@inproceedings{4445, abstract = {We present a type system for E code, which is an assembly language that manages the release, interaction, and termination of real-time tasks. E code specifies a deadline for each task, and the type system ensures that the deadlines are path-insensitive. We show that typed E programs allow, for given worst-case execution times of tasks, a simple schedulability analysis. Moreover, the real-time programming language Giotto can be compiled into typed E~code. This shows that typed E~code identifies an easily schedulable yet expressive class of real-time programs. We have extended the Giotto compiler to generate typed E code, and enabled the run-time system for E code to perform a type and schedulability check before executing the code.}, author = {Thomas Henzinger and Kirsch, Christoph M}, pages = {104 -- 113}, publisher = {ACM}, title = {{A typed assembly language for real-time programs}}, doi = {10.1145/1017753.1017774}, year = {2004}, } @inproceedings{4458, abstract = {The success of model checking for large programs depends crucially on the ability to efficiently construct parsimonious abstractions. A predicate abstraction is parsimonious if at each control location, it specifies only relationships between current values of variables, and only those which are required for proving correctness. Previous methods for automatically refining predicate abstractions until sufficient precision is obtained do not systematically construct parsimonious abstractions: predicates usually contain symbolic variables, and are added heuristically and often uniformly to many or all control locations at once. We use Craig interpolation to efficiently construct, from a given abstract error trace which cannot be concretized, a parsominous abstraction that removes the trace. At each location of the trace, we infer the relevant predicates as an interpolant between the two formulas that define the past and the future segment of the trace. Each interpolant is a relationship between current values of program variables, and is relevant only at that particular program location. It can be found by a linear scan of the proof of infeasibility of the trace.We develop our method for programs with arithmetic and pointer expressions, and call-by-value function calls. For function calls, Craig interpolation offers a systematic way of generating relevant predicates that contain only the local variables of the function and the values of the formal parameters when the function was called. We have extended our model checker Blast with predicate discovery by Craig interpolation, and applied it successfully to C programs with more than 130,000 lines of code, which was not possible with approaches that build less parsimonious abstractions.}, author = {Thomas Henzinger and Jhala, Ranjit and Majumdar, Ritankar S and McMillan, Kenneth L}, pages = {232 -- 244}, publisher = {ACM}, title = {{Abstractions from proofs}}, doi = {10.1145/964001.964021}, year = {2004}, } @inproceedings{4459, abstract = {Software model checking has been successful for sequential programs, where predicate abstraction offers suitable models, and counterexample-guided abstraction refinement permits the automatic inference of models. When checking concurrent programs, we need to abstract threads as well as the contexts in which they execute. Stateless context models, such as predicates on global variables, prove insufficient for showing the absence of race conditions in many examples. We therefore use richer context models, which combine (1) predicates for abstracting data state, (2) control flow quotients for abstracting control state, and (3) counters for abstracting an unbounded number of threads. We infer suitable context models automatically by a combination of counterexample-guided abstraction refinement, bisimulation minimization, circular assume-guarantee reasoning, and parametric reasoning about an unbounded number of threads. This algorithm, called CIRC, has been implemented in BLAST and succeeds in checking many examples of NESC code for data races. In particular, BLAST proves the absence of races in several cases where previous race checkers give false positives.}, author = {Thomas Henzinger and Jhala, Ranjit and Majumdar, Ritankar S}, pages = {1 -- 13}, publisher = {ACM}, title = {{Race checking by context inference}}, doi = {10.1145/996841.996844}, year = {2004}, } @inbook{4461, abstract = {One of the central axioms of extreme programming is the disciplined use of regression testing during stepwise software development. Due to recent progress in software model checking, it has become possible to supplement this process with automatic checks for behavioral safety properties of programs, such as conformance with locking idioms and other programming protocols and patterns. For efficiency reasons, all checks must be incremental, i.e., they must reuse partial results from previous checks in order to avoid all unnecessary repetition of expensive verification tasks. We show that the lazy-abstraction algorithm, and its implementation in Blast, can be extended to support the fully automatic and incremental checking of temporal safety properties during software development.