Created on January 1st, 2000, the Vasyproject focuses on formal methods for the design of reliable systems.

We are interested in any system (hardware, software, telecommunication) that comprises
*asynchronous concurrency*, i.e., any system whose behavior can be modeled as a set of parallel processes governed by interleaving semantics.

For the design of reliable systems, we advocate the use of formal description techniques together with software tools for simulation, rapid prototyping, verification, and test generation.

Among all existing verification approaches, we focus on
*enumerative verification*(also known as
*explicit state verification*) techniques. Although less general than theorem proving, these techniques enable an automatic, cost-efficient detection of design errors in complex
systems.

Our research combines two main directions in formal methods, the
*model-based*and the
*language-based*approaches:

Models provide mathematical representations for parallel programs and related verification problems. Examples of models are automata, networks of communicating automata, Petri nets, binary decision diagrams, boolean equation systems, etc. From a theoretical point of view, research on models seeks for general results, independently of any particular description language.

In practice, models are often too elementary to describe complex systems directly (this would be tedious and error-prone). Higher level formalisms are needed for this task, as well as compilers that translate high level descriptions into models suitable for verification algorithms.

To verify complex systems, we believe that model issues and language issues should be mastered equally.

By verification, we mean comparison — at some abstraction level — of a complex system against a set of
*properties*characterizing the intended functioning of the system (for instance, deadlock freedom, mutual exclusion, fairness, etc.).

Most of the verification algorithms we develop are based on the
*labeled transition systems*(or, simply,
*automata*or
*graphs*) model, which consists of a set of states, an initial state, and a transition relation between states. This model is often generated automatically from high level descriptions of
the system under study, then compared against the system properties using various decision procedures. Depending on the formalism used to express the properties, two approaches are
possible:

*Behavioral properties*express the intended functioning of the system in the form of automata (or higher level descriptions, which are then translated into automata). In such a case,
the natural approach to verification is
*equivalence checking*, which consists in comparing the system model and its properties (both represented as automata) modulo some equivalence or preorder relation. We develop
equivalence checking tools that compare and minimize automata modulo various equivalence and preorder relations; some of these tools also apply to stochastic and probabilistic models (such
as Markov chains).

*Logical properties*express the intended functioning of the system in the form of temporal logic formulas. In such a case, the natural approach to verification is
*model checking*, which consists in deciding whether the system model satisfies or not the logical properties. We develop model checking tools for a powerful form of temporal logic,
the
*modal
-calculus*, which we extend with typed variables and expressions so as to express predicates over the data contained in the model. This extension (the practical usefulness of
which was highlighted in many examples) provides for properties that could not be expressed in the standard
-calculus (for instance, the fact that the value of a given variable is always increasing along any execution path).

Although these techniques are efficient and automated, their main limitation is the
*state explosion*problem, which occurs when models are too large to fit in computer memory. We provide software technologies (see §
) for handling models in two complementary ways:

Small models can be represented
*explicitly*, by storing in memory all their states and transitions (
*exhaustive*verification);

Larger models are represented
*implicitly*, by exploring only the model states and transitions needed for the verification (
*on the fly*verification).

Our research focuses on high level languages with an
*executable*and
*formal*semantics. The former requirement stems from enumerative verification, which relies on the efficient execution of high level descriptions. The latter requirement states that
languages lacking a formal semantics are not suitable for safety critical systems (as language ambiguities usually lead to interpretation divergences between designers and implementors).
Moreover, enumerative techniques are not always sufficient to establish the correctness of an infinite system (they only deal with finite abstractions); one might need theorem proving
techniques, which only apply to languages with a formal semantics.

We are working on several languages with the above properties:

Lotosis an international standard for protocol description ( Iso/ Iecstandard 8807:1989), which combines the concepts of process algebras (in particular Ccsand Csp) and algebraic abstract data types. Thus, Lotoscan describe both asynchronous concurrent processes and complex data structures. We use Lotosfor various industrial case studies and we develop Lotoscompilers, which are part of the Cadptoolbox (see § ).

We contributed to the definition of
E-Lotos(
*Enhanced*-
Lotos,
Iso/
Iecstandard 15437:2001), a deep revision of
Lotos, which tries to provide a greater expressiveness (for instance, by introducing quantitative time to describe systems with real-time
constraints) together with a better user friendliness. Our contributions to
E-Lotosare available on the
Web(see
http://

We are also working on an
E-Lotosvariant, named
Lotos NT(
Lotos
*New Technology*)
,
, in which we can experiment new ideas more freely than in the constrained framework of an international
standard. Like
E-Lotos,
Lotos NTconsists of three parts: a
*data part*, which allows the description of data types and functions, a
*process part*, which extends the
Lotosprocess algebra with new constructs such as exceptions and quantitative time, and
*modules*, which provide for structure and genericity. Both languages differ in that
Lotos NTcombines imperative and functional features, and is also simpler than
E-Lotosin some respects (static typing, operator overloading, arrays), which should make it easier to implement. We are developing several tools
for
Lotos NT: a prototype compiler named
Traian(see §
), a translator from (a subset of)
Lotos NTto
Lotos(see §
), and an intermediate semantic model named
Ntif(
*New Technology Intermediate Form*)
.

As much as possible, we try to validate our results by developing tools that we apply to complex (often industrial) case studies. Such a systematic confrontation to implementation and experimentation issues is central to our research.

The theoretical framework we use (automata, process algebras, bisimulations, temporal logics, etc.) and the software tools we develop are general enough to fit the needs of many application domains. They are virtually applicable to any system or protocol made of distributed agents communicating by asynchronous messages. The list of recent case studies performed with the Cadptoolbox (see in particular § ) illustrates the diversity of applications:

*Hardware architectures:*asynchronous circuits, multiprocessor architectures, systems on chip, networks on chip, bus arbitration protocols, cache coherency protocols, hardware/software
codesign;

*Databases:*transaction protocols, distributed knowledge bases, stock management;

*Consumer electronics:*home networking, video on-demand;

*Security protocols:*authentication, electronic transactions, cryptographic key distribution;

*Embedded systems:*smart-card applications, air traffic control, avionic systems;

*Distributed systems:*virtual shared memory, distributed file systems, election algorithms, dynamic reconfiguration algorithms, fault tolerance algorithms;

*Telecommunications:*high speed networks, network management, mobile telephony, feature interaction detection;

*Human-machine interaction:*graphical interfaces, biomedical data visualization;

*Bioinformatics:*genetic regulatory networks, nutritional stress response, metabolic pathways.

We maintain and enhance
Cadp(
*Construction and Analysis of Distributed Processes*– formerly known as
*Cæsar /
AldébaranDevelopment Package), a toolbox for protocols and distributed systems engineering (see
http://
*

Caesar_Graph, which provides the programming interface for graph exploration,

Caesar_Hash, which contains several hash functions,

Caesar_Solve, which resolves boolean equation systems on the fly,

Caesar_Stack, which implements stacks for depth-first search exploration,

Caesar_Table, which handles tables of states, transitions, labels, etc.

A number of tools have been developed within the Open/Cæsarenvironment, among which:

Bisimulator, which checks bisimulation equivalences and preorders,

Determinator, which eliminates stochastic nondeterminism in normal, probabilistic, or stochastic systems,

Distributor, which generates the graph of reachable states using several machines,

Evaluator, which evaluates regular alternation-free -calculus formulas,

Executor, which performs random execution,

Exhibitor, which searches for execution sequences matching a given regular expression,

Generator, which constructs the graph of reachable states,

Projector, which computes abstractions of communicating systems,

Reductor, which constructs and minimizes the graph of reachable states modulo various equivalence relations,

Simulator, Xsimulator, and Ocis, which allow interactive simulation, and

Terminator, which searches for deadlock states.

Bcg(
*Binary Coded Graphs*) is both a file format for storing very large graphs on disk (using efficient compression techniques) and a software environment for handling this format.
Bcgalso plays a key role in
Cadpas many tools rely on this format for their inputs/outputs. The
Bcgenvironment consists of various libraries with their programming interfaces, and of several tools, such as:

Bcg_Draw, which builds a two-dimensional view of a graph,

Bcg_Edit, which allows to modify interactively the graph layout produced by Bcg_Draw,

Bcg_Graph, which generates various forms of practically useful graphs,

Bcg_Info, which displays various statistical information about a graph,

Bcg_Io, which performs conversions between Bcgand many other graph formats,

Bcg_Labels, which hides and/or renames (using regular expressions) the transition labels of a graph,

Bcg_Merge, which gathers graph fragments obtained from distributed graph construction,

Bcg_Min, which minimizes a graph modulo strong or branching equivalences (and can also deal with probabilistic and stochastic systems),

Bcg_Steady, which performs steady-state numerical analysis of (extended) continuous-time Markov chains,

Bcg_Transient, which performs transient numerical analysis of (extended) continuous-time Markov chains, and

Xtl(
*eXecutable Temporal Language*), which is a high level, functional language for programming exploration algorithms on
Bcggraphs.
Xtlprovides primitives to handle states, transitions, labels,
*successor*and
*predecessor*functions, etc. For instance, one can define recursive functions on sets of states, which allow to specify in
Xtlevaluation and diagnostic generation fixed point algorithms for usual temporal logics (such as
Hml
,
Ctl
,
Actl
, etc.).

