The VerTeCs team is focused on the use of formal methods to assess the reliability, safety and security of reactive software systems. By reactive software system we mean a system controlled by software which reacts with its environment (human or other reactive software). Among these, critical systems are of primary importance, as errors occurring during their execution may have dramatic economical or human consequences. Thus, it is essential to establish their correctness before they are deployed in a real environment, or at least detect incorrectness during execution and take appropriate action. For this aim, the VerTeCs team promotes the use of formal methods, i.e. formal specification of software and their required properties and mathematically founded validation methods. Our research covers several validation methods, all oriented towards a better reliability of software systems:

Verification, which is used during the analysis and design phases, and whose aim is to establish the correctness of specifications with respect to requirements, properties or higher level specifications.

Control synthesis, which consists in “forcing” (specifications of) systems to stay within desired behaviours by coupling them with a supervisor.

Conformance testing, which is used to check the correctness of a real system with respect to its specification. In this context, we are interested in model-based testing, and in particular automatic test generation of test cases from specifications.

Diagnosis and monitoring, which are used during execution to detect erroneous behaviour.

Combinations of these techniques, both at the methodological level (combining several techniques within formal validation methodologies) and at the technical level (as the same set of formal verification techniques - model checking, theorem proving and abstract interpretation - are required for control synthesis, test generation and diagnosis).

Our research is thus concerned with the development of formal models for the description of software systems, the formalization of relations between software artifacts (e.g. satisfaction, conformance between properties, specifications, implementations), the interaction between these artifacts (modelling of execution, composition, etc). We develop methods and algorithms for verification, controller synthesis, test generation and diagnosis that ensure desirable properties (e.g. correctness, completeness, optimality, etc). We try to be as generic as possible in terms of models and techniques in order to cope with a wide range of application domains and specification languages. Our research has been applied to telecommunication systems, embedded systems, smart-cards application, and control-command systems. We implement prototype tools for distribution in the academic world, or for transfer to the industry.

Our research is based on formal models and our basic tools
are
**verification**techniques such as model checking, theorem
proving, abstract interpretation, the control theory of
discrete event systems, and their underlying models and
logics. The close connection between testing, control and
verification produces a synergy between these research topics
and allows us to share theories, models, algorithms and
tools.

Yliès Falcone, Thierry Jéron and Hervé Marchand together with Jean-Claude Fernandez and Laurent Mounier (Verimag, University of Grenoble), received the IFIP Best Paper Award at the ICTSS'2010 conference (22nd IFIP International Conference on Testing Software and Systems), in Natal (Brasil), in novembre 2010, for the paper More Testable Properties . ICTSS, which merges TestCom and FATES is a major conference on testing of software and systems.

The formal models we use are mainly automata-like
structures such as labelled transition systems (LTS) and some
of their extensions: an LTS is a tuple
M= (
Q,
,
,
q_{o})where
Qis a non-empty set of states;
q_{o}Qis the initial state;
Ais the alphabet of actions,
is the transition relation. These models are adapted
to testing and controller synthesis.

To model reactive systems in the testing context, we use
Input/Output labeled transition systems (IOLTS for short). In
this setting, the interactions between the system and its
environment (where the tester lies) must be partitioned into
inputs (controlled by the environment), outputs (observed by
the environment), and internal (non observable) events
modeling the internal behavior of the system. The alphabet
is then partitioned into
where
_{!}is the alphabet of outputs,
_{?}the alphabet of inputs, and
the alphabet of internal actions.

In the controller synthesis theory, we also distinguish
between controllable and uncontrollable events (
=
_{c}_{uc}), observable and unobservable events (
).

In the context of verification, we also use Timed
Automata. A timed automaton is a tuple
where
Lis a set of locations,
Xis a set of clocks whose valuations are positive real
numbers,
2
^{X}×
Lis a finite set of edges composed
of a source and a target state, a guard given by a finite
conjunction of expressions of the form
where
xis a clock,
cis a natural number and
, a set of resetting clocks, and
assigns an invariant to each location
. The semantics of a timed
automaton is given by a (infinite states) labelled transition
system whose states are composed of a location and a
valuation of clocks.

Also, for verification purposes, we use graph grammars that are a general tool to define families of graphs. Such grammars are formed by a set of rules, left-hand sides being simply hyperedges and right-hand sides hypergraphs. For finite degree, these graph grammars characterise transition graphs of pushdown automata (each graph generated by such a grammar correspond to the transition graph of a pushdown automaton). They provide a simple yet powerfull setting to define and study infinite state systems.

