S4is a joint project of Inria, CNRSand the University of Rennes 1, within Irisa(UMR 6074).
The objective of the project is the realization by algorithmic methods of reactive and distributed systems from partial and heterogeneous specifications. Methods, algorithms and tools are developed to synthesize reactive software from one or several incomplete descriptions of the system's expected behavior, regarding functionality (synchronization, conflicts, communication), control (safety, reachability, liveness), deployment architecture (mapping, partitioning, segregation), or even quantitative performances (response time, communication cost, throughput).
These techniques are better understood on fundamental models, such as automata, Petri nets, event structures and their timed extensions. The results obtained on these basic models are then adapted to those realistic but complex models commonly used to design embedded and telecommunication systems.
The behavioral views of the Unified Modeling Language (sequence diagrams and statecharts), the High-Level Message Sequence Charts and the synchronous reactive language Signal are the heart of the software prototypes being developed and the core of the technology transfer strategy of the project.
The scientific objectives of the project can be characterized by the following elements:
The design of real-time embedded software to be deployed over dedicated distributed architectures. Engineers in this field face two important challenges. The first one is related to system specification. Behavioral descriptions should be adaptable and composable. Specifications are expressed as requirements on the system to be designed. These requirements fall into four categories: (i) functional (synchronization, conflict, communication), (ii) control (safety, reachability, liveness), (iii) architectural (mapping, segregation) and (iv) quantitative (response time, communication cost, throughput, etc). The second challenge is the deployment of the design on a distributed architecture. Domain specific software platforms, known as middlewareor real-time operating systemsor communication layers, are now part of the usual software design process in industry. They provide a specialized and platform-independent distributed environment to higher-level software components. Deployment of software components and services should be done in a safe and efficient manner.
The development of methods and tools which assist engineers since the very first design steps of reactive distributive software. The main difficulty being the adequacy of the proposed methods with standard design methods based on components and model engineering, which most often rely on heterogeneous formalisms and require correct by construction component assembly.
Those models and methods which encompass (i) the distributed nature of the systems being considered, (ii) true concurrency, and (iii) real-time.
Team S4contributes methods, algorithms and tools producing distributed reactive software from partial heterogeneous specifications of the system to be synthesized (functionality, control, architecture, quantitative performances). This means that several heterogeneous specifications (for instance, sequence diagrams and state machines) can be combined, analyzed (are the specifications inconsistent?) and mapped to lower level specifications (for instance, communicating automata, or Petri nets).
The scientific method of Team S4begins with a rigorous modeling of problems and the development of sound theoretical foundations. This not only allows to prove the correctness (functionality and control) of the proposed transformations or analysis; but can also guarantee the optimality of the quantitative performances of the systems produced with our methods (communication cost, response time).
Synthesis and verification methods are best studied within fundamental models, such as automata, Petri nets, event structures, synchronous transition systems. Then, results can be adapted to more realistic but complex formalisms, such as the UML. The research work of Team S4is divided in five tracks:
This track follows up the main research theme of the former Team Paragrapheat InriaRennes. In addition to further developments on topics related to the theory of regions, an algebraic theory of nets has been developed.
Current research work concentrates on the composition of system views expressed in scenario formalisms such as High-Level Message Sequence Charts(HMSC) . This research is done in cooperation with France Telecom (section ).
This track contributes to the extension, to distributed systems, of the well-established synchronous paradigm. The aim is to provide a unified framework in which both synchronous systems, and particular asynchronous systems (so-called weakly-synchronous systems) can be expressed, combined, analyzed and transformed.
The design of reusable components calls for rich specification formalisms, with which the interactions of a component with its environment combines expectations of the component about its environment, with guarantees offered in return by the component to its environment.We are investigating questions related to reactive component refinement and composition. We are also investigating a component-based language development environment, where attribute grammars are used to define executable specifications of software components.
Many synthesis and supervisory control problems can be expressed, with full generality, in the quantified mu-calculus, including the existence of optimal solutions to such problems. Algorithms computing winning strategies in parity games (associated with formulas in this logic) provide effective methods for solving such control problems. This framework offers means of classifying control problems, according to their decidability or undecidability, but also according to their algorithmic complexity.
