---
_id: '4468'
abstract:
- lang: eng
text: Giotto is a high-level programming language for time-triggered control applications.
The authors begin with a conceptual overview of its methodology, discuss the Giotto
helicopter project, and summarize available Giotto implementations.
acknowledgement: We thank Niklaus Wirth and Walter Schaufelberger for their advice
and support of the reengineering effort of the ETH Zurich helicopter control system
using Giotto. This research was supported in part by DARPA SEC grant F33615-C-98–3614,
MARCO GSRC grant 98-DT-660, and AFOSR MURI grant F49620–00-1–0327. A preliminary
version of this article appeared as [1].
article_processing_charge: No
article_type: original
author:
- first_name: Thomas A
full_name: Henzinger, Thomas A
id: 40876CD8-F248-11E8-B48F-1D18A9856A87
last_name: Henzinger
orcid: 0000−0002−2985−7724
- first_name: Christoph
full_name: Kirsch, Christoph
last_name: Kirsch
- first_name: Marco
full_name: Sanvido, Marco
last_name: Sanvido
- first_name: Wolfgang
full_name: Pree, Wolfgang
last_name: Pree
citation:
ama: Henzinger TA, Kirsch C, Sanvido M, Pree W. From control models to real-time
code using Giotto. IEEE Control Systems Magazine. 2003;23(1):50-64. doi:10.1109/MCS.2003.1172829
apa: Henzinger, T. A., Kirsch, C., Sanvido, M., & Pree, W. (2003). From control
models to real-time code using Giotto. IEEE Control Systems Magazine. IEEE.
https://doi.org/10.1109/MCS.2003.1172829
chicago: Henzinger, Thomas A, Christoph Kirsch, Marco Sanvido, and Wolfgang Pree.
“From Control Models to Real-Time Code Using Giotto.” IEEE Control Systems
Magazine. IEEE, 2003. https://doi.org/10.1109/MCS.2003.1172829.
ieee: T. A. Henzinger, C. Kirsch, M. Sanvido, and W. Pree, “From control models
to real-time code using Giotto,” IEEE Control Systems Magazine, vol. 23,
no. 1. IEEE, pp. 50–64, 2003.
ista: Henzinger TA, Kirsch C, Sanvido M, Pree W. 2003. From control models to real-time
code using Giotto. IEEE Control Systems Magazine. 23(1), 50–64.
mla: Henzinger, Thomas A., et al. “From Control Models to Real-Time Code Using Giotto.”
IEEE Control Systems Magazine, vol. 23, no. 1, IEEE, 2003, pp. 50–64, doi:10.1109/MCS.2003.1172829.
short: T.A. Henzinger, C. Kirsch, M. Sanvido, W. Pree, IEEE Control Systems Magazine
23 (2003) 50–64.
date_created: 2018-12-11T12:09:00Z
date_published: 2003-01-29T00:00:00Z
date_updated: 2024-01-08T10:54:53Z
day: '29'
doi: 10.1109/MCS.2003.1172829
extern: '1'
intvolume: ' 23'
issue: '1'
language:
- iso: eng
month: '01'
oa_version: None
page: 50 - 64
publication: IEEE Control Systems Magazine
publication_identifier:
issn:
- '1066-033X '
publication_status: published
publisher: IEEE
publist_id: '260'
quality_controlled: '1'
scopus_import: '1'
status: public
title: From control models to real-time code using Giotto
type: journal_article
user_id: ea97e931-d5af-11eb-85d4-e6957dddbf17
volume: 23
year: '2003'
...
---
_id: '4465'
abstract:
- lang: eng
text: Giotto is a principled, tool-supported design methodology for implementing
embedded control systems on platforms of possibly distributed sensors, actuators,
CPUs, and networks. Giotto is based on the principle that time-triggered task
invocations plus time-triggered mode switches can form the abstract essence of
programming real-time control systems. Giotto consists of a programming language
with a formal semantics, and a retargetable compiler and runtime library. Giotto
supports the automation of control system design by strictly separating platform-independent
functionality and timing concerns from platform-dependent scheduling and communication
issues. The time-triggered predictability of Giotto makes it particularly suitable
for safety-critical applications with hard real-time constraints. We illustrate
the platform independence and time-triggered execution of Giotto by coordinating
a heterogeneous flock of Intel x86 robots and Lego Mindstorms robots.
article_processing_charge: No
author:
- first_name: Thomas A
full_name: Henzinger, Thomas A
id: 40876CD8-F248-11E8-B48F-1D18A9856A87
last_name: Henzinger
orcid: 0000−0002−2985−7724
- first_name: Benjamin
full_name: Horowitz, Benjamin
last_name: Horowitz
- first_name: Christoph
full_name: Kirsch, Christoph
last_name: Kirsch
citation:
ama: 'Henzinger TA, Horowitz B, Kirsch C. Embedded control systems development with
Giotto. In: Software-Enabled Control: Information Technology for Dynamical
Systems. Wiley-Blackwell; 2003:123-146. doi:10.1002/047172288X.ch8'
apa: 'Henzinger, T. A., Horowitz, B., & Kirsch, C. (2003). Embedded control
systems development with Giotto. In Software-Enabled Control: Information Technology
for Dynamical Systems (pp. 123–146). Wiley-Blackwell. https://doi.org/10.1002/047172288X.ch8'
chicago: 'Henzinger, Thomas A, Benjamin Horowitz, and Christoph Kirsch. “Embedded
Control Systems Development with Giotto.” In Software-Enabled Control: Information
Technology for Dynamical Systems, 123–46. Wiley-Blackwell, 2003. https://doi.org/10.1002/047172288X.ch8.'
ieee: 'T. A. Henzinger, B. Horowitz, and C. Kirsch, “Embedded control systems development
with Giotto,” in Software-Enabled Control: Information Technology for Dynamical
Systems, Wiley-Blackwell, 2003, pp. 123–146.'
ista: 'Henzinger TA, Horowitz B, Kirsch C. 2003.Embedded control systems development
with Giotto. In: Software-Enabled Control: Information Technology for Dynamical
Systems. , 123–146.'
mla: 'Henzinger, Thomas A., et al. “Embedded Control Systems Development with Giotto.”
