Publications (273); 35.76 Total impact
ABSTRACT: Scenarios, or Message Sequence Charts, offer an intuitive way of describing the desired behaviors of a distributed protocol. In this paper we propose a new way of specifying finite-state protocols using scenarios: we show that it is possible to automatically derive a distributed implementation from a set of scenarios augmented with a set of safety and liveness requirements, provided the given scenarios adequately cover all the states of the desired implementation. We first derive incomplete state machines from the given scenarios, and then synthesis corresponds to completing the transition relation of individual processes so that the global product meets the specified requirements. This completion problem, in general, has the same complexity, PSPACE, as the verification problem, but unlike the verification problem, is NP-complete for a constant number of processes. We present two algorithms for solving the completion problem, one based on a heuristic search in the space of possible completions and one based on OBDD-based symbolic fixpoint computation. We evaluate the proposed methodology for protocol specification and the effectiveness of the synthesis algorithms using the classical alternating-bit protocol.
02/2014
ABSTRACT: We focus on (partial) functions that map input strings to a monoid such as the set of integers with addition and the set of output strings with concatenation. The notion of regularity for such functions has been defined using two-way finite-state transducers, (one-way) cost register automata, and MSO-definable graph transformations. In this paper, we give an algebraic and machine-independent characterization of this class analogous to the definition of regular languages by regular expressions. When the monoid is commutative, we prove that every regular function can be constructed from constant functions using the combinators of choice, split sum, and iterated sum, that are analogs of union, concatenation, and Kleene-*, respectively, but enforce unique (or unambiguous) parsing. Our main result is for the general case of non-commutative monoids, which is of particular interest for capturing regular string-to-string transformations for document processing. We prove that the following additional combinators suffice for constructing all regular functions: (1) the left-additive versions of split sum and iterated sum, which allow transformations such as string reversal; (2) sum of functions, which allows transformations such as copying of strings; and (3) function composition, or alternatively, a new concept of chained sum, which allows output values from adjacent blocks to mix.
02/2014
ABSTRACT: The design and implementation of software for medical devices is challenging due to the closed-loop interaction with the patient, which is a stochastic physical environment. The safety-critical nature and the lack of existing industry standards for verification make this an ideal domain for exploring applications of formal modeling and closed-loop analysis. The biggest challenge is that the environment model(s) have to be both complex enough to express the physiological requirements and general enough to cover all possible inputs to the device. In this effort, we use a dual chamber implantable pacemaker as a case study to demonstrate verification of software specifications of medical devices as timed-automata models in UPPAAL. The pacemaker model is based on the specifications and algorithm descriptions from Boston Scientific. The heart is modeled using timed automata based on the physiology of the heart. The model is gradually abstracted with timed simulation to preserve properties. A manual Counter-Example-Guided Abstraction and Refinement (CEGAR) framework has been adapted to refine the heart model when spurious counter-examples are found. To demonstrate the closed-loop nature of the problem and heart model refinement, we investigated two clinical cases of Pacemaker Mediated Tachycardia and verified their corresponding correction algorithms in the pacemaker. Along with our tools for code generation from UPPAAL models, this effort enables model-driven design and certification of software for medical devices.
International Journal on Software Tools for Technology Transfer 01/2014; 16(2)
ABSTRACT: The reactive synthesis problem is to find a finite-state controller that satisfies a given temporal-logic specification regardless of how its environment behaves. Developing a formal specification is a challenging and tedious task and initial specifications are often unrealizable. In many cases, the source of unrealizability is the lack of adequate assumptions on the environment of the system. In this paper, we consider the problem of automatically correcting an unrealizable specification given in the generalized reactivity (1) fragment of linear temporal logic by adding assumptions on the environment. When a temporal-logic specification is unrealizable, the synthesis algorithm computes a counter-strategy as a witness. Our algorithm then analyzes this counter-strategy and synthesizes a set of candidate environment assumptions that can be used to remove the counter-strategy from the environment's possible behaviors. We demonstrate the applicability of our approach with several case studies.