The research work of the team is built on top of solid foundations, mainly, algebraic, combinatorial or logical theories of transition systems. These theories cover several sorts of systems which have been studied during the last thirty years: sequential, concurrent, synchronous or asynchronous. They aim at modeling the behavior of finite or infinite systems (usually by abstracting computations on data), with a particular focus on the control flow which rules state changes in these systems. Systems can be autonomous or reactive, that is, embedded in an environment with which the system interacts, both receiving an input flow, and emitting an output flow of events and data. System specifications can be explicit (for instance, when the system is specified by an automaton, defined extensively by a set of states and a set of transitions), or implicit (symbolic transition rules, usually parameterized by state or control variables; partially-synchronized products of finite transition systems; Petri nets; systems of equations constraining the transitions of synchronous reactive systems, according to their input flows; etc.). Specifications can be non-ambiguous, meaning that they fully define at most one system (this holds in the previous cases), or they can be ambiguous, in which case more than one system is conforming to the specification (for instance, when the system is described by logical formulas in the modal mu-calculus, or when the system is described by a set of scenario diagrams, such as Sequence Diagrams or Message Sequence Charts ).
Systems can be described in two ways: either the state structure is described, or only the behavior is described. Both descriptions are often possible (this is the case for formal languages, automata, products of automata or, Petri nets), and moving from one representation to the other is achieved by folding/unfolding operations.
Another taxonomy criteria is the concurrency these models can encompass. Automata usually describe sequential systems. Concurrency in synchronous systems is usually not considered. In contrast, Petri nets or partially-synchronized products of automata are concurrent. When these models are transformed, concurrency can be either preserved, reflected or even, infused. An interesting case is whenever the target architecture requires distributing events among several processes. There, communication efficient implementations require that concurrency is preserved as far as possible and that, at the same time, causality relations are also preserved. These notions of causality and independence are best studied in models such as concurrent automata, Petri nets or Mazurkiewicz trace languages.
Here are our sources of inspiration regarding formal mathematical tools:
Jan van Leeuwen (ed.), Handbook of Theoretical Computer Science - Volume B: Formal Models and Semantics, Elsevier, 1990.
Jörg desel, Wolfgang Reisig and Grzegorz Rozenberg (eds.), Lectures on Concurrency and Petri nets, Lecture Notes in Computer Science, Vol. 3098, Springer, 2004.
Volker Diekert and Grzegorz Rozenberg (eds.), The Book of Traces, World Scientific, 1995.
André Arnold and Damian Niwinski, Rudiments of Mu-Calculus, North-Holland, 2001.
Gérard Berry, Synchronous languages for hardware and software reactive systems Hardware Description Languages and their Applications, Chapman and Hall, 1997.
Our research exploits decidability or undecidability results on these models (for instance, inclusion of regular languages, bisimilarity on automata, reachability on Petri nets, validity of a formula in the mu-calculus, etc.) and also, representation theorems which provide effective translations from one model to another. For instance, Zielonka's theorem yields an algorithm which maps regular trace languages to partially-synchronized products of finite automata. Another example is the theory of regions, which provides methods for mapping finite or infinite automata, languages, or even High-Level Message Sequence Charts to Petri nets. A further example concerns the mu-calculus, in which, algorithms computing winning strategies for parity games can be used to synthesize supervisory control of discrete event systems.
Our research aims to contribute effective representation theorems, with a particular emphasis on algorithms and tools which, given an instance of one model, synthesize an instance of another model. In particular we have contributed a theory, several algorithms and a tool for synthesizing Petri nets from finite or infinite automata, regular languages, or languages of High-Level Message Sequence Charts. This also applies to our work on supervisory control of discrete event systems. In this framework, the problem is to compute a system (the controller) such that its partially-synchronized product with a given system (the plant) satisfies a given behavioral property (control objective, such as, a regular language or satisfaction of a mu-calculus formula).
Software engineers often face problems like service adaptationor component interfacing. Problems of this kind are reducible to particular instances of system synthesis or supervisory control problems.
Results obtained in Team S4apply to the design of real-time systems consisting in a distributed hardware architecture and software to be deployed over that architecture. A particular emphasis is put on embeddedsystems (automotive, avionics, production systems, ...), and also, to a lesser extent, telecommunicationand productionsystems.
Research on scenario languages, and in particular on compositions of High-Level Message Sequence Chartsis well suited to the specification and analysis of servicesin intelligenttelecommunication networks. This work is funded by France Telecom (section ).
