--- _id: '4468' abstract: - lang: eng text: Giotto is a high-level programming language for time-triggered control applications. The authors begin with a conceptual overview of its methodology, discuss the Giotto helicopter project, and summarize available Giotto implementations. acknowledgement: We thank Niklaus Wirth and Walter Schaufelberger for their advice and support of the reengineering effort of the ETH Zurich helicopter control system using Giotto. This research was supported in part by DARPA SEC grant F33615-C-98–3614, MARCO GSRC grant 98-DT-660, and AFOSR MURI grant F49620–00-1–0327. A preliminary version of this article appeared as [1]. article_processing_charge: No article_type: original author: - first_name: Thomas A full_name: Henzinger, Thomas A id: 40876CD8-F248-11E8-B48F-1D18A9856A87 last_name: Henzinger orcid: 0000−0002−2985−7724 - first_name: Christoph full_name: Kirsch, Christoph last_name: Kirsch - first_name: Marco full_name: Sanvido, Marco last_name: Sanvido - first_name: Wolfgang full_name: Pree, Wolfgang last_name: Pree citation: ama: Henzinger TA, Kirsch C, Sanvido M, Pree W. From control models to real-time code using Giotto. IEEE Control Systems Magazine. 2003;23(1):50-64. doi:10.1109/MCS.2003.1172829 apa: Henzinger, T. A., Kirsch, C., Sanvido, M., & Pree, W. (2003). From control models to real-time code using Giotto. IEEE Control Systems Magazine. IEEE. https://doi.org/10.1109/MCS.2003.1172829 chicago: Henzinger, Thomas A, Christoph Kirsch, Marco Sanvido, and Wolfgang Pree. “From Control Models to Real-Time Code Using Giotto.” IEEE Control Systems Magazine. IEEE, 2003. https://doi.org/10.1109/MCS.2003.1172829. ieee: T. A. Henzinger, C. Kirsch, M. Sanvido, and W. Pree, “From control models to real-time code using Giotto,” IEEE Control Systems Magazine, vol. 23, no. 1. IEEE, pp. 50–64, 2003. ista: Henzinger TA, Kirsch C, Sanvido M, Pree W. 2003. From control models to real-time code using Giotto. IEEE Control Systems Magazine. 23(1), 50–64. mla: Henzinger, Thomas A., et al. “From Control Models to Real-Time Code Using Giotto.” IEEE Control Systems Magazine, vol. 23, no. 1, IEEE, 2003, pp. 50–64, doi:10.1109/MCS.2003.1172829. short: T.A. Henzinger, C. Kirsch, M. Sanvido, W. Pree, IEEE Control Systems Magazine 23 (2003) 50–64. date_created: 2018-12-11T12:09:00Z date_published: 2003-01-29T00:00:00Z date_updated: 2024-01-08T10:54:53Z day: '29' doi: 10.1109/MCS.2003.1172829 extern: '1' intvolume: ' 23' issue: '1' language: - iso: eng month: '01' oa_version: None page: 50 - 64 publication: IEEE Control Systems Magazine publication_identifier: issn: - '1066-033X ' publication_status: published publisher: IEEE publist_id: '260' quality_controlled: '1' scopus_import: '1' status: public title: From control models to real-time code using Giotto type: journal_article user_id: ea97e931-d5af-11eb-85d4-e6957dddbf17 volume: 23 year: '2003' ... --- _id: '4465' abstract: - lang: eng text: Giotto is a principled, tool-supported design methodology for implementing embedded control systems on platforms of possibly distributed sensors, actuators, CPUs, and networks. Giotto is based on the principle that time-triggered task invocations plus time-triggered mode switches can form the abstract essence of programming real-time control systems. Giotto consists of a programming language with a formal semantics, and a retargetable compiler and runtime library. Giotto supports the automation of control system design by strictly separating platform-independent functionality and timing concerns from platform-dependent scheduling and communication issues. The time-triggered predictability of Giotto makes it particularly suitable for safety-critical applications with hard real-time constraints. We illustrate the platform independence and time-triggered execution of Giotto by coordinating a heterogeneous flock of Intel x86 robots and Lego Mindstorms robots. article_processing_charge: No author: - first_name: Thomas A full_name: Henzinger, Thomas A id: 40876CD8-F248-11E8-B48F-1D18A9856A87 last_name: Henzinger orcid: 0000−0002−2985−7724 - first_name: Benjamin full_name: Horowitz, Benjamin last_name: Horowitz - first_name: Christoph full_name: Kirsch, Christoph last_name: Kirsch citation: ama: 'Henzinger TA, Horowitz B, Kirsch C. Embedded control systems development with Giotto. In: Software-Enabled Control: Information Technology for Dynamical Systems. Wiley-Blackwell; 2003:123-146. doi:10.1002/047172288X.ch8' apa: 'Henzinger, T. A., Horowitz, B., & Kirsch, C. (2003). Embedded control systems development with Giotto. In Software-Enabled Control: Information Technology for Dynamical Systems (pp. 123–146). Wiley-Blackwell. https://doi.org/10.1002/047172288X.ch8' chicago: 'Henzinger, Thomas A, Benjamin Horowitz, and Christoph Kirsch. “Embedded Control Systems Development with Giotto.” In Software-Enabled Control: Information Technology for Dynamical Systems, 123–46. Wiley-Blackwell, 2003. https://doi.org/10.1002/047172288X.ch8.' ieee: 'T. A. Henzinger, B. Horowitz, and C. Kirsch, “Embedded control systems development with Giotto,” in Software-Enabled Control: Information