Software-Enabled Control: Information Technology for Dynamical Systems,
Wiley-Blackwell, 2003, pp. 123–46, doi:10.1002/047172288X.ch8.'
short: 'T.A. Henzinger, B. Horowitz, C. Kirsch, in:, Software-Enabled Control: Information
Technology for Dynamical Systems, Wiley-Blackwell, 2003, pp. 123–146.'
date_created: 2018-12-11T12:08:59Z
date_published: 2003-05-20T00:00:00Z
date_updated: 2024-01-08T12:24:01Z
day: '20'
doi: 10.1002/047172288X.ch8
extern: '1'
language:
- iso: eng
month: '05'
oa_version: None
page: 123 - 146
publication: 'Software-Enabled Control: Information Technology for Dynamical Systems'
publication_identifier:
isbn:
- '9780471234364 '
publication_status: published
publisher: Wiley-Blackwell
publist_id: '262'
quality_controlled: '1'
status: public
title: Embedded control systems development with Giotto
type: book_chapter
user_id: ea97e931-d5af-11eb-85d4-e6957dddbf17
year: '2003'
...
---
_id: '4466'
abstract:
- lang: eng
text: One source of complexity in the μ-calculus is its ability to specify an unbounded
number of switches between universal (AX) and existential (EX) branching modes.
We therefore study the problems of satisfiability, validity, model checking, and
implication for the universal and existential fragments of the μ-calculus, in
which only one branching mode is allowed. The universal fragment is rich enough
to express most specifications of interest, and therefore improved algorithms
are of practical importance. We show that while the satisfiability and validity
problems become indeed simpler for the existential and universal fragments, this
is, unfortunately, not the case for model checking and implication. We also show
the corresponding results for the alternationfree fragment of the μ-calculus,
where no alternations between least and greatest fixed points are allowed. Our
results imply that efforts to find a polynomial-time model-checking algorithm
for the μ-calculus can be replaced by efforts to find such an algorithm for the
universal or existential fragment.
acknowledgement: This work was supported in part by NSF grant CCR-9988172, the AFOSR
MURI grant F49620-00-1-0327, and a Microsoft Research Fellowship.
alternative_title:
- LNCS
article_processing_charge: No
author:
- first_name: Thomas A
full_name: Henzinger, Thomas A
id: 40876CD8-F248-11E8-B48F-1D18A9856A87
last_name: Henzinger
orcid: 0000−0002−2985−7724
- first_name: Orna
full_name: Kupferman, Orna
last_name: Kupferman
- first_name: Ritankar
full_name: Majumdar, Ritankar
last_name: Majumdar
citation:
ama: 'Henzinger TA, Kupferman O, Majumdar R. On the universal and existential fragments
of the mu-calculus. In: Proceedings of the 9th International Conference on
Tools and Algorithms for the Construction and Analysis of Systems . Vol 2619.
Springer; 2003:49-64. doi:10.1007/3-540-36577-X_5'
apa: 'Henzinger, T. A., Kupferman, O., & Majumdar, R. (2003). On the universal
and existential fragments of the mu-calculus. In Proceedings of the 9th International
Conference on Tools and Algorithms for the Construction and Analysis of Systems
(Vol. 2619, pp. 49–64). Warsaw, Poland: Springer. https://doi.org/10.1007/3-540-36577-X_5'
chicago: Henzinger, Thomas A, Orna Kupferman, and Ritankar Majumdar. “On the Universal
and Existential Fragments of the Mu-Calculus.” In Proceedings of the 9th International
Conference on Tools and Algorithms for the Construction and Analysis of Systems
, 2619:49–64. Springer, 2003. https://doi.org/10.1007/3-540-36577-X_5.
ieee: T. A. Henzinger, O. Kupferman, and R. Majumdar, “On the universal and existential
fragments of the mu-calculus,” in Proceedings of the 9th International Conference
on Tools and Algorithms for the Construction and Analysis of Systems , Warsaw,
Poland, 2003, vol. 2619, pp. 49–64.
ista: 'Henzinger TA, Kupferman O, Majumdar R. 2003. On the universal and existential
fragments of the mu-calculus. Proceedings of the 9th International Conference
on Tools and Algorithms for the Construction and Analysis of Systems . TACAS:
Tools and Algorithms for the Construction and Analysis of Systems, LNCS, vol.