Our work on heterogeneous reactive systems facilitates the mapping of pure synchronous designs to a distributed architecture where communication is done by non-instantaneous message passing. These architectures can be usual asynchronousdistributed systems or, more interestingly, loosely time-triggered architectures(LTTA), such as those found on-board recent Airbus planes. In the latter, communication is done by periodically reading or writing (according to local inaccurate real-time clocks) distributed shared variables, without any means of synchronizing these operations. The consequence is that values may be lost or duplicated, and software designed for such specific architectures must resist losses or duplications of messages. In the context of the IST European network of excellence Artist(Section ) we have developed a theoretical and methodological framework in which the correct mapping of synchronous designs to such particular distributed architectures can be best understood, at a high level of abstraction.
Our work on Petri net synthesis and distributed control (Section ) have found applications in various domains such as automated production systems (in particular, flexible production cells, in collaboration with Team Macsiof InriaLorraine) and work-flow engineering.
We have studied the problem of embedding partial 2-structures into set 2-structures such that the target substructure is full and forward closed and it is minimal w.r.t. these properties. A. Ehrenfeucht and G. Rozenberg introduced the notion of partial 2-structures — an abstract form of transition systems — and studied the problem of representing them as partial set 2-structures — directed graphs made of sets and their ordered symmetric differences. They constructed a representation and gave the conditions under which the representation is an isomorphism. We have proposed in an alternative representation of partial 2-structures by partial set 2-structures which are complete graphs, hence their transitions may be left implicit, yielding a static representations of dynamic systems.
We have shown in that 2-bounded and persistent Petri nets with the same language have indeed isomorphic reachable state graphs. The proof is entirely based on the residual operation which was defined by E. W. Stark in .
The firing rule of Petri nets relies on a residuation operation for the commutative monoid of natural numbers. We have identified in a class of residuated commutative monoids, called Petri algebras, for which one can mimic the token game of Petri nets to define the behavior of generalized Petri nets whose flow relation and place contents are valued in such algebraic structures. The sum and its associated residuation capture respectively how resources within places are produced and consumed through the firing of a transition. We have shown that Petri algebras coincide with the positive cones of lattice-ordered commutative groups and constitute the sub-variety of the (duals of) residuated lattices generated by the commutative monoid of natural numbers. We however have exhibited a Petri algebra whose corresponding class of nets is strictly more expressive than the class of Petri nets. More precisely, we have introduced a class of nets, termed lexicographic Petri nets, that are associated with the positive cones of the lexicographic powers of the additive group of real numbers. This class of nets has been proved universal in the sense that any net associated with some Petri algebra can be simulated by a lexicographic Petri net. All the classical decidable properties of Petri nets however (termination, covering, boundedness, structural boundedness, accessibility, deadlock, liveness...) are undecidable on the class of lexicographic Petri nets. Finally we have turned our attention to bounded nets associated with Petri algebras, and have shown that their dynamic can be reformulated in term of MV-algebras.
In the framework of the ARTIST network of excellence (see Section ), we have developed a systematic method to formally model heterogeneous reactive systems. This is joint work with Alberto Sangiovanni-Vincentelli, Luca Carloni (U.C. Berkeley and Columbia University) and Paul Caspi ( Verimag).
The motivation is twofold. On the one hand, heterogeneous models are encountered throughout the design flow for embedded systems: use of UML notations, of Simulink-Stateflow, of synchronous languages. On the other hand, execution architectures for deployment generally follow a model of computationthat is different from that of the modeling tools. For example, whereas the Time-Triggered Architecture (TTA) of H. Kopetz strictly obeys the synchronous model, this is no longer the case for other commonly used infrastructures (field buses, CAN, ARINC, etc.). In 2002–2003, we analyzed the Loosely Time-Triggered Architecture (LTTA), that is in use at Airbus.
In 2003 and 2004, we addressed the issue of heterogeneity, thanks to the so-called
tag systemmodel originally due to Edward Lee and Alberto Sangiovanni-Vincentelli. We have simplified and tailored this model to our needs
. The new version covers not only synchronous and asynchronous models, timed and untimed models, and their free
combination, but also is able to model causality dependence relations, such as those induced by data- and control-flow dependencies. We have formally defined what it means to migrate from one model to another. We have formally defined what heterogeneous parallel composition means,
e.g., what
means, for
Psynchronous and
Qasynchronous. We have formally defined what it means to preserve semantics,
e.g., when migrating from a synchronous to a
globally asynchronous, locally synchronousdesign (GALS). We have characterized, by algebraic means, those designs that preserve semantics when deployed on an infrastructure which
model of computationdiffers.
