publications.json

[
  {
    "tag": "recent",
    "title": "Complete Multiparty Session Type Projection with Automata",
    "abstract": "Multiparty session types (MSTs) are a type-based approach to verifying communication protocols. Central to MSTs is a projection operator: a partial function that maps protocols represented as global types to correct-by-construction implementations for each participant, represented as a communicating state machine. Existing projection operators are syntactic in nature, and trade efficiency for completeness. We present the first projection operator that is sound, complete, and efficient. Our projection separates synthesis from checking implementability. For synthesis, we use a simple automata-theoretic construction; for checking implementability, we present succinct conditions that summarize insights into the property of implementability. We use these conditions to show that MST implementability is PSPACE-complete. This improves upon a previous decision procedure that is in EXPSPACE and applies to a smaller class of MSTs. We demonstrate the effectiveness of our approach using a prototype implementation, which handles global types not supported by previous work without sacrificing performance.",
    "author": [
      {
        "family": "Li",
        "given": "Elaine"
      },
      {
        "family": "Stutz",
        "given": "Felix"
      },
      {
        "family": "Wies",
        "given": "Thomas"
      },
      {
        "family": "Zufferey",
        "given": "Damien"
      }
    ],
    "container-title": "In Proceedings of the 35th International Conference on Computer Aided Verification (CAV)",
    "id": "cav23",
    "issued": {
      "date-parts": [
        [
          2023
        ]
      ]
    },
    "keyword": "conf",
    "publisher": "Springer",
    "link-paper": "https://doi.org/10.1007/978-3-031-37709-9_17",
    "type": "paper-conference"
  },
  {
    "tag": "recent",
    "title": "Comparing Channel Restrictions of Communicating State Machines, High-level Message Sequence Charts, and Multiparty Session Types",
    "abstract": "Communicating state machines provide a formal foundation for distributed computation. Unfortunately, they are Turing-complete and, thus, challenging to analyse. In this paper, we classify restrictions on channels which have been proposed to work around the undecidability of verification questions. We compare half-duplex communication, existential B-boundedness, and k-synchronisability. These restrictions do not prevent the communication channels from growing arbitrarily large but still restrict the power of the model. Each restriction gives rise to a set of languages so, for every pair of restrictions, we check whether one subsumes the other or if they are incomparable. We investigate their relationship in two different contexts: first, the one of communicating state machines, and, second, the one of communication protocol specifications using high-level message sequence charts. Surprisingly, these two contexts yield different conclusions. In addition, we integrate multiparty session types, another approach to specify communication protocols, into our classification. We show that multiparty session type languages are half-duplex, existentially 1-bounded, and 1-synchronisable. To show this result, we provide the first formal embedding of multiparty session types into high-level message sequence charts.",
    "author": [
      {
        "family": "Stutz",
        "given": "Felix"
      },
      {
        "family": "Zufferey",
        "given": "Damien"
      }
    ],
    "container-title": "In Proceedings of the 13th International Symposium on Games, Automata, Logics and Formal Verification (GandALF)",
    "id": "gandalf22",
    "issued": {
      "date-parts": [
        [
          2022
        ]
      ]
    },
    "keyword": "conf",
    "publisher": "Open Publishing Association",
    "link-paper": "https://cgi.cse.unsw.edu.au/~eptcs/paper.cgi?GandALF2022.13.pdf",
    "type": "paper-conference"
  },
  {
    "tag": "recent",
    "title": "Constraint Synthesis for Parametric CAD",
    "abstract": "Parametric CAD, in conjunction with 3D-printing, is democratizing design and production pipelines. End-users can easily change parameters of publicly available designs, and 3D-print the customized objects. In research and industry, parametric designs are being used to find optimal, or unique final objects. Unfortunately, for most designs, many combinations of parameter values are invalid. Restricting the parameter space of designs to only the valid configurations is a difficult problem. Most publicly available designs do not contain this information. Using ideas from program analysis, we synthesize constraints on parameters of parametric designs. Some constraints are synthesized statically, by exploiting implicit assumptions of the design process. Several others are inferred by evaluating the design on many different samples, and then constructing and solving hypotheses. Our approach is effective at finding constraints on parameter values for a wide variety of parametric designs, with a very small runtime cost, in the order of seconds.",
    "author": [
      {
        "family": "Mathur",
        "given": "Aman"
      },
      {
        "family": "Zufferey",
        "given": "Damien"
      }
    ],
    "container-title": "Pacific Graphics Short Papers, Posters, and Work-in-Progress Papers",
    "id": "pg21",
    "issued": {
      "date-parts": [
        [
          2021
        ]
      ]
    },
    "keyword": "conf",
    "publisher": "The Eurographics Association",
    "link-paper": "https://people.mpi-sws.org/~mathur/papers/ConstraintSynthesisCAD.pdf",
    "type": "paper-conference"
  },
  {
    "tag": "recent",
    "title": "Generalising Projection in Asynchronous Multiparty Session Types",
    "abstract": "Multiparty session types (MSTs) provide an efficient methodology for specifying and verifying message passing software systems. In the theory of MSTs, a global type specifies the interaction among the roles at the global level. A local specification for each role is generated by projecting from the global type on to the message exchanges it participates in. Whenever a global type can be projected on to each role, the composition of the projections is deadlock free and has exactly the behaviours specified by the global type. The key to the usability of MSTs is the projection operation: a more expressive projection allows more systems to be type-checked but requires a more difficult soundness argument.\nIn this paper, we generalise the standard projection operation in MSTs. This allows us to model and type-check many design patterns in distributed systems, such as load balancing, that are rejected by the standard projection. The key to the new projection is an analysis that tracks causality between messages. Our soundness proof uses novel graph-theoretic techniques from the theory of message-sequence charts. We demonstrate the efficacy of the new projection operation by showing many global types for common patterns that can be projected under our projection but not under the standard projection operation.",
    "author": [
      {
        "family": "Majumdar",
        "given": "Rupak"
      },
      {
        "family": "Mukund",
        "given": "Madhavan"
      },
      {
        "family": "Stutz",
        "given": "Felix"
      },
      {
        "family": "Zufferey",
        "given": "Damien"
      }
    ],
    "container-title": "In Proceedings of the 32nd International Conference on Concurrency Theory (CONCUR)",
    "id": "concur21",
    "issued": {
      "date-parts": [
        [
          2021
        ]
      ]
    },
    "keyword": "conf",
    "publisher": "Schloss Dagstuhl - Leibniz-Zentrum für Informatik",
    "link-paper": "https://drops.dagstuhl.de/opus/volltexte/2021/14412/pdf/LIPIcs-CONCUR-2021-35.pdf",
    "type": "paper-conference"
  },
  {
    "title": "Paracosm: A Test Framework for Autonomous Driving Simulations",
    "abstract": "Systematic testing of autonomous vehicles operating in complex real-world scenarios is a difficult and expensive problem. We present Paracosm, a framework for writing systematic test scenarios for autonomous driving simulations. Paracosm allows users to programmatically describe complex driving situations with specific features, e.g., road layouts and environmental conditions, as well as reactive temporal behaviors of other cars and pedestrians. A systematic exploration of the state space, both for visual features and for reactive interactions with the environment is made possible. We define a notion of test coverage for parameter configurations based on combinatorial testing and low dispersion sequences. Using fuzzing on parameter configurations, our automatic test generator can maximize coverage of various behaviors and find problematic cases. Through empirical evaluations, we demonstrate the capabilities of Paracosm in programmatically modeling parameterized test environments, and in finding problematic scenarios.",
    "author": [
      {
        "family": "Majumdar",
        "given": "Rupak"
      },
      {
        "family": "Mathur",
        "given": "Aman Shankar"
      },
      {
        "family": "Pirron",
        "given": "Marcus"
      },
      {
        "family": "Stegner",
        "given": "Laura"
      },
      {
        "family": "Zufferey",
        "given": "Damien"
      }
    ],
    "container-title": "In Proceedings of the Conference on Fundamental Approaches to Software Engineering (FASE)",
    "id": "fase21",
    "issued": {
      "date-parts": [
        [
          2021
        ]
      ]
    },
    "keyword": "conf",
    "publisher": "Springer",
    "type": "paper-conference"
  },
  {
    "title": "Multiparty Motion Coordination: From Choreographies to Robotics Programs",
    "abstract": "We present a programming model and typing discipline for complex multi-robot coordination programming. Our model encompasses both synchronisation through message passing and continuous-time dynamic motion primitives in physical space. We specify continuous-time motion primitives in an assume-guarantee logic that ensures compatibility of motion primitives as well as collision freedom. We specify global behaviour of programs in a choreographic type system that extends multiparty session types with jointly executed motion primitives, predicated refinements, as well as a separating conjunction that allows reasoning about subsets of interacting robots. We describe a notion of well-formedness for global types that ensures motion and communication can be correctly synchronised and provide algorithms for checking well-formedness, projecting a type, and local type checking. A well-typed program is communication safe, motion compatible, and collision free. Our type system provides a compositional approach to ensuring these properties.\n We have implemented our model on top of the ROS framework. This allows us to program multi-robot coordination scenarios on top of commercial and custom robotics hardware platforms. We show through case studies that we can model and statically verify quite complex manoeuvres involving multiple manipulators and mobile robots—such examples are beyond the scope of previous approaches.",
    "author": [
      {
        "family": "Majumdar",
        "given": "Rupak"
      },
      {
        "family": "Nobuko",
        "given": "Yoshida"
      },
      {
        "family": "Zufferey",
        "given": "Damien"
      }
    ],
    "container-title": "Proceedings of the ACM on Programming Languages (OOPSLA)",
    "id": "oopsla20a",
    "issued": {
      "date-parts": [
        [
          2020
        ]
      ]
    },
    "keyword": "journal",
    "publisher": "ACM",
    "link-paper": "files/2020_Multiparty_Motion_Coordination_From_Choreographies_to_Robotics_Programs.pdf",
    "type": "paper-journal"
  },
  {
    "title": "Programming at the Edge of Synchrony",