In order to cope with more realistic models, closer to
real specification languages, we also need higher level
models that consider both control and data aspects. We
defined (input-output) symbolic transition systems ((IO)STS),
which are extensions of (IO)LTS that operate on data (i.e.,
program variables, communication parameters, symbolic
constants) through message passing, guards, and assignments.
Formally, an IOSTS is a tuple
(
V,
,
,
T), where
Vis a set of variables (including a counter variable
encoding the control structure),
is the initial condition defined by a predicate on
V,
is the finite alphabet of actions, where each action
has a signature (just like in IOLTS,
can be partitioned as e.g.
),
Tis a finite set of symbolic transitions of the form
t= (
a,
p,
G,
A)where
ais an action (possibly with a polarity reflecting its
input/output/internal nature),
pis a tuple of communication parameters,
Gis a guard defined by a predicate on
pand
V, and
Ais an assignment of variables. The semantics of IOSTS
is defined in terms of (IO)LTS where states are vectors of
values of variables, and transitions between them are
labelled with instantiated actions (action with valued
communication parameter). This (IO)LTS semantics allows us to
perform syntactical transformations at the (IO)STS level
while ensuring semantical properties at the (IO)LTS level. We
also consider extensions of these models with added features
such as recursion, fifo channels, etc. An alternative to
IOSTS to specify systems with data variables is the model of
synchronous dataflow equations.

Our research is based on well established theories: conformance testing, supervisory control, abstract interpretation, and theorem proving. Most of the algorithms that we employ take their origins in these theories:

graph traversal algorithms (breadth first, depth first, strongly connected components, ...). We use these algorithms for verification as well as test generation and control synthesis.

BDDs (Binary Decision Diagrams) algorithms, for manipulating Boolean formula, and their MTBDDs (Multi-Terminal Decision Diagrams) extension for manipulating more general functions. We use these algorithms for verification and test generation.

abstract interpretation algorithms, specifically in the abstract domain of convex polyhedra (for example, Chernikova's algorithm for the computation of dual forms). Such algorithms are used in verification and test generation.

logical decision algorithms, such as satisfiability of formulas in Presburger arithmetics. We use these algorithms during generation and execution of symbolic test cases.

Verification in its full generality consists in checking
that a system, which is specified by a formal model,
satisfies a required property. Verification takes place in
our research in two ways: on the one hand, a large part of
our work, and in particular controller synthesis and
conformance testing, relies on the ability to solve some
verification problems. Many of these problems reduce to
reachability and coreachability questions on a formal model
(a state
sis
*reachable from an initial state
s_{i}*if an execution starting from

On the other hand we investigate verification on its own in the context of complex systems. For expressivity purposes, it is necessary to be able to describe faithfully and to deal with complex systems. Some particular aspects require the use of infinite state models. For example asynchronous communications with unknown transfer delay (and thus arbitrary large number of messages in transit) are correctly modeled by unbounded FIFO queues, and real time systems require the use of continuous variables which evolve with time. Apart from these aspects requiring infinite state data structure, systems often include uncertain or random behaviours (such as failures, actions from the environment), which it make sense to model through probabilities. To encompass these aspects, we are interested in the verification of systems equipped with infinite data structures and/or probabilistic features.

When the state space of the system is infinite, or when we try to evaluate performances, standard model-checking techniques (essentially graph algorithms) are not sufficient. For large or infinite state spaces, symbolic model-checking or approximation techniques are used. Symbolic verification is based on efficient representations of set of states and permits exact model-checking of some well-formed infinite-state systems. However, for feasibility reasons, it is often mandatory to make the use of approximate computations, either by computing a finite abstraction and resort to graph algorithms, or preferably by using more sophisticated abstract interpretation techniques. Another way to cope with large or infinite state systems is deductive verification, which, either alone or in combination with compositional and abstraction techniques, can deal with complex systems that are beyond the scope of fully automatic methods. For systems with stochastic aspects, a quantitative analysis has to be performed, in order to evaluate the performances. Here again, either symbolic techniques (e.g. by grouping states with similar behaviour) or approximation techniques should be used.

