The VerTeCsteam is focused on the reliability of reactive software using formal methods. By reactive software we mean software that continuously reacts with its environment. The environment can be a human user for a complete reactive system, or another software using the reactive software as a component. Among these, critical systems are of primary importance, as errors occurring during their execution may have dramatic economical or human consequences. Thus, it is essential to establish their correctness before they are deployed in a real environment. Correctness is also essential for less critical applications, in particular for COTS components whose behavior should be trusted before integration in software systems.

For this, the
VerTeCsteam promotes the use of formal methods, i.e. formal specification and mathematically founded analysis methods. During the analysis and design phases, correctness of specifications with respect to requirements or higher level specifications
can be established by formal
*verification*. Alternatively,
*control*consists in forcing specifications to stay within desired behaviours by coupling them with a supervisor. During validation,
*testing*can be used to check the conformance of implementations with respect to their specifications.
*Test generation*is the process of automatically generating test cases from specifications.

More precisely, the aim of the
VerTeCsproject is to improve the reliability of reactive systems by providing software engineers with methods and tools for automating the
**verification**, the
**test generation**and
**controller synthesis**from formal specifications. We adapt or develop formal models for the description of testing and control artifacts, e.g. specifications, implementations, test cases, supervisors. We formally describe correctness relations (e.g. conformance or satisfaction). We also
formally describe interaction semantics between testing artifacts. From these models, relations and interaction semantics, we develop algorithms for automatic test and controller synthesis that ensure desirable properties. We try to be as generic as possible in terms of models and techniques
in order to cope with a wide range of specification languages and application domains. We implement prototype tools for distribution in the academic world, or for transfer to industry.

Our research is based on formal models and our basic tools are
**verification**techniques such as model checking, theorem proving, abstract interpretation, the control theory of discrete event systems, and their underlying models and logics. The close connection between testing, control and verification produces a synergy between these research topics
and allows us to share theories, models, algorithms and tools.

The formal models we use are mainly automata-like structures such as labelled transition systems (LTS) and some of their extensions: an LTS is a tuple
M= (
Q,
,
,
q_{o})where
Qis a non-empty set of states;
q_{o}Qis the initial state;
Ais the alphabet of actions,
is the transition relation. These models are adapted to testing and controller synthesis.

To model reactive systems in the testing context, we use Input/Output labeled transition systems (IOLTS for short). In this setting, the interactions between the system and its environment (where the tester lies) must be partitioned into inputs (controlled by the environment), outputs
(observed by the environment), and internal (non observable) events modeling the internal behavior of the system. The alphabet
is then partitioned into
where
_{!}is the alphabet of outputs,
_{?}the alphabet of inputs, and
the alphabet of internal actions.

In the controller synthesis theory, we also distinguish between controllable and uncontrollable events (
=
_{c}_{uc}), observable and unobservable events (
).

In order to cope with more realistic models, closer to real specification languages, we also need higher level models that consider both control and data aspects. We defined (input-output) symbolic transition systems ((IO)STS), which are extensions of (IO)LTS that operate on data (i.e.,
program variables, communication parameters, symbolic constants) through message passing, guards, and assignments. Formally, an IOSTS is a tuple
(
V,
,
,
T), where
Vis a set of variables (including a counter variable encoding the control structure),
is the initial condition defined by a predicate on
V,
is the finite alphabet of actions, where each action has a signature (just like in IOLTS,
can be partitioned as e.g.
),
Tis a finite set of symbolic transitions of the form
t= (
a,
p,
G,
A)where
ais an action (possibly with a polarity reflecting its input/output/internal nature),
pis a tuple of communication parameters,
Gis a guard defined by a predicate on
pand
V, and
Ais an assignment of variables. The semantics of
IOSTSis defined in terms of (IO)LTS where states are vectors of values of variables, and transitions between them are labelled with instantiated actions (action with valued communication parameter). This (IO)LTS semantics allows us to perform syntactical transformations at the (IO)STS level
while ensuring semantical properties at the (IO)LTS level. We also consider extensions of these models with added features such as recursion, fifo channels, etc. An alternative to IOSTS to specify systems with data variables is the model of synchronous dataflow equations.

Our research is based on well established theories: conformance testing, supervisory control, abstract interpretation, and theorem proving. Most of the algorithms that we employ take their origins in these theories:

graph traversal algorithms (breadth first, depth first, strongly connected components, ...). We use these algorithms for verification as well as test generation and control synthesis.

BDDs (Binary Decision Diagrams) algorithms, for manipulating Boolean formula, and their MTBDDs (Multi-Terminal Decision Diagrams) extension for manipulating more general functions. We use these algorithms for verification and test generation.

abstract interpretation algorithms, specifically in the abstract domain of convex polyhedra (for example, Chernikova's algorithm for the computation of dual forms). Such algorithms are used in verification and test generation.

logical decision algorithms, such as satisfiability of formulas in Presburger arithmetics. We use these algorithms during generation and execution of symbolic test cases.

Most of our research, and in particular controller synthesis and conformance testing, relies on the ability to solve some verification problems. A large part of these problems reduces to reachability and coreachability problems on a formal model (a state
sis
*reachable from an initial state
s_{i}*if an execution starting from

Verification in its full generality consists in checking that a system, which is specified in a formal model, satisfies a required property. When the state space of the system is finite and not too large, verification can be carried out by graph algorithms (model-checking). For large or infinite state spaces, we can perform approximate computations, either by computing a finite abstraction and resort to graph algorithms, or preferably by using more sophisticated abstract interpretation techniques. Another way to cope with large or infinite state systems is deductive verification, which, either alone or in combination with compositional and abstraction techniques, can deal with complex systems that are beyond the scope of fully automatic methods.

The techniques described above, which are dedicated to the analysis of LTS, are already mature. It seems natural to extend them to IOSTSor data-flow applications that manipulate variables taking their values into possibly infinite data domains.

The techniques we develop for test generation or controller synthesis require to solve state reachability and state coreachability problems which can be solved by fixpoint computations (and also by deductive methods).

The big change induced by taking into account the data and not only the (finite) control of the systems under study is that the fixpoints become uncomputable. The undecidability is overcome by resorting to approximations, using the theoretical framework of Abstract Interpretation .

Abstract Interpretation is a theory of approximate solving of fixpoint equations applied to program analysis. Most program analysis problems, among others reachability analysis, come down to solving a fixpoint equation

x
F
x
x
C

where
Cis a lattice. In the case of reachability analysis, if we denote by
Sthe state space of the considered program,
Cis the lattice
(
S)of sets of states, ordered by inclusion, and
Fis roughly the ``
*successor states*'' function defined by the program.