2619, 49–64.'
mla: Henzinger, Thomas A., et al. “On the Universal and Existential Fragments of
the Mu-Calculus.” Proceedings of the 9th International Conference on Tools
and Algorithms for the Construction and Analysis of Systems , vol. 2619, Springer,
2003, pp. 49–64, doi:10.1007/3-540-36577-X_5.
short: T.A. Henzinger, O. Kupferman, R. Majumdar, in:, Proceedings of the 9th International
Conference on Tools and Algorithms for the Construction and Analysis of Systems
, Springer, 2003, pp. 49–64.
conference:
end_date: 2003-04-11
location: Warsaw, Poland
name: 'TACAS: Tools and Algorithms for the Construction and Analysis of Systems'
start_date: 2003-04-07
date_created: 2018-12-11T12:08:59Z
date_published: 2003-03-14T00:00:00Z
date_updated: 2024-01-08T13:17:35Z
day: '14'
doi: 10.1007/3-540-36577-X_5
extern: '1'
intvolume: ' 2619'
language:
- iso: eng
month: '03'
oa_version: None
page: 49 - 64
publication: 'Proceedings of the 9th International Conference on Tools and Algorithms
for the Construction and Analysis of Systems '
publication_identifier:
isbn:
- '9783540008989'
publication_status: published
publisher: Springer
publist_id: '263'
quality_controlled: '1'
status: public
title: On the universal and existential fragments of the mu-calculus
type: conference
user_id: ea97e931-d5af-11eb-85d4-e6957dddbf17
volume: 2619
year: '2003'
...
---
_id: '4467'
abstract:
- lang: eng
text: 'BLAST (the Berkeley Lazy Abstraction Software verification Tool) is a verification
system for checking safety properties of C programs using automatic property-driven
construction and model checking of software abstractions. Blast implements an
abstract-model check-refine loop to check for reachability of a specified label
in the program. The abstract model is built on the fly using predicate abstraction.
This model is then checked for reachability. If there is no (abstract) path to
the specified error label, Blast reports that the system is safe and produces
a succinct proof. Otherwise, it checks if the path is feasible using symbolic
execution of the program. If the path is feasible, Blast outputs the path as an
error trace, otherwise, it uses the infeasibility of the path to refine the abstract
model. Blast short-circuits the loop from abstraction to verification to refinement,
integrating the three steps tightly through “lazy abstraction” [5]. This integration
can offer significant advantages in performance by avoiding the repetition of
work from one iteration of the loop to the next. '
acknowledgement: This work was supported in part by the NSF grants CCR-0085949 and
CCR-9988172, the DARPA PCES grant F33615-00-C-1693, the MARCO GSRC grant 98-DT-660,
and a Microsoft Research Fellowship.
alternative_title:
- LNCS
article_processing_charge: No
author:
- first_name: Thomas A
full_name: Henzinger, Thomas A
id: 40876CD8-F248-11E8-B48F-1D18A9856A87
last_name: Henzinger
orcid: 0000−0002−2985−7724
- first_name: Ranjit
full_name: Jhala, Ranjit
last_name: Jhala
- first_name: Ritankar
full_name: Majumdar, Ritankar
last_name: Majumdar
- first_name: Grégoire
full_name: Sutre, Grégoire
last_name: Sutre
citation:
ama: 'Henzinger TA, Jhala R, Majumdar R, Sutre G. Software verification with BLAST.
In: Proceedings of the 10th International SPIN Workshop . Vol 2648. Springer;
2003:235-239. doi:10.1007/3-540-44829-2_17'
apa: 'Henzinger, T. A., Jhala, R., Majumdar, R., & Sutre, G. (2003). Software
verification with BLAST. In Proceedings of the 10th International SPIN Workshop
(Vol. 2648, pp. 235–239). Portland, OR, USA: Springer. https://doi.org/10.1007/3-540-44829-2_17'
chicago: Henzinger, Thomas A, Ranjit Jhala, Ritankar Majumdar, and Grégoire Sutre.
“Software Verification with BLAST.” In Proceedings of the 10th International
SPIN Workshop , 2648:235–39. Springer, 2003. https://doi.org/10.1007/3-540-44829-2_17.
ieee: T. A. Henzinger, R. Jhala, R. Majumdar, and G. Sutre, “Software verification
with BLAST,” in Proceedings of the 10th International SPIN Workshop , Portland,
OR, USA, 2003, vol. 2648, pp. 235–239.
ista: 'Henzinger TA, Jhala R, Majumdar R, Sutre G. 2003. Software verification with
BLAST. Proceedings of the 10th International SPIN Workshop . SPIN: Model Checking
Software, LNCS, vol. 2648, 235–239.'
mla: Henzinger, Thomas A., et al. “Software Verification with BLAST.” Proceedings
of the 10th International SPIN Workshop , vol. 2648, Springer, 2003, pp. 235–39,
doi:10.1007/3-540-44829-2_17.
short: T.A. Henzinger, R. Jhala, R. Majumdar, G. Sutre, in:, Proceedings of the
10th International SPIN Workshop , Springer, 2003, pp. 235–239.
conference:
end_date: 2003-05-10
location: Portland, OR, USA
name: 'SPIN: Model Checking Software'
start_date: 2003-05-09
date_created: 2018-12-11T12:09:00Z
date_published: 2003-04-28T00:00:00Z
date_updated: 2024-01-08T14:05:29Z
day: '28'
doi: 10.1007/3-540-44829-2_17
extern: '1'
intvolume: ' 2648'
language:
- iso: eng
month: '04'
oa_version: None
page: 235 - 239
publication: 'Proceedings of the 10th International SPIN Workshop '
publication_identifier:
isbn:
- '9783540401179'
publication_status: published
publisher: Springer
publist_id: '264'
quality_controlled: '1'
scopus_import: '1'
status: public
title: Software verification with BLAST
type: conference
user_id: ea97e931-d5af-11eb-85d4-e6957dddbf17
volume: 2648
year: '2003'
...