}, author = {Thomas Henzinger and Jhala, Ranjit and Majumdar, Ritankar S and Sanvido, Marco A}, booktitle = {Verification: Theory and Practice}, pages = {332 -- 358}, publisher = {Springer}, title = {{Extreme model checking}}, doi = {10.1007/978-3-540-39910-0_16}, volume = {2772}, year = {2004}, } @inproceedings{4525, abstract = {We present a new high-level programming language, called xGiotto, for programming applications with hard real-time constraints. Like its predecessor, xGiotto is based on the LET (logical execution time) assumption: the programmer specifies when the outputs of a task become available, and the compiler checks if the specification can be implemented on a given platform. However, while the predecessor language xGiotto was purely time-triggered, xGiotto accommodates also asynchronous events. Indeed, through a mechanism called event scoping, events are the main structuring principle of the new language. The xGiotto compiler and run-time system implement event scoping through a tree-based event filter. The compiler also checks programs for determinism (absence of race conditions).}, author = {Ghosal, Arkadeb and Thomas Henzinger and Kirsch, Christoph M and Sanvido, Marco A}, pages = {167 -- 170}, publisher = {Springer}, title = {{Event-driven programming with logical execution times}}, doi = {10.1007/978-3-540-24743-2_24}, volume = {2993}, year = {2004}, } @inproceedings{4555, abstract = {Strategies in repeated games can be classified as to whether or not they use memory and/or randomization. We consider Markov decision processes and 2-player graph games, both of the deterministic and probabilistic varieties. We characterize when memory and/or randomization are required for winning with respect to various classes of w-regular objectives, noting particularly when the use of memory can be traded for the use of randomization. In particular, we show that Markov decision processes allow randomized memoryless optimal strategies for all M?ller objectives. Furthermore, we show that 2-player probabilistic graph games allow randomized memoryless strategies for winning with probability 1 those M?ller objectives which are upward-closed. Upward-closure means that if a set α of infinitely repeating vertices is winning, then all supersets of α are also winning.}, author = {Krishnendu Chatterjee and de Alfaro, Luca and Thomas Henzinger}, pages = {206 -- 217}, publisher = {IEEE}, title = {{Trading memory for randomness}}, doi = {10.1109/QEST.2004.10051}, year = {2004}, } @article{4556, abstract = {We study the problem of determining stack boundedness and the exact maximum stack size for three classes of interrupt-driven programs. Interrupt-driven programs are used in many real-time applications that require responsive interrupt handling. In order to ensure responsiveness, programmers often enable interrupt processing in the body of lower-priority interrupt handlers. In such programs a programming error can allow interrupt handlers to be interrupted in a cyclic fashion to lead to an unbounded stack, causing the system to crash. For a restricted class of interrupt-driven programs, we show that there is a polynomial-time procedure to check stack boundedness, while determining the exact maximum stack size is PSPACE-complete. For a larger class of programs, the two problems are both PSPACE-complete, and for the largest class of programs we consider, the two problems are PSPACE-hard and can be solved in exponential time. While the complexities are high, our algorithms are exponential only in the number of handlers, and polynomial in the size of the program.}, author = {Krishnendu Chatterjee and Ma, Di and Majumdar, Ritankar S and Zhao, Tian and Thomas Henzinger and Palsberg, Jens}, journal = {Information and Computation}, number = {2}, pages = {144 -- 174}, publisher = {Elsevier}, title = {{Stack size analysis for interrupt-driven programs}}, doi = {10.1016/j.ic.2004.06.001}, volume = {194}, year = {2004}, } @inproceedings{4558, abstract = {We study perfect-information stochastic parity games. These are two-player nonterminating games which are played on a graph with turn-based probabilistic transitions. A play results in an infinite path and the conflicting goals of the two players are ω-regular path properties, formalized as parity winning conditions. The qualitative solution of such a game amounts to computing the set of vertices from which a player has a strategy to win with probability 1 (or with positive probability). The quantitative solution amounts to computing the value of the game in every vertex, i.e., the highest probability with which a player can guarantee satisfaction of his own objective in a play that starts from the