The exact computation of such an equation is generally not possible for undecidability (or complexity) reasons. The fundamental principles of Abstract Interpretation are:

to substitute to the
*concrete domain*
Ca simpler
*abstract domain*
A(static approximation) and to transpose the fixpoint equation into the abstract domain, so that one has to solve an equation
y=
G(
y),
yA;

to use a
*widening operator*(dynamic approximation) to make the iterative computation of the least fixpoint of
Gconverge after a finite number of steps to some upper-approximation (more precisely, a post-fixpoint).

Approximations are conservative so that the obtained result is an upper-approximation of the exact result. Those two principles are well illustrated by the Interval Analysis , which consists in associating to each numerical variable of a program an interval representing an (upper) set of reachable values:

One substitutes to the concrete domain
(
R^{n})induced by the numerical variables the abstract domain
(
I
_{R})
^{n}, where
I_{R}denotes the set of intervals on real numbers; a set of values of a variable is then represented by the smallest interval containing it;

An iterative computation on this domain may not converge: it is indeed easy to generate an infinite sequence of intervals which is strictly growing. The ``standard'' widening operator extrapolates by + the upper bound of an interval if the upper bound does not stabilize within a given number of steps (and similarly for the lower bound).

In this example, the state space
(
R^{n})that should be abstracted has a simple structure, but this may be more complicated when variables belong to different data types (Booleans, numerics, arrays) and when it is necessary to establish
*relations*between the values of different types.

Programs performing dynamic allocation of objects in memory have an even more complex state space. Solutions have been devised to represent in an approximate way the memory heap and pointers between memory cells by graphs (
*shape analysis*
,
). Values contained in memory cells are however generally ignored.

In the same way, programs with recursive procedure calls, parameter passing and local variables are more delicate to analyse with precision. The difficulty is to abstract the execution stacks which may have a complex structure, particularly when parameters passing by reference are allowed, as it induces aliasing on the stack .

For verification we also use theorem proving and more particularly the
pvs
and
Coq
proof assistants. These are two general-purpose systems based on two different versions of higher-order logic. A
verification task in such a proof assistant consists in encoding the system under verification and its properties into the logic of the proof assistant, together with verification
*rules*that allow to prove the properties. Using the rules usually requires input from the user; for example, proving that a state predicate holds in every reachable state of the system (i.e., it is an
*invariant*) typically requires to provide a stronger,
*inductive*invariant, which is preserved by every execution step of the system. Another type of verification problem is proving
*simulation*between a concrete and an abstract semantics of a system. This too can be done by induction in a systematic manner, by showing that, in each reachable state of the system, each step of the concrete system is simulated by a corresponding step at the abstract level.

In testing, we are mainly interested in conformance testing. Conformance testing consists in checking whether a black box implementation under test (the real system that is only known by its interface) behaves correctly with respect to its specification (the reference which specifies the intended behavior of the system). In the line of model-based testing, we use formal specifications and their underlying models to unambiguously define the intended behavior of the system, to formally define conformance and to design test case generation algorithms. The difficult problems are to generate test cases that correctly identify faults (the oracle problem) and, as exhaustiveness is impossible to reach in practice, to select an adequate subset of test cases that are likely to detect faults. Hereafter we detail some elements of the models, theories and algorithms we use.

**Models:**We use IOLTS (or IOSTS) as formal models for specifications, implementations, test purposes, and test cases. Most often, specifications are not directly given in such low-level models, but are written in higher-level specification languages (e.g. SDL, UML, Lotos). The tools
associated with these languages often contain a simulation API that implements their semantics under the form of IOLTS. On the other hand, the IOSTS model is expressive enough to allow a direct representation of most constructs of the higher-level languages.

**Conformance testing theory:**We adapt a well established theory of conformance testing
, which formally defines conformance as a relation between formal models of specifications and implementations. This
conformance relation, called
**ioco**is defined in terms of visible behaviors (called
*suspension traces*) of the implementation
I(denoted by
STraces(
I)) and those of the specification
S(denoted by
STraces(
S)). Suspension traces are sequence of inputs, outputs or quiescence (absence of action denoted by
), thus abstract away internal behaviors that cannot be observed by testers. The conformance relation
iocowas originally written in
as follows:

where
Mafteris the set of states where
Mcan stay after the observation of the suspension trace
, and
Out(
Mafter)is the set of outputs and quiescence allowed by
Min this set. Intuitively,
IiocoSif, after a suspension trace of the specification, the implementation
Ican only show outputs and quiescences of the specification
S. We re-formulated ioco as a partial inclusion of visible behaviors as follows

Intuitively, this says that suspension traces of
Iwhich are suspension traces of
Sprolongated by an output or quiescence, are still suspension traces of
S. An alternative characterization of ioco is then

Interestingly, this characterization presents conformance with respect to
Sas a safety property of suspension traces of
I. In fact
characterizes finite unexpected behaviours. Thus conformance with respect to
Sis clearly a safety property of
Iwhich negation can be specified by a ``non conformance'' observer
A_{¬
i
o
c
o
S}built from
Sand recognizing these unexpected behaviours. However, as
Iis a black box, one cannot check conformance exhaustively, but may only experiment
Iusing test cases, expecting the detection of some non-conformances. In fact the non-conformance observer
A_{¬
i
o
c
o
S}can also be thought as the canonical tester of
Sfor
ioco, i.e. the most general testing process of
Sfor
ioco. It then serves also as a basis for test selection.

Test cases are processes executed against implementations in order to detect non-conformance. They are also formalized by IOLTS (or IOSTS) with special states indicating
*verdicts*. The execution of test cases against implementations is formalized by a parallel composition with synchronization on common actions. Usually a
*Fail*verdict means that the IUT is rejected and should correspond to non-conformance, a
*Pass*verdict means that the IUT exhibited a correct behavior and some specific targeted behaviour has been observed, while an
*Inconclusive*verdict is given to a correct behavior that is not targeted. Based on these models, the execution semantics, and the conformance relation, one can then define required properties of test cases and test suites (sets of test cases). Typical properties are soundness (only non
conformant implementations should be rejected by a test case) and exhaustiveness (every non conformant implementation may be rejected by a test case). Soundness is not difficult to obtain, but exhaustiveness is not possible in practice and one has to select test cases.

**Test selection:**in the literature, in particular in white box testing, test selection is often based on coverage of some criteria (state coverage, transition coverage, etc). But in practice, test cases are often associated with
*test purposes*describing some particular behaviors targeted by a test case. We have developed test selection algorithms based on the formalization of these
*test purposes*. In our framework, test purposes are specified as IOLTS (or IOSTS) associated with marked states, giving them the status of automata or observers accepting sequences of actions or visible behaviors (suspension traces), denoted
ASTraces(
TP). Now selection of test cases amounts at selecting visible behaviors of the specification that are accepted by the test purpose i.e.
STraces(
S)
ASTraces(
TP), and then complement them with unspecified outputs leading to
*Fail*. Alternatively, this can be seen as the computation of a sub-automaton of the canonical tester
A_{¬
i
o
c
o
S}whose accepting traces are
. The resulting test case is then both an observer of the negation of a safety property (non-conformance wrt.
S), and an observer of a reachability property (acceptance by the test purpose).