    "abstract": "Synchronization primitives for fault-tolerant distributed systems that ensure an effective and efficient cooperation among processes are an important challenge in the programming languages community. We present a new programming abstraction, ReSync, for implementing benign and Byzantine fault-tolerant protocols. ReSync has a new round structure that offers a simple abstraction for group communication, like it is customary in synchronous systems, but also allows messages to be received one by one, like in the asynchronous systems. This extension allows implementing network and algorithm-specific policies for the message reception, which is not possible in classic round models.\n The execution of ReSync programs is based on a new generic round switch protocol that generalizes the famous theoretical result of Dwork et al. [1988]. We evaluate experimentally the performance of ReSync’s execution platform, by comparing consensus implementations in ReSync with LibPaxos3, etcd, and Bft-SMaRt, three consensus libraries tolerant to benign, resp. byzantine faults.",
    "author": [
      {
        "family": "Drăgoi",
        "given": "Cezara"
      },
      {
        "family": "Widder",
        "given": "Josef"
      },
      {
        "family": "Zufferey",
        "given": "Damien"
      }
    ],
    "container-title": "Proceedings of the ACM on Programming Languages (OOPSLA)",
    "id": "oopsla20b",
    "issued": {
      "date-parts": [
        [
          2020
        ]
      ]
    },
    "keyword": "journal",
    "publisher": "ACM",
    "link-paper": "files/2020_Programming_at_the_Edge_of_Synchrony.pdf",
    "type": "paper-journal"
  },
  {
    "title": "Automated Controller and Sensor Configuration Synthesis using Dimensional Analysis",
    "abstract": "Automated controller synthesis methods for cyber-physical systems (CPS) often require precise knowledge of the system’s state. Unfortunately, parts of the state may not be directly measurable, which limits the application of these methods. We present a design methodology for the co-design of software controllers and the required sensing capabilities. Our method leverages the knowledge of physical units in the model of a system to find ways of indirectly measuring parts of the system’s state which cannot be measured directly. The method contains a search procedure which uses dimensional analysis to explore the space of physically well-typed expressions and it generates as an intermediate result possible sensor combinations.The integration between the physical and software design for CPS that we present make automated controller synthesis techniques more widely applicable. We have implemented our method and applied it to the design of robotic manipulators.",
    "author": [
      {
        "family": "Pirron",
        "given": "Marcus"
      },
      {
        "family": "Zufferey",
        "given": "Damien"
      },
      {
        "family": "Stanley-Marbell",
        "given": "Phillip"
      }
    ],
    "container-title": "IEEE TCAD (EMSOFT)",
    "id": "emsoft20a",
    "issued": {
      "date-parts": [
        [
          2020
        ]
      ]
    },
    "keyword": "journal",
    "publisher": "IEEE",
    "link-paper": "files/2020_Automated_Controller_and_Sensor_Configuration_Synthesis_using_Dimensional_Analysis.pdf",
    "type": "paper-journal"
  },
  {
    "title": "Assume-Guarantee Distributed Synthesis",
    "abstract": "Distributed reactive synthesis is the problem of algorithmically constructing controllers of distributed, communicating systems so that each closed loop system satisfies a given temporal specification. We  present an algorithm, called negotiation, for sound (but necessarily incomplete) distributed reactive synthesis based on assume-guarantee decompositions. The negotiation algorithm iteratively constructs assumptions and  guarantees for each system. In each iteration, each system attempts to fulfill its specification and its guarantee (from the previous round), under the current assumption on the other systems, by solving a reactive synthesis problem. If the specificationis not realizable, the algorithm computes a sufficient assumption on the other systems that ensures it can realize the specification and guarantee. This additional assumption further constrains the behavior of other systems and they might require an additional assumption, leading to the next round in the negotiation. The process terminates when a compatible assumption-guarantee pair is found for each system, which is  sufficient to also satisfy the specification of each system. We have built a tool called Agnes that implements this algorithm. Using Agnes, we empirically demonstrate the effectiveness of our proposed algorithm on two case studies.",
    "author": [
      {
        "family": "Majumdar",
        "given": "Rupak"
      },
      {
        "family": "Mallik",
        "given": "Kaushik"
      },
      {
        "family": "Schmuck",
        "given": "Anne-Kathrin"
      },
      {
        "family": "Zufferey",
        "given": "Damien"
      }
    ],
    "container-title": "IEEE TCAD (EMSOFT)",
    "id": "emsoft20b",
    "issued": {
      "date-parts": [
        [
          2020
        ]
      ]
    },
    "keyword": "journal",
    "publisher": "IEEE",
    "link-paper": "files/2020_Assume-Guarantee_Distributed_Synthesis.pdf",
    "type": "paper-journal"
  },
  {
    "title": "Exploiting Errors for Efficiency: A Survey from Circuits to Applications",
    "abstract": "When a computational task tolerates a relaxation of its specification or when an algorithm tolerates the effects of noise in its execution, hardware, system software, and programming language compilers or their runtime systems can trade deviations from correct behavior for lower resource usage. We present, for the first time, a synthesis of research results on computing systems that only make as many errors as their end-to-end applications can tolerate. The results span the disciplines of computer-aided design of circuits, digital system design, computer architecture, programming languages, operating systems, and information theory. Rather than over-provisioning the resources controlled by each of these layers of abstraction to avoid errors, it can be more efficient to exploit the masking of errors occurring at one layer and thereby prevent those errors from propagating to a higher layer.\n We demonstrate the potential benefits of end-to-end approaches using two illustrative examples. We introduce a formalization of terminology that allows us to present a coherent view across the techniques traditionally used by different research communities in their individual layer of focus. Using this formalization, we survey tradeoffs for individual layers of computing systems at the circuit, architecture, operating system, and programming language levels as well as fundamental information-theoretic limits to tradeoffs between resource usage and correctness.",
    "author": [
      {
        "family": "Stanley-Marbell",
        "given": "Phillip"
      },
      {
        "family": "Alaghi",
        "given": "Armin"
      },
      {
        "family": "Carbin",
        "given": "Michael"
      },
      {
        "family": "Darulova",
        "given": "Eva"
      },
      {
        "family": "Dolecek",
        "given": "Lara"
      },
      {
        "family": "Gerstlauer",
        "given": "Andreas"
      },
      {
        "family": "Gillani",
        "given": "Ghayoor A"
      },
      {
        "family": "Jevdjic",
        "given": "Djordje"
      },
      {
        "family": "Moreau",
        "given": "Thierry"
      },
      {
        "family": "Cacciotti",
        "given": "Mattia"
      },
      {
        "family": "Daglis",
        "given": "Alexandros"
      },
      {
        "family": "Enright Jerger",
        "given": "Natalie "
      },
      {
        "family": "Falsafi",
        "given": "Babak"
      },
      {
        "family": "Misailovic",
        "given": "Sasa "
      },
      {
        "family": "Sampson",
        "given": "Adrian"
      },
      {
        "family": "Zufferey",
        "given": "Damien"
      }
    ],
    "container-title": "ACM Computing Surveys",
    "id": "csur20",
    "issued": {
      "date-parts": [
        [
          2020
        ]
      ]
    },
    "keyword": "journal",
    "publisher": "ACM",
    "link-paper": "files/2020_Exploiting_Errors_for_Efficiency_A_Survey_from_Circuits_to_Applications.pdf",
    "type": "paper-journal"
  },
  {
    "title": "Interactive Programming for Parametric CAD",
    "abstract": "Parametric CAD enables description of a family of objects wherein each valid combination of parameter values results in a different final form. Though GUI-based CAD tools are significantly more popular, GUI operations do not carry a semantic description, and are therefore brittle with respect to changes in parameter values. Programmatic interfaces, on the other hand, are more robust due to an exact specification of how the operations are applied. However, programming is unintuitive and has a steep learning curve. In this work, we link the interactivity of GUI with the robustness of programming. Inspired by program synthesis by example, our technique synthesizes code representative of selections made by users in a GUI interface. Through experiments, we demonstrate that our technique can synthesize relevant and robust sub-programs in a reasonable amount of time. A user study reveals that our interface offers significant improvements over a programming-only interface.",
    "author": [
      {
        "family": "Mathur",
        "given": "Aman"
      },
      {
        "family": "Pirron",
        "given": "Marcus"
      },
      {
        "family": "Zufferey",
        "given": "Damien"
      }
    ],
    "container-title": "Computer Graphics Forum",
    "id": "cgf20",
    "issued": {
      "date-parts": [
        [
          2020
        ]
      ]
    },
    "keyword": "journal",
    "publisher": "John Wiley & Sons, Inc.",
    "link-paper": "files/2020_Interactive_Programming_for_Parametric_CAD.pdf",
    "type": "paper-journal"
  },
  {
    "title": "Incremental Synthesis of Symbolic Controllers in a Changing Environment",
    "abstract": "Abstraction-Based Controller Synthesis (ABCS) is an emerging field for automatic synthesis of correct-by-design controllers for non-linear dynamical systems in the presence of bounded disturbances. An important drawback of existing ABCS techniques is the lack of flexibility against changes in the disturbance model; any change in the model results in a complete re-computation of the abstraction and the controller. This flexibility is relevant to situations when disturbances are learnt or estimated during operation in an environment which is previously not known precisely. As time passes, the disturbance model is progressively refined. The monolithic nature and high computational cost of existing algorithms make ABCS unsuited for such scenarios.\n In this paper, we present an incremental algorithm that makes the entire ABCS work-flow dynamically adapt to local changes in the disturbance model. Only the parts of the space which are affected by the changes are updated and the rest of the abstraction is reused. We empirically show the benefit of dynamic adaptation of abstraction on two large examples: a 5-dimensional vehicle model and a 12-dimensional quadrotor model. In both cases, the speed-up over complete re-computation is significant.",
    "author": [
      {
        "family": "Bai",
        "given": "Yunjun"
      },
      {
        "family": "Majumdar",
        "given": "Rupak"
      },
      {
        "family": "Mallik",
        "given": "Kaushik"
      },
      {
        "family": "Schmuck",
        "given": "Anne-Kathrin"
      },
      {
        "family": "Zufferey",
        "given": "Damien"
      }
    ],
    "container-title": "In Proceedings of the Conference on Decision and Control (CDC)",
    "id": "cdc19",
    "issued": {
      "date-parts": [
        [
          2019
        ]
      ]
    },
