Formal Timing Analysis of Digital
Circuits
By
Qurat-ul-Ain
Fall 2015-MS(EE)-7 00000118693
Supervisor
Dr. Osman Hassan
Department of Electrical Engineering
A thesis submitted in partial fulfillment of the requirements for the degree
of Masters of Science in Electrical Engineering (MS EE)
In
School of Electrical Engineering and Computer Science,
National University of Sciences and Technology (NUST),
Islamabad, Pakistan.
(May 2018)
Approval
It is certified that the contents and form of the thesis entitled “Formal
Timing Analysis of Digital Circuits” submitted by Qurat-ul-Ain have
been found satisfactory for the requirement of the degree.
Advisor: Dr. Osman Hassan
Signature:
Date:
Committee Member 1: Dr. Sajid Saleem
Signature:
Date:
Committee Member 2: Dr. Sohail Iqbal
Signature:
Date:
Committee Member 3: Dr. Awais Kamboh
Signature:
Date:
Abstract
Formal verification provides complete and sound analysis results and has
widely been advocated for the functional verification of digital circuits.
Besides functional verification, a very important aspect of the digital
circuit design process is timing analysis. However, despite its importance
and critical nature, timing analysis is usually performed using traditional
techniques, like gate-level simulation or static timing analysis, which
provide approximate results due to their non-exhaustive nature and thus may
lead to undesired functional behavior as well. To overcome these issues, we
propose a generic framework to conduct formal timing analysis using the
Uppaal model checker in this paper. The first step in the proposed framework
is to represent the timing characteristics of the given digital circuit using
a state transition diagram in Uppaal. In this model, delays are integrated
using the corresponding technology parameters and the information about
timing paths is added using Quartus Prime Pro, which is used as a path
extracting tool. The Uppaal timing model is then verified through TCTL
properties to obtain timing related information, like maximum delay. For
illustration purposes, we present the analysis of a number of real-world
digital circuits, like Full Adder, 4-Bit Ripple Carry Adder, Shift Registers
as well as C17, S27, S208, and S386 benchmark circuits.
Dedication
Dedicated to my Parents and Sisters.
Certificate of Originality
I hereby declare that this submission is my own work and to the best of my
knowledge it contains no materials previously published or written by another
person, nor material which to a substantial extent has been accepted for the
award of any degree or diploma at NUST SEECS or at any other educational
institute, except where due acknowledgement has been made in the thesis.
Any contribution made to the research by others, with whom I have worked
at NUST SEECS or elsewhere, is explicitly acknowledged in the thesis.
I also declare that the intellectual content of this thesis is the product
of my own work, except for the assistance from others in the project’s
design and conception or in style, presentation and linguistics which has
been acknowledged.
Author Name: Qurat-ul-Ain
Signature:
Acknowledgment
First of all, I am grateful to ALLAH Almighty who gave me ability and
strength to do this work. I would then like to thank my advisor Dr. Osman
Hasan for his day to day guidance and support. Moreover, I am particularly
thankful to my parents and sisters for their prayers and continuous support.
Table of Contents
1 Introduction
1.1 Background
1.1.1 Timing Analysis in Combinational Circuit
1.1.2 Timing Analysis in Sequential Circuit
1.2 Motivation
1.3 Problem Statement
1.4 Prior State of Art
1.5 Proposed Approach
1.6 Contribution
2 Literature Review
3 Preliminaries
3.1 Circuit Delay
3.2 Uppaal Model Checker
3.2.1 Timed Automata
3.2.2 Queries
3.3 Quartus Prime Pro
4 Proposed Methodology
4.1 Delay Calculation
4.2 Path Extraction
4.3 Modeling and Verification in Uppaal Model Checker
4.3.1 Timing Models of Combinational Circuits
4.3.2 Timing Models of Sequential Circuits
4.3.3 TCTL Queries
4.4 Basic Uppaal Models and Properties
5 Case Studies
5.1 C17 Modeling and Verification
5.2 S27 Modeling and Verification
6 Verification Results
6.1 Limitations
6.2 Comparison
7 Conclusion
7.1 Summary
7.2 Future Work
List of Figures
1.1 No Delay in Ideal Case
1.2 Delay in Real Case
1.3 Basic Sequential Block
1.4 Timing Diagram of Basic Sequential Block
1.5 Proposed Methodology
3.1 Propagational delay
4.1 Proposed Methodology
4.2 Transition Diagram of the NOT Gate
4.3 Transition Diagram of a Flip-Flop
4.4 A Typical Sequential Circuit
4.5 Not Gate Uppaal Model
4.6 Nand Gate Uppaal Model
4.7 Nor Gate Uppaal Model
4.8 And Gate Uppaal Model
4.9 Or Gate Uppaal Model
4.10 FF Gate Uppaal Model
4.11 Clock Uppaal Model
5.1 ISCAS-85 C17 Benchmark
5.2 C17 Path Report
5.3 ISCAS-89 S27 Benchmark
5.4 S27 Path Report from Inputs to Flip-Flops
5.5 S27 Path Report from Flip-Flop to Flip-Flop
5.6 S27 Path Report from Flip-Flops to Output
6.1 Explored States with Gates Input
6.2 Explored States and Memory in Various Digital Circuits
6.3 Maximum Delays of Basic Gates
6.4 Timing Analysis Results
6.5 Comparison with Existing Techniques
List of Tables
4.1 Nand Gate Delay Equations
4.2 Not Gate Delay Equations
4.3 Nor Gate Delay Equations
4.4 Flip-Flop Delay Equations
6.1 Result of Combinational Circuits
6.2 Result of Sequential Circuits
6.3 Comparison with Existing Techniques
Chapter 1
Introduction
1.1 Background
Due to the gradual reduction in transistor sizes governed by Moore’s law
and the continuous increase in integrated circuit complexity, modeling and
analyzing the timing characteristics of digital circuits has become a very
challenging task. Timing analysis usually involves determining the timing
delays associated with each component of the circuit based on the technology
used and its fan-out while considering the circuit variations. The delays of
individual components are then used to calculate the overall circuit delay
using various analysis techniques, like gate-level simulation [30] or static
timing analysis [17]. However, neither of these techniques can ensure an
exhaustive analysis due to the complexity of present-age digital circuits.
This kind of non-exhaustive analysis results in an incorrect timing analysis,
which may in turn lead to a sub-optimal design or a functional bug. Digital
circuits are increasingly being used in designing safety-critical systems,
like the ones used in health-care, transportation and defense related
domains. Thus, a sub-optimal design or a functional issue may lead to
disastrous consequences, like financial losses or even the loss of human
life in worst case scenarios.
Figure 1.1: No Delay in Ideal Case
According to Moore’s law, the number of transistors in an integrated circuit
doubles after every two years. A small microchip with billions of
transistors contains many processors, memories, gates, and switches. A chip
with billions of transistors integrated on it is termed a system on chip
(SoC). An increase in the number of memories results in increased complexity
of a chip. Memories can occupy more than 50% of the area of a chip.
Verification of the critical paths of the sequential and combinational
blocks in an IC is essential for the correct working of a chip.
1.1.1 Timing Analysis in Combinational Circuit
In the ideal case, the output changes immediately with the input. Timing
analysis accounts for the small delay that exists between input and output.
Functional verification computes results only on the basis of the logic used
in a model. Timing verification should also be incorporated to make the
model of a circuit more realistic. The time taken by a signal to travel from
input to output is called the propagational delay. In the ideal case, when
we model just the logical behaviour, the propagational delay is assumed to
be zero. Figure 1.1 shows the ideal case. In reality, delays play a
significant role in the functionality and performance of a circuit. When the
delay parameters are considered, an unstable region is introduced between
input and output. Figure 1.2 shows a real case with delay.
Figure 1.2: Delay in Real Case
1.1.2 Timing Analysis in Sequential Circuit
In sequential circuits, setup time, hold time and clock to Q [23] delay play
a vital role. The basic sequential block is shown in Figure 1.3. A brief
introduction to these timing parameters is given below.
Setup Time
It is the amount of time for which data should remain stable before the
rising edge of the clock. A setup time violation can be avoided by
satisfying the inequality below.
$$T_{Clk2Q} + T_{comb} + T_{setup} + T_{routing} \leq T_{clkperiod}$$
Hold Time
It is the amount of time for which data should be stable after the rising
edge of the clock. A hold time violation can be avoided by satisfying the
inequality below.
$$T_{Clk2Q} + T_{comb} + T_{routing} \geq T_{hold}$$
Figure 1.3: Basic Sequential Block
Clock to Q delay
It is the time between the clock edge and the output value. It is the delay
after which a new input reaches the output following the clock edge. The
timing diagram for setup time, hold time and clock to Q delay can be
observed in Figure 1.4 [20].
1.2 Motivation
Timing verification can be performed through electrical simulation. As the
circuit size increases, complexity also increases. High complexity in a
circuit causes slow simulation and increases the chances of error. Moreover,
checking all the output combinations with respect to the inputs is
impossible in bigger circuits. Due to the non-exhaustive nature of
electrical simulation, accurate analysis is not possible. Hence there is a
need for a more accurate analysis technique.
Figure 1.4: Timing Diagram of Basic Sequential Block
Formal verification [15] is known to overcome the above-mentioned
limitations of traditional analysis approaches, like simulation. It has been
extensively used for the functional verification of digital circuits
[6, 11, 16, 31]. The main idea in formal verification based analysis is to
make a formal model of the given circuit and formally verify the desired
behavior of this model using formal specifications. Model checking [9] is
one of the most commonly used formal verification techniques for the
functional verification of digital circuits due to its automatic
verification and the ability to provide a counterexample in the case of a
failing property. It mainly involves modeling the system as a state
transition diagram and the verification is done by exhaustively exploring
the state space in a push button manner.
Digital devices are used in almost every field. Correct working of these
safety critical devices with respect to timing along with functionality is
crucial since a small delay can cause a huge loss. In daily use devices like
mobile phones, timing delay can occur due to the digital circuitry inside
them. An average 300ms response of browsers on every tap is observed in some
mobile phones [1]. Medical equipment like a blood coagulation device [4] can
be affected by delay. The coagulation level of blood is checked at specific
intervals to examine the patient's condition. Timing errors or delay in such
medical equipment can be dangerous for a patient since they can result in a
wrong reading. Timing verification in munitions is very critical. A small
delay in an aircraft can result in missing the actual target. Timing
analysis can help in finding faults in clock speed and hence result in
better performance of a system.
1.3 Problem Statement
Finding the delay parameters (propagational delay, setup time, hold time,
clk2Q delay), automatic path extraction, and formal modeling and
verification of combinational and sequential circuits constitute our problem
statement.
We provide a generic framework in which, by knowing the delays of the basic
circuit blocks, i.e., NAND, NOR, NOT and a Flip-Flop, we can verify the
timing behavior of any digital circuit, such as the clock period of a
circuit, the critical paths as well as the setup and hold time constraints
in a circuit. It is important to note that by using a model checking tool
for the timing analysis, our results are based on a rigorous exploration of
the state space of the circuit model and thus all the paths and input values
are implicitly considered in the analysis.
1.4 Prior State of Art
Due to the dire need of accurate analysis in the domain of timing analysis,
formal timing analysis of digital circuits using model checking got some
attention in recent years. Various techniques have been used for formal
timing verification of circuits. Some techniques [29, 3] perform timing
verification on only combinational circuits using a model checking approach.
Some other methods [7, 14] perform timing analysis on combinational as well
as sequential circuits. In [29], timing verification of combinational
circuits is performed using the model checker Open-Kronos. Modeling is
performed at an abstract level. In [7], the circuit is modeled at the
macroscopic level where the state transition graph (STG) is modeled as a
configuration of inputs while excluding the multiple input transitions. In
[14], a technique for symbolic timing verification of concurrent systems is
discussed. In [32], the author models the circuits using propagational
delays but does not discuss the modeling of propagational delays. In [3],
formal verification of only combinational circuits is performed. Circuit
paths are analyzed for delay calculation by a manual search of the paths in
a circuit.
1.5 Proposed Approach
The main motivation of this paper is to overcome the above-mentioned
deficiencies of the existing formal timing analysis approaches for digital
circuits and thus make formal timing analysis more realistic. The block
diagram of the proposed methodology is shown in Figure 1.5. Delay and path
information is integrated into the Uppaal model checker for modeling and
verification. Firstly, we propose to use the Elmore delay model [35] to
compute the delays of both combinational and sequential components of the
given circuit. Moreover, instead of using bi-bounded delays, we propose to
calculate the value of the delay at every possible input transition of every
gate in the design. For example, in the case of a 2 input gate, delays are
calculated for all the four possible transitions
$\Gamma_{Delay} = [d_{00}, d_{01}, d_{10}, d_{11}]$. Moreover, instead of
manually searching for timing paths within a circuit, as is the case for all
existing formal timing analysis approaches, we propose to use the Quartus
Prime Pro software [33] for automatically extracting the paths of the given
circuit. This choice not only allows us to automate the timing analysis flow
but also reduces the risk of ignoring some timing paths in the design. Using
the above-mentioned information, we develop a formal model of the given
circuit in the Uppaal model checker and then verify its desired timing
properties in Uppaal. To facilitate the modeling and verification process,
we provide a generic framework in which, by knowing the delays of the basic
circuit blocks, i.e., NAND, NOR, NOT and a Flip-Flop, we can verify the
timing behavior of any digital circuit, such as the clock period of a
circuit, the critical paths as well as the setup and hold time constraints
in a circuit. It is important to note that by using a model checking tool
for the timing analysis, our results are based on a rigorous exploration of
the state space of the circuit model and thus all the paths and input values
are implicitly considered in the analysis.
Figure 1.5: Proposed Methodology
1.6 Contribution
Major contributions of this work are:
1. We present a generic framework in which, by knowing the delay values of
the basic blocks (NAND, NOR, NOT and Flip-Flop), we can verify these basic
gates and larger circuits using the proposed approach.
2. Our technique is independent of modeling and simulations in Spice. We
use the Elmore delay technique for delay calculations.
3. Instead of manually searching for paths within a circuit, we use the
Quartus Prime Pro software for path analysis of a given circuit.
4. Delay and path information along with the state space is implemented in
the model checker Uppaal and verified against given properties.
Chapter 2
Literature Review
Formal verification [15] is known to overcome the limitations of traditional
analysis approaches, like simulation. It has been extensively used for the
functional verification of digital circuits [6, 11, 16, 31]. The main idea in
formal verification based analysis is to make a formal model of the given
circuit and formally verify the desired behavior of this model using formal
specifications. Model checking [9] is one of the most commonly used formal
verification techniques for the functional verification of digital circuits due to
its automatic verification and the ability to provide a counterexample in the
case of a failing property. It mainly involves modeling the system as a state
transition diagram and the verification is done by exhaustively exploring the
state space in a push button manner.
Due to the dire need of accurate analysis in the domain of timing analysis,
formal verification of timing analysis of digital circuits using model
checking got some attention in recent years. The model checker Open-Kronos
has been used for the timing analysis of combinational circuits [29]. An
abstract model of the given circuit is developed by partitioning the circuit
into smaller sub-circuits and reachability graphs are used to make timed
automata. A major limitation of this approach is that it uses fixed delay
values for all the gates, e.g., the delay of an inverter is assumed to be 0,
and thus the technology parameters and process variations are completely
ignored in the models. Similarly, Open-Kronos is also used for timing
analysis with bi-bounded delay values between two integer numbers in [10].
Formal timing verification of digital circuits, including their
combinational and sequential components, is performed in [7]. The given
circuit is modeled at the macroscopic level where the state transition graph
(STG) is modeled as a configuration of inputs while excluding the multiple
input transitions. The delays of the components are extracted from Spice
simulations. Similarly, symbolic timing verification of concurrent systems
is proposed in [14]. The complex polyhedra modeling approach is used as the
abstraction to represent sets of timed states as a timed transition system.
Each event in this model has a symbolic delay defined in an interval
$[d_i, D_i]$, where $d_i$ and $D_i$ symbolize minimum and maximum delay
values, respectively.
Formal timing analysis of digital circuits has also been done with various
other motivations. For example, digital circuits have been formally modeled
using propagational delays, which are assumed to take values in an interval
$\delta[\tau_{min}, \tau_{max}]$, in the context of testing of circuits in
[32]. The model is developed in Uppaal, where delay faults are intentionally
inserted into the circuit to generate counterexamples. These counterexamples
are then used for testing of circuits. Similarly, formal timing analysis of
combinational circuits has been performed to detect Hardware Trojans using
side channel parameters, like delay and power, in [3]. The main idea in this
work is to insert an intrusion in the circuit in the form of logic gates.
After intrusion, formal timing verification is performed to generate a
counterexample. In this technique, only combinational circuits are formally
verified and no sequential circuit is analyzed. Moreover, the various paths
of a circuit are identified manually for delay calculations in this work
[3].
Chapter 3
Preliminaries
A short introduction to the tools and techniques used in this work is
provided in this chapter.
3.1 Circuit Delay
Delays play a significant role in the functionality and performance of a
circuit. When the delay parameters are considered, an unstable region is
introduced between the input and the final output of a circuit. The delay in
a circuit must remain within a specific range and must not exceed the
maximum value. Propagational delay can be calculated [21, 27, 35] using a
circuit simulator, complex differential equations, rise and fall time, or
the Elmore delay.
In Spice [24] or any other circuit simulator, we model the circuit at the
transistor level. We add the predictive library parameters from open source
libraries and can then analyze the propagational delays of a circuit. One
can also model the complicated differential equations for delay calculation
by analyzing the response of the circuit at specific conditions. Calculation
of the propagational delay using rise and fall time is commonly used. The
rise time of a circuit can be defined as the time in which the output rises
from 10% to 90% of its maximum value. In a similar way, the fall time of a
circuit is the time in which the output moves from 90% to 10% of its maximum
value. $Time_{\rho HL}$ and $Time_{\rho LH}$ [26] are shown in Figure 3.1.
Figure 3.1: Propagational delay
$$T_{prop} = \frac{Time_{\rho HL} + Time_{\rho LH}}{2} \tag{3.1}$$
Elmore delay calculation is based on the internal resistance and capacitance
values of a transistor. We used the Elmore delay calculation technique since
it does not depend on Spice simulation or waveform analysis. The delay is
calculated from the internal capacitance $C_i$, which is multiplied by the
effective internal resistance $R_{is}$ on the shared path from source to the
node and leaf. The equation used for the Elmore delay is:
$$T_e = \sum_i C_i \times R_{is} \tag{3.2}$$
$$\tau_{delay} = T_e \times \ln 2 \tag{3.3}$$
3.2 Uppaal Model Checker
Uppaal [7, 8, 32] is an open source model checker for the formal verification of
real-time systems. The model checker Uppaal is based on the timed automata
theory [5] and its modeling language offers many additional features, such as
bounded integer variables and urgency.
3.2.1 Timed Automata
A timed automaton is a tuple $TA = (S, s_0, T, \sigma, Y, \beta)$, where:
• $S$ is a set of locations.
• $s_0 \in S$ is an initial location.
• $T$ is a set of clocks.
• $\sigma$ is the set of all defined actions.
• $Y \subseteq S \times \sigma \times B(T) \times 2^T \times S$ is a set of edges between locations.
• $\beta : S \to B(T)$ assigns invariants to locations.
$B(T)$ is the set of conjunctions over simple conditions, i.e.,
$x - y \bowtie c$ or $x \bowtie c$, where $c \in \mathbb{N}$, $x, y \in T$
and $\bowtie \in \{=, \geq, \leq, >, <\}$. A clock valuation is a function
$u : T \to \mathbb{R}_{\geq 0}$ from the set of clocks to the non-negative
real values. Thus, writing $u \in \beta(s)$ means that $u$ satisfies
$\beta(s)$. Timed automata are finite state automata having states and
transitions, enriched with built-in clocks that evolve at a uniform rate and
can be reset to their initial value. A state is a pair $(S, \alpha)$ where
$\alpha$ can be a clock or a variable computed in that particular state. A
state $(S, \alpha)$ has a discrete transition $t$, and the system moves to
the next state $(S', \alpha')$ if the constraints on $t$, called guards, are
satisfied. The interconnection between two timed automata can be obtained by
using synchronization channels. The signal is emitted by one automaton in
transition $t$ and received by one or more automata.
3.2.2 Queries
Verification of a model against the required specifications is a crucial
step in model checking. Like the model, the properties must be expressed in
a formal language. Uppaal uses a simplified version of TCTL (timed
computation tree logic) properties. The path formulae supported by Uppaal
are:
• $\exists\Diamond\rho$ (Possibly): There exists a path on which $\rho$ is eventually satisfied.
• $\exists\Box\rho$ (Potentially always): There exists a path on which $\rho$ is always satisfied.
• $\forall\Box\rho$ (Invariantly): On all paths, $\rho$ is always satisfied.
• $\forall\Diamond\rho$ (Eventually): On all paths, $\rho$ is eventually satisfied.
• $\rho \leadsto \xi$ (Leads-to): Whenever $\rho$ is satisfied, $\xi$ is eventually satisfied.
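The tuple definition of Section 3.2.1 and the query forms of Section 3.2.2, as an added example that is not part of the thesis and is not Uppaal code: a small explicit-state explorer applied to a constructed chain of two inverters. It assumes integer time steps and saturating clocks (Uppaal itself works on dense time), and the automaton, its location names and its delay values are hypothetical.

```python
from collections import deque


class TimedAutomaton:
    """TA = (S, s0, T, sigma, Y, beta), explored with integer time steps."""

    def __init__(self, clocks, initial, edges, invariants, urgent=(), cap=64):
        self.clocks = tuple(clocks)      # T: clock names
        self.initial = initial           # s0: initial location
        self.edges = edges               # Y: (src, action, guard, resets, dst)
        self.invariants = invariants     # beta: location -> predicate on clocks
        self.urgent = set(urgent)        # locations in which time may not pass
        self.cap = cap                   # clocks saturate here (finite state space)

    def _inv(self, loc, valuation):
        return self.invariants.get(loc, lambda v: True)(valuation)

    def successors(self, state):
        loc, val = state
        v = dict(zip(self.clocks, val))
        # Delay transition: all clocks advance together by one time unit.
        if loc not in self.urgent:
            later = {c: min(t + 1, self.cap) for c, t in v.items()}
            if self._inv(loc, later):
                yield "delay", (loc, tuple(later[c] for c in self.clocks))
        # Discrete transition: guard holds, listed clocks are reset to 0.
        for src, action, guard, resets, dst in self.edges:
            if src == loc and guard(v):
                nxt = {c: (0 if c in resets else t) for c, t in v.items()}
                if self._inv(dst, nxt):
                    yield action, (dst, tuple(nxt[c] for c in self.clocks))

    def explore(self):
        """Breadth-first search; returns {state: (parent_state, label) or None}."""
        start = (self.initial, tuple(0 for _ in self.clocks))
        parent = {start: None}
        queue = deque([start])
        while queue:
            state = queue.popleft()
            for label, nxt in self.successors(state):
                if nxt not in parent:
                    parent[nxt] = (state, label)
                    queue.append(nxt)
        return parent

    def trace(self, parent, state):
        steps = []
        while state is not None:
            prev = parent[state]
            steps.append((prev[1] if prev else "init", state))
            state = prev[0] if prev else None
        return steps[::-1]

    def possibly(self, pred):
        """E<> pred: some reachable state satisfies pred."""
        return any(pred(loc, dict(zip(self.clocks, val)))
                   for loc, val in self.explore())

    def invariantly(self, pred):
        """A[] pred: returns (holds, counterexample trace or None)."""
        parent = self.explore()
        for state in parent:
            loc, val = state
            if not pred(loc, dict(zip(self.clocks, val))):
                return False, self.trace(parent, state)
        return True, None


def inverter_chain(g1, g2):
    """Two NOT gates in series; g1/g2 map the gate input value to its delay."""
    edges, inv = [], {}
    for bit in (0, 1):
        s1, s2 = f"G1_in{bit}", f"G2_in{1 - bit}"
        # Clock x times the current gate, clock g the whole input-to-output path.
        edges.append(("Idle", f"in={bit}", lambda v: True, {"x", "g"}, s1))
        edges.append((s1, "g1_out", lambda v, d=g1[bit]: v["x"] >= d, {"x"}, s2))
        edges.append((s2, "g2_out", lambda v, d=g2[1 - bit]: v["x"] >= d, set(), "Done"))
        inv[s1] = lambda v, d=g1[bit]: v["x"] <= d
        inv[s2] = lambda v, d=g2[1 - bit]: v["x"] <= d
    edges.append(("Done", "settle", lambda v: True, set(), "Idle"))
    return TimedAutomaton(("x", "g"), "Idle", edges, inv, urgent={"Done"})


if __name__ == "__main__":
    ta = inverter_chain({0: 3, 1: 2}, {0: 4, 1: 2})   # constructed delay values
    # Counterpart of the Uppaal query  A[] (Done imply g <= 5)
    holds, cex = ta.invariantly(lambda loc, v: loc != "Done" or v["g"] <= 5)
    print("A[] Done imply g <= 5:", holds)
    for label, (loc, val) in cex or []:
        print(f"  {label:8s} -> {loc} {dict(zip(ta.clocks, val))}")
```

The counterexample trace plays the role the thesis assigns to Uppaal's counterexample: it names the input value and the sequence of delays that exceed the bound.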
3.3 Quartus Prime Pro
We used Quartus Prime Pro 17.1 [33] for path analysis of circuits. It
provides compilation, synthesis, optimization, simulation and verification
of FPGAs, SoCs and CPLDs. It supports the latest devices like Intel Stratix,
Arria, and Cyclone 10. In the path extraction phase of the proposed
methodology, we have to provide the Verilog code of the circuit that needs
to be analyzed. This Verilog file is first analyzed and synthesized. After
compilation, we run the TimeQuest Timing Analyzer tool to get the
information about the paths in the given circuit.
Chapter 4
Proposed Methodology
In this section, we will explain the proposed methodology, depicted in
Figure 4.1, for the formal timing analysis of a digital circuit. Our
methodology comprises three major steps: delay calculation, path extraction,
and modeling and verification in the Uppaal model checker.
4.1 Delay Calculation
The individual gate delays are estimated in the proposed methodology based
on individual transitions at the gate inputs using the Elmore delay model
[3], which computes the delay by representing each circuit in the form of an
RC tree. The delay is estimated by the model from a source node to one of
the leaf nodes by accumulating the capacitances $C_i$ on each node of the
path, multiplied by the effective resistance $R_{is}$ on the shared path
from the source node to the leaf node.
$$T_e = \sum_i C_i \times R_{is} \tag{4.1}$$
$$\tau_{delay} = T_e \times \ln 2 \tag{4.2}$$
Figure 4.1: Proposed Methodology
Using the basic technology parameters, we calculate the capacitance and
resistance values for PMOS and NMOS transistors in an ON state. We propose
to develop timing models for the basic circuit components, i.e., NAND, NOR,
NOT and a Flip-Flop. These gates are then further used to model complex
circuits. Gate capacitances for PMOS and NMOS [27] are given below:
$$C_{gate_{nMOS}} = C_{gmin_N} \times \text{fan-out} \times WR_{nMOS} \tag{4.3}$$
$$C_{gate_{pMOS}} = C_{gmin_P} \times \text{fan-out} \times WR_{pMOS} \tag{4.4}$$
where $C_{gmin}$ represents the minimum gate capacitance and $WR$ represents
the width ratio. $C_L$ is the load capacitance, calculated by adding the
gate capacitances of all the gates connected at the output of the considered
component.
$$C_L = \sum_{k=1}^{a} C_{gate_{nMOS_k}} + \sum_{j=1}^{b} C_{gate_{pMOS_j}} \tag{4.5}$$
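Table 4.1: Nand Gate Delay Equations
| Input Transition | Output | Delay Equation |
| --- | --- | --- |
| 00 | 1 | $\ln 2 \times [(C_T \times R_p)/(2 \times WR_{pMOS})]$ |
| 01 | 1 | $\ln 2 \times [(C_T \times R_p)/WR_{pMOS}]$ |
| 10 | 1 | $\ln 2 \times [((C_T + C_{ST}) \times R_p)/WR_{pMOS}]$ |
| 11 | 0 | $\ln 2 \times [(C_T \times 2 \times R_n)/WR_{nMOS}]$ |

Table 4.2: Not Gate Delay Equations
| Input Transition | Output | Delay Equation |
| --- | --- | --- |
| 0 | 1 | $\ln 2 \times [(C_T \times R_p)/WR_{pMOS}]$ |
| 1 | 0 | $\ln 2 \times [(C_T \times R_n)/WR_{nMOS}]$ |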
Diffusion capacitance $C_{Diff}$ can be calculated from the drain
capacitance [35]. The addition of load and diffusion capacitance leads to
the total capacitance of a gate $C_T$, which is used for the calculation of
delay.
$$C_T = C_L + C_{Diff} \tag{4.6}$$
Resistance of a PMOS or NMOS [28] can be calculated as follows:
$$R_{on} = \frac{1}{\frac{W}{L} \times \mu \times C_{ox} \times (V_{GS} - V_{TH})} \tag{4.7}$$
Using the values of the corresponding resistances and capacitances, we can
find the Elmore delays for NAND, NOT, and NOR gates. The delay is calculated
by considering all the possible input transitions of a gate. For example,
the Elmore delay equations for the NAND gate are shown in Table 4.1. Delay
equations are also given for the NOT gate in Table 4.2 and for the NOR gate
in Table 4.3, in a similar way.
We have used the True Single-Phase Clocked (TSPC) Flip-Flop model [27] to
capture the timing behavior of the Flip-Flop as this provides less
complexity and a smaller number of transistors to deal with [27]. Setup
time, hold time, and clock to Q delay are the three most important timing
constraints in a Flip-Flop. In the TSPC Flip-Flop model, the setup time is
assigned a delay of one inverter, the hold time is considered to be less
than one inverter delay and the propagational delay is considered to be
equal to three inverter delays. Similarly, in our model, we consider the
worst case hold time to be equal to one inverter delay. The delay equations
used in our model for setup time, hold time and the clock to Q delay in a
Flip-Flop are given in Table 4.4.

Table 4.3: Nor Gate Delay Equations
| Input Transition | Output | Delay Equation |
| --- | --- | --- |
| 00 | 1 | $\ln 2 \times [2 \times (C_T \times R_p)]/(WR_{pMOS})$ |
| 01 | 0 | $\ln 2 \times [(C_T \times R_n)/WR_{nMOS}]$ |
| 10 | 0 | $\ln 2 \times [((C_T + C_{ST}) \times R_n)/WR_{nMOS}]$ |
| 11 | 0 | $\ln 2 \times [(C_T \times R_n)/(2 \times WR_{nMOS})]$ |
4.2 Path Extraction
The calculation of the delay of a circuit, which is composed of several
gates and Flip-Flops, is done based on its various paths, i.e., from an
input to a Flip-Flop, between Flip-Flops and from a Flip-Flop to an output.
The delay of a path is calculated by adding the delays of the logic elements
present in that path. In the case of smaller circuits, we can manually
analyze all the paths in a circuit and calculate their delays. But in the
case of large circuits, it is impossible to analyze the paths manually;
therefore, we propose to use software that can provide all the valid paths
in a circuit automatically from a given circuit netlist. We found Altera
Quartus Prime Pro [33] to be the most relevant tool for this purpose. It not
only provides all the possible paths from all input ports to all output
ports but can also provide paths from an input port to a Flip-Flop, from
Flip-Flop to Flip-Flop, or from a Flip-Flop to an output port.

Table 4.4: Flip-Flop Delay Equations
| Parameter | Data Input | Output | Delay Equation |
| --- | --- | --- | --- |
| Setup Time | 0 | 0 | $\ln 2 \times [(C_T \times R_p)/WR_{pMOS}]$ |
| Setup Time | 1 | 1 | $\ln 2 \times [(C_T \times R_n)/WR_{nMOS}]$ |
| Hold Time | 0 | 0 | $\ln 2 \times [(C_T \times R_p)/WR_{pMOS}]$ |
| Hold Time | 1 | 1 | $\ln 2 \times [(C_T \times R_n)/WR_{nMOS}]$ |
| Clk2Q Delay | 0 | 0 | $\ln 2 \times [(3 \times C_T \times R_p)/WR_{pMOS}]$ |
| Clk2Q Delay | 1 | 1 | $\ln 2 \times [(3 \times C_T \times R_n)/WR_{nMOS}]$ |
In the path extraction phase of the proposed methodology, we have to provide the Verilog code of the circuit that needs to be analyzed. This Verilog file is first analyzed and synthesized. After compilation, we run the TimeQuest Timing Analyzer tool to get the information about the paths in the given circuit. A Synopsys design constraint file and a timing netlist are thus created automatically by the Timing Analyzer. After this, we can analyze the paths that are reported by the TimeQuest Timing Analyzer.
4.3 Modeling and Verification in Uppaal Model Checker
Modeling and verification in Uppaal is the most important step in the timing verification of circuits. Firstly, the given netlist is translated to its corresponding state transition diagram. This state transition diagram, along with the delay values of the logic elements and the path information from the TimeQuest Timing Analyzer, is used for this purpose in the Uppaal model checker. The TCTL properties of the path delays have to be given to the Uppaal model checker as well. The state space model is then verified in Uppaal against the identified TCTL properties to judge the circuit performance. We mainly check that the delay in a circuit is less than the required maximum delay. If the delay of the circuit exceeds the maximum delay, then the Uppaal model checker returns a counterexample, which provides us with the exact trace that caused the timing violation. Thereafter, it can be investigated whether the issue is due to a modeling error or is an actual timing violation.
In order to facilitate the modeling of digital circuits, we developed formal models of the basic gates, i.e., NAND, NOR, NOT and a Flip-Flop, in Uppaal, and these models can be built upon to formalize models of larger, complex circuits.
4.3.1 Timing Models of Combinational Circuits
Each combinational circuit is represented by a combination of gates. For example, the model of the NOT gate is shown in Figure 4.2. This timed automaton is modeled using three different states: the input state, the propagation delay state and the output state. In the initial state, the input value is updated and the delay flag is zero since the delay has not been calculated yet. Based on the value of the input, internal resistances, internal capacitances, fan-out, and various technology parameters, the delay is calculated using the Elmore delay equation. The system then moves to the stable output state after the calculated delay has elapsed. The transition state represents the delay state; in this state the output is considered to be unstable because the output gets its appropriate value, i.e., the negation of the input, only after the delay has elapsed. Similarly, the models of the other basic gates have also been developed and they can be used to formalize any combinational gate-level circuit.
Figure 4.2: Transition Diagram of the NOT Gate
4.3.2 Timing Models of Sequential Circuits
Each sequential circuit is made up of combinations of logic gates and Flip-Flops. Sequential circuits contain Flip-Flops besides the basic logic gates, so to formalize their behavior, we also formalized the Flip-Flop. In the proposed Flip-Flop model, shown in Figure 4.3, the timed automaton is modeled using three main states. The input signal is updated in the first state and the delay flag is zero since the delay value has not been calculated so far, as in the case of the NOT gate described above. Based on the value of the input, internal resistances, internal capacitances, fan-out, and various technology parameters, the setup time, hold time and clock to Q delay are calculated using the Elmore delay equation.
Figure 4.3: Transition Diagram of a Flip-Flop
4.3.3 TCTL Queries
We propose to verify the following properties.
• Firstly, we check the deadlock property, which ensures that the timed automaton is not stuck at any particular state and thus moves ahead through all the states.
$$\forall\Box\ \text{not deadlock}$$
• For verifying combinational circuits, we check that the delay, considering all the path delays in the given combinational model, does not exceed the maximum delay value for the given circuit. If the delay exceeds the maximum value and the property fails, then we get a counterexample.
$$\forall\Box\ !((delay_{gate_1} + delay_{gate_2} + \cdots + delay_{gate_n}) > Dmax_{comb})$$
where $Dmax_{comb} = \max(delay_{gate_1} + delay_{gate_2} + \cdots + delay_{gate_n})$ represents the maximum delay in the considered path.
• For verifying sequential circuits, we check the input port to Flip-Flop and Flip-Flop to output port paths just as we check the timing properties of combinational circuits. Moreover, we also need to conduct the Flip-Flop to Flip-Flop path analysis while considering the setup and hold time constraints, which allows us to determine the clock period of the given circuit and avoid metastability. For example, consider a typical sequential circuit scenario, shown in Figure 4.4, where we have an input port IN, two Flip-Flops FF1 and FF2 and an output port OUT. There are i gates between the input and FF1, n gates between the Flip-Flops, and j gates between FF2 and the output. We propose to verify the following properties in this case.
$$\forall\Box\ ((delay_{gate_1} + delay_{gate_2} + \cdots + delay_{gate_i}) \le Dmax_{INtoFF})$$
$$\forall\Box\ (T \ge (FF1_{clk2Q} + delay_{gate_1} + delay_{gate_2} + \cdots + delay_{gate_n}) + FF2_{setup})$$
$$\forall\Box\ ((FF1_{clk2Q} + delay_{gate_1} + delay_{gate_2} + \cdots + delay_{gate_n}) \ge FF2_{hold})$$
$$\forall\Box\ ((FF2_{clk2Q} + delay_{gate_1} + delay_{gate_2} + \cdots + delay_{gate_j}) \le Dmax_{FFtoOUT})$$
Figure 4.4: A Typical Sequential Circuit
Figure 4.5: Not Gate Uppaal Model
4.4 Basic Uppaal Models and Properties
Uppaal models of the Not, Nand, Nor, And, Or, Flip-Flop, and clock are shown in Figures 4.5 - 4.11, along with the properties to be verified.
$$\forall\Box\ (!(delay_{not} < Tmin\ \&\&\ delay_{not} \ne 0)\ \&\&\ !(delay_{not} > Tmax))$$
$$\forall\Box\ (!(delay_{Nand} < Tmin\ \&\&\ delay_{Nand} \ne 0)\ \&\&\ !(delay_{Nand} > Tmax))$$
$$\forall\Box\ (!(delay_{Nor} < Tmin\ \&\&\ delay_{Nor} \ne 0)\ \&\&\ !(delay_{Nor} > Tmax))$$
$$\forall\Box\ (!(delay_{And} < Tmin\ \&\&\ delay_{And} \ne 0)\ \&\&\ !(delay_{And} > Tmax))$$
$$\forall\Box\ (!(delay_{Or} < Tmin\ \&\&\ delay_{Or} \ne 0)\ \&\&\ !(delay_{Or} > Tmax))$$
$$\forall\Box\ (T \ge (FF_{clk2Q} + delay_{comb} + FF_{setup}))$$
$$\forall\Box\ ((FF_{clk2Q} + delay_{comb}) \ge FF_{hold})$$
Figure 4.6: Nand Gate Uppaal Model
Figure 4.7: Nor Gate Uppaal Model
Figure 4.8: And Gate Uppaal Model
Figure 4.9: Or Gate Uppaal Model
Figure 4.10: FF Gate Uppaal Model
Figure 4.11: Clock Uppaal Model
Chapter 5
Case Studies
We illustrate the usefulness of our proposed methodology by evaluating it on combinational as well as sequential circuits. Some of our case studies include benchmark circuits from ISCAS-85 and ISCAS-89.
5.1 C17 Modeling and Verification
C17, shown in Figure 5.1, is one of the benchmarks from ISCAS-85 and consists of 5 input ports and 2 output ports. The path report of the C17 circuit generated by the TimeQuest Timing Analyzer is shown in Figure 5.2.
Figure 5.1: ISCAS-85 C17 Benchmark
Figure 5.2: C17 Path Report
The path information is modeled in Uppaal with the help of a function in order to avoid complexity in the timed automata. The paths of C17 incorporated in the Uppaal timed automata are:
//N1 --> N22
c17_p1 = (delay1_nand_c17+delay5_nand_c17);
//N2 --> N22
c17_p2 = (delay3_nand_c17+delay5_nand_c17);
//N2 -->N23
c17_p3 = (delay3_nand_c17+delay6_nand_c17);
//N3 --> N23
c17_p4 = (delay2_nand_c17+delay3_nand_c17+delay6_nand_c17);
//N3 --> N22
c17_p5 = (delay2_nand_c17+delay3_nand_c17+delay5_nand_c17);
//N6 --> N23
c17_p6 = (delay2_nand_c17+delay4_nand_c17+delay6_nand_c17);
//N6 --> N22
c17_p7 = (delay2_nand_c17+delay3_nand_c17+delay5_nand_c17);
//N7 --> N23
c17_p8 = (delay4_nand_c17+delay6_nand_c17);
//N3 --> N22
c17_p9 = (delay1_nand_c17+delay5_nand_c17);
//N3 --> N23
c17_p10 = (delay2_nand_c17+delay4_nand_c17+delay6_nand_c17);
//N6 --> N23
c17_p11 = (delay2_nand_c17+delay3_nand_c17+delay6_nand_c17);
Figure 5.3: ISCAS-89 S27 Benchmark
The properties that we verified against each path are shown below. Tmax is the maximum value of delay for a particular path. These properties are checked against all the paths and all the states of the model.
• $\forall\Box\,(!(c17_{p1} > Tmax_{c17-p1}))$
• $\forall\Box\,(!(c17_{p2} > Tmax_{c17-p2}))$
• $\forall\Box\,(!(c17_{p3} > Tmax_{c17-p3}))$
• $\forall\Box\,(!(c17_{p4} > Tmax_{c17-p4}))$
• $\forall\Box\,(!(c17_{p5} > Tmax_{c17-p5}))$
• $\forall\Box\,(!(c17_{p6} > Tmax_{c17-p6}))$
• $\forall\Box\,(!(c17_{p7} > Tmax_{c17-p7}))$
• $\forall\Box\,(!(c17_{p8} > Tmax_{c17-p8}))$
• $\forall\Box\,(!(c17_{p9} > Tmax_{c17-p9}))$
• $\forall\Box\,(!(c17_{p10} > Tmax_{c17-p10}))$
• $\forall\Box\,(!(c17_{p11} > Tmax_{c17-p11}))$
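The eleven C17 paths listed above can be cross-checked against the netlist. The following is an added example, not code from the thesis: it enumerates every input-to-output path of the standard ISCAS-85 c17 netlist, compares the result with the path list above, and evaluates the property !(path delay > Tmax) for each path. The mapping of gates to delay1..delay6 is inferred from the path list, and the delay values and the single Tmax bound are constructed for illustration.

```python
# ISCAS-85 c17: six 2-input NAND gates, each named by its output net.
C17_INPUTS = ("N1", "N2", "N3", "N6", "N7")
C17_OUTPUTS = ("N22", "N23")
C17_GATES = {  # output net -> fan-in nets
    "N10": ("N1", "N3"),
    "N11": ("N3", "N6"),
    "N16": ("N2", "N11"),
    "N19": ("N11", "N7"),
    "N22": ("N10", "N16"),
    "N23": ("N16", "N19"),
}

# Assumption: index k of delay<k>_nand_c17 for each gate, inferred from the
# path list in Section 5.1.
GATE_INDEX = {"N10": 1, "N11": 2, "N16": 3, "N19": 4, "N22": 5, "N23": 6}

# Path list from Section 5.1 as (source, sink, gate indices along the path).
PAGE_PATHS = {
    "c17_p1": ("N1", "N22", (1, 5)),
    "c17_p2": ("N2", "N22", (3, 5)),
    "c17_p3": ("N2", "N23", (3, 6)),
    "c17_p4": ("N3", "N23", (2, 3, 6)),
    "c17_p5": ("N3", "N22", (2, 3, 5)),
    "c17_p6": ("N6", "N23", (2, 4, 6)),
    "c17_p7": ("N6", "N22", (2, 3, 5)),
    "c17_p8": ("N7", "N23", (4, 6)),
    "c17_p9": ("N3", "N22", (1, 5)),
    "c17_p10": ("N3", "N23", (2, 4, 6)),
    "c17_p11": ("N6", "N23", (2, 3, 6)),
}

# Constructed per-gate delays in integer time units (not values from the thesis).
DELAYS = {"N10": 3, "N11": 4, "N16": 5, "N19": 2, "N22": 6, "N23": 7}


def enumerate_paths():
    """Every input-to-output path as (source, sink, gates from input to output)."""
    paths = []

    def walk(net, visited, sink):
        if net in C17_INPUTS:
            paths.append((net, sink, tuple(reversed(visited))))
            return
        for fan_in in C17_GATES[net]:
            walk(fan_in, visited + [net], sink)

    for out in C17_OUTPUTS:
        walk(out, [], out)
    return paths


def matches_page_listing():
    """True if the netlist yields exactly the paths listed in Section 5.1."""
    found = sorted((src, dst, tuple(GATE_INDEX[g] for g in gates))
                   for src, dst, gates in enumerate_paths())
    return found == sorted(PAGE_PATHS.values())


def path_delay(gates, delays):
    """Path delay as the sum of the gate delays along the path."""
    return sum(delays[g] for g in gates)


def critical_paths(delays):
    """Largest path delay and every path that attains it."""
    paths = enumerate_paths()
    worst = max(path_delay(g, delays) for _, _, g in paths)
    return worst, [p for p in paths if path_delay(p[2], delays) == worst]


def violations(delays, tmax):
    """Paths for which !(path_delay > tmax) is false, with their delay."""
    return [(src, dst, gates, path_delay(gates, delays))
            for src, dst, gates in enumerate_paths()
            if path_delay(gates, delays) > tmax]


if __name__ == "__main__":
    print("matches Section 5.1 listing:", matches_page_listing())
    print("critical:", critical_paths(DELAYS))
    print("violations for Tmax=15:", violations(DELAYS, 15))
```

A non-empty result from `violations` plays the role of the counterexample trace: it names the input, the output and the gates on the path whose summed delay breaks the bound.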
5.2 S27 Modeling and Verification
S27, shown in Figure 5.3, is one of the sequential circuit benchmarks from ISCAS-89 and consists of 4 input ports and 1 output port. It is made up of 3 Flip-Flops, 2 NOT gates, 1 NAND gate, 1 AND gate, 2 OR gates, and 4 NOR gates.
Path reports of S27 covering the paths from inputs to Flip-Flops, from Flip-Flop to Flip-Flop and from Flip-Flops to the output, generated by the TimeQuest Timing Analyzer, are shown in Figures 5.4, 5.5 and 5.6, respectively.
Figure 5.4: S27 Path Report from Inputs to Flip-Flops
Figure 5.5: S27 Path Report from Flip-Flop to Flip-Flop
Figure 5.6: S27 Path Report from Flip-Flops to Output
The path information is modeled in Uppaal with the help of a function in order to avoid complexity in the timed automata. All three types of paths of S27 are defined in separate functions and incorporated in the Uppaal timed automata. The path functions are given below:
*** Input to Flip-Flop ***
// G3-->FF3
delay_p1_in = (delay2_or+delay1_nand+delay4_nor);
// G1-->FF3
delay_p2_in = (delay3_nor+delay1_or+delay1_nand+delay4_nor);
// G0-->FF3
delay_p3_in = (delay1_not+delay2_or+delay1_and+delay1_nand+delay4_nor);
// G0-->FF3
delay_p4_in = (delay1_not+delay1_or+delay1_and+delay1_nand+delay4_nor);
// G2-->FF2
delay_p5_in = (delay2_nor);
// G1-->FF2
delay_p6_in = (delay3_nor+delay2_nor);
// G0-->FF1
delay_p7_in = (delay1_not+delay1_nor);
// G0-->FF1
delay_p8_in = (delay1_not+delay1_or+delay1_and+delay1_nand+delay4_nor+
delay1_nor);
// G0-->FF1
delay_p9_in = (delay1_not+delay2_or+delay1_and+delay1_nand+delay4_nor+
delay1_nor);
*** Flip-Flop to Flip-Flop ***
// FF1-->FF3
delay_p1_ff = (delay1_clk2Q+delay4_nor+delay3_setup);
// FF2-->FF3
delay_p2_ff = (delay2_clk2Q+delay3_nor+delay1_or+delay1_nand+delay4_nor+
delay3_setup);
// FF3-->FF3
delay_p3_ff = (delay3_clk2Q+delay1_and+delay2_or+delay1_nand+delay4_nor+
delay3_setup);
// FF3-->FF3
delay_p4_ff = (delay3_clk2Q+delay1_and+delay1_or+delay1_nand+delay4_nor+
delay3_setup);
// FF2-->FF2
delay_p5_ff = (delay2_clk2Q+delay3_nor+delay2_nor+delay2_setup);
// FF1-->FF3
delay_p1_h1 = (delay1_clk2Q+delay4_nor);
// FF2-->FF3
delay_p2_h2 = (delay2_clk2Q+delay3_nor+delay1_or+delay1_nand+delay4_nor);
// FF3-->FF3
delay_p3_h3 = (delay3_clk2Q+delay1_and+delay2_or+delay1_nand+delay4_nor);
// FF3-->FF3
delay_p4_h4 = (delay3_clk2Q+delay1_and+delay1_or+delay1_nand+delay4_nor);
// FF2-->FF2
delay_p5_h5 = (delay2_clk2Q+delay3_nor+delay2_nor);
*** Flip-Flop to Output ***
// FF2-->G17
delay_p1_out = (delay2_clk2Q+delay3_nor+delay1_or+delay1_nand+delay4_nor+
delay2_not);
// FF1-->G17
delay_p2_out = (delay1_clk2Q+delay4_nor+delay1_or+delay2_not);
// FF3-->G17
delay_p3_out = (delay3_clk2Q+delay1_and+delay2_or+delay1_nand+delay4_nor+
delay2_not);
// FF3-->G17
delay_p4_out = (delay3_clk2Q+delay1_and+delay1_or+delay1_nand+delay4_nor+
delay2_not);
The properties that are verified against each specified path are written below. In these properties, Tmax denotes the maximum delay time of that particular path and Tclk denotes the time period of the clock.
Input to Flip-Flop
• $\forall\Box\,(delay\_p1_{in} \le Tmax_{p1-in})$
• $\forall\Box\,(delay\_p2_{in} \le Tmax_{p2-in})$
• $\forall\Box\,(delay\_p3_{in} \le Tmax_{p3-in})$
• $\forall\Box\,(delay\_p4_{in} \le Tmax_{p4-in})$
• $\forall\Box\,(delay\_p5_{in} \le Tmax_{p5-in})$
• $\forall\Box\,(delay\_p6_{in} \le Tmax_{p6-in})$
• $\forall\Box\,(delay\_p7_{in} \le Tmax_{p7-in})$
• $\forall\Box\,(delay\_p8_{in} \le Tmax_{p8-in})$
• $\forall\Box\,(delay\_p9_{in} \le Tmax_{p9-in})$
Flip-Flop to Flip-Flop
• $\forall\Box\,(Tclk \ge (delay_{p1-ff}))$
• $\forall\Box\,(Tclk \ge (delay_{p2-ff}))$
• $\forall\Box\,(Tclk \ge (delay_{p3-ff}))$
• $\forall\Box\,(Tclk \ge (delay_{p4-ff}))$
• $\forall\Box\,(Tclk \ge (delay_{p5-ff}))$
• $\forall\Box\,(delay_{p-h1} \ge (delay_{3-hold}))$
• $\forall\Box\,(delay_{p-h2} \ge (delay_{3-hold}))$
• $\forall\Box\,(delay_{p-h3} \ge (delay_{3-hold}))$
• $\forall\Box\,(delay_{p-h4} \ge (delay_{3-hold}))$
• $\forall\Box\,(delay_{p-h5} \ge (delay_{2-hold}))$
Flip-Flop to Output
• $\forall\Box\,(delay\_p1_{out} \le (Tmax_{p1-out}))$
• $\forall\Box\,(delay\_p2_{out} \le (Tmax_{p2-out}))$
• $\forall\Box\,(delay\_p3_{out} \le (Tmax_{p3-out}))$
• $\forall\Box\,(delay\_p4_{out} \le (Tmax_{p4-out}))$
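The Flip-Flop to Flip-Flop properties above, and the setup and hold properties of Section 4.3.3, can be evaluated directly on the S27 path functions. This is an added example, not code from the thesis: the path terms are copied from the listing above, while the delay values, the names delay2_hold and delay3_hold, and the helper functions are assumptions made for illustration (setup and hold equal one constructed inverter delay, clock to Q equals three).

```python
# Setup paths: launching Flip-Flop clk2Q + gates + capturing Flip-Flop setup.
SETUP_PATHS = {
    "delay_p1_ff": ["delay1_clk2Q", "delay4_nor", "delay3_setup"],
    "delay_p2_ff": ["delay2_clk2Q", "delay3_nor", "delay1_or", "delay1_nand",
                    "delay4_nor", "delay3_setup"],
    "delay_p3_ff": ["delay3_clk2Q", "delay1_and", "delay2_or", "delay1_nand",
                    "delay4_nor", "delay3_setup"],
    "delay_p4_ff": ["delay3_clk2Q", "delay1_and", "delay1_or", "delay1_nand",
                    "delay4_nor", "delay3_setup"],
    "delay_p5_ff": ["delay2_clk2Q", "delay3_nor", "delay2_nor", "delay2_setup"],
}

# Hold paths: (path terms, hold time of the capturing Flip-Flop).
HOLD_PATHS = {
    "delay_p1_h1": (["delay1_clk2Q", "delay4_nor"], "delay3_hold"),
    "delay_p2_h2": (["delay2_clk2Q", "delay3_nor", "delay1_or", "delay1_nand",
                     "delay4_nor"], "delay3_hold"),
    "delay_p3_h3": (["delay3_clk2Q", "delay1_and", "delay2_or", "delay1_nand",
                     "delay4_nor"], "delay3_hold"),
    "delay_p4_h4": (["delay3_clk2Q", "delay1_and", "delay1_or", "delay1_nand",
                     "delay4_nor"], "delay3_hold"),
    "delay_p5_h5": (["delay2_clk2Q", "delay3_nor", "delay2_nor"], "delay2_hold"),
}

INV = 10  # constructed inverter delay, integer time units
DELAYS = {  # constructed values, not results from the thesis
    "delay1_clk2Q": 3 * INV, "delay2_clk2Q": 3 * INV, "delay3_clk2Q": 3 * INV,
    "delay2_setup": INV, "delay3_setup": INV,
    "delay2_hold": INV, "delay3_hold": INV,
    "delay1_and": 25, "delay1_or": 24, "delay2_or": 26, "delay1_nand": 15,
    "delay2_nor": 21, "delay3_nor": 22, "delay4_nor": 23,
}


def path_sum(terms, delays):
    """Value of one path function for the given delay assignment."""
    return sum(delays[t] for t in terms)


def min_clock_period(delays):
    """Smallest Tclk with Tclk >= delay_pk_ff for all k, and the path setting it."""
    worst = max(SETUP_PATHS, key=lambda name: path_sum(SETUP_PATHS[name], delays))
    return path_sum(SETUP_PATHS[worst], delays), worst


def check(delays, tclk):
    """Names of the paths whose setup or hold property is violated."""
    setup = [name for name, terms in SETUP_PATHS.items()
             if not tclk >= path_sum(terms, delays)]
    hold = [name for name, (terms, hold_term) in HOLD_PATHS.items()
            if not path_sum(terms, delays) >= delays[hold_term]]
    return {"setup": setup, "hold": hold}


if __name__ == "__main__":
    print("minimum clock period:", min_clock_period(DELAYS))
    print("Tclk = 125:", check(DELAYS, 125))
    print("hold of FF3 raised to 60:", check(dict(DELAYS, delay3_hold=60), 129))
```

The shortest path (FF1 to FF3 through one NOR gate) is the one that fails first when the hold requirement grows, while the longest path fixes the clock period.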
C17 is one of the examples of combinational circuits and S27 is one of the examples of sequential circuits. The time and memory utilization for C17 are 0.014 s and 7.34 MB, respectively. The time and memory utilization for S27 are 2.46 s and 43.96 MB, respectively. Hence, we exhaustively perform the timing verification of these circuits. The results for the combinational and sequential circuits that are modeled as case studies are shown in the next chapter.
Chapter 6
Verification Results
We illustrate the usefulness of our proposed methodology by evaluating it on various digital circuits. Verification results of the considered combinational circuits are shown in Table 6.1, which presents the total number of gates in the given circuit, its verification time and the memory utilization during the verification phase of the corresponding circuit. We can observe that in the case of a smaller circuit, such as C17, the verification time and memory utilization are 0.014 s and 7.34 MB, respectively. But in the case of a relatively larger circuit, like the 4-bit Ripple Carry Adder (RCA), the verification takes more time (63.31 s) and a large amount of memory (2684 MB). Formal modeling and verification results of sequential circuits are shown in Table 6.2, which presents the total number of gates and Flip-Flops in the given circuit, its verification time, and the memory utilization. For a smaller circuit, such as a single Flip-Flop, verification takes less time, i.e., 0.019 s, and minimal memory, i.e., 7.85 MB. In the case of a larger circuit, like S208, the verification time and memory consumption are 316 s and 8820 MB, respectively, which are much larger than for a single Flip-Flop. It can be observed that the modeling and verification of several case studies, like the 4-bit Ripple Carry Adder, S208, and S386, were very challenging. These circuits have complex timed automata because of the larger number of gates and hence utilized a considerable amount of time and memory.

Table 6.1: Result of Combinational Circuits

| Circuits | NAND gates | NOR gates | NOT gates | Verification Time (s) | Verification Memory (MB) |
|---|---|---|---|---|---|
| C17 [13] | 6 | - | - | 0.014 | 7.34 |
| C17 [34] | 7 | - | - | 0.021 | 7.35 |
| C17 [22] | 9 | 1 | 2 | 0.033 | 11.78 |
| Full Adder [25] | 11 | - | - | 0.032 | 8.82 |
| Full Adder [18] | 10 | 3 | 1 | 0.074 | 16.06 |
| Full Adder [3] | 14 | 3 | 1 | 0.91 | 18.06 |
| 4-bit RCA [18] | 40 | 12 | 4 | 63.31 | 2684 |
Table 6.2: Result of Sequential Circuits

| Circuits | NAND gates | NOR gates | NOT gates | Number of Flip-Flops | Verification Time (s) | Verification Memory (MB) |
|---|---|---|---|---|---|---|
| Flip-Flop [27] | - | - | - | 1 | 0.019 | 7.85 |
| 16-bit SIPO Shift Register [19] | - | - | - | 16 | 0.031 | 10.38 |
| 64-bit SISO Shift Register [19] | - | - | - | 64 | 0.047 | 16.80 |
| 64-bit Ring Counter [2] | - | - | - | 64 | 0.090 | 21.19 |
| 64-bit Johnson Counter [2] | - | - | 1 | 64 | 0.100 | 27.29 |
| S27 [12] | 2 | 6 | 5 | 3 | 2.46 | 43.96 |
| S208 [12] | 39 | 37 | 90 | 8 | 316 | 8820 |
| S386 [12] | 151 | 36 | 228 | 6 | 3306 | 29745 |

With an increase in the circuit size, the number of states increases exponentially. Similarly, the number of explored states increases significantly with an increase in the number of inputs of basic gates, such as NOT, NAND, NOR, AND and OR, as shown in Figure 6.1. The number of states, and hence the memory requirement, also increases by a considerable amount with an increase in the circuit size for both combinational and sequential circuits, as shown in Figure 6.2. The number of explored states for the C17 circuit was found to be 209, while for the 4-bit Ripple Carry Adder it was 16315416. Similarly, the explored states are found to be 66 in a single Flip-Flop and 105735463 in S386. With the substantial increase in the number of states, the utilized memory for the verification also increases.
Figure 6.1: Explored States with Gates Input
Figure 6.2: Explored States and Memory in Various Digital Circuits
(a) Explored States and Utilized Memory in Combinational Circuits
(b) Explored States and Utilized Memory in Sequential Circuits
We calculated the maximum delays of basic gates, such as NOT, NAND, NOR, AND and OR, as shown in Figure 6.3. In the case of NOT, AND and OR, the maximum delay for 3 inputs and 4 inputs is the same since the type and number of logic elements in a path are the same. The maximum delays of the considered combinational circuits are shown in Figure 6.4(a), whereas the maximum time periods of the clock for the sequential circuits are shown in Figure 6.4(b).
Figure 6.3: Maximum Delays of Basic Gates
Figure 6.4: Timing Analysis Results
(a) Maximum Delay in Combinational Circuits
(b) Maximum Time Period in Sequential Circuits
6.1 Limitations
After S386, we were unable to implement further circuits because of two main reasons.
• State Space Explosion:
The number of states in model checking increases exponentially and hence produces millions and billions of states in seconds, which causes state space explosion. Due to state space explosion, we were unable to verify bigger circuits. Our memory became exhausted in seconds because of the bigger state transition diagram.
• Maximum Integer Limit in Uppaal:
The maximum integer value supported by Uppaal is 36000. If we used a value greater than this, we got an error and were unable to perform verification. With an increased number of fanouts and number of gates in a specific path, we were unable to verify properties in Uppaal since the path delays were exceeding the maximum integer value supported by Uppaal.
Figure 6.5: Comparison with Existing Techniques
(a) Comparison of Verification Time of [3] and the Proposed Technique
(b) Number of Logic Elements Analyzed by Existing and Proposed Techniques
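The integer bound in the second limitation interacts with the time unit chosen for the delays. The following added example (not part of the thesis) evaluates the delay equations of the two-input gate table in Section 4.1 and of Table 4.4 for constructed technology parameters, quantises them to integer time units, and finds the finest unit for which a worst-case Flip-Flop to Flip-Flop path sum stays within the bound stated above. All parameter values, function names and candidate time units are assumptions, and W is treated as a dimensionless sizing factor.

```python
import math

LN2 = math.log(2)
INT_LIMIT = 36000  # maximum integer value as stated in Section 6.1

# Constructed technology parameters (farads, ohms, dimensionless widths).
TECH = {"c_t": 1e-14, "c_st": 5e-15, "r_p": 2e4, "r_n": 1e4, "w_p": 1.0, "w_n": 1.0}


def gate_delays(c_t, c_st, r_p, r_n, w_p, w_n):
    """[d00, d01, d10, d11] in seconds, following the two-input gate table."""
    return [
        LN2 * (2 * c_t * r_p) / w_p,
        LN2 * (c_t * r_n) / w_n,
        LN2 * ((c_t + c_st) * r_n) / w_n,
        LN2 * (c_t * r_n) / (2 * w_n),
    ]


def flip_flop_delays(c_t, r_p, r_n, w_p, w_n, **_unused):
    """Table 4.4: (data 0, data 1) delays in seconds for each constraint."""
    d0 = LN2 * c_t * r_p / w_p
    d1 = LN2 * c_t * r_n / w_n
    return {"setup": (d0, d1), "hold": (d0, d1), "clk2q": (3 * d0, 3 * d1)}


def to_ticks(delay_s, tick_s, upper_bound=True):
    """Quantise a delay to integer ticks without weakening the check.

    Round up where the value bounds a delay from above (maximum-delay and
    setup checks); round down for the path delay on the left-hand side of a
    hold check, so the integer model never hides a violation.
    """
    ratio = delay_s / tick_s
    return math.ceil(ratio) if upper_bound else math.floor(ratio)


def worst_path_ticks(n_gates, gate, ff, tick_s):
    """Worst-case clk2Q + n gate delays + setup, in ticks."""
    return (to_ticks(max(ff["clk2q"]), tick_s)
            + n_gates * to_ticks(max(gate), tick_s)
            + to_ticks(max(ff["setup"]), tick_s))


def finest_tick(n_gates, gate, ff, candidates, limit=INT_LIMIT):
    """Finest candidate time unit whose worst path sum fits, or None."""
    for tick_s in sorted(candidates):
        total = worst_path_ticks(n_gates, gate, ff, tick_s)
        if total <= limit:
            return tick_s, total
    return None


GATE = gate_delays(**TECH)
FF = flip_flop_delays(**TECH)
CANDIDATE_TICKS = [1e-15, 1e-14, 1e-13, 1e-12]  # 1 fs .. 1 ps

if __name__ == "__main__":
    for n in (10, 11):
        print(n, "gates ->", finest_tick(n, GATE, FF, CANDIDATE_TICKS))
```

With these constructed values, one extra gate on the path pushes the sum past the bound at 100 fs resolution and forces a ten times coarser unit, which is the effect of path length described in the limitation.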
6.2 Comparison
In comparison with an existing technique [3], which uses the nuXmv model checker for verifying combinational circuits, we find our results to be acquired in a much faster manner, as shown in Figure 6.5(a). For example, the verification time in [3] and in the proposed technique for the C17 circuit is 1530 s and 0.014 s, respectively. In comparison with the existing techniques, we also verify circuits with a larger number of gates and Flip-Flops, i.e., up to 415 gates and 64 Flip-Flops, as shown in Figure 6.5(b).
A summary of the comparison of the proposed approach with some existing techniques is shown in Table 6.3. The comparative analysis is mainly based on seven parameters. The first two parameters show the type of circuit that is analyzed, i.e., combinational circuit or sequential circuit. Automatic path extraction depicts whether the existing techniques perform path analysis automatically or not. The next two parameters refer to the delay modeling technique and the model checker used for the formal verification. Finally, the last two parameters show the maximum number of gates and Flip-Flops verified by the corresponding technique. Our technique is found to be better than existing techniques in the following ways:
• Unlike some existing techniques [29], [3], we perform timing verification of combinational as well as sequential circuits.
• In order to perform more realistic modeling and verification, we proposed to use the Elmore delay modeling technique [3] instead of the assumed delay model used in [10], [14], [29], [32].
• We proposed to extract the path information automatically using Quartus Prime Pro [33].
• We verify circuits with a comparatively larger number of gates and Flip-Flops compared to all the existing formal timing analysis works.
Table 6.3: Comparison with Existing Techniques

| Related Work | Comb cct | Seq cct | Automatic Path Extraction | Delay Model | Tool | Max Gates | Max FF |
|---|---|---|---|---|---|---|---|
| Bozga et al. [10] | ✓ | ✓ | ✗ | Assumed delay | Open kronos | 24 | 4 |
| Salah et al. [29] | ✓ | ✗ | ✗ | Assumed delay | Open kronos | 88 | ✗ |
| Clariso et al. [14] | ✓ | ✓ | ✗ | Symbolic delay | Abstract Algorithm | 12 | 4 |
| Bara et al. [7] | ✓ | ✓ | ✗ | Spice delay | Kronos/Uppaal | 100 | 15 |
| Abbasi et al. [3] | ✓ | ✗ | ✗ | Elmore delay | nuXmv | 68 | ✗ |
| Proposed Technique | ✓ | ✓ | ✓ | Elmore delay | Uppaal | 415 | 64 |
Chapter 7
Conclusion
This work presented a model checking based approach for the formal timing analysis of digital circuits. The main idea behind this approach is to use timed automata as a state transition diagram for the formal modeling of digital circuits and TCTL queries for the formal verification of their timing properties using the Uppaal model checker. A generic framework is proposed to facilitate the formal timing analysis. For this purpose, we have developed the models of the basic components of a digital circuit, i.e., logic gates and Flip-Flops, that can be built upon for the formal modeling of more complex circuits. Moreover, the proposed approach supports automatic path extraction along with modeling and verification in Uppaal. The proposed approach can be used to formally verify various timing characteristics, such as finding the clock period of a circuit, finding the critical path as well as setup and hold time constraints in a circuit.
7.1 Summary
Formal verification provides complete and sound analysis results and has widely been advocated for the functional verification of digital circuits. Besides the functional verification, a very important aspect of the digital circuit design process is timing analysis. However, despite its importance and critical nature, timing analysis is usually performed using traditional techniques, like gate-level simulation or static timing analysis, which provide approximate results due to their in-exhaustive nature and thus may lead to an undesired functional behavior as well. To overcome these issues, we propose a generic framework to conduct the formal timing analysis using the Uppaal model checker in this paper. The first step in the proposed framework is to represent the timing characteristics of the given digital circuit using a state transition diagram in Uppaal. In this model, delays are integrated using the corresponding technology parameters and the information about timing paths is added using Quartus Prime Pro, which is used as a path extracting tool. The Uppaal timing model is then verified through TCTL properties to obtain timing related information, like maximum delay.
We propose to calculate the value of the delay at every possible input transition of every gate in the design. For example, in the case of a 2 input gate, delays are calculated for all the four possible transitions $\Gamma_{Delay} = [d_{00}, d_{01}, d_{10}, d_{11}]$. Moreover, instead of manually searching for timing paths within a circuit, as is the case for all existing formal timing analysis approaches, we propose to use the Quartus Prime Pro software [33] for automatically extracting the paths of the given circuit. We provide a generic framework in which, by knowing the delays of the basic circuit blocks, i.e., NAND, NOR, NOT and a Flip-Flop, we can verify the timing behavior of any digital circuit, such as the clock period of a circuit, the critical paths as well as setup and hold time constraints in a circuit. It is important to note that by using a model checking tool for the timing analysis, our results are based on a rigorous exploration of the state space of the circuit model and thus all the paths and input values are implicitly considered in the analysis. For illustration purposes, we present the analysis of a number of real-world digital circuits, like Full Adder, 4-Bit Ripple Carry Adder, Shift Registers as well as C17, S27, S208, and S386 benchmark circuits.
7.2 Future Work
A generic framework is proposed to facilitate the formal timing analysis. For
this purpose, we have developed the models of the basic components of a
digital circuit, i.e., logic gates and Flip-Flops, that can be built upon for
the formal modeling of more complex circuits. In the future, we plan to
incorporate routing delays and clock skew in a circuit so that we have a more
accurate and realistic timing model.
Bibliography
[1] The most common problems in lenovo phones. Available online: https://www.quora.com/What-are-the-most-common-problems-in-Lenovo-phones. 2017.
[2] Shift Registers and Counters. Available online: https://computing.ece.vt.edu/ LiaB/Microelectronic%20Systems/Lectures/Digital%20Logic/pdf/Shift%20registers.pdf, 2014.
[3] Imran Hafeez Abbasi, Faiq Khalid Lodhi, Awais Mehmood Kamboh, and Osman Hasan. Formal verification of gate-level multiple side channel parameters to detect hardware trojans. In International Workshop on Formal Techniques for Safety-Critical Systems, pages 75–92. Springer, 2016.
[4] Niloofar Ajdari, Cian Vyas, Stephanie L Bogan, Bashir A Lwaleed, and Brian G Cousins. Gold nanoparticle interactions in human blood: a model evaluation. Nanomedicine: Nanotechnology, Biology and Medicine, 13(4):1531–1542, 2017.
[5] Rajeev Alur, Costas Courcoubetis, and David Dill. Model-checking for real-time systems. In Logic in Computer Science, 1990. LICS’90, Proceedings., Fifth Annual IEEE Symposium on e, pages 414–425. IEEE, 1990.
[6] Z. S. Andraus and K. A. Sakallah. Automatic abstraction and verification of verilog models. In Proceedings. 41st Design Automation Conference, 2004., pages 218–223, 2004.
[7] Abdelrezzak Bara, Pirouz Bazargan-Sabet, Remy Chevallier, Dominique Ledu, Emmanuelle Encrenaz, and Patricia Renault. Formal verification of timed vhdl programs. In FDL, pages 80–85. IET, 2010.
[8] Gerd Behrmann, Alexandre David, and Kim G Larsen. A tutorial on Uppaal 4.0 (updated november 28, 2006).
[9] Beatrice Berard, Michel Bidoit, Alain Finkel, Francois Laroussinie, Antoine Petit, Laure Petrucci, and Philippe Schnoebelen. Systems and software verification: model-checking techniques and tools. Springer Science & Business Media, 2013.
[10] Marius Bozga, Hou Jianmin, Oded Maler, and Sergio Yovine. Verification of asynchronous circuits using timed automata. Electronic Notes in Theoretical Computer Science, 65(6):47–59, 2002.
[11] Thomas Braibant. Coquet: a coq library for verifying hardware. In International Conference on Certified Programs and Proofs, pages 330–345. Springer, 2011.
[12] Franc Brglez, David Bryan, and Krzysztof Kozminski. Notes on the iscas’89 benchmark circuits. North-Carolina State University, 1989.
[13] David Bryan. The iscas’85 benchmark circuits and netlist format. North Carolina State University, 25, 1985.
[14] Robert Clariso and Jordi Cortadella. Verification of timed circuits with symbolic delays. In Design Automation Conference, 2004. Proceedings of the ASP-DAC 2004. Asia and South Pacific, pages 628–633. IEEE, 2004.
[15] Osman Hasan and Sofiene Tahar. Formal verification methods. In Encyclopedia of Information Science and Technology, Third Edition, pages 7162–7170. IGI Global, 2015.
[16] A. Irfan, A. Cimatti, A. Griggio, M. Roveri, and R. Sebastiani. Verilog2smv: A tool for word-level verification. In Design Automation Test in Europe Conference Exhibition, pages 1156–1159, 2016.
[17] Steve Kilts. Static timing analysis. Advanced FPGA Design: Architecture, Implementation, and Optimization, pages 269–278.
[18] M Morris Mano and Charles R Kime. Logic and computer design fundamentals, volume 3. Prentice Hall, 2008.
[19] Clive Maxfield. Bebop to the Boolean boogie: an unconventional guide to electronics. Newnes, 2008.
[20] Iain McNally. Race hazards and clock skew. Available online: http://users.ecs.soton.ac.uk/bim/notes/cad/guides/cross_simulation.html, 2011.
[21] Santiago Mok. Propagation delay approximation considering effective capacitance and slew degradation. Technical Report, UCLA, 2011.
[22] Debdeep Mukhopadhyay and Rajat Subhra Chakraborty. Hardware security: Design, threats, and safeguards. Chapman and Hall/CRC, 2014.
[23] VLSI n EDA. Setup time and hold time basics. Available online: http://vlsiuniverse.blogspot.com/2013/06/setup-and-hold-basics-of-timing-analysis.html. 2013.
[24] JW Nilsson and JR Evans. PSPICE manual using orcad release 9.2 for introductory circuits, 2002.
[25] David A Patterson and John L Hennessy. Computer organization and design. zadnje izdanje, 1994.
[26] Slide Player. Digital circuits. Available online: http://users.ecs.soton.ac.uk/bim/notes/cad/guides/cross_simulation.html/. 2016.
[27] Jan M Rabaey, Anantha P Chandrakasan, and Borivoje Nikolic. Digital integrated circuits, volume 2. Prentice hall Englewood Cliffs, 2002.
[28] Behzad Razavi. Design of Analog CMOS Integrated Circuits. Tata McGraw-Hill Education, 2002.
[29] Ramzi Ben Salah, Marius Bozga, and Oded Maler. On timing analysis of combinational circuits. In International Conference on Formal Modeling and Analysis of Timed Systems, pages 204–218. Springer, 2003.
[30] Resve Saleh, Shyh-Jye Jou, and A Richard Newton. Gate-level simulation. In Mixed-Mode Simulation and Analog Multilevel Simulation, pages 123–152. Springer, 1994.
[31] S. Shiraz and O. Hasan. A library for combinational circuit verification using the hol theorem prover. IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, 37(2):512–516, 2018.
[32] Savas Takan, Berkin Guler, and Tolga Ayav. Model checker-based delay fault testing of sequential circuits. In Architecture of Computing Systems. Proceedings, ARCS 2015-The 28th International Conference on, pages 1–7. VDE, 2015.
[33] Quartus Prime Standard Edition Handbook Volume. 1: Design and synthesis. Altera Corporation, May, 4, 2015.
[34] Sheng Wei, Saro Meguerdichian, and Miodrag Potkonjak. Malicious circuitry detection using thermal conditioning. IEEE Transactions on Information Forensics and Security, 6(3):1136–1145, 2011.
[35] Neil HE Weste and David Harris. CMOS VLSI design: A circuits and systems perspective. Pearson Education India, 2015.