The connection between explicit models (such as Bcggraphs) and implicit models (explored on the fly) is ensured by Open/Cæsar-compliant compilers, e.g.:

Cæsar.open, for models expressed as Lotosdescriptions,

Bcg_Open, for models represented as Bcggraphs,

Exp.open, for models expressed as communicating automata, and

Seq.open, for models represented as sets of execution traces.

The
Cadptoolbox also includes additional tools, such as
Aldébaranand
Tgv(
*Test Generation based on Verification*) developed by the
Verimaglaboratory (Grenoble) and the
Vertecsproject-team of
InriaRennes.

The Cadptools are well-integrated and can be accessed easily using either the Eucalyptusgraphical interface or the Svl scripting language. Both Eucalyptusand Svlprovide users with an easy, uniform access to the Cadptools by performing file format conversions automatically whenever needed and by supplying appropriate command-line options as the tools are invoked.

We develop a compiler named Traianfor translating descriptions written in the Lotos NTlanguage (see § ) into C programs, which will be used for simulation, rapid prototyping, verification, and testing.

The current version of Traianperforms lexical analysis, syntactic analysis, abstract syntax tree construction, static semantics analysis, and C code generation for Lotos NTtypes and functions.

Although this version of Traianis still incomplete (it does not handle Lotos NTprocesses), it already has useful applications in compiler construction . The recent compilers developed by the Vasyproject-team — namely Aal, Chp2Lotos(see § ), Evaluator 4.0, Exp.open 2.0 (see § ), Fsp2Lotos(see § ), Lnt2Lotos(see § ), Ntif(see § ), and Svl(see § ) — all contain a large amount of Lotos NTcode, which is then translated into C code by Traian.

Our approach consists in using the Syntaxtool (developed at InriaRocquencourt) for lexical and syntactic analysis together with Lotos NTfor semantical aspects, in particular the definition, construction, and traversals of abstract trees. Some involved parts of the compiler can also be written directly in C if necessary. The combined use of Syntax, Lotos NT, and Traianproves to be satisfactory, as regards both the rapidity of development and the quality of resulting compilers.

The
Traiancompiler can be freely downloaded from the
Vasy
Website (see
http://

Cæsar_Solveis a generic software library for solving boolean equation systems of alternation depth 1 (i.e., without mutual recursion between minimal and maximal fixed point equations) on the fly. This library is at the core of several Cadpverification tools, namely the equivalence checker Bisimulator, the model checker Evaluator 3.5 (see § ), and the minimization tool Reductor. The resolution method is based on boolean graphs, which provide an intuitive representation of dependencies between boolean variables, and which are handled implicitly, in a way similar to the Open/Cæsarinterface .

The Cæsar_Solvelibrary provides five different resolution algorithms. A1 and A2 are general algorithms based upon depth-first, respectively breadth-first, traversals of boolean graphs. A3 and A4, based upon memory-efficient depth-first traversals of boolean graphs, are optimized for the case of acyclic, respectively disjunctive/conjunctive, boolean graphs. A5 is a general algorithm based upon a depth-first traversal of boolean graphs; it generalizes Tarjan's algorithm for computing strongly connected components and is much faster than A1 and A2 when it is invoked many times on the same equation block. All these algorithms can generate diagnostics explaining why a result is true or false (examples and counterexamples).

In 2007, the Cæsar_Solvelibrary (13,600 lines of C code) was improved as follows:

Two new resolution algorithms, named A6 and A7, based upon a breadth-first search of the dependency graph between boolean variables, were added to the library. Algorithm A6 (respectively, A7) is specialized for solving disjunctive minimal (respectively, conjunctive maximal) fixed point equation blocks when a single invocation of the algorithm is requested on the block, which is frequent in practice: equivalence checking leads to boolean equation systems containing a single conjunctive maximal fixed point equation block when one Ltsis deterministic (for strong equivalence) and -free (for weak equivalences), therefore enabling the use of algorithm A7; model checking leads to systems containing a single disjunctive minimal fixed point equation block (for liveness properties expressing potential reachability) or a single conjunctive maximal fixed point equation block (for safety properties), both of which can be solved using algorithms A6 or A7, respectively.

Algorithms A6 and A7 require less memory than the general algorithm A2 because they are optimized to store only boolean variables (and not the dependencies between them). When applied to equivalence checking and model checking problems, this amounts to store only the states of the Ltss involved, and not their transitions. Therefore, when applicable, algorithms A6 and A7 combine the advantages of algorithm A2 (small-depth diagnostics), and algorithms A3 and A4 (low memory consumption). The Bisimulatorand Evaluatortools have been modified to select automatically algorithms A6 and A7 whenever appropriate. This leads in practice to memory savings of about 30% whilst keeping the same execution time.

A new primitive was added for cleaning up the set of boolean variables explored during a sequence of resolution calls. Invoked periodically, this primitive achieves a trade-off between memory consumption and execution time for certain applications (such as reduction by -confluence) that make a large number of resolutions.

The primitive for reading a boolean equation system from a text file was made reentrant, in such a way that applications using the library can read and manipulate several boolean equation systems at the same time.

The primitive for displaying statistical information about the resolutions performed on a boolean equation system was enhanced to show global information about the whole boolean equation system, in addition to local information about individual equation blocks.

To assess the Cæsar_Solvelibrary (see § ), a prototype tool named Bes_Solvewas developed in the past years for generating random boolean equation systems and for reading/writing boolean equation systems from/to text files.

In 2007, we completely rewrote this tool, leading to Bes_Solve 1.0, which became part of Cadpin November 2007. The new version (3,500 lines of C code) allows to compare and cross-check the various resolution algorithms provided by the sequential and distributed versions of Cæsar_Solve. It constructs a boolean equation system in memory, either by reading it from a (possibly compressed) text file, or by generating it randomly according to various parameters. Then, a boolean variable defined in some equation block of the boolean system can be solved by invoking any sequential or distributed algorithm of Cæsar_Solve.

The random generation parameters are described in the newly defined
Rbc(
*Random BES Configuration*) file format. An
Rbcfile is a set of directives specifying the form of each random equation block of the boolean equation system. It allows to produce a diversity of
boolean equation systems by varying 11 different parameters: fixed point sign of the current block, unique or multiple resolutions, algorithm used for solving variables, maximum number of
variables, maximum number of operands in the boolean formulas occurring in the right-hand sides of equations, percentage of local (defined in the current block) and global (defined in other
blocks) variables in the boolean formulas, percentage of disjunctive variables, percentage of false constants, alternation between disjunctive and conjunctive variables between the left and
right-hand sides of equations, and shape of the block (general, acyclic, disjunctive or conjunctive). Each parameter has a default value, which can be modified selectively for a subset of the
equation blocks of the system.

A test suite of 110 boolean equation systems and 283 Rbcfiles was collected and used to validate Bes_Solveand Cæsar_Solveacross multiple platforms. It allowed to make random generation portable, so as to ensure that an Rbcfile yields the same random boolean equation system independently from the machine architecture.

Evaluatoris a model checker that evaluates a temporal logic property on a graph represented implicitly using the Open/Cæsarenvironment. Properties are described in regular alternation-free -calculus, a logic built from boolean operators, possibility and necessity modalities containing regular expressions denoting transition sequences, and fixed point operators without mutual recursion between least and greatest fixed points. The input language of the tool also allows to define parameterized temporal operators and to group them into separate libraries. Evaluatorworks on the fly, meaning that only those parts of the implicit graph pertinent to verification are explored. The model checking problem is reformulated in terms of solving a boolean equation system. A useful feature of Evaluatoris the generation of diagnostics (examples and counterexamples) explaining why a formula is true or false.

In 2007, we enhanced the Evaluator 3.5 tool with a new option allowing to reduce the input graph on the fly modulo -confluence while checking the temporal formula. For systems containing many loosely-coupled parallel processes, this option can reduce execution time significantly (e.g., by a factor 7 on an Erathostene's sieve specified in Lotoswith 10 processes).