In 2005, we presented an operational view of tag systems, where we focus on tag machines as mathematical artifacts that act as finitary generators of tag systems. Properties of tag machines have been investigated. Results on homogeneous compositionality are detailed in .
In another direction, Benoît Caillaud and Dumitru Potop-Butucaru ( Verimag, then Inria, team Aoste) have developed a theory for the correct deployment of synchronous designs over globally asynchronous, locally synchronous (GALS) architectures. We have introduced the notion of weak endochrony, at a macro-step level, which extends to a synchronous setting the classical theory of Mazurkiewicz traces .
In , we introduce a micro-step model for the representation of asynchronous implementations of synchronous specifications. The model covers classical implementations, where a notion of global synchronization is preserved by means of signaling, and globally asynchronous, locally synchronous (GALS) implementations where the global clock is removed. Our model offers a more refined framework for reasoning about essential correctness properties of an implementation: the preservation of semantics and the absence of deadlocks.
Component-based design is acknowledged as an important approach to improving the productivity in the design of complex software systems as it allows pre-designed components to be reused in larger systems. Designing components for reuse however calls for a system of program annotations rich enough to ensure that the components will interact in a coherent manner when connected together. That dynamic information about the interactions of the component with its environment combines expectations of the component about its environment with guarantees offered in return by the component to its environment.
When it comes to reactive systems a natural extension of the usual functional type systems is to consider finite automata with input and output channels as alphabets. These automata can take care of the more involved protocols of communication that take place among components in interaction. L. De Alfaro and Th. Henzinger introduced for that purpose Interface Automata, viewed as enriched type systems (the so-called Behavioral Type Systems), which capture the temporal aspects of software component interaction. A component refines another component if it imposes less constraint about the environment and offers more guarantee in return. We obtain in this way a compositional semantics due to the fact that a component can be replaced with a more refined version in any environment compatible with the original component: The refined version may offer more services but both are equivalent in restriction to the set of services of the original component; this situation is reminiscent to the sub-class polymorphism in object-oriented programming.
We are investigating some variants of this problem. The first variant is when an open asynchronous reactive system is viewed as a transducer that reacts to its environment by producing some output in response to some input received from its environment and according to its current internal state. Both input and output are buffered leading to communication monoids. A second variant considers synchronous systems whose interface are described by modal transition systems. In each case we intend to provide an operation for component assembly as a product of the components controlled by their respective intended environments, and symmetrically an operation realizing the conjunction of the environment specifications restricted by each component (since each component realizes partly the environment of the other component).
We are also investigating a component-based language development environment based on the formalism of attribute grammars. An abstract syntax tree decorated with attributes (AST+A in short) that conforms to an attribute grammar (AG in short) can be seen as an executable specification of a software component. In this context many problems can be easily stated, if not solved. For instance, aspects can be described almost syntactically at the level of attribute grammars and the aspect weaving is obtained during code generation. A view in an attribute grammar can be given as a subset of "visible" non-terminal symbols, we can then derive a new attribute grammar associated with this partial view of systems. Some problems naturally arise as the problem of coherency of views (decide whether a family of AST+A each conforming with a different view corresponds to the various projections of a same AST+A conforming to the original attribute grammar) and the problem of integration of views (decide whether given a family of attribute grammars, one can find an attribute grammar, and if so a most general one, so that each attribute grammar in the family is the projection of this global attribute grammar associated with some view). We also intend to study in that context invasive compositions of components by composing attribute grammars and to introduce a related notion of behavioral type when attribute grammars are used to describe reactive systems (inputs from the environment are transmitted through inherited attributes and the component responds to its environment by returning synthesized attributes as output).