vertex.For the important special case of one-player stochastic parity games (parity Markov decision processes) we give polynomial-time algorithms both for the qualitative and the quantitative solution. The running time of the qualitative solution is O(d · m3/2) for graphs with m edges and d priorities. The quantitative solution is based on a linear-programming formulation.For the two-player case, we establish the existence of optimal pure memoryless strategies. This has several important ramifications. First, it implies that the values of the games are rational. This is in contrast to the concurrent stochastic parity games of de Alfaro et al.; there, values are in general algebraic numbers, optimal strategies do not exist, and ε-optimal strategies have to be mixed and with infinite memory. Second, the existence of optimal pure memoryless strategies together with the polynomial-time solution forone-player case implies that the quantitative two-player stochastic parity game problem is in NP ∩ co-NP. This generalizes a result of Condon for stochastic games with reachability objectives. It also constitutes an exponential improvement over the best previous algorithm, which is based on a doubly exponential procedure of de Alfaro and Majumdar for concurrent stochastic parity games and provides only ε-approximations of the values.}, author = {Krishnendu Chatterjee and Jurdziński, Marcin and Thomas Henzinger}, pages = {121 -- 130}, publisher = {SIAM}, title = {{Quantitative stochastic parity games}}, year = {2004}, } @inproceedings{4577, abstract = {While model checking has been successful in uncovering subtle bugs in code, its adoption in software engineering practice has been hampered by the absence of a simple interface to the programmer in an integrated development environment. We describe an integration of the software model checker BLAST into the Eclipse development environment. We provide a verification interface for practical solutions for some typical program analysis problems - assertion checking, reachability analysis, dead code analysis, and test generation - directly on the source code. The analysis is completely automatic, and assumes no knowledge of model checking or formal notation. Moreover, the interface supports incremental program verification to support incremental design and evolution of code.}, author = {Beyer, Dirk and Thomas Henzinger and Jhala, Ranjit and Majumdar, Ritankar S}, pages = {251 -- 255}, publisher = {IEEE}, title = {{An eclipse plug-in for model checking}}, doi = {10.1109/WPC.2004.1311069 }, year = {2004}, } @inproceedings{4578, abstract = {BLAST is an automatic verification tool for checking temporal safety properties of C programs. Blast is based on lazy predicate abstraction driven by interpolation-based predicate discovery. In this paper, we present the Blast specification language. The language specifies program properties at two levels of precision. At the lower level, monitor automata are used to specify temporal safety properties of program executions (traces). At the higher level, relational reachability queries over program locations are used to combine lower-level trace properties. The two-level specification language can be used to break down a verification task into several independent calls of the model-checking engine. In this way, each call to the model checker may have to analyze only part of the program, or part of the specification, and may thus succeed in a reduction of the number of predicates needed for the analysis. In addition, the two-level specification language provides a means for structuring and maintaining specifications. }, author = {Beyer, Dirk and Chlipala, Adam J and Thomas Henzinger and Jhala, Ranjit and Majumdar, Ritankar S}, pages = {2 -- 18}, publisher = {Springer}, title = {{The BLAST query language for software verification}}, doi = {10.1007/978-3-540-27864-1_2}, volume = {3148}, year = {2004}, } @inproceedings{4581, abstract = {We have extended the software model checker BLAST to automatically generate test suites that guarantee full coverage with respect to a given predicate. More precisely, given a C program and a target predicate p, BLAST determines the set L of program locations which program execution can reach with p true, and automatically generates a set of test vectors that exhibit the truth of p at all locations in L. We have used BLAST to generate test suites and to detect dead code in C programs with up to 30 K lines of code. The analysis and test vector generation is fully automatic (no user intervention) and exact (no false positives).