We also continued the development of the
Evaluator 4.0 prototype tool (4,800 lines of
Syntax code, 35,600 lines of
Lotos NTcode, and 8,000 lines of C code), which accepts as input specifications written in
Mcl(
*Model Checking Language*), an extension of the regular alternation-free
-calculus of
Evaluator 3.5 with data-handling operators. In addition to fixing several bugs and porting
Evaluator 4.0 to new architectures and compilers, we enhanced the
Mcllanguage with a new “
**check**” operator allowing to verify that a given state of the graph (either the initial state, or a state stored in the enclosing formula using the state capture operators) satisfies a
certain state formula. This allows to express non-standard temporal properties, such as the fact that a state is nondeterministic w.r.t. a certain action. This work led to a publication in an
international conference
.

A comprehensive test suite containing 3, 600formulas was collected and used to check upward compatibility between Evaluator 3.5 and Evaluator 4.0.

The
Cadptoolbox contains various tools dedicated to compositional verification, among which
Exp.open 2.0,
Projector 2.0, and
Svlplay a central role.
Exp.open 2.0 explores on the fly the graph corresponding to a network of communicating automata (represented as a set of
Bcgfiles).
Projector 2.0 implements behavior abstraction
,
by taking into account interface constraints.
Svl(
*Script Verification Language*) is both a high level language for expressing complex verification scenarios and a compiler dedicated to this language.

In 2007, we enhanced these tools along the following lines:

We added to Exp.opena new operator for specifying priorities between the transitions of communicating automata. This led to a new version 2.1 of Exp.openthat became part of Cadpin January 2007.

We entirely rewrote Projectorby introducing an improved algorithm and more compact data structures. On average, the new version Projector 3.0 uses 3 times less memory than Projector 2.0 and runs 3 times faster (and even 36 times faster for some examples).

We experimented Projector 3.0 on the Ieee1394 panic protocol (which is part of the Ieee1394.1 “ FireWire” bridge specification). In 2005, Projector 2.0 could not generate the corresponding graph (due to memory exhaustion) on a Pentium III computer (700 MHz, 1 Gb Ram, 4 Gbswap memory) running Linux. In 2007, using Projector 3.0, we managed to generate this graph (16 million states and 123 million transitions) in a few hours on the same machine.

We enhanced the
Svllanguage with new “
**cut**” and “
**stop**” operators. We also added means to pass C compiler options and
Bcgoptions to the
Cadptools.

Together with Sandro Spina and Gordon Pace (University of Malta), we also started studying the combination of refined interface generation with graph reduction techniques to generate interfaces of tractable sizes.

Taking advantage of the new primitive added to the Cæsar_Solvelibrary (see § ), we enhanced the on the fly -confluence reduction used by the Reductorand Distributortools so as to periodically clean the set of boolean variables explored while solving the underlying boolean equation system. This reduces the memory consumption of -confluence by up to 15%, whilst keeping the same execution speed and achieving the same reductions.

We developed and documented a new prototype tool named Scrutator(600 lines of C code) that prunes on the fly a graph represented implicitly using the Open/Cæsarenvironment. Two kinds of pruning are implemented by the tool: the first one deletes the states leading eventually to deadlocks, and the second one keeps only the states leading (potentially or eventually) to transitions labeled by a given action. Additionally, the tool can also reduce the pruned graph on the fly modulo -confluence, trace equivalence, and weak trace equivalence. To identify which states will be deleted or kept in the graph, Scrutatorbuilds a (disjunctive or conjunctive) boolean equation system, which is solved on the fly using algorithms A3 and A4 of the Cæsar_Solvelibrary. This allows to keep in memory only the states (and not the transitions) of the implicit graph during exploration. The use of Scrutatorto synthesize adaptors supervising the execution of distributed software components led to a publication .

Because of the growing usage of Cadpin industry and academy, we set up an ambitious plan to master the software quality of Cadp. To this aim, we started building a comprehensive validation framework, based on non-regression testing and semantical checking, for all the Cadptools. As mentioned already, we developed several test suites for boolean equation systems and -calculus formulas to validate Bes_Solve(see § ) and Evaluator(see § ), respectively. We also collected a series of 1,700 Bcggraphs that we used for the systematic testing of Bcg_Io, Bcg_Min, Bisimulator, and Projector. This revealed one bug in Bisimulatorand two bugs in Bcg_Min, which have been repaired, the latter in collaboration with Pepijn Crouzen (Saarland University, Germany).

We migrated 32-bit versions of Cadpto support recent computing platforms (including Sparcstations running Solaris 10, Intelmachines running Linux 2.6, and Intel-based Applecomputers running MacOS10.3 and 10.4) together with the latest C compilers available on these platforms ( Gcc 4, Intel Icc 9.0, and Sun Studio 11).

A key objective for the perpetuity of Cadpis the ability to support the latest 64-bit platforms. This is a heavy task because of the number of tools in Cadp, of their intrinsic complexity, and their reliance upon third-party software. In the framework of the Multivalproject (see § ), we made significant steps in this direction:

We selected three 64-bit platforms ( Sparc V9stations running Solaris 10, Intel Ia64machines running Linux, and Intel Emt64/ Amd64machines running Linux) and we constructed cross-compiling environments for these platforms.

In a first step towards 64-bit architectures, we improved the code of all Cadptools so as to suppress any warning message issued by recent C compilers with the strictest code-checking options.

We ported all the 55 shell scripts of Cadpto these 64-bit architectures.

We started porting the Bcgand Open/Cæsar Apis to these 64-bit architectures.

We started porting third party software used by Cadp. The Cudd, Tcl-Tk, Tix, and Boehm-Demers garbage collector libraries have been ported successfully to 64-bit architectures. The Sparselibrary has been ported partially. The Fnc2compiler generation system will not be ported, since it is no longer maintained and its source code not accessible to us.

Together with Pierre Boullier, Philippe Deschamp, and Benoît Sagot ( Atoll/Alpageproject-team of InriaRocquencourt), we started to port the Syntaxcompiler generation software (more than 300,000 lines of C code) to 64-bit architectures. We first removed all warning messages emitted by recent C compilers. We found and repaired several bugs, some of which were specific to 64-bit architectures. We set up automated procedures to compile Syntaxon eleven different platforms (processor, operating system, and C compiler) as well as quality tests to be applied at each modification of Syntax. The port of Syntaxis almost complete.

Finally, we designed a prototype
Ide(
*Integrated Development Environment*) for
Cadpwithin the
Eclipseframework. In its current form (30,000 lines of
Javacode), it comprises both a
Lotoseditor and a graphical user-interface (inspired from
Eucalyptus, but based on
Eclipse).

Other research teams took advantage of the software components provided by Cadp(e.g., the Bcgand Open/Cæsarenvironments) to build their own research software. We can mention the following developments:

an abstract test case execution framework , developed at the University of Graz (Austria),

an algorithm for interoperability test generation , developed at Inria/University of Rennes,

the C.Openand Annotatortools for model checking C programs , , , developed at the Universities of Málaga and Valencia (Spain),

the Lysknowledge analysis toolset: an epistemic verification framework , developed at the Technical University of Eindhoven (The Netherlands).

The Cadptoolbox contains several tools dedicated to the Lotoslanguage, namely the Cæsar.adtcompiler for the data type part of Lotos, the Cæsarcompiler for the process part of Lotos, and the Cæsar.indentpretty-printer.

In 2007, we performed maintenance activities for these tools, fixing a few errors. We also modified in many places the C code generated by Cæsarand Cæsar.adtto avoid all warnings emitted by recent C compilers with the strictest code-checking options. For the end-user, this eases the development of Lotosspecifications by guaranteeing that all warnings seen when compiling the C code generated by Cæsarand Cæsar.adtare relevant to the source Lotosdescription (e.g., unused parameters of some Lotosoperation) or to the hand-written C code provided by the user (and are not meaningless warnings arising from C code generation artefacts).

We pursued our study of state space reduction techniques, our goal being to decrease the size of the graphs generated by Cæsar, still preserving strong bisimulation between the original and reduced graphs. We improved the results of our reduction technique based on live variable analysis by allowing data-flow optimizations to be repeatedly applied in a hierarchical manner on parts of the Lotosspecification. On 151 out of 684 benchmarks, we observed a reduction in the numbers of states (by a mean factor of 2.49 and a maximum factor of 24.27) and of transitions (by a mean factor of 2.41 and a maximum factor of 23.54).

