Annual Report Foundations of Hybrid and Embedded Systems and Software

s for key publications representing project findings during this reporting period, are provided here. A complete list of publications that appeared in print during this reporting period is given in Section 3 below, including publications representing findings that were reported in the previous annual report. [1] A visually-specified code generator for Simulink/Stateflow Neema, S.; Kalmar, Z.; Feng Shi; Vizhanyo, A.; Karsai, G., 2005 IEEE Symposium on Visual Languages and Human-Centric Computing, pp. 275277, 20-24 Sept. 2005 Visual modeling languages are often used today in engineering domains, Mathworks' Simulink/Stateflow for simulation, signal processing and controls being the prime example. However, they are also becoming suitable for implementing other computational tasks, like model transformations. In this paper we briefly introduce GReAT: a visual language with simple, yet powerful semantics for implementing transformations on attributed, typed hypergraphs with the help of explicitly sequenced graph transformation rules. The main contribution of the paper is a Simulink/Stateflow code generator that generates executable code (running on a distributed platform) from the visual input models. The paper provides an overview of the algorithms used and their realization in GReAT. [2] Developing Applications Using Model-Driven Design Environments Balasubramanian, K.; Gokhale, A.; Karsai, G.; Sztipanovits, J.; Neema, S., Computer, vol.39, no.2, pp. 3340, Feb. 2006 Model-driven development is an emerging paradigm that improves the software development lifecycle, particularly for large software systems, by providing a higher level of abstraction for system design than is possible with third-generation programming languages. [3] Applying a Model Transformation Taxonomy to Graph Transformation Technology Tom Mens, Pieter Van Gorp, Dániel Varró and Gabor Karsai, Electronic Notes in Theoretical Computer Science, Volume 152, Proceedings of the International Workshop on Graph and Model Transformation (GraMoT 2005), 27 March 2006, Pages 143-159. A taxonomy of model transformations was introduced in T. Mens, P.V. Gorp, A taxonomy of model transformation, in: Proc. Int'l Workshop on Graph and Model Transformation (GraMoT 2005), Electronic Notes in Computer Science (2005)]. Among others, such a taxonomy can help developers in deciding which language, forma lism, 2005-06 Annual Report June 28, 2006 Foundations of Hybrid and Embedded Systems and Software 44 tool or mechanism is best suited to carry out a particular model transformation activity. In this paper we apply the taxonomy to the technique of graph transformation, and we exemplify it by referring to four representative graph transformation tools. As a byproduct of our analysis, we discuss how well each of the considered tools carry out the activity of model transformation. [4] Improving the Usability of a Graph Transformation Language Attila Vizhanyo, Sandeep Neema, Feng Shi, Daniel Balasubramanian and Gabor Karsai, Electronic Notes in Theoretical Computer Science, Volume 152, Proceedings of the International Workshop on Graph and Model Transformation (GraMoT 2005), 27 March 2006, Pages 207222. Model transformation tools implemented using graph transformation techniques are often expected to provide high performance. For this reason, in the Graph Rewriting and Transformation (GReAT) language we have supported two techniques: pre-binding of selected pattern variables and explicit sequencing of transformation steps to improve the performance of the transformation engine. When applied to practical situations, we recognized three shortcomings in our approach: (1) no support for the convenient reuse of results of one rewriting step in another, distant step, (2) lack of a sorting capability for ordering the results of the pattern matching, and (3) absence of support for the distinguished merging of results of multiple pattern matches. In this paper we briefly highlight the relevant features of GReAT, describe three motivating examples that illustrate the problems, introduce our solutions: new extensions to the language, and compare the approaches to other languages. [5] Reusable Idioms and Patterns in Graph Transformation Languages Aditya Agrawal, Attila Vizhanyo, ZsoltKalmar, Feng Shi, Anantha Narayanan and Gabor Karsai, Electronic Notes in Theoretical Computer Science, Volume 127, Issue 1, Proceedings of the International Workshop on Graph-Based Tools (GraBaTs 2004), 30 March 2005, Pages 181192. Software engineering tools based on Graph Transformation techniques are becoming available, but their practical applicability is somewhat reduced by the lack of idioms and design patterns. Idioms and design patterns provide prototypical solutions for recurring design problems in software engineering, but their use can be easily extended into software development using graph transformation systems. In this paper we briefly present a simple graph transformation language: GReAT, and show how typical design problems that arise in the context of model transformations can be solved using its constructs. These solutions are similar to software design patterns, and intend to serve as the starting point for a more complete collection. 2005-06 Annual Report June 28, 2006 Foundations of Hybrid and Embedded Systems and Software 45 [6] Case Study: Model Transformations for Time-triggered Languages Tivadar Szemethy, Electronic Notes in Theoretical Computer Science, Volume 152, Proceedings of the International Workshop on Graph and Model Transformation (GraMoT 2005), 27 March 2006, Pages 175-190. In this study, we introduce a model transformation tool for a time-triggered language: Giotto. The tool uses graphs to represent the source code (Giotto) and the target (the schedule-carrying code) of the transformation, and has been implemented entirely using graph rewriting techniques. The meta-models of the input and the output were specified using standard (UML) technology, and the transformation itself as a programmed graph rewriting system (in GReAT). The approach illustrates how a non-trivial model transformation can be implemented using graph transformations, and how the results obtained here could be used for the formal verification of embedded systems models. The transformation developed here forms the first step towards translating high-level, domain-specific models (that use concepts of the time-triggered language) into analysis models (that use concepts from the language of the analysis, e.g. timed automata). Using a formal approach such as graph transformation helps ensure the correctness of this transformation process. [7] Corrected Through Construction: A Model-Based Approach to Embedded Systems Reality Jackson, E., Sztipanovits, J. Proceedings of ECBS’06, pp. Potsdam, Germany, March 27-30, 2006 We detail a scalable and formal specification language for embedded systems called SMOLES2. This specification language is build on top of the metaprogrammable tool GME and uses modern model-based techniques like multi-aspects, generative actions, and constraint checking to auto-generate parts of a specification and to approximate the correctness of the specification without invoking verification tools. [8] Toward a Semantic Anchoring Infrastructure for Domain-Specific Modeling Languages Chen K., Sztipanovits J., Neema S., Emerson M., Abdelwahed S. Proceedings of the Fifth ACM International Conference on Embedded Software (EMSOFT’05), pp. 35-44, Jersey City, New Jersey, September 19, 2005. Metamodeling facilitates the rapid, inexpensive development of domain-specific modeling languages (DSML-s). However, there are still challenges hindering the widescale industrial application of model-based design. One of these unsolved problems is the lack of a practical, effective method for the formal specification of DSML semantics. This problem has negative impact on reusability of DSML-s and analysis tools in domain specific tool chains. To address these issues, we propose a formal well founded methodology with supporting tools to anchor the semantics of DSML-s to precisely defined and validated “semantic units”. In our methodology, each of the syntactic and semantic DSML components is defined precisely and completely. The main contribution of our approach is that it moves toward an infrastructure for DSML design that integrates 2005-06 Annual Report June 28, 2006 Foundations of Hybrid and Embedded Systems and Software 46 formal methods with practical engineering tools. In this paper