Technology for Dynamical Systems, Wiley-Blackwell, 2003, pp. 123–146.' ista: 'Henzinger TA, Horowitz B, Kirsch C. 2003.Embedded control systems development with Giotto. In: Software-Enabled Control: Information Technology for Dynamical Systems. , 123–146.' mla: 'Henzinger, Thomas A., et al. “Embedded Control Systems Development with Giotto.” Software-Enabled Control: Information Technology for Dynamical Systems, Wiley-Blackwell, 2003, pp. 123–46, doi:10.1002/047172288X.ch8.' short: 'T.A. Henzinger, B. Horowitz, C. Kirsch, in:, Software-Enabled Control: Information Technology for Dynamical Systems, Wiley-Blackwell, 2003, pp. 123–146.' date_created: 2018-12-11T12:08:59Z date_published: 2003-05-20T00:00:00Z date_updated: 2024-01-08T12:24:01Z day: '20' doi: 10.1002/047172288X.ch8 extern: '1' language: - iso: eng month: '05' oa_version: None page: 123 - 146 publication: 'Software-Enabled Control: Information Technology for Dynamical Systems' publication_identifier: isbn: - '9780471234364 ' publication_status: published publisher: Wiley-Blackwell publist_id: '262' quality_controlled: '1' status: public title: Embedded control systems development with Giotto type: book_chapter user_id: ea97e931-d5af-11eb-85d4-e6957dddbf17 year: '2003' ... --- _id: '4466' abstract: - lang: eng text: One source of complexity in the μ-calculus is its ability to specify an unbounded number of switches between universal (AX) and existential (EX) branching modes. We therefore study the problems of satisfiability, validity, model checking, and implication for the universal and existential fragments of the μ-calculus, in which only one branching mode is allowed. The universal fragment is rich enough to express most specifications of interest, and therefore improved algorithms are of practical importance. We show that while the satisfiability and validity problems become indeed simpler for the existential and universal fragments, this is, unfortunately, not the case for model checking and implication. We also show the corresponding results for the alternationfree fragment of the μ-calculus, where no alternations between least and greatest fixed points are allowed. Our results imply that efforts to find a polynomial-time model-checking algorithm for the μ-calculus can be replaced by efforts to find such an algorithm for the universal or existential fragment. acknowledgement: This work was supported in part by NSF grant CCR-9988172, the AFOSR MURI grant F49620-00-1-0327, and a Microsoft Research Fellowship. alternative_title: - LNCS article_processing_charge: No author: - first_name: Thomas A full_name: Henzinger, Thomas A id: 40876CD8-F248-11E8-B48F-1D18A9856A87 last_name: Henzinger orcid: 0000−0002−2985−7724 - first_name: Orna full_name: Kupferman, Orna last_name: Kupferman - first_name: Ritankar full_name: Majumdar, Ritankar last_name: Majumdar citation: ama: 'Henzinger TA, Kupferman O, Majumdar R. On the universal and existential fragments of the mu-calculus. In: Proceedings of the 9th International Conference on Tools and Algorithms for the Construction and Analysis of Systems . Vol 2619. Springer; 2003:49-64. doi:10.1007/3-540-36577-X_5' apa: 'Henzinger, T. A., Kupferman, O., & Majumdar, R. (2003). On the universal and existential fragments of the mu-calculus. In Proceedings of the 9th International Conference on Tools and Algorithms for the Construction and Analysis of Systems (Vol. 2619, pp. 49–64). Warsaw, Poland: Springer. https://doi.org/10.1007/3-540-36577-X_5' chicago: Henzinger, Thomas A, Orna Kupferman, and Ritankar Majumdar. “On the Universal and Existential Fragments of the Mu-Calculus.” In Proceedings of the 9th International Conference on Tools and Algorithms for the Construction and Analysis of Systems , 2619:49–64. Springer, 2003. https://doi.org/10.1007/3-540-36577-X_5. ieee: T. A. Henzinger, O. Kupferman, and R. Majumdar, “On the universal and existential fragments of the mu-calculus,” in Proceedings of the 9th International Conference on Tools and Algorithms for the Construction and Analysis of Systems , Warsaw, Poland, 2003, vol. 2619, pp. 49–64. ista: 'Henzinger TA, Kupferman O, Majumdar R. 2003. On the universal and existential fragments of the mu-calculus. Proceedings of the 9th International Conference on Tools and Algorithms for the Construction and Analysis of Systems . TACAS: Tools and Algorithms for the Construction and Analysis of Systems, LNCS, vol. 2619, 49–64.' mla: Henzinger, Thomas A., et al. “On the Universal and Existential Fragments of the Mu-Calculus.” Proceedings of the 9th International Conference on Tools and Algorithms for the Construction and Analysis of Systems , vol. 2619, Springer, 2003, pp. 49–64, doi:10.1007/3-540-36577-X_5. short: T.A. Henzinger, O. Kupferman, R. Majumdar, in:, Proceedings of the 9th International Conference on Tools and Algorithms for the Construction and Analysis of Systems , Springer, 2003, pp. 49–64. conference: end_date: 2003-04-11 location: Warsaw, Poland name: 'TACAS: Tools and Algorithms for the Construction and Analysis of Systems' start_date: 2003-04-07 date_created: 2018-12-11T12:08:59Z date_published: 2003-03-14T00:00:00Z