As regards the Lotos NTlanguage — a variant of E-Lotoselaborated by the Vasyproject-team — we worked in three directions:

We continued to enhance our Traian 2.5 compiler (see § ), which generates C code from Lotos NTdata type and function definitions. Traianis distributed on the Internet (see § ) and used intensively within the Vasyproject-team as a development tool for compiler construction .

In 2007, we corrected nine bugs (three bugs already known and six bugs discovered in 2007) and improved the C code generated by Traianin two respects:

It no longer produces warnings when compiled with recent C compilers using the strictest code-checking options. Thus, Traianusers will only get warnings relevant to their Lotos NTcode.

It was ported to 64-bit architectures, together with the predefined includes and libraries provided with Traian. We checked that this yields the same results as for 32-bit architectures.

In addition, we fully automated the cross-compilation of Traianfor multiple platforms. We also enriched the validation database for Traianwith 60 new files, and enhanced the validation scripts to support cross-testing on multiple platforms.

We undertook the development of a new version 3.0 of Traianwritten entirely in Lotos NTand no longer relying on the obsolete Fnc2compiler generation tool used for Traian 1.* and 2.*. We completed the lexical and syntactic analysis phases of Traian 3.0 representing 6,900 lines of code (4,500 lines of Syntax code, 2,000 lines of Lotos NT code, and 400 lines of C code).

In the context of the FormalFame Pluscontract (see § ), we continued to improve the Lnt2Lotostool suite that translates (a large subset of) Lotos NTinto Lotos, thus allowing to use Cadpto verify Lotos NTdescriptions. Bullis using this tool suite to model and verify critical parts of its Fame2 multiprocessor architecture (see § ).

In 2007, we brought the following improvements:

As regards the data part of
Lotos NT, a new type constructor “
**array**
`[
n..
m]`

As regards the process part of Lotos NT, we finalized the definition of processes and behaviors, ensuring language symmetry in the sense that most Lotos NTconstructs used in functions are also allowed in processes (absence of such a nice symmetry is a drawback of Lotosmaking the language harder to learn). The concrete syntax and static semantics of processes have been specified. The translation of Lotos NTprocess definitions is under development.

Lnt2Lotosis developed using the Syntax/ Traiantechnology. Currently, it represents 22,300 lines of code (3,700 lines of Syntaxcode, 16,500 lines of Lotos NTcode, and 2,200 lines of C code). The Lotos NTreference manual was updated and grew from 47 pages (at the end of 2006) to 61 pages.

As regards the compilation of temporal extensions, we studied in 2007 the state of the art of intermediate forms for the compilation of high-level concurrent (and possibly timed) languages and undertook the definition of a new intermediate form into which languages combining data, concurrency, and real-time (such as E-Lotosand Lotos NT) could be translated efficiently. We took as a basis the Ntifmodel for sequential processes with data, which we extended in several ways to support concurrency and real-time.

Although process algebras are, from a technical point of view, the best formalism to describe concurrent systems, they are not used as widely as they could be . Besides the steep learning curve of process algebras, which is traditionally mentioned as the main reason for this situation, it seems also that the process algebra community scattered its efforts by developing too many languages, similar in concept but incompatible in practice. Even the advent of two international standards, such as Lotos(in 1989) and E-Lotos(in 2001), did not remedy this fragmentation. To address this problem, we started investigating source-level translators from various process algebras into Lotos, so as to widen the applicability of the Cadptools.

In 2007, besides the Lnt2Lotostool suite (see § ), we worked on the following translators:

In the framework of the
Fiacre(see §
),
OpenEmbedd(see §
), and
Topcased(see §
) projects, and in cooperation with the
Laas-Cnrsand
Iritlaboratories, we continued the development of
Fiacre(
*Format Intermédiaire pour les Architectures de Composants Répartis Embarqués*). Derived from
Ntif
and
V-Cotre
,
Fiacrewill be used as a pivot formalism between modeling languages (such as
Aadl,
Uml, or
SysML) and verification tools (such as
Cadpand
Tina).

In 2007, we finalized the formal definition of the syntax and semantics of
Fiacre
. We started to develop support tools for
Fiacrein close cooperation with
Laas-Cnrs. A
Fiacreto
Lotostranslation algorithm covering the whole
Fiacrelanguage (except priorities and time constraints) was formalized
. We enriched the
Fiacrecompiler front-end developed by
Laas-Cnrswith a verification module (550 lines of standard
Mlcode) that checks whether all
Fiacrevariables are initialized before use. We started to develop a tool named
Flac(
*Fiacre to Lotos Adaptation Component*) that translates
Fiacredata types into
Lotosabstract data types (so far
3, 050lines of standard
Mlcode).

We considered
Csp
_{m}(
*Machine-readable
Csp
)
, a language implementing the
Csp
process algebra designed at Oxford University (United Kingdom). A comparative study of
Csp
_{m}and
Lotosled to the conclusion that translating
Csp
_{m}to
Lotoswould not be straightforward: even if
Cspis close to
Lotosin essence (
Lotoshaving borrowed some
Cspoperators, and vice versa), this is not the case for
Csp
_{m}. Certain functional language features of
Csp
_{m}(such as lambda expressions, lazy computation, and list comprehensions) proved to be difficult to translate to
Lotosbecause of the strict rewrite strategy enforced by the
Cæsar.adtdata type compiler. Moreover, the choice operator “
[]” of
Csp
_{m}does not translate easily to
Lotos. Our study
led to the development of a compiler front-end for
Csp
_{m}(2,000 lines of
Syntaxcode, 14,000 lines of
Lotos NTcode, and 2,000 lines of C code), which currently covers syntax and static semantics (variable binding and type checking).*

We considered the process algebra
Fsp(
*Finite State Processes*) defined in a popular textbook on concurrency
and supported by the
Ltsatool designed at Imperial College (London, United Kingdom). We continued the development of the
Fsp2Lotostranslator, which translates
Fspinto
Lotos,
Exp.open, and
Svlcode. Our prior work on
Fsp2Lotosled to a publication in an international conference
.

In 2007, we developed a new generic library (
2, 100lines of C code), which allows to generate non-colliding
Lotosidentifiers independently of the source language being translated. In particular, this solved a bug that occurred when the source
Fspcode contained identifiers identical to
Lotoskeywords (e.g., “
**i**”, “
**stop**”, ...).

The Fsp2Lotostranslator was originally assumed to generate Lotos/ Exp.opencode that is branching equivalent to the source Fspcode. In some cases, this assumption was wrong, due to the fact that branching equivalence is not a congruence for the priority operators of Fsp. Therefore, we redesigned and reimplemented most Fsp2Lotostranslation rules so that the generated Lotos/ Exp.opencode is now strongly equivalent (and thus, branching equivalent) to the source Fspcode.

In order to validate the Fsp2Lotostool experimentally, we developed a shell script that generates (using Ltsa) a first graph corresponding to a source Fspspecification, generates (using Cadp) a second graph corresponding to the Lotos/ Exp.opencode generated by Fsp2Lotos, and checks (using the Bisimulatortool of Cadp) that both graphs are equivalent once all labels in Cadpformat have been converted to the Ltsaformat. We used this script on a base of 574 Fspexamples, including all the examples provided with the Ltsatool. Using the older version of Fsp2Lotos(December 2006), only 85% of the Fspexamples would translate into branching equivalent Lotos/ Exp.opencode. Using the latest version of Fsp2Lotos(December 2007), strong equivalence held for all the 574 Fspexamples.

In the context of the
Inria/
Leticollaboration (see §
) and the
Multivalcontract (see §
), we continued the study of the process algebra
Chp(
*Communicating Hardware Processes*) for which the
Timalaboratory has developed a circuit synthesis tool named
Tast
and which is used by the
Letilaboratory to describe the
Faust2 architecture (see §
). Our goal is to integrate formal verification tools into the design flow of complex asynchronous circuits.

In 2007, we revisited the Chp2Lotostranslator to add support for Chpexpressions containing multiple probes of channels (this feature provides for efficient hardware implementation by checking the availability of different partners in handshake communications). To guarantee an “atomic” evaluation of such expressions and ensure mutual exclusion between channels, we designed a locking mechanism that we implemented in the generated Lotoscode. Comparing the new version of the translator to the previous on 310 examples, we found that this increased the state space for 40 examples (by a maximum factor of two), but surprisingly also decreased the state space for 19 examples (by a maximum factor of two). We wrote an overview publication on the Chpto Lotostranslation that was submitted to an international journal.

