Results 1 - 10 of 22
Gradient clock synchronization
 In Proceedings of the 23rd Annual ACM Symposium on Principles of Distributed Computing (PODC). ACM
Cited by 27 (1 self)
We introduce the distributed gradient clock synchronization problem. As in traditional distributed clock synchronization, we consider a network of nodes equipped with hardware clocks with bounded drift. Nodes compute logical clock values based on their hardware clocks and message exchanges, and the goal is to synchronize the nodes' logical clocks as closely as possible, while satisfying certain validity conditions. The new feature of gradient clock synchronization (GCS for short) is to require that the skew between any two nodes' logical clocks be bounded by a nondecreasing function of the uncertainty in message delay (call this the distance) between the two nodes. That is, we require nearby nodes to be closely synchronized, and allow faraway nodes to be more loosely synchronized. We contrast GCS with traditional clock synchronization, and discuss several practical motivations for GCS, mostly arising in sensor and ad hoc networks. Our main result is that the worst case clock skew between two nodes at distance d from each other is Ω(d + log D / log log D), where D is the diameter of the network. This means that clock synchronization is not a local property, in the sense that the clock skew between two nodes depends not only on the distance between the nodes, but also on the size of the network. Our lower bound implies, for example, that the TDMA protocol with a fixed slot granularity will fail as the network grows, even if the maximum degree of each node stays constant. Categories and Subject Descriptors: F.2.0 [Theory of Computation]: analysis of algorithms and problem complexity—general
Modeling and Verification of a Fault-Tolerant Real-Time Startup Protocol using Calendar Automata
, 2004
Cited by 26 (2 self)
We discuss the modeling and verification of real-time systems using the SAL model checker. A new modeling framework based on event calendars enables dense timed systems to be described without relying on continuously varying clocks. We present verification techniques that rely on induction and abstraction, and show how these techniques are efficiently supported by the SAL symbolic model-checking tools. The modeling and verification method is applied to the fault-tolerant real-time startup protocol used in the Timed Triggered Architecture.
On the language inclusion problem for timed automata: Closing a decidability gap
 in Proc. LICS’04. IEEE
Cited by 24 (3 self)
We consider the language inclusion problem for timed automata: given two timed automata A and B, are all the timed traces accepted by B also accepted by A? While this problem is known to be undecidable, we show here that it becomes decidable if A is restricted to having at most one clock. This is somewhat surprising, since it is well-known that there exist timed automata with a single clock that cannot be complemented. The crux of our proof consists in reducing the language inclusion problem to a reachability question on an infinite graph; we then construct a suitable well-quasi-order on the nodes of this graph, which ensures the termination of our search algorithm. We also show that the language inclusion problem is decidable if the only constant appearing among the clock constraints of A is zero. Moreover, these two cases are essentially the only decidable instances of language inclusion, in terms of restricting the various resources of timed automata.
Clock Synchronization for Wireless Networks
 In Proc. 8th International Conference on Principles of Distributed Systems (OPODIS)
, 2004
Cited by 15 (3 self)
Abstract. Time synchronization is a fundamental service in many wireless applications. While the synchronization problem is well-studied in traditional wired networks, physical constraints of the wireless medium impose a unique set of challenges. We present a novel time synchronization algorithm which is highly energy efficient and failure/recovery-tolerant. Our algorithm allows nodes to synchronize to sources of real time such as GPS when such signals are available, but continues to synchronize nodes to each other, even in the absence of GPS. In addition, the algorithm satisfies a relaxed gradient property, in which the degree of synchronization between nodes varies as a linear function of their distance. Thus, nearby nodes are highly synchronized, which is desirable in many wireless applications.
TIOA User Guide and Reference Manual
, 2005
Cited by 10 (2 self)
TIOA is a simple formal language for modeling distributed systems with timing as collections of interacting state machines, called timed input/output automata. The TIOA Toolkit supports a range of validation methods, including simulation and machine-checked proofs. This user guide and reference manual includes a tutorial on the use of timed input/output automata and the TIOA language to model timed systems. It also includes a complete definition of the TIOA language.