    "keyword": "conf",
    "publisher": "IEEE",
    "link-paper": "files/2019_Incremental_Abstraction_Computation_for_Symbolic_Controller_Synthesis_in_a_Changing_Environment.pdf",
    "type": "paper-conference"
  },
  {
    "title": "Mperl: Hardware and Software Co-design for Robotic Manipulators",
    "abstract": "Building small custom robots is getting democratized thanks to affordable tools like 3D printers and microcontrollers. However, it still requires expertise from a wide range of domains: from designing the mechanical parts to writing the code that controls the robot. We present Mperl, a tool to help non-experts build custom robotic manipulators.\n Mperl starts from an abstract description of the robot’s kinematic structure which contains information about joints, actuators, and sensors. The structure is refined with an easily manufactured geometry. Furthermore, from the structure Mperl generates control code which can be used to move the robot to a target configuration. We evaluate Mperl on a range of common robotic manipulator architectures, both serial and parallel.",
    "author": [
      {
        "family": "Pirron",
        "given": "Marcus"
      },
      {
        "family": "Zufferey",
        "given": "Damien"
      }
    ],
    "container-title": "In Proceedings of the International Conference on Intelligent Robots and Systems (IROS)",
    "id": "iros19",
    "issued": {
      "date-parts": [
        [
          2019
        ]
      ]
    },
    "keyword": "conf",
    "publisher": "IEEE",
    "link-paper": "files/2019_MPERL_Hardware_and_Software_Co-design_for_Robotic_Manipulators.pdf",
    "type": "paper-conference"
  },
  {
    "title": "<em>[Updated]</em> Motion Session Types for Robotic Interactions",
    "abstract": "<em>Update (2020.4.8):</em> Theorem 4.9, Corollary 4.10, and Theorem 4.11 have been strengthened.\n\nRobotics applications involve programming concurrent components synchronising through messages while simultaneously executing motion primitives that control the state of the physical world.  Today, these applications are typically programmed in low-level imperative programming languages which provide little support for abstraction or reasoning.\n We present a unifying programming model for concurrent message-passing systems that additionally control the evolution of physical state variables, together with a compositional reasoning framework based on multiparty session types. Our programming model combines message-passing concurrent processes with motion primitives.  Processes represent autonomous components in a robotic assembly, such as a cart or a robotic arm, and they  synchronise via discrete messages as well as via motion primitives.  Continuous evolution of trajectories under the action of controllers is also modelled by motion primitives, which operate in global, physical time.\n We use multiparty session types as specifications to orchestrate discrete message-passing concurrency and continuous flow of trajectories.  A global session type specifies the communication protocol among the components with joint motion primitives. A projection from a global type ensures that jointly executed actions at end-points are communication safe and deadlock-free, i.e., session-typed components do not get stuck.  Together, these checks provide a compositional verification methodology for assemblies of robotic components with respect to concurrency invariants such as a progress property of communications as well as dynamic invariants such as absence of collision.\n We have implemented our core language and, through initial experiments, have shown how multiparty session types can be used to specify and compositionally verify robotic systems implemented on top of off-the-shelf and custom hardware using standard robotics application libraries.",
    "author": [
      {
        "family": "Majumdar",
        "given": "Rupak"
      },
      {
        "family": "Pirron",
        "given": "Marcus"
      },
      {
        "family": "Nobuko",
        "given": "Yoshida"
      },
      {
        "family": "Zufferey",
        "given": "Damien"
      }
    ],
    "container-title": "In Proceedings of 33rd European Conference on Object-Oriented Programming (ECOOP)",
    "editor": [
      {
        "family": "Donaldson",
        "given": "Alastair"
      }
    ],
    "id": "ecoop19",
    "issued": {
      "date-parts": [
        [
          2019
        ]
      ]
    },
    "keyword": "conf",
    "publisher": "Schloss Dagstuhl - Leibniz-Zentrum fuer Informatik",
    "link-paper": "files/2019_Motion_Session_Types_for_Robotic_Interactions_updated.pdf",
    "link-slides": "files/2019_Motion_Session_Types_for_Robotic_Interactions_slides.odp",
    "type": "paper-conference"
  },
  {
    "title": "PGCD: Robot Programming and Verification with Geometry, Concurrency, and Dynamics",
    "abstract": "Robotics applications are typically programmed in low-level imperative programming languages, leaving the programmer to deal with dynamic controllers affecting the physical state, geometric constraints on components, and concurrency and synchronization. The combination of these features —dynamics, geometry, and concurrency— makes developing robotic applications difficult. We present PGCD, a programming model for robotics applications consisting of assemblies of robotic components, together with its runtime and a verifier. PGCD combines message-passing concurrent processes with motion primitives, which represent continuous evolution of trajectories in geometric space under the action of dynamic controllers, and explicit modeling of geometric frame shifts, which allow relative coordinate transformations between components evolving in space. We describe a verification algorithm for PGCD programs based on model checking and SMT solvers that statically verify  concurrency-related properties such as absence of deadlocks and  geometric invariants such as absence of collision during motion. We have implemented a runtime for PGCD programs that compiles down to imperative code on top of ROS and runs directly on robotic hardware. We illustrate the programming model and reasoning principles by building a number of statically verified robotic manipulation programs on top of 3D-printed robotic arm and cart assemblies.",
    "author": [
      {
        "family": "Banus̆ić",
        "given": "Gregor B."
      },
      {
        "family": "Majumdar",
        "given": "Rupak"
      },
      {
        "family": "Pirron",
        "given": "Marcus"
      },
      {
        "family": "Schmuck",
        "given": "Anne-Kathrin"
      },
      {
        "family": "Zufferey",
        "given": "Damien"
      }
    ],
    "container-title": "In Proceedings of the 10th International Conference on Cyber-Physical Systems (ICCPS)",
    "editor": [
      {
        "family": "Xue",
        "given": "Liu"
      },
      {
        "family": "Tabuada",
        "given": "Paulo"
      }
    ],
    "id": "iccps19",
    "issued": {
      "date-parts": [
        [
          2019
        ]
      ]
    },
    "keyword": "conf",
    "publisher": "ACM/IEEE",
    "link-paper": "files/2019_PGCD_Robot_Programming_and_Verification_with_Geometry_Concurrency_and_Dynamics.pdf",
    "type": "paper-conference"
  },
  {
    "title": "Evaluating Branching Heuristics in Interval Constraint Propagation for Satisfiability",
    "abstract": "Interval Constraint Propagation (ICP) is a powerful method for solving general nonlinear constraints over real numbers. ICP uses interval arithmetic to prune the space of potential solutions and, when the constraint propagation fails, divides the space into smaller regions and continues recursively. The original goal is to find paving boxes of all solutions to a problem. Already when the whole domain needs to be considered, branching methods do matter much. However, recent applications of ICP in decision procedures over the reals need only a single solution. Consequently, variable ordering in branching operations becomes even more important.\n In this work, we compare three different branching heuristics for ICP. The first method, most commonly used, splits the problem in the dimension with the largest lower and upper bound. The two other types of branching methods try to exploit an integration of analytical/numerical properties of real functions and search-based methods. The second method, called smearing, uses gradient information of constraints to choose variables that have the highest local impact on pruning. The third method, lookahead branching, designs a measure function to compare the effect of all variables on pruning operations in the next several steps.\n We evaluate the performance of our methods on over 11,000 benchmarks from various sources. While the different branching methods exhibit significant differences on larger instance, none is consistently better. This shows the need for further research on branching heuristics when ICP is used to find an unique solution rather than all solutions.",
    "author": [
      {
        "family": "Huang",
        "given": "Calvin"
      },
      {
        "family": "Kong",
        "given": "Soonho"
      },
      {
        "family": "Gao",
        "given": "Sicun"
      },
      {
        "family": "Zufferey",
        "given": "Damien"
      }
    ],
    "container-title": "In Proceedings of the 12th International Workshop on Numerical Software Verification (NSV)",
    "editor": [
      {
        "family": "Zamani",
        "given": "Majid"
      },
      {
        "family": "Zufferey",
        "given": "Damien"
      }
    ],
    "id": "nsv19",
    "issued": {
      "date-parts": [
        [
          2019
        ]
      ]
    },
    "keyword": "workshop",
    "publisher": "Springer",
    "link-paper": "files/2019_Evaluating_Branching_Heuristics_in_Interval_Constraint_Propagation_for_Satisfiability.pdf",
    "link-slides": "files/2019_Evaluating_Branching_Heuristics_in_Interval_Constraint_Propagation_for_Satisfiability_slides.odp",
    "type": "paper-conference"
  },
  {
    "title": "Tool: Accessible Automated Reasoning for Human Robot Collaboration",
    "abstract": "We present an expressive, concise, and extendable domain specific language for planning of assembly systems, such as industrial human robot cooperation. Increased flexibility requirements in manufacturing processes call for more automation at the description and planning stages of manufacturing. Procedural models are good candidates to meet this demand as programs offer a high degree of flexibility and are easily composed.\nFurthermore, we aim to make our programs close to declarative specification and integrate automatic reasoning tools to help the users. The constraints come both from specific programs and preexisting knowledge base from the target domain. The case of human robot collaboration is interesting as there is a number of constraints and regulations around this domain. Unfortunately, automated reasoners are often too unpredictable and cannot be used directly by non-experts.\nIn this paper, we present our domain specific language “Tool Ontology and Optimization Language” (Tool) and describe how we integrated automated reasoners and planners in a way that makes them accessible to users which have little programming knowledge, but expertise in manufacturing domain and no previous experience with or knowledge about the underlying reasoners. We present encouraging results by applying Tool to a case study from the automotive and aerospace industry.",
    "author": [
      {
        "family": "Gavran",
        "given": "Ivan"
      },
      {
        "family": "Mailahn",
        "given": "Ortwin"
      },
      {
        "family": "Müller",
        "given": "Rainer"
      },
      {
        "family": "Peifer",
        "given": "Richard"
      },
      {
        "family": "Zufferey",
        "given": "Damien"
      }
    ],
    "container-title": "In Proceedings of Onward!",
    "editor": [
      {
        "family": "Gabriel",
        "given": "Richard P."