In the context of the
Inria/
Leticollaboration (see §
), we investigated the verification of
Tlm(
*Transaction Level Model*) models. Compared to traditional
Rtl(
*Register Transfer Level*) models,
Tlmallows faster simulation, simultaneous development of software and hardware, and earlier hardware/software partitioning. Among all languages
supporting
Tlm,
SystemC
emerges as an industrial standard.
SystemCis a C++ library providing both a high-level description language and a simulation kernel that involves a central (largely deterministic)
scheduler ordering the actions of the different processes.

In 2007, we focused on the
Pv(
*Programmers View*) level of
SystemC/
Tlm, i.e.,
Tlmmodels without explicit timing information. We worked in two directions:

Our first approach follows the “official” simulation semantics of
SystemC/
Tlm, keeping the scheduler as defined in
. Inspired by a translation from
SystemC/
Tlmto
Promela
, we devised a translation from
SystemC/
Tlmto
Lotos, which we experimented on the parameterized benchmark with
nconcurrent components given in
.

Using the Reductorand Bisimulatortools of Cadp, we compared the state space generated for the Lotosdescription with the set of finite execution traces produced by the Rvstool , for SystemC/ Tlm. Both were found to be trace equivalent, showing that our Lotos-based approach complies to the SystemC/ Tlmsimulation semantics.

Using the
Evaluatortool of
Cadp(see §
), we verified the liveness property given in
that explores the complete state space of the parameterized benchmark. We experimented both direct state
space generation (for which we obtained results comparable to those reported in
) and compositional state space generation (for which we observed state spaces three times smaller than
those reported for
Spinin
, which enabled us to handle the case
n= 19while
Spinfails at
n>15).

Our second approach pursues the work undertaken in 2006 to design a fully asynchronous semantics for
SystemC/
Tlm. In this approach, we get rid of the central scheduler because it implements a global supervisor (that is difficult to achieve in a
parallel circuit without sacrificing efficiency) and hampers the effectiveness of formal verification by preventing certain possible execution sequences from being analyzed. To the
contrary, our approach explores all possible interleavings arising from concurrent components and fits well with the principles of
Gals(
*Globally Asynchronous Locally Synchronous*),
NoCs (
*Networks on Chip*), and So
cs (
*Systems on Chip*).

We devised translation rules from SystemC/ Tlmto Lotos, which rely on the user to translate C++ types and functions to Lotosmanually and which are parameterized by a locking policy that controls the level of asynchrony between transactions. This work led to a publication in an international conference .

We experimented our translation on several examples, namely the parameterized benchmark of and seven examples taken from the SystemC/ Tlmreference document , and we started investigating a large industrial case study provided by STMicroelectronics.

We compared both approaches (i.e., with and without the scheduler) on the parameterized benchmark of :

We could show that the state space for the approach with scheduler is included (modulo branching preorder) in the state space for the approach without scheduler.

We could show that the approach without scheduler generalizes the approach with scheduler in the sense that the latter is obtained from the former by choosing a
particular locking policy. Remarkably, the approach without scheduler even allowed to handle the case
n= 19using either direct state space generation (102 million states and 152 million transitions) or compositional generation (3 million states and 23 million
transitions, the largest intermediate state space having 91 million states and 128 million transitions).

In practice, even if the approach without scheduler explores more configurations due to asynchrony, this is compensated in part by our efficient Lotosencoding. For instance, the state spaces we generated for the approach without scheduler were similar in size to those reported in with a scheduler-based semantics.

In the context of the
Multival(see §
) contract together with
Bull, we studied the
Mpisoftware layer and
Mpibenchmark applications to be run on
Fame2 (
*Flexible Architecture for Multiple Environments*), a
Cc-Numamultiprocessor architecture developed at
Bullfor teraflop mainframes and petaflop computing.

In 2007, we focused on a particular
Mpibenchmark (the so-called “
*ping-pong*” protocol), our goal being to predict the performance of this benchmark on
Fame2 machines, in particular to estimate the latency of send/receive operations in different topologies, different software implementations of the
Mpiprimitives, and different cache coherency protocols. The ping-pong benchmark consists of two parallel processes, which send to each other a data
packet
ktimes. Two variants of the benchmark were specified using a combination of
Lotoscode (to describe the behavior of processes) and C code (to describe the data structures of memory and caches). Several configurations
were studied, for two data packets and
kvarying between 1 and 10 (which corresponds to a normal termination of the benchmark session) or being infinite (which corresponds to cyclic execution).

For each configuration, several safety and liveness temporal properties were specified in regular alternation-free
-calculus, and successfully verified on the corresponding graph using
Evaluator 3.5 (see §
). Additionally, it was successfully checked using
Bisimulatorthat the two variants were branching equivalent to each other (when observing only send/receive actions), and that each configuration
with
kiterations was smaller (modulo the branching preorder) than the configurations with
k+ 1iterations and
kinfinite.

Finally, the Lotosspecification was extended with Markov delays and a performance analysis was carried out using the Bcg_Min, Determinator, and Bcg_Steadytools in order to predict the latency of the send/receive operations and of the various types of transfers between memory and (local or remote) caches. The results obtained by numerical analysis were close enough to the experimental measures to assess the suitability of the model.

In the context of the
Inria/
Leticollaboration (see §
) and the
Multivalcontract (see §
), we pursued the study (started in 2005) of the
Faust(
*Flexible Architecture of Unified System for Telecom*)
NoC(
*Network on Chip*)
developed by the
Letilaboratory. Our previous work on the first version of
Faustled to a joint
Inria/
Letipublication
.

In 2007, we focused on the second version of
Faust, a
NoC-based platform for wireless telecom applications (4G,
Mimo, etc.). Together with
Letiscientists, we studied the communication interconnect part of
Faust, which routes packets (consisting of several 34-bit flits) between the 23 components of the
Faustcircuit. At the block level, this interconnect is described in the hardware process calculus
Chp(
*Communicating Hardware Processes*) and implemented, at the
Rtllevel, in asynchronous logic. The interconnect has 23 communication nodes, each of which consisting of five input controllers and five output
controllers. Each input controller dispatches incoming flits to one out of four output controllers, and each output controller arbitrates between four input controllers.

To generate the state space of the input controller, we first abstracted the Chpspecification (500 lines of code) by applying data independence considerations: we replaced the 34-bit data values by 8-bit data values, focusing on the control information. Then, applying our Chp2Lotostranslator (see § ) to the Chpdescription of the input controller, we produced a Lotosspecification in less than one second. This led to 15 concurrent Lotosprocesses, several of which were so large that their parallel composition could not be computed directly. By replacing “internal” in Chp/ Lotosby “external” to reflect the actual hardware implementation of Faust, we further reduced the size of the intermediate state spaces by a factor of 50, making the state space of the entire input controller tractable (less than 3 million states).

To generate the state space of the output controller, we also applied our Chp2Lotostranslator to the corresponding Chpdescription (400 lines of code). By making the same data abstractions as for the input controller, by applying symmetry reductions (allowing to consider only two out of four input controllers), and by using the compositional state space generation features of Cadp, we managed to generate the state space for an output controller (less than 6 million states).

In 2007, we studied in depth the concurrent behavior of xSTreamqueues:

We developed several
Lotosmodels of
xSTreamqueues (in total 6800 lines of code), differing in whether each
xSTreamprimitive (
*push*,
*pop*,
*peek*, etc.) is modeled by one or two (request/response)
Lotosevents.

For several values of
nand
p, we established (by means of on the fly equivalence checking using the
Bisimulatortool of
Cadp) that an
xSTreamqueue of size
nwith a backlog of size
pis branching equivalent to an
xSTreamqueue of size
n+
p.

We then investigated the interaction of several
xSTreamqueues sharing the
NoC. By using
Bisimulator, we discovered that the state space (1.5 million states and 8 million transitions) for a pair
(
Q
_{1},
Q
_{2})of
xSTreamqueues sharing the
NoCwith another pair
(
Q
_{3},
Q
_{4})of
xSTreamqueues was not branching equivalent, when hiding the actions of
(
Q
_{3},
Q
_{4}), to the state space obtained for
(
Q
_{1},
Q
_{2})alone. Such a possibility of starvation caused by
NoCaccess conflicts revealed that the
xSTreamcredit protocol was not optional (as assumed so far) but mandatory.

We then incorporated the xSTreamcredit protocol into our Lotosmodel and managed to generate the corresponding state space by means of compositional verification techniques (which allowed to reduce the size of the largest intermediate state space from 17 million states and 108 million transitions down to 1.5 million states and 8 million transitions). This time, we managed to prove branching equivalence, but only when the credit value parameter is equal to 1; for values greater than 1, we reported the issue to the xSTreamarchitects, together with a convincing counterexample (a valid xSTreamapplication running into a deadlock when executed on an xSTreamsimulator generated from our Lotosmodel using the Exec/Cæsarenvironment of Cadp).