---
_id: '4463'
abstract:
- lang: eng
text: We present an algorithm called TAR (“Thread-modular Abstraction Refinement”)
for model checking safety properties of concurrent software. The TAR algorithm
uses thread-modular assume-guarantee reasoning to overcome the exponential complexity
in the control state of multithreaded programs. Thread modularity means that TAR
explores the state space of one thread at a time, making assumptions about how
the environment can interfere. The TAR algorithm uses counterexample-guided predicate-abstraction
refinement to overcome the usually infinite complexity in the data state of C
programs. A successive approximation scheme automatically infers the necessary
precision on data variables as well as suitable environment assumptions. The scheme
is novel in that transition relations are approximated from above, while at the
same time environment assumptions are approximated from below. In our software
verification tool BLAST we have implemented a fully automatic race checker for
multithreaded C programs which is based on the TAR algorithm. This tool has verified
a wide variety of commonly used locking idioms, including locking schemes that
are not amenable to existing dynamic and static race checkers such as ERASER or
WARLOCK.
acknowledgement: This work was supported in part by the NSF grants CCR-0085949 and
CCR-0234690, the DARPA grant F33615-00-C-1693, and the MARCO grant 98-DT-660.
alternative_title:
- LNCS
article_processing_charge: No
author:
- first_name: Thomas A
full_name: Henzinger, Thomas A
id: 40876CD8-F248-11E8-B48F-1D18A9856A87
last_name: Henzinger
orcid: 0000−0002−2985−7724
- first_name: Ranjit
full_name: Jhala, Ranjit
last_name: Jhala
- first_name: Ritankar
full_name: Majumdar, Ritankar
last_name: Majumdar
- first_name: Shaz
full_name: Qadeer, Shaz
last_name: Qadeer
citation:
ama: 'Henzinger TA, Jhala R, Majumdar R, Qadeer S. Thread-modular abstraction refinement.
In: Proceedings of the 15th International Conference on Computer Aided Verification.
Vol 2725. Springer; 2003:262-274. doi:10.1007/978-3-540-45069-6_27'
apa: 'Henzinger, T. A., Jhala, R., Majumdar, R., & Qadeer, S. (2003). Thread-modular
abstraction refinement. In Proceedings of the 15th International Conference
on Computer Aided Verification (Vol. 2725, pp. 262–274). Boulder, CO, USA:
Springer. https://doi.org/10.1007/978-3-540-45069-6_27'
chicago: Henzinger, Thomas A, Ranjit Jhala, Ritankar Majumdar, and Shaz Qadeer.
“Thread-Modular Abstraction Refinement.” In Proceedings of the 15th International
Conference on Computer Aided Verification, 2725:262–74. Springer, 2003. https://doi.org/10.1007/978-3-540-45069-6_27.
ieee: T. A. Henzinger, R. Jhala, R. Majumdar, and S. Qadeer, “Thread-modular abstraction
refinement,” in Proceedings of the 15th International Conference on Computer
Aided Verification, Boulder, CO, USA, 2003, vol. 2725, pp. 262–274.
ista: 'Henzinger TA, Jhala R, Majumdar R, Qadeer S. 2003. Thread-modular abstraction
refinement. Proceedings of the 15th International Conference on Computer Aided
Verification. CAV: Computer Aided Verification, LNCS, vol. 2725, 262–274.'
mla: Henzinger, Thomas A., et al. “Thread-Modular Abstraction Refinement.” Proceedings
of the 15th International Conference on Computer Aided Verification, vol.
2725, Springer, 2003, pp. 262–74, doi:10.1007/978-3-540-45069-6_27.
short: T.A. Henzinger, R. Jhala, R. Majumdar, S. Qadeer, in:, Proceedings of the
15th International Conference on Computer Aided Verification, Springer, 2003,
pp. 262–274.
conference:
end_date: 2003-07-12
location: Boulder, CO, USA
name: 'CAV: Computer Aided Verification'
start_date: 2003-07-08
date_created: 2018-12-11T12:08:59Z
date_published: 2003-06-27T00:00:00Z
date_updated: 2024-01-10T11:05:53Z
day: '27'
doi: 10.1007/978-3-540-45069-6_27
extern: '1'
intvolume: ' 2725'
language:
- iso: eng
month: '06'
oa_version: None
page: 262 - 274
publication: Proceedings of the 15th International Conference on Computer Aided Verification
publication_identifier:
isbn:
- '9783540405245'
publication_status: published
publisher: Springer
publist_id: '266'
quality_controlled: '1'
status: public
title: Thread-modular abstraction refinement
type: conference
user_id: ea97e931-d5af-11eb-85d4-e6957dddbf17
volume: 2725
year: '2003'
...
---
_id: '4462'
abstract:
- lang: eng
text: 'A major hurdle in the algorithmic verification and control of systems is
the need to find suitable abstract models, which omit enough details to overcome
the state-explosion problem, but retain enough details to exhibit satisfaction
or controllability with respect to the specification. The paradigm of counterexample-guided
abstraction refinement suggests a fully automatic way of finding suitable abstract
models: one starts with a coarse abstraction, attempts to verify or control the
abstract model, and if this attempt fails and the abstract counterexample does
not correspond to a concrete counterexample, then one uses the spurious counterexample
to guide the refinement of the abstract model. We present a counterexample-guided
refinement algorithm for solving ω-regular control objectives. The main difficulty
is that in control, unlike in verification, counterexamples are strategies in
a game between system and controller. In the case that the controller has no choices,
our scheme subsumes known counterexample-guided refinement algorithms for the
verification of ω-regular specifications. Our algorithm is useful in all situations
where ω-regular games need to be solved, such as supervisory control, sequential
and program synthesis, and modular verification. The algorithm is fully symbolic,
and therefore applicable also to infinite-state systems.'
acknowledgement: This research was supported in part by the DARPA SEC grant F33615-C-98-3614,
the ONR grant N00014-02-1-0671, and the NSF grants CCR-9988172, CCR-0085949, and
CCR-0225610.
alternative_title:
- LNCS
article_processing_charge: No
author:
- first_name: Thomas A
full_name: Henzinger, Thomas A
id: 40876CD8-F248-11E8-B48F-1D18A9856A87
last_name: Henzinger
orcid: 0000−0002−2985−7724
- first_name: Ranjit
full_name: Jhala, Ranjit
last_name: Jhala
- first_name: Ritankar
full_name: Majumdar, Ritankar
last_name: Majumdar
citation:
ama: 'Henzinger TA, Jhala R, Majumdar R. Counterexample-guided control. In: Proceedings
of the 30th International Colloquium on Automata, Languages and Programming.
