The problem of "time separation" can be stated as follows: given a system made of several connected components, each one entailing a local delay known with uncertainty, what is the maximum time for traversing the global system? This problem is useful, e.g., in the domain of digital circuits, for determining the global traversal time of a signal from the knowledge of bounds on the component propagation delays. The uncertainty on each component delay is given in the form of an interval. The general problem is NP-complete. We focus here on the inverse problem: we seek intervals for component delays for which the global traversal time is guaranteed to be no greater than a specified maximum. We give a polynomial-time method to solve it. As a typical application, we show how to use the method to relax some specified local delays while preserving the maximum traversal time. This is especially useful, in the area of digital circuits, for optimizing "setup" timings of input signals (minimum timings required for stability).
Introduction
As said in [5]: "The behavior of asynchronous and concurrent systems is naturally described in terms of events and their interactions. A fundamental problem in analyzing such systems is to determine bounds on the time separation of events. Stated informally, we seek answers to questions such as: 'How late can event i occur after event j?' for arbitrary events i and j. The problem of computing time separation bounds is compounded in practice by statistical variations in manufacturing and operating conditions that introduce uncertainties in component delays. Consequently, finding bounds on time separation of events in the presence of uncertain component delays is an important practical problem."
The uncertainty on each component delay is given in the form of an interval. The general problem of finding the exact bound on the time separation between two given events i and j is NP-complete [12]. We focus here on the inverse problem: we seek intervals for the component delays, so that the time separation between i and j is guaranteed to be no greater than a specified bound. We give a polynomial-time method to solve it, and explain how it is useful for relaxing some bounds associated with some component delays while preserving the global separation time from i to j.
Related Work.
The direct problem of time separation of events has received considerable attention in the literature (see, e.g., [5] for an extensive survey). Even in the case of acyclic timing constraint graphs, the direct problem is NP-complete [12]. Many researchers have thus proposed polynomial-time approximating algorithms, which give an upper approximation of the maximal separation time. In contrast, the time generated here is guaranteed to be the exact maximal time (for a possibly restricted domain of component delays, however). Other researchers have replaced some of the bound values by parameters, then have computed the exact solution space using exponential-time procedures (e.g., Fourier-Motzkin elimination or Presburger-based procedures [2]). A variant of this approach has been proposed using additional techniques of abstract interpretation [9] or parametric reachability analysis [8].
In this paper we focus on the inverse problem. To our knowledge, such an inverse problem has rarely been tackled in the literature. An exception is [6]. Its goal there is to compute safe bounds on some timing constraints (typically, setup timings), in the sense that, when satisfied, these constraints guarantee "correct" operation of the circuit. In their context, "correct" means that the circuit has no hazard, i.e., roughly speaking, that the output signal changes at most once. Such a guarantee is complementary to ours, since what we guarantee, in this context, is that the first change of the output signal occurs before a specified lapse of time. Also, their analysis does not take place in the framework of separation of events, but in the framework of "multi-value signal algebra", which is well-suited to the problem of hazard detection. Another work, which can be viewed as an inverse method, is [4]: they pose the problem as a min-max linear programming problem and use it for computing optimal clock schedules in synchronous circuits, but their method is exponential.
Time Separation of Events
The Direct Problem. Formally, the system can be represented in the form of a "timing constraint graph" [7]. The graph is oriented: vertices (or nodes) represent events and directed edges represent causal dependencies between them. Let $\{0, \ldots, N-1\}$ be the set of vertices. Each event is labeled with a min, max or delay operator specifying how the time of occurrence of event q, denoted $t_q$, depends on those of its predecessors in the timing constraint graph. A delay-node q is either a source event (no incoming edge), or has a unique predecessor, say p, in the graph, and the edge from event p to event q is labeled with symbol $\delta_{p,q}$ representing the (non-negative) delay in the propagation of event p to event q. For any vertex q, let preds(q) denote the set of its predecessor vertices. We have the system (see footnote 3):
-for each delay-node q, distinct from the source, of (unique) predecessor p: 
In the following, we restrict our analysis to acyclic timing constraint graphs, with a unique source (event with no incoming edge). The delay-edges are the edges linking a node p to a delay-node q. Note that, for a given vector of values d for $\delta$, system (1)-(2)-(3) has a unique solution in $t_0, \ldots, t_{N-1}$.
For every delay-edge from p to q, the associated delay $\delta_{p,q}$ is constrained to fall within fixed (nonnegative) lower and upper bounds $l_{p,q}$ and $u_{p,q}$. That is:
$$l_{p,q} \le \delta_{p,q} \le u_{p,q}.$$
Let $\delta$ be the vector of the $\delta_{p,q}$'s, where q is a delay-node (distinct from the source). Let $l$ and $u$ be the vectors of the $l_{p,q}$'s and $u_{p,q}$'s respectively. Note that all these vectors have $r-1$ components, where r is the number of delay-nodes (including the source) (see footnote 4). Let $\Delta = (l, u)$ be the zone delimited by the intervals $(l_{p,q}, u_{p,q})$. Henceforth, the set of inequations $\{l_{p,q} \le \delta_{p,q} \le u_{p,q}\}$ will appear in the form $l \le \delta \le u$ or $\delta \in \Delta$. The direct problem is posed as one of finding the maximum achievable separation $\max(t_j - t_i)$ between two events i and j under the considered system of timing constraints. We will assume here that the time of the source event is null, and that the source coincides with vertex i ($t_i = 0$). In the direct problem, one seeks therefore the maximal value of $t_j$, denoted by $\mathrm{MAX}_j$:
$$\mathrm{MAX}_j = \max_{\delta \in (l,u)} t_j.$$
As usual, a path $\pi_p$ from the source to event p is a sequence of adjacent edges going from the source to p. The delay of a path $\pi$ is the sum of the delays of its edge components, $\sum_{(p,q) \in \pi} \delta_{p,q}$, which will be abbreviated as $\pi\delta$.
Henceforth, we assume given a Time Separation of Events system with an acyclic timing constraint graph with a unique source (node i), a set of vertices $\{0, \ldots, N-1\}$, a domain $\Delta = (l, u)$, and an associated set of equations (1)-(2)-(3) (together with the implicit equation $t_i = 0$).

Footnote 3: In the original formulation of the problem, there are no delay-nodes, but one allows min-nodes of the form $t_q = \min(t_p + \delta_{p,q}, t_r + \delta_{r,q})$ (and similarly for max-nodes). Such a timing constraint graph can be transformed into an equivalent form as above, at the price of introducing new intermediate nodes on each edge. This adds to the original graph at most $n \times K$ new vertices, where n is the number of vertices of the original graph, and K the maximum number of predecessors of any vertex. (Usually K is a small constant, and in any case bounded by n.)

Footnote 4: It is convenient to assume that all the other edges (to min/max nodes q) have delays $\delta_{p,q}$ which are null (i.e., $l_{p,q} = u_{p,q} = 0$ for min/max node q).

Example 2.1
This example concerns SPSMALL, an embedded memory designed by STMicroelectronics which has been presented in [8]. The timing constraint graph (for the write operation) is made of 27 event nodes (see Fig. 1). For the sake of homogeneity with the presentation of [8], we make cosmetic changes with respect to the presentation of timing constraint graphs given above. Thus, events are not only numbered but also denoted by symbols corresponding to those used in [8]; for example event 20 is also denoted by o ↓ 16 (footnote 5). Also, delays $\delta_{p,q}$ between events p and q are allowed to appear as an algebraic sum of more elementary delays: for example,
The delay $\delta_{HI}$ (resp. $\delta_{LO}$) corresponds to the high-level (resp. low-level) period of the clock of the circuit. These delays are specific, as they are assumed to be fixed: the bounds $l_{HI}$ and $u_{HI}$ of $\delta_{HI}$ are equal to a common value denoted by $d_{HI}$, and similarly for $\delta_{LO}$. Henceforth, $\delta_{HI}$ and $\delta_{LO}$ will appear in the form $d_{HI}$ and $d_{LO}$ respectively. The expression $\delta \in (l, u)$ (where l and u correspond to implementation SP1 of [8]) is given componentwise as follows:
Besides: $\mathrm{MAX}_{23} \equiv \mathrm{MAX}_{Q^\uparrow} = 56\ (+ d_{HI} + d_{LO})$. All these values have been found by the manufacturer via electrical simulation (at the transistor level). Decreasing values $l_{\mathit{setup}_D} = 108$ and $l_{\mathit{setup}_W} = 48$ would lower the cost of the circuit, but this should not alter the maximal response time $\mathrm{MAX}_{23} = 56$ (see [8]). Our inverse method will show that this can be safely done.
Interest of the Inverse Problem.
Before giving the inverse method, let us explain why the resolution of the inverse problem can help to relax the bounds assigned to the component delays of the system. In the direct problem, we have:
-as an input: $\Delta = (l, u)$,
-as an output: $\mathrm{MAX}_j$, a value such that $t_j \le \mathrm{MAX}_j$ for all $\delta \in \Delta$.
In the inverse problem, we will have:
-as an input: a specific value $d_0$ for $\delta$,
-as outputs: a domain $\Delta^* = (l^*, u^*)$, and a value $\mathrm{MAX}^*_j$, such that $t_j \le \mathrm{MAX}^*_j$ for all $\delta \in \Delta^*$.
In a "good situation", we will have for $\mathrm{MAX}^*_j$ and $\Delta^*$ the following:
In this case, we can safely relax the original bounds $l$ and $u$ to $l^*$ and $u^*$, and still guarantee an upper bound (no greater than) $\mathrm{MAX}_j$. As illustrated in Example 1, the method is useful, in the area of digital circuits, for optimizing "setup" timings of input signals (i.e., for minimizing the stability period of an input signal required before the circuit clock changes). Even if the second item does not hold for all its components, i.e., $l^*_k > l_k$ or $u_k > u^*_k$ for some events k, the knowledge of $\Delta^*$ may be instructive: in particular, it makes it possible to identify certain sets of "key" parameters k which, when ranging over a restricted interval, enable the relaxation of the bounds of the other parameters (see Appendix 2).
Inverse Method
Let us now describe our inverse method.
-if q is a delay-node then $q^* = q$.
-if q is a min-node (resp. max-node) then $q^*$ is the O-earliest (resp. O-latest) node among the delay-nodes representing the predecessors of q (i.e. among $\{p^* \mid p \in \mathrm{preds}(q)\}$).
For all event q of representative delay-node q * , it follows from (1)- (2)- (3) 
The other inequalities of $I^*_0$ associated with $O_0$ are given in Appendix 1.
Proposition 3.8 Let $O \equiv t_{k_1} \le \cdots \le t_{k_r}$ be a canonical order, $\pi^*_p$ the representative path of event p ($0 \le p \le N-1$) associated with O, and $I^* \equiv \{I_{k_1}, \ldots, I_{k_r}\}$ the set of δ-constraints associated with O. If d is a value of δ satisfying $I^*$, then we have (under (1)-(2)-(3)), for δ
Proof. Suppose that d is a value of δ satisfying I * . Let us prove:
, for all event p. The proof proceeds by induction on the depth of event p in the timing constraint graph. The proof of the base case is trivial. Let us prove the induction step. Node p is either a min/max node or a delay-node. Suppose first that p is a min/max-node, say a min-node (the case of a max-node is similar). Then p is the sink of a "min/max subgraph", i.e. the smallest (directed) subgraph of sink p having only delay-nodes, say p 1 , ..., p m , as sources (All the non-source nodes are min/max nodes). By induction hypothesis on p k (1 ≤ k ≤ m), we have: 
In Then, under (1)- (2)- (3), the representative path π * j is such that:
Proof. Since l * and u * are solutions of J * , we have:
is a solution of $I^*$. Therefore, under (1)-(2)-(3), for all event

The system $J^*$ is a linear system of r inequalities with r unknowns $x_{p,q}$ and r unknowns $y_{p,q}$, where r is the number of delay-nodes (r is less than or equal to the number N of events). The problem now reduces to finding solutions $l^*$ and $u^*$ which delimit a domain of interest $\Delta^*$ as large as possible. This problem can be seen as an optimization problem in linear programming, which is solvable in polynomial time in N.
Example 3.12
Let us consider system J * generated for SPSMALL system (see Example 3.10). 
(from: y 
Complexity and Enhancements
The inverse method described in Sect. 3 can be recapitulated as follows:
-find an order O induced by a specific point $d_0$
-construct the associated set of δ-constraints $J^*$
-find an optimal solution $(l^*, u^*)$ of the associated system $J^*$.
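The first step and the guarantee it supports, as an added example (not code from the paper or from HYTECH): it derives the representative paths induced by a point d0 as described in Sect. 3, then certifies a candidate box with a plain interval comparison that stands in for the paper's system J* and its linear program. The graph, the numbers and all function names are constructed assumptions, and delays are assumed to be plain nonnegative variables (no algebraic sums as in SPSMALL).

```python
# Added illustration: graph, edge names and numbers are constructed, not from the paper.
# Assumed semantics: a delay-node has t_q = t_p + d[(p, q)]; min/max nodes take the
# min/max of their predecessors' times (zero-delay edges); the source has t = 0.
GRAPH = {  # node -> (kind, predecessors), listed in topological order
    "s": ("src", []),
    "a": ("delay", ["s"]),
    "b": ("delay", ["s"]),
    "m": ("max", ["a", "b"]),
    "c": ("delay", ["m"]),
    "e": ("delay", ["s"]),
    "j": ("min", ["c", "e"]),
}
D0 = {("s", "a"): 3, ("s", "b"): 7, ("m", "c"): 2, ("s", "e"): 12}   # reference point d0
LO = {("s", "a"): 2, ("s", "b"): 5, ("m", "c"): 1, ("s", "e"): 10}   # original bounds l
HI = {("s", "a"): 4, ("s", "b"): 9, ("m", "c"): 3, ("s", "e"): 15}   # original bounds u
LO_STAR = {**LO, ("s", "a"): 0, ("s", "e"): 12}   # (s,e) tightened, (s,a) relaxed
HI_STAR = {**HI, ("s", "a"): 5, ("s", "e"): 100}

def path_delay(path, d):
    return sum(d[edge] for edge in path)

def representative_paths(graph, d0):
    """At the point d0, pick for each min (max) node its earliest (latest)
    predecessor; return, per node, the delay-edges of its representative path."""
    paths = {}
    for q, (kind, preds) in graph.items():
        if kind == "src":
            paths[q] = []
        elif kind == "delay":
            paths[q] = paths[preds[0]] + [(preds[0], q)]
        else:
            pick = min if kind == "min" else max
            paths[q] = paths[pick(preds, key=lambda p: path_delay(paths[p], d0))]
    return paths

def certify_box(graph, d0, lo, hi, j):
    """Sufficient interval check that every delta in [lo, hi] makes the same
    min/max choices as d0. Returns the guaranteed bound on t_j, else None."""
    paths = representative_paths(graph, d0)
    for q, (kind, preds) in graph.items():
        if kind not in ("min", "max"):
            continue
        for p in preds:
            if paths[p] == paths[q]:
                continue  # p is the predecessor chosen at d0
            if kind == "min" and path_delay(paths[q], hi) > path_delay(paths[p], lo):
                return None
            if kind == "max" and path_delay(paths[q], lo) < path_delay(paths[p], hi):
                return None
    return path_delay(paths[j], hi)
```

On this constructed data the original box is not certified, while raising the lower bound of the delay on (s, e) from 10 to 12 lets the other bounds be relaxed with t_j still guaranteed to be at most 12.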
We have already mentioned that the last step can be seen as an optimization problem of linear programming, and, as such, is polynomial in N. It is easy to see that the first two steps are also polynomial in N (actually, respectively quadratic and linear). It follows:

Let us now focus on a possible enhancement of the method. In order to have a domain $\Delta^*$ as large as possible, it is of great interest to be allowed to remove as many inequalities as possible from $I^*$, hence from $J^*$. Intuitively, in order to guarantee that the representative path $\pi^*_j$ is still critical, we need to check that the removal of an inequality of $I^*$ does not entail any new path to j of separation time greater than $\pi^*_j\delta^*$. Formally:

Note that checking the unsatisfiability of system (4) is exponential in the number N of events, due to the presence of min and max constraints in (2)-(3) (the general problem is indeed NP-complete; see, e.g., [4]). We therefore lose the polynomial-time complexity result of the basic method. Still, this enhancement turns out to be useful in practice.
Example 4.3
In order to decrease the lower bound of δ setup D , we have to remove the "restrictive" inequality, say J, of J * 0 : y
. This inequality originates itself from inequality, say I, of I * 0 : δ
}. It can be checked that such a system has no solution in δ. Hence J can be safely removed from J * 0 . After instantiation of x, y with l, u respectively, for components distinct from setup D and setup W , J * 0 − {J} then reduces to: [8] by addressing the direct problem, but it required the decomposition of the system into three smaller parts, and heavily relied on heuristics (via the repeated integration of the negation of "suspect" inequalities).
In case the space of solutions S of system (4) (see Prop. 4.2) is nonempty, one can still remove (the counterpart of) inequality I: this requires the integration of the negation of an inequality delimiting the convex hull of S (cf. Appendix 2).
Implementation. Rather than implementing the inverse method directly, we transformed the given timing constraint graph into a synchronized product of timed automata [1], then used the facilities of HYTECH [11]. Basically, each node of the timing constraint graph corresponds to a timed automaton and each edge to a synchronized transition. It is then easy to infer the order O induced by a particular point $d_0$, then to generate, via parametric reachability analysis, the associated set $I^*$ of δ-constraints. The test of unsatisfiability for removing inequalities is also done using HYTECH. Apart from the two examples given here, we tried other examples (SP2 from [8], buffer from [7]). They all took less than 5 minutes (on a 1 GHz PowerPC G4 with 512 MB of memory).
Final Remarks
The main advantage of the inverse method, compared with the direct method, is that the method gives an exact maximal separation time, which can be computed in polynomial time (at least without the enhancement of inequality removal). A drawback is that the range of some component delays may have to be tightened with respect to the original interval. On the other hand, many other intervals may be relaxed substantially. Results obtained with the inverse method thus give useful complementary information. The inverse method basically relies on the choice of the input point $d_0$ of the component delays. Intuitively, this point corresponds to a point of "good behavior", and the method infers a (rectangular) domain for points that behave similarly. Such a method is similar in spirit to a common engineering practice, where the parameters of the systems are tuned around a typical point of good behavior. Note also that the "critical path" (the representative path to the output event j) is often known in the area of digital circuits, when the system is designed in a top-down manner by assembling portions of circuit around this crucial path (see, e.g., [10]). Such a critical path induces a partial order on events that may be useful to infer the complete order O (instead of starting from $d_0$).
Finally, let us note that timing constraint graphs correspond to unconditional systems like "free-choice" Petri nets [3]. The inverse method can be extended to more general systems (timed Petri nets or timed automata) in a natural manner.

The delay-nodes representing the min/max nodes are given by:

The lower bounds of $\delta_{5,6}$ and $\delta_{9,15}$ are thus increased (from 6 to 10), as well as the lower bound of $\delta_{4,5}$ (from 3 to 5). This is a restriction of their original domain. The set $\{\delta_{4,5}, \delta_{5,6}, \delta_{9,15}\}$ is thus a set of "key-parameters" whose tightening allows extending the domain of all the other $\delta_{p,q}$'s (smaller lower bounds). Besides, we have:

This coincides with the upper bound value obtained in [7].