In parallel, we undertook performance evaluation studies to predict latency and throughputs in the communication architecture, as well as occupancy within xSTreamqueues (with and without backlogs). A key challenge is to combine probabilistic/stochastic information (e.g., the rates at which xSTreamapplications push and pop elements in and out of the queues) with precise timing information (e.g., memory access time). We investigated different techniques and tools, starting from the Interactive Markov Chain model supported by Cadptools (we used Erlang distributions to approximate precise timing information), but considering also max-plus algebra, discrete event simulation, and timed automata (using the Uppaal/ Coratools).

Other teams also used the Cadptoolbox for various case studies. To cite only recent work not already described in previous Vasyactivity reports, we can mention:

the model-based testing of the registrar entity responsible for maintaining user location information within a session initiation protocol (such as voice over Ip) ,

the verification of an on-line computer sale application based on Microsoft's .Networkflow foundation components ,

the formal analysis of Chaum's dining cryptographers protocol and the anonymity analysis of the Fujioka-Okamota-Ohta electronic voting scheme ,

the formal analysis of an implementation in C of Peterson's mutual exclusion protocol ,

the formal analysis of timed Erlang programs and
Otp(
*Open Telecom Platform*) library components
,
,

the verification of “bridge exchanger” software connectors in deterministic dataflow applications ,

the verification of the identify phase of the Ieee 1394 “ FireWire” high performance serial bus ,

the verification of the
Ries(
*Rijnland Internet Election System*) voting protocol used in the Netherlands' Second Chamber election in 2006
,

the verification of a cache coherence protocol for a
Java Dsm(
*Distributed Shared Memory*) implementation
,

the formal analysis of the embedded software controlling the automatic document feeder of an Océcopier ,

the verification of automatically computed adaptors between evolving components of a library management application ,

the formal analysis of two typical wireless sensor network applications (“
*Blink*” and “
*Sense*”) written in the
nesCprogramming language for networked systems running
TinyOS
.

Finally, an overview paper of a collection of large case studies from a wide range of application areas and a textbook , which uses Cadpas a software support for teaching formal verification of systems and circuits, were published.

Vasyparticipates to the
Ec-Moan(
*Scalable modeling and analysis techniques to study emergent cell behavior: Understanding the E. coli stress response*) project no. 043235, funded by the
Fp6 Nest-Path-ComEuropean program. It gathers seven participants:
InriaRhône-Alpes (
Vasyand
Helixproject-teams), Université Joseph Fourier (Grenoble), University of Twente, Free University of Amsterdam, University of Edinburgh,
CwiAmsterdam, and Masaryk University Brno.
Ec-Moanaims at the development of new, scalable methods for modeling and analyzing integrated genetic, metabolic, and signaling networks, and the
application of these methods for a better understanding of a bacterial model system.

Ec-Moanstarted on February 1st, 2007 for three years. In 2007, our contributions focused on the definition of temporal specification formalisms
allowing to express biologically-relevant properties (both branching-time properties, such as bistability, and linear-time properties, such as presence of oscillations) and their translation to
the temporal specification formalisms accepted as input by
Cadp. We also started to devise new model checking algorithms for evaluating on the fly temporal operators on graphs resulting from qualitative
simulation of genetic regulatory networks, such as those produced by the
Gna(
*Genetic Network Analyzer*) tool developed by the
Helixproject-team.

There is a long-standing collaboration between Vasyand Bull, which aims at demonstrating that the formal methods and tools developed at Inriacan be successfully applied to Bull's multiprocessor architectures. The objective is to develop a complete and integrated solution supporting formal specification, simulation, rapid prototyping, verification, and testing.

Between 1995 and 1998, two case studies were successfully tackled using
Cadp: the
PowerScalebus arbitration protocol
and the
PolyKidmultiprocessor architecture
. Between 1998 and 2004, the collaboration focused on
Fame, the
Cc-Numamultiprocessor architecture used in
Bull's
NovaScaleseries of high-performance servers based on
Intel Itaniumprocessors. The
Cadptools have been used to validate a crucial circuit of
Fame– the
Fss(
*Fame Scalability Switch*) – that implements the cache coherency protocol.

In 2004, the collaboration was renewed by a followup contract named FormalFame Plus, which, in 2005, was extended for two more years. FormalFame Plusaims at enhancing the performance and usability of the Cadptools to address the Fame2 multiprocessor architecture (see § ).

In 2007, Vasycontributed to FormalFame Plusby continuing the development of the Lnt2Lotostool suite (see § ), which allows to write architectural models in a higher level language than Lotos. This tool suite was used by Bullto model and verify using Cadpa critical part of its Fame2 architecture.

The FormalFame Pluscontract ended in March 2007 and found its continuation in the Multivalproject (see § ).

Multival(
*Validation of Multiprocessor Multithreaded Architectures*) is a project of
Minalogic, the
*pôle de compétitivité mondial*dedicated to micro-nano technologies and embedded software for systems on chip (
EmSoCcluster of
Minalogic). It is funded by the French government (
*Fonds de compétitivité des entreprises*) and
*Conseil général de l'Isère*.
Multivaladdresses verification and performance evaluation issues for three innovative asynchronous architectures developed by
Bull,
Cea/
Leti, and
STMicroelectronics.

Multivalstarted in December 2006 for three years. In 2007, we focused our activities on the enhancement of Cadp(see § and § ) and case studies in collaboration with our partners to verify and predict the performance of the architectures Fame2 (see § ), Faust2 (see § ), and xSTream(see § ).

OpenEmbeddis a French national project of
Anr(
*Agence Nationale de la Recherche*), initiated by
Rntl(
*Réseau National des Technologies Logicielles*). The goal of
OpenEmbeddis to develop an open-source, generic, standard software engineering platform for real-time embedded systems, such as those developed by
Airbus,
Cs,
France Telecom, and
Thales. Within an
Eclipseframework, this platform will combine the principles of model-driven engineering with those of formal methods.

OpenEmbeddstarted in May 2006 for three years. In 2007, we contributed to requirement surveys on formal verification of embedded systems , , , we pursued the definition of the Fiacreasynchronous intermediate model for embedded systems and studied the principles of an automated translation from Fiacreto Lotos(see § ).

Topcased(
*Toolkit in OPen-source for Critical Application and SystEms Development*) is a project of
Aese, the French
*pôle de compétitivité mondial*dedicated to aeronautics, space, and embedded systems. This project gathers 23 partners, including companies developing safety-critical systems such as
Airbus(leader),
Astrium,
Atos Origin,
Cs,
Siemens Vdo, and
Thales Aerospace.

Topcaseddevelops a modular, open-source, generic Caseenvironment providing methods and tools for embedded system development, ranging from system and architecture specifications to software and hardware implementation through equipment definition. Vasycontributes in the combination of model-driven engineering and formal methods for asynchronous systems.

Topcasedstarted in August 2006 for 40 months. In 2007, we worked along the following lines:

In collaboration with colleagues from Laas-Cnrsand Irit(Toulouse, France), we reviewed existing intermediate models for asynchronous concurrent processes so as to select features suitable for Topcased . This led to the definition of Fiacre, an intermediate model for embedded systems with asynchrony and quantitative time , , . We also undertook the development of an automated translator from Fiacreto Lotos(see § ).

In collaboration with colleagues from Laas-Cnrs, we proposed techniques to fight against state explosion which could arise when verifying Fiacremodels.

We participated in the TopcasedQuality Group, which defines the quality policy for Topcased(in particular, a set of mandatory requirements) and evaluates the Topcaseddevelopment activities.

H. Garavel is the Inriarepresentative at the Topcasedexecutive committee, for which he served as the secretary during the elaboration phase of the Topcasedproposal.

The
Vasyproject-team plays an active role in the joint research center launched in 2004 between
InriaRhône-Alpes and the
Letilaboratory of
Cea-Grenoble. In collaboration with
Letiscientists (Edith Beigné, François Bertrand, Fabien Clermidy, Virang Shah, Yvain Thonnart, and Pascal Vivet),
Vasydevelops software tools for the design of asynchronous circuits and architectures such as
Gals(
*Globally Asynchronous Locally Synchronous*),
NoCs (
*Networks on Chip*), and So
cs (
*Systems on Chip*). In 2007, this collaboration became part of the
Multivalproject (see §
), and focused on the
Chp2Lotostranslator (see §
) and its application to the
Faustarchitecture (see §
).

