In this paper we describe the KRONOS system, a tool for verifying real-time properties based on the model of timed automata. As an example, we show how KRONOS is applied to the verification of a MOS circuit under various delay assumptions.
Introduction
The use of finite-state automata as models of synchronous circuits is as old as computer science. Recently, verification methods for finite-state systems have spread from academia to industry with the progress in efficient techniques for symbolic model-checking [10], [3]. Timed automata, that is, automata augmented with fictitious clocks that can measure the time between various events, were introduced by Dill and Alur [7], [2] as models for real-time systems and asynchronous circuits. At this real-time level of modeling, systems are no longer viewed as generators of sequences over an abstract time domain, but rather as generators of signals over the real time domain. This allows us to speak quantitatively about the implementation (the time it takes for an instruction to be performed or for a gate to switch), the environment (the minimal time between two requests) and the requirements (the response time of the system).
The KRONOS system [4], [5], developed at VERIMAG during the last five years, represents the state of the art in verification tools for real-time systems. It has been applied in the past to the verification of a variety of time-dependent protocols.
In this paper we illustrate the application of KRONOS in another domain, namely timing analysis of hardware circuits. The theoretical basis of the translation of Boolean asynchronous circuits with delay uncertainties into timed automata has been presented in [11]. Here we apply this methodology to the verification of a MOS circuit, a problem posed to us by members of the IBM Haifa research group. The paper is organized as follows. In section 2 we give a short introduction to timed automata and real-time logics, which constitute the theoretical infrastructure for KRONOS. In section 3 we describe the KRONOS system and in section 4 we demonstrate how MOS circuits are modeled as timed automata and verified using KRONOS.
Theoretical Background

Timed Automata
A timed automaton A is a tuple ( S , X , L , f , T , p 
Symbolic Verification
KRONOS implements a symbolic verification method based on predicate transformers for computing the set of predecessors (backward analysis) and successors (forward analysis) of sets of states symbolically represented as disjunctions of convex polyhedra. A more detailed description of the symbolic verification method can be found in [9] .
Backward analysis. Given a set of states $Q \subseteq \mathcal{Q}$ and an edge $e \in E$, the predecessors of $Q$ by $e$ are those states that can reach a state in $Q$ by letting time elapse for some amount and then moving through $e$. We define:

The set of all predecessors of $Q$ is $pred(Q) = \bigcup_{e \in E} pred_e(Q)$.
Forward analysis. Given a set of states $Q \subseteq \mathcal{Q}$ and an edge $e \in E$, the successors of $Q$ by $e$ are those states that can be reached from a state in $Q$ by a time transition followed by a discrete transition through $e$. We define:

The set of all successors of $Q$ is $post(Q) = \bigcup_{e \in E} post_e(Q)$.
The logic TCTL
TCTL [1, 9] is an extension of the temporal logic CTL [8] that allows reasoning about the quantitative real time elapsed between events along the runs of a timed automaton. The formulas of TCTL are defined by the following grammar:
where $p \in P$ is a basic predicate and $I$ is an interval.

To check $q_{init} \models \exists\Diamond Q$ by backward analysis, start with $Q_0 = Q$ and for $i \ge 0$ compute $Q_{i+1} = Q_i \cup pred(Q_i)$. If $q_{init} \in Q_i$ for some $i$, the answer is "YES", otherwise the answer is "NO". This procedure always terminates. A similar algorithm is used to verify $q_{init} \models \exists\Diamond_I Q$.
To check that the system always remains in a set of states $Q$ we verify the formula $q_{init} \models \forall\Box Q$, or equivalently $\neg(q_{init} \models \exists\Diamond \neg Q)$, that is, there is no run starting at $q_{init}$ that reaches a state outside $Q$. On this formula the forward-computation algorithm works as follows: start with $Q_0 = \{q_{init}\}$, and for $i \ge 0$ compute $Q_{i+1} = Q_i \cup post(Q_i)$. If $Q_i \cap \neg Q \neq \emptyset$ for some $i$, the answer is "NO", otherwise the answer is "YES". Notice that during the computation we can keep track of the transitions taken, so that when the answer is "NO" we can exhibit a counter-example, that is, a sequence of transitions that leads from $q_{init}$ to a state in $\neg Q$.
The Tool KRONOS
KRONOS [4, 5] is a tool developed with the aim of assisting the user in validating complex real-time systems. The tool checks whether a real-time system modeled by a timed automaton $A$ satisfies a timing property specified by a TCTL formula $\varphi$. Figure 1 illustrates the structure of the tool.
A system is usually described as a set of timed automata that run in parallel and synchronise via the names labeling the edges. The parallel composition of timed automata is defined in [5]. KRONOS takes as input a set of timed automata, each one describing a single component, and computes their product, which is itself a timed automaton. The latter, as well as the TCTL formula to be checked, are fed into the model-checker, which answers "YES" whenever the formula is verified; otherwise it answers "NO" and exhibits a counter-example. The syntax of the input (automata, formulae) and output (counter-example) files is demonstrated via examples in the appendices.
KRONOS has been used to verify a variety of protocols whose correctness strongly depends on timing parameters. 
Circuit Timing Analysis
In this section we show how MOS circuits are modeled by timed automata and how they are verified using KRONOS. This is intended neither as a complete nor as an accurate introduction to VLSI, but rather as an illustration of the modeling principles.
A MOS transistor (figure 2) is modeled by an automaton with the states Off, Rising and On; as long as its gate input $G = 0$ it stays Off. Otherwise, when $G = 1$ it goes to On (emitting the signal $T\uparrow$) and stays there until the next $G\downarrow$ event.

Remark: We can employ other transistor models as well. For example, if a non-zero delay is associated with the falling of the transistor, we would need a 4-state automaton with the additional state Falling. We can also model uncertainties in delays. The formal translation of general Boolean asynchronous circuits into timed automata is described in [11].
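As an added example (not KRONOS source, and not code from the authors), the forward analysis of section 2 ($Q_0 = \{q_{init}\}$, $Q_{i+1} = Q_i \cup post(Q_i)$, then the $\forall\Box$ test against a set of bad states) run on a hand-built product of one transistor of the kind just described and its gate input. Zones are stored as difference-bound matrices rather than as KRONOS' polyhedra; the location names, the clocks $x$ (input) and $y$ (transistor), the rise delay $[2,4]$, the input window $[0,6]$ and the fall time $10$ are all assumptions made for this example.

```python
"""Forward reachability over zones (added example; not KRONOS source).
Reimplements the paper's forward analysis Q0 = {q_init}, Q_{i+1} = Q_i u post(Q_i)
with zones kept as difference-bound matrices (DBMs); the automaton, its clocks,
locations and delays are assumptions made for this example."""
from collections import deque
# A bound is (value, strict): D[i][j] == (c, s) means x_i - x_j < c if s else <= c.
INF, ZERO = (float("inf"), True), (0, False)
def add(a, b):   # sum of bounds: strict if either side is strict
    return (a[0] + b[0], a[1] or b[1])
def lt(a, b):    # a is strictly tighter than b; (2, <) is tighter than (2, <=)
    return a[0] < b[0] or (a[0] == b[0] and a[1] and not b[1])
def bmin(a, b):
    return a if lt(a, b) else b

class Zone:
    """Clock 0 is the constant reference clock, so D[i][0] is an upper bound on x_i."""
    def __init__(self, n, D):
        self.n, self.D = n, D
    @staticmethod
    def origin(n):   # every clock equal to zero
        return Zone(n, [[ZERO] * (n + 1) for _ in range(n + 1)])
    def copy(self):
        return Zone(self.n, [row[:] for row in self.D])
    def canonical(self):   # Floyd-Warshall: tighten every bound via every other clock
        m = self.n + 1
        for k in range(m):
            for i in range(m):
                for j in range(m):
                    self.D[i][j] = bmin(self.D[i][j], add(self.D[i][k], self.D[k][j]))
        return self
    def empty(self):   # a negative cycle shows up on the diagonal after canonical()
        return any(lt(self.D[i][i], ZERO) for i in range(self.n + 1))
    def up(self):   # time elapse: drop every upper bound x_i <= c
        for i in range(1, self.n + 1):
            self.D[i][0] = INF
        return self
    def constrain(self, i, j, bound):   # intersect with x_i - x_j (<|<=) bound
        self.D[i][j] = bmin(self.D[i][j], bound)
        return self.canonical()
    def reset(self, i):   # x_i := 0 on a canonical DBM
        for j in range(self.n + 1):
            if j != i:
                self.D[i][j], self.D[j][i] = self.D[0][j], self.D[j][0]
        return self
    def includes(self, other):   # other is a subset of self (both canonical)
        return all(not lt(self.D[i][j], other.D[i][j])
                   for i in range(self.n + 1) for j in range(self.n + 1))

# Assumed clocks: 1 = x (input clock), 2 = y (transistor clock). A constraint
# (i, j, b) reads x_i - x_j (<|<=) b, so (0, Y, (-2, False)) is y >= 2.
X, Y = 1, 2
INVARIANT = {"G1_Rising": [(Y, 0, (4, False))],    # y <= 4: the rise completes within 4
             "G1_On":     [(X, 0, (10, False))]}   # x <= 10: the input falls at x == 10
EDGES = [  # (source, guard, clocks reset, target)
    ("G0_Off",    [(X, 0, (6, False))],                      [X, Y], "G1_Rising"),  # input rises, x in [0,6]
    ("G1_Rising", [(0, Y, (-2, False)), (Y, 0, (4, False))], [],     "G1_On"),      # rise delay in [2,4]
    ("G1_On",     [(0, X, (-10, False))],                    [X],    "G0_Off"),     # input falls at x == 10
]

def post(zone, edge):
    """post_e: let time elapse in the source (inside its invariant), then take e."""
    src, guard, resets, dst = edge
    z = zone.copy().up()
    for i, j, b in INVARIANT.get(src, []) + guard:
        z.constrain(i, j, b)
    if z.empty():
        return None
    for c in resets:
        z.reset(c)
    for i, j, b in INVARIANT.get(dst, []):
        z.constrain(i, j, b)
    return None if z.canonical().empty() else z

def reachable(init_loc, n_clocks):
    """Worklist form of Q_{i+1} = Q_i u post(Q_i); returns the entry zones per location."""
    seen = {init_loc: [Zone.origin(n_clocks)]}
    work = deque([(init_loc, seen[init_loc][0])])
    while work:
        loc, z = work.popleft()
        for e in (e for e in EDGES if e[0] == loc):
            z2 = post(z, e)
            if z2 is None or any(old.includes(z2) for old in seen.get(e[3], [])):
                continue   # nothing new: this branch has reached its fixpoint
            seen.setdefault(e[3], []).append(z2)
            work.append((e[3], z2))
    return seen
def check_never(reach, loc, bad):
    """q_init |= AG not(loc and bad): None if it holds, else a zone of reachable
    states of loc that satisfy bad (the generalized counter-example)."""
    for z in reach.get(loc, []):
        w = z.copy().up()
        for i, j, b in INVARIANT.get(loc, []) + bad:
            w.constrain(i, j, b)
        if not w.empty():
            return w
    return None

if __name__ == "__main__":   # prints the DBM of the witness zone x = y in [2,3)
    print(check_never(reachable("G0_Off", 2), "G1_On", [(X, 0, (3, True))]).D)
```

Running it shows that location G1_On is only ever entered with $x \ge 2$ (so the property "On implies $x \ge 2$" holds and check_never returns None), but not with $x \ge 3$: check_never returns the zone $x = y \in [2,3)$, the same kind of generalized counter-example that KRONOS prints in appendix 2. Invariants are intersected after every time elapse, so the upper bound of a delay interval is enforced by the location rather than left to the guard, which is what keeps the Rising state from waiting forever.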
The circuit we consider appears in figure 3. It consists of 8 transistors and 4 input wires $P$, $A$, $B$ and $C$, which behave as follows: Note that we allow non-determinism in the behavior of the inputs. For example, when $C_A$ is in the interval $[0, 6]$, $A$ can either stay at $A_0$ or move to $A_1$ and generate an $A\uparrow$ transition. An example of the KRONOS source files for the input $A$ and its transistor T2 appears in appendix 1.
As a first step we compose the automata of $P$, $A$, $B$ and $C$ with T1, T2, T3 and T4. This gives us an automaton with 193 states, 529 transitions and 8 clocks. We then define a formula $X$ as

and apply a special utility that adds the event labels $X\uparrow$ and $X\downarrow$ to all the transitions of the product that change the value of $X$. Then we compose the automaton with the remaining transistors T5, T6, T7 and T8, and obtain the whole circuit as a timed automaton with 769 states, 2683 transitions and 12 clocks.
The property that we want to verify is the absence of short-circuits, namely current flowing from VDD to GND, for all the possible executions starting at the initial state. A conducting path from VDD to GND requires T1, T2 and one of T3, T4 to be On simultaneously, or T5, T6 and one of T7, T8. This is expressed in the formula

$q_{init} \models \forall\Box\,\big(\neg(T1 \wedge T2 \wedge (T3 \vee T4)) \wedge \neg(T5 \wedge T6 \wedge (T8 \vee T7))\big)$

where $Ti$ abbreviates the predicate that transistor $Ti$ is On (written $Ti\_1$ in the KRONOS source of appendix 1).
We call KRONOS to evaluate this formula against the system and the result is false. In this case we obtain an evaluation file containing a generalized counter-example (appendix 2), which indicates classes of timed event sequences that invalidate the formula. From this output one can extract a concrete counter-example and deduce which change of parameters will guarantee the satisfaction of the formula. For example, in this case a bad sequence of events is:
If, on the other hand, we change the system such that $P$ must wait more than 21 time units before falling, we can make sure that $A\downarrow$ and $T2\downarrow$ occur before $T1\uparrow$ and, indeed, when we verify this property with the modified system we get a positive answer from KRONOS. The verification CPU time (on a Sun SparcStation 20 with 64MB of memory) was 5 seconds when the property was false and 27 seconds when it was true.

Appendix 1

This is a fragment of the KRONOS source for the input A and its transistor T2 (see section 4):

    true => A_DOWN; reset{}; goto 0
    ... some states and transitions deleted ...

This is the source code for the property we wish to verify:

    init impl ab ((not (T1_1 and T2_1 and (T3_1 or T4_1))) and (not (T5_1 and T6_1 and (T8_1 or T7_1))))
Appendix 2
This is the beginning and the end of the counter-example information provided by KRONOS when the verification of a property fails. It is a sequence of generalized states and transitions. A generalized state consists of a location and a set of constraints on the system clocks, including an additional variable $T$ representing the global time. A generalized transition is an event that can take place when certain conditions on the clocks are satisfied. From these constraints one can deduce a family of system runs (one of which is described in the body of the paper) which invalidate the property.