we use a mathematical model, Abstract State Machines, a common semantic framework to define the semantic domains of DSML-s. [9] Semantic Anchoring with Model Transformations Chen K., Sztipanovits J., Abdelwahed S., Jackson E. European Conference on Model Driven Architecture -Foundations and Applications (ECMDA-FA), Nuremberg, Germany, November 7, 2005. Lecture Notes in Computer Science, (LNCS 3748) pp. 115-129, Springer 2005 Model-Integrated Computing (MIC) places strong emphasis on the use of domainspecific modeling languages (DSML-s) and model transformations. A metamodeling process facilitated by the Generic Modeling Environment (GME) tool suite enables the rapid and inexpensive development of DSML-s. However, the specification of semantics for DSML-s is still a hard problem. In order to simplify the DSML semantics, this paper discusses semantic anchoring, which is based on the transformational specification of semantics. Using a mathematical model, Abstract State Machine (ASM), as a common semantic framework, we have developed formal operational semantics for a set of basic models of computations, called semantic units. Semantic anchoring of DSML-s means the specification of model transformations between DSML-s (or aspects of complex DSML-s) and selected semantic units. The paper describes the semantic anchoring process using the meta-programmable MIC tool suite. [10] A Semantic Unit for Timed Automata Based Modeling Languages Chen K., Sztipanovits J., Abdelwahed S. Proceedings of RTAS’06 pp. 347-360, San Jose, CA, April 4-7, 2006 Model-Integrated Computing (MIC) is an infrastructure for model-based design of realtime and embedded software and systems. MIC places strong emphasis on the use of domain-specific modeling languages (DSMLs) and model transformations in design flows. Building on our earlier work on transformational specification of semantics for DSMLs, the paper proposes a “semantic unit” a common semantic model for timed automata behavior. The semantic unit is defined using Abstract State Machine (ASM) formalism. We show that the precise semantics of a wide range of timed automata based modeling languages (TAMLs) can be defined through specifying model transformations between a domain-specific TAML and the semantic unit. The proposed method that we call semantic anchoring is demonstrated by developing the transformation rules from the UPPAAL and IF languages to the semantic unit. [11] Compositional Specification of Behavioral Semantics Chen K., Sztipanovits J., Neema, S. Technical Report 2006-14, ISIS, Vanderbilt University May, 2006 (submitted paper) Domain-Specific Modeling Languages (DSMLs) play fundamental role in the modelbased design of embedded software and systems. In previous work, we have developed methods and tools for the semantic anchoring of DSMLs. Semantic anchoring introduces a set of reusable “semantic units” that provide reference semantics for basic behavioral categories using the Abstract State Machine framework. In this paper, we extend the 2005-06 Annual Report June 28, 2006 Foundations of Hybrid and Embedded Systems and Software 47 semantic anchoring framework to heterogeneous behaviors by developing method for the composition of semantic units. Semantic unit composition reduces the required effort from DSML designers and improves the quality of the specification. The proposed method is demonstrated through a case study. [12] Towards A Formal Foundation For Domain Specific Modeling Languages Jackson, E., Sztipanovits, J. Technical Report 2006-15, ISIS, Vanderbilt University May, 2006 (submitted paper) Embedded system design is inherently domain specific and typically model driven. As a result, design methodologies like OMG’s model driven architecture (MDA) and model integrated computing (MIC) evolved to support domain specific modeling languages (DSMLs). The success of the DSML approach has encouraged work on the heterogeneous composition of DSMLs, model transformations between DSMLs, approximations of formal properties within DSMLs, and reuse of DSML semantics. However, in the effort to produce a mature design approach that can handle both the structural and behavioral semantics of embedded system design, many foundational issues concerning DSMLs have been overlooked. In this paper we present a formal foundation for DSMLs and for their construction within metamodeling frameworks. This foundation allows us to algorithmically decide if two DSMLs or metamodels are equivalent, if model transformations preserve properties, and if metamodeling frameworks have meta-metamodels. These results are key to building correct embedded systems with DSMLs. [13] Using Separation of Concerns in Embedded Systems Design Jackson, E., Sztipanovits, J. Proceedings of the Fifth ACM International Conference on Embedded Software (EMSOFT’05), pp. 25-34, Jersey City, New Jersey, September 19, 2005. Embedded systems are commonly abstracted as collections of interacting components. This perspective has lead to the insight that component behaviors can be defined separately from admissible component interactions. We show that this separation of concerns does not imply that component behaviors can be defined in isolation from their envisioned interaction models. We argue that a type of behavior/interaction co-design must be employed to successfully leverage the separation of these concerns. We present formal techniques for accomplishing this co-design and describe tools that implement these formalisms. [14] Online Fault-Adaptive Control for Efficient Resource Management in Advanced Life Support Systems S. Abdelwahed, J. Wu, G. Biswas, J. Ramirez, and E.J. Manders, Habitation: International Journal of Human Support Research, vol. 10, no. 2, pp. 105-115, 2005. This paper presents the design and implementation of a controller scheme for efficient resource management in Advanced Life Support Systems. In the proposed approach, a switching hybrid system model is used to represent the dynamics of the system components and their interactions. The operational specifications for the controller are represented as a utility function, and the corresponding resource management problem is 2005-06 Annual Report June 28, 2006 Foundations of Hybrid and Embedded Systems and Software 48 formulated as a safety control problem. A limited-horizon online supervisory controller is used for this purpose. The online controller explores a limited region of the state-space of the system at each time step and uses the utility function to decide on the best action. The feasibility and accuracy of the online algorithm can be assessed at design time. We demonstrate the effectiveness of the scheme by running a set of experiments on the Reverse Osmosis (RO) subsystem of the Water Recovery System (WRS). [15] Introducing Embedded Software and Systems Education and Advanced Learning Technology in an Engineering Curriculum J. Sztipanovits, G. Biswas, K. Frampton, A. Gokhale, L. Howard, G. Karsai, J. Koo, X. Koutsoukos, and D. Schmidt, Special issue, ACM Trans. on Embedded Systems (TECS), vol. 4, no. 3, pp. 549-568, August 2005. Embedded software and systems are at the intersection of electrical engineering, computer engineering, and computer science, with, increasing importance, in mechanical engineering. Despite the clear need for knowledge of systems modeling and analysis (covered in electrical and other engineering disciplines) and analysis of computational processes (covered in computer science), few academic programs have integrated the two disciplines into a cohesive program of study. This paper describes the efforts conducted at Vanderbilt University to establish a curriculum that addresses the needs of embedded software and systems. Given the compartmentalized nature of traditional engineering schools, where each discipline has an independent program of study, we have had to devise innovative ways to bring together the two disciplines. The paper also describes our current efforts in using learning technology to construct, manage, and deliver sophisticated computer-aided learning modules that can supplement the traditional course structure in the individual disciplines through out-of-class and in-class use. [16] Building Efficient Simulations from Hybrid Bond Graph Models C. Beers, E.J. Manders, G. Biswas, and P. Mosterman, 2nd IFAC Conference on Analysis and Design of Hybrid Systems, Sardinia, Italy, June 2006. Embedded systems and their corresponding hybrid models are pervasive in engineering applications, therefore, systematic mathematical analysis using these models has become an important research area. Our approach to hybrid modeling with Hybrid Bond Graphs allows for seamless integration of physical system principles with discrete computational structures, but simulating the hybrid behaviors can be difficult and computationally expensive. In this paper, we develop a methodology that transforms Hybrid Bond Graphs into computational block diagrams and incrementally modifies the block diagram when mode changes occur. This forms the basis for a computationally efficient hybrid simulation algorithm. 