}, author = {Beyer, Dirk and Chlipala, Adam J and Thomas Henzinger and Jhala, Ranjit and Majumdar, Ritankar S}, pages = {326 -- 335}, publisher = {IEEE}, title = {{Generating tests from counterexamples}}, doi = {10.1109/ICSE.2004.1317455}, year = {2004}, } @inproceedings{4629, abstract = {Temporal logic is two-valued: a property is either true or false. When applied to the analysis of stochastic systems, or systems with imprecise formal models, temporal logic is therefore fragile: even small changes in the model can lead to opposite truth values for a specification. We present a generalization of the branching-time logic Ctl which achieves robustness with respect to model perturbations by giving a quantitative interpretation to predicates and logical operators, and by discounting the importance of events according to how late they occur. In every state, the value of a formula is a real number in the interval [0,1], where 1 corresponds to truth and 0 to falsehood. The boolean operators and and or are replaced by min and max, the path quantifiers ∃ and ∀ determine sup and inf over all paths from a given state, and the temporal operators and □ specify sup and inf over a given path; a new operator averages all values along a path. Furthermore, all path operators are discounted by a parameter that can be chosen to give more weight to states that are closer to the beginning of the path. We interpret the resulting logic Dctl over transition systems, Markov chains, and Markov decision processes. We present two semantics for Dctl: a path semantics, inspired by the standard interpretation of state and path formulas in CTL, and a fixpoint semantics, inspired by the μ-calculus evaluation of CTL formulas. We show that, while these semantics coincide for CTL, they differ for Dctl, and we provide model-checking algorithms for both semantics.}, author = {de Alfaro, Luca and Faella, Marco and Thomas Henzinger and Majumdar, Ritankar S and Stoelinga, Mariëlle}, pages = {77 -- 92}, publisher = {Springer}, title = {{Model checking discounted temporal properties}}, doi = {10.1007/978-3-540-24730-2_6}, volume = {2988}, year = {2004}, } @article{847, abstract = {The accumulation of genome-wide information on single nucleotide polymorphisms in humans provides an unprecedented opportunity to detect the evolutionary forces responsible for heterogeneity of the level of genetic variability across loci. Previous studies have shown that history of recombination events has produced long haplotype blocks in the human genome, which contribute to this heterogeneity. Other factors, however, such as natural selection or the heterogeneity of mutation rates across loci, may also lead to heterogeneity of genetic variability. We compared synonymous and non-synonymous variability within human genes with their divergence from murine orthologs. We separately analyzed the non-synonymous variants predicted to damage protein structure or function and the variants predicted to be functionally benign. The predictions were based on comparative sequence analysis and, in some cases, on the analysis of protein structure. A strong correlation between non-synonymous, benign variability and non-synonymous human-mouse divergence suggests that selection played an important role in shaping the pattern of variability in coding regions of human genes. However, the lack of correlation between deleterious variability and evolutionary divergence shows that a substantial proportion of the observed non-synonymous single-nucleotide polymorphisms reduces fitness and never reaches fixation. Evolutionary and medical implications of the impact of selection on human polymorphisms are discussed.}, author = {Sunyaev, Shamil R and Fyodor Kondrashov and Bork, Peer and Ramensky, Vasily}, journal = {Human Molecular Genetics}, number = {24}, pages = {3325 -- 3330}, publisher = {Oxford University Press}, title = {{Impact of selection, mutation rate and genetic drift on human genetic variation}}, doi = {10.1093/hmg/ddg359}, volume = {12}, year = {2003}, } @article{8519, author = {Kaloshin, Vadim}, issn = {0020-9910}, journal = {Inventiones mathematicae}, keywords = {General Mathematics}, number = {3}, pages = {451--512}, publisher = {Springer Nature}, title = {{The existential Hilbert 16-th problem and an estimate for cyclicity of elementary polycycles}}, doi = {10.1007/s00222-002-0244-9}, volume = {151}, year = {2003}, } @article{876, abstract = {Alternative splicing is thought to be a major source of functional diversity in animal proteins. We analyzed the evolutionary conservation of proteins encoded by alternatively spliced genes and predicted the ancestral state for 73 cases of alternative splicing (25 insertions and 48 deletions). The amino acid sequences of most of the inserts in proteins produced by alternative splicing are as conserved as the surrounding sequences. Thus, alternative splicing often creates novel isoforms by the insertion of new, functional protein sequences that probably originated from noncoding sequences of introns.