Abstract. This paper proposes a partial order reduction algorithm for timed trace theoretic verification that detects both safety failures and timing failures of timed circuits efficiently. The algorithm is built on a framework of timed trace theoretic verification that follows the original untimed trace theory; consequently, its conformance checking supports hierarchical verification. Experiments with the STARI circuits show the effectiveness of the proposed approach.
Introduction
Nowadays, the role of timed circuits in integrated digital circuit design has grown rapidly, so the verification of such timed circuits is imperative. The cost of timing verification, however, is quite high. Several approaches have been proposed to reduce the average complexity of verification, namely symbolic methods based on BDDs and partial order reduction. Symbolic methods are difficult to apply efficiently to timing verification, whereas partial order reduction is one of the most promising solutions to the state explosion problem, e.g. [1] [2] [3] [4]. Hence, verification methods to which partial order reduction is well suited are preferred.
One direction is a timing analysis algorithm that validates correctness in the level-ruled Petri net [5]. Another direction is the simple timed trace theory based on timed Petri nets [6]. Partial order reduction is applied in both, but neither can perform verification hierarchically by using the conformance relation.
In addition, [6] cannot verify liveness properties, i.e. only safety failures are detected. A framework of timed trace theoretic verification based on pseudo failures is proposed in [7], in which not only safety failures but also timing failures are examined. A timing failure is a restricted form of liveness violation; in practice, detecting timing failures is adequate for verifying timed circuits. Moreover, even though this approach does support hierarchical structure like the original trace theory [8], it still differs from the original in many points. Eventually, the framework of timed , there exists at most one output transition 6 such that wire 7 6 @ in a module.
is used to represent such a transition 6, especially in the figures, for simplicity. On the other hand, we allow multiple input transitions for an input wire is used in cases that there exists only one corresponding input transition. Figure 1 shows examples of modules. A time Petri net is a Petri net except that each transition 6 of a time Petri net has two non-negative rationals, the earliest firing time
and the latest firing time & Q # P 7 6 , and that each enabled transition must fire within this time bound. A timed run is the initial state, and be a set of all timed traces generated by¨. A semimodule is the same as a module, but its timed trace structure is defined differently, as shown later.
A timed trace structure of a module is the latest time until which the firings of all enabled transitions in¨can be postponed after . For example, in Figure 1 ,
, and
is 15 in not possible. This difference comes from the fact that a net can control producing or not producing an output, but cannot control an input.
, because an input cannot be controlled by the net. Hence, this must be a failure. Again, if is the set of all timed traces that can be generated by inserting any event of between any consecutive events in traces of
1
. This is extended for a timed trace structure
. Note that the inserted wires are always considered to be the inputs. The composition of
The correctness between modules is definedas follows.
with any environment with respect to failure-freeness. From this correctness definition, the following property is inherited.
The proof is shown in [8] . This is what we call hierarchical verification.
Practically, however, considering all possible timed trace structures ¤ is infeasible. Instead, the mirror of , and formally, for a timed trace structure
, is also a timed trace structure 
is coincidentally equal to
wire . This can be explained intuitively as follows. Suppose that
. First,
"
, because the net is the same. In untimed systems, every trace
because there is no upper bound. Thus, for 8 % "
, if
is a failure, then must be an input of holds, and so
, which is equal to by definition. From this fact, it is straightforward to implement conformance checking for untimed systems.
Unfortunately, for timed systems, this construction of mirror trace structures is not correct (see [9] for details). Note that such mirroring is only necessary for a module representing a specification. Thus, in order to obtain a timed conformance checking algorithm similar to the one for the untimed case, we introduce a slightly different version of a module for the specification. Since this is no longer a module whose timed trace structure is defined by C1, we call it a semimodule. A semimodule is also a tuple
wire , but its timed trace structure
, denoted by , is defined as follows. 
C2:
wire , we say that a semimodule
wire is the semimirror of is failure-free [9] .
Verification Algorithm
In order to describe the algorithm, we first make several definitions as follows.
is a semimodule,
is a set of modules, and¨`
, where
is a state of¨`. For a transition , respectively, where or not, which is achieved by checking whether
is failure-free or not, where
is the semimirror of satisfies the following three conditions, then
is concluded to be failure-free.
Condition 1
For any output transition 
Condition 2
For any input transition 
Condition 3
For any input transition such that Solution(
Intuitively, an output produced by a (semi)module must be accepted by some other (semi)module; otherwise a failure exists. Condition 1 checks this kind of failure, which we call a safety failure. A state that causes a safety failure is called a safety failure state. Consider the example shown in Figure 2 to its actual firing time in
is a failure of
, and so, for example,
is a failure in , and so, condition 1 does not hold.
On the other hand, an input expected by a (semi)module must be given in time by some other (semi)module; otherwise a failure occurs. Conditions 2 and 3 check this kind of failure, which we call a timing failure. A state that causes a timing failure is called a timing failure state. Consider the example shown in Figure 2( . The former holds because h
holds from the assumption and C1. Hence,
is a failure of and & is an output transition of some other module such that
is the smallest latest firing time point among the enabled output transitions. This case can be handled in the same way as condition 2.
Condition 3.2 is for the case where output transitions with the smallest latest firing time point exist only in v )
. In this case, we further need to consider a special case where such an output transition 
is a semimodule this time. Since
is a semimodule and h £ ¦ )
contains the input transition
holds from C2 for
, where . Hence,
. In this example,
, and so 
Partial Order Reduction for Timed Trace Theoretic Verification
In this section, the idea of partial order reduction for timed trace theory is proposed, and the difference between the proposed idea and [6] is discussed.
The concept of partial order reduction is to generate only a subset of the possible successor states, as long as correctness is not affected. We call a state space generated according to this principle the reduced state space. For timed trace theoretic verification, the reduced state space is not enabled in " (see Fig. 3(a) ), then (
, and -there exists a sequence¨such that (
. . . , and ¥ has a timing failure, and -(
along¨have no timing failure (see Fig. 3(b) ), then (
[PT1] is vital, because a new deadlock state must not be introduced in
[PT2] is for handling conflicting transitions. This is depicted in Figure 4(a). In Figure 4 [PT3] is for handling transitions that hide timing failures. Such a transition is an enabled output transition whose latest firing time point is larger than those of the others. For example, consider the modules illustrated in Figure 5. If
fires at 10, then a timing failure occurs in the resultant state, because
can fire later than
On the other hand, the current state is not a failure state, because
always fires earlier than
. Also note that
is firable in this state. Therefore, if
is fired in this state, the above timing failure is never detected. In other words,
hides the timing failure, and it corresponds to to fire, if
is chosen for firing. Due to the ignoring problem [1], we require that time certainly passes in any loop structure of any time Petri net in the module set, and that the latest firing time of each output transition is bounded. This is necessary to prove the correctness of the partial order reduction algorithm.
[Figure: panels (a) and (b), time Petri nets with transitions t1 and t3 carrying firing intervals [1,5] and [2,10] in (a), [1,5] and [1,5] in (b), and a further interval [1,2]]
State Enumeration
This section briefly describes how to traverse the reduced state space of a set of (semi)modules. The main idea is similar to that of [6]. Recall that we defined a state of a set of (semi)modules by
is a state of`. Here, we modify this definition a little for easier presentation. Let
denote a set of time Petri nets that compose the set of (semi)modules, where¨`
We define the state of
is a marking of all the nets and ¡ is a set of inequalities. The initial state of
, -
is an output transition such that 6 8 enabled(
is the future variable used to represent the next firing time of an output transition 6, and £ is a virtual variable used to synchronize the nets at the initial state. Note that we consider only the output transition variables for state space enumeration, because an input transition
synchronizes with out trans 7 6 , where out trans 7 6 is the output transition that corresponds to 6 , i.e., out trans 7 6 6 " such that wire`
, wire` wire` . Furthermore, we extend this notation by defining out trans ¢ 6 6 for an output transition
6
. enabled is extended for The ready set construction is described in the next section. Sometimes more than one successor state
can be produced from a state and an output transition . Consider a transition : we have successors corresponding to the possible combinations of true parents. Here, consider one such combination
is the true parent of , and
. This £ has all the necessary information for the inequality part of " . It, however, still contains some unnecessary past variables, and deleting them is necessary to make the state space finite. A past is a true parent of some enabled transition. The former condition is considered in [6], but the latter is a new condition needed in our method, because a transition which is a true parent of some enabled transition must be kept (footnote 5) in order to detect the safety and timing failures mentioned above and to construct the ready set described in the next section. Therefore, the set of unnecessary past variables can be defined as follows.
Footnote 5: In the actual implementation, in order to reduce the number of variables, input transitions with §¨ © ¡ are handled in the same way as [6] instead of keeping their true parents.
is in the ready set in Figure 5 , then
must be included in the ready set, i.e., if
fires before time 5, then
has a smaller latest firing time point than
, and otherwise,
has a smaller latest firing time point than
. We solve this problem in a conservative way: if h ¦ % is empty, then the set of all firable output transitions is used as the seed of the ready set.
The seed of the ready set obtained in this way satisfies [PT1] and [PT3]. In order to satisfy [PT2], the seed is extended so that for any transition 6 in the set, the set also includes the dependent set of 6, where the dependent set is defined below. This process is the same as the one presented in [6], so only its intuitive idea is described here; the details are given in [6].
The necessary set for a transition . This set contains transitions that should be fired when again conservatively. Moreover, if some (semi)module contains an independent loop structure, our algorithm may not terminate [6], because the time differences of concurrent transitions increase without converging. This situation can be detected by checking whether the time differences exceed some constant value. In such a case, the set of all firable transitions is again used as the ready set, meaning that the algorithm temporarily reverts to full state space enumeration.
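The following Python model is an added example; it is not code from the paper or from the authors' tool VINAS-P, and it implements a deliberately simplified, discrete-time version of the framework described above rather than the paper's own conditions and zone-based enumeration. It serves two passages: the intuition behind Conditions 1 to 3 in the verification algorithm section, and the total-order state enumeration that the experiments use as the baseline (the ready set is every firable output transition, with no partial order reduction). Modules are 1-safe time Petri nets whose transitions carry a wire name and a direction. An output transition may fire once its clock lies within [earliest, latest] and must fire when it reaches latest; when it fires, every other module that declares that wire as an input must have an enabled input transition for it, otherwise a safety failure is reported. Time may not pass while an enabled input transition has reached its latest firing time without its input having arrived; that is reported as a timing failure. Integer time, the clock rule for transitions that stay enabled, ignoring the earliest bound of input transitions, and the producer/consumer/flooder modules with all their names and timings are assumptions of this example.

```python
import itertools
from collections import deque, namedtuple

# kind: "out" = this module drives the wire, "in" = it expects the wire.
# earliest/latest: firing time bounds; integer time is an assumption here.
Transition = namedtuple("Transition", "name wire kind pre post earliest latest")
Module = namedtuple("Module", "name transitions initial")  # initial: marked places

def enabled(mod, marking):
    return [t for t in mod.transitions if all(p in marking for p in t.pre)]

def listens(mod, wire):
    return any(t.kind == "in" and t.wire == wire for t in mod.transitions)

def fire(marking, t):
    return (marking - frozenset(t.pre)) | frozenset(t.post)

def local_state(mod, old_clocks, marking, fired=()):
    # Transitions that stay enabled keep their clock; newly enabled ones
    # (a re-enabled fired one included) restart at 0.
    clocks = tuple(sorted((t.name, 0 if t.name in fired else old_clocks.get(t.name, 0))
                          for t in enabled(mod, marking)))
    return (marking, clocks)

def successors(modules, state):
    """Yield (label, next_state, failure); failure is None or a message."""
    for i, m in enumerate(modules):
        marking, clocks = state[i][0], dict(state[i][1])
        for t in enabled(m, marking):
            if t.kind != "out" or not t.earliest <= clocks[t.name] <= t.latest:
                continue
            label = f"{m.name}.{t.name}"
            # Every module declaring t.wire as an input must accept it now,
            # otherwise this output is a safety failure (Condition 1 intuition).
            receivers = [(j, [u for u in enabled(modules[j], state[j][0])
                              if u.kind == "in" and u.wire == t.wire])
                         for j in range(len(modules)) if j != i and listens(modules[j], t.wire)]
            deaf = [modules[j].name for j, acc in receivers if not acc]
            if deaf:
                yield label, None, f"safety failure: {deaf[0]} cannot accept {t.wire} from {label}"
                continue
            # One successor per combination of accepting input transitions.
            for choice in itertools.product(*[acc for _, acc in receivers]):
                new = list(state)
                new[i] = local_state(m, clocks, fire(marking, t), {t.name})
                for (j, _), u in zip(receivers, choice):
                    new[j] = local_state(modules[j], dict(state[j][1]), fire(state[j][0], u), {u.name})
                yield label, tuple(new), None
    # One time unit passes unless an output has reached its latest firing time
    # (it must fire first).  An expected input still missing at its latest
    # firing time is a timing failure (Conditions 2 and 3 intuition).
    urgent, overdue = [], []
    for m, (marking, clocks) in zip(modules, state):
        by_name = {t.name: t for t in m.transitions}
        for name, c in clocks:
            t = by_name[name]
            if c >= t.latest:
                msg = f"timing failure: {m.name}.{name} expects {t.wire} by {t.latest} but it has not arrived"
                (urgent if t.kind == "out" else overdue).append(msg)
    if overdue and not urgent:
        yield "tick", None, overdue[0]
    elif not urgent:
        yield "tick", tuple((mk, tuple((n, c + 1) for n, c in cl)) for mk, cl in state), None

def explore(modules):
    # Total-order enumeration: the ready set is every firable output transition.
    start = tuple(local_state(m, {}, m.initial) for m in modules)
    seen, queue, failures = {start}, deque([start]), set()
    while queue:
        for _, nxt, bad in successors(modules, queue.popleft()):
            if bad:
                failures.add(bad)
            elif nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return len(seen), sorted(failures)  # (reachable states, distinct failures)

# Constructed sample modules; names and timings are assumptions of this example.
def producer(ack_latest=3):  # drives a within [2,4], then expects b within ack_latest
    return Module("P", (Transition("req", "a", "out", ("p0",), ("p1",), 2, 4),
                        Transition("ack", "b", "in", ("p1",), ("p0",), 0, ack_latest)),
                  frozenset({"p0"}))

def consumer(ack_delay=(1, 2)):  # accepts a, then drives b after a delay in ack_delay
    return Module("C", (Transition("req", "a", "in", ("c0",), ("c1",), 0, 10),
                        Transition("ack", "b", "out", ("c1",), ("c0",), *ack_delay)),
                  frozenset({"c0"}))

def flooder():  # drives a every time unit and never waits for an acknowledge
    return Module("F", (Transition("req", "a", "out", ("f0",), ("f0",), 1, 1),), frozenset({"f0"}))

if __name__ == "__main__":
    print(explore([producer(), consumer()]))        # (8, [])
    print(explore([producer(), consumer((1, 5))]))  # b may arrive after P's deadline: timing failure
    print(explore([flooder(), consumer()]))         # second a while C is busy: safety failure
```

The producer/consumer pair is failure-free because the consumer's acknowledge window [1,2] lies inside the producer's expectation window of 3 time units; widening the acknowledge window to [1,5] lets the consumer wait past the deadline, and the enumeration reports the timing failure at the state where the producer's input clock reaches 3 while the consumer's output is not yet urgent, which is the kind of state that a badly chosen ready set could hide ([PT3]). The flooder reproduces a safety failure: it drives the request wire again while the consumer has no enabled input transition for it.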
Experimental Results
To show the performance of the proposed method, we have implemented it on top of the tool VINAS-P [6]. This section demonstrates the proposed method on the STARI circuits [10, 11].
The STARI circuit is composed of a number of FIFO stages. A two-stage STARI circuit is shown in Figure 7(a). These gates are modeled by time Petri nets. In [11], the verification of this circuit with respect to the following three properties is demonstrated: (1) 2 time units after ack3 goes high and at least 9 time units before ack3 goes low again. To express all of these properties, we use the time Petri net shown in Figure 7(e).
The experiments were run on a 2.8 GHz Pentium 4 workstation with 4 gigabytes of memory. We have verified the STARI circuits using both the total order method and the partial order method to compare their performance; in the total order method, the ready set contains all firable output transitions. Moreover, we have also verified these circuits hierarchically with the partial order method. In this experiment, we first verify a one-stage STARI circuit against its specification shown in Figure 8. Note that this specification is obtained by analyzing the behavior of the one-stage STARI circuit. The verification of such a sub-circuit against its specification must be done for stages with different initial markings. Once those verifications succeed, every stage circuit is replaced by its corresponding specification, which is much smaller than the circuit model, and it is verified that the set of those sub-specifications conforms to the original specification (Figure 7(e)). Figure 9 shows the CPU times for verification of E-stage STARI circuits, where the x-axis shows E. Note that "Partial(hierarchical)" includes the verification runs for the sub-circuits. These results show that the performance improvement from partial order reduction is significant, and that hierarchical verification is much more powerful still. One disadvantage of hierarchical verification is that sufficient sub-specifications must be prepared by the user.
In addition to these experiments, we have run the XOR chain example from [12] to compare the proposed method with Minea's work. According to our results, the example is very sensitive to the delay bounds of the XOR gates, which are not specified in his thesis, so a fair comparison is not easy. One observation is that the total order method outperforms our partial order method on this example, although it has some amount of concurrency. This is probably because the example contains many almost independent loops, which makes visited-state checking difficult in the partial order method (details can be found in [6]).
Conclusion
In this paper, we have proposed a partial order reduction algorithm for timed trace theoretic verification. Our algorithm can hierarchically verify timed circuits and detect a kind of liveness failure (i.e. timing failures). Experimental results obtained from the STARI circuits using the partial order reduction show the effectiveness of the proposed method.
We are planning to carry out a case study verifying a practical system to show the usefulness of the proposed method.