08/2013
Conference Paper: Automated grading of DFA constructions
ABSTRACT: One challenge in making online education more effective is to develop automatic grading software that can provide meaningful feedback. This paper provides a solution to automatic grading of the standard computation-theory problem that asks a student to construct a deterministic finite automaton (DFA) from the given description of its language. We focus on how to assign partial grades for incorrect answers. Each student's answer is compared to the correct DFA using a hybrid of three techniques devised to capture different classes of errors. First, in an attempt to catch syntactic mistakes, we compute the edit distance between the two DFA descriptions. Second, we consider the entropy of the symmetric difference of the languages of the two DFAs, and compute a score that estimates the fraction of the number of strings on which the student answer is wrong. Our third technique is aimed at capturing mistakes in reading of the problem description. For this purpose, we consider a description language MOSEL, which adds syntactic sugar to the classical Monadic Second Order Logic, and allows defining regular languages in a concise and natural way. We provide algorithms, along with optimizations, for transforming MOSEL descriptions into DFAs and vice versa. These allow us to compute the syntactic edit distance of the incorrect answer from the correct one in terms of their logical representations. We report an experimental study that evaluates hundreds of answers submitted by (real) students by comparing grades/feedback computed by our tool with human graders. Our conclusion is that the tool is able to assign partial grades in a meaningful way, and should be preferred over the human graders for both scalability and consistency.
Proceedings of the Twenty-Third international joint conference on Artificial Intelligence; 08/2013
Conference Paper: Regular Functions and Cost Register Automata
ABSTRACT: We propose a deterministic model for associating costs with strings that is parameterized by operations of interest (such as addition, scaling, and minimum), a notion of regularity that provides a yardstick to measure expressiveness, and study decision problems and theoretical properties of resulting classes of cost functions. Our definition of regularity relies on the theory of string-to-tree transducers, and allows associating costs with events that are conditioned on regular properties of future events. Our model of cost register automata allows computation of regular functions using multiple "write-only" registers whose values can be combined using the allowed set of operations. We show that the classical shortest-path algorithms as well as the algorithms designed for computing discounted costs can be adapted for solving the min-cost problems for the more general classes of functions specified in our model. Cost register automata with the operations of minimum and increment give a deterministic model that is equivalent to weighted automata, an extensively studied nondeterministic model, and this connection results in new insights and new open problems.
Proceedings of the 2013 28th Annual ACM/IEEE Symposium on Logic in Computer Science; 06/2013
Conference Paper: TRANSIT: specifying protocols with concolic snippets
ABSTRACT: With the maturing of technology for model checking and constraint solving, there is an emerging opportunity to develop programming tools that can transform the way systems are specified. In this paper, we propose a new way to program distributed protocols using concolic snippets. Concolic snippets are sample execution fragments that contain both concrete and symbolic values. The proposed approach allows the programmer to describe the desired system partially using the traditional model of communicating extended finite-state machines (EFSM), along with high-level invariants and concrete execution fragments. Our synthesis engine completes an EFSM skeleton by inferring guards and updates from the given fragments, which is then automatically analyzed using a model checker with respect to the desired invariants. The counterexamples produced by the model checker can then be used by the programmer to add new concrete execution fragments that describe the correct behavior in the specific scenario corresponding to the counterexample. We describe TRANSIT, a language and prototype implementation of the proposed specification methodology for distributed protocols.
Experimental evaluations of TRANSIT to specify cache coherence protocols show that (1) the algorithm for expression inference from concolic snippets can synthesize expressions of size 15 involving typical operators over commonly occurring types, (2) for a classical directory-based protocol, TRANSIT automatically generates, in a few seconds, a complete implementation from a specification consisting of the EFSM structure and a few concrete examples for every transition, and (3) a published partial description of the SGI Origin cache coherence protocol maps directly to symbolic examples and leads to a complete implementation in a few iterations, with the programmer correcting counterexamples resulting from underspecified transitions by adding concrete examples in each iteration.