}, author = {Fyodor Kondrashov and Koonin, Eugene V}, journal = {Trends in Genetics}, number = {3}, pages = {115 -- 119}, publisher = {Elsevier}, title = {{Evolution of alternative splicing: Deletions, insertions and origin of functional parts of proteins from intron sequences}}, doi = {10.1016/S0168-9525(02)00029-X}, volume = {19}, year = {2003}, } @article{166, abstract = {For any number field k, upper bounds are established for the number of k-rational points of bounded height on non-singular del Pezzo surfaces defined over k, which are equipped with suitable conic bundle structures over k.}, author = {Browning, Timothy D and Swarbick Jones, M}, journal = {Proceedings of the Bonn session in analytic number theory and diophantine equations}, publisher = {Mathematisches Institut der Universität Bonn}, title = {{Counting rational points on del Pezzo surfaces of degree 5}}, volume = {360}, year = {2003}, } @article{1959, abstract = {The molecular organization of bacterial NADH: ubiquinone oxidoreductase (complex I or NDH-1) is not established, apart from a rough separation into dehydrogenase, connecting and membrane domains. In this work, complex I was purified from Escherichia coli and fragmented by replacing dodecylmaltoside with other detergents. Exchange into decyl maltoside led to the removal of the hydrophobic subunit NuoL from the otherwise intact complex. Diheptanoyl phosphocholine led to the loss of NuoL and NuoM subunits, whereas other subunits remained in the complex. The presence of N,N-dimethyldodecylamine N-oxide or Triton X-100 led to further disruption of the membrane domain into fragments containing NuoL/M/N, NuoA/K/N, and NuoH/J subunits. Among the hydrophilic subunits, NuoCD was most readily dissociated from the complex, whereas NuoB was partially dissociated from the peripheral arm assembly in N,N-dimethyldodecylamine N-oxide. A model of subunit arrangement in bacterial complex I based on these data is proposed. Subunits NuoL and NuoM, which are homologous to antiporters and are implicated in proton pumping, are located at the distal end of the membrane arm, spatially separated from the redox centers of the peripheral arm. This is consistent with proposals that the mechanism of proton pumping by complex I is likely to involve long range conformational changes.}, author = {Holt, Peter J and Morgan, David J and Leonid Sazanov}, journal = {Journal of Biological Chemistry}, number = {44}, pages = {43114 -- 43120}, publisher = {American Society for Biochemistry and Molecular Biology}, title = {{The location of NuoL and NuoM subunits in the membrane domain of the Escherichia coli Complex I: implications for the mechanism of proton pumping}}, doi = {10.1074/jbc.M308247200}, volume = {278}, year = {2003}, } @article{1960, abstract = {NADH-ubiquinone oxidoreductase (complex I or NDH-1) was purified from the BL21 strain of Escherichia coli using an improved procedure. The complex was effectively stabilized by addition of divalent cations and lipids, making the preparation suitable for structural studies. The ubiquinone reductase activity of the enzyme was fully restored by addition of native E. coli lipids. Two different two-dimensional crystal forms, with p2 and p3 symmetry, were obtained using lipids containing native E. coli extracts. Analysis of the crystals showed that they are formed by fully intact complex I in an L-shaped conformation. Activity assays and single particle analysis indicated that complex I maintains this structure in detergent solution and does not adopt a different conformation in the active state. Thus, we provide the first experimental evidence that complex I from E. coli has an L-shape in a lipid bilayer and confirm that this is also the case for the active enzyme in solution. This suggests strongly that bacterial complex I exists in an L-shaped conformation in vivo. Our results also indicate that native lipids play an important role in the activation, stabilization and, as a consequence, crystallization of purified complex I from E. coli.}, author = {Leonid Sazanov and Carroll, Joe D and Holt, Peter J and Toime, Laurence J and Fearnley, Ian M}, journal = {Journal of Biological Chemistry}, number = {21}, pages = {19483 -- 19491}, publisher = {American Society for Biochemistry and Molecular Biology}, title = {{A role for native lipids in the stabilization and two dimensional crystallization of the Escherichia coli NADH ubiquinone oxidoreductase (complex I)}}, doi = {10.1074/jbc.M208959200}, volume = {278}, year = {2003}, } @article{205, author = {Timothy Browning}, journal = {Acta Arithmetica}, number = {3}, pages = {275 -- 295}, publisher = {Instytut Matematyczny}, title = {{Counting rational points on cubic and quartic surfaces}}, doi = {10.4064/aa108-3-7}, volume = {108}, year = {2003}, } @article{206, abstract = {Let T ⊂ ℙ 4 be a non-singular threefold of degree at least four. Then we show that the number of points in T(ℚ), with height at most B, is o(B 3) or B → ∞.}, author = {Timothy Browning}, journal = {Quarterly Journal of Mathematics}, number = {1}, pages = {33 -- 39}, publisher = {Unknown}, title = {{A note on the distribution of rational points on threefolds}}, doi = {10.1093/qjmath/54.1.33}, volume = {54}, year = {2003}, }