date_updated: 2024-01-08T13:17:35Z day: '14' doi: 10.1007/3-540-36577-X_5 extern: '1' intvolume: ' 2619' language: - iso: eng month: '03' oa_version: None page: 49 - 64 publication: 'Proceedings of the 9th International Conference on Tools and Algorithms for the Construction and Analysis of Systems ' publication_identifier: isbn: - '9783540008989' publication_status: published publisher: Springer publist_id: '263' quality_controlled: '1' status: public title: On the universal and existential fragments of the mu-calculus type: conference user_id: ea97e931-d5af-11eb-85d4-e6957dddbf17 volume: 2619 year: '2003' ... --- _id: '4467' abstract: - lang: eng text: 'BLAST (the Berkeley Lazy Abstraction Software verification Tool) is a verification system for checking safety properties of C programs using automatic property-driven construction and model checking of software abstractions. Blast implements an abstract-model check-refine loop to check for reachability of a specified label in the program. The abstract model is built on the fly using predicate abstraction. This model is then checked for reachability. If there is no (abstract) path to the specified error label, Blast reports that the system is safe and produces a succinct proof. Otherwise, it checks if the path is feasible using symbolic execution of the program. If the path is feasible, Blast outputs the path as an error trace, otherwise, it uses the infeasibility of the path to refine the abstract model. Blast short-circuits the loop from abstraction to verification to refinement, integrating the three steps tightly through “lazy abstraction” [5]. This integration can offer significant advantages in performance by avoiding the repetition of work from one iteration of the loop to the next. ' acknowledgement: This work was supported in part by the NSF grants CCR-0085949 and CCR-9988172, the DARPA PCES grant F33615-00-C-1693, the MARCO GSRC grant 98-DT-660, and a Microsoft Research Fellowship. alternative_title: - LNCS article_processing_charge: No author: - first_name: Thomas A full_name: Henzinger, Thomas A id: 40876CD8-F248-11E8-B48F-1D18A9856A87 last_name: Henzinger orcid: 0000−0002−2985−7724 - first_name: Ranjit full_name: Jhala, Ranjit last_name: Jhala - first_name: Ritankar full_name: Majumdar, Ritankar last_name: Majumdar - first_name: Grégoire full_name: Sutre, Grégoire last_name: Sutre citation: ama: 'Henzinger TA, Jhala R, Majumdar R, Sutre G. Software verification with BLAST. In: Proceedings of the 10th International SPIN Workshop . Vol 2648. Springer; 2003:235-239. doi:10.1007/3-540-44829-2_17' apa: 'Henzinger, T. A., Jhala, R., Majumdar, R., & Sutre, G. (2003). Software verification with BLAST. In Proceedings of the 10th International SPIN Workshop (Vol. 2648, pp. 235–239). Portland, OR, USA: Springer. https://doi.org/10.1007/3-540-44829-2_17' chicago: Henzinger, Thomas A, Ranjit Jhala, Ritankar Majumdar, and Grégoire Sutre. “Software Verification with BLAST.” In Proceedings of the 10th International SPIN Workshop , 2648:235–39. Springer, 2003. https://doi.org/10.1007/3-540-44829-2_17. ieee: T. A. Henzinger, R. Jhala, R. Majumdar, and G. Sutre, “Software verification with BLAST,” in Proceedings of the 10th International SPIN Workshop , Portland, OR, USA, 2003, vol. 2648, pp. 235–239. ista: 'Henzinger TA, Jhala R, Majumdar R, Sutre G. 2003. Software verification with BLAST. Proceedings of the 10th International SPIN Workshop . SPIN: Model Checking Software, LNCS, vol. 2648, 235–239.' mla: Henzinger, Thomas A., et al. “Software Verification with BLAST.” Proceedings of the 10th International SPIN Workshop , vol. 2648, Springer, 2003, pp. 235–39, doi:10.1007/3-540-44829-2_17. short: T.A. Henzinger, R. Jhala, R. Majumdar, G. Sutre, in:, Proceedings of the 10th International SPIN Workshop , Springer, 2003, pp. 235–239. conference: end_date: 2003-05-10 location: Portland, OR, USA name: 'SPIN: Model Checking Software' start_date: 2003-05-09 date_created: 2018-12-11T12:09:00Z date_published: 2003-04-28T00:00:00Z date_updated: 2024-01-08T14:05:29Z day: '28' doi: 10.1007/3-540-44829-2_17 extern: '1' intvolume: ' 2648' language: - iso: eng month: '04' oa_version: None page: 235 - 239 publication: 'Proceedings of the 10th International SPIN Workshop ' publication_identifier: isbn: - '9783540401179' publication_status: published publisher: Springer publist_id: '264' quality_controlled: '1' scopus_import: '1' status: public title: Software verification with BLAST type: conference user_id: ea97e931-d5af-11eb-85d4-e6957dddbf17 volume: 2648 year: '2003' ... --- _id: '4463' abstract: - lang: eng text: We present an algorithm called TAR (“Thread-modular Abstraction Refinement”) for model checking safety properties of concurrent software. The TAR algorithm uses thread-modular assume-guarantee reasoning to overcome the exponential complexity in the control state of multithreaded programs. Thread modularity means that TAR explores the state space of one thread at a time, making assumptions about how the environment can interfere. The TAR algorithm uses counterexample-guided predicate-abstraction refinement to overcome