Proceedings of the 34th ACM SIGPLAN conference on Programming language design and implementation; 06/2013
ABSTRACT: Additive Cost Register Automata (ACRA) map strings to integers using a finite set of registers that are updated using assignments of the form "x := y + c" at every step. The corresponding class of additive regular functions has multiple equivalent characterizations, appealing closure properties, and a decidable equivalence problem. In this paper, we solve two decision problems for this model. First, we define the register complexity of an additive regular function to be the minimum number of registers that an ACRA needs to compute it. We characterize the register complexity by a necessary and sufficient condition regarding the largest subset of registers whose values can be made far apart from one another. We then use this condition to design a PSPACE algorithm to compute the register complexity of a given ACRA, and establish a matching lower bound. Our results also lead to a machine-independent characterization of the register complexity of additive regular functions. Second, we consider two-player games over ACRAs, where the objective of one of the players is to reach a target set while minimizing the cost. We show the corresponding decision problem to be EXPTIME-complete when costs are non-negative integers, but undecidable when costs are integers.
04/2013
Conference Paper: Towards synthesis of platform-aware attack-resilient control systems: extended abstract
ABSTRACT: We consider a resource allocation problem that ensures a fair QoS (Quality of Service) level among selfish clients in a cloud computing system. The clients share multiple resources and process applications concurrently on the cloud computing ...
Proceedings of the 2nd ACM international conference on High confidence networked systems; 04/2013
ABSTRACT: Bounded-rate multimode systems (BMMS) are hybrid systems that can switch freely among a finite set of modes, and whose dynamics is specified by a finite number of real-valued variables with mode-dependent rates that can vary within given bounded sets. The schedulability problem for BMMS is defined as an infinite-round game between two players, the scheduler and the environment, where in each round the scheduler proposes a time and a mode while the environment chooses an allowable rate for that mode, and the state of the system changes linearly in the direction of the rate vector. The goal of the scheduler is to keep the state of the system within a pre-specified safe set using a non-Zeno schedule, while the goal of the environment is the opposite. Green scheduling under uncertainty is a paradigmatic example of BMMS where a winning strategy of the scheduler corresponds to a robust energy-optimal policy. We present an algorithm to decide whether the scheduler has a winning strategy from an arbitrary starting state, and give an algorithm to compute such a winning strategy, if it exists. We show that the schedulability problem for BMMS is coNP-complete in general, but for two variables it is in PTIME. We also study the discrete schedulability problem where the environment has only finitely many choices of rate vectors in each mode and the scheduler can make decisions only at multiples of a given clock period, and show it to be EXPTIME-complete.
02/2013
Conference Paper: Syntax-guided synthesis
ABSTRACT: The classical formulation of the program-synthesis problem is to find a program that meets a correctness specification given as a logical formula. Recent work on program synthesis and program optimization illustrates many potential benefits of allowing the user to supplement the logical specification with a syntactic template that constrains the space of allowed implementations. Our goal is to identify the core computational problem common to these proposals in a logical framework. The input to the syntax-guided synthesis problem (SyGuS) consists of a background theory, a semantic correctness specification for the desired program given by a logical formula, and a syntactic set of candidate implementations given by a grammar. The computational problem then is to find an implementation from the set of candidate expressions so that it satisfies the specification in the given theory. We describe three different instantiations of the counterexample-guided inductive synthesis (CEGIS) strategy for solving the synthesis problem, report on prototype implementations, and present experimental results on an initial set of benchmarks.
Formal Methods in Computer-Aided Design (FMCAD), 2013; 01/2013
Conference Paper: On the feasibility of automation for bandwidth allocation problems in data centers
ABSTRACT: Mapping virtual networks to physical networks under bandwidth constraints is a key computational problem for the management of data centers. Recently proposed heuristic strategies for this problem work efficiently, but are not guaranteed to always find an allocation even when one exists. Given that the bandwidth allocation problem is NP-complete, and the state-of-the-art SAT solvers have recently been successfully applied to NP-hard problems in planning and formal verification, the goal of this paper is to study whether these SAT solvers can be used to solve the bandwidth allocation problem exactly with acceptable overhead. We investigate alternative ways of encoding the allocation problem, and develop techniques for abstraction and refinement of network graphs for scalability. We report experimental comparisons of the proposed encodings with the existing heuristics for typical data-center topologies.