Synthesis is a challenging problem: in general, program synthesisconcerns investigations on automated methods to derive a program from a specification. When the synthesis is done according to semantically correct transformation rules, the resulting programs, if any, is a correct implementation of the specification. Therefore, synthesis techniques are generally preferred to verification-based approaches, as the latter can be qualified as ``post-mortem examinations'', where incorrect programs have to be modified. Synthesis problems encompass classic theoretical issues such as satisfy
The general trend is to restrict synthesis problems to simplified situations, where only some aspects of a program are considered rather than the whole program itself. We have investigated synthesis methods both on finite transition systems, unlabeled Petri nets, which naturally capture the concurrency of distributed systems, and modal logic specifications. Non-functional properties such as timing constraints are considered.
It is worthwhile noticing that synthesis problems encompass classic theoretical issues such as satisfiability of logical assertions or control of discrete event systems.
During year 2005, the activity in this track of the S4 team can be summarized as follows:
In order to show the benefits of unlabeled Petri net synthesis for distributed supervisory control, we have imposed a structural constraint of distributability on nets. Bounded and distributable nets translate to equivalent systems of finite message passing automata. Therefore, distributable net controllers induce distributed control systems for distributed discrete event systems: each DES component receives as its local control component one of the message passing automata, and the locally controlled subsystems interact with one another in fully asynchronous mode. We have studied in the implementation of Ramadge and Wonham's finite state controllers by distributable net controllers.
In and , we present an extension of Badouel & Darondeau's results for unlabeled Petri net synthesis from regular languages: we study synthesis from families of languages defined through modal mu-calculus formulas, which translate into modal specifications. A structural restriction makes this problem is decidable.
In his PhD thesis , Guillaume Feuillade has investigated a particular satisfiability problem: the mu-calculus logic, with its fragments, are considered to specify properties of unlabeled Petri nets. Considering branching-time specifications (mu-calculus sentences) is in sharp contrast with other research works in the literature, which consider only verification or synthesis issues on regular languages. Guillaume Feuillade's results provide a better understanding of the limit between decidable and undecidable cases of the satisfiability problems mentioned above.
We have developed a logical formalism for the specification of control problems for discrete-events systems under partial observation. We allow quantifications over atomic propositions of the mu-calculus and consider a decidable fragment suitable for control synthesis .
Maximal permissivity is an optimality criterion for controllers that is often the result of dedicated synthesis algorithms: the algorithms are designed for classes of control problems for which maximal permissive controllers exist and are unique. Still, maximally permissive solutions might exist in circumstances which do not fall into such identified classes, but there is no way to ensure that classic algorithms deliver an optimal solution. In , we propose a general synthesis procedure which always computes a maximal permissive controller when it exists, for very large classes of control problems.
In , we answer a wide range of control problems for nondeterministic discrete-event systems, relying on recent works based on a second order logic approach for deterministic systems. We investigate a pair of transformations: the first one transforms a nondeterministic system into a deterministic one, thanks to an additional unobservable event; the second transforms logical statements, taking this unobservable event into account. In particular, these transformations are used to reduce control problems for nondeterministic systems to control problems under partial observation for deterministic systems.
In , we clarify the notion of architecturein decentralized control, in order to consider the realizabilityproblem: given a discrete-event system, a desired behavior and decentralized control architecture, can the desired behavior be achieved by decentralized controllers obeying the given architecture? We investigate this problem for any mu-calculus definable behavior and for a large family of architectures. The method consists in compiling into a single mu-calculus formula both the desired behavior and the desired architecture. We have obtained a general decentralized control algorithm that can encompass a large number of these architectures. Interestingly, this provides an adequate framework to compare different decentralized architectures.
This collaboration with France Telecom Research and Development, in Lannion and Issy les Moulineaux is a followup of a previous collaboration with them, which has allowed to develop techniques and tools for the analysis and composition of timed High-Level Message Sequence Charts(HMSC) .
In 2005, we have addressed the problem of assembling partial views of the behavior of a distributed system. For this purpose, we have defined an operation of controlled shuffle on languages of message sequence charts . Controlled shuffle appears to be suitable for a concise description of protocols. The crucial question left open in this work is the decision whether the controlled shuffle of two existentially bounded languages of message sequence charts is still in this class.
IST-2001-34820 (April 1st, 2002, October 1st, 2005), http://www.artist-embedded.org/and IST-004527 ARTIST2 (September 2004, September 2008), http://www.artist-embedded.org/FP6/
The ARTIST project was completed this year. Its main contributions have been the ARTIST Roadmap and the report on Embedded Systems Education .