Vol 2719. Springer; 2003:886-902. doi:10.1007/3-540-45061-0_69'
apa: 'Henzinger, T. A., Jhala, R., & Majumdar, R. (2003). Counterexample-guided
control. In Proceedings of the 30th International Colloquium on Automata, Languages
and Programming (Vol. 2719, pp. 886–902). Eindhoven, The Netherlands: Springer.
https://doi.org/10.1007/3-540-45061-0_69'
chicago: Henzinger, Thomas A, Ranjit Jhala, and Ritankar Majumdar. “Counterexample-Guided
Control.” In Proceedings of the 30th International Colloquium on Automata,
Languages and Programming, 2719:886–902. Springer, 2003. https://doi.org/10.1007/3-540-45061-0_69.
ieee: T. A. Henzinger, R. Jhala, and R. Majumdar, “Counterexample-guided control,”
in Proceedings of the 30th International Colloquium on Automata, Languages
and Programming, Eindhoven, The Netherlands, 2003, vol. 2719, pp. 886–902.
ista: 'Henzinger TA, Jhala R, Majumdar R. 2003. Counterexample-guided control. Proceedings
of the 30th International Colloquium on Automata, Languages and Programming. ICALP:
Automata, Languages and Programming, LNCS, vol. 2719, 886–902.'
mla: Henzinger, Thomas A., et al. “Counterexample-Guided Control.” Proceedings
of the 30th International Colloquium on Automata, Languages and Programming,
vol. 2719, Springer, 2003, pp. 886–902, doi:10.1007/3-540-45061-0_69.
short: T.A. Henzinger, R. Jhala, R. Majumdar, in:, Proceedings of the 30th International
Colloquium on Automata, Languages and Programming, Springer, 2003, pp. 886–902.
conference:
end_date: 2003-07-04
location: Eindhoven, The Netherlands
name: 'ICALP: Automata, Languages and Programming'
start_date: 2003-06-30
date_created: 2018-12-11T12:08:58Z
date_published: 2003-06-25T00:00:00Z
date_updated: 2024-01-10T11:19:41Z
day: '25'
doi: 10.1007/3-540-45061-0_69
extern: '1'
intvolume: ' 2719'
language:
- iso: eng
month: '06'
oa_version: None
page: 886 - 902
publication: Proceedings of the 30th International Colloquium on Automata, Languages
and Programming
publication_identifier:
isbn:
- '9783540404934'
publication_status: published
publisher: Springer
publist_id: '265'
quality_controlled: '1'
scopus_import: '1'
status: public
title: Counterexample-guided control
type: conference
user_id: ea97e931-d5af-11eb-85d4-e6957dddbf17
volume: 2719
year: '2003'
...
---
_id: '4464'
abstract:
- lang: eng
text: We introduce the paradigm of schedule-carrying code (SCC). A hard real-time
program can be executed on a given platform only if there exists a feasible schedule
for the real-time tasks of the program. Traditionally, a scheduler determines
the existence of a feasible schedule according to some scheduling strategy. With
SCC, a compiler proves the existence of a feasible schedule by generating executable
code that is attached to the program and represents its schedule. An SCC executable
is a real-time program that carries its schedule as code, which is produced once
and can be revalidated and executed with each use. We evaluate SCC both in theory
and practice. In theory, we give two scenarios, of nonpreemptive and distributed
scheduling for Giotto programs, where the generation of a feasible schedule is
hard, while the validation of scheduling instructions that are attached to the
programs is easy. In practice, we implement SCC and show that explicit scheduling
instructions can reduce the scheduling overhead up to 35% and can provide an efficient,
flexible, and verifiable means for compiling Giotto programs on complex architectures,
such as the TTA.
acknowledgement: This work was supported by the AFOSR MURI grant F49620-00-1-0327,
the California MICRO grant 01-037, the DARPA grant F33615-C-98-3614, the MARCO grant
98-DT-660, and the NSF grants CCR-0208875, CCR-0085949, and CCR-0225610.
alternative_title:
- LNCS
article_processing_charge: No
author:
- first_name: Thomas A
full_name: Henzinger, Thomas A
id: 40876CD8-F248-11E8-B48F-1D18A9856A87
last_name: Henzinger
orcid: 0000−0002−2985−7724
- first_name: Christoph
full_name: Kirsch, Christoph
last_name: Kirsch
- first_name: Slobodan
full_name: Matic, Slobodan
last_name: Matic
citation:
ama: 'Henzinger TA, Kirsch C, Matic S. Schedule-carrying code. In: Proceedings
of the 3rd International Conference on Embedded Software. Vol 2855. ACM; 2003:241-256.
doi:10.1007/978-3-540-45212-6_16'
apa: 'Henzinger, T. A., Kirsch, C., & Matic, S. (2003). Schedule-carrying code.