Formal Methods in Computer-Aided Design (FMCAD), 2013; 01/2013
Conference Paper: An axiomatic memory model for POWER multiprocessors
ABSTRACT: The growing complexity of hardware optimizations employed by multiprocessors leads to subtle distinctions among allowed and disallowed behaviors, posing challenges in specifying their memory models formally and accurately, and in understanding and analyzing the behavior of concurrent software. This complexity is particularly evident in the IBM® Power Architecture®, for which a faithful specification was published only in 2011 using an operational style. In this paper we present an equivalent axiomatic specification, which is more abstract and concise. Although not officially sanctioned by the vendor, our results indicate that this axiomatic specification provides a reasonable basis for reasoning about current IBM® POWER® multiprocessors. We establish the equivalence of the axiomatic and operational specifications using both manual proof and extensive testing. To demonstrate that the constraint-based style of axiomatic specification is more amenable to computer-aided verification, we develop a SAT-based tool for evaluating possible outcomes of multithreaded test programs, and we show that this tool is significantly more efficient than a tool based on an operational specification.
Proceedings of the 24th international conference on Computer Aided Verification; 07/2012
Conference Paper: Modeling and verification of a dual chamber implantable pacemaker
ABSTRACT: The design and implementation of software for medical devices is challenging due to their rapidly increasing functionality and the tight coupling of computation, control, and communication. The safety-critical nature and the lack of existing industry standards for verification make this an ideal domain for exploring applications of formal modeling and analysis. In this study, we use a dual chamber implantable pacemaker as a case study for modeling and verification of control algorithms for medical devices in UPPAAL. We begin with detailed models of the pacemaker, based on the specifications and algorithm descriptions from Boston Scientific. We then define the state space of the closed-loop system based on its heart rate and develop a heart model which can non-deterministically cover the whole state space. For verification, we first specify unsafe regions within the state space and verify the closed-loop system against corresponding safety requirements. As stronger assertions are attempted, the closed-loop unsafe state may result from healthy open-loop heart conditions. Such unsafe transitions are investigated with two clinical cases of Pacemaker Mediated Tachycardia and their corresponding correction algorithms in the pacemaker. Along with emerging tools for code generation from UPPAAL models, this effort enables model-driven design and certification of software for medical devices.
Proceedings of the 18th international conference on Tools and Algorithms for the Construction and Analysis of Systems; 03/2012
ABSTRACT: Constant-rate multimode systems are hybrid systems that can switch freely among a finite set of modes, and whose dynamics is specified by a finite number of real-valued variables with mode-dependent constant rates. The schedulability problem for such systems is to design a mode-switching policy that maintains the state within a specified safety set. The main result of the paper is that schedulability can be decided in polynomial time. We also generalize our result to optimal schedulability problems with average cost and reachability cost objectives. Polynomial-time scheduling algorithms make this class an appealing formal model for design of energy-optimal policies. The key to tractability is that the only constraints on when a scheduler can switch the mode are specified by global objectives. Adding local constraints by associating either invariants with modes, or guards with mode switches, leads to undecidability, and requiring the scheduler to make decisions only at multiples of a given sampling rate leads to a PSPACE-complete schedulability problem.
01/2012
Article: 2010 CAV award announcement
ABSTRACT: The 2010 CAV (Computer-Aided Verification) award was awarded to Kenneth L. McMillan of Cadence Research Laboratories for a series of fundamental contributions resulting in significant advances in scalability of model checking tools. The annual award recognizes a specific fundamental contribution or a series of outstanding contributions to the CAV field.
Formal Methods in System Design 01/2012; 0.28 Impact Factor
Conference Paper: Formal verification of hybrid systems
ABSTRACT: In formal verification, a designer first constructs a model, with mathematically precise semantics, of the system under design, and performs extensive analysis with respect to correctness requirements. The appropriate mathematical model for embedded control systems is hybrid systems, which combine the traditional state-machine based models for discrete control with classical differential-equations based models for continuously evolving physical activities. In this article, we briefly review selected existing approaches to formal verification of hybrid systems, along with directions for future research.