the usually infinite complexity in the data state of C programs. A successive approximation scheme automatically infers the necessary precision on data variables as well as suitable environment assumptions. The scheme is novel in that transition relations are approximated from above, while at the same time environment assumptions are approximated from below. In our software verification tool BLAST we have implemented a fully automatic race checker for multithreaded C programs which is based on the TAR algorithm. This tool has verified a wide variety of commonly used locking idioms, including locking schemes that are not amenable to existing dynamic and static race checkers such as ERASER or WARLOCK. acknowledgement: This work was supported in part by the NSF grants CCR-0085949 and CCR-0234690, the DARPA grant F33615-00-C-1693, and the MARCO grant 98-DT-660. alternative_title: - LNCS article_processing_charge: No author: - first_name: Thomas A full_name: Henzinger, Thomas A id: 40876CD8-F248-11E8-B48F-1D18A9856A87 last_name: Henzinger orcid: 0000−0002−2985−7724 - first_name: Ranjit full_name: Jhala, Ranjit last_name: Jhala - first_name: Ritankar full_name: Majumdar, Ritankar last_name: Majumdar - first_name: Shaz full_name: Qadeer, Shaz last_name: Qadeer citation: ama: 'Henzinger TA, Jhala R, Majumdar R, Qadeer S. Thread-modular abstraction refinement. In: Proceedings of the 15th International Conference on Computer Aided Verification. Vol 2725. Springer; 2003:262-274. doi:10.1007/978-3-540-45069-6_27' apa: 'Henzinger, T. A., Jhala, R., Majumdar, R., & Qadeer, S. (2003). Thread-modular abstraction refinement. In Proceedings of the 15th International Conference on Computer Aided Verification (Vol. 2725, pp. 262–274). Boulder, CO, USA: Springer. https://doi.org/10.1007/978-3-540-45069-6_27' chicago: Henzinger, Thomas A, Ranjit Jhala, Ritankar Majumdar, and Shaz Qadeer. “Thread-Modular Abstraction Refinement.” In Proceedings of the 15th International Conference on Computer Aided Verification, 2725:262–74. Springer, 2003. https://doi.org/10.1007/978-3-540-45069-6_27. ieee: T. A. Henzinger, R. Jhala, R. Majumdar, and S. Qadeer, “Thread-modular abstraction refinement,” in Proceedings of the 15th International Conference on Computer Aided Verification, Boulder, CO, USA, 2003, vol. 2725, pp. 262–274. ista: 'Henzinger TA, Jhala R, Majumdar R, Qadeer S. 2003. Thread-modular abstraction refinement. Proceedings of the 15th International Conference on Computer Aided Verification. CAV: Computer Aided Verification, LNCS, vol. 2725, 262–274.' mla: Henzinger, Thomas A., et al. “Thread-Modular Abstraction Refinement.” Proceedings of the 15th International Conference on Computer Aided Verification, vol. 2725, Springer, 2003, pp. 262–74, doi:10.1007/978-3-540-45069-6_27. short: T.A. Henzinger, R. Jhala, R. Majumdar, S. Qadeer, in:, Proceedings of the 15th International Conference on Computer Aided Verification, Springer, 2003, pp. 262–274. conference: end_date: 2003-07-12 location: Boulder, CO, USA name: 'CAV: Computer Aided Verification' start_date: 2003-07-08 date_created: 2018-12-11T12:08:59Z date_published: 2003-06-27T00:00:00Z date_updated: 2024-01-10T11:05:53Z day: '27' doi: 10.1007/978-3-540-45069-6_27 extern: '1' intvolume: ' 2725' language: - iso: eng month: '06' oa_version: None page: 262 - 274 publication: Proceedings of the 15th International Conference on Computer Aided Verification publication_identifier: isbn: - '9783540405245' publication_status: published publisher: Springer publist_id: '266' quality_controlled: '1' status: public title: Thread-modular abstraction refinement type: conference user_id: ea97e931-d5af-11eb-85d4-e6957dddbf17 volume: 2725 year: '2003' ... --- _id: '4462' abstract: - lang: eng text: 'A major hurdle in the algorithmic verification and control of systems is the need to find suitable abstract models, which omit enough details to overcome the state-explosion problem, but retain enough details to exhibit satisfaction or controllability with respect to the specification. The paradigm of counterexample-guided abstraction refinement suggests a fully automatic way of finding suitable abstract models: one starts with a coarse abstraction, attempts to verify or control the abstract model, and if this attempt fails and the abstract counterexample does not correspond to a concrete counterexample, then one uses the spurious counterexample to guide the refinement of the abstract model. We present a counterexample-guided refinement algorithm for solving ω-regular control objectives. The main difficulty is that in control, unlike in verification, counterexamples are strategies in a game between system and controller. In the case that the controller has no choices, our scheme subsumes known counterexample-guided refinement algorithms for the verification of ω-regular specifications. Our algorithm is useful in all situations where ω-regular games need to be solved, such as supervisory control, sequential and program synthesis, and modular verification. The algorithm is fully symbolic, and therefore applicable also to infinite-state systems.' acknowledgement: This research was supported in part by the DARPA SEC grant F33615-C-98-3614, the ONR grant N00014-02-1-0671, and the NSF grants CCR-9988172, CCR-0085949, and CCR-0225610. alternative_title: - LNCS article_processing_charge: No author: - first_name: Thomas A full_name: Henzinger, Thomas A id: 40876CD8-F248-11E8-B48F-1D18A9856A87 last_name: Henzinger orcid: 0000−0002−2985−7724 - first_name: Ranjit full_name: Jhala, Ranjit last_name: Jhala - first_name: Ritankar full_name: Majumdar, Ritankar last_name: Majumdar citation: ama: 'Henzinger TA, Jhala R, Majumdar R. Counterexample-guided control. In: Proceedings of the 30th International Colloquium on Automata, Languages and Programming. Vol 2719. Springer; 2003:886-902. doi:10.1007/3-540-45061-0_69' apa: 'Henzinger, T. A., Jhala, R., & Majumdar, R. (2003). Counterexample-guided control. In Proceedings of the 30th International Colloquium on Automata, Languages and Programming (Vol. 2719, pp. 886–902). Eindhoven, The Netherlands: Springer. https://doi.org/10.1007/3-540-45061-0_69' chicago: Henzinger, Thomas A, Ranjit Jhala, and Ritankar Majumdar. “Counterexample-Guided Control.” In Proceedings of the 30th International Colloquium on Automata, Languages and Programming, 2719:886–902. Springer, 2003. https://doi.org/10.1007/3-540-45061-0_69. ieee: T. A. Henzinger, R. Jhala, and R. Majumdar, “Counterexample-guided control,” in Proceedings of the 30th International Colloquium on Automata, Languages and Programming, Eindhoven, The Netherlands, 2003, vol. 2719, pp. 886–902. ista: 'Henzinger TA, Jhala R, Majumdar R. 2003. Counterexample-guided control. Proceedings of the 30th International Colloquium on Automata, Languages and Programming. ICALP: Automata, Languages and Programming, LNCS, vol. 2719, 886–902.' mla: Henzinger, Thomas A., et al. “Counterexample-Guided Control.” Proceedings of the 30th International Colloquium on Automata, Languages and Programming, vol. 2719, Springer, 2003, pp. 886–902, doi:10.1007/3-540-45061-0_69. short: T.A. Henzinger, R. Jhala, R. Majumdar, in:, Proceedings of the 30th International Colloquium on Automata, Languages and Programming, Springer, 2003, pp. 886–902. conference: end_date: 2003-07-04 location: Eindhoven, The Netherlands name: 'ICALP: Automata, Languages and Programming' start_date: 2003-06-30 date_created: 2018-12-11T12:08:58Z date_published: 2003-06-25T00:00:00Z date_updated: 2024-01-10T11:19:41Z day: '25' doi: 10.1007/3-540-45061-0_69 extern: '1' intvolume: ' 2719' language: - iso: eng month: '06' oa_version: None page: 886 - 902 publication: Proceedings of the 30th International Colloquium on Automata, Languages and Programming publication_identifier: isbn: - '9783540404934' publication_status: published publisher: Springer publist_id: '265' quality_controlled: '1' scopus_import: '1' status: public title: Counterexample-guided control type: conference user_id: ea97e931-d5af-11eb-85d4-e6957dddbf17 volume: 2719 year: '2003' ... --- _id: '4464' abstract: - lang: eng text: We introduce the paradigm of schedule-carrying code (SCC). A hard real-time program can be executed on a given platform only if there exists a feasible schedule for the real-time tasks of the program. Traditionally, a scheduler determines the existence of a feasible schedule according to some scheduling strategy. With SCC, a compiler proves the existence of a feasible schedule by generating executable code that is attached to the program and represents its schedule. An SCC executable is a real-time program that carries its schedule as code, which is produced once and can be revalidated and executed with each use. We evaluate SCC both in theory and practice. In theory, we give two scenarios, of nonpreemptive and distributed scheduling for Giotto programs, where the generation of a feasible schedule is hard, while the validation of scheduling instructions that are attached to the programs is easy. In practice, we implement SCC and show that explicit scheduling instructions can reduce the scheduling overhead up to 35% and can provide an efficient, flexible, and verifiable means for compiling Giotto programs on complex architectures, such as the TTA. acknowledgement: This work was supported by the AFOSR MURI grant F49620-00-1-0327, the California MICRO grant 01-037, the DARPA grant F33615-C-98-3614, the MARCO grant 98-DT-660, and the NSF grants CCR-0208875, CCR-0085949, and CCR-0225610. alternative_title: - LNCS article_processing_charge: No author: - first_name: Thomas A full_name: Henzinger, Thomas A id: 40876CD8-F248-11E8-B48F-1D18A9856A87 last_name: Henzinger orcid: 0000−0002−2985−7724 - first_name: Christoph full_name: Kirsch, Christoph last_name: Kirsch - first_name: Slobodan full_name: Matic, Slobodan last_name: Matic citation: ama: 'Henzinger TA, Kirsch C, Matic S. Schedule-carrying code. In: Proceedings of the 3rd International Conference on Embedded Software. Vol 2855. ACM; 2003:241-256. doi:10.1007/978-3-540-45212-6_16' apa: 'Henzinger, T. A., Kirsch, C., & Matic, S. (2003). Schedule-carrying code. In Proceedings of the 3rd International Conference on Embedded Software (Vol. 2855, pp. 241–256). Philadelphia, PA, USA: ACM. https://doi.org/10.1007/978-3-540-45212-6_16' chicago: Henzinger, Thomas A, Christoph Kirsch, and Slobodan Matic. “Schedule-Carrying Code.” In Proceedings of the 3rd International Conference on Embedded Software, 2855:241–56. ACM, 2003. https://doi.org/10.1007/978-3-540-45212-6_16. ieee: T. A. Henzinger, C. Kirsch, and S. Matic, “Schedule-carrying code,” in Proceedings of the 3rd International Conference on Embedded Software, Philadelphia, PA, USA, 2003, vol. 2855, pp. 241–256. ista: 'Henzinger TA, Kirsch C, Matic S. 2003. Schedule-carrying code. Proceedings of the 3rd International Conference on Embedded Software. EMSOFT: Embedded Software , LNCS, vol. 2855, 241–256.' mla: Henzinger, Thomas A., et al. “Schedule-Carrying Code.” Proceedings of the 3rd International Conference on Embedded Software, vol. 2855, ACM, 2003, pp. 241–56, doi:10.1007/978-3-540-45212-6_16. short: T.A. Henzinger, C. Kirsch, S. Matic, in:, Proceedings of the 3rd International Conference on Embedded Software, ACM, 2003, pp. 241–256. conference: end_date: 2003-10-15 location: Philadelphia, PA, USA name: 'EMSOFT: Embedded Software ' start_date: 2003-10-13 date_created: 2018-12-11T12:08:59Z date_published: 2003-09-29T00:00:00Z date_updated: 2024-01-10T11:33:57Z day: '29' doi: 10.1007/978-3-540-45212-6_16 extern: '1' intvolume: ' 2855' language: - iso: eng month: '09' oa_version: None page: 241 - 256 publication: Proceedings of the 3rd International Conference on Embedded Software publication_identifier: isbn: - '9783540202233' publication_status: published publisher: ACM publist_id: '267' quality_controlled: '1' scopus_import: '1' status: public title: Schedule-carrying code type: conference user_id: ea97e931-d5af-11eb-85d4-e6957dddbf17 volume: 2855 year: '2003' ... --- _id: '4460' abstract: - lang: eng text: "Symbolic model checking, which enables the automatic verification of large systems, proceeds by calculating expressions that represent state sets. Traditionally, symbolic model-checking tools are based on back- ward state traversal; their basic operation is the function pre, which, given a set of states, returns the set of all predecessor states. This is because specifiers usually employ formalisms with future-time modalities, which are naturally evaluated by iterating applications of pre. It has been shown experimentally that symbolic model checking can perform significantly better if it is based, instead, on forward state traversal; in this case, the basic operation is the function post, which, given a set of states, returns the set of all successor states. This is because forward state traversal can ensure that only parts of the state space that are reachable from an initial state and relevant for the satisfaction or violation of the specification are explored; that is, errors can be detected as soon as possible.\r\nIn this paper, we investigate which specifications can be checked by symbolic forward state traversal. We formulate the problems of symbolic backward and forward model checking by means of two μ-calculi. The pre-μ calculus is based on the pre operation, and the post-μ calculus is based on the post operation. These two μ-calculi induce query logics, which augment fixpoint expressions with a boolean emptiness query. Using query logics, we are able to relate and compare the symbolic backward and forward approaches. In particular, we prove that all ω-regular (linear-time) specifications can be expressed as post-μ queries, and therefore checked using symbolic forward state traversal. On the other hand, we show that there are simple branching-time specifications that cannot be checked in this way." acknowledgement: This research was supported in part by the SRC contract 99-TJ-683.003 and the NSF grant CCR-9988172. article_processing_charge: No article_type: original author: - first_name: Thomas A full_name: Henzinger, Thomas A id: 40876CD8-F248-11E8-B48F-1D18A9856A87 last_name: Henzinger orcid: 0000−0002−2985−7724 - first_name: Orna full_name: Kupferman, Orna last_name: Kupferman - first_name: Shaz full_name: Qadeer, Shaz last_name: Qadeer citation: ama: Henzinger TA, Kupferman O, Qadeer S. From pre-historic to post-modern symbolic model checking. Formal Methods in System Design. 2003;23(3):303-327. doi:10.1023/A:1026228213080 apa: Henzinger, T. A., Kupferman, O., & Qadeer, S. (2003). From pre-historic to post-modern symbolic model checking. Formal Methods in System Design. Springer. https://doi.org/10.1023/A:1026228213080 chicago: Henzinger, Thomas A, Orna Kupferman, and Shaz Qadeer. “From Pre-Historic to Post-Modern Symbolic Model Checking.” Formal Methods in System Design. Springer, 2003. https://doi.org/10.1023/A:1026228213080. ieee: T. A. Henzinger, O. Kupferman, and S. Qadeer, “From pre-historic to post-modern symbolic model checking,” Formal Methods in System Design, vol. 23, no. 3. Springer, pp. 303–327, 2003. ista: Henzinger TA, Kupferman O, Qadeer S. 2003. From pre-historic to post-modern symbolic model checking. Formal Methods in System Design. 