      },
      {
        "family": "Gonzalez Boix",
        "given": "Elisa"
      }
    ],
    "id": "onward18",
    "issued": {
      "date-parts": [
        [
          2018
        ]
      ]
    },
    "keyword": "conf",
    "publisher": "ACM",
    "link-paper": "files/2018_tool_preprint.pdf",
    "link-slides": "files/2018_tool_presentation.pdf",
    "type": "paper-conference"
  },
  {
    "title": "DroidStar: Callback Typestates for Android Classes",
    "abstract": "Event-driven programming frameworks, such as Android, are based on components with asynchronous interfaces. The protocols for interacting with these components can often be described by finite-state machines we dub callback typestates. Callback typestates are akin to classical typestates, with the difference that their outputs (callbacks) are produced asynchronously. While useful, these specifications are not commonly available, because writing them is difficult and error-prone.\nOur goal is to make the task of producing callback typestates significantly easier. We present a callback typestate assistant tool, DroidStar, that requires only limited user interaction to produce a callback typestate. Our approach is based on an active learning algorithm, L*. We improved the scalability of equivalence queries (a key component of L*), thus making active learning tractable on the Android system.\nWe use DroidStar to learn callback typestates for Android classes both for cases where one is already provided by the documentation, and for cases where the documentation is unclear. The results show that DroidStar learns callback typestates accurately and efficiently. Moreover, in several cases, the synthesized callback typestates uncovered surprising and undocumented behaviors.",
    "author": [
      {
        "family": "Radhakrishna",
        "given": "Arjun"
      },
      {
        "family": "Lewchenko",
        "given": "Nicholas"
      },
      {
        "family": "Meier",
        "given": "Shawn"
      },
      {
        "family": "Mover",
        "given": "Sergio"
      },
      {
        "family": "Sripada",
        "given": "Krishna Chaitanya"
      },
      {
        "family": "Zufferey",
        "given": "Damien"
      },
      {
        "family": "Chang",
        "given": "Bor-Yuh Evan"
      },
      {
        "family": "Černý",
        "given": "Pavol"
      }
    ],
    "container-title": "In Proceedings of the 40th International Conference on Software Engineering (ICSE)",
    "editor": [
      {
        "family": "Chechik",
        "given": "Marsha"
      },
      {
        "family": "Harman",
        "given": "Mark"
      }
    ],
    "id": "icse18",
    "issued": {
      "date-parts": [
        [
          2018
        ]
      ]
    },
    "keyword": "conf",
    "publisher": "ACM",
    "link-paper": "files/2018_DroidStar_Callback_Typestate_for_Android_Classes.pdf",
    "type": "paper-conference"
  },
  {
    "abstract": "When a computational task tolerates a relaxation of its specification or when an algorithm tolerates the effects of noise in its execution, hardware, programming languages, and system software can trade deviations from correct behavior for lower resource usage. We present, for the first time, a synthesis of research results on computing systems that only make as many errors as their users can tolerate, from across the disciplines of computer aided design of circuits, digital system design, computer architecture, programming languages, operating systems, and information theory. Rather than over-provisioning resources at each layer to avoid errors, it can be more efficient to exploit the masking of errors occurring at one layer which can prevent them from propagating to a higher layer. We survey tradeoffs for individual layers of computing systems from the circuit level to the operating system level and illustrate the potential benefits of end-to-end approaches using two illustrative examples. To tie together the survey, we present a consistent formalization of terminology, across the layers, which does not significantly deviate from the terminology traditionally used by research communities in their layer of focus.",
    "author": [
      {
        "family": "Stanley-Marbell",
        "given": "Phillip"
      },
      {
        "family": "Alaghi",
        "given": "Armin"
      },
      {
        "family": "Carbin",
        "given": "Michael"
      },
      {
        "family": "Darulova",
        "given": "Eva"
      },
      {
        "family": "Dolecek",
        "given": "Lara"
      },
      {
        "family": "Gerstlauer",
        "given": "Andreas"
      },
      {
        "family": "Gillani",
        "given": "Ghayoor"
      },
      {
        "family": "Jevdjic",
        "given": "Djordje"
      },
      {
        "family": "Moreau",
        "given": "Thierry"
      },
      {
        "family": "Cacciotti",
        "given": "Mattia"
      },
      {
        "family": "Daglis",
        "given": "Alexandros"
      },
      {
        "family": "Enright Jerger",
        "given": "Natalie D."
      },
      {
        "family": "Falsafi",
        "given": "Babak"
      },
      {
        "family": "Misailovic",
        "given": "Sasa"
      },
      {
        "family": "Sampson",
        "given": "Adrian"
      },
      {
        "family": "Zufferey",
        "given": "Damien"
      }
    ],
    "container-title": "under submission",
    "id": "approx_comp_techrep",
    "issued": {
      "date-parts": [
        [
          2018
        ]
      ]
    },
    "keyword": "techrep",
    "link-paper": "https://arxiv.org/pdf/1809.05859.pdf",
    "number": "1809.05859",
    "publisher": "arXiv",
    "title": "Exploiting Errors for Efficiency: A Survey from Circuits to Algorithms",
    "type": "report"
  },
  {
    "abstract": "In event-driven programming frameworks, such as Android, the client and the framework interact using callins (framework methods that the client invokes) and callbacks (client methods that the framework invokes). The protocols for interacting with these frameworks can often be described by finite-state machines we dub <em>asynchronous typestates</em>. Asynchronous typestates are akin to classical typestates, with the key difference that their outputs (callbacks) are produced asynchronously.\nWe present an algorithm to infer asynchronous typestates for Android framework classes. It is based on the L* algorithm that uses membership and equivalence queries. We show how to implement these queries for Android classes. Membership queries are implemented using testing. Under realistic assumptions, equivalence queries can be implemented using membership queries. We provide an improved algorithm for equivalence queries that is better suited for our application than the algorithms from literature. Instead of using a bound on the size of the typestate to be learned, our algorithm uses a <em>distinguisher bound</em>. The distinguisher bound quantifies how two states in the typestate are locally different.\nWe implement our approach and evaluate it empirically. We use our tool, Starling, to learn asynchronous typestates for Android classes both for cases where one is already provided by the documentation, and for cases where the documentation is unclear. The results show that Starling learns asynchronous typestates accurately and efficiently. Additionally, in several cases, the synthesized asynchronous typestates uncovered surprising and undocumented behaviors.",
    "author": [
      {
        "family": "Radhakrishna",
        "given": "Arjun"
      },
      {
        "family": "Lewchenko",
        "given": "Nicholas"
      },
      {
        "family": "Meier",
        "given": "Shawn"
      },
      {
        "family": "Mover",
        "given": "Sergio"
      },
      {
        "family": "Sripada",
        "given": "Krishna Chaitanya"
      },
      {
        "family": "Zufferey",
        "given": "Damien"
      },
      {
        "family": "Chang",
        "given": "Bor-Yuh Evan"
      },
      {
        "family": "Černý",
        "given": "Pavol"
      }
    ],
    "id": "android_learning_techrep",
    "issued": {
      "date-parts": [
        [
          2017
        ]
      ]
    },
    "keyword": "techrep",
    "link-paper": "https://arxiv.org/pdf/1701.07842.pdf",
    "number": "1701.07842",
    "publisher": "arXiv",
    "title": "Learning Asynchronous Typestates for Android Classes",
    "type": "report"
  },
  {
    "abstract": "We develop algorithms for computing Craig interpolants for first-order formulas over real numbers with a wide range of nonlinear functions, including transcendental functions and differential equations. We transform proof traces from δ-complete decision procedures into interpolants that consist of Boolean combinations of linear constraints. The algorithms are guaranteed to find the interpolants between two formulas A and B whenever A ∧ B is not δ-satisfiable. At the same time, by exploiting δ-perturbations one can parameterize the algorithm to find interpolants with different positions between A and B. We show applications of the methods in control and robotic design, and hybrid system verification.",
    "author": [
      {
        "family": "Gao",
        "given": "Sicun"
      },
      {
        "family": "Zufferey",
        "given": "Damien"
      }
    ],
    "container-title": "In Proceedings of Tools and Algorithms for the Construction and Analysis of Systems (TACAS)",
    "editor": [
      {
        "family": "Chechik",
        "given": "Marsha"
      },
      {
        "family": "Raskin",
        "given": "Jean-Francois"
      }
    ],
    "id": "tacas16",
    "issued": {
      "date-parts": [
        [
          2016
        ]
      ]
    },
    "keyword": "conf",
    "link-paper": "files/2016_Interpolants_in_Nonlinear_Theories_over_the_Reals_v2.pdf",
    "link-slides": "files/2016_Interpolants_in_Nonlinear_Theories_over_the_Reals.pptx",
    "publisher": "Springer",
    "title": "<em>[Updated]</em> Interpolants in Nonlinear Theories over the Reals",
    "type": "paper-conference"
  },
  {
    "abstract": "Fault-tolerant distributed algorithms play an important role in many critical/high-availability applications. These algorithms are notoriously difficult to implement correctly, due to asynchronous communication and the occurrence of faults, such as the network dropping messages or computers crashing.\nWe introduce PSync, a domain specific language based on the Heard-Of model, which views asynchronous faulty systems as synchronous ones with an adversarial environment that simulates asynchrony and faults by dropping messages. We define a runtime system for PSync that efficiently executes on asynchronous networks. We formalise the relation between the runtime system and PSync in terms of observational refinement. The high-level lockstep abstraction introduced by PSync simplifies the design and implementation of fault-tolerant distributed algorithms and enables automated formal verification.\nWe have implemented an embedding of PSync in the Scala programming language with a runtime system for partially synchronous networks. We show the applicability of PSync by implementing several important fault-tolerant distributed algorithms and we compare the implementation of consensus algorithms in PSync against implementations in other languages in terms of code size, runtime efficiency, and verification.",
    "author": [
      {
        "family": "Drăgoi",
        "given": "Cezara"
      },
      {
        "family": "Henzinger",
        "given": "Thomas A."
      },
      {
        "family": "Zufferey",
        "given": "Damien"
      }
    ],
    "container-title": "In Proceedings of Principles of Programming Languages (POPL)",
    "editor": [
      {
        "family": "Bodík",
        "given": "Rastislav"
      },
      {
        "family": "Majumdar",
        "given": "Rupak"
      }
    ],
    "id": "psync",
    "issued": {
      "date-parts": [
        [
          2016
        ]
      ]
    },
    "keyword": "conf",
    "link-paper": "files/2016_PSync_A_Partially_Synchronous_Language_for_Fault-Tolerant_Distributed_Algorithms.pdf",
    "link-slides": "files/2016_PSync_A_Partially_Synchronous_Language_for_Fault-Tolerant_Distributed_Algorithms.pptx",
    "link-poster": "files/2016_PSync_A_Partially_Synchronous_Language_for_Fault-Tolerant_Distributed_Algorithms-poster.pdf",
    "publisher": "ACM",
    "title": "PSync: A Partially Synchronous Language for Fault-tolerant Distributed Algorithms",
    "title-short": "PSync",
    "type": "paper-conference"
  },
  {
    "abstract": "Fault-tolerant distributed algorithms play an important role in many critical/high-availability applications. These algorithms are notoriously difficult to implement correctly, due to asynchronous communication and the occurrence of faults, such as the network dropping messages or computers crashing. Nonetheless there is surprisingly little language and verification support to build distributed systems based on fault-tolerant algorithms. In this paper, we present some of the challenges that a designer has to overcome to implement a fault-tolerant distributed system. Then we review different models that have been proposed to reason about distributed algorithms and sketch how such a model can form the basis for a domain-specific programming language. Adopting a high-level programming model can simplify the programmer’s life and make the code amenable to automated verification, while still compiling to efficiently executable code. We conclude by summarizing the current status of an ongoing language design and implementation project that is based on this idea.",
    "author": [
      {
        "family": "Drăgoi",
        "given": "Cezara"
      },
      {
        "family": "Henzinger",
        "given": "Thomas A."