Together with the
Oasisproject-team of
InriaSophia-Antipolis (Antonio Cansado and Eric Madelaine), the
Ltciteam of
Enst-Paris (Irfan Hamid, Elie Najm, and Sylvie Vignes), the
Svfteam of the
Laas-Cnrslaboratory (Bernard Berthomieu, Florent Peres, and François Vernadat), and the
Mvrteam of
Irit(Mamoun Filali),
Vasyparticipated to the national action
Fiacre(
Aci
*Sécurité Informatique*) started in 2004 and ended in September 2007 (see
http://

Additionally, we collaborated in 2007 with several Inriaproject-teams:

Atlas(Nantes): collaboration in the framework of the OpenEmbeddnational action (Jean Bézivin and Frédéric Jouault);

Atoll/Alpage(Rocquencourt): enhancements to the Syntax V6 compiler generation software (Pierre Boullier, Philippe Deschamp, and Benoît Sagot);

Espresso(Rennes): collaboration in the framework of the Topcasedand OpenEmbeddnational actions (Jean-Pierre Talpin and Juan Peralta);

Helix(Rhône-Alpes): applications of model checking to biological systems (Estelle Dumas, Hidde de Jong, Pedro Monteiro, Michel Page, and Adrien Richard);

Oasis(Sophia-Antipolis): collaboration in the framework of the Fiacrenational action (Antonio Cansado and Eric Madelaine).

Beyond Inria, we had sustained scientific relations with the following teams:

Laas-Cnrslaboratory (Toulouse): collaboration in the framework of the Fiacre, OpenEmbedd, and Topcasedprojects (Bernard Berthomieu and François Vernadat);

Le2ilaboratory (Dijon): since December 2006, R. Mateescu, E. Oudot, A. Wijs, and M. Zidouni are hosted by Université de Bourgogne.

The
Vasyproject-team of
Inriaand the
Sen2team of
Cwicollaborate in
Senva, a joint research team on safety-critical systems (see
http://

The
Vasyproject-team is member of the
Fmics(
*Formal Methods for Industrial Critical Systems*) working group of
Ercim(see
http://

H. Garavel is a member of
Ifip(
*International Federation for Information Processing*) Technical Committee 1 (
*Foundations of Computer Science*) Working Group 1.8 on Concurrency Theory, launched in 2005 and chaired by Luca Aceto.

In addition to our partners in aforementioned contractual collaborations, we had scientific relations in 2007 with several international universities and research centers, including:

Imperial College (Jeff Kramer and Jeff Magee),

Liama, China (Claude Helmstetter and Vania Joloboff),

Polytechnic University of Bucharest (Valentin Cristea),

Saarland University (Pepijn Crouzen, Holger Hermanns, Sven Johr, and Reza Pulungan),

University of Málaga (Gwen Salaün and David Sanán),

University of Malta (Gordon Pace and Sandro Spina), and

University of Twente (Stefan Blom, Jaco van de Pol, and Michael Weber).

In 2007, we had the following scientific exchanges:

David Sanán (PhD student, University of Málaga, Spain) visited us from March 1st to May 31, 2007. During his visit, he focused on enhancing the C.Opentool for translating multithreaded C programs with dynamic data types into the implicit graphs defined by Open/Cæsar.

Pepijn Crouzen (Saarland University, Saarbrücken, Germany) visited us on June 19–20, 2007.

The second Ec-Moanproject meeting was held at InriaGrenoble – Rhône-Alpes on September 3–4, 2007. In addition to R. Mateescu and E. Oudot from the Vasyproject-team, Hidde de Jong, Delphine Ropers, Valentina Baldazzi, Pedro Monteiro, and Estelle Dumas ( Helixprojet team), Jaco van de Pol and Stefan Blom (University of Twente), Frank Bruggeman and Fred Boogerd (Free University of Amsterdam), Anton Wijs and Jan van Schuppen ( CwiAmsterdam), Hongwu Ma (University of Edinburgh), Lubos Brim, Jiri Barnat, Ivana Cerna, and David Safranek (Masaryk University Brno) attended this meeting.

Sandro Spina (University of Malta, Malta) visited us from September 3 to October 24, 2007.

The Vasyproject-team distributes two main software tools: the Cadptoolbox (see § ) and the Traiancompiler (see § ). In 2007, the main facts are the following:

We prepared an updated version named Cadp2006-a “Edinburgh”, released on July 26, 2007, which corrects 4 problems encountered on Linuxand Windowsarchitectures. We also prepared and distributed 2 successive beta-versions (2007-a and 2007-b) of Cadp.

The number of license contracts signed for Cadpincreased from 366 to 394.

We were requested to grant Cadplicenses for 589 different computers in the world.

The
Traiancompiler was downloaded by
**46** different sites.

The
Vasy
Website (see
http://

In September 2007, we opened the “
CadpForum” (see
http://

In 2007, we revised our internal workflow for distributing Cadp, so as to automate the licensing process (which was needed to support a growing user base) and to improve its overall reactivity and quality.

In 2007, the members of Vasyassumed the following responsibilities:

F. Lang and W. Serwe were selection committee members of a special issue of
Jesa(
*Journal Européen des Systèmes Automatisés*) on
*Formal Approaches for Specification and Verification of Real-time Systems*, to appear in 2008.

H. Garavel is a steering committee member of the
Pdmc(
*Parallel and Distributed Methods in Verification*) series of international workshops.

H. Garavel was a program committee member of
Tacas'2007 (
*13th International Conference on Tools and Algorithms for the Construction and Analysis of Systems*), Porto, Portugal, March 24–April 1st, 2007.

F. Lang was a program committee member of
Neptune'2007 (
*Nice Environment with a Process and Tools Using Norms and Examples*),
CnamParis, France, May 22–23, 2007.

H. Garavel was a program committee member of
Forte'2007 (
*27th IFIP WG 6.1 International Conference on Formal Techniques for Networked and Distributed Systems*), Tallinn, Estonia, June 26–29, 2007.

R. Mateescu was a program committee member of
Fmics'2007 (
*12th International Workshop on Formal Methods for Industrial Critical Systems*), Berlin, Germany, July 1-2, 2007.

R. Mateescu was a program committee member of
Pdmc'2007 (
*6th International Workshop on Parallel and Distributed Methods in Verification*), Berlin, Germany, July 8, 2007.

R. Mateescu was a program committee member of
Icsea'2007 (
*2nd International Conference on Software Engineering Advances*, Cap Esterel, France, August 25-31, 2007).

F. Lang was a scientific committee member of
Etr'2007 (
*5ème Ecole d'été Temps-Réel*), Nantes, France, September 3–7, 2007.

F. Lang was a program committee member of
Ecsa'2007 (
*1st European Conference on Software Architectures*), Madrid, Spain, September 24–26, 2007.

R. Mateescu was an organization committee member of
Msr'2007 (
*6ème Colloque Francophone sur la Modélisation des Systèmes Réactifs*), Lyon, France, October 17–19, 2007.

In 2007, we gave talks in several international conferences and workshops (see bibliography below). Additionally:

H. Garavel and R. Lacroix visited the Atoll/Alpageproject-team at InriaRocquencourt on January 15, 2007.

R. Mateescu gave a talk entitled “
Mcl:
*A Model Checking Language for Concurrent Value-Passing Systems*” at the
Liplaboratory (Lyon, France) on January 18, 2007.

F. Lang participated to the
Topcasedworkshop held at
Laas-Cnrs(Toulouse, France) on January 23–24, 2007. He gave, jointly with François Vernadat (
Laas-Cnrs), a talk entitled “
*Le langage pivot asynchrone
Fiacre
et les méthodes formelles”.*

O. Ponsini participated to the “
*Workshop on Certification SoC & IP*” at
Minalogic(Grenoble, France) on January 25, 2007.

Vasyorganized the 1st quarterly
Multivalmeeting, held at
InriaRhône-Alpes (France) on March 1st, 2007. H. Garavel gave a talk entitled “
*Almost Ten Years of Process Algebras and Model Checking for Multiprocessor Architectures*”.

F. Lang gave a talk entitled “
*Le langage pivot asynchrone
Fiacre
” at
InriaSophia-Antipolis (France) on March 7–8, 2007.*

O. Ponsini participated to a training on “
*Tlm modeling in
SystemC” given by
STMicroelectronics(Grenoble, France) on March 12–16, 2007.*

Vasyorganized the 2nd semestrial
OpenEmbeddmeeting, held at
InriaRhône-Alpes (France) on April 4–5, 2007. N. Lépy gave a talk entitled “
*An interface for
Cadp
using
Eclipse
” on April 4, 2007. F. Lang gave a talk entitled “
Le langage pivot asynchrone
Fiacre
” on April 5, 2007.*

O. Ponsini gave a talk entitled “
*Deux approches pour l'utilisation pratique des méthodes de vérification formelle*” at the
Lip6laboratory (Paris, France) on May 4, 2007.