2005-06 Annual Report June 28, 2006 Foundations of Hybrid and Embedded Systems and Software 49 [17] Hierarchical Online Control Design for Autonomous Resource Management in Advanced Life Support Systems S. Abdelwahed, J. Wu, G. Biswas, and E. J.-Manders, International Conference on Environmental Systems, Paper no. 2005-01-2965, Rome, Italy, July 2005. This paper presents a distributed, hierarchical control scheme for autonomous resource management in complex embedded systems that can handle dynamic changes in resource constraints and operational requirements. The developed hierarchical control structure handles the interactions between subsystem and system-level controllers. A global coordinator at the root of the hierarchy ensures resource requirements for the duration of the mission are not violated. We have applied this approach to design a three-tier hierarchical controller for the operation of a lunar habitat that includes a number of interacting life support components. [18] Requirements for an Autonomous Control Architecture for Advanced Life Support Systems G. Biswas, P. Bonasso, S. Abdelwahed, E.J. Manders, J. Wu, D. Kortenkamp, and S. Bell, International Conference on Environmental Systems, Paper no.2005-01-3010, Rome, Italy, July 2005. This paper builds upon a series of life support control experiments conducted at NASA Johnson Space Center and at Vanderbilt University. The experiments used two distinct, layered control architectures: (i) a model-based approach, and (ii) a procedural approach to control complex, distributed systems. Both sets of experiments produced good results, but they also brought out the strengths and weaknesses of the two in the context of requirements for long duration human missions. Our goal in this paper is to come up with the design requirements for an integrated architecture for autonomous controller design that combines the best of the two approaches. This paper provides a framework for integrated design and discusses the advantages it offers. [19] Multi-scale Modeling of Advanced Life Support Systems E.J.-Manders, S. Bell, G. Biswas, and D. Kortenkamp, International Conference on Environmental Systems, Paper no.2005-01-113, Rome, Italy, July 2005. Regenerative life support systems for long duration human space exploration missions present unique design challenges that are also reflected in constructing behavior models of these systems for analysis purposes. These systems have multiple modes of operation and complex non-linear dynamics that occur at multiple time scales. Coarse grained analysis of the complete system over long duration and fine grained analysis of smaller system elements while avoiding computational intractability can be achieved by using multiple modeling and simulation paradigms. We describe a multi-level simulation model of an advanced life support system. The simulation model couples a discrete-event approach at the system level, with more detailed hybrid (continuous/discrete) physical system modeling at the sub-system level. 2005-06 Annual Report June 28, 2006 Foundations of Hybrid and Embedded Systems and Software 50 [20] Component-oriented modeling of hybrid dynamic systems using the Generic Modeling Environment Eric-J. Manders, Gautam Biswas, Nagabhushan Mahadevan, Gabor Karsai, pp. 159-168, Fourth Workshop on Model-Based Development of Computer-Based Systems and Third International Workshop on Model-Based Methodologies for Pervasive and Embedded Software (MBD-MOMPES'06), 2006. This paper presents a component oriented modeling environment for building hybrid dynamic models of physical systems. The modeling environment is created using the Generic Modeling Environment (GME), a meta programmable visual modeling application developed at the Institute for Software Integrated Systems (ISIS). The core of the modeling language itself is a hybrid extension of the bond graph modeling language. The advantages of an object-oriented approach to physical system modeling combined with the advanced features of GME for managing model complexity are illustrated by building a library of hydraulic system components. A simulation model can be automatically generated from the physical system model using a model translator. As an example application we use the component library to build the model of a coupled multitank system with controlled and autonomous hybrid behaviors, and illustrate this with a simulation example. [21] A Hybrid Control System Design and Implementation for a Three-tank Testbed J. Wu, G. Biswas, S. Abdelwahed, and E.J. Manders, IEEE Conference on Control Applications, Toronto, CA, pp. 645-650, August 2005. This paper discusses methodologies for designing online supervisory controllers for a class of embedded systems that can be modeled as switching hybrid system (SHS). In the online control approach, a limited forward horizon of possible behaviors is explored at each time step. The controller decides the best action using a cost function to determine the best state on the horizon. We discuss the controller design and implementation for a three-tank system test-bed with distributed sensor and actuation units. A set of real-time fault adaptive control experiments demonstrate the effectiveness of the approach. [22] Cascaded Control Design for a Quadrotor Aerial Robot T. J. Koo, C. A. Clifton and G. Hemingway: In Proceedings of the Asian Control Conference, Bali, Indonesia, July 2006. Aerial robot can swiftly react to changes in dynamical environment, by properly executing a sequence of controllers. In this paper, a cascaded controller design based on an outer-inner model of the quadrotor aerial robot is presented. The cascaded control structure enables the design of multi-modal controller in the outer loop for executing autonomous mission while reducing control design complexity by using a single controller for the inner loop. An outer controller is designed by using the differential flatness property of the outer system and the backstepping design technique in order to take advantage of the nonlinear nature of the system. A robust linear inner controller is designed based on an identified inner model to deal with model uncertainty and disturbance. Given a desired output trajectory, the outer controller can generate desired inner trajectory for the inner controller to track. The controllers are designed to guarantee 2005-06 Annual Report June 28, 2006 Foundations of Hybrid and Embedded Systems and Software 51 bounded output tracking and bounded state performance for bounded desired output trajectory in the presence of anticipated disturbance. The control design is implemented and the experimental results are presented. [23] A Semantic Anchoring Infrastructure for Model-based Embedded System Design G. Hemingway, H. Su, K. Chen, and T. J. Koo: Technical Report 2006-16, ISIS, Vanderbilt University May, 2006 (submitted paper) Model-Integrated Computing (MIC) is an infrastructure for model-based design of embedded software and systems. MIC places strong emphasis on the use of Domain Specific Modeling Language (DSMLs) and model transformations in design flows. Practical and effective development of formal specifications for DSML semantics within model-based tools can be challenging, but could positively impact adoption and reuse of these tools. The semantic anchoring methodology was developed to address this challenge by formally tying DSMLs to a ``semantic unit'', which is a formal specification that captures the operational semantics of a specific model of computation. Leveraging our prior work with semantic units, we develop a semantic unit for hybrid automata. Hybrid automata can be used to model system-level behaviors for embedded systems that exhibit strong couplings between discrete and continuous dynamics. In this paper, we explicitly specify the operational semantics of hybrid automata, and develop the corresponding semantic unit and model transformation rules. We demonstrate the effectiveness of the infrastructure in a practical case study involving the hybrid automata