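@article{4249,
  abstract     = {We examined causes of speciation in asexual populations in both sympatry and parapatry, providing an alternative explanation for the speciation patterns reported by Dieckmann and Doebeli (1999) and Doebeli and Dieckmann (2003). Both in sympatry and parapatry, they find that speciation occurs relatively easily. We reveal that in the sympatric clonal model, the equilibrium distribution is continuous and the disruptive selection driving evolution of discrete clusters is only transient. Hence, if discrete phenotypes are to remain stable in the sympatric sexual model, there should be some source of nontransient disruptive selection that will drive evolution of assortment. We analyze sexually reproducing populations using the Bulmer’s infinitesimal model and show that cost-free assortment alone leads to speciation and disruptive selection only arises when the optimal distribution cannot be matched—in this example, because the phenotypic range is limited. In addition, Doebeli and Dieckmann’s analyses assumed a high genetic variance and a high mutation rate. Thus, these theoretical models do not support the conclusion that sympatric speciation is a likely outcome of competition for resources. In their parapatric model (Doebeli and Dieckmann 2003), clustering into distinct phenotypes is driven by edge effects, rather than by frequency-dependent competition.},
  author       = {Polechova, Jitka and Barton, Nicholas},
  journal      = {Evolution; International Journal of Organic Evolution},
  number       = {6},
  pages        = {1194--1210},
  publisher    = {Wiley-Blackwell},
  title        = {Speciation through competition: A critical review},
  doi          = {10.1111/j.0014-3820.2005.tb01771.x},
  volume       = {59},
  year         = {2005},
}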

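@article{4251,
  abstract     = {In finite populations subject to selection, genetic drift generates negative linkage disequilibrium, on average, even if selection acts independently (i.e. multiplicatively) upon all loci. Negative disequilibrium reduces the variance in fitness and hence, by FISHER's Fundamental Theorem (1930), slows the rate of increase in mean fitness. Modifiers that increase recombination eliminate the negative disequilibria that impede selection and consequently increase in frequency by 'hitch-hiking'. In addition, recombinant progeny are more fit on average than non-recombinant progeny when there is negative linkage disequilibrium and loci interact multiplicatively. For both these reasons, stochastic fluctuations in linkage disequilibrium in finite populations favor the evolution of increased rates of recombination, even in the absence of epistatic interactions among loci and even when disequilibrium is initially absent. The method developed within this paper quantifies the strength of selection on a modifier allele that increases recombination due to stochastically generated linkage disequilibria. The analysis indicates that, in a population subject to multiplicative selection, genetic associations generated by drift do select for increased recombination, a result that is confirmed by Monte Carlo simulations. Selection for a modifier that increases recombination is highest when linkage among all loci is tight, when beneficial alleles rise from low to high frequency, and when the population size is small.},
  author       = {Barton, Nicholas and Otto, Sarah P.},
  journal      = {Genetics},
  number       = {4},
  pages        = {2353--2370},
  publisher    = {Genetics Society of America},
  title        = {Evolution of recombination due to random drift},
  doi          = {10.1534/genetics.104.032821},
  volume       = {169},
  year         = {2005},
}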

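% NOTE(review): the abstract stops mid-sentence ("We discuss some"); restore
% the remainder from the publisher record.
@article{4252,
  abstract     = {Empirical studies of quantitative genetic variation have revealed robust patterns that are observed both across traits and across species. However, these patterns have no compelling explanation, and some of the observations even appear to be mutually incompatible. We review and extend a major class of theoretical models, ‘mutation–selection models’, that have been proposed to explain quantitative genetic variation. We also briefly review an alternative class of ‘balancing selection models’. We consider to what extent the models are compatible with the general observations, and argue that a key issue is understanding and modelling pleiotropy. We discuss some},
  author       = {Johnson, Toby and Barton, Nicholas},
  journal      = {Philosophical Transactions of the Royal Society of London. Series B, Biological Sciences},
  number       = {1459},
  pages        = {1411--1425},
  publisher    = {Royal Society, The},
  title        = {Theoretical models of selection and mutation on quantitative traits},
  doi          = {10.1098/rstb.2005.1667},
  volume       = {360},
  year         = {2005},
}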

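% NOTE(review): the doi field holds "1550", which is not a DOI (a DOI starts
% with "10."); replace it with the DOI from the publisher record or drop the
% field. booktitle, required for @inproceedings, is also missing.
@inproceedings{4367,
  author       = {Podelski, Andreas and Wies, Thomas},
  pages        = {267--282},
  publisher    = {Springer},
  title        = {Boolean Heaps},
  doi          = {1550},
  year         = {2005},
}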

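% NOTE(review): the doi field holds "1542", which is not a DOI (a DOI starts
% with "10."); replace it with the DOI from the publisher record or drop the
% field. booktitle, required for @inproceedings, is also missing.
@inproceedings{4404,
  author       = {Alur, Rajeev and Cerny, Pavol and Madhusudan, P. and Nam, Wonhong},
  pages        = {98--109},
  publisher    = {ACM},
  title        = {Synthesis of interface specifications for {Java} classes},
  doi          = {1542},
  year         = {2005},
}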

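% NOTE(review): booktitle, required for @inproceedings, is missing; add it
% from the publisher record.
@inproceedings{4412,
  abstract     = {The periodic resource model for hierarchical, compositional scheduling abstracts task groups by resource requirements. We study this model in the presence of dataflow constraints between the tasks within a group (intragroup dependencies), and between tasks in different groups (inter-group dependencies). We consider two natural semantics for dataflow constraints, namely, RTW (real-time workshop) semantics and LET (logical execution time) semantics. We show that while RTW semantics offers better end-to-end latency on the task group level, LET semantics allows tighter resource bounds in the abstraction hierarchy and therefore provides better composability properties. This result holds both for intragroup and intergroup dependencies, as well as for shared and for distributed resources.},
  author       = {Matic, Slobodan and Henzinger, Thomas},
  pages        = {99--110},
  publisher    = {IEEE},
  title        = {Trading end-to-end latency for composability},
  doi          = {10.1109/RTSS.2005.43},
  year         = {2005},
}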

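% NOTE(review): booktitle, required for @inproceedings, is missing; add it
% from the publisher record.
@inproceedings{4418,
  abstract     = {We present a new software system architecture for the implementation of hard real-time applications. The core of the system is a microkernel whose reactivity (interrupt handling as in synchronous reactive programs) and proactivity (task scheduling as in traditional RTOSs) are fully programmable. The microkernel, which we implemented on a StrongARM processor, consists of two interacting domain-specific virtual machines, a reactive E (Embedded) machine and a proactive S (Scheduling) machine. The microkernel code (or microcode) that runs on the microkernel is partitioned into E and S code. E code manages the interaction of the system with the physical environment: the execution of E code is triggered by environment interrupts, which signal external events such as the arrival of a message or sensor value, and it releases application tasks to the S machine. S code manages the interaction of the system with the processor: the execution of S code is triggered by hardware interrupts, which signal internal events such as the completion of a task or time slice, and it dispatches application tasks to the CPU, possibly preempting a running task. This partition of the system orthogonalizes the two main concerns of real-time implementations: E code refers to environment time and thus defines the reactivity of the system in a hardware- and scheduler-independent fashion; S code refers to CPU time and defines a system scheduler. If both time lines can be reconciled, then the code is called time safe; violations of time safety are handled again in a programmable way, by run-time exceptions. The separation of E from S code permits the independent programming, verification, optimization, composition, dynamic adaptation, and reuse of both reaction and scheduling mechanisms. Our measurements show that the system overhead is very acceptable even for large sets of task, generally in the 0.2--0.3% range.},
  author       = {Kirsch, Christoph M. and Sanvido, Marco A. and Henzinger, Thomas},
  pages        = {35--45},
  publisher    = {ACM},
  title        = {A programmable microkernel for real-time systems},
  doi          = {10.1145/1064979.1064986},
  year         = {2005},
}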

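@article{4454,
  abstract     = {We define five increasingly comprehensive classes of infinite-state systems, called STS1--STS5, whose state spaces have finitary structure. For four of these classes, we provide examples from hybrid systems. STS1 These are the systems with finite bisimilarity quotients. They can be analyzed symbolically by iteratively applying predecessor and Boolean operations on state sets, starting from a finite number of observable state sets. Any such iteration is guaranteed to terminate in that only a finite number of state sets can be generated. This enables model checking of the μ-calculus. STS2 These are the systems with finite similarity quotients. They can be analyzed symbolically by iterating the predecessor and positive Boolean operations. This enables model checking of the existential and universal fragments of the μ-calculus. STS3 These are the systems with finite trace-equivalence quotients. They can be analyzed symbolically by iterating the predecessor operation and a restricted form of positive Boolean operations (intersection is restricted to intersection with observables). This enables model checking of all ω-regular properties, including linear temporal logic. STS4 These are the systems with finite distance-equivalence quotients (two states are equivalent if for every distance d, the same observables can be reached in d transitions). The systems in this class can be analyzed symbolically by iterating the predecessor operation and terminating when no new state sets are generated. This enables model checking of the existential conjunction-free and universal disjunction-free fragments of the μ-calculus. STS5 These are the systems with finite bounded-reachability quotients (two states are equivalent if for every distance d, the same observables can be reached in d or fewer transitions).
The systems in this class can be analyzed symbolically by iterating the predecessor operation and terminating when no new states are encountered (this is a weaker termination condition than above). This enables model checking of reachability properties.},
  author       = {Henzinger, Thomas and Majumdar, Ritankar S. and Raskin, Jean-François},
  journal      = {ACM Transactions on Computational Logic (TOCL)},
  number       = {1},
  pages        = {1--32},
  publisher    = {ACM},
  title        = {A classification of symbolic transition systems},
  doi          = {10.1145/1042038.1042039},
  volume       = {6},
  year         = {2005},
}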

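% NOTE(review): booktitle, required for @inproceedings, is missing; add it
% from the publisher record.
@inproceedings{4455,
  abstract     = {We define quantitative similarity functions between timed transition systems that measure the degree of closeness of two systems as a real, in contrast to the traditional boolean yes/no approach to timed simulation and language inclusion. Two systems are close if for each timed trace of one system, there exists a corresponding timed trace in the other system with the same sequence of events and closely corresponding event timings. We show that timed CTL is robust with respect to our quantitative version of bisimilarity, in particular, if a system satisfies a formula, then every close system satisfies a close formula. We also define a discounted version of CTL over timed systems, which assigns to every CTL formula a real value that is obtained by discounting real time. We prove the robustness of discounted CTL by establishing that close states in the bisimilarity metric have close values for all discounted CTL formulas.},
  author       = {Henzinger, Thomas and Majumdar, Ritankar S. and Prabhu, Vinayak S.},
  pages        = {226--241},
  publisher    = {Springer},
  title        = {Quantifying similarities between timed systems},
  doi          = {10.1007/11603009_18},
  volume       = {3829},
  year         = {2005},
}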

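% NOTE(review): booktitle, required for @inproceedings, is missing; add it
% from the publisher record.
@inproceedings{4456,
  abstract     = {A modular program analysis considers components independently and provides a succinct summary for each component, which is used when checking the rest of the system. Consider a system consisting of a library and a client. A temporal summary, or interface, of the library specifies legal sequences of library calls. The interface is safe if no call sequence violates the library's internal invariants; the interface is permissive if it contains every such sequence. Modular program analysis requires full interfaces, which are both safe and permissive: the client does not cause errors in the library if and only if it makes only sequences of library calls that are allowed by the full interface of the library. Previous interface-based methods have focused on safe interfaces, which may be too restrictive and thus reject good clients. We present an algorithm for automatically synthesizing software interfaces that are both safe and permissive. The algorithm generates interfaces as graphs whose vertices are labeled with predicates over the library's internal state, and whose edges are labeled with library calls. The interface state is refined incrementally until the full interface is constructed. In other words, the algorithm automatically synthesizes a typestate system for the library, against which any client can be checked for compatibility. We present an implementation of the algorithm which is based on the BLAST model checker, and we evaluate some case studies.},
  author       = {Henzinger, Thomas and Jhala, Ranjit and Majumdar, Ritankar S.},
  pages        = {31--40},
  publisher    = {ACM},
  title        = {Permissive interfaces},
  doi          = {10.1145/1081706.1081713},
  year         = {2005},
}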

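% NOTE(review): booktitle, required for @inproceedings, is missing; add it
% from the publisher record.
@inproceedings{4457,
  abstract     = {We present a compositional approach to the implementation of hard real-time software running on a distributed platform. We explain how several code suppliers, coordinated by a system integrator, can independently generate different parts of the distributed software. The task structure, interaction, and timing is specified as a Giotto program. Each supplier is given a part of the Giotto program and a timing interface, from which the supplier generates task and scheduling code. The integrator then checks, individually for each supplier, in pseudo-polynomial time, if the supplied code meets its timing specification. If all checks succeed, then the supplied software parts are guaranteed to work together and implement the original Giotto program. The feasibility of the approach is demonstrated by a prototype implementation.},
  author       = {Henzinger, Thomas and Kirsch, Christoph M. and Matic, Slobodan},
  pages        = {21--30},
  publisher    = {ACM},
  title        = {Composable code generation for distributed {Giotto}},
  doi          = {10.1145/1065910.1065914},
  year         = {2005},
}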

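% NOTE(review): booktitle, required for @inproceedings, is missing; add it
% from the publisher record.
@inproceedings{4536,
  abstract     = {We show how to automatically construct and refine rectangular abstractions of systems of linear differential equations. From a hybrid automaton whose dynamics are given by a system of linear differential equations, our method computes automatically a sequence of rectangular hybrid automata that are increasingly precise overapproximations of the original hybrid automaton. We prove an optimality criterion for successive refinements. We also show that this method can take into account a safety property to be verified, refining only relevant parts of the state space. The practicability of the method is illustrated on a benchmark case study.},
  author       = {Doyen, Laurent and Henzinger, Thomas and Raskin, Jean-François},
  pages        = {144--161},
  publisher    = {Springer},
  title        = {Automatic rectangular refinement of affine hybrid systems},
  doi          = {10.1007/11603009_13},
  volume       = {3829},
  year         = {2005},
}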

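% NOTE(review): booktitle, required for @inproceedings, is missing; add it
% from the publisher record. The DOI prefix 10.1007 is Springer's, while the
% publisher field names Schloss Dagstuhl; confirm which of the two is correct.
@inproceedings{4541,
  abstract     = {Much recent research has focused on the applications of games with ω-regular objectives in the control and verification of reactive systems. However, many of the game-based models are ill-suited for these applications, because they assume that each player has complete information about the state of the system (they are “perfect-information” games). This is because in many situations, a controller does not see the private state of the plant. Such scenarios are naturally modeled by “partial-information” games. On the other hand, these games are intractable; for example, partial-information games with simple reachability objectives are 2EXPTIME-complete.
We study the intermediate case of “semiperfect-information” games, where one player has complete knowledge of the state, while the other player has only partial knowledge. This model is appropriate in control situations where a controller must cope with plant behavior that is as adversarial as possible, i.e., the controller has partial information while the plant has perfect information. As is customary, we assume that the controller and plant take turns to make moves. We show that these semiperfect-information turn-based games are equivalent to perfect-information concurrent games, where the two players choose their moves simultaneously and independently. Since the perfect-information concurrent games are well-understood, we obtain several results of how semiperfect-information turn-based games differ from perfect-information turn-based games on one hand, and from partial-information turn-based games on the other hand. In particular, semiperfect-information turn-based games can benefit from randomized strategies while the perfect-information variety cannot, and semiperfect-information turn-based games are in NP ∩ coNP for all parity objectives.},
  author       = {Chatterjee, Krishnendu and Henzinger, Thomas},
  pages        = {1--18},
  publisher    = {Schloss Dagstuhl - Leibniz-Zentrum für Informatik},
  title        = {Semiperfect-information games},
  doi          = {10.1007/11590156_1},
  volume       = {3821},
  year         = {2005},
}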

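% NOTE(review): booktitle, required for @inproceedings, is missing; add it
% from the publisher record.
@inproceedings{4553,
  abstract     = {The theory of graph games with ω-regular winning conditions is the foundation for modeling and synthesizing reactive processes. In the case of stochastic reactive processes, the corresponding stochastic graph games have three players, two of them (System and Environment) behaving adversarially, and the third (Uncertainty) behaving probabilistically. We consider two problems for stochastic graph games: the qualitative problem asks for the set of states from which a player can win with probability 1 (almost-sure winning); the quantitative problem asks for the maximal probability of winning (optimal winning) from each state. We show that for Rabin winning conditions, both problems are in NP. As these problems were known to be NP-hard, it follows that they are NP-complete for Rabin conditions, and dually, coNP-complete for Streett conditions. The proof proceeds by showing that pure memoryless strategies suffice for qualitatively and quantitatively winning stochastic graph games with Rabin conditions. This insight is of interest in its own right, as it implies that controllers for Rabin objectives have simple implementations. We also prove that for every ω-regular condition, optimal winning strategies are no more complex than almost-sure winning strategies.},
  author       = {Chatterjee, Krishnendu and de Alfaro, Luca and Henzinger, Thomas},
  pages        = {878--890},
  publisher    = {Springer},
  title        = {The complexity of stochastic {Rabin} and {Streett} games},
  doi          = {10.1007/11523468_71},
  volume       = {3580},
  year         = {2005},
}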

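% NOTE(review): booktitle, required for @inproceedings, is missing; add it
% from the publisher record.
@inproceedings{4554,
  abstract     = {Games played on graphs may have qualitative objectives, such as the satisfaction of an ω-regular property, or quantitative objectives, such as the optimization of a real-valued reward. When games are used to model reactive systems with both fairness assumptions and quantitative (e.g., resource) constraints, then the corresponding objective combines both a qualitative and a quantitative component. In a general case of interest, the qualitative component is a parity condition and the quantitative component is a mean-payoff reward. We study and solve such mean-payoff parity games. We also prove some interesting facts about mean-payoff parity games which distinguish them both from mean-payoff and from parity games. In particular, we show that optimal strategies exist in mean-payoff parity games, but they may require infinite memory.},
  author       = {Chatterjee, Krishnendu and Henzinger, Thomas and Jurdziński, Marcin},
  pages        = {178--187},
  publisher    = {IEEE},
  title        = {Mean-payoff parity games},
  doi          = {10.1109/LICS.2005.26},
  year         = {2005},
}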

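% NOTE(review): booktitle, required for @inproceedings, is missing; add it
% from the publisher record.
@inproceedings{4557,
  abstract     = {Planning in adversarial and uncertain environments can be modeled as the problem of devising strategies in stochastic perfect information games. These games are generalizations of Markov decision processes (MDPs): there are two (adversarial) players, and a source of randomness. The main practical obstacle to computing winning strategies in such games is the size of the state space. In practice therefore, one typically works with abstractions of the model. The difficulty is to come up with an abstraction that is neither too coarse to remove all winning strategies (plans), nor too fine to be intractable. In verification, the paradigm of counterexample-guided abstraction refinement has been successful to construct useful but parsimonious abstractions automatically. We extend this paradigm to probabilistic models (namely, perfect information games and, as a special case, MDPs). This allows us to apply the counterexample-guided abstraction paradigm to the AI planning problem. As special cases, we get planning algorithms for MDPs and deterministic systems that automatically construct system abstractions.},
  author       = {Chatterjee, Krishnendu and Henzinger, Thomas and Jhala, Ranjit and Majumdar, Ritankar S.},
  pages        = {104--111},
  publisher    = {AUAI Press},
  title        = {Counterexample-guided planning},
  year         = {2005},
}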

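% NOTE(review): booktitle, required for @inproceedings, is missing; add it
% from the publisher record.
@inproceedings{4560,
  abstract     = {We define and study a quantitative generalization of the traditional boolean framework of model-based specification and verification. In our setting, propositions have integer values at states, and properties have integer values on traces. For example, the value of a quantitative proposition at a state may represent power consumed at the state, and the value of a quantitative property on a trace may represent energy used along the trace. The value of a quantitative property at a state, then, is the maximum (or minimum) value achievable over all possible traces from the state. In this framework, model checking can be used to compute, for example, the minimum battery capacity necessary for achieving a given objective, or the maximal achievable lifetime of a system with a given initial battery capacity. In the case of open systems, these problems require the solution of games with integer values.
Quantitative model checking and game solving is undecidable, except if bounds on the computation can be found. Indeed, many interesting quantitative properties, like minimal necessary battery capacity and maximal achievable lifetime, can be naturally specified by quantitative-bound automata, which are finite automata with integer registers whose analysis is constrained by a bound function f that maps each system K to an integer f(K). Along with the linear-time, automaton-based view of quantitative verification, we present a corresponding branching-time view based on a quantitative-bound μ-calculus, and we study the relationship, expressive power, and complexity of both views.},
  author       = {Chakrabarti, Arindam and Chatterjee, Krishnendu and Henzinger, Thomas and Kupferman, Orna and Majumdar, Ritankar S.},
  pages        = {50--64},
  publisher    = {Springer},
  title        = {Verifying quantitative properties using bound functions},
  doi          = {10.1007/11560548_7},
  volume       = {3725},
  year         = {2005},
}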

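% NOTE(review): booktitle, required for @inproceedings, is missing; add it
% from the publisher record.
@inproceedings{4576,
  abstract     = {We present a language for specifying web service interfaces. A web service interface puts three kinds of constraints on the users of the service. First, the interface specifies the methods that can be called by a client, together with types of input and output parameters; these are called signature constraints. Second, the interface may specify propositional constraints on method calls and output values that may occur in a web service conversation; these are called consistency constraints. Third, the interface may specify temporal constraints on the ordering of method calls; these are called protocol constraints. The interfaces can be used to check, first, if two or more web services are compatible, and second, if a web service A can be safely substituted for a web service B. The algorithm for compatibility checking verifies that two or more interfaces fulfill each others’ constraints. The algorithm for substitutivity checking verifies that service A demands fewer and fulfills more constraints than service B.},
  author       = {Beyer, Dirk and Chakrabarti, Arindam and Henzinger, Thomas},
  pages        = {148--159},
  publisher    = {ACM},
  title        = {Web service interfaces},
  doi          = {10.1145/1060745.1060770},
  year         = {2005},
}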

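% NOTE(review): booktitle, required for @inproceedings, is missing; add it
% from the publisher record.
@inproceedings{4579,
  abstract     = {BLAST is an automatic verification tool for checking temporal safety properties of C programs. Given a C program and a temporal safety property, BLAST statically proves that either the program satisfies the safety property or the program has an execution trace that exhibits a violation of the property. BLAST constructs, explores, and refines abstractions of the program state space based on lazy predicate abstraction and interpolation-based predicate discovery. We show how BLAST can be used to statically prove memory safety for C programs. We take a two-step approach. First, we use Ccured, a type-based memory safety analyzer, to annotate with run-time checks all program points that cannot be proved memory safe by the type system. Second, we use BLAST to remove as many of the run-time checks as possible (by proving that these checks never fail), and to generate for the remaining run-time checks execution traces that witness them fail. Our experience shows that BLAST can remove many of the run-time checks added by Ccured and provide useful information to the programmer about many of the remaining checks.},
  author       = {Beyer, Dirk and Henzinger, Thomas and Jhala, Ranjit and Majumdar, Ritankar S.},
  pages        = {2--18},
  publisher    = {Springer},
  title        = {Checking memory safety with {BLAST}},
  doi          = {10.1007/978-3-540-31984-9_2},
  volume       = {3442},
  year         = {2005},
}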

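% NOTE(review): booktitle, required for @inproceedings, is missing; add it
% from the publisher record.
@inproceedings{4624,
  abstract     = {Surveying results from [5] and [6], we motivate and introduce the theory behind formalizing rich interfaces for software and hardware components. Rich interfaces specify the protocol aspects of component interaction. Their formalization, called interface automata, permits a compiler to check the compatibility of component interaction protocols. Interface automata support incremental design and independent implementability. Incremental design means that the compatibility checking of interfaces can proceed for partial system descriptions, without knowing the interfaces of all components. Independent implementability means that compatible interfaces can be refined separately, while still maintaining compatibility.},
  author       = {de Alfaro, Luca and Henzinger, Thomas},
  pages        = {83--104},
  publisher    = {Springer},
  title        = {Interface-based design},
  doi          = {10.1007/1-4020-3532-2_3},
  volume       = {195},
  year         = {2005},
}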