We detail below four verification topics we are interested in: abstract interpretation, theorem proving, model-checking of infinite state and probabilistic systems and analysis of systems defined by graph grammars.

Most problems in test generation or controller synthesis
reduce to state reachability and state coreachability
problems which can be solved by fixpoint computations of
the form
x=
F(
x),
xCwhere
Cis a lattice. In the case of reachability analysis,
if we denote by
Sthe state space of the considered program,
Cis the lattice
(
S)of sets of states, ordered by
inclusion, and
Fis roughly the “
*successor states*” function defined by the
program.

The big change induced by taking into account the data and not only the (finite) control of the systems under study is that the fixpoints become uncomputable. The undecidability is overcome by resorting to approximations, using the theoretical framework of Abstract Interpretation . The fundamental principles of Abstract Interpretation are:

to substitute to the
*concrete domain*
Ca simpler
*abstract domain*
A(static approximation) and to transpose the
fixpoint equation into the abstract domain, so that one
has to solve an equation
y=
G(
y),
yA;

to use a
*widening operator*(dynamic approximation) to make
the iterative computation of the least fixpoint of
Gconverge after a finite number of steps to some
upper-approximation (more precisely, a
post-fixpoint).

Approximations are conservative so that the obtained
result is an upper-approximation of the exact result. In
simple cases the state space that should be abstracted has
a simple structure, but this may be more complicated when
variables belong to different data types (Booleans,
numerics, arrays) and when it is necessary to establish
*relations*between the values of different types.

For verification we also use theorem proving and more
particularly the
pvs
and
Coq
proof assistants. These are two
general-purpose systems based on two different versions of
higher-order logic. A verification task in such a proof
assistant consists in encoding the system under
verification and its properties into the logic of the proof
assistant, together with verification
*rules*that allow to prove the properties. Using the
rules usually requires input from the user; for example,
proving that a state predicate holds in every reachable
state of the system (i.e., it is an
*invariant*) typically requires to provide a stronger,
*inductive*invariant, which is preserved by every
execution step of the system. Another type of verification
problem is proving
*simulation*between a concrete and an abstract
semantics of a system. This can also be done by induction
in a systematic manner, by showing that, in each reachable
state of the system, each step of the concrete system is
simulated by a corresponding step at the abstract
level.

Model-checking techniques for finite state probabilistic systems are now quite developed. Given a finite state Markov chain, for example, one can check whether some property holds almost surely (i.e. the set of executions violating the property is negligible), and one can even compute (or at leat approximate as close as wanted) the probability that some property holds. In general, these techniques cannot be adapted to infinite state probabilistic systems, just as model-checking algorithms for finite state systems do not carry over to infinite state systems. For systems exhibiting complex data structures (such as unbounded queues, continuous clocks) and uncertainty modeled by probabilities, it can thus be hard to design model-checking algorithms. However, in some cases, especially when considering qualitative verification, symbolic methods can lead to exact results. Qualitative questions do not aim at computing neither approximating a probability, but are only concerned with almost-sure or non negligible behaviours (that is events either of probability one, or non zero). In some cases, qualitative model-checking can be derived from a combination of techniques for infinite state systems (such as abstractions) with methods for finite state probabilistic systems. However, when one is interested in computing (or rather approximating) precise probability values (neither 0 nor 1), exact methods are scarce. To deal with these questions, we either try to restrict to classes of systems where exact computations can be made, or look for approximation algorithms.

Currently, many techniques (reachability, model checking, ...) from finite state systems have been generalised to pushdown systems, that can be modeled by graph grammars. Several such extensions heavily depend on the actual definition of the pushdown automata, for example, how many top stack symbols may be read, or whether the existence of -transitions (silent transitions) is allowed. Many of these restrictions do not affect the actual structure of the graph, and interesting properties like reachability or satisfiability (of a formula) only depend on the structure of a graph.

Deterministic graph grammars enable to focus on structural properties of systems. The connexion with finite graph algorithms is often straightforward: for example reachability is simply the finite graph algorithm iterated on the right hand sides. On the other hand, extending these grammars with time or probabilities is not straightforward: qualitative values associated to each copy (in the graph) of the same vertex (in the grammar) is different, introducing more complex equations. Furthermore, the fact that the left-hand sides are single hyperarcs is a very strong restriction. But removing this restriction leads to non-recursive graphs. Identifying decidable families of graphs defined by contextual graph grammars is also very challenging.