DSMLs, HyVisual and ReachLab. [24] Advantages and challenges of distributed active vibro-acoustic control Frampton, K.: The Journal of the Acoustical Society of America -September 2005 -Volume 118, Issue 3, p. 1950 As active control technologies reach their performance limits in large scale systems, many investigators have looked toward decentralized control as a means of expanding the application horizons. Decentralized control is defined here as numerous independent controllers operating on a single system. These decentralized approaches have been shown to be effective, but not as effective as traditional centralized control. In an effort to achieve control performance approaching centralized control while maintaining the scalability benefits of decentralized control, the use of distributed control is considered. Distributed control consists of numerous control processors operating on a system that are capable of communicating with each other over a network. This work discusses the application of distributed active control to vibroacoustic problems. Key elements in distributed control systems will be presented along with the state of each of the key technologies involved. Of particular interest are the limitations in enabling technologies that limit the application of distributed control: namely real-time network communications; distributed control algorithms and design tools; software infrastructure for system management; and other factors. Results will demonstrate that distributed control can perform nearly as well as centralized control, but that it can also be ``scaled up'' for use in large complex systems. 2005-06 Annual Report June 28, 2006 Foundations of Hybrid and Embedded Systems and Software 52 [25] A Causality Interface for Deadlock Analysis in Dataflow Ye Zhou and Edward A. Lee. A Causality Interface for Deadlock Analysis in Dataflow. Submitted to EMSOFT, May, 2006. In this paper, we consider a concurrent model of computation called dataflow, where components (actors) communicate via streams of data tokens. Dataflow semantics has been adopted by experimental and production languages used to design embedded systems. The execution of a data-flow actor is enabled by the availability of its input data. One important question is whether a dataflow model will deadlock (i.e., actors cannot execute due to a data dependency loop). Deadlock in many cases can be determined, although it is generally not decidable. We develop a causality interface for dataflow actors based on the general framework we introduced in [1] and show how this causality information can be algebraically composed so that composition of components acquire causality interfaces that are inferred from their components and the interconnections. We illustrate the use of these causality interfaces to statically analyze for deadlock. [26] A Formalism for Higher-Order Composition Languages that Satisfies the ChurchRosser Property Adam Cataldo, Elaine Cheong, Thomas Huining Feng, Edward A. Lee and Andrew Mihal. Technical report, EECS Dept., University of California, Berkeley, 48, May, 2006. In actor-oriented design, programmers make hierarchical compositions of concurrent components. As embedded systems become increasingly complex, these compositions become correspondingly complex in the number of actors, the depth of hierarchies, and the connections between ports. We propose higher-order composition languages as a way to specify these actor-oriented models. The key to these languages is the ability to succinctly specify configurations with higher-order parameters---parameters that themselves might be configurations. We present a formalism which allows us to describe arbitrarily complex configurations of components with higher-order parameters. This formalism is an extension of the standard lambda calculus. [27] Automotive engine hybrid modelling and control for reduction of hydrocarbon emissions P.R. Sanketi, J.C. Zavala and J.K. Hedrick. International Journal of Control, 79(5):449-464, May 2006. Automotive engine models vary in their complexity depending on the intended application. Pre-prototype performance prediction models can be very complex in order to make accurate predictions. Controller design models need to be as simple as possible since model-based controllers must operate in real time. This paper develops hybrid models for engine control that incorporate time and events in their formulation. The resulting hybrid controllers have the capability of switching between two alternative control modes. The first mode is designed to reduce the raw hydrocarbon (HC) emissions while the second mode tries to increase the temperature of the catalytic converter as rapidly as possible during the initial transient or ‘‘cold start’’ period. Reachability, as a tool for system analysis, is used to verify the properties of the closed loop system. 2005-06 Annual Report June 28, 2006 Foundations of Hybrid and Embedded Systems and Software 53 [28] New real-time embedded software for an autonomous helicopter system using Giotto Jongho Lee. New real-time embedded software for an autonomous helicopter system using Giotto. Master's thesis, UC Berkeley, May, 2006. A new design of embedded software for an autonomous helicopter control system is presented. A helicopter is a practical hard real-time system. Its timing behaviors of embedded software are crucial for safety. Readable and maintainable control software is essential for complex systems. In this thesis, a time-based control domain specific programming language is used to fulfill timing constraints and needs of reusable software. A design procedure along with implementation and flight tests is described for a radio controlled helicopter system. [29] Accelerating Applications Using TIPI Sub-RISC Processing Elements Scott Weber, Kaushik Ravindran, Andrew Mihal and Kurt Keutzer. Unpublished article, May, 2006. We introduce the TIPI sub-RISC architecture and a supporting infrastructure for designing, programming, analyzing, and implementing TIPI sub-RISC processing elements. The TIPI sub-RISC architectural abstraction encapsulates programmable architectures ranging from hard-wired data paths to RISC/VLIW processors. Although RTL design can capture TIPI processing elements, the TIPI infrastructure substantially increases design entry productivity and provides a 100-1000x increase in simulation performance when compared to RTL design. We have used the TIPI infrastructure to design two processors to accelerate an MP3 decoder. The TIPI processors achieved speedups up to 26x over the corresponding functions in software. The TIPI framework also provides a path to implementation using RTL synthesis. We used this path to implement the system on the Xilinx ML-310 FPGA platform. The main program was executed on the PowerPC core and the TIPI accelerators were built on the Virtex-II Pro 2VP30 FPGA. [30] Modeling Timed Concurrent Systems using Generalized Ultrametrics Xiaojun Liu, Eleftherios Matsikoudis and Edward A. Lee. Modeling Timed Concurrent Systems using Generalized Ultrametrics. Technical report, EECS Department, UC Berkeley, May, 2006. Timed concurrent systems are used in concurrent and distributed real-time software, modeling of hybrid systems, design of hardware systems (using hardware description languages), discrete-event simulation, and modeling of communication networks. They consist of concurrent components that communicate using timed signals, which are sets of (semantically) time-stamped events. The denotational semantics of such systems is traditionally formulated in a metric space. In this metric space, causal components are modeled by contracting functions. We show that this formulation excessively restricts the models of time that can be used. In particular, it cannot handle super-dense time, commonly used in hardware description languages and hybrid systems modeling, finite time lines, and time with no origin. Moreover, if we admit continuous-time and mixed signals (essential for hybrid systems modeling) or certain Zeno signals, then causality is no longer equivalent to its formalization in terms of contracting functions. In this paper, 2005-06 Annual Report June 28, 2006 Foundations of Hybrid and Embedded Systems and Software 54 we offer an alternative semantic framework using a generalized ultrametric that overcomes these limitations. [31] The Problem with Threads Edward A. Lee. The Problem with Threads. IEEE Computer, 39(5):33-42, May 2006. For concurrent programming to become mainstream, we must discard threads as a programming model. Nondeterminism