Embedded Software (EMSOFT), 2011 Proceedings of the International Conference on; 11/2011
ABSTRACT: Motivated by the successful application of the theory of regular languages to formal verification of finite-state systems, there is a renewed interest in developing a theory of analyzable functions from strings to numerical values that can provide a foundation for analyzing quantitative properties of finite-state systems. In this paper, we propose a deterministic model for associating costs with strings that is parameterized by operations of interest (such as addition, scaling, and min), a notion of regularity that provides a yardstick to measure expressiveness, and study decision problems and theoretical properties of resulting classes of cost functions. Our definition of regularity relies on the theory of string-to-tree transducers, and allows associating costs with events that are conditional upon regular properties of future events. Our model of cost register automata allows computation of regular functions using multiple "write-only" registers whose values can be combined using the allowed set of operations. We show that classical shortest-path algorithms as well as algorithms designed for computing discounted costs, can be adopted for solving the min-cost problems for the more general classes of functions specified in our model. Cost register automata with min and increment give a deterministic model that is equivalent to weighted automata, an extensively studied nondeterministic model, and this connection results in new insights and new open problems.
11/2011
ABSTRACT: We propose a mathematical framework for modeling and analyzing multi-hop control networks designed for systems consisting of multiple control loops closed over a multi-hop (wireless) communication network. We separate control, topology, routing, and scheduling and propose formal syntax and semantics for the dynamics of the composed system, providing an explicit translation of multi-hop control networks to switched systems. We propose formal models for analyzing robustness of multi-hop control networks, where data is exchanged through a multi-hop communication network subject to disruptions. When communication disruptions are long, compared to the speed of the control system, we propose to model them as permanent link failures. We show that the complexity of analyzing such failures is NP-hard, and discuss a way to overcome this limitation for practical cases using compositional analysis. For typical packet transmission errors, we propose a transient error model where links fail for one time slot independently of the past and of other links. We provide sufficient conditions for almost sure stability in presence of transient link failures, and give efficient decision procedures. We deal with errors that have random time span and show that, under some conditions, the permanent failure model can be used as a reliable abstraction. Our approach is compositional, namely it addresses the problem of designing scalable scheduling and routing policies for multiple control loops closed on the same multi-hop control network. We describe how the translation of multi-hop control networks to switched systems can be automated, and use it to solve control and networking co-design challenges in some representative examples, and to propose a scheduling solution in a mineral floatation control problem that can be implemented on time-triggered communication protocols for wireless networks.
IEEE Transactions on Automatic Control 11/2011; 2.72 Impact Factor
Article: Streaming Tree Transducers
ABSTRACT: Theory of tree transducers provides a foundation for understanding expressiveness and complexity of analysis problems for specification languages for transforming hierarchically structured data such as XML documents. We introduce streaming tree transducers as an analyzable, executable, and expressive model for transforming unranked ordered trees in a single pass. Given a linear encoding of the input tree, the transducer makes a single left-to-right pass through the input, and computes the output in linear time using a finite-state control, a visibly pushdown stack, and a finite number of variables that store output chunks that can be combined using the operations of string-concatenation and tree-insertion. We prove that the expressiveness of the model coincides with transductions definable using monadic second-order logic (MSO). Existing models of tree transducers either cannot implement all MSO-definable transformations, or require regular look-ahead that prohibits single-pass implementation. We show a variety of analysis problems such as type-checking and checking functional equivalence are solvable for our model.
Computing Research Repository (CoRR); 04/2011
Publication Stats
17k Citations
35.76 Total Impact Points
Top Journals
Institutions
1970–2013
University of Pennsylvania
 • Department of Computer and Information Science
 • Department of Electrical and Systems Engineering
Philadelphia, Pennsylvania, United States

2009
Konkuk University
 • College of Information and Communication
Seoul, Seoul, South Korea

2006
University of Illinois, Urbana-Champaign
 • Department of Computer Science
Urbana, Illinois, United States

1997–2006
University of California, Berkeley
 • Department of Electrical Engineering and Computer Sciences
Berkeley, CA, United States

1992–2006
AT&T Labs
Austin, Texas, United States

1999
CSU Mentor
Long Beach, California, United States

1990–1997
Stanford University
 • Department of Computer Science
Palo Alto, California, United States