Automatically validating temporal safety properties of interfaces
, 2001
"... We present a process for validating temporal safety properties of software that uses a welldefined interface. The process requires only that the user state the property of interest. It then automatically creates abstractions of C code using iterative refinement, based on the given property. The pro ..."
. The process is realized in the SLAM toolkit, which consists of a model checker, predicate abstraction tool and predicate discovery tool. We have applied the SLAM toolkit to a number of Windows NT device drivers to validate critical safety properties such as correct locking behavior. We have found
Time Discounting and Time Preference: A Critical Review
 Journal of Economic Literature
, 2002
"... www.people.cornell.edu/pages/edo1/. ..."
Symmetry and Related Properties via the Maximum Principle
, 1979
"... We prove symmetry, and some related properties, of positive solutions of second order elliptic equations. Our methods employ various forms of the maximum principle, and a device of moving parallel planes to a critical position, and then showing that the solution is symmetric about the limiting plan ..."
We prove symmetry, and some related properties, of positive solutions of second order elliptic equations. Our methods employ various forms of the maximum principle, and a device of moving parallel planes to a critical position, and then showing that the solution is symmetric about the limiting
A Critical Point For Random Graphs With A Given Degree Sequence
, 2000
"... Given a sequence of nonnegative real numbers 0 ; 1 ; : : : which sum to 1, we consider random graphs having approximately i n vertices of degree i. Essentially, we show that if P i(i \Gamma 2) i ? 0 then such graphs almost surely have a giant component, while if P i(i \Gamma 2) i ! 0 the ..."
Given a sequence of nonnegative real numbers 0 ; 1 ; : : : which sum to 1, we consider random graphs having approximately i n vertices of degree i. Essentially, we show that if P i(i \Gamma 2) i ? 0 then such graphs almost surely have a giant component, while if P i(i \Gamma 2) i ! 0 then almost surely all components in such graphs are small. We can apply these results to G n;p ; G n;M , and other wellknown models of random graphs. There are also applications related to the chromatic number of sparse random graphs.
A LongMemory Property of Stock Market Returns and a New Model
 Journal of Empirical Finance
, 1993
"... A ‘long memory ’ property of stock market returns is investigated in this paper. It is found that not only there is substantially more correlation between absolute returns than returns themselves, but the power transformation of the absolute return lrfl ” also has quite high autocorrelation for lo ..."
A ‘long memory ’ property of stock market returns is investigated in this paper. It is found that not only there is substantially more correlation between absolute returns than returns themselves, but the power transformation of the absolute return lrfl ” also has quite high autocorrelation
Automatic predicate abstraction of C programs
 IN PROC. ACM PLDI
, 2001
"... Model checking has been widely successful in validating and debugging designs in the hardware and protocol domains. However, statespace explosion limits the applicability of model checking tools, so model checkers typically operate on abstractions of systems. Recently, there has been significant in ..."
interest in applying model checking to software. For infinitestate systems like software, abstraction is even more critical. Techniques for abstracting software are a prerequisite to making software model checking a reality. We present the first algorithm to automatically construct a predicate abstraction
Featherweight Java: A Minimal Core Calculus for Java and GJ
 ACM Transactions on Programming Languages and Systems
, 1999
"... Several recent studies have introduced lightweight versions of Java: reduced languages in which complex features like threads and reflection are dropped to enable rigorous arguments about key properties such as type safety. We carry this process a step further, omitting almost all features of the fu ..."
Several recent studies have introduced lightweight versions of Java: reduced languages in which complex features like threads and reflection are dropped to enable rigorous arguments about key properties such as type safety. We carry this process a step further, omitting almost all features
UPPAAL in a Nutshell
, 1997
"... . This paper presents the overall structure, the design criteria, and the main features of the tool box Uppaal. It gives a detailed user guide which describes how to use the various tools of Uppaal version 2.02 to construct abstract models of a realtime system, to simulate its dynamical behavior, ..."
, to specify and verify its safety and bounded liveness properties in terms of its model. In addition, the paper also provides a short review on casestudies where Uppaal is applied, as well as references to its theoretical foundation. 1 Introduction Uppaal is a tool box for modeling, simulation
Symbolic Model Checking for Realtime Systems
 INFORMATION AND COMPUTATION
, 1992
"... We describe finitestate programs over realnumbered time in a guardedcommand language with realvalued clocks or, equivalently, as finite automata with realvalued clocks. Model checking answers the question which states of a realtime program satisfy a branchingtime specification (given in an ..."
, many standard program properties, such as response for all nonzeno execution sequences (during which time diverges), cannot be characterized by fixpoints: we show that the expressiveness of the timed calculus is incomparable to the expressiveness of timed CTL. Fortunately, this result does