In Proceedings of the 3rd International Conference on Embedded Software
(Vol. 2855, pp. 241–256). Philadelphia, PA, USA: ACM. https://doi.org/10.1007/978-3-540-45212-6_16'
chicago: Henzinger, Thomas A, Christoph Kirsch, and Slobodan Matic. “Schedule-Carrying
Code.” In Proceedings of the 3rd International Conference on Embedded Software,
2855:241–56. ACM, 2003. https://doi.org/10.1007/978-3-540-45212-6_16.
ieee: T. A. Henzinger, C. Kirsch, and S. Matic, “Schedule-carrying code,” in Proceedings
of the 3rd International Conference on Embedded Software, Philadelphia, PA,
USA, 2003, vol. 2855, pp. 241–256.
ista: 'Henzinger TA, Kirsch C, Matic S. 2003. Schedule-carrying code. Proceedings
of the 3rd International Conference on Embedded Software. EMSOFT: Embedded Software
, LNCS, vol. 2855, 241–256.'
mla: Henzinger, Thomas A., et al. “Schedule-Carrying Code.” Proceedings of the
3rd International Conference on Embedded Software, vol. 2855, ACM, 2003, pp.
241–56, doi:10.1007/978-3-540-45212-6_16.
short: T.A. Henzinger, C. Kirsch, S. Matic, in:, Proceedings of the 3rd International
Conference on Embedded Software, ACM, 2003, pp. 241–256.
conference:
end_date: 2003-10-15
location: Philadelphia, PA, USA
name: 'EMSOFT: Embedded Software '
start_date: 2003-10-13
date_created: 2018-12-11T12:08:59Z
date_published: 2003-09-29T00:00:00Z
date_updated: 2024-01-10T11:33:57Z
day: '29'
doi: 10.1007/978-3-540-45212-6_16
extern: '1'
intvolume: ' 2855'
language:
- iso: eng
month: '09'
oa_version: None
page: 241 - 256
publication: Proceedings of the 3rd International Conference on Embedded Software
publication_identifier:
isbn:
- '9783540202233'
publication_status: published
publisher: ACM
publist_id: '267'
quality_controlled: '1'
scopus_import: '1'
status: public
title: Schedule-carrying code
type: conference
user_id: ea97e931-d5af-11eb-85d4-e6957dddbf17
volume: 2855
year: '2003'
...
---
_id: '4460'
abstract:
- lang: eng
text: "Symbolic model checking, which enables the automatic verification of large
systems, proceeds by calculating expressions that represent state sets. Traditionally,
symbolic model-checking tools are based on back- ward state traversal; their basic
operation is the function pre, which, given a set of states, returns the set of
all predecessor states. This is because specifiers usually employ formalisms with
future-time modalities, which are naturally evaluated by iterating applications
of pre. It has been shown experimentally that symbolic model checking can perform
significantly better if it is based, instead, on forward state traversal; in this
case, the basic operation is the function post, which, given a set of states,
returns the set of all successor states. This is because forward state traversal
can ensure that only parts of the state space that are reachable from an initial
state and relevant for the satisfaction or violation of the specification are
explored; that is, errors can be detected as soon as possible.\r\nIn this paper,
we investigate which specifications can be checked by symbolic forward state traversal.
We formulate the problems of symbolic backward and forward model checking by means
of two μ-calculi. The pre-μ calculus is based on the pre operation, and the post-μ
calculus is based on the post operation. These two μ-calculi induce query logics,
which augment fixpoint expressions with a boolean emptiness query. Using query
logics, we are able to relate and compare the symbolic backward and forward approaches.
In particular, we prove that all ω-regular (linear-time) specifications can be
expressed as post-μ queries, and therefore checked using symbolic forward state
traversal. On the other hand, we show that there are simple branching-time specifications
that cannot be checked in this way."
acknowledgement: This research was supported in part by the SRC contract 99-TJ-683.003
and the NSF grant CCR-9988172.
article_processing_charge: No
article_type: original
author:
- first_name: Thomas A
full_name: Henzinger, Thomas A
id: 40876CD8-F248-11E8-B48F-1D18A9856A87
last_name: Henzinger
orcid: 0000−0002−2985−7724
- first_name: Orna
full_name: Kupferman, Orna
last_name: Kupferman
- first_name: Shaz
full_name: Qadeer, Shaz
last_name: Qadeer
citation:
ama: Henzinger TA, Kupferman O, Qadeer S. From pre-historic to post-modern symbolic
model checking. Formal Methods in System Design. 2003;23(3):303-327. doi:10.1023/A:1026228213080
apa: Henzinger, T. A., Kupferman, O., & Qadeer, S. (2003). From pre-historic
to post-modern symbolic model checking. Formal Methods in System Design.
Springer. https://doi.org/10.1023/A:1026228213080
chicago: Henzinger, Thomas A, Orna Kupferman, and Shaz Qadeer. “From Pre-Historic
to Post-Modern Symbolic Model Checking.” Formal Methods in System Design.
Springer, 2003. https://doi.org/10.1023/A:1026228213080.
ieee: T. A. Henzinger, O. Kupferman, and S. Qadeer, “From pre-historic to post-modern
symbolic model checking,” Formal Methods in System Design, vol. 23, no.