      },
      {
        "family": "Zufferey",
        "given": "Damien"
      }
    ],
    "collection-title": "LIPIcs",
    "container-title": "In Proceedings of Summit on Advances in Programming Languages (SNAPL)",
    "editor": [
      {
        "family": "Ball",
        "given": "Thomas"
      },
      {
        "family": "Bodík",
        "given": "Rastislav"
      },
      {
        "family": "Krishnamurthi",
        "given": "Shriram"
      },
      {
        "family": "Lerner",
        "given": "Benjamin S."
      },
      {
        "family": "Morrisett",
        "given": "Greg"
      }
    ],
    "id": "snapl15",
    "issued": {
      "date-parts": [
        [
          2015
        ]
      ]
    },
    "keyword": "conf",
    "link-paper": "files/2015_the_need_for_language_support_for_fault-tolerant_distributed_systems.pdf",
    "link-slides": "files/2015_the_need_for_language_support_for_fault-tolerant_distributed_systems.pptx",
    "publisher": "Schloss Dagstuhl - Leibniz-Zentrum fuer Informatik",
    "title": "The Need for Language Support for Fault-tolerant Distributed Systems",
    "type": "paper-conference",
    "volume": "32"
  },
  {
    "abstract": "Separation logic (SL) is a widely used formalism for verifying heap manipulating programs. Existing SL solvers focus on decidable fragments for list-like structures. More complex data structures such as trees are typically unsupported in implementations, or handled by incomplete heuristics. While complete decision procedures for reasoning about trees have been proposed, these procedures suffer from high complexity, or make global assumptions about the heap that contradict the separation logic philosophy of local reasoning. In this paper, we present a fragment of classical first-order logic for local reasoning about tree-like data structures. The logic is decidable in NP and the decision procedure allows for combinations with other decidable first-order theories for reasoning about data. Such extensions are essential for proving functional correctness properties. We have implemented our decision procedure and, building on earlier work on translating SL proof obligations into classical logic, integrated it into an SL-based verification tool. We successfully used the tool to verify functional correctness of tree-based data structure implementations.",
    "author": [
      {
        "family": "Piskac",
        "given": "Ruzica"
      },
      {
        "family": "Wies",
        "given": "Thomas"
      },
      {
        "family": "Zufferey",
        "given": "Damien"
      }
    ],
    "collection-title": "LNCS 8559",
    "container-title": "In Proceedings of Computer Aided Verification (CAV)",
    "editor": [
      {
        "family": "Biere",
        "given": "Armin"
      },
      {
        "family": "Bloem",
        "given": "Roderick"
      }
    ],
    "id": "DBLP:conf/cav/PiskacWZ14",
    "issued": {
      "date-parts": [
        [
          2014
        ]
      ]
    },
    "keyword": "conf",
    "link-paper": "files/2014_automating_separation_logic_with_trees_and_data.pdf",
    "link-slides": "files/2014_automating_separation_logic_with_trees_and_data.pptx",
    "page": "711-728",
    "publisher": "Springer",
    "title": "Automating Separation Logic with Trees and Data",
    "type": "paper-conference"
  },
  {
    "abstract": "We present GRASShopper, a tool for compositional verification of heap-manipulating programs against user-provided specifications. What makes our tool unique is its decidable specification language, which supports mixing of assertions expressed in separation logic and first-order logic. The user of the tool can thus take advantage of the succinctness of separation logic specifications and the discipline of local reasoning. Yet, at the same time, she can revert to classical logic in the cases where decidable separation logic fragments are less suited, such as reasoning about constraints on data and heap structures with complex sharing. We achieve this combination of specification languages through a translation to programs whose specifications are expressed in a decidable fragment of first-order logic called GRASS. This logic is well-suited for automation using satisfiability modulo theory solvers. Unlike other tools that provide similar features, our decidability guarantees enable GRASShopper to produce detailed counterexamples for incorrect or underspecified programs. We have found this feature to be invaluable when debugging specifications. We present the underlying philosophy of the tool, describe the major technical challenges, and discuss implementation details. We conclude with an evaluation that considers challenging benchmarks such as sorting algorithms and a union/find data structure.",
    "author": [
      {
        "family": "Piskac",
        "given": "Ruzica"
      },
      {
        "family": "Wies",
        "given": "Thomas"
      },
      {
        "family": "Zufferey",
        "given": "Damien"
      }
    ],
    "container-title": "In Proceedings of Tools and Algorithms for the Construction and Analysis of Systems (TACAS)",
    "editor": [
      {
        "family": "Ábrahám",
        "given": "Erika"
      },
      {
        "family": "Havelund",
        "given": "Klaus"
      }
    ],
    "id": "tacas14",
    "issued": {
      "date-parts": [
        [
          2014
        ]
      ]
    },
    "keyword": "conf",
    "link-paper": "files/2014_grasshopper_complete_heap_verification_with_mixed_specifications.pdf",
    "publisher": "Springer",
    "title": "GRASShopper: Complete Heap Verification with Mixed Specifications",
    "title-short": "GRASShopper",
    "type": "paper-conference"
  },
  {
    "abstract": "A hallmark of object-oriented programming is the ability to perform computation through a set of interacting objects. A common manifestation of this style is the notion of a package, which groups a set of commonly used classes together. A challenge in using a package is to ensure that a client follows the implicit protocol of the package when calling its methods. Violations of the protocol can cause a runtime error or latent invariant violations. These protocols can extend across different, potentially unboundedly many, objects, and are specified informally in the documentation. As a result, ensuring that a client does not violate the protocol is hard.\nWe introduce dynamic package interfaces (DPI), a formalism to explicitly capture the protocol of a package. The DPI of a package is a finite set of rules that together specify how any set of interacting objects of the package can evolve through method calls and under what conditions an error can happen. We have developed a dynamic tool that automatically computes an approximation of the DPI of a package, given a set of abstraction predicates. A key property of DPI is that the unbounded number of configurations of objects of a package are summarized finitely in an abstract domain. This uses the observation that many packages behave monotonically: the semantics of a method call over a configuration does not essentially change if more objects are added to the configuration. We have exploited monotonicity and have devised heuristics to obtain succinct yet general DPIs. We have used our tool to compute DPIs for several commonly used Java packages with complex protocols, such as JDBC, HashSet, and ArrayList.",
    "author": [
      {
        "family": "Esmaeilsabzali",
        "given": "Shahram"
      },
      {
        "family": "Majumdar",
        "given": "Rupak"
      },
      {
        "family": "Wies",
        "given": "Thomas"
      },
      {
        "family": "Zufferey",
        "given": "Damien"
      }
    ],
    "container-title": "In Proceedings of Fundamental Approaches to Software Engineering (FASE)",
    "editor": [
      {
        "family": "Gnesi",
        "given": "Stefania"
      },
      {
        "family": "Rensink",
        "given": "Arend"
      }
    ],
    "id": "fase14",
    "issued": {
      "date-parts": [
        [
          2014
        ]
      ]
    },
    "keyword": "conf",
    "link-paper": "files/2014_dynamic_package_interfaces.pdf",
    "publisher": "Springer",
    "title": "Dynamic Package Interfaces",
    "type": "paper-conference"
  },
  {
    "abstract": "Fault-tolerant distributed algorithms play an important role in ensuring the reliability of many software applications. In this paper we consider distributed algorithms whose computations are organized in rounds. To verify the correctness of such algorithms, we reason about (i) properties (such as invariants) of the state, (ii) the transitions controlled by the algorithm, and (iii) the communication graph. We introduce a logic that addresses these points, and contains set comprehensions with cardinality constraints, function symbols to describe the local states of each process, and a limited form of quantifier alternation to express the verification conditions. We show its use in automating the verification of consensus algorithms. In particular, we give a semi-decision procedure for the unsatisfiability problem of the logic and identify a decidable fragment. We successfully applied our framework to verify the correctness of a variety of consensus algorithms tolerant to both benign faults (message loss, process crashes) and value faults (message corruption).",
    "author": [
      {
        "family": "Drăgoi",
        "given": "Cezara"
      },
      {
        "family": "Henzinger",
        "given": "Thomas A."
      },
      {
        "family": "Veith",
        "given": "Helmut"
      },
      {
        "family": "Widder",
        "given": "Josef"
      },
      {
        "family": "Zufferey",
        "given": "Damien"
      }
    ],
    "collection-title": "LNCS 8318",
    "container-title": "In Proceedings of Verification, Model Checking, and Abstract Interpretation (VMCAI)",
    "editor": [
      {
        "family": "McMillan",
        "given": "Kenneth L."