should be judiciously and carefully introduced where needed, and it should be explicit in programs. [32] Automated Mapping from a Domain Specific Language to a Commercial Embedded Multiprocessor William Plishker and Kurt Keutzer. Unpublished article, May, 2006; Submitted to CODES 2006. Application specific programmable systems are capable of high performance implementations while remaining flexible enough to support a range of applications. Architects of these systems achieve high performance through domain specific optimizations, often introduced at the expense of programming productivity. We examine one of the most performance critical and time consuming steps to arriving at efficient implementations on these platforms: the mapping of an application to a target architecture. We accelerate this step by constructing a model of the architecture which captures its key features while being amenable to automated mapping. With an analogous presentation of the application and mapping formulated as an integer linear programming (ILP) problem, we demonstrate this approach finds solutions that are guaranteed to be close to optimal solutions with respect to this model. These solutions enable efficient implementations of representative network applications on a commercial network processor family. We show this approach can produce an implementation comparable to a hand crafted design. [33] COP Semantics of Timed Interactive Actor Networks Xiaojun Liu and Edward A. Lee. COP Semantics of Timed Interactive Actor Networks. Technical report, EECS Department, UC Berkeley, 67, May, 2006. We give a denotational framework for composing interactive components into closed or open systems and show how to adapt classical domain-theoretic approaches to open systems and to timed systems. For timed systems, instead of the usual metric-space-based approaches, we show that existence and uniqueness of behaviors are ensured by continuity with respect to a simply defined prefix order. Existence and uniqueness of behaviors, however, does not imply that a composition of components yields a useful behavior. The unique behavior could be empty or smaller than expected. We define liveness and show that appropriately defined causality conditions ensure liveness and freedom from Zeno conditions. In our formulation, causality does not require a metric and can embrace a wide variety of models of time. 2005-06 Annual Report June 28, 2006 Foundations of Hybrid and Embedded Systems and Software 55 [34] Hierarchical Timing Language Arkadeb Ghosal, Thomas A. Henzinger, Daniel Iercan, Christoph Kirsch and Alberto L. Sangiovanni-Vincentelli. Hierarchical Timing Language. Technical report, EECS Department, University of California, Berkeley, Technical Report No. UCB/EECS-20, May, 2006. We have designed and implemented a new programming language for hard real-time systems. Critical timing constraints are specified within the language, and ensured by the compiler. The main novel feature of the language is that programs are extensible in two dimensions without changing their timing behavior: new program modules can be added, and individual program task can be refined. The mechanism that supports time invariance under parallel composition is that different program modules communicate at specified instances of time. Time invariance under refinement is achieved by conservative scheduling of the top level. The language, which assembles real-time tasks within a hierarchical module structure with timing constraints, is called Hierarchical Timing Language (HTL). It is a coordination language, in that individual tasks can be implemented in other languages. We present a distributed HTL implementation of an automotive steer-by-wire controller as a case study. [35] Analysis of Low-Level Code Using Cooperating Decompilers Bor-Yuh Evan Chang, Matthew Harren, and George C. Necula. Analysis of Low-Level Code Using Cooperating Decompilers. April, 2006; In submission. We present a modular framework for building assembly-language program analyzers by using a pipeline of decompilers that gradually lift the level of the language to something appropriate for source-level analysis tools. Each decompilation stage contains an abstract interpreter that encapsulates its findings about the program by translating the program into a higher-level intermediate language. For the hardest decompilation tasks a decompiler may request information from higher-level stages in the pipeline. We provide evidence for the modularity of this framework through the implementation of multiple decompilation pipelines for both x86 and MIPS assembly produced by gcc, gcj, and coolc (a compiler for a pedagogical mini-Java language) that share several low-level components. Finally, we discuss our experimental results that apply the BLAST model checker for C and the Cqual analyzer to decompiled assembly. [36] Incremental Checkpointing with Application to Distributed Discrete Event Simulation Huining Thomas Feng and Edward A. Lee. Technical report, EECS Dept., University of California Berkeley, 37, April, 2006. Checkpointing is widely used in robust fault-tolerant applications. We present an efficient incremental checkpointing mechanism. It requires to record only the the state changes and not the complete state. After the creation of a checkpoint, state changes are logged incrementally as records in memory, with which an application can spontaneously roll back later. This incrementality allows us to implement checkpointing with high performance. Only small constant time is required for checkpoint creation and state recording. Rollback requires linear time in the number of recorded state changes, which is bounded by the number of state variables times the number of checkpoints. We 2005-06 Annual Report June 28, 2006 Foundations of Hybrid and Embedded Systems and Software 56 implement a Java source transformer that automatically converts an existing application into a behavior-preserving one with checkpointing functionality. This transformation is application-independent and application-transparent. A wide range of applications can benefit from this technique. Currently, it has been used for distributed discrete event simulation using the Time Warp technique. [37] An Interface Algebra for Real-time Components Thomas Henzinger, Slobodan Matic. Proceedings of RTAS 2006, 253-263, April, 2006. We present an assume-guarantee interface algebra for real-time components. In our formalism a component implements a set of task sequences that share a resource. A component interface consists of an arrival rate function and a latency for each task sequence, and a capacity function for the shared resource. The interface specifies that the component guarantees certain task latencies depending on assumptions about task arrival rates and allocated resource capacities. Our algebra defines compatibility and refinement relations on interfaces. Interface compatibility can be checked on partial designs, even when some component interfaces are yet unknown. In this case interface composition computes as new assumptions the weakest constraints on the unknown components that are necessary to satisfy the specified guarantees. Interface refinement is defined in a way that ensures that compatible interfaces can be refined and implemented independently. Our algebra thus formalizes an interface-based design methodology that supports both the incremental addition of new components and the independent stepwise refinement of existing components. We demonstrate the flexibility and efficiency of the framework through simulation experiments. [38] Design Space Exploration of Automotive Platforms in Metropolis Haibo Zeng, Abhijit Davare, Alberto Sangiovanni-Vincentelli, Sampada Sonalkar, Sri Kanajan, Claudio Pinello. Society of Automotive Engineers Congress, April, 2006. Automotive control applications are implemented over distributed platforms consisting of a number of electronic control units (ECUs) connected by communication buses. During system development, the designer can explore a number of design alternatives: for example, software distribution, software architecture, hardware architecture, and network configuration. Exploring design alternatives efficiently and evaluating them to optimize metrics such as cost, time, resource utilization, and reliability provides an important competitive advantage to OEMs and helps minimize integration risks. We present a methodology (Platform-Based Design) and a framework (Metropolis) to support efficient architecture exploration. We have exercised the methodology