@inproceedings{4462,
abstract = {A major hurdle in the algorithmic verification and control of systems is the need to find suitable abstract models, which omit enough details to overcome the state-explosion problem, but retain enough details to exhibit satisfaction or controllability with respect to the specification. The paradigm of counterexample-guided abstraction refinement suggests a fully automatic way of finding suitable abstract models: one starts with a coarse abstraction, attempts to verify or control the abstract model, and if this attempt fails and the abstract counterexample does not correspond to a concrete counterexample, then one uses the spurious counterexample to guide the refinement of the abstract model. We present a counterexample-guided refinement algorithm for solving ω-regular control objectives. The main difficulty is that in control, unlike in verification, counterexamples are strategies in a game between system and controller. In the case that the controller has no choices, our scheme subsumes known counterexample-guided refinement algorithms for the verification of ω-regular specifications. Our algorithm is useful in all situations where ω-regular games need to be solved, such as supervisory control, sequential and program synthesis, and modular verification. The algorithm is fully symbolic, and therefore applicable also to infinite-state systems.},
author = {Thomas Henzinger and Jhala, Ranjit and Majumdar, Ritankar S},
pages = {886 -- 902},
publisher = {Springer},
title = {{Counterexample-guided control}},
doi = {10.1007/3-540-45061-0_69},
volume = {2719},
year = {2003},
}
@inproceedings{4463,
abstract = {We present an algorithm called TAR (“Thread-modular Abstraction Refinement”) for model checking safety properties of concurrent software. The TAR algorithm uses thread-modular assume-guarantee reasoning to overcome the exponential complexity in the control state of multithreaded programs. Thread modularity means that TAR explores the state space of one thread at a time, making assumptions about how the environment can interfere. The TAR algorithm uses counterexample-guided predicate-abstraction refinement to overcome the usually infinite complexity in the data state of C programs. A successive approximation scheme automatically infers the necessary precision on data variables as well as suitable environment assumptions. The scheme is novel in that transition relations are approximated from above, while at the same time environment assumptions are approximated from below. In our software verification tool BLAST we have implemented a fully automatic race checker for multithreaded C programs which is based on the TAR algorithm. This tool has verified a wide variety of commonly used locking idioms, including locking schemes that are not amenable to existing dynamic and static race checkers such as ERASER or WARLOCK.},
author = {Thomas Henzinger and Jhala, Ranjit and Majumdar, Ritankar S and Qadeer,Shaz},
pages = {262 -- 274},
publisher = {Springer},
title = {{Thread-modular abstraction refinement}},
doi = {10.1007/978-3-540-45069-6_27},
volume = {2725},
year = {2003},
}
@inproceedings{4464,
abstract = {We introduce the paradigm of schedule-carrying code (SCC). A hard real-time program can be executed on a given platform only if there exists a feasible schedule for the real-time tasks of the program. Traditionally, a scheduler determines the existence of a feasible schedule according to some scheduling strategy. With SCC, a compiler proves the existence of a feasible schedule by generating executable code that is attached to the program and represents its schedule. An SCC executable is a real-time program that carries its schedule as code, which is produced once and can be revalidated and executed with each use. We evaluate SCC both in theory and practice. In theory, we give two scenarios, of nonpreemptive and distributed scheduling for Giotto programs, where the generation of a feasible schedule is hard, while the validation of scheduling instructions that are attached to the programs is easy. In practice, we implement SCC and show that explicit scheduling instructions can reduce the scheduling overhead up to 35% and can provide an efficient, flexible, and verifiable means for compiling Giotto programs on complex architectures, such as the TTA.},
author = {Thomas Henzinger and Kirsch, Christoph M and Matic, Slobodan},
pages = {241 -- 256},
publisher = {ACM},
title = {{Schedule-carrying code}},
doi = {10.1007/978-3-540-45212-6_16},
volume = {2855},
year = {2003},
}
@inbook{4465,
abstract = {Giotto is a principled, tool-supported design methodology for implementing embedded control systems on platforms of possibly distributed sensors, actuators, CPUs, and networks. Giotto is based on the principle that time-triggered task invocations plus time-triggered mode switches can form the abstract essence of programming real-time control systems. Giotto consists of a programming language with a formal semantics, and a retargetable compiler and runtime library. Giotto supports the automation of control system design by strictly separating platform-independent functionality and timing concerns from platform-dependent scheduling and communication issues. The time-triggered predictability of Giotto makes it particularly suitable for safety-critical applications with hard real-time constraints. We illustrate the platform independence and time-triggered execution of Giotto by coordinating a heterogeneous flock of Intel x86 robots and Lego Mindstorms robots.},
author = {Thomas Henzinger and Horowitz, Benjamin and Kirsch, Christoph M},
booktitle = {Software-Enabled Control: Information Technology for Dynamical Systems},
pages = {123 -- 146},
publisher = {Wiley-Blackwell},
title = {{Embedded control systems development with Giotto}},
doi = {10.1002/047172288X.ch8},
year = {2003},
}
@inproceedings{4466,
abstract = {One source of complexity in the μ-calculus is its ability to specify an unbounded number of switches between universal (AX) and existential (EX) branching modes. We therefore study the problems of satisfiability, validity, model checking, and implication for the universal and existential fragments of the μ-calculus, in which only one branching mode is allowed. The universal fragment is rich enough to express most specifications of interest, and therefore improved algorithms are of practical importance. We show that while the satisfiability and validity problems become indeed simpler for the existential and universal fragments, this is, unfortunately, not the case for model checking and implication. We also show the corresponding results for the alternationfree fragment of the μ-calculus, where no alternations between least and greatest fixed points are allowed. Our results imply that efforts to find a polynomial-time model-checking algorithm for the μ-calculus can be replaced by efforts to find such an algorithm for the universal or existential fragment.},