Test selection algorithms are based on the computation of the visible behaviors of the specification
STraces(
S), involving the identification of quiescence (
actions) followed by determinisation, the construction of a product between the specification and test purpose which accepted behavior is
STraces(
S)
ASTraces(
TP), and finally the selection of these accepted behaviors. Selection can be seen as a model-checking problem where one wants to identify states (and transition between them) that are reachable from the initial state and co-reachable from the accepting states. We have
proved that these algorithms ensure soundness. Moreover the (infinite) set of all possibly generated test cases is also exhaustive. Apart from these theoretical results, our algorithms are designed to be as efficient as possible in order to be able to scale up to real applications.

Our first test generation algorithms are based on enumerative techniques, thus adapted to IOLTS models, and optimized to fight the state-space explosion problem. We have developed on-the-fly algorithms, which consist in performing a lazy exploration of the set of states that are reachable in both the specification and the test purpose. This technique is implemented in the TGV tool (see ). However, this enumerative technique suffers from some limitations.

More recently, we have explored symbolic test generation techniques for IOSTS specifications. This is a promising technique whose main objective is to avoid the state space explosion problem induced by the enumeration of values of variables and communication parameters. The idea consists
in computing a test case under the form of an
*IOSTS*, i.e., a reactive program in which the operations on data is kept in a symbolic form. Test selection is still based on test purposes (also described as IOSTS) and involves syntactical transformations of IOSTS models that should ensure properties of their IOLTS semantics. However,
most of the operations involved in test generation (determinisation, reachability, and coreachability) become undecidable. For determinisation we employ heuristics that allow us to solve the so-called bounded observable non-determinism (i.e., the result of an internal choice can be detected
after finitely many observable actions). The product is defined syntactically. Finally test selection is performed as a syntactical transformation of transitions which is based on a semantical reachability and co-reachability analysis. As both problems are undecidable for IOSTS, syntactical
transformations are guided by over-approximations using abstract interpretation techniques. Nevertheless, these over-approximations still ensure soundness of test cases. These techniques are implemented in the STG tool (see
), with an interface with
NBACused for abstract interpretation.

**The Supervisory Control Problem**is concerned with ensuring (not only checking) that a computer-operated system works correctly. More precisely, given a specification model and a required property, the problem is to control the specification's behavior, by coupling it to a supervisor,
such that the controlled specification satisfies the property
. The models used are LTSs, say
G, and the associated languages, say
, which make a distinction between
*controllable*and
*non-controllable*actions and between
*observable*and
*non-observable*actions. Typically, the controlled system is constrained by the supervisor, which acts on the system's controllable actions and forces it to behave as specified by the property. The control synthesis problem can be seen as a constructive verification problem: building a
supervisor that prevents the system from violating a property. Several kinds of properties can be ensured such as reachability, invariance (i.e. safety), attractivity, etc. Techniques adapted from model checking are then used to compute the supervisor w.r.t. the objectives. Optimality must be
taken into account as one often wants to obtain a supervisor that constrains the system as few as possible.

**The Supervisory Control Theory overview**. Supervisory control theory deals with control of Discrete Event Systems
. In this theory, the behavior of the system
Sis assumed not to be fully satisfactory. Hence, it has to be reduced by means of a feedback control (named Supervisor or Controller) in order to achieve a given set of requirements
. Namely, if
Sdenotes the specification of the system and
is a safety property that has to be ensured on
S(i.e.
S¬
), the problem consists in computing a supervisor
, such that

where
is the classical parallel composition between two LTSs. Given
S, some events of
Sare said to be uncontrollable (
_{uc}), i.e. the occurrence of these events cannot be prevented by a supervisor, while the others are controllable (
_{c}). It means that all the supervisors satisfying (
) are not good candidates. In fact, the behavior of the controlled system must respect an additional condition that
happens to be similar to the
iococonformance relation that we previously defined in
. This condition is called the
*controllability condition*and is defined as follows.

Namely, when acting on
S, a supervisor is not allowed to disable uncontrollable events. Given a safety property
, that can be modeled by an LTS
, there actually exists many different supervisors satisyfing both (
) and (
). Among all the valid supervisors, we are interested in computing the supremal one, ie the one that restricts the
system as few as possible. It has been shown in
that such a supervisor always exists and is unique. It gives access to a behavior of the controlled system that is
called the supremal controllable sub-language of
w.r.t.
Sand
_{uc}. In some situations, it may also be interesting to force the controlled system to be non-blocking (See
for details).

The underlying techniques are similar to the ones used for Automatic Test Generation. It consists in computing a product between the specification and and to remove the states of the obtained LTS that may lead to states that violate the property by triggering only uncontrollable events.

**Optimal Control.**We are also interested in the Optimal Control Problem. The purpose of optimal control is to study the behavioral properties of a system in order to generate a supervisor that constrains the system to a desired behavior according to quantitative and qualitative
requirements. In this spirit, we have been working on the optimal scheduling of a system through a set of multiple goals that the system had to visit one by one
. We have also extended the results of
to the case of partial observation in order to handle more realistic applications
.

**Control of Hierarchical Discrete Event System.**In many applications and control problems, LTS are the starting point to model fragments of a large scale system, which usually consists of several composed and nested sub-systems. Knowing that the number of states of the global system
grows exponentially with the number of parallel and nested sub-systems, we have been interested in designing algorithms that perform the controller synthesis phase by taking advantage of the structure of the plant without expanding the system
. In other words, given the modular structure of the system, it becomes of interest, for computational reasons, to be
able to synthesize a supervisor on each sub-part of the system w.r.t. the specification and then to infer a global supervisor from the local ones.

In order to reduce the complexity of the supervisor synthesis phase, several approaches have been considered in the literature. Modular control and modular plant are natural ways to handle this problem. Similarly, in order to take into account nested behaviors, some techniques based on model aggregation methods , have been proposed to deal with hierarchical control problems. Another direction has been proposed in . Brave and Heimann in introduced Hierarchical State Machines which constitute a simplified version of the Statecharts. Compared to the classical state machines, they add concurrency and hierarchy features. Some other works dealing with control and hierarchy can be found in , . This is the direction we have chosen in the VertecsTeam . Details are given in Section .

The methods and tools developed by the VerTeCsproject-team for test generation and control synthesis of reactive systems are intended to be as generic as possible. This allows us to apply them in many application domains where the presence of software is predominant and its correctness is essential. In particular, we apply our research in the context of telecommunication systems, for embedded systems, for smart-cards application, and control-command systems.

