TY - CONF
AB - We present a type system for E code, which is an assembly language that manages the release, interaction, and termination of real-time tasks. E code specifies a deadline for each task, and the type system ensures that the deadlines are path-insensitive. We show that typed E programs allow, for given worst-case execution times of tasks, a simple schedulability analysis. Moreover, the real-time programming language Giotto can be compiled into typed E code. This shows that typed E code identifies an easily schedulable yet expressive class of real-time programs. We have extended the Giotto compiler to generate typed E code, and enabled the run-time system for E code to perform a type and schedulability check before executing the code.
AU - Thomas Henzinger
AU - Kirsch, Christoph M
ID - 4445
TI - A typed assembly language for real-time programs
ER -
TY - CONF
AB - The success of model checking for large programs depends crucially on the ability to efficiently construct parsimonious abstractions. A predicate abstraction is parsimonious if at each control location, it specifies only relationships between current values of variables, and only those which are required for proving correctness. Previous methods for automatically refining predicate abstractions until sufficient precision is obtained do not systematically construct parsimonious abstractions: predicates usually contain symbolic variables, and are added heuristically and often uniformly to many or all control locations at once. We use Craig interpolation to efficiently construct, from a given abstract error trace which cannot be concretized, a parsimonious abstraction that removes the trace. At each location of the trace, we infer the relevant predicates as an interpolant between the two formulas that define the past and the future segment of the trace. Each interpolant is a relationship between current values of program variables, and is relevant only at that particular program location.
It can be found by a linear scan of the proof of infeasibility of the trace. We develop our method for programs with arithmetic and pointer expressions, and call-by-value function calls. For function calls, Craig interpolation offers a systematic way of generating relevant predicates that contain only the local variables of the function and the values of the formal parameters when the function was called. We have extended our model checker Blast with predicate discovery by Craig interpolation, and applied it successfully to C programs with more than 130,000 lines of code, which was not possible with approaches that build less parsimonious abstractions.
AU - Thomas Henzinger
AU - Jhala, Ranjit
AU - Majumdar, Ritankar S
AU - McMillan, Kenneth L
ID - 4458
TI - Abstractions from proofs
ER -
TY - CHAP
AB - One of the central axioms of extreme programming is the disciplined use of regression testing during stepwise software development. Due to recent progress in software model checking, it has become possible to supplement this process with automatic checks for behavioral safety properties of programs, such as conformance with locking idioms and other programming protocols and patterns. For efficiency reasons, all checks must be incremental, i.e., they must reuse partial results from previous checks in order to avoid all unnecessary repetition of expensive verification tasks. We show that the lazy-abstraction algorithm, and its implementation in Blast, can be extended to support the fully automatic and incremental checking of temporal safety properties during software development.
AU - Thomas Henzinger
AU - Jhala, Ranjit
AU - Majumdar, Ritankar S
AU - Sanvido, Marco A
ID - 4461
T2 - Verification: Theory and Practice
TI - Extreme model checking
VL - 2772
ER -
TY - CONF
AB - Software model checking has been successful for sequential programs, where predicate abstraction offers suitable models, and counterexample-guided abstraction refinement permits the automatic inference of models. When checking concurrent programs, we need to abstract threads as well as the contexts in which they execute. Stateless context models, such as predicates on global variables, prove insufficient for showing the absence of race conditions in many examples. We therefore use richer context models, which combine (1) predicates for abstracting data state, (2) control flow quotients for abstracting control state, and (3) counters for abstracting an unbounded number of threads. We infer suitable context models automatically by a combination of counterexample-guided abstraction refinement, bisimulation minimization, circular assume-guarantee reasoning, and parametric reasoning about an unbounded number of threads. This algorithm, called CIRC, has been implemented in BLAST and succeeds in checking many examples of nesC code for data races. In particular, BLAST proves the absence of races in several cases where previous race checkers give false positives.
AU - Thomas Henzinger
AU - Jhala, Ranjit
AU - Majumdar, Ritankar S
ID - 4459
TI - Race checking by context inference
ER -
TY - CONF
AB - We present a new high-level programming language, called xGiotto, for programming applications with hard real-time constraints. Like its predecessor, xGiotto is based on the LET (logical execution time) assumption: the programmer specifies when the outputs of a task become available, and the compiler checks if the specification can be implemented on a given platform. However, while the predecessor language Giotto was purely time-triggered, xGiotto also accommodates asynchronous events.
Indeed, through a mechanism called event scoping, events are the main structuring principle of the new language. The xGiotto compiler and run-time system implement event scoping through a tree-based event filter. The compiler also checks programs for determinism (absence of race conditions).
AU - Ghosal, Arkadeb
AU - Thomas Henzinger
AU - Kirsch, Christoph M
AU - Sanvido, Marco A
ID - 4525
TI - Event-driven programming with logical execution times
VL - 2993
ER -
TY - CONF
AB - Strategies in repeated games can be classified as to whether or not they use memory and/or randomization. We consider Markov decision processes and 2-player graph games, both of the deterministic and probabilistic varieties. We characterize when memory and/or randomization are required for winning with respect to various classes of ω-regular objectives, noting particularly when the use of memory can be traded for the use of randomization. In particular, we show that Markov decision processes allow randomized memoryless optimal strategies for all Müller objectives. Furthermore, we show that 2-player probabilistic graph games allow randomized memoryless strategies for winning with probability 1 those Müller objectives which are upward-closed. Upward-closure means that if a set α of infinitely repeating vertices is winning, then all supersets of α are also winning.
AU - Krishnendu Chatterjee
AU - de Alfaro, Luca
AU - Thomas Henzinger
ID - 4555
TI - Trading memory for randomness
ER -
TY - CONF
AB - We study perfect-information stochastic parity games. These are two-player nonterminating games which are played on a graph with turn-based probabilistic transitions. A play results in an infinite path and the conflicting goals of the two players are ω-regular path properties, formalized as parity winning conditions. The qualitative solution of such a game amounts to computing the set of vertices from which a player has a strategy to win with probability 1 (or with positive probability).
The quantitative solution amounts to computing the value of the game in every vertex, i.e., the highest probability with which a player can guarantee satisfaction of his own objective in a play that starts from the vertex. For the important special case of one-player stochastic parity games (parity Markov decision processes) we give polynomial-time algorithms both for the qualitative and the quantitative solution. The running time of the qualitative solution is O(d · m^{3/2}) for graphs with m edges and d priorities. The quantitative solution is based on a linear-programming formulation. For the two-player case, we establish the existence of optimal pure memoryless strategies. This has several important ramifications. First, it implies that the values of the games are rational. This is in contrast to the concurrent stochastic parity games of de Alfaro et al.; there, values are in general algebraic numbers, optimal strategies do not exist, and ε-optimal strategies have to be mixed and with infinite memory. Second, the existence of optimal pure memoryless strategies together with the polynomial-time solution for the one-player case implies that the quantitative two-player stochastic parity game problem is in NP ∩ co-NP. This generalizes a result of Condon for stochastic games with reachability objectives. It also constitutes an exponential improvement over the best previous algorithm, which is based on a doubly exponential procedure of de Alfaro and Majumdar for concurrent stochastic parity games and provides only ε-approximations of the values.
AU - Krishnendu Chatterjee
AU - Jurdziński, Marcin
AU - Thomas Henzinger
ID - 4558
TI - Quantitative stochastic parity games
ER -
TY - JOUR
AB - We study the problem of determining stack boundedness and the exact maximum stack size for three classes of interrupt-driven programs. Interrupt-driven programs are used in many real-time applications that require responsive interrupt handling.
In order to ensure responsiveness, programmers often enable interrupt processing in the body of lower-priority interrupt handlers. In such programs a programming error can allow interrupt handlers to be interrupted in a cyclic fashion, leading to an unbounded stack and causing the system to crash. For a restricted class of interrupt-driven programs, we show that there is a polynomial-time procedure to check stack boundedness, while determining the exact maximum stack size is PSPACE-complete. For a larger class of programs, the two problems are both PSPACE-complete, and for the largest class of programs we consider, the two problems are PSPACE-hard and can be solved in exponential time. While the complexities are high, our algorithms are exponential only in the number of handlers, and polynomial in the size of the program.
AU - Krishnendu Chatterjee
AU - Ma, Di
AU - Majumdar, Ritankar S
AU - Zhao, Tian
AU - Thomas Henzinger
AU - Palsberg, Jens
ID - 4556
IS - 2
JF - Information and Computation
TI - Stack size analysis for interrupt-driven programs
VL - 194
ER -
TY - CONF
AB - BLAST is an automatic verification tool for checking temporal safety properties of C programs. BLAST is based on lazy predicate abstraction driven by interpolation-based predicate discovery. In this paper, we present the BLAST specification language. The language specifies program properties at two levels of precision. At the lower level, monitor automata are used to specify temporal safety properties of program executions (traces). At the higher level, relational reachability queries over program locations are used to combine lower-level trace properties. The two-level specification language can be used to break down a verification task into several independent calls of the model-checking engine.
In this way, each call to the model checker may have to analyze only part of the program, or part of the specification, and may thus succeed with a smaller number of predicates than a single analysis of the whole would need. In addition, the two-level specification language provides a means for structuring and maintaining specifications.
AU - Beyer, Dirk
AU - Chlipala, Adam J
AU - Thomas Henzinger
AU - Jhala, Ranjit
AU - Majumdar, Ritankar S
ID - 4578
TI - The BLAST query language for software verification
VL - 3148
ER -
TY - CONF
AB - While model checking has been successful in uncovering subtle bugs in code, its adoption in software engineering practice has been hampered by the absence of a simple interface to the programmer in an integrated development environment. We describe an integration of the software model checker BLAST into the Eclipse development environment. We provide a verification interface for practical solutions to some typical program analysis problems (assertion checking, reachability analysis, dead code analysis, and test generation) directly on the source code. The analysis is completely automatic, and assumes no knowledge of model checking or formal notation. Moreover, the interface supports incremental program verification to support incremental design and evolution of code.
AU - Beyer, Dirk
AU - Thomas Henzinger
AU - Jhala, Ranjit
AU - Majumdar, Ritankar S
ID - 4577
TI - An Eclipse plug-in for model checking
ER -
TY - CONF
AB - We have extended the software model checker BLAST to automatically generate test suites that guarantee full coverage with respect to a given predicate. More precisely, given a C program and a target predicate p, BLAST determines the set L of program locations which program execution can reach with p true, and automatically generates a set of test vectors that exhibit the truth of p at all locations in L. We have used BLAST to generate test suites and to detect dead code in C programs with up to 30K lines of code.
The analysis and test vector generation are fully automatic (no user intervention) and exact (no false positives).
AU - Beyer, Dirk
AU - Chlipala, Adam J
AU - Thomas Henzinger
AU - Jhala, Ranjit
AU - Majumdar, Ritankar S
ID - 4581
TI - Generating tests from counterexamples
ER -
TY - CONF
AB - Temporal logic is two-valued: a property is either true or false. When applied to the analysis of stochastic systems, or systems with imprecise formal models, temporal logic is therefore fragile: even small changes in the model can lead to opposite truth values for a specification. We present a generalization of the branching-time logic CTL which achieves robustness with respect to model perturbations by giving a quantitative interpretation to predicates and logical operators, and by discounting the importance of events according to how late they occur. In every state, the value of a formula is a real number in the interval [0,1], where 1 corresponds to truth and 0 to falsehood. The Boolean operators "and" and "or" are replaced by min and max, the path quantifiers ∃ and ∀ determine sup and inf over all paths from a given state, and the temporal operators ◇ and □ specify sup and inf over a given path; a new operator averages all values along a path. Furthermore, all path operators are discounted by a parameter that can be chosen to give more weight to states that are closer to the beginning of the path. We interpret the resulting logic DCTL over transition systems, Markov chains, and Markov decision processes. We present two semantics for DCTL: a path semantics, inspired by the standard interpretation of state and path formulas in CTL, and a fixpoint semantics, inspired by the μ-calculus evaluation of CTL formulas. We show that, while these semantics coincide for CTL, they differ for DCTL, and we provide model-checking algorithms for both semantics.
AU - de Alfaro, Luca
AU - Faella, Marco
AU - Thomas Henzinger
AU - Majumdar, Ritankar S
AU - Stoelinga, Mariëlle
ID - 4629
TI - Model checking discounted temporal properties
VL - 2988
ER -
TY - JOUR
AB - The genome of the nematode Caenorhabditis elegans encodes seven soluble guanylate cyclases (sGCs) [1]. In mammals, sGCs function as α/β heterodimers activated by gaseous ligands binding to a haem prosthetic group [2, 3]. The principal activator is nitric oxide, which acts through sGCs to regulate diverse cellular events. In C. elegans the function of sGCs is mysterious: the worm genome does not appear to encode nitric oxide synthase, and all C. elegans sGC subunits are more closely related to mammalian β than α subunits [1]. Here, we show that two of the seven C. elegans sGCs, GCY-35 and GCY-36, promote aggregation behavior. gcy-35 and gcy-36 are expressed in a small number of neurons. These include the body cavity neurons AQR, PQR, and URX, which are directly exposed to the blood equivalent of C. elegans and regulate aggregation behavior [4]. We show that GCY-35 and GCY-36 act as α-like and β-like sGC subunits and that their function in the URX sensory neurons is sufficient for strong nematode aggregation. Neither GCY-35 nor GCY-36 is absolutely required for C. elegans to aggregate. Instead, these molecules may transduce one of several pathways that induce C. elegans to aggregate or may modulate aggregation by responding to cues in C. elegans body fluid.
AU - Cheung, Benny H.H
AU - Arellano-Carbajal, Fausto
AU - Rybicki, Irene
AU - de Bono, Mario
ID - 6155
IS - 12
JF - Current Biology
SN - 0960-9822
TI - Soluble guanylate cyclases act in neurons exposed to the body fluid to promote C. elegans aggregation behavior
VL - 14
ER -
TY - JOUR
AB - Fundamental and phenomenological models for cells, stacks, and complete systems of PEFC and SOFC are reviewed and their predictive power is assessed by comparing model simulations against experiments.
Computationally efficient models suited for engineering design include the (1+1) dimensionality approach, which decouples the membrane in-plane and through-plane processes, and the volume-averaged method (VAM), which considers only the lumped effect of pre-selected system components. The former model was shown to capture the measured lateral current density inhomogeneities in a PEFC and the latter was used for the optimization of commercial SOFC systems. State Space Modeling (SSM) was used to identify the main reaction pathways in SOFC and, in conjunction with the implementation of geometrically well-defined electrodes, has opened a new direction for the understanding of electrochemical reactions. Furthermore, SSM has advanced the understanding of the CO-poisoning-induced anode impedance in PEFC. Detailed numerical models such as the Lattice Boltzmann (LB) method for transport in porous media and the full 3-D Computational Fluid Dynamics (CFD) Navier-Stokes simulations are addressed. These models contain all components of the relevant physics and they can improve the understanding of the related phenomena, a necessary condition for the development of both appropriate simplified models and reliable technologies. Within the LB framework, a technique for the characterization and computer reconstruction of the porous electrode structure was developed using advanced pattern recognition algorithms. In CFD modeling, 3-D simulations were used to investigate SOFC with internal methane steam reforming and have exemplified the significance of porous and novel fractal channel distributors for the fuel and oxidant delivery, as well as for the cooling of PEFC. As importantly, the novel concept of functionally designed, fractal-shaped fuel cells has been put forth, showing promise of significant performance improvements over the conventional rectangular-shaped units. Thermo-economic modeling for the optimization of PEFC is finally addressed.
AU - Mantzaras, John
AU - Freunberger, Stefan Alexander
AU - Büchi, Felix N.
AU - Roos, Markus
AU - Brandstätter, Wilhelm
AU - Prestat, Michel
AU - Gauckler, Ludwig J.
AU - Andreaus, Bernhard
AU - Hajbolouri, Faegheh
AU - Senn, Stephan M.
AU - Poulikakos, Dimos
AU - Chaniotis, Andreas K.
AU - Larrain, Diego
AU - Autissier, Nordahl
AU - Maréchal, François
ID - 7334
IS - 12
JF - CHIMIA International Journal for Chemistry
SN - 0009-4293
TI - Fuel cell modeling and simulations
VL - 58
ER -
TY - JOUR
AB - The analysis of the complete H2/air polymer electrolyte fuel cell system shows that process air humidification is one of the biggest obstacles for a high-performance portable system in the kW range. Therefore, a new concept, with passive process air humidification integrated into the stack, has been developed. Humidification in each cell makes the process independent of the number of cells and the operation mode, thus making the concept fully scalable. Without external humidification the system is simpler, smaller, and cheaper. The humidification of the process air is achieved by transfer of product water from the exhaust air, through part of the membrane, to the dry intake air. Tests have shown that cells using the concept of internal humidification and operated with dry air at 70 °C have almost the same performance as when operated with external humidification. A 42-cell stack with this internal humidification concept was built and integrated into a portable 1 kW power generator system.
AU - Santis, M.
AU - Schmid, D.
AU - Ruge, M.
AU - Freunberger, Stefan Alexander
AU - Büchi, F.N.
ID - 7333
IS - 3
JF - Fuel Cells
SN - 1615-6846
TI - Modular stack-internal air humidification concept: verification in a 1 kW stack
VL - 4
ER -
TY - JOUR
AB - We present a method for prediction of functional sites in a set of aligned protein sequences.
The method selects sites which are both well conserved and clustered together in space, as inferred from the 3D structures of proteins included in the alignment. We tested the method using 86 alignments from the NCBI CDD database, where the sites of experimentally determined ligand and/or macromolecular interactions are annotated. In agreement with earlier investigations, we found that functional site predictions are most successful when overall background sequence conservation is low, such that sites under evolutionary constraint become apparent. In addition, we found that averaging of conservation values across spatially clustered sites improves predictions under certain conditions: that is, when overall conservation is relatively high and when the site in question involves a large macromolecular binding interface. Under these conditions it is better to look for clusters of conserved sites than to look for particular conserved sites.
AU - Panchenko, Anna R
AU - Fyodor Kondrashov
AU - Bryant, Stephen H
ID - 864
IS - 4
JF - Protein Science
TI - Prediction of functional sites by analysis of sequence and structure conservation
VL - 13
ER -
TY - JOUR
AB - Only a fraction of eukaryotic genes affect the phenotype drastically. We compared 18 parameters in 1273 human morbid genes, known to cause diseases, and in the remaining 16,580 unambiguous human genes. Morbid genes evolve more slowly, have wider phylogenetic distributions, are more similar to essential genes of Drosophila melanogaster, code for longer proteins containing more alanine and glycine and less histidine, lysine and methionine, possess larger numbers of longer introns with more accurate splicing signals and have higher and broader expression. These differences make it possible to classify as non-morbid 34% of human genes with unknown morbidity, when only 5% of known morbid genes are incorrectly classified as non-morbid.
This classification can help to identify disease-causing genes among multiple candidates.
AU - Fyodor Kondrashov
AU - Ogurtsov, Aleksey Yu
AU - Kondrashov, Alexey S
ID - 870
IS - 5
JF - Nucleic Acids Research
TI - Bioinformatical assay of human gene morbidity
VL - 32
ER -
TY - JOUR
AB - The dominance of wild-type alleles and the concomitant recessivity of deleterious mutant alleles might have evolved by natural selection or could be a by-product of the molecular and physiological mechanisms of gene action. We compared the properties of human haplosufficient genes, whose wild-type alleles are dominant over loss-of-function alleles, with haploinsufficient (recessive wild-type) genes, which produce an abnormal phenotype when heterozygous for a loss-of-function allele. The fraction of haplosufficient genes is the highest among the genes that encode enzymes, which is best compatible with the physiological theory. Haploinsufficient genes, on average, have more paralogs than haplosufficient genes, supporting the idea that gene dosage could be important for the initial fixation of duplications. Thus, haplo(in)sufficiency of a gene and its propensity for duplication might have a common evolutionary basis.
AU - Fyodor Kondrashov
AU - Koonin, Eugene V
ID - 875
IS - 7
JF - Trends in Genetics
TI - A common framework for understanding the origin of genetic dominance and evolutionary fates of gene duplications
VL - 20
ER -
TY - JOUR
AB - The function of protein and RNA molecules depends on complex epistatic interactions between sites. Therefore, the deleterious effect of a mutation can be suppressed by a compensatory second-site substitution. In relating a list of 86 pathogenic mutations in human tRNAs encoded by mitochondrial genes to the sequences of their mammalian orthologs, we noted that 52 pathogenic mutations were present in normal tRNAs of one or several nonhuman mammals.
We found at least five mechanisms of compensation for 32 pathogenic mutations that destroyed a Watson-Crick pair in one of the four tRNA stems: restoration of the affected Watson-Crick interaction (25 cases), strengthening of another pair (4 cases), creation of a new pair (8 cases), changes of multiple interactions in the affected stem (11 cases) and changes involving the interaction between the loop and stem structures (3 cases). A pathogenic mutation and its compensating substitution are fixed in a lineage in rapid succession, and often a compensatory interaction evolves convergently in different clades. At least 10%, and perhaps as many as 50%, of all nucleotide substitutions in evolving mammalian tRNAs participate in such interactions, indicating that the evolution of tRNAs proceeds along highly epistatic fitness ridges.
AU - Kern, Andrew D
AU - Fyodor Kondrashov
ID - 889
IS - 11
JF - Nature Genetics
TI - Mechanisms and convergence of compensatory evolution in mammalian mitochondrial tRNAs
VL - 36
ER -
TY - JOUR
AB - In a number of organisms, transgenes containing transcribed inverted repeats (IRs) that produce hairpin RNA can trigger RNA-mediated silencing, which is associated with 21-24 nucleotide small interfering RNAs (siRNAs). In plants, IR-driven RNA silencing also causes extensive cytosine methylation of homologous DNA in both the transgene "trigger" and any other homologous DNA sequences, the "targets". Endogenous genomic sequences, including transposable elements and repeated elements, are also subject to RNA-mediated silencing. The RNA silencing gene ARGONAUTE4 (AGO4) is required for maintenance of DNA methylation at several endogenous loci and for the establishment of methylation at the FWA gene. Here, we show that mutation of AGO4 substantially reduces the maintenance of DNA methylation triggered by IR transgenes, but AGO4 loss-of-function does not block the initiation of DNA methylation by IRs.
AGO4 primarily affects non-CG methylation of the target sequences, while the IR trigger sequences lose methylation in all sequence contexts. Finally, we find that AGO4 and the DRM methyltransferase genes are required for maintenance of siRNAs at a subset of endogenous sequences, but AGO4 is not required for the accumulation of IR-induced siRNAs or a number of endogenous siRNAs, suggesting that AGO4 may function downstream of siRNA production.
AU - Zilberman, Daniel
AU - Cao, Xiaofeng
AU - Johansen, Lisa K.
AU - Xie, Zhixin
AU - Carrington, James C.
AU - Jacobsen, Steven E.
ID - 9493
IS - 13
JF - Current Biology
SN - 0960-9822
TI - Role of Arabidopsis ARGONAUTE4 in RNA-directed DNA methylation triggered by inverted repeats
VL - 14
ER -
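Added worked example for the record "Stack size analysis for interrupt-driven programs" (ID 4556) above. The code is mine, not the authors', and it implements a deliberately restricted model: every handler has a fixed frame size and a static set of interrupts it leaves enabled for its whole body (the paper's program classes allow enabling and disabling at arbitrary points, which is what drives the PSPACE bounds). Under this restriction the preemption relation is a plain graph over handlers, so the abstract's two questions reduce to a cycle check and a longest-path computation. Handler names, frame sizes and the enable sets are constructed sample data.

```python
"""Simplified stack-boundedness and maximum-stack analysis for interrupt handlers.

Model (a simplification, not the algorithms of record 4556): interrupt i may
preempt handler h iff i is in h.enables, and the main program itself enables
main_enables. The stack is unbounded iff a preemption cycle is reachable from
main_enables; otherwise the worst-case stack is the longest frame-weighted
preemption chain.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Handler:
    name: str
    frame: int               # bytes pushed while this handler runs (sample value)
    enables: FrozenSet[str]  # interrupts left enabled inside the body


@dataclass(frozen=True)
class Result:
    bounded: bool
    max_depth: Optional[int]    # worst-case handler stack above main, if bounded
    cycle: Optional[List[str]]  # h0 -> ... -> h0 that can nest forever, if unbounded


def analyze(handlers: Dict[str, Handler], main_enables: FrozenSet[str]) -> Result:
    """Depth-first search over the preemption graph.

    Reaching a handler that is still on the DFS path (GREY) closes a preemption
    cycle, so the stack can grow without bound. Otherwise the deepest stack
    below a handler is its own frame plus the deepest stack of anything it lets
    preempt it; each handler is finished (BLACK) once, so the search is linear
    in the size of this restricted model.
    """
    WHITE, GREY, BLACK = 0, 1, 2
    color = {name: WHITE for name in handlers}
    deepest: Dict[str, int] = {}
    path: List[str] = []

    def visit(name: str) -> Optional[List[str]]:
        if name not in handlers:
            raise KeyError(f"interrupt {name!r} has no handler")
        if color[name] == GREY:
            start = path.index(name)
            return path[start:] + [name]
        if color[name] == BLACK:
            return None
        color[name] = GREY
        path.append(name)
        below = 0
        for irq in sorted(handlers[name].enables):  # sorted for deterministic reports
            cycle = visit(irq)
            if cycle is not None:
                return cycle
            below = max(below, deepest[irq])
        path.pop()
        color[name] = BLACK
        deepest[name] = handlers[name].frame + below
        return None

    for irq in sorted(main_enables):
        cycle = visit(irq)
        if cycle is not None:
            return Result(False, None, cycle)
    return Result(True, max((deepest[i] for i in main_enables), default=0), None)


# Constructed sample program: the timer handler re-enables UART so serial bytes
# are not lost while it runs, and the ADC handler re-enables the timer.
SAFE: Dict[str, Handler] = {
    "uart":  Handler("uart",  frame=40, enables=frozenset()),
    "timer": Handler("timer", frame=24, enables=frozenset({"uart"})),
    "adc":   Handler("adc",   frame=16, enables=frozenset({"timer"})),
}

# The same program with one programming error of the kind the abstract
# describes: UART re-enables the timer, so timer -> uart -> timer -> ... nests forever.
CYCLIC: Dict[str, Handler] = dict(SAFE)
CYCLIC["uart"] = Handler("uart", frame=40, enables=frozenset({"timer"}))

MAIN_ENABLES = frozenset({"timer", "adc"})

if __name__ == "__main__":
    ok = analyze(SAFE, MAIN_ENABLES)
    print("bounded:", ok.bounded, "max handler stack:", ok.max_depth)  # True, 80
    bad = analyze(CYCLIC, MAIN_ENABLES)
    print("bounded:", bad.bounded, "cycle:", " -> ".join(bad.cycle))  # timer -> uart -> timer
```

The bounded result (80 bytes: adc 16 + timer 24 + uart 40) is the figure a practitioner would compare against the stack region reserved by the linker script; the cycle report points at the handler pair whose mutual re-enabling is the bug. Once enable/disable instructions may appear anywhere in a handler body, the state a preemption depends on is no longer a single handler name, and the graph view here no longer suffices; that is the setting in which the record above proves the PSPACE results.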