Automata of asynchronous behaviors  by Brzozowski, J.A. & Negulescu, R.
Theoretical Computer Science 231 (2000) 113–128
www.elsevier.com/locate/tcs
Automata of asynchronous behaviors ☆
J.A. Brzozowski*, R. Negulescu¹
Department of Computer Science, University of Waterloo, Waterloo, Ont., Canada N2L 3G1
Abstract
We survey three applications that use finite automata to specify behaviors of concurrent processes in general, and asynchronous circuits in particular. The applications are: verification of concurrent processes, liveness properties, and delay insensitivity of asynchronous networks. In all three cases, we start with a common model of a nondeterministic finite automaton, and then add certain application-specific features. Typically, the added features involve separating the alphabet or the state set of the automaton into several disjoint subsets. For each application we provide the motivation, describe the type of automaton used, define the most important operations, and state some of the key results. For process verification, we describe a BDD-based tool that implements the respective automata and operations. © 2000 Elsevier Science B.V. All rights reserved.
Keywords: Asynchronous; Automaton; Behavior; Circuit; Verification
1. Introduction
We begin by introducing some concepts common to several applications. The notation is loosely based on that of [6].
Denition 1. An action automaton is a quadruple A= h;Q; I; Ei, where
1.  is a nite set, called the alphabet of actions.
2. Q is a nite, nonempty set of states.
3. I Q is a nonempty set of initial states.
4. EQQ is a set of edges.
A path of $A$ is a finite sequence $c = (q_0, \sigma_1, q_1) \ldots (q_{k-1}, \sigma_k, q_k)$ of consecutive edges; the length of this path is $k$. The element $s = \sigma_1 \ldots \sigma_k$ of $\Sigma^*$ is the word of the path $c$. For each state $q \in Q$, there is a trivial path $q$ from $q$ to $q$ with word $\varepsilon$, the empty word. Note that trivial paths are not edges. A path with $q_0 \in I$ is called initialized. The language of $A$ is the set of words of the initialized paths. It follows that the language of an action automaton is prefix-closed, i.e., that every prefix of a word in the language also belongs to the language. Also, such a language is never empty, since it contains $\varepsilon$.

☆ This research was supported by the Natural Sciences and Engineering Research Council of Canada under grant No. OGP0000871, and by an Ontario Graduate Scholarship.
* Corresponding author. E-mail address: brzozo@maveric.uwaterloo.ca (J.A. Brzozowski)
¹ Presently with Department of Electrical and Computer Engineering, McGill University. http://www.macs.ece.mcgill.ca/~radu
PII: S0304-3975(99)00021-3
Denition 2. An automaton is deterministic if it has exactly one initial state, and for
each q2Q and 2 there is at most one edge of the form (q; ; q0).
Action automata will be used to represent processes. The product, dened below, of
two action automata will then denote their joint behavior.
Denition 3. The product of two action automata A1 = h1; Q1; I 1; E1i and A2 = h2;
Q2; I 2; E2i is an action automaton A=A1A2 = h;Q; I; Ei where
1. =1 [2.
2. Q=Q1Q2 (the Cartesian product of sets Q1 and Q2).
3. I = I 1 I 2 (the Cartesian product of sets I 1 and I 2).
4.
E =

((q1; q2); ; (q01; q02)) j
21n2 ^ (q1; ; q01)2E1 ^ q2 = q02 2Q2
W
22n1 ^ (q2; ; q02)2E2 ^ q1 = q01 2Q1
W
21 \2 ^ (qi; ; q0i)2Ei; for i=1; 2} :
The rationale for this definition of product is that the edges of $A$ should be ‘compatible’ with both $A_1$ and $A_2$. If we strip an edge of $A$ of the state components $q_2$ and $q'_2$, we should obtain either an edge of $A_1$ or a self-loop labeled with an action from outside $\Sigma_1$. Since going through a self-loop leaves the state unchanged, the action from outside $\Sigma_1$ is ‘ignored’ by $A_1$. A symmetrical property holds for $A_2$. Note that the language of $A_1 \times A_2$ is $\{ w \in \Sigma^* \mid w \downarrow \Sigma_1 \in L_1 \wedge w \downarrow \Sigma_2 \in L_2 \}$, where $L_1$ and $L_2$ are the languages of $A_1$ and $A_2$, respectively, and $\downarrow$ is the projection operation defined as follows. For word $w$ and alphabet $\Sigma'$, $w \downarrow \Sigma'$ is the word obtained by deleting from $w$ all actions that are not in $\Sigma'$.
2. Process automata
In [10, 13], a simple theory of concurrent systems was introduced. This theory, called “process spaces”, unifies several types of systems and correctness criteria for such systems by abstracting the notion of “execution”. Executions can be finite or infinite sequences of events, functions of time, etc., but, in the general theory, executions are just elements of an arbitrary set $\mathcal{E}$.
Fig. 1. Example: buffer specification.

Although executions have no structure in general process spaces, for a particular problem one needs to choose particular executions. Often, we choose finite words over a given alphabet $\mathcal{U}$, i.e., $\mathcal{E} = \mathcal{U}^*$. The execution sets of a process are then languages over $\mathcal{U}$, and $\mathcal{U}$ is called the universe of actions.
In a typical application, we represent waveforms of digital circuits by finite-word executions by associating the occurrence of an action to each signal transition in the circuit. We do not distinguish between rising and falling transitions. For instance, the waveform in Fig. 1(b) is represented by $ababab$.
Denition 4. A process over a set E is a pair (X; Y ) of subsets of E such that
X [Y =E.
A process represents a contract between a device and its environment; this contract is from the device point of view. A process $(X, Y)$ splits $\mathcal{E}$ into three disjoint subsets: $X \cap Y$, $\overline{X}$, and $\overline{Y}$, called goals, errors, and rejects, respectively. Executions in $X \cap Y$ are legal for both the device and the environment. Executions in $\overline{X}$ represent errors of the device. Finally, executions in $\overline{Y}$ represent bad behavior on the part of the environment, and, as such, can be rejected by the device. Executions in $X$ are called accessible by the device, whereas those in $Y$ are called acceptable by the device.
For example, the safety properties of the buffer in Fig. 1(a) can be represented by a process over $\mathcal{U}^*$, where $\mathcal{U} \supseteq \{a, b\}$. Refer to the finite automaton of Fig. 1(d), where the initial state is indicated by an incoming arrow; such automata are formally defined later. Execution $abab$ is legal for both the device and the environment; thus it is a goal. Execution $abb$ should be avoided by the device; thus it is an error. So is execution $abba$,since the second $b$ is the fault of the device. Hazards, i.e., situations where an output transition is enabled and then disabled before being completed, are sometimes considered undesirable, since, as in Fig. 1(c), they may generate signal maxima or minima at intermediate voltages. If hazards are undesirable, execution $aa$ should be avoided by the environment, to ensure that the enabled $b$ transition is completed. Accordingly, execution $aa$ is a reject.
In process spaces, several operations and correctness conditions from concurrency theory become elementary set operations, as in the definition below.

Definition 5. For processes $p = (X, Y)$, $p' = (X', Y')$, and $p'' = (X'', Y'')$,
1. $p'' = p \times p'$, read $p''$ is the product of $p$ and $p'$, if $X'' = X \cap X'$ and $Y'' = (Y \cap Y') \cup \overline{X} \cup \overline{X'}$.
2. $p' = -p$, read $p'$ is the reflection of $p$, if $X' = Y$ and $Y' = X$.
3. $p$ is robust if $\overline{Y}$ is empty.
4. $p \sqsubseteq p'$, read $p'$ refines $p$, if $X \supseteq X'$ and $Y \subseteq Y'$.
Briefly, the motivation for these concepts is as follows. The product of $p$ and $p'$ represents the joint behavior of the devices of $p$ and $p'$. Reflection rewrites the process-environment contract to the environment point of view. A process is robust if it has no rejects, and thus requires no guarantees from the environment. Finally, refinement formalizes that process $p'$ is a ‘satisfactory substitute’ for process $p$: process $p'$ has fewer accessible executions and more acceptable executions than $p$. Equivalently, $p'$ has more errors and fewer rejects.
The following property links robustness and refinement, and is important for verification applications.

Proposition 1. For processes $p$ and $q$, $p \sqsubseteq q \Leftrightarrow -p \times q$ is robust.
If its execution languages are regular, a process can be represented as a finite automaton, as follows.

Definition 6. A process automaton is a tuple $P = \langle A, Q_r, Q_g, Q_e \rangle$ consisting of an action automaton $A = \langle \Sigma, Q, I, E \rangle$ and three subsets of $Q$, where
1. $\Sigma$ is a finite subset of $\mathcal{U}$.
2. $Q_r$, $Q_g$, and $Q_e$, whose elements are called rejects, goals, and errors, respectively, are mutually disjoint.
3. $Q = Q_r \cup Q_g \cup Q_e$.
4. For each $q \in Q$ and $\sigma \in \Sigma$, there exists $q' \in Q$ such that $(q, \sigma, q') \in E$.
A process automaton is said to be deterministic if its action automaton is deterministic. We normally work with deterministic process automata. Nondeterministic process automata arise, for instance, as a result of hiding internal actions, but in those cases we prefer to determinize them before performing any other operations. From now on we use only deterministic process automata. Nondeterminism is treated in [14].
Each word from $\Sigma^*$ represents a possible sequence of process actions. We want to classify each such sequence of actions as being a reject, a goal, or an error for the process. For this reason, we included the fourth property (completeness) in the definition above. Now every word from $\Sigma^*$ is spelled by some initialized path that terminates in $Q_r$, $Q_g$, or $Q_e$.

Notice that the words spelled by the paths of an automaton have actions only from $\Sigma$, whereas our processes are over $\mathcal{U}^*$. We resolve this mismatch by labelling an arbitrary word a reject, goal, or error if its projection on $\Sigma$ is a reject, goal, or error, respectively.
Denition 7. With each process automaton P= hh;Q; I; Ei; Qr ; Qg; Qei we associate a
process prP=(X; Y ) as follows. For every word w2U,
1. If the initialized path spelling w # in A ends in Qg or Qr , then w2X .
2. If the initialized path spelling w # in A ends in Qr , then w2Y .
Fig. 2. Example for robustness.
Fig. 3. Example for refinement.

For example, the process automaton in Fig. 1(d) represents the buffer process discussed previously.
Denition 8. Corresponding to the properties and operations of processes given in
Denition 5, we dene the following concepts for process automata.
1. The product of two process automata P1 = hA1; Q1r ; Q1g ; Q1ei and P2 = hA2; Q2r ; Q2g ;
Q2e i is a process automaton P1P2 = hA; Qr ; Qg; Qei such that
(a) A=A1A2.
(b) (q1; q2)2Qr if and only if q1 2Q1r ^ q2 2Q2r or q1 2Q1r ^ q2 2Q2g or q1 2Q1g ^
q2 2Q2r .
(c) (q1; q2)2Qg if and only if q1 2Q1g ^ q2 2Q2g .
(d) (q1; q2)2Qe if and only if q1 2Q1e or q2 2Q2e .
2. Reection swaps Qr and Qe; thus, −P= hA; Qe; Qg; Qri.
3. Process automaton P= hA; Qr ; Qg; Qei is robust if no state from Qr is on an ini-
tialized path.
4. Renement is a binary relationship v on process automata such that P1vP2 if
and only if −P1P2 is robust.
The automaton in Fig. 1(d) is not robust, since its reject state can be reached by, say, $aa$. A robust process for the buffer, this time ignoring hazards as ‘inertial’ models do, is represented in Fig. 2. There, none of the reachable states is a reject. In particular, the second $a$ in $aa$ cancels the first $a$ by leading back to the initial state, a goal state.

The process automaton $P'$ in Fig. 3 is yet another possible process for the buffer, which forbids stopping after $a$, since the device is supposed to respond by $b$. The state to which $a$ leads is an error, making it illegal for the buffer device to complete its operation by stopping there. One can verify that $P \sqsubseteq P'$. Since $P'$ has more errors, it is more determinate and more constrained than $P$. On the other hand, since $a$ is accessible for $P$ but not for $P'$, $P$ does not refine $P'$. Informally, $P$ has the option of stopping after $a$, but $P'$ does not allow this.
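The operations of Definition 8, built on the product of Definition 3, as an added worked example in Python; this is not code from the paper or from the FIREMAPS tool. States are kept as explicit Python sets rather than BDDs, robustness is decided by a breadth-first reachability search that also returns a witness word, and refinement is checked as robustness of $-P_1 \times P_2$. The three buffer automata are constructed from the text's description of Fig. 1(d), Fig. 2 and Fig. 3; their exact shapes are assumptions.

```python
from collections import deque

REJECT, GOAL, ERROR = "reject", "goal", "error"

class ProcessAutomaton:
    """Deterministic, complete process automaton <<Sigma, Q, {init}, E>, Qr, Qg, Qe>
    (Definition 6): delta maps (state, action) to the next state for every action."""
    def __init__(self, alphabet, init, delta, kind):
        self.alphabet, self.init = frozenset(alphabet), init
        self.delta, self.kind = dict(delta), dict(kind)   # kind: state -> REJECT/GOAL/ERROR
        for q in self.kind:
            for a in self.alphabet:
                assert (q, a) in self.delta, f"not complete at ({q}, {a})"

    def classify(self, word):
        """Project the word on Sigma, run it, and report the kind of the final state."""
        q = self.init
        for a in word:
            if a in self.alphabet:
                q = self.delta[(q, a)]
        return self.kind[q]

def product(p1, p2):
    """Definition 8(1): an action outside one factor's alphabet leaves that factor in
    place (the self-loops of Definition 3); state kinds combine as in 8(1)(b)-(d)."""
    alphabet = p1.alphabet | p2.alphabet
    step = lambda p, q, a: p.delta[(q, a)] if a in p.alphabet else q
    def combine(k1, k2):
        if ERROR in (k1, k2):
            return ERROR
        return GOAL if k1 == k2 == GOAL else REJECT
    delta, kind = {}, {}
    for q1 in p1.kind:
        for q2 in p2.kind:
            kind[(q1, q2)] = combine(p1.kind[q1], p2.kind[q2])
            for a in alphabet:
                delta[((q1, q2), a)] = (step(p1, q1, a), step(p2, q2, a))
    return ProcessAutomaton(alphabet, (p1.init, p2.init), delta, kind)

def reflect(p):
    """Definition 8(2): swap rejects and errors (the environment's side of the contract)."""
    swap = {REJECT: ERROR, ERROR: REJECT, GOAL: GOAL}
    return ProcessAutomaton(p.alphabet, p.init, p.delta, {q: swap[k] for q, k in p.kind.items()})

def reject_execution(p):
    """Explicit-state reachability: a shortest word reaching a reject state, or None."""
    word, queue = {p.init: ""}, deque([p.init])
    while queue:
        q = queue.popleft()
        if p.kind[q] == REJECT:
            return word[q]
        for a in sorted(p.alphabet):
            nxt = p.delta[(q, a)]
            if nxt not in word:
                word[nxt] = word[q] + a
                queue.append(nxt)
    return None

def is_robust(p):
    """Definition 8(3): no reject state lies on an initialized path."""
    return reject_execution(p) is None

def refines(p1, p2):
    """Definition 8(4): P1 ⊑ P2 (P2 refines P1) iff -P1 x P2 is robust."""
    return is_robust(product(reflect(p1), p2))

def same_process(p1, p2):
    """Proposition 3: pr P1 = pr P2 iff every reachable product state pairs equal kinds."""
    prod = product(p1, p2)
    seen, todo = {prod.init}, [prod.init]
    while todo:
        q1, q2 = q = todo.pop()
        if p1.kind[q1] != p2.kind[q2]:
            return False
        for a in prod.alphabet:
            nxt = prod.delta[(q, a)]
            if nxt not in seen:
                seen.add(nxt); todo.append(nxt)
    return True

# Constructed buffer processes over {a, b}, modelled on the text's description of
# Fig. 1(d), Fig. 2 and Fig. 3 (assumed shapes, not the paper's figures).
ABSORB = lambda q: {(q, "a"): q, (q, "b"): q}
# Fig. 1(d)-style: a second a before the pending b is a hazard, hence a reject.
BUFFER_HAZARD = ProcessAutomaton("ab", "s0",
    {("s0", "a"): "s1", ("s0", "b"): "err", ("s1", "b"): "s0", ("s1", "a"): "rej",
     **ABSORB("err"), **ABSORB("rej")},
    {"s0": GOAL, "s1": GOAL, "err": ERROR, "rej": REJECT})
# Fig. 2-style (inertial): the second a cancels the first one, so nothing is rejected.
BUFFER_P = ProcessAutomaton("ab", "s0",
    {("s0", "a"): "s1", ("s0", "b"): "err", ("s1", "b"): "s0", ("s1", "a"): "s0", **ABSORB("err")},
    {"s0": GOAL, "s1": GOAL, "err": ERROR})
# Fig. 3-style P': stopping right after a is an error for the device.
BUFFER_P_PRIME = ProcessAutomaton("ab", "s0", BUFFER_P.delta,
    {"s0": GOAL, "s1": ERROR, "err": ERROR})

if __name__ == "__main__":
    print("reject witness for the hazard buffer:", reject_execution(BUFFER_HAZARD))
    print("P ⊑ P':", refines(BUFFER_P, BUFFER_P_PRIME), " P' ⊑ P:", refines(BUFFER_P_PRIME, BUFFER_P))
```

Running the block reproduces the text's verdicts: `aa` is the shortest reject execution of the hazard-sensitive buffer, `P ⊑ P'` holds, and `P' ⊑ P` fails because the product of `-P'` with `P` reaches the pair (reject, goal), which is a reject by Definition 8(1)(b).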
The process automaton operations correspond to process operations.
Proposition 2. For process automata $P_1$ and $P_2$,
1. $\mathrm{pr}(P_1 \times P_2) = \mathrm{pr}\,P_1 \times \mathrm{pr}\,P_2$.
2. $\mathrm{pr}(-P_1) = -(\mathrm{pr}\,P_1)$.
3. $\mathrm{pr}\,P_1$ is robust if and only if $P_1$ is robust.
4. $\mathrm{pr}\,P_1 \sqsubseteq \mathrm{pr}\,P_2$ if and only if $P_1 \sqsubseteq P_2$.
Process equality induces an equivalence relationship on process automata.

Proposition 3. For process automata $P_1$ and $P_2$, $\mathrm{pr}\,P_1 = \mathrm{pr}\,P_2$ if and only if every state $(q_1, q_2)$ of $P_1 \times P_2$ that appears on an initialized path satisfies $q_1 \in Q^1_r \wedge q_2 \in Q^2_r$ or $q_1 \in Q^1_g \wedge q_2 \in Q^2_g$ or $q_1 \in Q^1_e \wedge q_2 \in Q^2_e$.
3. BDD implementation of process automata
Process automata and the operations mentioned in Section 2 are implemented in a BDD-based tool called FIREMAPS (for finitary and regular manipulation of processes and systems) [11]. Several other operations on process automata are also implemented in FIREMAPS, most notably minimization, determinization, and operations for projecting a process automaton on an alphabet and for hiding internal actions.
Binary decision diagrams (BDDs) are graph-based data structures for representing Boolean functions [3]. BDDs allow for greater average-case efficiency of the Boolean operations than do the traditional representations of Boolean functions. The tool uses a BDD library [2] which offers the basic routines for manipulating large Boolean functions.
The standard BDDs, used in FIREMAPS, express Boolean functions of the form $f : \{0,1\}^V \to \{0,1\}$, where $V$ is a finite set, whose elements are referred to as Boolean variables. A valuation for $V$ is a function $x : V \to \{0,1\}$, which gives a Boolean value to each variable. A valuation can be regarded as a binary vector with $|V|$ bits, where $|\cdot|$ denotes the cardinality of a set. The set of all possible valuations for $V$ is denoted as $\{0,1\}^V$.
To manipulate process automata by Boolean functions, we encode the actions, states, and edges as binary vectors over some of the Boolean variables available, and we represent the finite sets of actions, states, and edges by characteristic functions of sets of binary vectors. Let us formalize this BDD representation, following loosely the treatment of symbolic analysis in [4]. Given a finite set $D$, we encode it by an injective function $\gamma_D : D \to \{0,1\}^{W_D}$, where $W_D \subseteq V$. Under this encoding, the set $D$ is represented by a function $\chi_D : \{0,1\}^V \to \{0,1\}$ such that $\chi_D(x) = 1$ if and only if the components of $x$ corresponding to $W_D$ are the code-word of an element of $D$.

Notice that the function $\chi_D$ depends only on the variables in $W_D$. However, we defined $\chi_D$ over all variables in $V$ rather than just $W_D$ for two reasons: to follow closely the BDD implementation, and because we need conjunctions or disjunctions of functions that may depend on different variable sets.
In FIREMAPS, all actions are encoded over a set $W_{\mathcal{U}}$ of Boolean variables. Alphabets are represented by the corresponding characteristic functions.

The states of a process automaton $\langle \langle \Sigma, Q, I, E \rangle, Q_r, Q_g, Q_e \rangle$ are represented over a set $W_Q$ of variables, where $2^{|W_Q|} > |Q|$ and $W_Q$ is disjoint from $W_{\mathcal{U}}$. To each process automaton, we associate functions for $Q$, $I$, $Q_r \cup Q_g$, and $Q_e \cup Q_g$, all these functions being from $\{0,1\}^{W_Q}$ to $\{0,1\}$.
The edge set of a process automaton is a subset of $Q \times \mathcal{U} \times Q$. The edges are represented over the variable set $W_Q \cup W_{\mathcal{U}} \cup W'_Q$ where the variables in $W'_Q$ encode the ‘next state’, those in $W_Q$ encode the ‘current state’, and those in $W_{\mathcal{U}}$ encode the action of an edge. The set $W'_Q$ is disjoint from $W_Q$ and $W_{\mathcal{U}}$, and there is a bijective function $s : W_Q \to W'_Q$ that defines the ‘next state’ encoding as the valuation $\gamma'_Q : Q \to \{0,1\}^{W'_Q}$ that satisfies $\forall q \in Q, v \in W_Q : (\gamma'_Q(q))(s(v)) = (\gamma_Q(q))(v)$.
The product operation is implemented as follows. If $P_1$ and $P_2$ are the operands and $P$ is the result, then
1. $\chi_\Sigma = \chi_{\Sigma_1} \vee \chi_{\Sigma_2}$.
2. $\forall v \in W_{Q_1} : s(v) = s_1(v)$ and $\forall v \in W_{Q_2} : s(v) = s_2(v)$.
3. $\chi_Q = \chi_{Q_1} \wedge \chi_{Q_2}$.
4. $\chi_I = \chi_{I_1} \wedge \chi_{I_2}$.
5. $\chi_E = \chi_{E_1} \wedge \chi_{E_2}$.
6. $\chi_{Q_r \cup Q_g} = \chi_{Q^1_r \cup Q^1_g} \wedge \chi_{Q^2_r \cup Q^2_g}$.
7. $\chi_{Q_e \cup Q_g} = (\chi_{Q^1_e \cup Q^1_g} \wedge \chi_{Q^2_e \cup Q^2_g}) \vee \neg \chi_{Q^1_r \cup Q^1_g} \vee \neg \chi_{Q^2_r \cup Q^2_g}$.

This implementation of product follows the definition straightforwardly, except that the sets of state variables of $P_1$ and $P_2$ are not necessarily disjoint.
Sharing of state variables among different process automata can provide substantial savings, but requires certain compatibility conditions among the process automata involved and among their Boolean function representations. We do not go deeper into this issue, but we note that the product automaton is compatible in this sense with the factors, justifying the variable sharing among the product and the factors. The same holds for the result and the operand of reflection.

Reflection is implemented by simply swapping the functions for $Q_r \cup Q_g$ and $Q_e \cup Q_g$.
Robustness is verified by reachability analysis, which checks whether any reject state is reachable from the initial states. For variable set $U \subseteq V$ and for function $\varphi : \{0,1\}^V \to \{0,1\}$, we use the notation $(\exists U : \varphi)$ for the function $\varphi'(y) = (\exists y' \in \{0,1\}^V : \varphi(y') \wedge (y'|_{V \setminus U} = y|_{V \setminus U}))$, where $|$ is domain restriction; and, for variable set $U' \subseteq V$ and bijective function $s : U \to U'$ we use the notation $\varphi[s]$ for the function obtained by simultaneously substituting in $\varphi$ the variables from $U$ by their images through $s$. For process automaton $\langle \langle \Sigma, Q, I, E \rangle, Q_r, Q_g, Q_e \rangle$, let $R$ denote the set of states currently reached, and let $F$ denote the edge set without the action information, i.e., $F = \{(q, q') \mid \exists a \in \mathcal{U} : (q, a, q') \in E\}$. The reachability analysis algorithm is roughly as follows:
1. $\chi_F = (\exists W_{\mathcal{U}} : \chi_E)$
2. $\chi_R = \chi_I$
3. repeat
4. if $(\chi_R \wedge \chi_{Q_r} \neq 0)$ then stop, NOT ROBUST
5. $\chi_R := \chi_R \vee [s^{-1}](\exists W_Q : \chi_R \wedge \chi_F)$
6. until (no change in $\chi_R$)
7. stop, ROBUST
For process automata $P_1$ and $P_2$, we check refinement by checking robustness of $-P_1 \times P_2$. Thus refinement is also checked by reachability analysis.

With minor modifications, the algorithm above can be used to find and return a reject execution for a process, if that process is not robust.
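The symbolic reachability loop above, as an added example that is not the FIREMAPS implementation: Boolean functions over $V$ are represented by their sets of satisfying valuations (a stand-in for BDDs, with $\wedge$ and $\vee$ as set intersection and union), and the quantification $(\exists U : \varphi)$ and the substitution $\varphi[s]$ are written out explicitly so that steps 1–7 can be followed one by one. The variable order, the state and action codes, and the two three-state process automata are constructed for this example.

```python
from itertools import product as valuations

# Constructed variable order (an assumption for this example): current-state bits W_Q,
# action bits W_U and next-state bits W_Q'; V is their union.
WQ, WU, WQP = ("q0", "q1"), ("u0",), ("q0'", "q1'")
V = WQ + WU + WQP
IDX = {v: i for i, v in enumerate(V)}
S = dict(zip(WQ, WQP))                        # bijection s : W_Q -> W_Q'
S_INV = {v_next: v for v, v_next in S.items()}
ALL = frozenset(valuations((0, 1), repeat=len(V)))   # {0,1}^V

# A Boolean function over V is the frozenset of the valuations it maps to 1:
# conjunction is &, disjunction is |, and "f != 0" is bool(f).
def char(partial_assignments):
    """Characteristic function of a set of code-words: every full valuation that
    agrees with at least one of the partial assignments ({variable: bit} dicts)."""
    return frozenset(x for x in ALL
                     if any(all(x[IDX[v]] == b for v, b in part.items())
                            for part in partial_assignments))

def exists(U, f):
    """(exists U : f): x satisfies the result iff some valuation agreeing with x
    outside U satisfies f."""
    keep = [IDX[v] for v in V if v not in U]
    images = {tuple(x[i] for i in keep) for x in f}
    return frozenset(x for x in ALL if tuple(x[i] for i in keep) in images)

def substitute(f, s):
    """f[s]: replace each variable u in dom(s) by s(u), i.e. f[s](x) = f(y) with
    y(u) = x(s(u)) for u in dom(s) and y(v) = x(v) for every other variable."""
    result = set()
    for x in ALL:
        y = list(x)
        for u, su in s.items():
            y[IDX[u]] = x[IDX[su]]
        if tuple(y) in f:
            result.add(x)
    return frozenset(result)

# Constructed three-state process automaton over {a, b}; the codes are assumptions.
STATE_CODE = {"s0": (0, 0), "s1": (0, 1), "s2": (1, 0)}
ACTION_CODE = {"a": (0,), "b": (1,)}

def encode_edges(delta):
    """chi_E over W_Q ∪ W_U ∪ W_Q' for a transition table {(state, action): state}."""
    parts = [{**dict(zip(WQ, STATE_CODE[q])), **dict(zip(WU, ACTION_CODE[a])),
              **dict(zip(WQP, STATE_CODE[q_next]))} for (q, a), q_next in delta.items()]
    return char(parts)

def encode_states(states):
    """Characteristic function over W_Q of a set of states."""
    return char([dict(zip(WQ, STATE_CODE[q])) for q in states])

def decode_states(f):
    """Names of the states whose code-word satisfies f (f must depend on W_Q only)."""
    codes = {tuple(x[IDX[v]] for v in WQ) for x in f}
    return {q for q, code in STATE_CODE.items() if code in codes}

def symbolic_reachability(delta, initial, rejects):
    """Steps 1-7 of the text's algorithm. Returns (robust, names of reached states)."""
    F = exists(WU, encode_edges(delta))          # 1. drop the action information
    R = encode_states(initial)                   # 2. start from the initial states
    Qr = encode_states(rejects)
    while True:
        if R & Qr:                               # 4. a reject state is reached
            return False, decode_states(R)
        R_next = R | substitute(exists(WQ, R & F), S_INV)   # 5. successors, renamed to W_Q
        if R_next == R:                          # 6. no change: fixed point
            return True, decode_states(R)        # 7. ROBUST
        R = R_next

DELTA_HAZARD = {("s0", "a"): "s1", ("s0", "b"): "s0", ("s1", "b"): "s0", ("s1", "a"): "s2",
                ("s2", "a"): "s2", ("s2", "b"): "s2"}        # s2 is the reject state
DELTA_SAFE = {**DELTA_HAZARD, ("s1", "a"): "s0"}             # the second a leads back instead

if __name__ == "__main__":
    print(symbolic_reachability(DELTA_HAZARD, ["s0"], ["s2"]))
    print(symbolic_reachability(DELTA_SAFE, ["s0"], ["s2"]))
```

Every function above is total over $\{0,1\}^V$, as in the text's treatment of $\chi_D$: a function that depends only on $W_Q$ is still stored with all combinations of the other bits, which is what makes $\chi_R \wedge \chi_F$ and the later $\exists W_Q$ well defined without any alignment of variable sets.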
4. Behavior automata
The present section is based on the work in [13, 14]. Liveness properties such as fairness and deadlock-freedom have been modeled traditionally by using explicit specifications of the infinite sequences of actions that may occur in a system. It has been considered that finitary specifications, consisting basically of the finite words that may occur in a system, are not sufficiently powerful for deciding liveness properties [1]. Without challenging the statements in [1], we argued in [14] that implicit liveness properties can be associated in a sensible manner to structures that consist of a finitary language and two alphabets. We also proposed a relative liveness condition whose verdict is uniquely determined by the finitary structures involved. If the language is regular, such a structure can be represented by a finite automaton, called a behavior automaton, and the condition can be checked directly on the automata. We have implemented the test for our liveness condition in an experimental tool, called ACUTE (for automaton checks using transition enablings).
Denition 9. A trace structure is a triple hI; O; Li consisting of two disjoint sets I
and O, called the sets of input and output actions, respectively, and a prex-closed,
non-empty language L of nite words from (I [O).
For the formal treatment, we make explicit the liveness properties of a trace structure by associating a language of finite and infinite sequences of actions to such a structure.

Definition 10. For trace structure $\langle I, O, L \rangle$, word $u$ from $L$, and action $a$ from $(I \cup O)$, $u$ enables $a$ if $ua \in L$. An output trap is either
1. a (finite) word $u \in L$ that enables no output, or
2. an infinite sequence $e$ of actions from $I \cup O$ such that every (finite) prefix of $e$ is in $L$, and any output that is enabled by infinitely many prefixes of $e$ also appears infinitely many times in $e$.
We want to capture the following intuitive concepts of violation of liveness. First consider a finite sequence $u$ in the language $L_1$ of a trace structure $T^1 = \langle \Sigma^1_I, \Sigma^1_O, L_1 \rangle$ representing the specification of a process. If $a$ is an output of the process, and $ua$ is in $L_1$, then $a$ is enabled in $T^1$ after $u$, i.e., output $a$ is expected after $u$. Suppose trace structure $T^2 = \langle \Sigma^2_I, \Sigma^2_O, L_2 \rangle$ represents a proposed implementation of $T^1$. Suppose further that $u$ is in $L_2$, but $ua$ is not. Then, normally, $T^2$ is not a good implementation of $T^1$, because $a$ is not produced after $u$, as required by $T^1$. Secondly, consider again a specification $T^1 = \langle \Sigma^1_I, \Sigma^1_O, L_1 \rangle$ and an infinite sequence $e$ over $(\Sigma^1_I \cup \Sigma^1_O)$ in which infinitely many prefixes $u$ enable an output $a$, in the sense that $ua \in L_1$. This enabling creates a ‘pressure’ on the process to produce output $a$, and the pressure can be ‘relieved’ only if $a$ appears infinitely many times in $e$. Suppose, however, that in the implementation $T^2 = \langle \Sigma^2_I, \Sigma^2_O, L_2 \rangle$ only finitely many, possibly zero, prefixes of $e$ enable $a$, but $e$ has all its prefixes in $L_2$. Since no pressure builds up for $a$, the implementation is not under any obligation to deliver $a$ infinitely many times. As a result, the pressure apparent in the specification is not relieved and the specification is ‘starved’ for $a$. This is also a violation of liveness. More details are given in [13].

Formally, our liveness condition, called traplock-freedom, is a relative condition comparing two trace structures. Some examples will be discussed later.
Denition 11. For trace structures T 1 = h1I ; 1O; L1i and T 2 = h2I ; 2O; L2i, we have
T 1vtf T 2, read T 2 is traplock-free for T 1, if for every nite or innite sequence e of
actions from 1I [1O [2I [2O that satises
1. e # (2I [2O) is an output trap for T 2, and
2. every prex of e # (1I [1O) is in L1,
we have that
e # (1I [1O) is also an output trap for T 1:
Next we define automata for representing trace structures whose languages are regular.

Definition 12. A behavior automaton is a triple $B = \langle A, \Sigma_I, \Sigma_O \rangle$ consisting of an action automaton $A = \langle \Sigma, Q, I, E \rangle$ and two subsets $\Sigma_I$ and $\Sigma_O$ of $\Sigma$, where
1. $\Sigma_I \cap \Sigma_O = \emptyset$.
2. $\Sigma_I \cup \Sigma_O = \Sigma$.
3. $A$ is deterministic.

With each behavior automaton $B = \langle A, \Sigma_I, \Sigma_O \rangle$ we associate a trace structure $\mathrm{tr}\,B = \langle \Sigma_I, \Sigma_O, L \rangle$, where $L$ is the language of $A$.
A liveness condition is also defined on behavior automata.

Definition 13. The composite of two behavior automata $B_1 = \langle A_1, \Sigma^1_I, \Sigma^1_O \rangle$ and $B_2 = \langle A_2, \Sigma^2_I, \Sigma^2_O \rangle$ is the behavior automaton $B = \langle A, \Sigma_I, \Sigma_O \rangle$ where $A = \langle \Sigma, Q, I, E \rangle$ and
1. $A = A_1 \times A_2$.
2. $\Sigma_I = (\Sigma^1_I \cup \Sigma^2_I) \setminus (\Sigma^1_O \cup \Sigma^2_O)$.
3. $\Sigma_O = \Sigma^1_O \cup \Sigma^2_O$.
Fig. 4. Examples of knots corresponding to finite sequences.
Fig. 5. Example of knot corresponding to an infinite sequence.

The projection of a strongly connected subgraph $H$ of $B$ on $B_1$ is obtained by deleting the states of $B_2$ from the states and edges of $H$. The projection on $B_2$ is defined symmetrically.
For convenience, we identify inputs and outputs in a behavior automaton by appending ‘?’ and ‘!’, respectively.

A strongly connected subgraph of a behavior automaton is called a knot if it has at least one state and that state is on an initialized path. The states in boxes in Fig. 4 are knots corresponding to finite sequences in the usual manner. Some of the corresponding sequences are $\varepsilon$ and $ba$ for the left knot and $c$ and $babac$ for the right knot. The subgraph in the box in Fig. 5 is a knot corresponding to the infinite sequence $abab \ldots$.
A knot enables an action if that action is on an edge that leaves a state of the knot, and fires an action if that action is on an edge in the knot. A knot is an output trap if it fires all the actions that it enables. Several examples are given in Fig. 6. In the first row, the knot on the left is an output trap, since it fires $c$ and it enables no other output; the knot on the right is not an output trap, since it enables output $c$ but it does not fire it. In the second row, both knots enable $c$ but neither knot fires $c$. The left knot is an output trap because there $c$ is an input, but the right knot is not an output trap, since $c$ is an output.

For behavior automata $B_1$ and $B_2$, $B_2$ is traplock-free for $B_1$ if, for every knot $G$ in the composite of $B_1$ and $B_2$ such that the projection of $G$ on $B_2$ is an output trap in $B_2$, the projection of $G$ on $B_1$ is an output trap in $B_1$.
Fig. 6. Examples of output traps and knots that are not output traps.
Fig. 7. Traps and deadlock.
Fig. 8. Traps and unfairness.

Fig. 7 shows an example of deadlock as a violation of traplock-freedom. The automaton on the left represents a specification, and the automaton on the right an implementation. From the initial state, an internal action $c$ may occur on the right, stranding the implementation in the marked output trap, but leaving the specification in the initial state, which is not an output trap and thus is supposed to be left eventually. Fig. 8 shows an example of unfairness as a violation of traplock-freedom. Infinite sequence $adbababa \ldots$, corresponding to the trap on the right, projects on the specification alphabet as $abababa \ldots$, which is not a trap in the specification, since it is unfair to $c$. The corresponding specification knot, marked by a box, should be eventually left by firing $c$, but, as shown, this might not happen in the implementation.
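The knot-based check of traplock-freedom, as an added example in Python that is not the code of the ACUTE tool: it builds the composite of Definition 13 restricted to the states on initialized paths, computes the knots as strongly connected subgraphs (a single state counts, as for the finite sequences of Fig. 4), and applies the fires-all-it-enables test to the projection of each knot on both factors. The specification and implementation automata are constructed after the description of Fig. 7 (an internal output that deadlocks the implementation); their exact shapes are assumptions. Only enabled outputs are required to be fired, which is how the text reads the second row of Fig. 6.

```python
from collections import defaultdict

class BehaviorAutomaton:
    """Deterministic action automaton whose alphabet is split into inputs and outputs
    (Definition 12). Edges are (state, action, next state) triples."""
    def __init__(self, init, edges, inputs, outputs):
        self.init, self.inputs, self.outputs = init, frozenset(inputs), frozenset(outputs)
        assert not (self.inputs & self.outputs), "inputs and outputs must be disjoint"
        self.alphabet = self.inputs | self.outputs
        self.delta = {}
        for q, a, q_next in edges:
            assert a in self.alphabet and (q, a) not in self.delta, "not deterministic"
            self.delta[(q, a)] = q_next

def composite(b1, b2):
    """Definition 13 on the initialized part: the action automata are multiplied as in
    Definition 3 (an action outside one alphabet leaves that side in place), outputs
    are pooled, and an input remains an input only if neither side outputs it."""
    def step(b, q, a):
        return q if a not in b.alphabet else b.delta.get((q, a))
    init = (b1.init, b2.init)
    edges, seen, todo = [], {init}, [init]
    while todo:
        q1, q2 = todo.pop()
        for a in b1.alphabet | b2.alphabet:
            n1, n2 = step(b1, q1, a), step(b2, q2, a)
            if n1 is None or n2 is None:
                continue                       # a shared action one side cannot take
            edges.append(((q1, q2), a, (n1, n2)))
            if (n1, n2) not in seen:
                seen.add((n1, n2)); todo.append((n1, n2))
    outputs = b1.outputs | b2.outputs
    return BehaviorAutomaton(init, edges, (b1.inputs | b2.inputs) - outputs, outputs)

def knots(b):
    """Strongly connected subgraphs (a single state counts) of the states on
    initialized paths, as frozensets of states."""
    succ = defaultdict(set)
    for (q, a), q_next in b.delta.items():
        succ[q].add(q_next)
    def reach(q):
        seen, todo = {q}, [q]
        while todo:
            for y in succ[todo.pop()]:
                if y not in seen:
                    seen.add(y); todo.append(y)
        return seen
    reachable = reach(b.init)
    reach_of = {q: reach(q) for q in reachable}
    result, done = [], set()
    for q in reachable:
        if q not in done:
            scc = frozenset(p for p in reach_of[q] if q in reach_of[p])
            done |= scc
            result.append(scc)
    return result

def is_output_trap(b, states, fired):
    """A projected knot is an output trap if every output enabled at its states
    (an edge of b leaving one of them) is among the actions fired inside the knot."""
    enabled = {a for (q, a) in b.delta if q in states}
    return (enabled & b.outputs) <= fired

def traplock_free(spec, impl):
    """impl is traplock-free for spec: every knot of the composite whose projection on
    impl is an output trap projects on spec to an output trap too. Returns (verdict,
    offending knot or None)."""
    comp = composite(spec, impl)
    for knot in knots(comp):
        inside = {a for (q, a), q_next in comp.delta.items() if q in knot and q_next in knot}
        states_spec, fired_spec = {q[0] for q in knot}, inside & spec.alphabet
        states_impl, fired_impl = {q[1] for q in knot}, inside & impl.alphabet
        if is_output_trap(impl, states_impl, fired_impl) and \
           not is_output_trap(spec, states_spec, fired_spec):
            return False, knot
    return True, None

# Constructed example in the spirit of Fig. 7 (assumed shapes, not the paper's figures):
# the specification alternates output a! and input b?; the implementation may instead
# emit an internal output c! and then stop.
SPEC = BehaviorAutomaton("s0", [("s0", "a", "s1"), ("s1", "b", "s0")],
                         inputs={"b"}, outputs={"a"})
IMPL = BehaviorAutomaton("t0", [("t0", "a", "t1"), ("t1", "b", "t0"), ("t0", "c", "t2")],
                         inputs={"b"}, outputs={"a", "c"})

if __name__ == "__main__":
    print(traplock_free(SPEC, IMPL))   # the knot {(s0, t2)} is a trap for IMPL only
    print(traplock_free(SPEC, SPEC))
```

The offending knot returned for `SPEC` versus `IMPL` is the single composite state reached by `c`: its projection on the implementation enables nothing, so it is an output trap there, while its projection on the specification still enables `a!` without firing it, which is the deadlock of Fig. 7. Swapping the roles (`traplock_free(IMPL, SPEC)`) also fails, this time on the infinite `abab...` knot, where the implementation side keeps enabling `c!` without ever firing it, the starvation pattern of Fig. 8.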
The two definitions of our liveness condition are related as follows.

Theorem 1. For behavior automata $B_1$ and $B_2$, $B_2$ is traplock-free for $B_1$ if and only if $\mathrm{tr}\,B_2$ is traplock-free for $\mathrm{tr}\,B_1$.
It follows from the theorem that the information needed to decide traplock-freedom on behavior automata is contained in their finitary trace structures. For classes of systems in which the implicit liveness properties are appropriate, the users need not specify explicitly the infinite sequences of actions that may occur in their systems. It suffices to provide the input and output alphabets and the languages of finite words that may occur in such systems. This way we specify liveness properties implicitly.
5. Delay-insensitivity of asynchronous networks
This section follows closely the work in [4, 5, 18]. We study asynchronous sequential networks consisting of sets of modules interconnected by wires. Modules have binary inputs and outputs and, normally, have binary internal state variables. To hide the details of the internal design of a module, however, we represent its internal state by a single multivalued variable.
Denition 14. A module is a sequential machine M = hS;X; y;Z; ; i, where
1. S is a nite, nonempty set of module internal states.
2. X= fx1; : : : ; xmg, m>0, is a nite set of module input variables; also, x=(x1; : : : ; xm)
is the m-tuple of module input variables.
3. y is the module internal state variable.
4. Z=fz1; : : : ; zpg, p>0, is a nite set of module output variables; also, z=(z1; : : : ; zp)
is the p-tuple of module output variables.
5.  is the module excitation function,  : f0; 1gmS! 2S − f;g, and for any a2
f0; 1gm and b2S, either (a; b)= fbg or b 62 (a; b).
6. =(1; : : : ; p) is the module output function,  :S!f0; 1gp.
With each module we associate a directed graph, the module graph defined below. The vertices of this graph are of three types: there are $m$ input vertices, one internal state vertex, and $p$ output vertices. For convenience, we identify these vertices with their corresponding module variables. Thus $G = \langle V, E \rangle$, where
1. $V = X \cup \{y\} \cup Z$ is the set of module vertices, and
2. $E = (X \times \{y\}) \cup (\{y\} \times Z)$ is the set of module edges.
The denition above permits us to represent arbitrary nondeterministic sequential
machines of the Moore type [9]. Examples of such machines are delays, inverters,
forks, arbitrary m-input=n-output logic gates, latches, counters, C-elements, and arbiters.
A collection of such modules can be connected by wires to form a network, as dened
below. In the sequel, dierent modules are distinguished by superscripts.
Denition 15. A network is a pair N = hM; Gi, where
1. M= fM 1; : : : ; M ng; n>1, is a set of modules.
2. G= hV;Ei is a connected directed graph, the network graph, where
(a) V=
Sn
i=1V
i is the set of network vertices.
J.A. Brzozowski, R. Negulescu / Theoretical Computer Science 231 (2000) 113{128 125
Fig. 9. A network.
(b) E is the set of network edges, such that
(i) ESni=1 Ei and E (
Sn
i=1Z
iSni=1Xi)[
Sn
i=1 E
i,
(ii) for each module input vertex x2V, there exists exactly one module output
vertex z 2V such that (z; x)2E,
(iii) for each module output vertex z 2V, there exists exactly one module input
vertex x2V such that (z; x)2E.
We denote the set of network edges that are not internal module edges by $K$, and refer to these edges as connections. An example of a network is given in Fig. 9, showing the modules, connections, and module variables.

The set of state variables of the network $N$ is $Y = \{y^1, \ldots, y^n\}$. The set of states of $N$ is $S = S^1 \times \cdots \times S^n$. If $s \in S$, the $i$th component of $s$ is denoted by $s_i$.
Let $y^i \in Y$. The network excitation function $\Delta_i : S \to 2^{S^i} - \{\emptyset\}$ of $y^i$ is the module excitation function $\delta^i$ of $M^i$ with arguments changed as follows. If $(z^h_k, x^i_l)$ is a connection, then the $l$th input argument of $\delta^i$ is $\lambda^h_k(y^h)$. Since $\lambda^h$ depends solely on $y^h$, the excitation function $\Delta_i$ becomes a function of $y^h$. For $y^i \in Y$ and $s \in S$, the excitation of $y^i$ in state $s$ is denoted by $S_i$, and is defined to be $S_i = \Delta_i(s)$. A state $s$ is stable if $S_i = \{s_i\}$ for all $i$; otherwise, $s$ is unstable. We denote the set of unstable state variables in state $s$ by
$U(s) = \{ y^i \in Y \mid S_i \neq \{s_i\} \}$.
When a network is in a given state $s = (s_1, \ldots, s_n)$ and has some unstable variables, any one of the unstable variables may change to any module state in its excitation. The state $t$ so reached is a possible next state of the network. Under these conditions we say that $sRt$, i.e., $s$ is related to $t$ by the binary relation $R$ on $S$. This relation is known as the general single-winner relation GSW [4].

We now define the behavior of a network. It is usually assumed that each of the modules in the network has a single initial state.
Denition 16. The network automaton of a network N is an action automaton N=
h;Q; I; Ei, where
1. =Y, i.e., the actions are the module variables.
2. Q=S is the set of network states.
126 J.A. Brzozowski, R. Negulescu / Theoretical Computer Science 231 (2000) 113{128
Fig. 10. Network automaton.
3. I is a singleton set, the ordered tuple of the initial states of the modules.
4. E is derived from the GSW relation R as follows: If sRt and the variable in which
s and t dier is y i, then (s; y i; t)2E, and there are no other edges.
The network automaton for the network of Fig. 9 is shown in Fig. 10, where unstable
entries are shown in boldface type.
An important question in the theory of asynchronous circuits is the problem of sensitivity of network behaviors to delays in the modules and connecting wires [4, 5, 16–18]. In our formal model of a module, we have effectively associated a delay with each module. A module variable $y^i$ has a value $s_i$ in a given state $s$ of the network. If $y^i$ is unstable, then its excitation $S_i$ differs from $\{s_i\}$. According to our model, $y^i$ can change to a state in $S_i$ at any time, and this represents an arbitrary delay of the module. There are no delays associated with the module outputs, since the module state completely determines the values of the module outputs.
In some design styles, assumptions are made about the relative sizes of module delays; such designs improve efficiency, but are sensitive to delay fluctuations. If the correctness of the network behavior is independent of the module delays, then the network is called speed-independent. Connecting wires may also have appreciable delays. If the correctness of the network behavior is independent of the delays of the modules and wires, the network is called delay-insensitive.
In [5, 18] we take the following approach to the study of delay-insensitivity of
networks. We assume that we have a speed-independent network, i.e., a network whose
behavior, as defined in our model, is acceptable with respect to some specification. We
then wish to know whether this behavior is still acceptable in the presence of arbitrary
delays in the connecting wires. Note that, in our model, the connecting wires have no
delays. However, we can model wire delays by inserting (zero or more) delay modules
in each connection. A delay module has one binary input x, one binary output z and
one binary internal variable y. The excitation is always equal to the input, and the
output always agrees with y. Thus, the output always tries to follow the input, after
an arbitrary delay.
Suppose we have a network N and a network N̂ obtained from N by the insertion
of a number of delays in the connections of N. Then N̂ is called a delay-extension
of N. We need to compare the behaviors of N and N̂. Formally, N̂ has more state
variables, since each inserted delay module has a state variable. We 'project out' these
delay module variables, and then compare the state of the remaining variables with the
state of those of N. We consider N, started in a given state, to be delay-insensitive if
every delay-extension N̂, started in the corresponding state, is bisimilar [7] to N, after
the added delay variables have been projected out.
Testing whether a network is delay-insensitive according to our definition is an
infinite process, since there is an infinite number of delay extensions of any network.
Fortunately, there is an equivalent definition that requires only a finite test.
Let N be a network and 𝒩 its network automaton. A state s of 𝒩 is semi-modular
if, for all t ∈ S, if sRt and the variable in which s and t differ is y_i, then the excitations
S_j and T_j satisfy S_j ⊆ T_j, for all j ≠ i such that y_j ∈ U(s). In words, if y_i changes,
causing a transition from state s to state t, and y_j, j ≠ i, is unstable in state s and can
change to the value v_j, then y_j should still be unstable in state t, and should still be
able to change to v_j. Thus a transition that is enabled for y_j cannot be disabled by a
transition on another variable y_i. A network automaton 𝒩 is semi-modular if each of
its states is semi-modular.
Two modules in a network are adjacent if the output of one module is connected to
the input of the second module. A network is delay-dense if, in every pair of adjacent
modules, one module is a delay module. We can make any network delay-dense by
inserting one delay module in each connection of the network. Obviously, delay-dense
networks are appropriate models for the study of delay-insensitivity in asynchronous
circuits.
The following theorem [5] relates delay-insensitivity and semi-modularity.
Theorem 2. A delay-dense network N is delay-insensitive iff its network automaton
𝒩 is semi-modular.
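As an added illustration, not code from the paper, the following Python builds the GSW edges of a small binary network (sRt when s and t differ in exactly one unstable variable y_i and the new value lies in S_i) and reports every state that violates the semi-modularity condition S_j ⊆ T_j above. The definition ranges over all network states; the optional init argument restricts the check to the states reachable from a given initial state. Both networks (a pair of cross-coupled inverters and a delay-dense delay chain) are constructed examples.

```python
from itertools import product

def network_automaton(exc, n, init=None):
    """GSW edges (s, i, t) of a network of n binary module variables.
    exc(s) returns the tuple (S_1, ..., S_n) of excitations, each a set of
    values. If init is given, only states reachable from init are explored;
    with init=None every state in S is examined, as in the definition."""
    todo = [init] if init is not None else list(product((0, 1), repeat=n))
    states, edges = set(), []
    while todo:
        s = todo.pop()
        if s in states:
            continue
        states.add(s)
        S = exc(s)
        for i in range(n):
            if S[i] != {s[i]}:              # y_i is unstable in s
                for v in S[i] - {s[i]}:     # GSW: y_i moves to a value in S_i
                    t = s[:i] + (v,) + s[i + 1:]
                    edges.append((s, i, t))
                    todo.append(t)
    return states, edges

def semi_modular_violations(exc, n, init=None):
    """Triples (s, i, j): the change of y_i from s disables or narrows the
    enabled transition of y_j, i.e. S_j is not a subset of T_j."""
    _, edges = network_automaton(exc, n, init)
    bad = []
    for s, i, t in edges:
        S, T = exc(s), exc(t)
        for j in range(n):
            if j != i and S[j] != {s[j]} and not S[j] <= T[j]:
                bad.append((s, i, j))
    return bad

# Constructed example 1: cross-coupled inverters, y1 = NOT y2 and y2 = NOT y1.
# From (0, 0) both variables are unstable and whichever wins disables the other.
def latch(s):
    y1, y2 = s
    return ({1 - y2}, {1 - y1})

# Constructed example 2: delay-dense chain, constant input 1 -> delay y1 -> delay y2.
def delay_chain(s):
    y1, y2 = s
    return ({1}, {y1})

if __name__ == "__main__":
    print(semi_modular_violations(latch, 2, (0, 0)))        # race: not semi-modular
    print(semi_modular_violations(delay_chain, 2, (0, 0)))  # []: semi-modular
```

With init=None the delay chain also reports the unreachable state (0, 1), where a stale y2 transition is cancelled by y1 changing, which shows why the choice of starting state matters for the test.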
6. Conclusions
We have described three applications of automaton theory to the theory of concurrent
processes and asynchronous circuits. These applications lead to new operations on
automata and their languages. These include testing for robustness and refinement in
process automata, for traplock-freedom in behavior automata, and for semi-modularity
in network automata. We have described formally a BDD-based implementation of
process automata and their operations in the verification tool FIREMAPS.
The results in Sections 2 and 3 have been applied to the verification of several
experimental asynchronous circuits; also see [8, 11–13, 15].
References
[1] D.L. Black, On the existence of delay-insensitive fair arbiters: trace theory and its limitations, Distributed
Computing 1 (1986) 205–225.
[2] K.S. Brace, R.L. Rudell, R.E. Bryant, Efficient implementation of a BDD package, Proc. 27th
ACM/IEEE Design Automation Conf., 1990, pp. 40–45.
[3] R.E. Bryant, Graph based algorithms for Boolean function manipulation, IEEE Trans. Comput. C-35
(1986) 677–691.
[4] J.A. Brzozowski, C.-J.H. Seger, Asynchronous Circuits, Springer-Verlag, 1995.
[5] J.A. Brzozowski, H. Zhang, Delay-insensitivity and semi-modularity, in: Formal Methods in System
Design, to appear. Also Research Report CS-97-11, Department of Computer Science, University of
Waterloo, Waterloo, Ontario, Canada, 1997.
[6] S. Eilenberg, Automata, Languages, and Machines, vol. A, Academic Press, New York, 1974.
[7] R. Milner, Communication and Concurrency, Prentice-Hall, Englewood Cliffs, NJ, 1989.
[8] C.E. Molnar, I.W. Jones, B. Coates, J. Lexau, A FIFO ring oscillator performance experiment, Proc.
Internat. Symp. on Advanced Research in Asynchronous Circuits and Systems, 1997.
[9] E.F. Moore, Gedanken experiments on sequential machines, Automata studies, Ann. Math. Studies 34
(1956) 129–153.
[10] R. Negulescu, Process spaces, Research Report CS-95-48, Department of Computer Science, University
of Waterloo, Waterloo, Ontario, Canada, 1995.
[11] R. Negulescu, A technique for finding and verifying speed-dependences in gate circuits, Proc.
ACM/IEEE Internat. Workshop on Timing Issues in the Specification and Synthesis of Digital Systems,
1997.
[12] R. Negulescu, Event-driven verification of switch-level correctness concerns, Proc. Internat. Conf. on
Application of Concurrency to System Design, 1998.
[13] R. Negulescu, Process spaces and formal verification of asynchronous circuits, Ph.D. Thesis,
Department of Computer Science, University of Waterloo, Waterloo, Ontario, Canada, 1998.
http://www.macs.ece.mcgill.ca/~radu/ps.html
[14] R. Negulescu, J.A. Brzozowski, Relative liveness: from intuition to automated verification, Formal
Methods System Des. 12 (1998) 73–115.
[15] R. Negulescu, A. Peeters, Verification of speed-dependences in single-rail handshake circuits, Proc.
Internat. Symp. on Advanced Research in Asynchronous Circuits and Systems, 1998.
[16] J.T. Udding, Classification and composition of delay-insensitive circuits, Ph.D. Thesis, Department
of Mathematics and Computing Science, Eindhoven University of Technology, Eindhoven, The
Netherlands, 1984.
[17] J.T. Udding, A formal model for defining and classifying delay-insensitive circuits and systems,
Distributed Computing 1 (1986) 197–204.
[18] H. Zhang, Delay-insensitive networks, MMath. Thesis, Department of Computer Science, University of
Waterloo, Waterloo, Ontario, Canada, 1997.