      },
      {
        "family": "Rival",
        "given": "Xavier"
      }
    ],
    "id": "vmcai14",
    "issued": {
      "date-parts": [
        [
          2014
        ]
      ]
    },
    "keyword": "conf",
    "link-paper": "files/2014_A_Logic-Based_Framework_for_Verifying_Consensus_Algorithms.pdf",
    "page": "181-201",
    "publisher": "Springer",
    "title": "A Logic-based Framework for Verifying Consensus Algorithms",
    "type": "paper-conference"
  },
  {
    "abstract": "Motivated by the analysis of highly dynamic message-passing systems, i.e. unbounded thread creation, mobility, etc. We present a framework for the analysis of depth-bounded systems. Depth-bounded systems are one of the most expressive known fragment of the π-calculus for which interesting verification problems are still decidable. Even though they are infinite state systems depth-bounded systems are well-structured, thus can be analyzed algorithmically. We give an interpretation of depth-bounded systems as graph-rewriting systems. This gives more flexibility and ease of use to apply depth-bounded systems to other type of systems like shared memory concurrency.\nFirst, we develop an adequate domain of limits for depth-bounded systems, a prerequisite for the effective representation of downward-closed sets. Downward-closed sets are needed by forward saturation-based algorithms to represent potentially infinite sets of states. Then, we present an abstract interpretation framework to compute the covering set of well-structured transition systems. Because, in general, the covering set is not computable, our abstraction over-approximates the actual covering set. Our abstraction captures the essence of acceleration based-algorithms while giving up enough precision to ensure convergence. We have implemented the analysis in the Picasso tool and show that it is accurate in practice. Finally, we build some further analyses like termination using the covering set as starting point.",
    "author": [
      {
        "family": "Zufferey",
        "given": "Damien"
      }
    ],
    "genre": "PhD thesis",
    "id": "PHD",
    "issued": {
      "date-parts": [
        [
          2013
        ]
      ]
    },
    "keyword": "thesis",
    "link-paper": "files/2013_thesis.pdf",
    "link-slides": "files/thesis_presentation/presentation.html",
    "publisher": "Institute of Science and Technology Austria",
    "title": "Analysis of Dynamic Message Passing Programs (a framework for the analysis of depth-bounded systems)",
    "type": "thesis"
  },
  {
    "ISBN": "978-3-642-39798-1",
    "abstract": "Separation logic has gained widespread popularity because of its ability to succinctly express complex invariants of a program’s heap configurations. Several specialized provers have been developed for decidable fragments of separation logic. However, these provers cannot be easily extended or combined with solvers for other theories that are important in program verification, such as linear arithmetic. In this paper, we present reductions of decidable separation logic fragments to decidable first-order theories that fit well into the SMT framework. We show how these reductions can be used to automate satisfiability, entailment, frame inference, and abduction problems for separation logic using SMT solvers. Our approach provides a simple method of integrating separation logic into existing verification tools that provide SMT backends, and an elegant way of combining separation logic fragments with other decidable first-order theories.",
    "author": [
      {
        "family": "Piskac",
        "given": "Ruzica"
      },
      {
        "family": "Wies",
        "given": "Thomas"
      },
      {
        "family": "Zufferey",
        "given": "Damien"
      }
    ],
    "collection-title": "LNCS 8044",
    "container-title": "In Proceedings of Computer Aided Verification (CAV)",
    "editor": [
      {
        "family": "Sharygina",
        "given": "Natasha"
      },
      {
        "family": "Veith",
        "given": "Helmut"
      }
    ],
    "id": "DBLP:conf/cav/PiskacWZ13",
    "issued": {
      "date-parts": [
        [
          2013
        ]
      ]
    },
    "keyword": "conf",
    "link-paper": "files/2013_automating_separation_logic_using_SMT.pdf",
    "link-slides": "files/2013_automating_separation_logic_using_SMT_slides.pdf",
    "page": "773-789",
    "publisher": "Springer",
    "title": "Automating Separation Logic using SMT",
    "type": "paper-conference"
  },
  {
    "ISBN": "978-1-4503-2014-6",
    "abstract": "We describe the design and implementation of P, a domain-specific language to write asynchronous event driven code. P allows the programmer to specify the system as a collection of interacting state machines, which communicate with each other using events. P unifies modeling and programming into one activity for the programmer. Not only can a P program be compiled into executable code, but it can also be tested using model checking techniques. P allows the programmer to specify the environment, used to “close” the system during testing, as nondeterministic ghost machines. Ghost machines are erased during compilation to executable code; a type system ensures that the erasure is semantics preserving.\nThe P language is designed so that a P program can be checked for responsiveness—the ability to handle every event in a timely manner. By default, a machine needs to handle every event that arrives in every state. But handling every event in every state is impractical. The language provides a notion of deferred events where the programmer can annotate when she wants to delay processing an event. The default safety checker looks for presence of unhandled events. The language also provides default liveness checks that an event cannot be potentially deferred forever.\nP was used to implement and verify the core of the USB device driver stack that ships with Microsoft Windows 8. The resulting driver is more reliable and performs better than its prior incarnation (which did not use P); we have more confidence in the robustness of its design due to the language abstractions and verification provided by P.",
    "author": [
      {
        "family": "Desai",
        "given": "Ankush"
      },
      {
        "family": "Gupta",
        "given": "Vivek"
      },
      {
        "family": "Jackson",
        "given": "Ethan K."
      },
      {
        "family": "Qadeer",
        "given": "Shaz"
      },
      {
        "family": "Rajamani",
        "given": "Sriram K."
      },
      {
        "family": "Zufferey",
        "given": "Damien"
      }
    ],
    "container-title": "In Proceedings of Programming Language Sesign and Implementation (PLDI)",
    "editor": [
      {
        "family": "Boehm",
        "given": "Hans-Juergen"
      },
      {
        "family": "Flanagan",
        "given": "Cormac"
      }
    ],
    "id": "DBLP:conf/pldi/DesaiGJQRZ13",
    "issued": {
      "date-parts": [
        [
          2013
        ]
      ]
    },
    "keyword": "conf",
    "link-paper": "files/2013_P_safe_asynchronous_event-driven_programming.pdf",
    "page": "321-332",
    "publisher": "ACM",
    "title": "P: Safe Asynchronous Event-driven Programming",
    "title-short": "P",
    "type": "paper-conference"
  },
  {
    "abstract": "Depth-Bounded Systems form an expressive class of well-structured transition systems. They can model a wide range of concurrent infinite-state systems including those with dynamic thread creation, dynamically changing communication topology, and complex shared heap structures. We present the first method to automatically prove fair termination of depth-bounded systems. Our method uses a numerical abstraction of the system, which we obtain by systematically augmenting an over-approximation of the system’s reachable states with a finite set of counters. This numerical abstraction can be analyzed with existing termination provers. What makes our approach unique is the way in which it exploits the well-structuredness of the analyzed system. We have implemented our work in a prototype tool and used it to automatically prove liveness properties of complex concurrent systems, including nonblocking algorithms such as Treiber’s stack and several distributed processes. Many of these examples are beyond the scope of termination analyses that are based on traditional counter abstractions.",
    "author": [
      {
        "family": "Bansal",
        "given": "Kshitij"
      },
      {
        "family": "Koskinen",
        "given": "Eric"
      },
      {
        "family": "Wies",
        "given": "Thomas"
      },
      {
        "family": "Zufferey",
        "given": "Damien"
      }
    ],
    "collection-title": "LNCS 7795",
    "container-title": "In Proceedings of Tools and Algorithms for the Construction and Analysis of Systems (TACAS)",
    "editor": [
      {
        "family": "Piterman",
        "given": "Nir"
      },
      {
        "family": "Smolka",
        "given": "Scott A."
      }
    ],
    "id": "DBLP:conf/tacas/BansalKWZ13",
    "issued": {
      "date-parts": [
        [
          2013
        ]
      ]
    },
    "keyword": "conf",
    "link-paper": "files/2013_structural_counter_abstraction.pdf",
    "link-slides": "files/2013_structural_counter_abstraction_slides.svg",
    "page": "62-77",
    "publisher": "Springer",
    "title": "Structural Counter Abstraction",
    "type": "paper-conference"
  },
  {
    "DOI": "10.1016/j.jtbi.2012.02.021",
    "ISSN": "0022-5193",
    "URL": "http://www.sciencedirect.com/science/article/pii/S002251931200094X",
    "abstract": "We study evolutionary game theory in a setting where individuals learn from each other. We extend the traditional approach by assuming that a population contains individuals with different learning abilities. In particular, we explore the situation where individuals have different search spaces, when attempting to learn the strategies of others. The search space of an individual specifies the set of strategies learnable by that individual. The search space is genetically given and does not change under social evolutionary dynamics. We introduce a general framework and study a specific example in the context of direct reciprocity. For this example, we obtain the counter intuitive result that cooperation can only evolve for intermediate benefit-to-cost ratios, while small and large benefit-to-cost ratios favor defection. Our paper is a step toward making a connection between computational learning theory and evolutionary game dynamics.",
    "author": [
      {
        "family": "Chatterjee",
        "given": "Krishnendu"
      },
      {
        "family": "Zufferey",
        "given": "Damien"
      },
      {
        "family": "Nowak",
        "given": "Martin A."
      }
    ],
    "container-title": "Journal of Theoretical Biology",
    "id": "Chatterjee2012161",
    "issue": "0",
    "issued": {
      "date-parts": [
        [
          2012
        ]
      ]
    },
    "keyword": "journal",
    "link-paper": "http://ped.fas.harvard.edu/files/ped/files/jtb12c_0.pdf",
    "page": "161 - 173",
    "title": "Evolutionary game dynamics in populations with different learners",
    "type": "article-journal",
    "volume": "301"
  },
  {
    "abstract": "Many infinite state systems can be seen as well-structured transition systems (WSTS), i.e., systems equipped with a well-quasi-ordering on states that is also a simulation relation. WSTS are an attractive target for formal analysis because there exist generic algorithms that decide interesting verification problems for this class. Among the most popular algorithms are acceleration-based forward analyses for computing the covering set. Termination of these algorithms can only be guaranteed for flattable WSTS. Yet, many WSTS of practical interest are not flattable and the question whether any given WSTS is flattable is itself undecidable. We therefore propose an analysis that computes the covering set and captures the essence of acceleration-based algorithms, but sacrifices precision for guaranteed termination. Our analysis is an abstract interpretation whose abstract domain builds on the ideal completion of the well-quasi-ordered state space, and a widening operator that mimics acceleration and controls the loss of precision of the analysis. We present instances of our framework for various classes of WSTS. Our experience with a prototype implementation indicates that, despite the inherent precision loss, our analysis often computes the precise covering set of the analyzed system.",
    "author": [
      {
        "family": "Zufferey",
        "given": "Damien"
      },
      {
        "family": "Wies",
        "given": "Thomas"
      },
      {
        "family": "Henzinger",
        "given": "Thomas A."