and the capabilities of Metropolis for developing a library of automotive architecture components and performed design space exploration on a chassis control sub-system. [39] Concurrent Embedded Design for Multimedia: JPEG encoding on Xilinx FPGA Case Study Jike Chong, Abhijit Davare, Kelvin Lwin. Technical report, UC Berkeley, April, 2006. Parallel platforms are becoming predominant in the embedded systems space due to a variety of factors. These platforms can deliver high peak performance if they can be 2005-06 Annual Report June 28, 2006 Foundations of Hybrid and Embedded Systems and Software 57 programmed effectively. However, current sequential software design techniques as well as the Single Program Multiple Data (SPMD) programming models often used in the High Performance Computing (HPC) domain are insufficient. In this report, we experiment with a dataflow programming model for multimedia embedded systems. By applying this programming model to a common application and embedded platform, we get a better idea of the implementation challenges for this class of systems. [40] Composition Languages James Adam Cataldo and Edward A. Lee. Technical report, EECS Dept., University of California, Berkeley, 24, March, 2006; Found at: http://www.eecs.berkeley.edu/Pubs/TechRpts/2006/EECS-2006-24.pdf. We propose composition languages as a way to specify actor-oriented models, or hierarchical networks of concurrent components which communicate with one another through ports. The key to composition languages is the ability to succinctly specify higher-order models. As an example, a higher-order model may be a distributed sort model. The model may be parameterized by a divide component (or model), a conquer component, and the respective numbers of divide and conquer components. A programmer will specify this higher-order model once and can then use it for an arbitrary number of components with arbitrary divide and conquer components. We believe composition languages will become increasingly important in actor-oriented design, since they will enable rapid development of large systems. [41] Finitary Winning in \omega-Regular Games Krishnendu Chatterjee and Thomas A. Henzinger. Finitary Winning in \omega-Regular Games. TACAS, March, 2006. Games on graphs with \omega-regular objectives provide a model for the control and synthesis of reactive systems. Every \omega-regular objective can be decomposed into a safety part and a liveness part. The liveness part ensures that something good happens eventually. Two main strengths of the classical, infinite-limit formulation of liveness are robustness (independence from the granularity of transitions) and simplicity (abstraction of complicated time bounds). However, the classical liveness formulation suffers from the drawback that the time until something good happens may be unbounded. A stronger formulation of liveness, so-called finitary liveness, overcomes this drawback, while still retaining robustness and simplicity. Finitary liveness requires that there exists an unknown, fixed bound b such that something good happens within b transitions. While for one-shot liveness (reachability) objectives, classical and finitary liveness coincide, for repeated liveness objectives, the finitary formulation is strictly stronger. In this work we study games with finitary parity and Streett (fairness) objectives. We prove the determinacy of these games, present algorithms for solving these games, and characterize the memory requirements of winning strategies. Our algorithms can be used, for example, for synthesizing controllers that do not let the response time of a system increase without bound. 2005-06 Annual Report June 28, 2006 Foundations of Hybrid and Embedded Systems and Software 58 [42] Reachability Analysis of Controlled Discrete-Time Stochastic Hybrid Systems S. Amin, A. Abate, M. Prandini, J. Lygeros, and S. Sastry. Hybrid Systems: Computation and Control, Proceedings of the 9th International Workshop, Santa Barbara, CA, vol. 3927 of Lecture Notes in Computer Science, J. Hespanha and A. Tiwari, Springer-Verlag, pp. 49-63, March, 2006. In this research, a model for discrete time stochastic hybrid systems is proposed. With reference to the introduced class of systems, a methodology for probabilistic reachability analysis is studied, which can be useful for safety verification. This methodology is based on the interpretation of the safety verification problem as an optimal control problem for a certain controlled Markov process. In particular, this allows us to characterize through some optimal cost function the set of initial conditions for the system such that its state can be maintained within a given "safe" set with sufficiently high probability. [43] Interchange Formats for Hybrid Systems: Abstract Semantics Alessandro Pinto, Luca P. Carloni, Roberto Passerone and Alberto Sangiovanni-Vincentelli. Hybrid Systems: Computation and Control, Joao Hespanha and Ashish Tiwari, 491-506, March, 2006. In previous work we advocated the need for an interchange format for hybrid systems that enables the integration of design tools coming from many different research communities. In deriving such interchange format the main challenge is to define a language that, while presenting a particular formal semantics, remains general enough to accommodate the translation across the various modeling approaches used in the existing tools. In this paper we give a formal definition of the syntax and semantics for the proposed interchange format. In doing so, we clearly separate the structure of a hybrid system from the semantics attached to it. The semantics can be considered an ``abstract semantics'' in the sense that it can be refined to yield the model of computation, or ``concrete semantics'', which, in turn, is associated to the existing languages that are used to specify hybrid systems. We show how the interchange format can be used to capture the essential information across different modeling approaches and how such information can be used in the translation process. [44] A Platform-based Design Flow for Kahn Process Networks Abhijit Davare, Qi Zhu, Alberto Sangiovanni-Vincentelli. Technical report, UC Berkeley, 200630, March, 2006. Effectively implementing multimedia applications on multiprocessor architectures is a key challenge in system-level design. This work explores automated solutions to this problem by considering two separate directions of research. First, the problem is placed within the context of a generalized mapping strategy and the concept of a common semantic domain is developed which is capable of reasoning about the automation techniques that are to be applied. Second, a specialized design flow and associated algorithms are developed to solve this problem. The idea of a common semantic domain is described and its usefulness in other mapping problems is demonstrated. For this particular problem, a common semantic domain is identified and forms the basis of the algorithms which are developed in the design flow. The design flow is divided into four 2005-06 Annual Report June 28, 2006 Foundations of Hybrid and Embedded Systems and Software 59 clearly defined steps, to ensure the tractability of optimization problems while obtaining a good overall solution. The separation of the flow into these steps allows prior work from a variety of sources to be used. Efficient heuristics are developed for each step of the design flow. The effectiveness of the heuristics used in this design flow is demonstrated by applying them to an industrial case study. [45] Communication and Co-Simulation Infrastructure for Heterogeneous System Integration Guang Yang, Xi Chen, Felice Balarin, Harry Hsieh, Alberto Sangiovanni-Vincentelli. Design Automation and Test in Europe, March, 2006. With the increasing complexity and heterogeneity of embedded electronic systems, a unified design methodology at higher levels of abstraction becomes a necessity. Meanwhile, it is also important to incorporate the current design practice emphasizing IP reuse at various abstraction levels. In the traditional design industry, there are many legacy IPs at the register transfer level or gate level. To handle the design complexity, people are now moving towards higher abstraction levels, such as the transaction level or behavior level. However, the abstraction gap prohibits easy communication and synchronization in IP integration. Another challenge is the co-simulation among IPs written in different design languages. Up to now, there are attempts on co-simulation between HDLs