Our research on test generation was initially proposed for conformance testing of telecommunication protocols. In this domain, testing is a normalized process , and formal specification languages are widely used (SDL in particular). Our test generation techniques have already proved useful in this context, going up to industrial transfer. New standardized component-based design methodologies such as UML and OMG's MDE increase the need for formal techniques in order to ensure the composionality of components, by verification and testing. Our techniques, by their genericity and adaptativity, have also proved useful at different levels of these methodologies, from component testing to system testing. The telecommunication industry now also tries to provide more and more services to the users. These services also have to be validated. We are involved with France Telecom R & D in a project on the validation of vocal services (see ). Very recently, we also started to study the impact of our test generation techniques in the domain of network security. More specifically, we believe that testing that a network or information systems meets its security policy is a major concern, and complements other design and verification techniques.

In the context of transport, software embedded systems are increasingly predominant. This is particularly important in automotive systems, where software replaces electronics for power train, chassis (e.g. engine control, steering, brakes) and cabin (e.g. wiper, windows, air conditioning) or new services to passengers are increasing (e.g. telematics, entertainment). Car manufacturers have to integrate software components provided by many different suppliers, according to specifications. One of the problems is that testing is done late in the life cycle, when the complete system is available. Faced with these problems, but also complexity of systems, compositionality of components, distribution, etc, car manufacturers now try to promote standardized interfaces and component-based design methodologies. They also develop virtual platforms which allow for testing components before the system is complete. It is clear that software quality and trust are one of the problems that have to be tackled in this context. This is why we believe that our techniques (testing and control) can be useful in such a context.

We have also applied our test generation techniques in the context of smart-card applications. Such applications are typically reactive as they describe interactions between a user, a terminal and a card. The number and complexity of such applications is increasing, with more and more services offered to users. The security of such applications is of primary interest for both users and providers and testing is one of the means to improve it.

The main application domain for controller synthesis is control-command systems. In general, such systems control costly machines (see e.g. robotic systems, flexible manufacturing systems), that are connected to an environment (e.g. a human operator). Such systems are often critical systems and errors occurring during their execution may have dramatic economical or human consequences. In this field, the controller synthesis methodology (CSM) is useful to ensure by construction the interaction between 1) the different components, and 2) the environment and the system itself. For the first point, the CSM is often used as a safe scheduler, whereas for the second one, the supervisor can be interpreted as a safe discrete tele-operation system.

NBACis a verification/slicing tool developed in collaboration with Vérimag. This tool analyses synchronous and deterministic reactive systems containing combination of Boolean and numerical variables and continuously interacting with an external environment. Its input format is directly inspired by the low-level semantics of the LUSTRE dataflow synchronous language. Asynchronous and/or non-deterministic systems can be compiled in this model. The kind of analyses performed by NBACare: reachability analysis from a set of initial states, which allows to compute invariants satisfied by the system; coreachability analysis from a set of final states, which allows to compute sets of states that may lead to a final state; and combination of the above. The result of an analysis is either a set of states together with a necessary condition on states and inputs to stay in this set during an execution, either a verdict of a verification problem. The tool is founded on the theory of abstract interpretation: sets of states are approximated by abstract values belonging to an abstract domain, on which fix-point computations are performed. The originality of NBACresides in

the use of a very general notion of control structure in order to very precisely tune the trade-off between precision and efficiency;

the ability to dynamically refine the control structure, and to guide this refinement by the needs of the analysis;

sophisticated methods for computing postconditions and preconditions of abstract values.

More recently,
NBAChas been extended with auxiliary translation tools
Auto2nbacand
Nbac2auto. This allows to specify systems to be analyzed as a product of hybrid automata with constant differential inclusion (
*e.g.*,
) and to get the result of the analysis on the product automaton.

Sigaliis a model-checking tool that operates on ILTS (Implicit Labeled Transition Systems, an equational representation of an automaton), an intermediate model for discrete event systems. It offers functionalities for verification of reactive systems and discrete controller synthesis. It is developed jointly by the ESPRESSOand VerTeCsteams. The techniques used consist in manipulating the system of equations instead of the sets of solution, which avoids the enumeration of the state space. Each set of states is uniquely characterized by a predicate and the operations on sets can be equivalently performed on the associated predicates. Therefore, a wide spectrum of properties, such as liveness, invariance, reachability and attractivity can be checked. Algorithms for the computation of predicates on states are also available . Sigaliis connected with the Polychrony environment (Espresso project-team) as well as the Matou environment (Verimag), thus allowing the modeling of reactive systems by means of Signal Specification or Mode Automata and the visualization of the synthesized controller by an interactive simulation of the controlled system. Sigaliis protected by APP (Agence de Protection des Programmes).

Syntoolis a tool dedicated to the control of structured discrete event systems. It implements the theory developed during the Ph.D. of Benoit Gaudin . Syntoolhas an API allowing the user to graphically describe the different LTSs modeling the plant, to perform some controller synthesis computations solving the forbidden state avoidance problem for structured systems, and finally to simulate the result (i.e. the behavior of the controlled system). This tool is currently under testing.

Raptureis a verification tool developed jointly by BRICS and INRIA
. The tool is designed to verify reachability properties on Markov Decision Processes (MDP), also known as
Probabilistic Transition Systems. This model can be viewed both as an extension to classical (finite-state) transition systems extended with probability distributions on successor states, or as an extension of Markov Chains with non-determinism. We have developed a simple automata language
that allows to describe a set of processes communicating over a set of channels
*à la*CSP. Processes can also manipulate local and global variables of finite type. Probabilistic reachability properties are specified by defining two sets of initial and final states together with a probability bound. The originality of the tool is to provide two reduction techniques
that limit the state space explosion problem: automatic abstraction and refinement algorithms, and the so-called essential states reduction
.

In many applications (as e.g. manufacturing systems, control-command systems, protocol networks, etc) and control problems, systems are also often modeled by several components acting concurrently. We are concerned with the control of a system where its construction is assumed not to be
feasible (due to the state space explosion resulting from the composition), making the use of classical supervisory control methodologies impractical. Given a concurrent system and a
*safety property, modeled as a language*, also called specification that have to be ensured on this system, we investigated in
and
the computation of the supremal controllable language contained in the expected language. We do not adopt the
decentralized approach. Instead, we have chosen to use a modular centralized approach and to perform the control on some approximations of the plant derived from the behavior of each component. The behavior of these approximations is restricted so that they respect a new language property
for discrete event systems called
*partial controllability condition*that depends on the safety property. It is shown that, under some assumptions (the objectives have to be either
*locally consistent*w.r.t. the plant
or
*locally controllable*w.r.t. the plant
), the intersection of these ``controlled approximations'' corresponds to the supremal controllable language
contained in the specification with respect to the plant. This computation is performed without building the whole plant, hence avoiding the state space explosion induced by the concurrent nature of the plant. It is finally shown that the class of specifications on which our method can be
applied strictly subsumes that considered in
.

