Abstract. This paper presents a new algorithm for efficiently verifying timed systems. The new algorithm represents timing information using geometric regions and explores the timed state space by considering partially ordered sets of events rather than linear sequences. This approach avoids the explosion of timed states typical of highly concurrent systems by dramatically reducing the ratio of timed states to untimed states in a system. A general class of timed systems which include both event and level causality can be specified and verified. This algorithm is applied to several recent timed benchmarks showing orders of magnitude improvement in runtime and memory usage.
Introduction
The fundamental difficulty in verification is controlling the state explosion problem. The state spaces involved in verifying reasonably sized systems are large even if the timing behavior of the system is not considered. The problem gets even more complex when verification is done on timed systems. However, verification with timing is crucial to applications such as asynchronous circuits and real-time systems.
A number of techniques have been proposed to deal with state explosion, including stubborn sets [1], partial orders [2], and unfolding [3]. These techniques reduce the number of states explored by considering only a subset of the possible interleavings between events. They have been successful, but they only deal with untimed verification.
The state space of timed systems is even larger than the state space of untimed systems and has been more difficult to reduce. The representation of the timing information has a huge impact on the growth of the state space. Timing behavior can either be modeled continuously (i.e., dense-time), where the timers in the system can take on any value between their lower and upper bounds, or discretely, where timers can only take on values that are multiples of a discretization constant. Discrete time has the advantage that the timing analysis technique is simpler and implicit techniques can be easily applied to improve performance [4, 5] . However, the state space explodes if the delay ranges are large and the discretization constant is set small enough to ensure exact exploration of the state space.
Continuous time techniques eliminate the need for a discretization constant by breaking the infinite continuous timed state space into equivalence classes. All timing assignments within an equivalence class lead to the same behavior and do not need to be explored separately. In order to reduce the size of the state space, the size of the equivalence classes should be as large as possible. In the unit-cube (or region) approach [6] , timed states with the same integral clock values and a particular linear ordering of the fractional values of the clocks are considered equivalent. Although this approach eliminates the need to discretize time, the number of timed states is dependent on the size of the delay ranges and can explode if they are large.
Another approach to continuous time is to represent the equivalence classes as convex geometric regions (or zones) [7, 8, 9]. These geometric regions can be represented by sets of linear inequalities (also known as difference bound matrices or DBMs). These larger equivalence classes can often result in smaller state spaces than those generated by the unit-cube approach.
While geometric methods are efficient for some problems, their complexity can be worse than either discrete or unit-cube methods when analyzing highly concurrent systems. The number of geometric regions can explode with these approaches since each untimed state has at least one geometric region associated with it for every firing sequence that can result in that state. In highly concurrent systems where many interleavings are possible, the number of geometric regions per untimed state can be huge. Some researchers [10, 11, 12] have attacked this problem by reducing the number of interleavings explored using the partial order techniques developed for untimed systems. These algorithms reduce verification time by exploring only part of the timed state space, but this may limit the timing properties that can be verified. While reducing the number of interleavings is useful, in [10, 11] one region is still required for every firing sequence explored to reach a state. If most interleavings need to be explored, these techniques could still result in state explosion.
The algorithm presented in [13, 14] significantly reduces the number of regions per untimed state by using partially ordered sets (or POSETs) of events rather than linear sequences to construct the geometric regions. Using this technique, untimed states do not have an associated region for every firing sequence. Instead, the algorithm generates only one geometric region for any set of firing sequences that differ only in the firing order of concurrent events. This algorithm is shown in [14] to result in very few geometric regions per untimed state. The entire timed state space is explored, so it can be used to verify a wide range of timing properties. However, it is limited to specifications where the firing time of an event can only be controlled by a single predecessor event (known as the single behavioral place (or rule) restriction). This restriction can be worked around with graph transformations, but the graph transformations add ¦ § new rules for each event with ¦ behavioral rules [15, 16] . In [17] , we presented an approximate algorithm for exploring the entire state space with POSETs on a general class of specifications, lifting the single behavioral rule restriction. However, it may generate regions that are larger than necessary. This paper presents a new algorithm for timed state space exploration based on geometric regions and POSETs. This algorithm operates on a very general class of specifications, timed event/level (TEL) structures [18] , which are capable of directly expressing both event and level causality. Through a straightforward construction (omitted due to space constraints), it can be shown that TEL structures are at least as expressive as 1-safe time Petri nets [19] . TEL structures can also represent some behavior more concisely due to their ability to specify levels which are not directly supported in time Petri nets. 
While they are not as expressive as timed automata [6] , TEL structures represent an interesting class of timed automata sufficient to accurately model timed circuit behavior. Unlike the partial order techniques discussed earlier, the POSET timing algorithm does explore every interleaving between event firings, and therefore explores all states of the system. This new algorithm dramatically improves the performance of geometric region based techniques on highly concurrent systems, making dense-time verification extremely competitive with discrete-time when the delay ranges are small and far superior when the ranges are large. The performance of POSET timing is demonstrated by orders of magnitude improvement in runtime and memory usage on several recent timing verification benchmarks.
Timed systems and exploration of their timed states
The process of timing verification begins with a specification of a timed system and properties that it must satisfy. To check if these properties are satisfied, the verification algorithm explores the timed state space allowed by the specification. This section presents our formalism for modeling timed systems and exploring their state spaces.
Timed event/level structures
The algorithm presented in this paper is applied to specifications in the form of TEL structures [18] , an extension of timed event-rule structures [15] . TEL structures are very well suited to describing asynchronous circuits since they allow both event causality to specify sequencing and level causality to specify bit value sampling. This section gives a brief overview of TEL structures. See [18] for a more complete description of their semantics. A TEL structure is a tuple© 
is the set of atomic actions; 4. ' n is calculated. If a timed state is reached that has been seen before, the algorithm pops off the stack a timed state and the list of rules that have not yet been explored for that state. When a state that has been seen before is reached and the stack is empty, the entire timed state space has been found.
The timing information must be updated at every rule firing during state space exploration. Therefore, it is very important that the procedure for updating it is efficient. The timing analysis algorithm presented here uses geometric regions to represent the timing information within a timed state. Whenever a rule 2 q becomes enabled, a clock r q is created to be used in timing analysis. The minimum and maximum age differences of all the clocks associated with rules in , not on the whole set of rules. This particular way of representing timed regions was first introduced in [7]. This constraint matrix represents a convex x' l mx dimensional region. Each dimension corresponds to a rule and the firing times of the rule can be anywhere within the space.
Timed state space exploration using POSET timing
While geometric regions are an effective way to represent dense-time state spaces, the number of geometric regions can explode for highly concurrent timed systems [14, 5] . In [14] , an algorithm is described that uses partially ordered sets (POSETs) of events rather than linear sequences to mitigate this state explosion problem. POSET timing techniques take advantage of the inherent concurrency in the TEL structure and prevent additional regions from being added for different sequences of event firings that lead to the same untimed state. This results in a compression of the state space into fewer, larger geometric regions that, taken together, contain the same region in space as the set of regions generated by the standard geometric technique. Therefore, all properties of the system that can be verified with the standard geometric technique can be verified with the POSET algorithm. This combination of regions could also be done as each region is generated during state space exploration. However the check to see if the combination of two regions is convex takes
time in the number of constraints in the matrix. This check must be done between each new region and all the regions that have been generated previously, making this approach prohibitively expensive [13].
The POSET algorithm maintains a POSET matrix (also known as a process matrix in [13, 14, 17]), in addition to the constraint matrix. A POSET is a partially ordered set of events created from a TEL structure and a firing sequence. It is constructed from a TEL structure as follows: The POSET is initially empty. Events are added in the same order as they occur in the firing sequence. For an event in the firing sequence, a correspondingly labeled event is added to the POSET. Rules are added to connect the newly enabled event to the events in the POSET that enabled it.
The POSET matrix stores the minimum and maximum possible separations between the firing times of all the events in the POSET that are allowed by the firing sequence currently being explored. At each iteration, the time separations in the POSET matrix are copied into the entries of the constraint matrix that restrict the differences in the enabling times of the rules. Events are projected out of the POSET matrix when their timing information is no longer needed, so the algorithm only needs to retain and operate on local timing information.
Partially ordered sets without levels
When a new event fires and is added to the POSET matrix, the minimum and maximum time separations between its firing time and the firing times of all other events in the matrix must be determined. This set of separations must be consistent with the rule firing sequence that resulted in the current state. The rule firing sequence often limits the separations between events that are possible. There may be separations between events that are possible over all firing sequences but are not possible given the current one. Therefore, the separations in the POSET matrix must be restricted so that they are reachable given the current rule firing sequence.
The POSET matrix is kept consistent with the current rule firing sequence by ensuring that the time separations in the matrix reflect the causality implied by the current rule firing sequence. An event that is enabled by multiple rules does not fire until all of these rules have fired. The last rule to fire actually causes the event to fire, and is referred to as the causal rule. More formally, a rule
Q up [ 15, 17] .
The significant difference between the POSET technique described here and the work presented in [13, 14] is the method used to compute the POSET matrix. In [13, 14] , it is not necessary to use explicit causality information since the causal rule is always the behavioral rule. With multiple behavioral rules, causality must be considered in order to compute a correct POSET matrix. Assume that f m is a correct, maximally constraining set of inequalities that relate the firing times of a set of events % m 
. All of the inequalities in f m A ¡ can be made maximally constraining by running Floyd's all pairs shortest path algorithm [7] .
After the all pairs shortest path algorithm is run, m ¡ contains a maximally constraining set of inequalities that includes all the constraints that result from firing . However, the minimum and maximum constraints between and all of the events in % m must also be included in f m ¡ . Since these additional constraints are immediately derivable from the constraints already in f m ¡ , this procedure can be used to construct correct sets of inequalities for an arbitrary rule firing sequence.
A geometric region representing the differences in the ages of a set of clocks associated with a set of enabled rules ' g l m can easily be computed given a POSET matrix using a method similar to the one described in [13, 14] min. These constraints are simply copied into the matrix representing the geometric region. The minimum and maximum bounds of the rules are used to set the minimum and maximum age differences between r q and r . Floyd's algorithm is then run on the constraint matrix, resulting in a maximally constraining set of inequalities. This may further constrain some of the inequalities since the POSET inequalities do not take into account the fact that a clock associated with a rule may not be older than the maximum bound on the rule. Additionally, the normalization algorithm described in [13] is applied to ensure that the state space remains finite. Figure 1 shows timing analysis based on POSETs applied to the small TEL structure shown at the top of the figure. This example shows how our algorithm solves two of the problems that occur when using geometric regions for timed state space exploration: region splitting and multiple behavioral rules. In this example, initially the
has just fired. The POSET matrix contains a single event, 
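The matrix operations described in this subsection, as an added, constructed illustration (this is not code from the paper or from ATACS): Floyd's algorithm tightening a difference-bound matrix, the POSET matrix growing as each event is added with its causal rule, and the clock-age region being copied out of the POSET matrix and tightened again. The index conventions, the clock-age encoding (c_q = now minus the enabling event's firing time) and the treatment of non-causal rules as contributing only a lower bound are my assumptions, not taken from the paper.

```python
import math
INF = math.inf

def floyd_close(d):
    """Tighten a DBM in place with Floyd's all-pairs shortest path [7].
    d[i][j] is the largest allowed x_i - x_j.  False means the region is empty."""
    n = len(d)
    for k in range(n):
        for i in range(n):
            for j in range(n):
                if d[i][k] + d[k][j] < d[i][j]:
                    d[i][j] = d[i][k] + d[k][j]
    return all(d[i][i] >= 0 for i in range(n))   # negative cycle => empty

def new_matrix(n):
    """n x n matrix with no constraints other than x_i - x_i <= 0."""
    return [[0 if i == j else INF for j in range(n)] for i in range(n)]

def poset_add_event(sep, causal, others=()):
    """Append a new event to the POSET matrix sep (sep[a][b] bounds t_a - t_b)
    and return its index.  causal = (enabling event, lower, upper) is the rule
    whose firing causes the event; others holds the same triples for its other
    enabling rules.  Assumed convention: a rule that fired before the causal
    rule contributes only its lower bound on the event's firing time."""
    n = len(sep)
    for row in sep:
        row.append(INF)
    sep.append([INF] * n + [0])
    e, lo, hi = causal
    sep[n][e] = hi        # t_n - t_e <= hi
    sep[e][n] = -lo       # t_e - t_n <= -lo, i.e. t_n - t_e >= lo
    for e2, lo2, _ in others:
        sep[e2][n] = min(sep[e2][n], -lo2)
    if not floyd_close(sep):
        raise ValueError("POSET inconsistent: sequence not realisable")
    return n

def region_from_poset(sep, rules):
    """Clock-age region of the enabled rules, copied out of the POSET matrix.
    rules[q] = (enabling event e_q, lower, upper); clock q has age
    c_q = now - t_{e_q}, so c_q - c_r = t_{e_r} - t_{e_q}.  Index 0 is the
    constant-zero reference clock."""
    d = new_matrix(len(rules) + 1)
    for q, (eq, _, uq) in enumerate(rules):
        d[q + 1][0] = uq      # c_q <= upper: a clock may not outlive its rule
        d[0][q + 1] = 0       # c_q >= 0
        for r, (er, _, _) in enumerate(rules):
            if q != r:
                d[q + 1][r + 1] = sep[er][eq]   # POSET separation, copied
    floyd_close(d)            # Floyd may tighten the copied entries further
    return d

def build_example(a_first=True):
    """Constructed example: events a and b are both enabled by the initial
    event 0 (delays [1,4] and [2,3]) and fire concurrently; a_first picks the
    interleaving.  Returns the POSET matrix, the indices of (a, b) and the
    region of the rules a and b enable, which is the same for both orders."""
    sep = new_matrix(1)
    if a_first:
        a = poset_add_event(sep, (0, 1, 4)); b = poset_add_event(sep, (0, 2, 3))
    else:
        b = poset_add_event(sep, (0, 2, 3)); a = poset_add_event(sep, (0, 1, 4))
    return sep, (a, b), region_from_poset(sep, [(a, 2, 5), (b, 1, 1)])
```

In the example the rule enabled by b has upper bound 1, so Floyd tightens the copied bound on the other clock from 5 to 3 (it can be at most 2 older than a clock that is at most 1 old), and adding a third event with two enabling rules shows the firing sequence forcing tighter separations between earlier events than the delay ranges alone allow.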
Partially ordered sets with levels
In [18], we extended a geometric region based timed state space exploration algorithm to TEL structures which include arbitrary level annotations. The POSET algorithm presented in the previous section can also be extended to TEL structures with a limited class of level annotations. The algorithm is based on the ability to determine which previous event firing is causal to each new event firing. Recall that in our algorithm, rules fire independently of events, and an event fires when a set of rules sufficient to enable it have fired. When there are no level expressions, the causal event is simply the enabling event of the causal rule. However, if there are level expressions, this is not necessarily the case. With levels, a rule does not always become enabled when its enabling event fires. A rule only becomes enabled when its enabling event has fired and its level expression evaluates to true. Therefore, an event is causal to event if the firing of event enables ' s causal rule either because it is its enabling event or because it changes the value of the state such that ' s causal rule becomes enabled. Determining this causality is straightforward during state space exploration. Whenever a rule fires, its causal event is recorded. Then, when an event fires, a procedure similar to the one described in the previous subsection is used to determine the new set of inequalities that belong in the POSET matrix. The major difference is that now any event in the TEL structure may be causal to the firing event, so all events need to be checked for causality. Additionally, the causality relationship may imply other time relationships between event firings. Due to space constraints, they are not described here. However, all of the constraints can be easily computed as long as the boolean expressions are restricted to pure and-expressions and pure or-expressions.
This limited class of TEL structures is expressive enough to model all TEL structures since more complex expressions can be modeled through graph transformations.
Results and conclusions
The POSET algorithm drastically reduces the number of geometric regions generated during state space exploration of highly concurrent systems. We have also made additional optimizations to the state space exploration process, such as removing timed states from the stack of states to be explored when a region that is a superset of previous regions is found, and reducing the number of interleavings between rule firings. This new POSET timing algorithm, along with these optimizations, has been implemented within the CAD tool ATACS and produces very good results, as illustrated with the parameterized timing verification benchmarks in this section.
The first two, the Alpha and Beta examples, are from [5]. Each stage of the Alpha example is composed of a single event which can fire repeatedly at a given interval and is not affected by any other events in the system. In [5], they showed that techniques based on DBMs (i.e., geometric regions) could only handle 5 stages of this highly concurrent example while their symbolic discrete-time technique using numerical decision diagrams (NDDs) could handle 18 stages in 12 hours on a SUN UltraSparc with 256MB of memory. A loglog plot of the results from [5] and our results using POSET timing on a SPARC 20 with 128 MB of memory is shown in Figure 2. These results indicate that POSET timing is orders of magnitude faster and more memory efficient. In fact, our technique found the reachable state space for 512 stages in about 73 minutes using 112 MB of memory. This simple example clearly has only one untimed state regardless of the number of stages, and POSET timing can represent the timed state space using only one geometric region. Our technique does not find the region in its first iteration, however. It first finds a number of smaller regions before finding the final region that is a superset of all the rest. Therefore, although its performance is very good, it does not analyze the example instantaneously. One stage of the Beta example is composed of one state bit per stage with two events, one to set and one to reset the bit. In [5], they showed that DBMs could only handle 4 stages while their technique could handle 9 stages. A semilog plot of their results and ours is shown in Figure 3. POSET timing can handle 14 stages in 108 MB of memory in just 16 minutes. For the Beta example, the number of states is exactly e m where ¦ is the number of stages, so POSET timing could handle an example with e times more untimed states than in [5]. Again, POSET timing is able to represent all the timing behavior in this example using one geometric region per state.
Clearly, the Alpha and Beta examples are ideally suited to our algorithm, but they are used in [5] to demonstrate the weakness of traditional geometric region based methods. The next example is an n-bit synchronous counter. The basic operation of the counter is that when the clock goes high, the next value of the count is determined from the previous value. When the clock goes low, the new value is latched and fed back to determine the next count. This example has several events which are enabled by multiple behavioral rules. In [15], graph transformations are described that can create a new specification which satisfies the single behavioral rule restriction, allowing verification by Orbits [13, 14]. Using these graph transformations, Orbits could only analyze a 3-bit counter because it required 10,222 geometric regions to find the 64 untimed states. With our new POSET timing algorithm, only 294 geometric regions are required to represent the entire timed state space for the 3-bit counter. In fact, our algorithm could analyze up to a 6-bit counter. This drastic difference in region count occurs because the graph transformation adds ¦ § new rules for each event that has ¦ behavioral rules. In the 3-bit counter most of the events had 4 behavioral rules, causing a huge combinatorial explosion in the number of regions.
The last example is a STARI communication circuit described in detail in [20, 21] . The STARI circuit is used to communicate between two synchronous systems that are operating at the same clock frequency,