We are mainly interested in conformance testing which consists in checking whether a black box implementation under test (the real system that is only known by its interface) behaves correctly with respect to its specification (the reference which specifies the intended behavior of the system). In the line of model-based testing, we use formal specifications and their underlying models to unambiguously define the intended behavior of the system, to formally define conformance and to design test case generation algorithms. The difficult problems are to generate test cases that correctly identify faults (the oracle problem) and, as exhaustiveness is impossible to reach in practice, to select an adequate subset of test cases that are likely to detect faults. Hereafter we detail some elements of the models, theories and algorithms we use.

We use IOLTS (or IOSTS) as formal models
for specifications, implementations, test purposes, and test
cases. We adapt a well established theory of conformance
testing
, which formally defines
conformance as a relation between formal models of
specifications and implementations. This conformance
relation, called
**ioco**compares the visible behaviors (called
*suspension traces*) of the implementation
I(denoted by
STraces(
I)) with those of the specification
S(
STraces(
S)). Suspension traces are sequence
of inputs, outputs or quiescence (absence of action denoted
by
), thus abstract away internal behaviors that cannot
be observed by testers. Intuitively,
IiocoSif after a suspension trace of the specification, the
implementation
Ican only show outputs and quiescences of the
specification
S. We re-formulated ioco as a partial inclusion of
visible behaviors as follows:

In other words, suspension traces of
Iwhich are suspension traces of
Sprolongated by an output or quiescence, should still
be suspension traces of
S.

Interestingly, this characterization presents conformance
with respect to
Sas a safety property of suspension traces of
I. The negation of this property is charaterized by a
*canonical tester*
Can(
S)which recognizes exactly
, the set of non-conformant suspension traces. This
*canonical tester*also serves as a basis for test
selection.

Test cases are processes executed against implementations
in order to detect non-conformance. They are also formalized
by IOLTS (or IOSTS) with special states indicating
*verdicts*. The execution of test cases against
implementations is formalized by a parallel composition with
synchronization on common actions. A
*Fail*verdict means that the IUT is rejected and should
correspond to non-conformance, a
*Pass*verdict means that the IUT exhibited a correct
behavior and some specific targeted behaviour has been
observed, while an
*Inconclusive*verdict is given to a correct behavior
that is not targeted.

Test suites (sets of test cases) are required to exhibit some properties relating the verdict they produce to the conformance relation. Soundness means that only non conformant implementations should be rejected by a test suite and exhaustiveness means that every non conformant implementation may be rejected by the test suite. Soundness is not difficult to obtain, but exhaustiveness is not possible in practice and one has to select test cases.

Test selection is often based on the
coverage of some criteria (state coverage, transition
coverage, etc). But test cases are often associated with
*test purposes*describing some abstract behaviors
targeted by a test case. In our framework, test purposes are
specified as IOLTS (or IOSTS) associated with marked states
or dedicated variables, giving them the status of automata or
observers accepting runs (or sequences of actions or
suspension traces). Selection of test cases amounts to
selecting traces of the canonical tester accepted by the test
purpose. The resulting test case is then both an observer of
the negation of a safety property (non-conformance wrt.
S), and an observer of a reachability property
(acceptance by the test purpose). Selection can be reduced to
a model-checking problem where one wants to identify states
(and transitions between them) which are both reachable from
the initial state and co-reachable from the accepting states.
We have proved that these algorithms ensure soundness.
Moreover the (infinite) set of all possibly generated test
cases is also exhaustive. Apart from these theoretical
results, our algorithms are designed to be as efficient as
possible in order to be able to scale up to real
applications.

Our first test generation algorithms are based on enumerative techniques, thus adapted to IOLTS models, and optimized to fight the state-space explosion problem. On-the-fly algorithms where designed and implemented in the TGV tool (see ), which consist in computing co-reachable states from a target state during a lazy exploration of the set of reachable states in a product of the specification and the test purpose . However, this enumerative technique suffers from some limitations when specification models contain data.