The strategic objective of the ARTIST2 Network of Excellence is to strengthen European research in Embedded Systems Design, and promote the emergence of this new multi-disciplinary area.
ARTIST2 has a double core, consisting of leading-edge research in embedded systems design issues (described later in this document) in the Joint Programme of Research Activities (JPRA), and complementary activities around shared platforms and staff mobility in the Joint Programme of Integration Activities (JPIA). The JPRA activities are pure research, and the JPIA are complementary efforts for integration. Both work towards deep integration between the participating research teams. The JPRA and JPIA are structured into clusters - one for each of the selected topics in embedded systems design (in red). Teams may be involved in one or several clusters.
Around this double core is the Joint Programme of Activities for Spreading Excellence (JPASE). These are complementary activities for disseminating excellence across all available channels, targeting industry, students, and other European and international research teams. ARTIST2 is structured into 8 clusters: Modeling and components, adaptive real-time, control for embedded systems, execution platforms, testing and verification, compilers and timing analysis, and hard real-time.
The hard real-timecluster deals with one of the two main approaches to embedded systems design. It is focused on systems where temporal constraints are critical. This includes applications, which are often safety-critical, such as applications in space, automobile, rail transport, air traffic control, production control, etc. This is the oldest and most mature approach, and has led to significant research results in Europe, such as synchronous languages, fixed-priority scheduling, the time-triggered architectures, and these have been significantly transferred and developed in industry (for example, SCADE and Esterel to Airbus, and TTA to automotive). Albert Benveniste leads the hard real-timecluster.
Catalysis, which stands for categorical and algebraic approaches to synthesisis a collaboration initiated in 1999 between Team S4and the Institute for Computer Science ( Ipi Pan) in Gdansk, Poland. This collaboration is part of the scientific cooperation framework between CNRSand the Polish Academy of Science. Participant to that collaboration are Éric Badouel and Philippe Darondeau for Team S4, and Marek Bednarczyk, Andrzej Borzyszkowski and Wieslaw Pawlowski for Ipi Pan. A two-week visit in Gdansk of two members of the S4project and a two-week visit in Rennes of one member of Ipi Pan(in May) are planned yearly.
Éric Badouel has served in the program committee of the CARI 2005 conference and is the secretary of the steering committee of this conference. He is also member of the editorial board of the ARIMA Journal, and has been co-editor of a CARI 2004 special issue of the journal. Albert Benveniste has participated to the program committees of the CONCUR 2005 and EMSOFT 2005 conferences. Benoit Caillaud has been general chair of the ACSD 2005 held in June 2005 in St Malo, France. He his now serving in the steering committee of this conference. He has participated in the program committee of the FMGALS 2005 workshop. Benoit Caillaud has also served in the juries of the PhD thesis of Guillaume Gardey (IRCCYN, Nantes) and the habilitation thesis of Rémi Morin (U. de Provence, Marseille). Philippe Darondeau has been program committee co-chair of the ATPN 2005 conference. He is the secretary of the IFIP WG2.2 working group.
We have developed, with the help of an associate engineer (Agnès Delhaye), a software which shows a demo on control synthesis for a small factory. The demo presents a graphical 3D environment of the working factory and with a simulation of controllers' decisions - for a predefined set of properties -. The controllers are computed beforehand by using existing toolboxes such as UMDES and DESUMA . The software is made as open as possible in the following sense : a demo can be created for an arbitrary number synchronized finite states automata, which are connected to a graphical 3D environment in order to operate on it. The software is programmed in the language oRis for Linux or Windows systems.
Sophie Pinchinat organizes the 68NQRT seminar session of Irisa, with the help of another colleague: each week, a scientific talks is given by a local or an invited speaker, in the following research areas: software engineering, theoretical computer science, discrete mathematics, artificial intelligence. The seminar keeps going successfully, as this year, about 30 presentations were given, among which two thirds given by external people.
Teaching related to research undertaken in Team S4is listed below:
Master of Computer Science, University of Rennes 1, second year: Benoît Caillaud and Sophie Pinchinat are teaching a course on formal methods for the verification of reactive systems.
Eric Badouel is teaching an advanced course on functional programming in the Second year of the Master of Research in Computer Science, University of Yaoundé 1, Cameroon.