and C/C++/SystemC; however, there does not exist a generic cosimulation framework for arbitrary design languages. In this paper, we present a communication infrastructure for an integrated design framework that enables co-design and co-simulation of heterogeneous design components specified at different abstraction levels and in different languages. The core of the approach is to abstract different communication interfaces or protocols to a common high level communication semantics. Designers only need to specify the interfaces of the design components using extended regular expressions; communication adapters can then be automatically generated for the co-simulation or other co-design and co-verification purposes. [46] Viptos: A Graphical Development and Simulation Environment for TinyOS-based Wireless Sensor Networks Elaine Cheong, Prof. Edward A. Lee, Yang Zhao. Technical report, EECS Dept. UC Berkeley, 15, February, 2006; Presented in conjunction with BEARS 2006. We describe Viptos (Visual Ptolemy and TinyOS), an integrated graphical development and simulation environment for TinyOS-based wireless sensor networks. TinyOS is a component-based, event-driven runtime environment designed for wireless sensor networks. Viptos allows networked embedded systems developers to construct block and arrow diagrams to create TinyOS programs from any standard library of TinyOS components written in nesC, a C-based programming language. Viptos automatically transforms the diagram into a nesC program that can be compiled and downloaded from within the graphical environment onto any TinyOS-supported target platform. Viptos is built on Ptolemy II, a modeling and simulation environment for embedded systems, and TOSSIM, an interrupt-level discrete event simulator for homogeneous TinyOS networks. In particular, Viptos includes the full capabilities of VisualSense, a Ptolemy II environment that can model communication channels, networks, and non-TinyOS nodes. 2005-06 Annual Report June 28, 2006 Foundations of Hybrid and Embedded Systems and Software 60 Viptos extends the capabilities of TOSSIM to allow simulation of heterogeneous networks. Viptos provides a bridge between VisualSense and TOSSIM by providing interrupt-level simulation of actual TinyOS programs, with packet-level simulation of the network, while allowing the developer to use other models of computation available in Ptolemy II for modeling the physical environment and other parts of the system. This framework allows application developers to easily transition between high-level simulation of algorithms to low-level implementation and simulation. This paper presents our experiences with integrating the nesC/TinyOS/TOSSIM and Ptolemy II programming and execution models. [47] Strategy Improvement and Randomized Subexponential Algorithms for Stochastic Parity Games Krishnendu Chatterjee and Thomas A. Henzinger. STACS 06, February, 2006. A stochastic graph game is played by two players on a game graph with probabilistic transitions. We consider stochastic graph games with \omega-regular winning conditions specified as parity objectives. These games lie in NP and coNP. We present a strategy improvement algorithm for stochastic parity games; this is the first non-brute-force algorithm for solving these games. From the strategy improvement algorithm we obtain a randomized subexponential-time algorithm to solve such games. [48] Markov Decision Processes with Multiple Objectives Krishnendu Chatterjee, Rupak Majumdar and Thomas A. Henzinger. STACS, February, 2006. We consider Markov decision processes (MDPs) with multiple discounted reward objectives. Such MDPs occur in design problems where one wishes to simultaneously optimize several criteria, for example, latency and power. The possible trade-offs between the different objectives are characterized by the Pareto curve. We show that every Pareto-optimal point can be achieved by a memoryless strategy; however, unlike in the single-objective case, the memoryless strategy may require randomization. Moreover, we show that the Pareto curve can be approximated in polynomial time in the size of the MDP. Additionally, we study the problem if a given value vector is realizable by any strategy, and show that it can be decided in polynomial time; but the question whether it is realizable by a deterministic memoryless strategy is NP-complete. These results provide efficient algorithms for design exploration in MDP models with multiple objectives. [49] A Constructive Fixed-Point Theorem and the Feedback Semantics of Timed Systems James Adam Cataldo, Edward A. Lee, Xiaojun Liu, Eleftherios Dimitrios Matsikoudis and Haiyang Zheng. Technical report, EECS Dept. University of California, Berkeley, 4, January, 2006. Deterministic timed systems can be modeled as fixed point problems. In particular, any connected network of timed systems can be modeled as a single system with feedback, and the system behavior is the fixed point of the corresponding system equation, when it exists. For delta-causal systems, we can use the Cantor metric to measure the distance 2005-06 Annual Report June 28, 2006 Foundations of Hybrid and Embedded Systems and Software 61 between signals and the Banach fixed-point theorem to prove the existence and uniqueness of a system behavior. Moreover, the Banach fixed-point theorem is constructive: it provides a method to construct the unique fixed point through iteration. In this paper, we extend this result to systems modeled with the superdense model of time used in hybrid systems. We call the systems we consider eventually delta-causal, a strict generalization of delta-causal in which multiple events may be generated on a signal in zero time. With this model of time, we can use a generalized ultrametric instead of a metric to model the distance between signals. The existence and uniqueness of behaviors for such systems comes from the fixed-point theorem of Priess-Crampe, but this theorem gives no constructive method to compute the fixed point. This leads us to define petrics, a generalization of metrics, which we use to generalize the Banach fixed-point theorem to provide a constructive fixed-point theorem. This new fixed-point theorem allows us to construct the unique behavior of eventually delta-causal systems. [50] The Problem with Threads Edward A. Lee. Technical report, EECS Dept., University of California, Berkeley, 1, January, 2006. Threads are a seemingly straightforward adaptation of the dominant sequential model of computation to concurrent systems. Languages require little or no syntactic changes to support threads, and operating systems and architectures have evolved to efficiently support them. Many technologists are pushing for increased use of multithreading in software in order to take advantage of the predicted increases in parallelism in computer architectures. In this paper, I argue that this is not a good idea. Although threads seem to be a small step from sequential computation, in fact, they represent a huge step. They discard the most essential and appealing properties of sequential computation: understandability, predictability, and determinism. Threads, as a model of computation, are wildly nondeterministic, and the job of the programmer becomes one of pruning that nondeterminism. Although many research techniques improve the model by offering more effective pruning, I argue that this is approaching the problem backwards. Rather than pruning nondeterminism, we should build from essentially deterministic, composable components. Nondeterminism should be explicitly and judiciously introduced where needed, rather than removed where not needed. The consequences of this principle are profound. I argue for the development of concurrent coordination languages based on sound, composable formalisms. I believe that such languages will yield much more reliable, and more concurrent programs. [51] HyVisual: A Hybrid System Modeling Framework Based on Ptolemy II Edward A. Lee and Haiyang Zheng. IFAC Conference on Analysis and Design of Hybrid Systems, January, 2006; HyVisual is a hybrid systems modeling framework providing a block diagram visual syntax for specifying continuous dynamics and a bubble-and-arc syntax for specifying modal behavior. It is based on Ptolemy II, is written in Java, and is distributed opensource at http://ptolemy.eecs.berkeley.edu/hyvisual/. HyVisual has a rigorous operational semantics described in [1]. A key property is that it internally uses superdense time, where signals are modeled as partial functions of the form f:R+ × N * V , where R+ is the 2005-06 Annual Report June 28, 2006 Foundations of Hybrid and Embedded Systems and Software 62 non-negative real numbers and represents time, V is the value set (a data type, such as Rn), and N is the set of natural numbers. Continuous-time functions are total, whereas discrete-event functions are defined only on a discrete subset of R+. The N in the domain permits signals to have multiple values in a well-defined order at a particular time. Using this framework, HyVisual gives a rigorous semantics to discontinuous signals (which have multiple values at the point of discontinuity), to discrete-event signals with multiple events at the same time, and to transient states, where the time spent in the state is zero. An example of a HyVisual model that leverages this is shown in fig. 1, which shows many features of HyVisual. This models Newton’s cradle, an apparatus with three (or more) balls hanging from strings (inspired by a one dimensional version in [2]). If the model is initialized with one of the balls displaced as shown in the HyVisual graphical animation at the lower left, then when the ball collides with the middle ball, a transient state results. At that time, the right ball transfers its momentum to the middle ball, and then, without any time elapsing, the middle ball transfers its momentum to the left ball. The two events (state transitions in the state machine at the middle left) are simultaneous but ordered. Other initial conditions can be chosen where two simultaneous events are unordered (e.g., starting with two balls appropriately displaced). HyVisual allows a model to permit nondeterministic choice of enabled transitions. [52] The Complexity of Quantitative Concurrent Parity Games Krishnendu Chatterjee, Luca de Alfaro and Thomas A. Henzinger. SODA, January, 2006. We consider two-player infinite games played on graphs. The games are concurrent, in that at each state the players choose their moves simultaneously and independently, and stochastic, in that the moves determine a probability distribution for the successor state. The value of a game is the maximal probability with which a player can guarantee the satisfaction of her objective. We show that the values of concurrent games with \omegaregular objectives expressed as parity conditions can be decided in NP and coNP. This result substantially improves the best known previous bound of 3EXPTIME. It also shows that the full class of concurrent parity games is no harder than the special case of turn-based stochastic reachability games, for which NP and coNP is the best known bound. While the previous, more restricted NP and coNP results for graph games relied on the existence of particularly simple (pure memoryless) optimal strategies, in concurrent games with parity objectives optimal strategies may not exist, and e-optimal strategies (which achieve the value of the game within a parameter e > 0) require in general both randomization and infinite memory. Hence our proof must rely on a more detailed analysis of strategies and, in addition to the main result, yields two results that are interesting on their own. First, we show that there exist e-optimal strategies that in the limit coincide with memoryless strategies; this parallels the celebrated result of MertensNeyman for concurrent games with limit-average objectives. Second, we complete the characterization of the memory requirements for e-optimal strategies for concurrent games with parity conditions, by showing that memoryless strategies suffice for eoptimality for coBÃ1⁄4chi conditions. 2005-06 Annual Report June 28, 2006 Foundations of Hybrid and Embedded Systems and Software 63 [53] Games with Secure Equilibria Krishnendu Chatterjee, Thomas A. Henzinger and Marcin Jurdzinski. Theoretica Computer Science, January 2006. In 2-player non-zero-sum games, Nash equilibria capture the options for rational behavior if each player attempts to maximize her payoff. In contrast to classical game theory, we consider lexicographic objectives: first, each player tries to maximize her own payoff, and then, the player tries to minimize the opponent's payoff. Such objectives arise naturally in the verification of systems with multiple components. There, instead of proving that each component satisfies its specification no matter how the other components behave, it sometimes suffices to prove that each component satisfies its specification provided that the other components satisfy their specifications. We say that a Nash equilibrium is secure if it is an equilibrium with respect to the lexicographic objectives of both players. We prove that in graph games with Borel winning conditions, which include the games that arise in verification, there may be several Nash equilibria, but there is always a unique maximal payoff profile of a secure equilibrium. We show how this equilibrium can be computed in the case of \omega-regular winning conditions, and we characterize the memory requirements of strategies that achieve the equilibrium. [54] Ellipsoidal Toolbox Alex A. Kurzhanskiy, Pravin Varaiya. Technical report, EECS, UC Berkeley, January, 2006. Ellipsoidal Toolbox (ET) implements in MATLAB the ellipsoidal calculus and its application to the reachability analysis of continuousand discrete-time, possibly timevarying linear systems, and linear systems with disturbances, for which ET calculates both open-loop and close-loop reach sets. The ellipsoidal calculus provides the following benefits: The complexity of the ellipsoidal representation is quadratic in the dimension of the state space, and linear in the number of time steps. It is possible to exactly represent the reach set of linear system through both external and internal ellipsoids. It is possible to single out individual external and internal approximating ellipsoids that are optimal to some given criterion (e.g. trace, volume, diameter), or combination of such criteria. It gives simple analytical expressions for the control that steers the state to a desired target. [55] Languages and Tools for Hybrid Systems Design Luca P. Carloni, Roberto Passerore, Alessandro Pinto and Alberto Sangiovanni-Vincentelli. Foundations and Trends in Design Automation, 1(1):1-204, January 2006. The explosive growth of embedded electronics is bringing information and control systems of increasing complexity to every aspects of our lives. The most challenging designs are safety-critical systems, such as transportation systems (e.g., airplanes, cars, and trains), industrial plants and health care monitoring. The difficulties reside in accommodating constraints both on functionality and implementation. The correct behavior must be guaranteed under diverse states of the environment and potential failures; implementation has to meet cost, size, and power consumption requirements. The design is therefore subject to extensive mathematical analysis and simulation. However, traditional models of information systems do not interface well to the 2005-06 Annual Report June 28, 2006 Foundations of Hybrid and Embedded Systems and Software 64 continuous evolving nature of the environment in which these devices operate. Thus, in practice, different mathematical representations have to be mixed to analyze the overall behavior of the system. Hybrid systems are a particular class of mixed models that focus on the combination of discrete and continuous subsystems. There is a wealth of tools and languages that have been proposed over the years to handle hybrid systems. However, each tool makes different assumptions on the environment, resulting in somewhat different notions of hybrid system. This makes it difficult to share information among tools. Thus, the community cannot maximally leverage the substantial amount of work that has been directed to this important topic. In this paper, we review and compare hybrid system tools by highlighting their differences in terms of their underlying semantics, expressive power and mathematical mechanisms. We conclude our review with a comparative summary, which suggests the need for a unifying approach to hybrid systems design. As a step in this direction, we make the case for a semantic-aware interchange format, which would enable the use of joint techniques, make a formal comparison between different approaches possible, and facilitate exporting and importing design representations. [56] A-Priori Detection of Zeno Behavior in Communication Networks Modeled as Hybrid Systems A. Abate, A. D. Ames, and Shankar S. Sastry. Proc. 25th IEEE American Control Conference, Minneapolis, MN, Jun. 2006.