Meanwhile, we have also been interested in ensuring safety properties that are more related to the notion of states rather than to the notion of trajectories of the system (the mutual exclusion problem for example). For this class of problem, one of the main issue is the
*state avoidance control problem*, i.e. the supervisor has to control the plant so that the controlled plant does not reach a set of forbidden states. Note that if one wants to used a language-based approach to encode this problem, as e.g.
or
, then the obtained specification may be of the size of the global system itself. This leads us to develop
techniques totally devoted to the state avoidance control problem. Assuming the system is modeled as concurrent FSMs, we thus provide algorithms that, based on a particular decomposition of the set of forbidden configurations, solve the control problem locally (i.e. on each component
without computing the whole system) and produce a global supervisor ensuring the desired property
. We then provide sufficient conditions under which the obtained controlled system is non-blocking
. This kind of objectives may be useful to perform dynamic interactions between different parts of a system.
Finally, we apply these results to the case of Hierarchical Finite State Machines
.

This year, we have been interested in solving the safety controller synthesis problem for various models (from finite transition systems to hybrid systems). Within this framework, we have been mainly interested in an intermediate model: symbolic transition systems. Due to the
infiniteness of the alphabet, we have chosen to redefine the concept of controllability by introducing the notion of dynamic uncontrollable transitions (the controllability status is carried on by the symbolic transitions by means of guards, instead of the events). We focus on
*safety requirements*, modeled by observers that encode the negation of a safety property. We then defined synthesis algorithms based on abstract interpretation techniques so that we can ensure convergence of fixpoint computations in a finite number of steps
. We finally generalized our methodology to the control of hybrid systems, which gives an unified framework to the
supervisory control problem for several classes of models
.

We address here the generation of symbolic test cases for testing the conformance of a black-box implementation with respect to a specification. More specifically, the problem we consider is the selection of test cases according to a test purpose, which is here a set of scenarii of interest that one wants to observe during test execution. Because of the interactions that occur between the test case and the implementation, test execution can be seen as a game involving two players, in which the test case attempts to satisfy the test purpose (in addition to its role of detecting conformance errors).

Efficient solutions to this problem have been proposed in the past in the context of finite-state models, based on the use of fixpoint computations. In , we extend them in the context of infinite-state symbolic models (IOSTS), by showing how approximate fixpoint computations can be used in a conservative way. We also formalize a quality criterion for test cases, and we provide a result relating the quality of a generated test case to the approximations used in the selection algorithm.

Instead of considering the extension of the finite-state IOLTS model with variables, as in , one can also consider the extension of the IOLTS model with recursion, which corresponds to a pushdown system. A preliminary study was done in 2004 with the master thesis of Liva Randriamanohisoa. One of the main problems still to be solved is the determinisation of a pushdown system. This determinisation is a necessary operation for test generation, but is undecidable. To overcome this problem, we study context-free grammars in order to find a sub-class of these grammars that can be translated into a deterministic pushdown system. We are also working on the combination of IOSTS and pushdown systems, which gives the full expressiveness of a programming language.

In this work, we present a combination of verification and conformance testing techniques for the formal validation of reactive systems. A formal specification of a system, which may be infinite-state, and a set of safety properties are assumed. Each property is verified on the specification using automatic techniques based on abstract interpretation, which are sound, but, as a price to pay for automation, are not necessarily complete. Next, for each property, a test case is automatically generated from the specification and the property, and is executed on a black-box implementation of the system to detect violations of the property by the implementation and non-conformances between implementation and specification. If the verification step did not conclude, the test execution may also detect violations of the property by the specification . This work generalizes our previous works on test selection with test purposes, allowing selection based on safety properties (while test purposes describe reachability properties). Moreover generated test cases are decorated with new verdicts.

We have also extended the combination of verification and conformance testing techniques by considering more expressive properties, allowing a better and finer selection of test cases. These properties are represented by observers with internal actions (the same as the specification) that are unobservable actions. Unfortunately, compared to , without any assumption about a mapping between the internal actions of the specification and the ones of the implementation, we cannot verify whether the implementation violates these properties or not (internal actions of the implementation are not known). Nevertheless, we can still detect non-conformances between the implementation and the specification and violations of the property by the specification.

The Master's thesis of Sophie Quinton consisted in comparing and combining run-time verification and conformance testing techniques. The basic idea of run-time verification is to execute a program together with a
*monitor*that checks the validity of some properties on the program's behaviour; typically, the monitor is automatically synthesized from logical annotations written in the program's code. On the other hand, conformance testing consists in comparing the observable behaviour of a
black-box implementation of a system with respect to that described by an operational specification; this comparison is typically performed by executing the implementation in parallel with
*test cases*generated from the specification and test purposes that may be, e.g., reachability or safety properties. This produces
*test verdicts*about the conformance between implementation and specification and about the satisfaction of the properties by the implementation.

Clearly, there are similarities between the two approaches: for example, monitors and test cases play the same role of observing the program's behaviour and checking whether it respects some required properties. There are also some differences: run-time verification typically checks one particular implementation, namely, the executable program obtained by compiling the given (annotated) source code. In contrast, in conformance testing the implementation is not necessarily derived from the specification - the only requirement is that both views of the system have the same interface. Moreover, a test case not only observes, but may also control the implementation in attempting to satisfy a given test purpose (reachability property), or to violate a given safety property.

We have shown that many errors that can be discovered by run-time verification can be formalised as non-conformances with respect to an adequately chosen specification.

We also propose a methodology for replacing runtime verification by conformance testing in situations where runtime verification cannot work, for example, when not all the code of functions constituting the program under test is available, but only the annotations for those functions are available.

The PhD thesis of Tristan Le Gall holds on the verification of asynchronous systems communicating through FIFO channels and applications of it. This year, we tackled the reachability analysis of finite-state systems communicating through unbounded FIFO channels, using a finite set of messages . Instead of related works relying on exact acceleration techniques, that may non terminate, our approach is based on abstract interpretation. We proposed a set of abstract lattices based on regular languages for representing sets of possible configurations of FIFO queues. We first focused on the simple case of systems with only one queue. We then generalized our results to systems with several queues, for which we proposed both non-relational and relational abstract lattices (a relational lattice preserves relations between contents of different queues, while a non relational one does not). Our experiments show that our method is generally as precise as exact methods founded on acceleration techniques, while it is arguably simpler.

In we are interested in abstracting sets of functions. Main applications where one needs to infer properties on functions are interprocedural analysis, analysis of higher-order programs, and shape analysis, where one may use functions to associate to memory records their field contents. In we give an overview of existing methods, which are illustrated with applications to shape analysis, and we formalize a new family of relational abstract domains that allows sets of functions to be abstracted more precisely than with known approaches, while being still machine-representable.

Symbolic model checking provides partially effective verification procedures that can handle systems with an infinite state space. So-called "acceleration techniques" enhance the convergence of fixpoint computations by computing the transitive closure of some transitions. We have developed a new framework for symbolic model checking with accelerations. We have also proposed new symbolic algorithms using accelerations to compute reachability sets.