H. Garavel and Laurent Julliard gave a presentation of the “
*pôle de compétitivité Minalogic*” at
InriaRhône-Alpes in the series “
*Une heure ensemble*” on May 14, 2007.

F. Lang participated to the
Neptuneconference held at
Cnam(Paris, France) on May 22–23, 2007. He participated to a debate entitled “
*Comment optimiser les développements par rapport aux besoins dans le cadre des pôles de compétitivité ?*”.

H. Garavel organized the visit of the
Save-Itindustrial graduate school (Mälardalen, Sweden) at
InriaRhône-Alpes on June 6, 2007. He gave a talk entitled “
*Cadp : Software Tools for System-Level Verification of Asynchronous Designs”. W. Serwe gave a demonstration of the
Cadptoolbox for the verification of asynchronous hardware.*

D. Champelovier, N. Coste, H. Garavel, H. Hermanns, R. Lacroix, O. Ponsini, W. Serwe, M. Vidal, and M. Zidouni participated
to the 2nd quarterly
Multivalmeeting held at
Cea/
Leti(Grenoble, France) on June 14, 2007. H. Garavel gave a talk entitled “
*Migrating
Cadp
to 64-bit machines”. O. Ponsini gave a talk entitled “
Translating
SystemC
/
Tlm
models into
Lotos
”.*

H. Garavel participated to the
Opeesworkshop in Paris on June 28–29, 2007. He gave a talk entitled “
*Le projet Multival*”.

J. Stoecker participated to
Etr'07 (
*5ème Ecole d'été Temps-Réel*), Nantes, France, September 3–7, 2007.

H. Garavel participated to the
Ifipworkshop on “
*Applying Concurrency Research in Industry*” held in Lisbon (Portugal) on September 7, 2007. He gave a talk entitled “
*Cadp Twenty Years After”.*

D. Champelovier, N. Coste, H. Garavel, H. Hermanns, R. Mateescu, O. Ponsini, W. Serwe, and M. Zidouni participated to the 3rd quarterly Multivalmeeting held at Bull(Paris, France) on September 20, 2007.

F. Lang gave a talk entitled “
*Recent developments and improvements of the
Cadp
toolbox” at France Telecom R&D (Lannion) on September 24, 2007.*

D. Thivolle participated to the technical meeting of engineers involved in the OpenEmbeddproject held in Rennes on October 3–4, 2007.

H. Garavel participated to a presentation of the collaborative project Multivalheld at STMicroelectronics(Grenoble, France) on November 9, 2007.

N. Coste and H. Hermanns participated to the workshop “
*Two Decades of Probabilistic Verification – Reflections and Perspectives*” held at the Lorentz center (Leiden, The Netherlands) on November 12–16, 2007.

X. Clerc, H. Garavel, F. Lang, and D. Thivolle participated to the 3rd semestrial OpenEmbeddmeeting held at Laas-Cnrs(Toulouse, France) on November 12–13, 2007.

X. Clerc, H. Garavel, F. Lang, and D. Thivolle participated to the
Topcased
Wp3meeting held at
Laas-Cnrs(Toulouse, France) on November 13–14, 2007. F. Lang gave a talk entitled “
*Le langage pivot asynchrone
Fiacre
”.*

R. Mateescu gave a seminar entitled “
*On-the-Fly Model Checking with Evaluator 3.5*” to the MSc computer science students of Université de Bourgogne on November 23, 2007.

E. Oudot gave a seminar entitled “
*Vérification incrémentale de systèmes temporisés à composants*” to the MSc computer science students of Université de Bourgogne on November 23, 2007.

A. Wijs gave a seminar entitled “
*Directed Searching through State Spaces*” to the MSc computer science students of Université de Bourgogne on November 23, 2007.

N. Coste, H. Garavel, H. Hermanns, W. Serwe, and M. Zidouni participated to the
Multivaldoctoral workshop held at Saarland University (Saarbrücken, Germany) on November 26–29, 2007. W. Serwe gave a talk entitled “
*Modeling and Analysis of Asynchronous Concurrent Hardware*”.

D. Champelovier, N. Coste, H. Garavel, Y. Guerte, R. Hérilier, H. Hermanns, R. Lacroix, R. Mateescu, O. Ponsini,
W. Serwe, and M. Zidouni participated to the 4th quarterly
Multivalmeeting held at
STMicroelectronics(Grenoble, France) on December 4, 2007. D. Champelovier gave a talk entitled “
*Le langage
Lotos NT
et le traducteur
Lnt2Lotos
”.*

The
Vasyproject-team is a host team for the computer science master entitled “
*Mathématiques, Informatique, spécialité : Systèmes et Logiciels*”, common to Institut National Polytechnique de Grenoble and Université Joseph Fourier.

In 2007:

H. Garavel, F. Lang, and W. Serwe created, jointly with Pascal Raymond (
Verimag), a course on “
*Méthodes Formelles de Développement*” to the computer science engineering students of
Cnam(
*Conservatoire National des Arts et Métiers*) Grenoble (21 hours).

F. Lang and W. Serwe gave the course on “
*Temps Réel*” to the 3rd year students of
Ensimag(18 hours).

E. Oudot and R. Mateescu, together with Sylvain Rampacek (Université de Bourgogne) gave the course on “
*Méthodes formelles*” to the 5th year students of
Esirem(86 hours).

O. Ponsini was a teaching assistant for a tutorial on programming and mathematics given to high-school pupils with the Inria's Mobinetpedagogic platform during the engineer weeks of the Institut National Polytechnique de Grenoble (3 hours).

R. Mateescu was a jury member and reviewed Juan José Sánchez Penas' PhD thesis entitled “
*From Software Architecture to Formal Verification of a Distributed System*” defended at University of Corunha (Spain) on December 24, 2006.

H. Garavel supervised the MSc thesis of D. Thivolle entitled “
*Etude de la traduction de
Csp
_{m}en
Lotos
”, defended at Université Joseph Fourier (Grenoble) on June 19, 2007.*

H. Garavel and F. Lang supervised the internship (
*mémoire*
Cnam
*) of N. Lépy entitled “
Intégration de
Cadp
dans l'environnement
Eclipse
”.*

H. Garavel was a jury member of Tarek Sadani's PhD thesis entitled “
*Validation de spécifications formelles*
Rt-Lotos
*”, defended at
Ensica(
Inpt, Toulouse) on May 3, 2007.*

R. Mateescu was the jury president of Renaud Vanlande's PhD thesis entitled “
*C-DMF : une architecture de modélisation sémantique des données. Application à la gestion technique de patrimoine immobilier*”, defended at Université de Bourgogne on December 3,
2007.

W. Serwe was a jury member of Xing Lu's MSc thesis entitled “
*Aspects de sûreté et programmes non déterministes*”, defended at université Joseph Fourier (Grenoble) on September 3, 2007.

F. Lang was a jury member and reviewed Emmanuel Donin de Rosière's PhD thesis entitled “
*Un langage non-déterministe pour l'écriture de scénarios de test*”, defended at
Enssat(Lannion) on September 24, 2007.

R. Mateescu was a jury member and reviewed Anton Wijs's PhD thesis entitled “
*What to Do Next? Analysing and Optimising System Behaviour in Time*”, defended at the Free University of Amsterdam (Netherlands) on October 2, 2007.

H. Garavel and W. Serwe were jury members of Jérôme Fereyre's engineer thesis entitled “
*Conception et amélioration d'outils logiciels pour la vérification distribuée*”, defended at
Cnam(Grenoble) on December 20, 2007.

R. Mateescu was a suppliant member of the “Commission de spécialistes” at Université de Bourgogne (section 27).

D. Champelovier is a member of the computing facilities committee of InriaRhône-Alpes.

Within the
Minalogic
*pôle de compétivité mondial*, H. Garavel is a member of the operational committee of the
EmSoCcluster (Embedded System on Chip).

F. Lang participates to the consultative organizational committee of InriaRhône-Alpes.

F. Lang led the working group (5 persons) in charge of proposing a new distribution of offices among the research and administrative teams located in the Inriabuilding of Montbonnot. The task of this working group ended in September 2007, after a moving of several teams.

F. Lang participates to the working group in charge of specifying requirements about the new aisle of the Inriabuilding of Montbonnot, which should be delivered by the end of 2009.

O. Ponsini contributed to the organization of the Liglaboratory council elections.