Specifying and proving timing properties with TIOA tools
 In Work in progress session of the 25th IEEE International Real-Time Systems Symposium (RTSSWIP)
, 2004
PVS Strategies for Proving Abstraction Properties of Automata
 STRATEGIES 2004 PRELIMINARY VERSION
, 2004
Proving atomicity: An assertional approach
 Proceedings of Nineteenth International Symposium on Distributed Computing (DISC’05). Volume 3724 of Lecture Notes in Computer Science
, 2005
Cited by 4 (1 self)
Abstract. Atomicity (or linearizability) is a commonly used consistency criterion for distributed services and objects. Although atomic object implementations are abundant, proving that algorithms achieve atomicity has turned out to be a challenging problem. In this paper, we initiate the study of systematic ways of verifying distributed implementations of atomic objects, beginning with read/write objects (registers). Our general approach is to replace the existing operational reasoning about events and partial orders with assertional reasoning about invariants and simulation relations. To this end, we define an abstract state machine that captures the atomicity property and prove correctness of the object implementations by establishing a simulation mapping between the implementation and the specification automata. We demonstrate the generality of our specification by showing that it is implemented by three different read/write register constructions: the message-passing register emulation of Attiya, Bar-Noy and Dolev, its optimized version based on real time, and the shared memory register construction of Vitanyi and Awerbuch. In addition, we show that a simplified version of our specification is implemented by a general atomic object construction based on the Lamport’s replicated state machine algorithm.
CRET: a crisis response evaluation tool to improve crisis preparedness
 In IEEE International Conference on Technologies for Homeland Security (HST) (To Appear). IEEE Computer
, 2009
Cited by 3 (1 self)
Abstract—In recent years, crisis response has become cyber-physical in nature because of the increased use of computing technologies by the responders. As such, crisis preparedness requires objective evaluation of crisis response in addition to the traditional drills. This paper develops a generic Crisis Response Evaluation Tool (CRET) for offline objective crisis response evaluation to improve preparedness. The evaluation is performed through model-based engineering, which allows specification and automated analysis of crisis response behavior. An established state-based stochastic model is used to describe the behavior of crisis response processes. The effectiveness of a planned action is measured in terms of the action’s qualifiedness (also called the Q-value)—which depends on the probability of any additional crises and the conformance to a temporal window-of-opportunity Architecture Description Language (AADL) to specify the stochastic crisis response behavior model. Using this specification, CRET objectively analyzes the planned actions' Q-values under different circumstances; thus enabling an objective evaluation for crisis preparedness.
Modeling an Electronic Throttle Controller using the Timed Abstract State Machine Language and Toolset
 IN: PROCEEDINGS OF THE SATELLITE EVENTS OF THE 2006 MODELS CONFERENCE. LNCS
, 2006
Cited by 3 (2 self)
A key challenge in the design and analysis of real-time systems is the integration of functional and non-functional properties into a single specification. In this paper, we present an integrated toolset based on the TASM language. The toolset is used to specify and analyze reactive embedded real-time systems. The toolset implements the features of the Timed Abstract State Machine (TASM) language, a novel specification language. The non-functional properties that can be expressed in the language include timing behavior and resource consumption. The toolset enables the creation of executable specifications with well-defined execution semantics, abstraction mechanisms, and composition semantics. The toolset includes facilities for editing, analyzing, and simulating TASM specifications. The features of the toolset are demonstrated using an Electronic Throttle Controller (ETC) from a major automotive vendor. The TASM toolset is used to analyze the mode switching logic of the ETC. The ETC is used to calculate fuel injection and air intake to optimize fuel consumption. The TASM toolset is used to analyze the resource consumption resulting from the mode switching logic, and to verify the completeness and consistency of the specification.