circuit composed of gates whose real-valued delays are in an integer-bounded interval, is there a way to discretize time while preserving the qualitative behavior of the circuit?" This problem is described as open in [BS94]. When "preservation of qualitative behavior" is interpreted in a strict sense, as having all original sequences of events with their original ordering, we obtain the following two results: 1) For acyclic (combinatorial) circuits whose inputs change only once, the answer is positive: there is a constant , depending on the maximal number of possible events in the circuit, such that if we restrict all events to take place at multiples of , we still preserve qualitative behaviors. 2) For cyclic circuits the answer is negative: a simple circuit with three gates can demonstrate a qualitative behavior which cannot be captured by any discretization. Nevertheless we show that a weaker notion of preservation, similar to that of [HMP92], allows in many cases to verify discretized circuits with = 1 such that the verification results are valid in dense time.
Introduction
The analysis of digital circuits¹ whose components exhibit uncertain delay parameters is a challenging task. A commonly-used model for specifying such systems is the bi-bounded delay model where the output of every gate passes through a delay element characterized by some interval $[l, u]$. Roughly speaking, changes at the input port of the delay element are propagated to its output port after some time $t$ taken from the interval $[l, u]$.
(Author footnote) The results were obtained while the author was a visiting professor at Ensimag, Inpg, Grenoble.
(Author footnote) The results were obtained while the author was a visiting professor at UJF, Grenoble.
¹ In this paper, we treat digital circuits which we consider to be a well-behaving subset of timed automata. While many of the results can be extended to arbitrary timed automata, we prefer clarity of presentation over generality.
Adding quantitative timing information to a discrete transition system A amounts to connecting A to a special system called Time, which is viewed as a transition system with a special structure, namely, a linear order, such that all transitions go "to the right". The composition of A and Time consists of a system where transitions of A and time passage transitions are interleaved.
Consider the example in figure 1: Initially we have a two-state automaton which can decide at any time to take a single transition labeled by a, and a time structure annotated with t transitions. Adding timing constraints to A consists in: 1) annotating the a transition with a condition $T \in [2, 4]$ on the state of Time and 2) adding "idling" transitions to both in order to synchronize: each system takes its real transitions when the other is idling. The product of the two is a system which makes a at some time in $[2, 4]$.
Remark: This picture is intentionally over-simplified, mainly because we do not have two consecutive transitions and the reference time value is always 0. Otherwise we need to introduce an additional unbounded state variable of type Time, memorizing the time of the last transition since the beginning. If we had a product of several systems, we would have needed such a variable for each.
Note that we were not very specific about one important property of Time, whether its order is dense or discrete. One can imagine (if not draw) an analogue of figure 1 where the states of Time are labeled by all the real numbers. The structure of the interaction between Time and A remains the same. In fact, there is a slight misconception concerning the significance of timed models such as timed automata. Our view is that one should distinguish two aspects of timed models: one is the interaction with a special process such as Time, whose state-space admits order and metric, and the other is the use of continuous dense Time.² The latter is not necessarily implied by the former, and the goal of the paper is to investigate what expressive power (in the sense of modeling) is lost if we refrain from using dense time models, and stay within the familiar (to computer scientists, that is) realm of discrete systems.
² We owe some of this insight to [RT97].
Consider again figure 1 with a discrete time interpretation where every t indicates 1 time unit. What does it really mean to move to a coarser time scale of 2 time units? One interpretation is that odd Time states are removed and that t represents 2 units. Alternatively, we can maintain the same intrinsic structure of Time but erase all the a transitions from the odd time instants, restricting the product system to take untimed transitions only at even times. In this example the possibility of taking a at $T = 3$ is lost. If we restrict transitions to occur at multiples of 5 we may miss the transition altogether. However, if the granularity of time is at least as fine as the scale of the timing constraints, we are sure not to miss any event in a single-clock (single variable) system. Suppose now that we have two such systems running in parallel, one can make a in $[2, 3]$ and the other can make b at $[3, 4]$ (figure 2). Here, the integer time-scale allows a and b to occur either simultaneously (at 3) or one after the other. By restricting transitions to occur either at odd or even time instants, only one of the above possibilities is allowed. Similar investigations were carried out in [HMP92] using a different model and a different technique.
The rest of the paper is organized as follows: In section 2 we describe the circuit and delay models that we use. In section 3 we show how the realizability of a qualitative behavior is related to the emptiness of certain polyhedra (possibly infinite-dimensional). These results are used to show that, essentially, acyclic circuits (and automata) admit a discretization, while cyclic circuits (and timed automata in general) do not. In section 4 we show that untimed properties can essentially be verified using discrete time models. Some short contemplations on the potential implications of the results conclude the paper.
Signals and Circuits
Let $T = R_+$, $B = \{0, 1\}$ and $K = \{1, \ldots, k\}$.
Definition 1 (Boolean Signals). A Boolean signal is a left-continuous function : $T \to B^k$ admitting a countable³ increasing sequence (which is either finite or diverging) $J(\ ) = t_0, t_1, \ldots$ of transition points such that $t_0 = 0$ and is constant at every interval $(t_j, t_{j+1}]$ and discontinuous at every $t_j$.
A signal is ultimately-constant if $J(\ )$ is finite. We denote the set of all Boolean signals by $S^k$. A Boolean function is a function $f : B^k \to B$ for some k 0. For any such function we define its pointwise extension $f : S^k \to S$ in the obvious way, namely = f( ) iff for every $t \in T$, [t] = f( [t]). We call this an instantaneous signal function. At the level of modeling in which we are interested, a gate is usually viewed as a composition of an instantaneous function and a delay element which holds the output of the function for some time before transmitting it outside. There are several realistic properties of delays which must be accounted for in the model:
³ And of order type $\omega$ if you want to be pedantic.
1. Positive lower-bound: there is a minimal amount of time that has to elapse between the change of the input and the change in the output.⁴
2. Uncertainty: the exact delay is usually unknown and can only be estimated to be within an interval.
3. Inertia: small fluctuations in the input are ignored by the delay element, and only changes that persist for a minimal duration are propagated to the output.
These considerations are reflected in the following definition:
Definition 2 (Non-Deterministic Inertial Delay). Let (Every change in must be preceded by a persistent change in which happened at least $l$ time units before).
3. For every $t \in J(\ )$, $(t, t+u] \cap J(\ ) \neq\ \ \vee\ \ [t+l, t+u] \cap J(\ ) \neq\ $ .
(Every $u$-persistent change in must be reflected in ). Essentially this means that changes in that persist less than $l$ are ignored (filtered), those that persist between $l$ and $u$ time can be either filtered or propagated to , and those that persist for $u$ or more time must be propagated to .
The distance between a change in and its corresponding change in must be in the interval $[l, u]$. These notions are illustrated in figure 3.
Remark: This model is only one among possible alternative models for the delay phenomenon. One could assume, for example, that changes should persist for at least $l_1$ time units, but propagated after $l_2$, $l_2 > l_1$ time. On the other hand, the requirement that an input change persists until its propagation to the output may be relaxed. Incorporating such delay models can be done in the timed automaton framework by adding additional states to the basic automaton. The choice among models depends on the trade-off between model complexity and the faithfulness to the physical reality. Also, we use the closed interval $[l, u]$ in the discussion, but the results in the following sections treat intervals which can be open at one or two ends.
Non-deterministic delays pose problems for traditional simulation methods as the next "event" in the simulation can take place anywhere within an interval. In the sequel, in order not to drag with us too much notation, we will omit the reference to the initial value from the delay equations and use equations of the form = $[l, u]$ ( ).
Definition 3 (Circuit). A $k$-variable digital circuit is a tuple $N = (X, F, D)$ where $X = \{x_1, \ldots, x_k\}$ is a set of variables, $F = \{f_1, \ldots, f_k\}$ is a set of Boolean
⁴ Some models relax this condition and allow unboundedly small (but positive) delays.
A circuit appears in figure 4-(a). The correspondence between a circuit and the system of inclusions (1) is straightforward and we will refer to the latter as the description of the circuit. Needless to say, the system of inclusions (1) need not have a unique solution. The set of solutions is called the semantics of the circuit and is denoted by $L_N$.
For certain purposes it is useful to introduce an auxiliary set of variables $Y = \{y_1, \ldots, y_k\}$ and consider the signal $y = \langle y_1, \ldots, y_k \rangle$ such that for every $i \in K$, $y_i = f_i(x_1, \ldots, x_k)$. Every $y_i$ represents the "hidden" value of $x_i$, that is, the value that $x_i$ is about to obtain given that $f_i(x_1, \ldots, x_k)$ remains stable for a sufficiently long period. The signal $y$ is called the hidden behavior associated with $x$. In the analysis of synchronous circuits with a central clock, it is often assumed that the circuit is acyclic, i.e. there is no cycle in the circuit layout. Such a circuit appears in figure 4-(b). The signals entering at the top are called the primary inputs of the circuit. A primary input which may change at most once at the beginning of the execution can be modeled by a timed automaton of the type appearing in figure 5-(b). We leave it to the reader to verify that a product of such input automata with the automata corresponding to the equations of an acyclic circuit is an acyclic automaton (no cycles in the transition graph), and hence the number of transitions in any run is finite and bounded.
Qualitative Behaviors and their Realizability
In this section we introduce the notion of a qualitative behavior, a result of stripping away the quantitative properties of a signal and considering only the ordering relation among events.
Let $x$ be an observable behavior of a given circuit and let $y$ be the corresponding hidden behavior. We define three functions $E_X$, $E_Y$ and $E : J(x) \to 2^K$ as follows:
$E_X(j) = \{ i : x_i[t_j] \neq x_i[t_{j-1}] \}$
$E_Y(j) = \{ i : y_i[t_j] \neq y_i[t_{j-1}] \}$
$E(j) = E_X(j)$ $E_Y(j)$
In other words, $E_X(j)$ is the set of all indices of the $x$-variables that change at time $t_j$. If $i \in E_X(j)$ (resp. $i \in E_Y(j)$) we say that $t_j$ is an $x_i$-event (resp. a $y_i$-event). If $i \in E(j)$ we say that $t_j$ is an $i$-event. Note that $E_Y(j) \neq$ only if $E_X(j) \neq$ .
Two behaviors $x$ and $x'$ are equivalent, denoted by $x$ $x'$, if their corresponding functions $E_X$ and $E'_X$ are identical. A qualitative behavior is an equivalence class of , denoted by $[x]$, and it can be viewed as a string (without repetition) taken from $(B^k)$ $(B^k)^\omega$, which records the values of $x$ at $J(x)$. We extend this notion to sets of signals, i.e. $[L] = \{ [x] : x \in L \}$. The number of events in a signal $x$ is defined as:
Let $N = (X, F, D)$ be a circuit. A signal can be generated by $N$ if it satisfies two types of constraints. The first type is logical and does not depend on the delay parameters:
1. For every $i$, $y_i = f_i(x_1, \ldots, x_k)$, where $f_i \in F$.
2. Every $y_i$-event is followed by an $i$-event. This means that every triggering of a variable is either aborted or concluded successfully.
3. Every $x_i$-event is preceded by a $y_i$-event (without any $x_i$-event between them): observable changes must be triggered first.
On the basis of these conditions we can rule out qualitative behaviors which are not realizable regardless of quantitative timing. For the rest of signals we define a partial function $F : K$ $J(x) \to J(x)$, which associates with every $i \in \{1, \ldots, k\}$ and $j$, such that $t_j$ is a $y_i$-event, a number $m > j$ such that $t_m$ is the time of the next $i$-event.
We denote the set of solutions of the system of inequalities (2)
The results concerning closed t-polyhedra might tempt one to think that by "closing" all timing constraints it is possible to 1-discretize all circuits (i.e. that for these circuits the dense-time and discrete-time semantics coincide). Unfortunately this is not the case: the characteristic t-polyhedron of a qualitative behavior is defined by two sets of inequalities. While the timing constraints can be made closed by an (infinitesimal) modification of the circuit model, the ordering constraints $t_0 < t_1 < t_2 \ldots$ are open by nature, the resulting polyhedron is mixed and a discretization of $= 1/M < 1/n$ is necessary for the acyclic case.
For cyclic circuits, the negative result of claim 2 applies.
By relaxing the ordering constraints into $t_0$ $t_1$ $t_2 \ldots$ we obtain a weaker notion of behavior preservation. For every qualitative behavior $[x]$, realizable by a dense time circuit, there is a qualitative behavior $[x']$, realizable in discrete time, such that some events that occur at different time instants in $x$, take place at the same time instant in $x'$. This is the notion of preservation used in [HMP92] who employ a "timed trace" model where $(a, t_1)(b, t_2)$ $(a, t_1)(b, t_1)$ but $(a, t_1)(b, t_1)$ 6 $(b, t_1)(a, t_1)$. To demonstrate the weak preservation phenomenon consider the circuit described by can be realized by $t_1$, $t_2$ and $t_3$ satisfying 1 $t_1 < t_2 < t_3$ 2. Clearly, this t-polyhedron does not contain an integer point. Only by relaxing the ordering relation between the events into 1 $t_1$ $t_2$ $t_3$ 2 we can 1-discretize and obtain a behavior such as
Theorem 1 (Main Result).
1. Every acyclic circuit can be -discretized with $= 1/M < 1/n$, where $n$ is the maximum of $Z(x)$ over all qualitative behaviors which are logically realizable by the circuit.
2. There are cyclic circuits which are not discretizable at all.
3. All circuits with closed delay intervals can be 1-discretized with weak preservation of behaviors.
Proof:
1. An immediate consequence of corollary 3.
2. Consider the circuit described by The characteristic polyhedron of this behavior is exactly the one defined by the inequalities (5), if we take $t_j$, $r_j$ and $s_j$ to denote the $j$th transition times of $x_1$, $x_2$ and $x_3$ respectively. The result follows from claim 2-1.
3. This is essentially the result of [HMP92] and it follows from claim 2-2. □
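The grid examples in the text (a in [2, 3] and b in [3, 4] from the introduction, and t1 < t2 < t3 inside [1, 2] from the weak-preservation discussion) can be checked by brute force. This is an added sketch, not code from the paper; the function names, the encoding of a qualitative behavior as a tuple of sets, the reading of both examples as independent closed windows, and the choice of a 1/4 grid for three events are assumptions made here.

```python
from fractions import Fraction
from itertools import product

def grid_points(lo, hi, step, offset=0):
    """Grid times offset + n*step (n = 0, 1, ...) inside the closed window [lo, hi]."""
    pts, t = [], Fraction(offset)
    while t <= hi:
        if t >= lo:
            pts.append(t)
        t += Fraction(step)
    return pts

def qualitative_behaviors(windows, step, offset=0):
    """Event orderings realizable when every event must fall on the grid.

    A behavior is a tuple of frozensets in increasing time order; events in
    the same frozenset occur at the same instant.
    """
    names = sorted(windows)
    choices = [grid_points(*windows[e], step, offset) for e in names]
    found = set()
    for times in product(*choices):
        by_time = {}
        for event, t in zip(names, times):
            by_time.setdefault(t, set()).add(event)
        found.add(tuple(frozenset(by_time[t]) for t in sorted(by_time)))
    return found

def weakly_realizes(behavior, order):
    """True if `behavior` keeps the sequence `order` once < is relaxed to <=."""
    rank = {e: i for i, group in enumerate(behavior) for e in group}
    return all(rank[p] <= rank[q] for p, q in zip(order, order[1:]))

# Constructed inputs taken from the two examples in the text (assumed closed windows).
AB = {"a": (2, 3), "b": (3, 4)}                     # a in [2, 3], b in [3, 4]
T123 = {"t1": (1, 2), "t2": (1, 2), "t3": (1, 2)}   # all three events in [1, 2]
STRICT = (frozenset({"t1"}), frozenset({"t2"}), frozenset({"t3"}))  # t1 < t2 < t3

if __name__ == "__main__":
    print("unit grid :", qualitative_behaviors(AB, 1))
    print("even only :", qualitative_behaviors(AB, 2, offset=0))
    print("odd only  :", qualitative_behaviors(AB, 2, offset=1))
    unit = qualitative_behaviors(T123, 1)
    print("strict on unit grid:", STRICT in unit)
    print("weak on unit grid  :",
          any(weakly_realizes(b, ("t1", "t2", "t3")) for b in unit))
    print("strict on 1/4 grid :", STRICT in qualitative_behaviors(T123, Fraction(1, 4)))
```

On the unit grid the strict ordering of the three events is lost and only its relaxed form survives, which is the false-negative risk to keep in mind when a discrete-time model is used to verify a design specified in dense time.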
Preservation of Properties
In this section we use rather informally the term closed for speaking of circuits or timed automata whose timing conditions are closed, and for the languages of signals generated by such automata.
Corollary 5 (Untimed Properties of Automata). Untimed properties of closed circuits/automata can be verified using the discrete time semantics. Untimed properties of non-closed automata can be verified using the discrete semantics with the risk of creating false negatives.
In [BM98] a low-level asynchronous realization of a FIFO buffer was verified using a discrete time model. Since the specification of the desired behavior is the untimed language of compatible reads and writes from the buffer, the verification results carry over to dense time. We are currently investigating which other classes of properties can be verified safely using discrete time. Some suggestions appeared already in [HMP92].
Discussion
The main contribution of this paper is in shedding some more light on the relation between discrete and dense time models, and in solving an open problem concerning the discretization of circuits. We believe that the circuit model and the geometric analysis techniques introduced in this paper will be useful both for hardware timing verification and for advancing the theory of timed automata. In particular it currently seems that for most reasonable practical purposes, discrete time verification will do the job.