We have shown that flatness appears as a central notion in the verification of counter automata. A counter automaton is called flat when its control graph can be ``replaced'', equivalently w.r.t. reachability, by another one with no nested loops.

From a practical view point, we have proved that flatness is a necessary and sufficient condition for termination of accelerated symbolic model checking, a generic semi-algorithmic technique implemented in successful tools like Fast, Lashor TReX.

From a theoretical view point, we have also proved that many known semilinear subclasses of counter automata are flat: reversal bounded counter machines, lossy vector addition systems with states, reversible Petri nets, persistent and conflict-free Petri nets, etc. Hence, for these
subclasses, the semilinear reachability set can be computed using a
*uniform*accelerated symbolic procedure (whereas previous algorithms were specifically designed for each subclass)
,
,
,
.

Determinisation of symbolic transition systems is a crucial problem for the verification of properties on external traces, test generation, and diagnosis based on these models. However STSs cannot be determinised in general. In this work, we define a symbolic determinisation procedure for a class of STS. The class consists of extended automata operating on symbolic variables and synchronizing with the environment (a simplified version of STS). The subclass of extended automata for which the procedure terminates is characterized. This class named ``Bounded Lookahead Automata'' corresponds to systems where non-deterministic choices can be find out after the observation of a bounded number of actions. Decidable sufficient conditions for checking termination are also given. This work is under submission.

In this work, we are interested in the diagnosis of finite transition systems. We propose a model of supervision patterns corresponding to reachability properties (i.e. violation of a safety property). This allows to generalize the properties to be diagnosed and to render them independent of the description of the system. We thus deduce techniques for the verification of diagnosability and the construction of a diagnoser based on standard operations on transition systems. We show that these techniques are general enough to express and solve in a unified way a broad class of diagnosis problems found in the literature, e.g. diagnosing permanent faults, multiple faults, fault sequences and some problems of intermittent faults . This work has been done in cooperation with Marie-Odile Cordier (Dream project-team) and Sophie Pinchinat (S4 project-team).

Our aim is now to extend these results to infinite state systems and to apply these techniques to the automatic generation of passive testers (intruder detection systems) in order to test on-line whether an implementation respects a given security policy.

This work has been done in cooperation with David Cachera, Thomas Jensen, and David Pichardie from the Lande project-team of Irisa. A constraint-based data flow analysis is formalized in the specification language of the Coq proof assistant. This involves defining a dependent type of lattices together with a library of lattice functors for modular construction of complex abstract domains. Constraints are represented in a way that allows for both efficient constraint resolution and correctness proof of the analysis with respect to an operational semantics. The proof of existence of a solution to the constraints is constructive which means that the extraction mechanism of Coq provides a provably correct data flow analyser in Ocaml from the proof. The library of lattices and the representation of constraints are defined in an analysis-independent fashion that provides a basis for a generic framework for proving and extracting static analysers in Coq .

This is common work with David Pichardie, formerly in the Lande project of Irisa, currently in the Everest project-team at Sophia Antipolis.

The approach has been experimented in the Coq proof assistant, but should work in like-minded proof assistants as well. It allows for functions with mutual recursive calls, nested recursive calls, and works also for the standard encoding of partial functions using total functions over a dependent type that restricts the original function's domain.

We present simple examples and report on a larger case study (sets of integers represented as ordered lists of intervals) that we have conducted in the context of certified static analyses .

In ongoing independent work, yet unpublished, Barthe and Forest from the Everest project at Inria Sophia Antipolis are developing an approach for synthesizing a recursive function from an arbitrary inductive relation. We have submitted a paper to FLOPS'06 (Int. Symposium on Functional and Logic Programming) on a general framework that encompasses both our approaches, as well as on an implementation of these techniques in a prototype tool within Coq.

The goal of this 3-year project (starting October 2004) is to build a platform for the formal validation of France Telecom's vocal phone services. Vocal services are based on speech recognition and synthesis algorithms, and they include automatic connection to the callee's phone number by pronouncing her name, or automatic pronounciation of the callee's name whose phone number was dialed in by the user. Here, we are not interested in validating the voice recognition/synthesis algorithms, but on the logic surrounding them. For example, the system may allow itself a certain number of attempts for recognizing a name, after which it switches to normal number-dialing mode, during which the user may choose to go back to voice-recognition mode by pronouncing a certain keyword. This logic may become quite intricate, and this complexity is multiplied by the number of clients that may be using the service at any given time. Its correctness has been identified by France Telecom as a key factor in the success of the deployment of voice-based systems. To validate them we are planning to apply a combination of formal verification and conformance testing techniques (cf. Section ).

The Potestat project ( http://www-lsr.imag.fr/POTESTAT/) [2004-2006] involves LSR-IMAG Grenoble, Verimag Grenoble and Lande and Vertecs project teams in Irisa.

In the framework of open service implementations, based on the interconnection of heterogeneous systems, the security managers lack of well-formalized analysis techniques. The security of such systems is therefore organized from pragmatic elements, based on well-known vulnerabilities and their associated solutions. It then remains to verify if such security policies are correctly and effectively implemented in the actual system. This is usually carried out by auditing the administrative procedures and the system configuration. Tests are then performed, for instance by probing, to check the presence of some particular vulnerabilities. Although some tools are already available for specific tests (like password crackers), there is no solution to analyse the whole system conformance with respect to a security policy. This lack may be explained by several factors. First, there is currently no complete study about the formal modeling of a security policy, even if some particular aspects have been more thoroughly studied. Furthermore, verification based researches about security usually concerned more precise elements, like cryptographic protocols or code analysis. Finally, most of these works are dedicated to a priori verification of the coherency of security policies before their implementation. We are concerned here by the conformance of a system configuration with respect to a given policy. In the framework of the POTESTAT project we plan to tackle this problem according to the following items:

Formal modeling of security policies, allowing a test directed analysis.

Definition of a conformance notion between a system configuration and some security policies elements. The goal is to obtain a test theory similar to the one existing in the protocol testing area (like the Z.500 norm).

Definition of methods to test this conformance notion, including the testability problems, the environment of execution, code analysis and test selection.

A long-term of this project is to offer some tools allowing security managers to model information flow, network elements (protocols, node types and their associated security policy, etc) to better describe the security policy for conformance testing and to provide some practical tools to perform coherency verification and vulnerabilities detection.

The POLITESS project has just been accepted as an RNRT project. Partners of the project are GET (INT Evry and ENST Rennes), INPG-IMAG (LSR and Verimag laboratories), France Telecom R&D Caen, Leyrios Technologies, SAP Research, AQL Silicomp and Irisa. In a sense, this project is an extension of the Potestat project. The objective of the project is to study and provide methodological guidelines and software solutions for a formal approach to security of networks. This encompasses the specification of high level security policies with clear semantics, their deployment on the network in terms of security artifacts and the analysis of this deployment, testing and monitoring of security based on models of security policies and abstract models of networks.