3. Springer, pp. 303–327, 2003.
ista: Henzinger TA, Kupferman O, Qadeer S. 2003. From pre-historic to post-modern
symbolic model checking. Formal Methods in System Design. 23(3), 303–327.
mla: Henzinger, Thomas A., et al. “From Pre-Historic to Post-Modern Symbolic Model
Checking.” Formal Methods in System Design, vol. 23, no. 3, Springer, 2003,
pp. 303–27, doi:10.1023/A:1026228213080.
short: T.A. Henzinger, O. Kupferman, S. Qadeer, Formal Methods in System Design
23 (2003) 303–327.
date_created: 2018-12-11T12:08:58Z
date_published: 2003-06-20T00:00:00Z
date_updated: 2024-01-10T11:50:31Z
day: '20'
doi: 10.1023/A:1026228213080
extern: '1'
intvolume: ' 23'
issue: '3'
language:
- iso: eng
month: '06'
oa_version: None
page: 303 - 327
publication: Formal Methods in System Design
publication_identifier:
issn:
- 0925-9856
publication_status: published
publisher: Springer
publist_id: '268'
quality_controlled: '1'
scopus_import: '1'
status: public
title: From pre-historic to post-modern symbolic model checking
type: journal_article
user_id: ea97e931-d5af-11eb-85d4-e6957dddbf17
volume: 23
year: '2003'
...
---
_id: '4469'
abstract:
- lang: eng
text: Giotto provides an abstract programmer's model for the implementation of embedded
control systems with hard real-time constraints. A typical control application
consists of periodic software tasks together with a mode-switching logic for enabling
and disabling tasks. Giotto specifies time-triggered sensor readings, task invocations,
actuator updates, and mode switches independent of any implementation platform.
Giotto can be annotated with platform constraints such as task-to-host mappings,
and task and communication schedules. The annotations are directives for the Giotto
compiler, but they do not alter the functionality and timing of a Giotto program.
By separating the platform-independent from the platform-dependent concerns, Giotto
enables a great deal of flexibility in choosing control platforms as well as a
great deal of automation in the validation and synthesis of control software.
The time-triggered nature of Giotto achieves timing predictability, which makes
Giotto particularly suitable for safety-critical applications.
acknowledgement: The authors would like to thank R. Majumdar for implementing a prototype
Giotto compiler for Lego Mindstorms robots. They would like to thank D. Derevyanko
and W. Williams for building the Intel x86 robots; and E. Lee and X. Liu for help
with implementing Giotto as a “model of computation” in Ptolemy II [26]. Finally,
they would also like to thank M. Sanvido for his suggestions on the design of the
Giotto drivers; and P. Griffiths for implementing the functionality code of the
electronic throttle controller.
article_processing_charge: No
article_type: original
author:
- first_name: Thomas A
full_name: Henzinger, Thomas A
id: 40876CD8-F248-11E8-B48F-1D18A9856A87
last_name: Henzinger
orcid: 0000−0002−2985−7724
- first_name: Benjamin
full_name: Horowitz, Benjamin
last_name: Horowitz
- first_name: Christoph
full_name: Kirsch, Christoph
last_name: Kirsch
citation:
ama: 'Henzinger TA, Horowitz B, Kirsch C. Giotto: A time-triggered language for
embedded programming. Proceedings of the IEEE. 2003;91(1):84-99. doi:10.1109/JPROC.2002.805825'
apa: 'Henzinger, T. A., Horowitz, B., & Kirsch, C. (2003). Giotto: A time-triggered
language for embedded programming. Proceedings of the IEEE. IEEE. https://doi.org/10.1109/JPROC.2002.805825'
chicago: 'Henzinger, Thomas A, Benjamin Horowitz, and Christoph Kirsch. “Giotto:
A Time-Triggered Language for Embedded Programming.” Proceedings of the IEEE.
IEEE, 2003. https://doi.org/10.1109/JPROC.2002.805825.'
ieee: 'T. A. Henzinger, B. Horowitz, and C. Kirsch, “Giotto: A time-triggered language
for embedded programming,” Proceedings of the IEEE, vol. 91, no. 1. IEEE,
pp. 84–99, 2003.'
ista: 'Henzinger TA, Horowitz B, Kirsch C. 2003. Giotto: A time-triggered language
for embedded programming. Proceedings of the IEEE. 91(1), 84–99.'
mla: 'Henzinger, Thomas A., et al. “Giotto: A Time-Triggered Language for Embedded
Programming.” Proceedings of the IEEE, vol. 91, no. 1, IEEE, 2003, pp.
84–99, doi:10.1109/JPROC.2002.805825.'
short: T.A. Henzinger, B. Horowitz, C. Kirsch, Proceedings of the IEEE 91 (2003)
84–99.
date_created: 2018-12-11T12:09:00Z
date_published: 2003-01-29T00:00:00Z
date_updated: 2024-01-10T11:55:18Z
day: '29'
doi: 10.1109/JPROC.2002.805825
extern: '1'
intvolume: ' 91'
issue: '1'
language:
- iso: eng
month: '01'
oa_version: None
page: 84 - 99
publication: Proceedings of the IEEE
publication_identifier:
issn:
- '0018-9219 '
publication_status: published
publisher: IEEE
publist_id: '261'
quality_controlled: '1'
scopus_import: '1'
status: public
title: 'Giotto: A time-triggered language for embedded programming'
type: journal_article
user_id: ea97e931-d5af-11eb-85d4-e6957dddbf17
volume: 91
year: '2003'
...
---
_id: '4338'
abstract:
- lang: eng
text: 'Mosaic hybrid zones arise when ecologically differentiated taxa hybridize
across a network of habitat patches. Frequent interbreeding across a small-scale
patchwork can erode species differences that might have been preserved in a clinal
hybrid zone. In particular, the rapid breakdown of neutral divergence sets an
upper limit to the time for which differences at marker loci can persist. We present
here a case study of a mosaic hybrid zone between the fire-bellied toads Bombina
bombina and B. variegata (Anura: Discoglossidae) near Apahida in Romania. In our
20 × 20 km study area, we detected no evidence of a clinal transition but found
a strong association between aquatic habitat and mean allele frequencies at four
molecular markers. In particular, pure populations of B. bombina in ponds appear
to cause massive introgression into the surrounding B. variegata gene pool found
in temporary aquatic sites. Nevertheless, the genetic structure of these hybrid
populations was remarkably similar to those of a previously studied transect near
Pescenica (Croatia), which had both clinal and mosaic features: estimates of heterozygote
deficit and linkage disequilibrium in each country are similar. In Apahida, the
observed strong linkage disequilibria should stem from an imperfect habitat preference
that guides most (but not all) adults into the habitats to which they are adapted.