      }
    ],
    "collection-title": "LNCS 7148",
    "container-title": "In Proceedings of Verification, Model Checking, and Abstract Interpretation (VMCAI)",
    "editor": [
      {
        "family": "Kuncak",
        "given": "Viktor"
      },
      {
        "family": "Rybalchenko",
        "given": "Andrey"
      }
    ],
    "id": "DBLP:conf/vmcai/ZuffereyWH12",
    "issued": {
      "date-parts": [
        [
          2012
        ]
      ]
    },
    "keyword": "conf",
    "link-paper": "files/2012_Ideal_Abstractions_for_WSTS.pdf",
    "link-slides": "files/2012_Ideal_Abstractions_for_WSTS_slides.pdf",
    "page": "445-460",
    "publisher": "Springer",
    "title": "Ideal Abstractions for Well-structured Transition Systems",
    "type": "paper-conference"
  },
  {
    "abstract": "Cloud computing aims to give users virtually unlimited pay-per-use computing resources without the burden of managing the underlying infrastructure. We present a new job execution environment Flextic that exploits scalable static scheduling techniques to provide the user with a flexible pricing model, such as a tradeoff between different degrees of execution speed and execution price, and at the same time, reduce scheduling overhead for the cloud provider. We have evaluated a prototype of Flextic on Amazon EC2 and compared it against Hadoop. For various data parallel jobs from machine learning, image processing, and gene sequencing that we considered, Flextic has low scheduling overhead and reduces job duration by up to 15% compared to Hadoop, a dynamic cloud scheduler.",
    "author": [
      {
        "family": "Henzinger",
        "given": "Thomas A."
      },
      {
        "family": "Singh",
        "given": "Anmol V."
      },
      {
        "family": "Singh",
        "given": "Vasu"
      },
      {
        "family": "Wies",
        "given": "Thomas"
      },
      {
        "family": "Zufferey",
        "given": "Damien"
      }
    ],
    "container-title": "In Proceedings of the 3rd USENIX workshop on Hot topic in Cloud computing (HotCloud’11)",
    "id": "HSSWZ11",
    "issued": {
      "date-parts": [
        [
          2011
        ]
      ]
    },
    "keyword": "workshop",
    "link-paper": "files/2011_static_scheduling_in_clouds.pdf",
    "title": "Static Scheduling in Clouds",
    "type": "paper-conference"
  },
  {
    "abstract": "The static scheduling problem often arises as a fundamental problem in real-time systems and grid computing. We consider the problem of statically scheduling a large job expressed as a task graph on a large number of computing nodes, such as a data center.\nThis paper solves the large-scale static scheduling problem using abstraction refinement, a technique commonly used in formal verification to efficiently solve computationally hard problems. A scheduler based on abstraction refinement first attempts to solve the scheduling problem with abstract representations of the job and the computing resources. As abstract representations are generally small, the scheduling can be done reasonably fast. If the obtained schedule does not meet specified quality conditions (like data center utilization or schedule makespan) then the scheduler refines the job and data center abstractions and, again solves the scheduling problem. We develop different schedulers based on abstraction refinement. We implemented these schedulers and used them to schedule task graphs from various computing domains on simulated data centers with realistic topologies. We compared the speed of scheduling and the quality of the produced schedules with our abstraction refinement schedulers against a baseline scheduler that does not use any abstraction. We conclude that abstraction refinement techniques give a significant speed-up compared to traditional static scheduling heuristics, at a reasonable cost in the quality of the produced schedules. We further used our static schedulers in an actual system that we deployed on Amazon EC2 and compared it against the Hadoop dynamic scheduler for large MapReduce jobs. Our experiments indicate that there is great potential for static scheduling techniques.",
    "author": [
      {
        "family": "Henzinger",
        "given": "Thomas A."
      },
      {
        "family": "Singh",
        "given": "Vasu"
      },
      {
        "family": "Wies",
        "given": "Thomas"
      },
      {
        "family": "Zufferey",
        "given": "Damien"
      }
    ],
    "container-title": "In Proceedings of European Conference on Computer Systems (EuroSys)",
    "editor": [
      {
        "family": "Kirsch",
        "given": "Christoph M."
      },
      {
        "family": "Heiser",
        "given": "Gernot"
      }
    ],
    "id": "DBLP:conf/eurosys/HenzingerSWZ11",
    "issued": {
      "date-parts": [
        [
          2011
        ]
      ]
    },
    "keyword": "conf",
    "link-paper": "files/2011_Scheduling_Large_Jobs_by_Abstraction_Refinement.pdf",
    "page": "329-342",
    "publisher": "ACM",
    "title": "Scheduling Large Jobs by Abstraction Refinement",
    "type": "paper-conference"
  },
  {
    "abstract": "Concurrent data structures with fine-grained synchronization are notoriously difficult to implement correctly. The difficulty of reasoning about these implementations does not stem from the number of variables or the program size, but rather from the large number of possible interleavings. These implementations are therefore prime candidates for model checking. We introduce an algorithm for verifying linearizability of singly-linked heap-based concurrent data structures. We consider a model consisting of an unbounded heap where each vertex stores an element from an unbounded data domain, with a restricted set of operations for testing and updating pointers and data elements. Our main result is that linearizability is decidable for programs that invoke a fixed number of methods, possibly in parallel. This decidable fragment covers many of the common implementation techniques — fine-grained locking, lazy synchronization, and lock-free synchronization. We also show how the technique can be used to verify optimistic implementations with the help of programmer annotations. We developed a verification tool CoLT and evaluated it on a representative sample of Java implementations of the concurrent set data structure. The tool verified linearizability of a number of implementations, found a known error in a lock-free implementation and proved that the corrected version is linearizable.",
    "author": [
      {
        "family": "Cerný",
        "given": "Pavol"
      },
      {
        "family": "Radhakrishna",
        "given": "Arjun"
      },
      {
        "family": "Zufferey",
        "given": "Damien"
      },
      {
        "family": "Chaudhuri",
        "given": "Swarat"
      },
      {
        "family": "Alur",
        "given": "Rajeev"
      }
    ],
    "collection-title": "LNCS 6174",
    "container-title": "In Proceedings of Computer Aided Verification (CAV)",
    "editor": [
      {
        "family": "Touili",
        "given": "Tayssir"
      },
      {
        "family": "Cook",
        "given": "Byron"
      },
      {
        "family": "Jackson",
        "given": "Paul"
      }
    ],
    "id": "DBLP:conf/cav/CernyRZCA10",
    "issued": {
      "date-parts": [
        [
          2010
        ]
      ]
    },
    "keyword": "conf",
    "link-paper": "files/2010_Model_Checking_of_Linearizability_of_Concurrent_List_Implementation.pdf",
    "page": "465-479",
    "publisher": "Springer",
    "title": "Model Checking of Linearizability of Concurrent List Implementations",
    "type": "paper-conference"
  },
  {
    "abstract": "Depth-bounded processes form the most expressive known fragment of the π-calculus for which interesting verification problems are still decidable. In this paper we develop an adequate domain of limits for the well-structured transition systems that are induced by depth-bounded processes. An immediate consequence of our result is that there exists a forward algorithm that decides the covering problem for this class. Unlike backward algorithms, the forward algorithm terminates even if the depth of the process is not known a priori. More importantly, our result suggests a whole spectrum of forward algorithms that enable the effective verification of a large class of mobile systems.",
    "author": [
      {
        "family": "Wies",
        "given": "Thomas"
      },
      {
        "family": "Zufferey",
        "given": "Damien"
      },
      {
        "family": "Henzinger",
        "given": "Thomas A."
      }
    ],
    "collection-title": "LNCS 6014",
    "container-title": "In Proceedings of Foundations of Software Science and Computation Structures (FoSSaCS)",
    "editor": [
      {
        "family": "Ong",
        "given": "C.-H. Luke"
      }
    ],
    "id": "DBLP:conf/fossacs/WiesZH10",
    "issued": {
      "date-parts": [
        [
          2010
        ]
      ]
    },
    "keyword": "conf",
    "link-paper": "files/2010_Forward_Analysis_of_Depth-Bounded_Processes.pdf",
    "link-slides": "files/FoSSaCS10-DepthBounded_processes_slides.pdf",
    "page": "94-108",
    "publisher": "Springer",
    "title": "Forward Analysis of Depth-bounded Processes",
    "type": "paper-conference"
  },
  {
    "abstract": "Shape analysis is a promising technique to prove program properties about recursive data structures. The challenge is to automatically determine the data-structure type, and to supply the shape analysis with the necessary information about the data structure. We present a stepwise approach to the selection of instrumentation predicates for a TVLA-based shape analysis, which takes us a step closer towards the fully automatic verification of data structures. The approach uses two techniques to guide the refinement of shape abstractions: (1) during program exploration, an explicit heap analysis collects sample instances of the heap structures, which are used to identify the data structures that are manipulated by the program; and (2) during abstraction refinement along an infeasible error path, we consider different possible heap abstractions and choose the coarsest one that eliminates the infeasible path. We have implemented this combined approach for automatic shape refinement as an extension of the software model checker BLAST. Example programs from a data-structure library that manipulate doubly-linked lists and trees were successfully verified by our tool.",
    "author": [
      {
        "family": "Beyer",
        "given": "Dirk"
      },
      {
        "family": "Henzinger",
        "given": "Thomas A."
      },
      {
        "family": "Théoduloz",
        "given": "Grégory"
      },
      {
        "family": "Zufferey",
        "given": "Damien"
      }
    ],
    "collection-title": "LNCS 6013",
    "container-title": "In Proceedings of Fundamental Approaches to Software Engineering (FASE)",
    "editor": [
      {
        "family": "Rosenblum",
        "given": "David S."
      },
      {
        "family": "Taentzer",
        "given": "Gabriele"
      }
    ],
    "id": "FASE10",
    "issued": {
      "date-parts": [
        [
          2010
        ]
      ]
    },
    "keyword": "conf",
    "link-paper": "files/2010_Shape_Refinement_through_Explicit_Heap_Analysis.pdf",
    "page": "263-277",
    "publisher": "Springer",
    "title": "Shape Refinement through Explicit Heap Analysis",
    "type": "paper-conference"
  },
  {
    "abstract": "Cloud computing aims to give users virtually unlimited pay-per-use computing resources without the burden of managing the underlying infrastructure. We claim that, in order to realize the full potential of cloud computing, the user must be presented with a pricing model that offers flexibility at the requirements level, such as a choice between different degrees of execution speed and the cloud provider must be presented with a programming model that offers flexibility at the execution level, such as a choice between different scheduling policies. In such a flexible framework, with each job, the user purchases a virtual computer with the desired speed and cost characteristics, and the cloud provider can optimize the utilization of resources across a stream of jobs from different users.\nWe designed a flexible framework to test our hypothesis, which is called FlexPRICE (Flexible Provisioning of Resources in a Cloud Environment) and works as follows. A user presents a job to the cloud. The cloud finds different schedules to execute the job and presents a set of quotes to the user in terms of price and duration for the execution. The user then chooses a particular quote and the cloud is obliged to execute the job according to the chosen quote. FlexPRICE thus hides the complexity of the actual scheduling decisions from the user, but still provides enough flexibility to meet the users actual demands. We implemented FlexPRICE in a simulator called PRICES that allows us to experiment with our framework. We observe that FlexPRICE provides a wide range of execution options —from fastand expensive to slow and cheap— for the whole spectrum of data-intensive and computation-intensive jobs. We also observe that the set of quotes computed by FlexPRICE do not vary as the number of simultaneous jobs increases.",
    "author": [
      {
        "family": "Henzinger",
        "given": "Thomas A."