23(3), 303–327. mla: Henzinger, Thomas A., et al. “From Pre-Historic to Post-Modern Symbolic Model Checking.” Formal Methods in System Design, vol. 23, no. 3, Springer, 2003, pp. 303–27, doi:10.1023/A:1026228213080. short: T.A. Henzinger, O. Kupferman, S. Qadeer, Formal Methods in System Design 23 (2003) 303–327. date_created: 2018-12-11T12:08:58Z date_published: 2003-06-20T00:00:00Z date_updated: 2024-01-10T11:50:31Z day: '20' doi: 10.1023/A:1026228213080 extern: '1' intvolume: ' 23' issue: '3' language: - iso: eng month: '06' oa_version: None page: 303 - 327 publication: Formal Methods in System Design publication_identifier: issn: - 0925-9856 publication_status: published publisher: Springer publist_id: '268' quality_controlled: '1' scopus_import: '1' status: public title: From pre-historic to post-modern symbolic model checking type: journal_article user_id: ea97e931-d5af-11eb-85d4-e6957dddbf17 volume: 23 year: '2003' ... --- _id: '4469' abstract: - lang: eng text: Giotto provides an abstract programmer's model for the implementation of embedded control systems with hard real-time constraints. A typical control application consists of periodic software tasks together with a mode-switching logic for enabling and disabling tasks. Giotto specifies time-triggered sensor readings, task invocations, actuator updates, and mode switches independent of any implementation platform. Giotto can be annotated with platform constraints such as task-to-host mappings, and task and communication schedules. The annotations are directives for the Giotto compiler, but they do not alter the functionality and timing of a Giotto program. By separating the platform-independent from the platform-dependent concerns, Giotto enables a great deal of flexibility in choosing control platforms as well as a great deal of automation in the validation and synthesis of control software. The time-triggered nature of Giotto achieves timing predictability, which makes Giotto particularly suitable for safety-critical applications. acknowledgement: The authors would like to thank R. Majumdar for implementing a prototype Giotto compiler for Lego Mindstorms robots. They would like to thank D. Derevyanko and W. Williams for building the Intel x86 robots; and E. Lee and X. Liu for help with implementing Giotto as a “model of computation” in Ptolemy II [26]. Finally, they would also like to thank M. Sanvido for his suggestions on the design of the Giotto drivers; and P. Griffiths for implementing the functionality code of the electronic throttle controller. article_processing_charge: No article_type: original author: - first_name: Thomas A full_name: Henzinger, Thomas A id: 40876CD8-F248-11E8-B48F-1D18A9856A87 last_name: Henzinger orcid: 0000−0002−2985−7724 - first_name: Benjamin full_name: Horowitz, Benjamin last_name: Horowitz - first_name: Christoph full_name: Kirsch, Christoph last_name: Kirsch citation: ama: 'Henzinger TA, Horowitz B, Kirsch C. Giotto: A time-triggered language for embedded programming. Proceedings of the IEEE. 2003;91(1):84-99. doi:10.1109/JPROC.2002.805825' apa: 'Henzinger, T. A., Horowitz, B., & Kirsch, C. (2003). Giotto: A time-triggered language for embedded programming. Proceedings of the IEEE. IEEE. https://doi.org/10.1109/JPROC.2002.805825' chicago: 'Henzinger, Thomas A, Benjamin Horowitz, and Christoph Kirsch. “Giotto: A Time-Triggered Language for Embedded Programming.” Proceedings of the IEEE. IEEE, 2003. https://doi.org/10.1109/JPROC.2002.805825.' ieee: 'T. A. Henzinger, B. Horowitz, and C. Kirsch, “Giotto: A time-triggered language for embedded programming,” Proceedings of the IEEE, vol. 91, no. 1. IEEE, pp. 84–99, 2003.' ista: 'Henzinger TA, Horowitz B, Kirsch C. 2003. Giotto: A time-triggered language for embedded programming. Proceedings of the IEEE. 91(1), 84–99.' mla: 'Henzinger, Thomas A., et al. “Giotto: A Time-Triggered Language for Embedded Programming.” Proceedings of the IEEE, vol. 91, no. 1, IEEE, 2003, pp. 84–99, doi:10.1109/JPROC.2002.805825.' short: T.A. Henzinger, B. Horowitz, C. Kirsch, Proceedings of the IEEE 91 (2003) 84–99. date_created: 2018-12-11T12:09:00Z date_published: 2003-01-29T00:00:00Z date_updated: 2024-01-10T11:55:18Z day: '29' doi: 10.1109/JPROC.2002.805825 extern: '1' intvolume: ' 91' issue: '1' language: - iso: eng month: '01' oa_version: None page: 84 - 99 publication: Proceedings of the IEEE publication_identifier: issn: - '0018-9219 ' publication_status: published publisher: IEEE publist_id: '261' quality_controlled: '1' scopus_import: '1' status: public title: 'Giotto: A time-triggered language for embedded programming' type: journal_article user_id: ea97e931-d5af-11eb-85d4-e6957dddbf17 volume: 91 year: '2003' ... --- _id: '4338' abstract: - lang: eng text: 'Mosaic hybrid zones arise when ecologically differentiated taxa hybridize across a network of habitat patches. Frequent interbreeding across a small-scale patchwork can erode species differences that might have been preserved in a clinal hybrid zone. In particular, the rapid breakdown of neutral divergence sets an upper limit to the time for which differences at marker loci can persist. We present here a case study of a mosaic hybrid zone between the fire-bellied toads Bombina