, Springer-Verlag, pp. 159–168, 1999.
[2] Bouali, A., J.P. Marmorat, R. de Simone and H. Toma, Verifying Synchronous Reactive
Systems Programmed in Esterel, in Proc. FTRTFT’96, LNCS 1135, Springer-Verlag, 1996.
[3] Campos, S., E. Clarke, W. Marrero, M. Minea and H. Haraishi, Computing Quantitative
Characteristics of Finite-state Real-time Systems, in Proc. IEEE Real-time systems symposium,
1994.
[4] Campos, S., E. Clarke and O. Grumberg, Selective Quantitative Analysis and Interval
Model Checking, in Proc. Eighth International Conference on Computer Aided Veriﬁcation
(CAV’1996), LNCS 1102, Springer-Verlag, 1996.
[5] Cimatti, A, E. Clarke, E. Giunchiglia, F. Giunchiglia, M. Pistore, M. Roveri, R. Sebastiani
and A. Tacchella, NuSMV Version 2: An OpenSource Tool for Symbolic Model Checking,
in Proc. International Conference on Computer-Aided Veriﬁcation (CAV 2002), LNCS 2404,
Springer-Verlag, 2002.
[6] Chakravorty, G. and P.K. Pandya, Digitizing Interval Duration Logic, in Proc. International
Conference on Computer Aided Veriﬁcation (CAV 2003), Colorado, Boulder, July 2003 (Eds.)
Warren A. Hunt, Jr. and Fabio Somenzi, LNCS 2725, Springer-Verlag, (2003) pp 167-179.
[7] Emerson, E.A. and R.J. Treﬂer. Parametric quantitative temporal reasoning, in Proc. 14th
IEEE Symp. Logic in Computer Science (LICS’99), Trento, Italy, July 1999, pages 336–343,
1999.
[8] Halbwachs, N., F. Lagnier and P. Raymond, Synchronous observers and the veriﬁcation of
reactive systems, in Proc. Third Int. Conf. on Algebraic Methodology and Software Technology,
AMAST’93, Twente, Springer-Verlag, 1993.
[9] Henriksen, J.G., J. Jensen, M. Jorgensen, N. Klarlund, B. Paige, T. Rauhe, and A. Sandholm,
Mona: Monadic Second-Order Logic in Practice, in First International Workshop on Tools and
Algorithms for the Construction and Analysis of Systems (TACAS’95), LNCS 1019, Springer-
Verlag, 1996.
[10] McMillan, K., Symbolic Model Checking, Kluwer Academic Publisher, 1993.
[11] Moszkowski, B., A Temporal Logic for Multi-Level Reasoning about Hardware, in IEEE
Computer, 18(2), 1985.
[12] Pandya, P.K., Specifying and Deciding Quantiﬁed Discrete-time Duration Calculus Formulae
using DCVALID: An Automata Theoretic Approach, in Proc. Workshop on Real-time Tools
(RTTOOLS’2001), Aalborg, Denmark, August 2001.
[13] Pandya, P.K., Model checking CTL*[DC], in Proc. Int. Workshop on Tools and Algorithms for
the Construction and Analysis of Systems (TACAS 2001), Genova, Italy, LNCS 2031, Springer-
Verlag, 2001.
[14] Pandya, P.K., The saga of synchronous arbiter: On model checking quantitative timing
properties of synchronous programs, in Proc. Workshop on Synchronous languages, applications
and programming (SLAP’2002), ENTCS 65.5, Elsevier Science B.V., April 2002.
[15] Zhou Chaochen and M.R. Hansen, Duration Calculus: A formal approach to real-time systems,
Springer, 2004.
[16] Zhou Chaochen, C.A.R. Hoare and A.P. Ravn, A Calculus of Durations, Info. Proc. Letters,
40(5), 1991.