In the absence of a clinal structure, the inferred migration rate between habitats
implies that associations between selected loci and neutral markers should break
down rapidly. Although plausible selection strengths can maintain differentiation
at those loci adapting the toads to either permanent or temporary breeding sites,
the divergence at neutral markers must be transient. The hybrid zone may be approaching
a state in which the gene pools are homogenized at all but the selected loci,
not dissimilar from an early stage of sympatric divergence.'
acknowledgement: "We thank G. Mara and T. Galbena for enthusiastic field\r\nassistance,
A. Hofmann and R. Sieglstetter for access to their\r\nunpublished data, B. Fo¨rg-Brey
and G. Praetzel for help in\r\nthe lab. Helpful comments on a previous version of
the man-\r\nuscript were provided by R. Ennos, J. Szymura, F. Balloux,\r\nJ. Bridle,
L. Kruuk, F. Bonhomme, M. Arnold, and two anon-\r\nymous reviewers. We also thank
A. Pinggera for providing\r\nthe cover illustration. This work was supported by
Natural\r\nEnvironment Research Council studentships to THV and TRS\r\nand Deutsche
Forschungsgemeinschaft grant Nu 51/2-1 to BN."
article_processing_charge: No
article_type: original
author:
- first_name: Timothy
full_name: Vines, Timothy
last_name: Vines
- first_name: S C
full_name: Kohler, S C
last_name: Kohler
- first_name: M
full_name: Thiel, M
last_name: Thiel
- first_name: Ioan
full_name: Ghira, Ioan
last_name: Ghira
- first_name: T R
full_name: Sands, T R
last_name: Sands
- first_name: Catriona
full_name: Maccallum, Catriona
last_name: Maccallum
- first_name: Nicholas H
full_name: Barton, Nicholas H
id: 4880FE40-F248-11E8-B48F-1D18A9856A87
last_name: Barton
orcid: 0000-0002-8548-5240
- first_name: Beate
full_name: Nürnberger, Beate
last_name: Nürnberger
citation:
ama: Vines T, Kohler SC, Thiel M, et al. On the maintenance of reproductive isolation
in a mosaic hybrid zone between the toads Bombina bombina and B. variegata. Evolution.
2003;57(8):1876-1888. doi:10.1111/j.0014-3820.2003.tb00595.x
apa: Vines, T., Kohler, S. C., Thiel, M., Ghira, I., Sands, T. R., Maccallum, C.,
… Nürnberger, B. (2003). On the maintenance of reproductive isolation in a mosaic
hybrid zone between the toads Bombina bombina and B. variegata. Evolution.
Wiley-Blackwell. https://doi.org/10.1111/j.0014-3820.2003.tb00595.x
chicago: Vines, Timothy, S C Kohler, M Thiel, Ioan Ghira, T R Sands, Catriona Maccallum,
Nicholas H Barton, and Beate Nürnberger. “On the Maintenance of Reproductive Isolation
in a Mosaic Hybrid Zone between the Toads Bombina Bombina and B. Variegata.” Evolution.
Wiley-Blackwell, 2003. https://doi.org/10.1111/j.0014-3820.2003.tb00595.x.
ieee: T. Vines et al., “On the maintenance of reproductive isolation in a
mosaic hybrid zone between the toads Bombina bombina and B. variegata,” Evolution,
vol. 57, no. 8. Wiley-Blackwell, pp. 1876–1888, 2003.
ista: Vines T, Kohler SC, Thiel M, Ghira I, Sands TR, Maccallum C, Barton NH, Nürnberger
B. 2003. On the maintenance of reproductive isolation in a mosaic hybrid zone
between the toads Bombina bombina and B. variegata. Evolution. 57(8), 1876–1888.
mla: Vines, Timothy, et al. “On the Maintenance of Reproductive Isolation in a Mosaic
Hybrid Zone between the Toads Bombina Bombina and B. Variegata.” Evolution,
vol. 57, no. 8, Wiley-Blackwell, 2003, pp. 1876–88, doi:10.1111/j.0014-3820.2003.tb00595.x.
short: T. Vines, S.C. Kohler, M. Thiel, I. Ghira, T.R. Sands, C. Maccallum, N.H.
Barton, B. Nürnberger, Evolution 57 (2003) 1876–1888.
date_created: 2018-12-11T12:08:20Z
date_published: 2003-08-01T00:00:00Z
date_updated: 2024-01-23T09:16:43Z
day: '01'
doi: 10.1111/j.0014-3820.2003.tb00595.x
extern: '1'
intvolume: ' 57'
issue: '8'
language:
- iso: eng
month: '08'
oa_version: None
page: 1876 - 1888
publication: Evolution
publication_identifier:
issn:
- 0014-3820
publication_status: published
publisher: Wiley-Blackwell
publist_id: '1692'
quality_controlled: '1'
scopus_import: '1'
status: public
title: On the maintenance of reproductive isolation in a mosaic hybrid zone between
the toads Bombina bombina and B. variegata
type: journal_article
user_id: ea97e931-d5af-11eb-85d4-e6957dddbf17
volume: 57
year: '2003'
...