bombina and B. variegata (Anura: Discoglossidae) near Apahida in Romania. In our 20 × 20 km study area, we detected no evidence of a clinal transition but found a strong association between aquatic habitat and mean allele frequencies at four molecular markers. In particular, pure populations of B. bombina in ponds appear to cause massive introgression into the surrounding B. variegata gene pool found in temporary aquatic sites. Nevertheless, the genetic structure of these hybrid populations was remarkably similar to those of a previously studied transect near Pescenica (Croatia), which had both clinal and mosaic features: estimates of heterozygote deficit and linkage disequilibrium in each country are similar. In Apahida, the observed strong linkage disequilibria should stem from an imperfect habitat preference that guides most (but not all) adults into the habitats to which they are adapted. In the absence of a clinal structure, the inferred migration rate between habitats implies that associations between selected loci and neutral markers should break down rapidly. Although plausible selection strengths can maintain differentiation at those loci adapting the toads to either permanent or temporary breeding sites, the divergence at neutral markers must be transient. The hybrid zone may be approaching a state in which the gene pools are homogenized at all but the selected loci, not dissimilar from an early stage of sympatric divergence.' acknowledgement: "We thank G. Mara and T. Galbena for enthusiastic field\r\nassistance, A. Hofmann and R. Sieglstetter for access to their\r\nunpublished data, B. Fo¨rg-Brey and G. Praetzel for help in\r\nthe lab. Helpful comments on a previous version of the man-\r\nuscript were provided by R. Ennos, J. Szymura, F. Balloux,\r\nJ. Bridle, L. Kruuk, F. Bonhomme, M. Arnold, and two anon-\r\nymous reviewers. We also thank A. Pinggera for providing\r\nthe cover illustration. This work was supported by Natural\r\nEnvironment Research Council studentships to THV and TRS\r\nand Deutsche Forschungsgemeinschaft grant Nu 51/2-1 to BN." article_processing_charge: No article_type: original author: - first_name: Timothy full_name: Vines, Timothy last_name: Vines - first_name: S C full_name: Kohler, S C last_name: Kohler - first_name: M full_name: Thiel, M last_name: Thiel - first_name: Ioan full_name: Ghira, Ioan last_name: Ghira - first_name: T R full_name: Sands, T R last_name: Sands - first_name: Catriona full_name: Maccallum, Catriona last_name: Maccallum - first_name: Nicholas H full_name: Barton, Nicholas H id: 4880FE40-F248-11E8-B48F-1D18A9856A87 last_name: Barton orcid: 0000-0002-8548-5240 - first_name: Beate full_name: Nürnberger, Beate last_name: Nürnberger citation: ama: Vines T, Kohler SC, Thiel M, et al. On the maintenance of reproductive isolation in a mosaic hybrid zone between the toads Bombina bombina and B. variegata. Evolution. 2003;57(8):1876-1888. doi:10.1111/j.0014-3820.2003.tb00595.x apa: Vines, T., Kohler, S. C., Thiel, M., Ghira, I., Sands, T. R., Maccallum, C., … Nürnberger, B. (2003). On the maintenance of reproductive isolation in a mosaic hybrid zone between the toads Bombina bombina and B. variegata. Evolution. Wiley-Blackwell. https://doi.org/10.1111/j.0014-3820.2003.tb00595.x chicago: Vines, Timothy, S C Kohler, M Thiel, Ioan Ghira, T R Sands, Catriona Maccallum, Nicholas H Barton, and Beate Nürnberger. “On the Maintenance of Reproductive Isolation in a Mosaic Hybrid Zone between the Toads Bombina Bombina and B. Variegata.” Evolution. Wiley-Blackwell, 2003. https://doi.org/10.1111/j.0014-3820.2003.tb00595.x. ieee: T. Vines et al., “On the maintenance of reproductive isolation in a mosaic hybrid zone between the toads Bombina bombina and B. variegata,” Evolution, vol. 57, no. 8. Wiley-Blackwell, pp. 1876–1888, 2003. ista: Vines T, Kohler SC, Thiel M, Ghira I, Sands TR, Maccallum C, Barton NH, Nürnberger B. 2003. On the maintenance of reproductive isolation in a mosaic hybrid zone between the toads Bombina bombina and B. variegata. Evolution. 57(8), 1876–1888. mla: Vines, Timothy, et al. “On the Maintenance of Reproductive Isolation in a Mosaic Hybrid Zone between the Toads Bombina Bombina and B. Variegata.” Evolution, vol. 57, no. 8, Wiley-Blackwell, 2003, pp. 1876–88, doi:10.1111/j.0014-3820.2003.tb00595.x. short: T. Vines, S.C. Kohler, M. Thiel, I. Ghira, T.R. Sands, C. Maccallum, N.H. Barton, B. Nürnberger, Evolution 57 (2003) 1876–1888. date_created: 2018-12-11T12:08:20Z date_published: 2003-08-01T00:00:00Z date_updated: 2024-01-23T09:16:43Z day: '01' doi: 10.1111/j.0014-3820.2003.tb00595.x extern: '1' intvolume: ' 57' issue: '8' language: - iso: eng month: '08' oa_version: None page: 1876 - 1888 publication: Evolution publication_identifier: issn: - 0014-3820 publication_status: published publisher: Wiley-Blackwell publist_id: '1692' quality_controlled: '1' scopus_import: '1' status: public title: On the maintenance of reproductive isolation in a mosaic hybrid zone between the toads Bombina bombina and B. variegata type: journal_article user_id: ea97e931-d5af-11eb-85d4-e6957dddbf17 volume: 57 year: '2003' ...