Formal Verification of Safety Properties in Timed Circuits Marco A. Peña (Univ. Politècnica de Catalunya) Jordi Cortadella (Univ. Politècnica de Catalunya) Alex Kondratyev (Theseus Logic Inc.) Enric Pastor (Univ. Politècnica de Catalunya)

y- a+b+ x+y+ c+ c- a- b- x- x+y- y+x- a b x y c Are there any hazards or glitches?

Outline Preliminaries Transitions systems and timing constraints From absolute to relative timing State space refinement by timing constraints Verification algorithm Results and conclusions

Gate Delay Model d  [3,5] d  [2,4] X Y Z X Y Z

A circuit is a concurrent system Gates  Processes Delays  Computation times Signal transitions  Events

Previous work Time separation of events –McMillan & Dill (1992): min/max constraints in acyclic graphs –Hulgaard & Burns (1994): max constraints for cyclic graphs with choice Zone automata –Dill (1989): Clock zones represented as conjunctions of timing constraints (difference-bound matrices) –Rockiki, Myers, Belluomini (1994, 1998): Partial orders to reduce the number of geometric regions (ATACS) –Maler (1995): Timed polyhedra (Open KRONOS) Incremental refinement –Alur et al. (1995): timing constraints added as needed (COSPAN, timed automata). –Balarin & Sangiovanni-Vincentelli (1995): trace-based refinement –Negulescu (1997): process spaces (FIREMAPS)

Time separation of events –McMillan & Dill (1992): min/max constraints in acyclic graphs Incremental refinement Our approach for absolute timing analysis by acyclic graphs with relative timing

Applicable to timed transition systems, with any type of causality relations Verification of temporal safety properties BDD-based symbolic representation (large untimed state spaces can be handled) Backannotation: sufficient (relative) timing constraints for correctness are reported Our approach: features

Transition systems and timing constraints

x a a a b b b c c c c c g g g g b b d d y Transition System States Transitions Events g

x a a a b b b c c c c c g g g g b b d d y Firing Region (a) g

x a a a b b b c c c c c g g g g b b d d y Firing Region (b) g

x a a a b b b c c c c c g g g g b b d d y g Concurrency a || b

x a a a b b b c c c c c g g g g b b d d y AND causality g a b c d FR (d)

x a a a b b b c c c c c g g g g b b d d y OR causality g a b c FR (c)

Property g must fire before d after having fired x x a a a b b b c c c c c g g g g b b d d y g

x a a b b b c c c c c g g d y Timed Transition System (Manna, Pnueli) Transition System Min/Max Delays  (a)  [1,2]  (b)  [1,2]  (c)  [2.5,3]  (g)  [0.5,0.5]  d,x,y 

From absolute to relative timing

{x} {a,b} {b,c,g} {c,g} {d,g} {g} Ø x a b c d g x a a a b b b c c c c c g g g g b b d d y g

An event e can only become enabled at the time another event e’ fires (e’ triggers e) {e’,...} {e,...} e’ {x} {a,b} {b,c,g} {c,g} {d,g} {g} Ø x a b c d g

a a x x g b b c c d d g Timing-consistent trace Time assignment to event firings such that...  min (g)  t 6 - t 2   max (g) t1t1 t2t2 t3t3 t4t4 t5t5 t6t6 {x} {a,b} {b,c,g} {c,g} {d,g} {g} Ø x a b c d g

Event structure from a trace x a b c d g a a x x g b b c c d d g {x} {a,b} {b,c,g} {c,g} {d,g} {g} Ø x a b c d g

{x} {a,b} {b,c,g} {c,g} {d,g} {g} Ø x a b c d g x a b c d g

x a b c d g {x} {a,b} {b,c,g} {c,g} {d,g} {g} Ø x a b c d g

x a b c d g {x} {a,b} {b,c,g} {c,g} {d,g} {g} Ø x a b c d g

x a b c d g {x} {a,b} {b,c,g} {c,g} {d,g} {g} Ø x a b c d g

x a b c d g {x} {a,b} {b,c,g} {c,g} {d,g} {g} Ø x a b c d g

x a b c d g {x} {a,b} {b,c,g} {c,g} {d,g} {g} Ø x a b c d g

x a b c d g {x} {a,b} {b,c,g} {c,g} {d,g} {g} Ø x a b c d g Trace and event structure are enabling compatible