The APRON (Analyse de PROgrammes Numériques) project ( http://www.cri.ensmp.fr/apron/) [2004-2006] involves ENSMP, LIENS-ENS, LIX-Polytechnique, VERIMAG and Vertecs-Irisa.

The goal is to develop methods and tools to analyse statically embedded software with high-level of criticity for which the detection of errors at run-time is unacceptable for safety or security reasons. Such safety and security software is found in the context of transportation,
automotive, avionics, space, industrial process control and supervision, etc. One characteristics of such software is that it is based on physical models whence involve a lot of numerical computations. Moreover,
*counters*play an important role in the control of reactive programs (e.g., delay counting in synchronous programming). Critical properties depending on these counters are generally outside the scope of model-checking approaches, while being simple enough to be accurately analysed by
more sophisticated numerical analyses.

The goal of the project is the static analysis of large specifications (e.g. à la Lustre) and corresponding programs (e.g. of 100 to 500 000 LOCs of C), made of thousands of procedures, involving a lot of numerical floating-point computations, as well as boolean and counter-based control in order to verify critical properties (including the detection of possible runtime errors), and to help in automatically locating the origin of critical property potential violation.

An example of such critical properties, as found in control/command programs, is of the form ``under a condition holding on boolean and numerical variables for some time, the program must imperatively establish a given boolean and/or numerical property, in given bounded delay''.

Vertecs contributes to the following topics within the APRON project:

The design and implementation of a common interface to several abstraction libraries (intervals, linear equalities, octagons, polyhedra, ...and their combination).

The study of adaptative techniques for adjusting the trade-off between the efficiency and the precision of analyses, among other dynamic partitioning techniques . Results have already been obtained in the intraprocedural case, but to a less extend in the interprocedural case.

Vertecs focuses mainly on Lustrespecifications and provides with the NBactool one of the main experimental platforms of the project for the verification of critical properties on such specifications.

In 2005, most of the effort of Vertecs was spent on the design and implementation of the common interface, a task which should be soon completed.

V3F ( http://lifc.univ-fcomte.fr/~v3f/)[2003-2005] is a project involving LIFC Besançon, Inria-I3S Nice, LIST-CEA Saclay and project teams Lande and Vertecs in Irisa. The goal of this project is to provide tools to support the verification and validation process of programs with floating-point numbers. More precisely, project V3F investigates techniques to check that a program satisfies the calculations hypothesis on the real numbers that have been done during the modeling step. The underlying technology will be based on constraint programming. Constraints solving techniques have been successfully used during the last years for automatic test data generation, model-checking and static analysis. However in all these applications, the domains of the constraints were restricted either to finite subsets of the integers, rational numbers or intervals of real numbers. Hence, the investigation of solving techniques for constraint systems over floating-point numbers is an essential issue for handling problems over the floats.

The results obtained in the course of the project V3F are a clean design of constraint solving techniques over floating-point number, and a study of the capabilities of these techniques in the software validation and verification process. An open and generic prototype of a constraint solver over the floats was developped. We also paid attention on the integration of floats into various formal notations (e.g., B, Lustre, UML/OCL) to allow an effective use of the constraint solver in formal model verification, automatic test data generation (functional and structural) and static analysis.

Our contribution to this project is to precisely formalize a conformance testing theory for programs with floating point with respect to their specifications, and second, to describe test generation algorithms in this framework. We consider the IOSTS model for the specification and the test purpose. An important point is to obtain a computable conformance relation. The solution that we propose takes into account the unprecision of floating points computations w.r.t. real semantics by allowing a limited skew of floating points values in conformant traces. In order to be able to recognize conformant traces/execution during test execution, and to check that the allowed skew does not diverge, we use a projection technique that allows the tester to use safely the values emitted by the implementation for its own execution. A nice point of our approach is that we can fully reuse the test generation and selection techniques implemented in our STG tool, the only change being in the implementation of the test driver. This result has been presented in the last meeting but has not yet been published.

We are partners of the ARTIST2 Network of Excellence on Embedded Systems ( http://www.artist-embedded.org/), involved in the Testing and Verification cluster with Brics in Aalborg (DK), University of Twente (NL), University of Liège (B), Uppsala (SE), Verimag Grenoble, ENS Cachan, LIAFA Paris, EPFL Lausanne (S). The aim of the cluster is to develop a theoretical foundation for real-time testing, real-time monitoring and optimal control, to design data structures and algorithms for quantitative analysis, and to apply testing and verification tools in industrial settings. For security, we plan to create a common semantic framework for describing security protocols including notion of "trust" and to develop tools and methods for the verification of security protocols. Test and verification tools developed by partners will be made available via a web-portal and with dedicated verification servers.

In Artist2, the main role of Vertecs is to integrate our research on testing and test generation based on symbolic transition systems with other works based on timed models.

This year we participated in a cluster meeting that took place in Oldenborg (Germany) in March 2005. A Summer School on Components & Modeling, Testing & Verification, and Static Analysis of Embedded Systems was organized in Nässlingen, Sweden in September by three clusters. T. Jéron gave a lecture on ``Testing and Model-checking'' in this summer school. We also participated to the first review meeting of Artist2 in Grenoble in October. Finally, a Strep proposal on quantitative testing and verification, initiated by our cluster was submitted this year.

This grant involving three groups, IRISA/INRIA, Verimag (Stavros Tripakis), and University of Illinois at Urbana-Champaign (Grigore Roşu), is concerned with various aspects of runtime analysis of software systems, and aims both at advancing theoretical foundations and at developing and improving supporting tools and prototypes. Our activity this year has been on conformance testing and rewriting logic. Vlad Rusu and Sophie Quinton visited Urbana for 2 weeks (resp. 1 month) during Summer 2005. Grigore Roşu from Urbana visited us this summer and gave a talk on runtime analysis of distributed systems.

This bilateral collaboration grant, between France and Argentina, involves 4 teams: the team MOVE of LIF (Laboratoire d'Informatique Fondamentale) of Marseille (Peter Niebert) and the Vertecs project, on the French side, the university of Cordoba (Pedro d'Argenio) and the La Empesa University of Buenos Aires (Alfredo Olivero), on the Argentinian side.

The aim of this starting collaboration (august 2005- august 2007) is to make progress in the verification of probabilistic timed concurrent systems. The Vertecs project brings its expertise in algorithms and abstraction techniques implemented in the Rapturetool for Markov Decision Processes.

Our ambition is to progress in the following directions:

Apply the abstraction techniques implemented in the
Rapturetool and the probabilistic partial order reduction techniques to
*timed*probabilistic automata, instead of untimed systems only;

Extend the same techniques to the verification of untimed and timed temporal logical formula (expressed in the (timed) LTL logic);

Explore the applicability of program slicing and abstract interpretation techniques to quantitative model checking;

Explore the possibility to use these techniques for performance analysis;

Implement the fundamental results;

Analyse case studies in order to help to understand the performances of the tools.