      },
      {
        "family": "Singh",
        "given": "Anmol V."
      },
      {
        "family": "Singh",
        "given": "Vasu"
      },
      {
        "family": "Wies",
        "given": "Thomas"
      },
      {
        "family": "Zufferey",
        "given": "Damien"
      }
    ],
    "container-title": "In Proceedings of IEEE International Conference on Cloud Computing (IEEE CLOUD)",
    "id": "HSSWZ10a",
    "issued": {
      "date-parts": [
        [
          2010
        ]
      ]
    },
    "keyword": "conf",
    "title": "FlexPRICE: Flexible provisioning of resources in a cloud environment",
    "title-short": "FlexPRICE",
    "type": "paper-conference"
  },
  {
    "abstract": "Cloud computing is an emerging paradigm aimed to offer users pay-per-use computing resources, while leaving the burden of managing the computing infrastructure to the cloud provider. We present a new programming and pricing model that gives the cloud user the exibility of trading execution speed and price on a per-job basis. We discuss the scheduling and resource management challenges for the cloud provider that arise in the implementation of this model. We argue that techniques from real-time and embedded software can be useful in this context.",
    "author": [
      {
        "family": "Henzinger",
        "given": "Thomas A."
      },
      {
        "family": "Singh",
        "given": "Anmol V."
      },
      {
        "family": "Singh",
        "given": "Vasu"
      },
      {
        "family": "Wies",
        "given": "Thomas"
      },
      {
        "family": "Zufferey",
        "given": "Damien"
      }
    ],
    "container-title": "In Proceedings of International Conference on Embedded Systems (EMSOFT)",
    "editor": [
      {
        "family": "Carloni",
        "given": "Luca P."
      },
      {
        "family": "Tripakis",
        "given": "Stavros"
      }
    ],
    "id": "DBLP:conf/emsoft/HenzingerSSWZ10",
    "issued": {
      "date-parts": [
        [
          2010
        ]
      ]
    },
    "keyword": "conf",
    "link-paper": "files/2010_A_Marketplace_for_Cloud_Resources.pdf",
    "page": "1-8",
    "publisher": "ACM",
    "title": "A Marketplace for Cloud Resources",
    "type": "paper-conference"
  },
  {
    "abstract": "Cloud computing aims to give users virtually unlimited pay-per-use computing resources without the burden of managing the underlying infrastructure. We claim that, in  order to realize the full potential of cloud computing, the user must be presented with a pricing model that offers flexibility at the requirements level, such as a choice  between different degrees of execution speed, and the cloud provider must be presented with a programming  model that offers flexibility at the execution level, such as a choice between different scheduling policies.  In this paper, we present a framework called FlexPRICE (Flexible Provisioning of Resources in a Cloud Environment) where for each job, the user purchases a virtual computer with the desired speed and cost characteristics, and the cloud provider optimizes the utilization of resources across a stream of jobs from different users.",
    "author": [
      {
        "family": "Henzinger",
        "given": "Thomas A."
      },
      {
        "family": "Singh",
        "given": "Anmol V."
      },
      {
        "family": "Singh",
        "given": "Vasu"
      },
      {
        "family": "Wies",
        "given": "Thomas"
      },
      {
        "family": "Zufferey",
        "given": "Damien"
      }
    ],
    "container-title": "(EC)² Workshop",
    "id": "HSSWZ10",
    "issued": {
      "date-parts": [
        [
          2010
        ]
      ]
    },
    "keyword": "workshop",
    "link-paper": "files/2010_EC2_in_EC2.pdf",
    "title": "(EC)² in EC2",
    "type": "paper-conference"
  },
  {
    "ISBN": "978-3-540-70543-7",
    "abstract": "We present CSIsat, an interpolating decision procedure for the quantifier-free theory of rational linear arithmetic and equality with uninterpreted function symbols. Our implementation combines the efficiency of linear programming for solving the arithmetic part with the efficiency of a SAT solver to reason about the boolean structure. We evaluate the efficiency of our tool on benchmarks from software verification. Binaries and the source code of CSIsat are publicly available as free software.",
    "author": [
      {
        "family": "Beyer",
        "given": "Dirk"
      },
      {
        "family": "Zufferey",
        "given": "Damien"
      },
      {
        "family": "Majumdar",
        "given": "Rupak"
      }
    ],
    "collection-title": "LNCS 5123",
    "container-title": "In Proceedings of Computer Aided Verification (CAV)",
    "editor": [
      {
        "family": "Gupta",
        "given": "A."
      },
      {
        "family": "Malik",
        "given": "S."
      }
    ],
    "id": "CAV08",
    "issued": {
      "date-parts": [
        [
          2008
        ]
      ]
    },
    "keyword": "conf",
    "link-paper": "files/2008_CSIsat_interpolation_for_LA_EUF.pdf",
    "link-slides": "files/CAV08-csisat-final-slides.pdf",
    "page": "304-308",
    "publisher": "Springer-Verlag, Berlin",
    "title": "CSIsat: Interpolation for LA+EUF",
    "title-short": "CSIsat",
    "type": "paper-conference"
  },
  {
    "author": [
      {
        "family": "Esmaeilsabzali",
        "given": "Shahram"
      },
      {
        "family": "Majumdar",
        "given": "Rupak"
      },
      {
        "family": "Wies",
        "given": "Thomas"
      },
      {
        "family": "Zufferey",
        "given": "Damien"
      }
    ],
    "container-title": "CoRR",
    "id": "DBLP:journals/corr/EsmaeilsabzaliMWZ13",
    "issued": {
      "date-parts": [
        [
          2013
        ]
      ]
    },
    "keyword": "techrep",
    "link-paper": "http://arxiv.org/pdf/1311.4615.pdf",
    "title": "A Notion of Dynamic Interface for Depth-bounded Object-oriented Packages",
    "type": "article-journal",
    "volume": "abs/1311.4615"
  },
  {
    "author": [
      {
        "family": "Esmaeilsabzali",
        "given": "Shahram"
      },
      {
        "family": "Majumdar",
        "given": "Rupak"
      },
      {
        "family": "Wies",
        "given": "Thomas"
      },
      {
        "family": "Zufferey",
        "given": "Damien"
      }
    ],
    "container-title": "CoRR",
    "id": "DBLP:journals/corr/EsmaeilsabzaliMWZ13a",
    "issued": {
      "date-parts": [
        [
          2013
        ]
      ]
    },
    "keyword": "techrep",
    "link-paper": "http://arxiv.org/pdf/1311.4934v2.pdf",
    "title": "Dynamic Package Interfaces - extended version",
    "type": "article-journal",
    "volume": "abs/1311.4934"
  },
  {
    "author": [
      {
        "family": "Piskac",
        "given": "Ruzica"
      },
      {
        "family": "Wies",
        "given": "Thomas"
      },
      {
        "family": "Zufferey",
        "given": "Damien"
      }
    ],
    "id": "cav13extended",
    "issued": {
      "date-parts": [
        [
          2013
        ]
      ]
    },
    "keyword": "techrep",
    "link-paper": "files/2013_automating_separation_logic_using_SMT_techreport.pdf",
    "number": "TR2013-954",
    "publisher": "New York University",
    "title": "Automating Separation Logic using SMT",
    "type": "report"
  },
  {
    "author": [
      {
        "family": "Bansal",
        "given": "Kshitij"
      },
      {
        "family": "Koskinen",
        "given": "Eric"
      },
      {
        "family": "Wies",
        "given": "Thomas"
      },
      {
        "family": "Zufferey",
        "given": "Damien"
      }
    ],
    "id": "tacas13extended",
    "issued": {
      "date-parts": [
        [
          2012
        ]
      ]
    },
    "keyword": "techrep",
    "link-paper": "files/2012_structural_counter_abstraction_techreport.pdf",
    "number": "TR2012-947",
    "publisher": "New York University",
    "title": "Structural Counter Abstraction",
    "type": "report"
  },
  {
    "author": [
      {
        "family": "Desai",
        "given": "Ankush"
      },
      {
        "family": "Gupta",
        "given": "Vivek"
      },
      {
        "family": "Jackson",
        "given": "Ethan K."
      },
      {
        "family": "Qadeer",
        "given": "Shaz"
      },
      {
        "family": "Rajamani",
        "given": "Sriram K."
      },
      {
        "family": "Zufferey",
        "given": "Damien"
      }
    ],
    "id": "pldi13extended",
    "issued": {
      "date-parts": [
        [
          2012
        ]
      ]
    },
    "keyword": "techrep",
    "link-paper": "http://research.microsoft.com/pubs/177118/tr.pdf",
    "number": "MSR-TR-2012-116",
    "publisher": "Microsoft Research",
    "title": "P: Safe Asynchronous Event-driven Programming",
    "title-short": "P",
    "type": "report"
  },
  {
    "author": [
      {
        "family": "Cerný",
        "given": "Pavol"
      },
      {
        "family": "Radhakrishna",
        "given": "Arjun"
      },
      {
        "family": "Zufferey",
        "given": "Damien"
      },
      {
        "family": "Chaudhuri",
        "given": "Swarat"
      },
      {
        "family": "Alur",
        "given": "Rajeev"
      }
    ],
    "id": "cav10extended",
    "issued": {
      "date-parts": [
        [
          2010
        ]
      ]
    },
    "keyword": "techrep",
    "link-paper": "http://pub.ist.ac.at/Pubs/TechRpts/2010/IST-2010-0001.pdf",
    "number": "IST-2010-0001",
    "publisher": "IST Austria",
    "title": "Model Checking of Linearizability of Concurrent List Implementations",
    "type": "report"
  }
]