{x} {a,b} {b,c,g} {c,g} {d,g} {g} Ø x a b c d g x a b c d g {x} {a,b} {a} {c,g} {d,g} {g} Ø x b a c d g {x} {a,b} {b,c,g} {b,g} {b} {d} Ø x a c g b d {x} {a,b} {b,c,g} {b,c} {c} {d} Ø x a g b c d

x a b c d g [1,2] [2.5,3] [0.5,0.5] [0,  ) Maximum Time Separation (McMillan & Dill, 1992) max  (g) -  (d) = -2

x a b c d g [1,2] [2.5,3] [0.5,0.5] [0,  ) Maximum Time Separation (McMillan & Dill, 1992) max  (g) -  (d) longest min path for d slack for max path of g = -2

x a b c d g Maximum Time Separation (McMillan & Dill, 1992) max  (g) -  (d) = -2 From absolute to relative timing

{x} {a,b} {b,c,g} {c,g} {d,g} {g} Ø x a b c d g x a b c d g {x} {a,b} {a} {c,g} {d,g} {g} Ø x b a c d g {x} {a,b} {b,c,g} {b,g} {b} {d} Ø x a c g b d {x} {a,b} {b,c,g} {b,c} {c} {d} Ø x a g b c d

{x} {a,b} {b,c,g} {c,g} {d,g} {g} Ø x a b c d g x a b c d g  min and  max for each event Theorem: timed The trace is timing consistent iff it is an enabling-compatible trace of the timed event structure {x} {a,b} {b,c,g} {b,g} {b} {d} Ø x a c g b d

State space refinement by timing constraints

x a a a b b b c c c c c g g g g b b d d y g x a b c g d

x a a a b b b c c c c c g g g g b b d d y g x a b c g d

x a a a b b b c c c c c g g g g b b d d y g x a b c g d

x a a a b b b c c c c c g g g g b b d d y g x a b c g d

x a a a b b b c c c c c g g g g b b d d y g x a b c g d

x a a a b b b c c c c c g g g g b b d d y g x a b c g d

x a a a b b b c c c c c g g g g b b d d y g x a b c g d Enabling compatible

x a a a b b b c c c c c g g g g b b d d y g x a b c g d

x a a a b b b c c c c c g g g g b b d d y g x a b c g d Not enabling compatible

x a a a b b b c c c c c g g g g b b d d y g x a b c g d

x a a a b b b c c c c c g g g g b b d d y g x a b c g d

x a a a b b b c c c c c g g g g b b d d y g x a b c g d

x a b b b c c c c g g g g b b d d y g a a c c c g g g d d y

x a b b c c c c g g g g b b d d g x a b c g d Timing analysis

x a b b c c c c g g g g b b d d g x a b c g d

x a b b c c c c g g d x a b c g d

x a b b c g g d b y a a c c c g g g d d y

x b a a c c c g g g d d x a b c g d

x b a a c c c g g g d d x a b c g d

x b a c c c g d x a b c g d

x b a c g d a b c g g d y y b

x a b b b c g g d y a c g d y

Verification algorithm

Symbolic state space exploration and failure detection

Border of failure states Failure trace Event structure x a b c g d Timing analysis Composition

Failure trace Event structure Timing analysis x a b c g d Composition

r s t u w

r s t u w

i j k

i j k

i j k r s t u w x a b c g d Backannotation (sufficient timing constraints)

Convergence of the algorithm Nodal points All cycles cut by nodal points Finite number of traces between nodal points Convergence and exact results guaranteed

Implementation issues Event structure: calculated from the shortest suffix that invalidates the failure trace Composition: slight modification of the Transition Relation (one extra boolean variable to indicate enabling compatibility) State encoding: n bits for untimed states n+k bits for timed states (k event structures used for timing analysis)

Experimental results

Conclusions Timing analysis with absolute delays typically produces unmanageable state spaces Temporal properties (no glitches, mutual exclusion, no conflicts) can be posed as relative timing constraints Strategy: combine absolute timing (for analysis) with relative timing (for state space calculation) Backannotation: important in the design flow and for sensitivity analysis

Experimental results: the STARI FIFO