We collaborate with several Inria project-teams. We collaborate with the LANDE project-team in two ACI-Sécurité grants (V3F and POTESTAT). With ESPRESSO project-team for the development of the Sigalitool inside the Polychrony environment. With the DART project-team on the use of the controller synthesis methodology for the control of control-command systems (e.g. robotic systems). With DISTRIBCOM on security testing. With the S4 project-team on the use of control, game theory and diagnosis for test generation. With the DREAMproject-team on the diagnosis of discrete event systems. With the VASY project-team on the use of CADP libraries in TGV and the distribution of TGV in the CADP toolbox.

Our main collaborations in France are with Vérimag. Beyond formalized collaborations, (ACI Potestat and APRON, RNRT Politess, Rex Artist2), we also collaborate on the connection of NBACwith Lurette for the analysis of Lustre programs, as well as the connection of SIGALIand Matou. We are also involved in several collaborations with LSR Imag (ACI Potestat and RNRT Politess).

in The Netherlands (E. Brinksma, J. Tretmans) on test generation (symbolic in particular) following the Van Gogh bilateral cooperation (1999-2001).

in Italy (A. Bertolino) on using TGV for test generation for software architectures.

(T. Reps) on shape analysis. Bertrand Jeannet published a paper with T. Reps and D. Gopan.

in Tunisia (M. Tahar Bhiri). Thierry Jéron is co-supervisor of a PhD student Hatem Hamdi working on robustness and security testing.

in Belgium on testing. Thierry Massart, Bram de Wachter and Cédric Meuter visited us in November. Thierry Jéron visited ULB for the defense of Bram de Watchter in December and gave a talk on Test Generation using Model Checking.

in Quebec (Guy-Vincent Jourdan) on security testing. G.-V. Jourdan visited us in summer 2005 (one week).

on supervisory control of concurrent systems (with Jan Komenda). He visited us in November (one week). Benoit Gaudin and Hervé Marchand published a paper with Jan Komenda.

is teaching in INSA of Rennes (32h in 2004-2005), on constraint programming.

was teaching at the University of Rennes 1 (92h/year).

is teaching in the Master of Computer Science in Rennes, on abstract interpretation,

is teaching in Master of Computer Science at the University of Rennes 1 and in the engineering school EnstB in Rennes, on testing and test generation.

is teaching in License in the Univeristy of Rennes 1 and in "Magistère Informatique-Télécom" in ENS Cachan-Bretagne (64h/year)

teaches in the Master of Computer Science in Rennes, on deductive verification methods.

was teaching at the University of Rennes 1 (92h/year).

**Current PhD. theses:**

``
*Verification and symbolic test generation for reactive systems*'', 2nd year,

``
*Abstract lattice of fifo channels for verification and control synthesis*'', 2nd year,

``
*Testing of network security*'', In collaboration with University of Sfax, 1st year.

**Trainees 2004-2005:**

``
*Conformance testing and runtime verification*'', Master student (6 months).

``
*representation of set of numerical values for verification purposes*'', Master student (6 months).

``
*Generation of test cases with TGV-Agedis*'' in collaboration with ENIS Sfax, Master student (6 month).

``
*Test generation and execution with the STG Tool*'' 4th year INSA Student, (2 months).

**Trainees 2005-2006:**

``
*Diagnosis for intrusion detection*'', Master student, university of Uppsala and Enst Brest, (5 months).

was jury of the following PhD defenses: Pierre Bontron (University Grenoble, March 2005, reviewer), Hélène Le Guen (University Rennes 1, June 2005), Cyril Pachon (University Grenoble, October 2005, reviewer), Gregory Lestienne (LRI Orsay, October 2005), Franck Lebeau (LIFC Besançon, December 2005, reviewer), Alban Gratien (University of Rennes, December 2005), Bram de Wachter (ULB Bruxelles, December 2005, private and public defenses). He served as reviewer of ARA SSIA and RNTL projects and Dutch Technology Foundation STW project (The Netherlands).

was jury of the PhD defense of David Merchat (University Grenoble 1, May 2005).

is member of the ``Commissions de Spécialistes 27e section'' at University of Rennes 1.

is member of the Ifsic Council as PhD representative and is Vice-president of the ADOC (association of PhD students).

was the organizer of the thematic seminar ``68 NQRT'' ( http://www.irisa.fr/NQRT/index.html) in Irisa.

is PC member of Fates'05 (Edinburgh, July 2005), Testcom 2005 (Montreal, June 2005), Tacas'05 (Edimburgh, April 2006). He is PC member of the forthcoming Testcom 2006 (New-York, May 2006), and PC member and Tool Chair of Tacas'06 (Vienna, March 06). He is SC of the Movep summer school (Bordeaux, June 2006). He is reviewer for Zentralblatt Math. Thierry Jéron gave a lecture on Testing and model-checking at the Artist 2 Summer School (Sept 2005). He was invited to give presentations in LIFC Besançon (Nov. 2006) and ULB Bruxelles (Dec. 2006) on Test generation using model-checking, and a presentation on Testing in DGA seminar ``Enjeux opérationnels de la modélisation des systèmes complexes à logiciels prépondérants'' in Toulouse (Nov. 2006).

was invited to give a seminar on
*``A polynomial time Presburger criterion and synthesis for number decision diagrams''*at LIAFA (Paris, France, Apr. 2005). He was also invited to give seminars on
*``The convex hull of a Number Decision Diagram is an effectively computable polyhedron''*at LIPN (Villetaneuse, France, Mar. 2005) and at LORIA, (Nancy, France, Nov. 2004). He gave an invited talk on
*``De l'automate binaire à la formule''*at ``Journée des systèmes infinis 2005'', at ENS-Cachan, (Cachan, France, Dec. 2005).

is member of the Organizing Committee of ACSD'05 (St Malo, 06/05). He is PC member of MSR'05 conference on modeling of reactive systems (Autrans, 10/05). He is PC member of the forthcoming WODES'2006 and is member of the IFAC Technical Committees (TC 1.3 on Discrete Event and Hybrid Systems) for the 2005- 2008 triennium. He was invited to give a seminar on "Méthodes pour automatiser la génération de sytèmes fiables: Une approche par contrôle modulaire" at ENS Cachan, antenne Bretagne.

was invited to give a seminar on ``combining conformance testing and formal verification'' at "Formalisation des activités concurrentes" workshop (LAAS, Toulouse, march 2005). He also gave a seminar on the same topic at the Univ. Urbana Champaign (august 2005) and a lecture on the same topic at the Real-time summer school, Nancy, sept. 2005.

is member of the Organizing Committee of MajecStic 2005 (Rennes, Nov. 2005).