Abstract. Parametric timing constraints are expressed naturally in timing diagram logics. Algorithmic verification of parametrically constrained timing properties is a difficult problem, known to be undecidable in most general cases. This paper establishes that a class of parametrically constrained timing properties can be verified algorithmically against finite-state systems; alternatively stated, containment by a regular language is shown decidable for a class of language properties (regular and non-regular) expressible in our timing diagram logic.
Introduction
Timing diagrams provide a linear-time temporal logic that is well suited to expressing timing constraints. When variables can appear in timing constraints, the resulting timing diagram logic can express context-free and context-sensitive language properties. Algorithmic verification of such non-regular properties against finite-state system specifications is generally known to be undecidable. Timing diagrams, however, can only express non-regular languages with particular structural characteristics. This raises the question of whether the class of timing diagram languages is amenable to algorithmic verification. This paper establishes that containment by a regular language is decidable for a class of timing diagram languages, implying that certain non-regular language properties expressible as timing diagrams can be algorithmically tested against finite-state systems.
Timing diagrams have been used formally in a variety of hardware reasoning tasks. Brzozowski, Gahlinger, and Mavaddat provided algorithms for testing consistency and satisfiability of timing specifications given as timing diagrams in the context of interfacing components [3]; similar efforts have been undertaken by Cerny and Khordoc [4]. Several researchers have proposed using algebras of timing diagrams annotated with various programming language constructs for the behavioral specification of designs [6, 9, 10]. Algorithmic verification has been applied to requirements expressed as timing diagrams by translating the diagrams into existing formalisms such as VHDL [11] and timed automata [2]. Although some of these efforts support quantitative timing constraints (those using numeric constants), none support parametric timing constraints (those allowing variables over numerals).
Alur, Henzinger, and Vardi have studied parametric timing constraints for real-time systems [1]. They defined a theory of parametric timed automata with multiple clocks for tracking parametric values and established that language emptiness is decidable when one clock is constrained by parameters, undecidable when three or more clocks are constrained by parameters, and an open problem when two clocks are so constrained. The timing diagrams considered in this work can correspond to problems that would require multiple parameterized clocks. We do not solve the general question of decidability of language emptiness for two-clock systems. Rather, this work shows that timing diagrams correspond to a class of parameterized timing problems potentially requiring multiple clocks for which containment by a regular language is decidable.
Timing Diagrams and Their Languages
This work uses a formal logic of timing diagrams (called TDL) developed as part of our study of diagrammatic representations as formal specification languages for design and verification [5]. Starting from fairly common timing diagram notations, we define timing diagram semantics relative to formal languages. TDL is expressively incomparable to existing temporal logics such as LTL. In particular, LTL cannot express parametric timing constraints, while TDL cannot express properties such as F p and G(p → q); reasons for this are given in Section 2.2.
Syntax
Waveforms depict transitions between low and high voltage levels; timing diagrams depict relations over the levels and transitions appearing within a set of waveforms. TDL supports two relations: synchronization and temporal ordering. Temporal ordering relationships may be constrained with discrete-time lower and upper bounds. We allow these bounds to contain variables that range over the natural numbers; these variables introduce parametric timing constraints, as shown in the following example. Formally, a timing diagram contains three components: (1) an ordered sequence P of time points, which are abstract moments of time at which events occur; (2) a function N from names to waveforms, defined as functions from P to voltage level designators of type H (for high level), L (for low level), F (for falling transition), and R (for rising transition); and (3) a ternary relation O over N × P × B capturing temporal ordering, synchronization and time bounds, where B consists of time bound expressions of the form [l, u], such that l is a non-∞ valid bound expression and u is any valid bound expression.
As an example, we construct the tuple ⟨P, N, O⟩ to capture the above timing diagram. P contains time points {p1, p2, p3, p4, p5, p6 … ((c, p5), (c, p6), [n, n + 5]), ((a, p5), (c, p5), [0, 0])}. Although we have provided only an example here, the process of representing a timing diagram in this tuple form can be formalized as a straightforward parsing procedure. In the remainder of the paper, the term "timing diagram" refers to the tuple form, rather than the original picture.
Semantics
Timing diagrams are modeled by (finite or infinite) words over an alphabet containing all possible assignments of boolean values to the names labeling waveforms. Intuitively, a word models a timing diagram when the transition patterns in the diagram reflect the changes in values assigned to names in the word. One difficulty in formalizing timing diagrams is that their intended meanings differ widely between contexts and among users. Rather than fix one interpretation, TDL has been parameterized to allow user customization of the semantics. These parameters are illustrated using the following timing diagram and word. The word is presented in tabular form: the rows are labeled with waveform names and the columns with the indices into the word. The three lines containing time points beneath the table indicate three separate assignments of indices to time points, as explained in the example below. We allow timing diagrams to specify assume-guarantee relationships between their events. One parameter indicates those time points that comprise the "assume" portion. For purposes of this example, take p1 as the only such time point. Semantically, we will begin to match the word against the timing diagram starting at the first index that matches the events in the assumed portion, in this case index 0. Next, we walk the word looking for the smallest indices that match any events that can immediately follow the falling transition on b, in this case the first synchronization line (p2).
A second parameter is motivated by the attempt to assign an index to the first synchronization line. The line itself requires that b be low when a rises; however, is b required to be low until a rises? The desirability of the "until" interpretation is heavily context-dependent. Therefore, the user may indicate segments of waveforms that should be matched exactly within words. Such segments are called fixed-level constraints and have the form (n, p, p′), where n is a waveform name and p and p′ are time points such that the waveform corresponding to n shows a single voltage level between p and p′. For this example, assume we have only one such constraint: (a, p2, p3). Then the first synchronization line is matched at index 2, while the rising transition on b is matched at index 3 and the second synchronization line at index 4: this assignment appears in the first line below the table. Note that despite the appearance that the rising transition on b must follow the one on c, the semantics does not enforce this since the relationship was not indicated explicitly using an arrow.
TDL requires timing diagrams to be matched repeatedly in a word. Two notions of repetition appear useful: one in which the next repetition starts after the previous one has been completed, and the other in which a new repetition starts in any index satisfying the "assume" portion of the diagram. We therefore define two semantic relationships: ⊨_Iter (for iterative) and ⊨_Inv (for invariant), respectively. Under the invariant semantics, the next match would begin at index 4, while under the iterative semantics, the next match would begin at index 5; these matches are shown in the next two lines beneath the table. Note that the match attempted from index 4 is not valid since the assigned indices violate the bounds on the arrow. This word would therefore model the diagram under the iterative semantics, but not under the invariant semantics.
TDL cannot express more general non-regular languages such as "the number of a's equals the number of b's". Relative to temporal logic, TDL cannot express the LTL formula F p because there is no way to stop the repeated searches at a particular point. TDL cannot express G(p → q) because it is not possible to make disjunctive statements within a TDL timing diagram. In separate work, we are investigating calculi over timing diagrams that would relax these restrictions [5].
Due to space constraints, only the invariant semantics is defined in the remainder of this section. The iterative semantics is defined formally in [5]. Tuples ⟨T, S, X⟩ capture a timing diagram, its set of assumed time points, and its fixed-level constraints; the term "timing diagram" is henceforth overloaded to also refer to one of these tuples.
Given a timing diagram, we can derive a partial order on its time points from the ordering of events within individual waveforms and the temporal ordering relationships. For a time point p, the enabling points of p are those time points p′ such that p′ precedes p in this partial order. If the order is total, the timing diagram is called temporally unambiguous.
An index assignment is a partial function I from time points to natural numbers indexing a word; if I is not total, the time points on which it is defined must form a prefix of the partial order on time points. Defn. 1 details the conditions an index assignment must meet in order to satisfy the requirements of a prefix of time points. Intuitively, the assigned indices must satisfy the events occurring at each time point while respecting the fixed-level constraints and time bounds on all events defined within those time points. For index i into a word W, W_i(n) denotes the value of W on the signal named n at index i.
Definition 1 Let D = ⟨⟨P, N, O⟩, S, X⟩ be a timing diagram. Let U be a prefix of the partial order of P and let I be an index assignment for U over a word W. I satisfies the constraints of U relative to D iff
1. For each time point p ∈ U, I(p) satisfies p; i.e., for every waveform name n in N, W_{I(p)}(n) = 0 (resp. 1) and W_{I(p)+1}(n) = 1 (resp. 0) if n has a rising (resp. falling) transition at p, and W_{I(p)}(n) = 0 (resp. 1) if n has a low (resp. high) level at p and there is a synchronization line through n at p.
… for each index i such that I(p) < i < I(p′), W_i(n) = 0 (resp. 1) if n has a low (resp. high) level between p and p′.
It follows from part 2 of this definition that variables in timing constraints are treated as existentially quantified within a single index assignment. However, the instantiations of variables need not be consistent across the many index assignments produced while repeatedly matching the diagram against the word.
Starting from a given index, there are potentially many index assignments satisfying Defn. 1. The semantic definitions must rely on a particular such index assignment. We have chosen to use the one that assigns to each time point the smallest index that satisfies it while respecting the partial order among the time points; this index assignment will be called minimal.
Definition 2 Let D = ⟨⟨P, N, O⟩, S, X⟩ be a timing diagram, W be a word, i be an index into W, and U be a prefix of the partial order on P. Index assignment I is minimal for D, W, i, and U iff I satisfies the constraints of U relative to D and, for each time point p ∈ U, I(p) ≥ i and I(p) is the smallest index of W that satisfies p and is larger than all indices assigned to the enabling points of p.
The semantics places one other restriction on index assignments in addition to minimality: they must be defined on as large a prefix of the time point partial order as possible. An index assignment is called fully minimal if it is minimal and cannot be extended to a minimal index assignment for the same timing diagram, word, and starting index, but with a larger prefix of time points. Fully minimal index assignments are unique for temporally unambiguous timing diagrams.
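The semantics of this section, as an added Python example that is not part of the paper: fully minimal index assignments (Defns 1 and 2) for a temporally unambiguous diagram given as the tuple ⟨⟨P, N, O⟩, S, X⟩, checked under both the invariant and the iterative repetition. The diagram, the words and the encoding (a word as one bit string per waveform name, a (0, 0) arrow between two names at one point as a synchronization line, bounds of the shape var + c, S as the single first time point) are assumptions of the example; searching each variable over 0..word length is a complete search for that bound shape because every index difference is below the word length.

```python
# Added example, not from the paper: a reference matcher for the Section 2.2 semantics of a
# temporally unambiguous diagram <<P, N, O>, S, X>.  P lists the time points in total order;
# N: name -> {point: 'H'|'L'|'R'|'F'}; O: arrows ((n, p), (n2, p2), (lo, hi)), a (0, 0) arrow
# between two names at one point being a synchronization line; X: fixed-level constraints
# (n, p, p2).  Assumed: a word maps each name to its bit string, S is the first point of P,
# and a bound is a natural, INF or ('var', c) with c >= 0 meaning var + c.
from itertools import product

INF = None
length = lambda W: len(min(W.values(), key=len))   # number of indices in a word

def satisfies_point(W, i, N, p, sync):
    """Defn 1 part 1: i shows p's transitions and the level of each name under a sync line at p."""
    for n, wave in N.items():
        ev = wave[p]
        if ev in 'RF' and W[n][i:i + 2] != ('01' if ev == 'R' else '10'):
            return False                       # the slice is short at the word's end, so it fails
        if ev in 'HL' and n in sync and W[n][i] != ('1' if ev == 'H' else '0'):
            return False
    return True

def bounds_hold(O, I, horizon):
    """Defn 1 part 2: bounds of arrows with both ends assigned; variables are existential here."""
    arrows = [(s[1], d[1], b) for s, d, b in O if s[1] in I and d[1] in I]
    names = sorted({e[0] for _, _, b in arrows for e in b if isinstance(e, tuple)})
    val = lambda e, env: float('inf') if e is INF else e if isinstance(e, int) else env[e[0]] + e[1]
    return any(all(val(lo, env) <= I[d] - I[s] <= val(hi, env) for s, d, (lo, hi) in arrows)
               for env in (dict(zip(names, v)) for v in product(range(horizon + 1), repeat=len(names))))

def fully_minimal(D, W, start):
    """Defn 2, extended as far as possible; points missing from the result are undefined."""
    (P, N, O), _, X = D
    I, prev = {}, start - 1
    for p in P:
        sync = {n for s, d, b in O if b == (0, 0) and s[1] == d[1] == p for n in (s[0], d[0])}
        fixed = [(n, q, '1' if N[n][q] in 'RH' else '0') for n, q, q2 in X if q2 == p and q in I]
        for i in range(prev + 1, length(W)):   # smallest index above the predecessor's
            if not all(W[n][j] == lvl for n, q, lvl in fixed for j in range(I[q] + 1, i)):
                return I                       # a fixed level broke before p was found: p undefined
            if satisfies_point(W, i, N, p, sync):
                break
        else:
            return I                           # ran off the end of the word: p undefined
        I[p] = prev = i
        if not bounds_hold(O, I, length(W)):
            return {q: I[q] for q in I if q != p}   # the minimal candidate violates an arrow bound
    return I

def models_invariant(D, W):  # |=Inv: no start defines S without defining all of P (else M_FAIL accepts)
    (P, _, _), S, _ = D
    return not any(all(p in I for p in S) and len(I) < len(P)
                   for I in (fully_minimal(D, W, i) for i in range(length(W))))

def models_iterative(D, W):  # |=Iter: each test starts right after the previous complete match
    (P, _, _), S, _ = D
    i = 0
    while i < length(W):
        I = fully_minimal(D, W, i)
        if not all(p in I for p in S):
            return True                        # the assumed point never occurs again
        if len(I) < len(P):
            return False
        i = max(I.values()) + 1
    return True

# Constructed diagram: a pulse on a of width in [1, n] while b is low, then b rises >= n later.
N = {'a': {'p1': 'R', 'p2': 'F', 'p3': 'L'}, 'b': {'p1': 'L', 'p2': 'L', 'p3': 'R'}}
O = [(('a', 'p1'), ('b', 'p1'), (0, 0)),            # sync line: b is low as a rises
     (('a', 'p1'), ('a', 'p2'), (1, ('n', 0))),     # pulse width in [1, n]
     (('a', 'p2'), ('b', 'p3'), (('n', 0), INF)),   # b rises at least n after a falls
     (('a', 'p3'), ('b', 'p3'), (0, 0))]            # sync line: a is low as b rises
D = ((['p1', 'p2', 'p3'], N, O), ['p1'], [('a', 'p1', 'p2'), ('a', 'p2', 'p3')])
W_OK = {'a': '0110000', 'b': '0000001'}        # constructed: width 2, gap 3, models both semantics
W_BAD = {'a': '01100', 'b': '00001'}           # constructed: width 2, gap 1, fails both
W_OVERLAP = {'a': '0100110', 'b': '0000111'}   # constructed: a rises where b rises, |=Iter only
```

The shared variable n makes the property "gap at least as long as the pulse", which is not regular, and W_OVERLAP reproduces the paper's observation that a word can model a diagram iteratively but not invariantly.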
Decidability
This section establishes that containment of a regular language in a temporally unambiguous timing diagram language is decidable; we refer to the general problem of containment by a regular language as the regular containment problem. Formally, a timing diagram language is any language that can model a timing diagram under either the iterative or the invariant semantics. The proof for the invariant semantics is discussed in detail; the proof for the iterative semantics is outlined. Our decision procedures are based on a correspondence between temporally unambiguous timing diagram languages and the languages accepted by deterministic, two-way, 1-counter machines (1-2DCM). Given a temporally unambiguous timing diagram, our algorithm creates one 1-2DCM if the diagram is interpreted invariantly, and two such machines if the diagram is interpreted iteratively. Then, given a finite automaton, we determine whether the language of the automaton models the timing diagram by computing relations on the states of the automaton using the counter machine(s). The algorithms discussed here operate on finite-state automata accepting by final state. With a slight modification, they can be tailored to operate on Büchi automata; the Büchi construction is not presented here for lack of space.
A 1-2DCM has a finite-state control, a two-way, read-only head over a finite, bounded-length input tape, and one counter which can store any natural number. Transitions are based on the current state, the letter being read, and whether the counter contains zero; the transition indicates a next state, which direction, if any, to move the input head, and whether to increment, decrement, or hold the value of the counter. The following formal definition is adapted from [7].
Definition 4
1. A two-way 1-counter machine M is a tuple ⟨K, …, q0, F⟩ where K, …, q0, and F are the states, inputs, left and right endmarkers, initial state, and accepting states, respectively. The transition function is a mapping from K × (the inputs together with the two endmarkers) × {0, 1} into K × {−1, 0, 1} × {−1, 0, 1}.
2. A configuration of M on an input x is given by a tuple (q, x, i, c) denoting the fact that M is in state q with the input head reading the i-th symbol of x, and value c is in the counter.
This result indicates that we can use 1-2DCM in decision procedures if we can bound the number of counter reversals made while processing any input. Such machines are called reversal bounded.
Given a timing diagram ⟨T, S, X⟩, we construct a 1-2DCM called M_FAIL that accepts exactly those words for which the fully minimal index assignment starting from the first position of the word is defined for all the time points in S, but undefined for some time point in T. Intuitively, the machine walks the word from the starting index, looking for indices to assign to time points; the transitions used to search for each time point's index also check for violations of the fixed-level constraints. If an index satisfying the time point is found, the machine tests any time bounds on temporal ordering arrows whose target is at the recently matched time point. Constraints are tested one at a time by repeatedly sweeping over the input word. M_FAIL moves into an accepting state as soon as a violation of either the fixed-level constraints or the time-bound requirements is found. If indices corresponding to all of the time points are located, M_FAIL moves into a looping state from which nothing is accepted.
By construction, M_FAIL rejects certain words that do not model ⟨T, S, X⟩. In particular, this applies to words for which the fully minimal index assignment from position 0 is defined for all time points in T, but the fully minimal index assignment from some later starting position is undefined for some time point in T. The restriction of M_FAIL to accepting only words failing on the index assignment from the first position is important for the decidability of the problem.
Based on the syntax of T, we can bound the number of counter reversals required for a 1-2DCM to test the time bound constraints of T over an arbitrary word; this follows from results in [5]. Therefore, we can bound the number of counter reversals required in a test of some fixed number of index assignment searches over a given timing diagram. As there is no fixed upper bound for the number of searches required in testing an entire word, our algorithm must perform searches only in finite increments. The restriction to single searches is sufficient for either semantics, since it follows from the definitions that any word failing to model a timing diagram has a suffix accepted by M_FAIL. The decision procedure for the invariant semantics is fairly simple: the language generated by DFA A is contained in the language of timing diagram ⟨T, S, X⟩ iff no reachable state of A can generate a word accepted by M_FAIL. Formally, let A = ⟨Q, …, q0, Q_F⟩ be a DFA that accepts by final state. Notation A|(q,q′) denotes A modified to have q as the only start state and q′ as the only final state, where q and q′ are both in Q. We define a set Avoid containing exactly those states of A from which a word in M_FAIL is accepted as follows:
1. … Hence there does not exist a state of A reachable from q0 from which a word can be generated such that the fully minimal index assignment for S is defined for all time points in S, but for which the fully minimal index assignment for all time points in T is undefined for some time point. By construction, any states in Avoid cannot be reachable from q0, so Theorem 2 holds.
2. Assume L(A) ⊈ L(D)_Inv. From Defn. 3, there must exist some index i into W from which the fully minimal index assignment for S is defined for all time points in S, but undefined for some time point in T. By construction, the suffix of W starting at index i is accepted by M_FAIL. Let q_i be the state A was in when it processed index i; q_i must be in Avoid by construction.
The existence of W proves that q_i is reachable from q0, so containment is correctly determined to fail. □
Theorem 2 suggests a decision procedure. Both M_FAIL and the set Avoid are constructible. Any DFA can be converted into a 1-2DCM by augmenting the transitions of the DFA with a counter whose value is never changed. The intersection of two reversal-bounded 1-2DCMs is effectively constructible and is also a reversal-bounded 1-2DCM by Theorem 1. The emptiness test on the intersection machine is decidable by Theorem 1.
We outline the decision procedure for the iterative semantics via an example. The set Avoid is also used in deciding containment under the iterative semantics. However, the procedure for the iterative semantics is harder because the existence of a reachable state of A from which a word in M_FAIL is generated is not sufficient. The iterative semantics only starts a test in an index if the previous test ended in the preceding index. The decision procedure therefore needs a way to track which states in Avoid can serve as starting states for tests under the iterative semantics. We accomplish this by constructing a second 1-2DCM called M_EXACT which accepts those words meeting two conditions: (1) the fully minimal index assignment constructed from the first position in the word is either undefined for some time point in S or it is defined for all time points in T; (2) the last index of the word is the index in which the subsequent index assignment search must start. The justification for the first position search is the same as it was for M_FAIL. The restriction on the final index of the word is necessary so that we can compose words accepted by M_EXACT into longer words iteratively modeled by the timing diagram.
Given a DFA A that accepts by final state, we use M_EXACT to compute a binary relation TD-Reach on the states of A such that (q, q′) ∈ TD-Reach iff A|(q,q′) accepts some word in M_EXACT. Formally,
Intuitively, once TD-Reach and Avoid are computed, we decide containment under the iterative semantics by checking whether there exists a state q of A such that q is in Avoid and (q0, q) is in the transitive closure of TD-Reach. The language of A models ⟨T, S, X⟩ iteratively iff no such state exists. As examples, consider the following two finite automata A1 (left) and A2 (right) and timing diagram T with the time point of the rising transition on a in S and nothing in X. Let D = ⟨T, S, X⟩. The language of D is ((⟨0, 1⟩ + ⟨1, 0⟩ + ⟨1, 1⟩) ⟨0, 0⟩ + ⟨1, 0⟩ ⟨1, 0⟩ (⟨0, 1⟩ + ⟨1, 1⟩)), where each pair ⟨x, y⟩ denotes that a = x and b = y. Furthermore, note that
L(A1) = (⟨0, 0⟩ ⟨1, 0⟩ ⟨1, 0⟩ ⟨0, 1⟩)
L(A2) = (⟨0, 0⟩ ⟨1, 0⟩ ⟨1, 0⟩ ⟨0, 1⟩)
The language of A1 is contained in the language of D. By definition, Avoid = {2, 3, 4} and TD-Reach
Future Work
Although we have proven that the regular containment problem is decidable for temporally unambiguous timing diagram languages, we do not yet have an efficient decision procedure. Testing containment of a regular language in a 1-2DCM language lies in PSPACE. Our decidability proof relied on quadratically many such tests with respect to the number of states in the automaton for the regular language. Methods for reducing the number of containment tests required remain an important problem for future work, as does the empirical analysis of the overall procedure. In addition, our current restriction to temporally unambiguous timing diagrams can likely be removed by altering the construction algorithms for M_FAIL and M_EXACT.
We are also interested in the general problem of language containment for timing diagram languages. Although the results presented here could be used to test containment of a regular-language timing diagram in an arbitrary timing diagram, they do not decide the general problem since arbitrary 1-2DCM have an unbounded number of states. It is possible to build a 1-2DCM that accepts the entire language, rather than just a single pass, of any timing diagram. Intuitively, the machine is a modification of M_EXACT that begins a subsequent check in the appropriate index into the word after the previous check has been completed and allows the previous pass check to walk off the end of a word. Unfortunately, this machine is not guaranteed to have bounded counter reversals. Results governing the undecidability of language containment for 1-2DCM with unbounded reversals are also inapplicable because there exist 1-counter non-reversal-bounded languages that cannot be captured in any timing diagram. Consider the "timing diagram" which is not well-formed in our syntax due to the disjunction in the time-bound expression. Although no well-formed timing diagram has exactly the same language as this one, a 1-2DCM could be constructed to accept the language of this diagram using techniques similar to those used in constructing M_FAIL and M_EXACT. Therefore, the undecidability of language containment for 1-counter non-reversal-bounded languages does not prove the undecidability of containment for timing diagram languages. We are investigating this general problem as well as possible syntactic characterizations of general timing diagram language containment.
Conclusions
This paper has established that the regular containment problem is decidable for any temporally unambiguous timing diagram language, regardless of where it falls in the Chomsky hierarchy. This result holds for both finite regular languages and infinite regular languages accepted by Büchi automata. We see two main implications of this result. First, there is the practical implication that certain non-regular language properties are amenable to algorithmic verification against finite-state systems; an implementation of these ideas would extend the scope of algorithmic verification, as existing logics such as LTL express only regular language properties.
The second implication is more foundational in nature. The formal methods community has largely treated diagrams as interface tools. Diagrammatic representations certainly have advantages in this regard, as evidenced by their popularity. Unfortunately, the interface approach to diagrams has led us to focus more on how diagrams can be used to represent existing sentential logics, rather than on the computational models suggested by the diagrams in their own right. This work establishes that the structure naturally imposed by diagrammatic representations also offers advantages on a theoretical level, thus making diagrammatic representations worthy of investigation outside of the realm of interface design.