author = {Thomas Henzinger and Kupferman, Orna and Majumdar, Ritankar S},
pages = {49 -- 64},
publisher = {Springer},
title = {{On the universal and existential fragments of the mu-calculus}},
doi = {10.1007/3-540-36577-X_5},
volume = {2619},
year = {2003},
}
@inproceedings{4467,
abstract = {BLAST (the Berkeley Lazy Abstraction Software verification Tool) is a verification system for checking safety properties of C programs using automatic property-driven construction and model checking of software abstractions. Blast implements an abstract-model check-refine loop to check for reachability of a specified label in the program. The abstract model is built on the fly using predicate abstraction. This model is then checked for reachability. If there is no (abstract) path to the specified error label, Blast reports that the system is safe and produces a succinct proof. Otherwise, it checks if the path is feasible using symbolic execution of the program. If the path is feasible, Blast outputs the path as an error trace, otherwise, it uses the infeasibility of the path to refine the abstract model. Blast short-circuits the loop from abstraction to verification to refinement, integrating the three steps tightly through “lazy abstraction” [5]. This integration can offer significant advantages in performance by avoiding the repetition of work from one iteration of the loop to the next. },
author = {Thomas Henzinger and Jhala, Ranjit and Majumdar, Ritankar S and Sutre, Grégoire},
pages = {235 -- 239},
publisher = {Springer},
title = {{Software verification with BLAST}},
doi = {10.1007/3-540-44829-2_17},
volume = {2648},
year = {2003},
}
@article{4468,
abstract = {Giotto is a high-level programming language for time-triggered control applications. The authors begin with a conceptual overview of its methodology, discuss the Giotto helicopter project, and summarize available Giotto implementations.},
author = {Thomas Henzinger and Kirsch, Christoph M and Sanvido, Marco A and Pree, Wolfgang},
journal = {IEEE Control Systems Magazine},
number = {1},
pages = {50 -- 64},
publisher = {IEEE},
title = {{From control models to real-time code using Giotto}},
doi = {10.1109/MCS.2003.1172829},
volume = {23},
year = {2003},
}
@article{4469,
abstract = {Giotto provides an abstract programmer's model for the implementation of embedded control systems with hard real-time constraints. A typical control application consists of periodic software tasks together with a mode-switching logic for enabling and disabling tasks. Giotto specifies time-triggered sensor readings, task invocations, actuator updates, and mode switches independent of any implementation platform. Giotto can be annotated with platform constraints such as task-to-host mappings, and task and communication schedules. The annotations are directives for the Giotto compiler, but they do not alter the functionality and timing of a Giotto program. By separating the platform-independent from the platform-dependent concerns, Giotto enables a great deal of flexibility in choosing control platforms as well as a great deal of automation in the validation and synthesis of control software. The time-triggered nature of Giotto achieves timing predictability, which makes Giotto particularly suitable for safety-critical applications.},
author = {Thomas Henzinger and Horowitz, Benjamin and Kirsch, Christoph M},
journal = {Proceedings of the IEEE},
number = {1},
pages = {84 -- 99},
publisher = {IEEE},
title = {{Giotto: A time-triggered language for embedded programming}},
doi = {10.1109/JPROC.2002.805825},
volume = {91},
year = {2003},
}
@inproceedings{4561,
abstract = {We present a formalism for specifying component interfaces that expose component requirements on limited resources. The formalism permits an algorithmic check if two or more components, when put together, exceed the available resources. Moreover, the formalism can be used to compute the quantity of resources necessary for satisfying the requirements of a collection of components. The formalism can be instantiated in several ways. For example, several components may draw power from the same source. Then, the formalism supports compatibility checks such as: can two components, when put together, achieve their tasks without ever exceeding the available amount of peak power? or, can they achieve their tasks by using no more than the initially available amount of energy (i.e., power accumulated over time)? The corresponding quantitative questions that our algorithms answer are the following: what is the amount of peak power needed for two components to be put together? what is the corresponding amount of initial energy? To solve these questions, we model interfaces with resource requirements as games with quantitative objectives. The games are played on state spaces where each state is labeled by a number (representing, e.g., power consumption), and a play produces an infinite path of labels. The objective may be, for example, to minimize the largest label that occurs during a play. We illustrate our approach by modeling compatibility questions for the components of robot control software, and of wireless sensor networks.},
author = {Chakrabarti, Arindam and de Alfaro, Luca and Thomas Henzinger and Stoelinga, Mariëlle},
pages = {117 -- 133},
publisher = {ACM},
title = {{Resource interfaces}},
doi = {10.1007/978-3-540-45212-6_9},
volume = {2855},
year = {2003},
}
@article{2990,
abstract = {Plant growth is marked by its adaptability to continuous changes in environment. A regulated, differential distribution of auxin underlies many adaptation processes including organogenesis, meristem patterning and tropisms. In executing its multiple roles, auxin displays some characteristics of both a hormone and a morphogen. Studies on auxin transport, as well as tracing the intracellular movement of its molecular components, have suggested a possible scenario to explain how growth plasticity is conferred at the cellular and molecular level. The plant perceives stimuli and changes the subcellular position of auxin-transport components accordingly. These changes modulate auxin fluxes, and the newly established auxin distribution triggers the corresponding developmental response.},
author = {Friml, Jirí},
journal = {Current Opinion in Plant Biology},
number = {1},
pages = {7 -- 12},
publisher = {Elsevier},
title = {{Auxin transport - Shaping the plant}},
doi = {10.1016/S1369526602000031},
volume = {6},
year = {2003},
}