More recently, we have explored symbolic test generation
techniques for IOSTS specifications
. The objective is to avoid the
state space explosion problem induced by the enumeration of
values of variables and communication parameters. The idea
consists in computing a test case under the form of an
*IOSTS*, i.e., a reactive program in which the
operations on data are kept in a symbolic form. Test
selection is still based on test purposes (also described as
IOSTS) and involves syntactical transformations of IOSTS
models that should ensure properties of their IOLTS
semantics. However, most of the operations involved in test
generation (determinisation, reachability, and
coreachability) become undecidable. For determinisation we
employ heuristics that allow us to solve the so-called
bounded observable non-determinism (i.e., the result of an
internal choice can be detected after finitely many
observable actions). The product is defined syntactically.
Finally test selection is performed as a syntactical
transformation of transitions which is based on a semantical
reachability and co-reachability analysis. As both problems
are undecidable for IOSTS, syntactical transformations are
guided by over-approximations using abstract interpretation
techniques. Nevertheless, these over-approximations still
ensure soundness of test cases
. These techniques are
implemented in the STG tool (see
), with an interface with
NBACused for
abstract interpretation.

**The Supervisory Control Problem**is concerned with
ensuring (not only checking) that a computer-operated system
works correctly. More precisely, given a specification model
and a required property, the problem is to control the
specification's behavior, by coupling it to a supervisor,
such that the controlled specification satisfies the
property
. The models used are LTSs and
the associated languages, which make a distinction between
*controllable*and
*non-controllable*actions and between
*observable*and
*non-observable*actions. Typically, the controlled
system is constrained by the supervisor, which acts on the
system's controllable actions and forces it to behave as
specified by the property. The control synthesis problem can
be seen as a constructive verification problem: building a
supervisor that prevents the system from violating a
property. Several kinds of properties can be ensured such as
reachability, invariance (i.e. safety), attractivity, etc.
Techniques adapted from model checking are then used to
compute the supervisor w.r.t. the objectives. Optimality must
be taken into account as one often wants to obtain a
supervisor that constrains the system as few as possible.

**The Supervisory Control Theory overview**. Supervisory
control theory deals with control of Discrete Event Systems.
In this theory, the behavior of the system
Sis assumed not to be fully satisfactory. Hence, it has
to be reduced by means of a feedback control (named
Supervisor or Controller) in order to achieve a given set of
requirements
. Namely, if
Sdenotes the specification of the system and
is a safety property that has to be ensured on
S(i.e.
S¬
), the problem consists in
computing a supervisor
, such that

where
is the classical parallel composition between two
LTSs. Given
S, some events of
Sare said to be uncontrollable (
_{uc}), i.e. the occurrence of these events cannot be
prevented by a supervisor, while the others are controllable
(
_{c}). It means that all the supervisors satisfying (
) are not good candidates. In
fact, the behavior of the controlled system must respect an
additional condition that happens to be similar to the
iococonformance relation that we previously defined
in
. This condition is called the
*controllability condition*and is defined as
follows.

Namely, when acting on
S, a supervisor is not allowed to disable
uncontrollable events. Given a safety property
, that can be modeled by an LTS
, there actually exist many different supervisors
satisyfing both (
) and (
). Among all the valid
supervisors, we are interested in computing the supremal one,
ie the one that restricts the system as few as possible. It
has been shown in
that such a supervisor always
exists and is unique. It gives access to a behavior of the
controlled system that is called the supremal controllable
sub-language of
w.r.t.
Sand
_{uc}. In some situations, it may also be interesting to
force the controlled system to be non-blocking (See
for details).

The underlying techniques are similar to the ones used for Automatic Test Generation. It consists in computing a product between the specification and and to remove the states of the obtained LTS that may lead to states that violate the property by triggering only uncontrollable events.

The methods and tools developed by the VerTeCsproject-team for test generation and control synthesis of reactive systems are intended to be as generic as possible. This allows us to apply them in many application domains where the presence of software is predominant and its correctness is essential. In particular, we apply our research in the context of telecommunication systems, for embedded systems, for smart-cards application, and control-command systems.

Our research on test generation was initially proposed for conformance testing of telecommunication protocols. In this domain, testing is a normalized process , and formal specification languages are widely used (SDL in particular). Our test generation techniques have already proved useful in this context, going up to industrial transfer. New standardized component-based design methodologies such as UML and OMG's MDE increase the need for formal techniques in order to ensure the compositionality of components, by verification and testing. Our techniques, by their genericity and adaptativity, have also proved useful at different levels of these methodologies, from component testing to system testing. The telecommunication industry now also tries to provide more and more services to the users. These services must be validated. We are involved with France Telecom R & D in a project on the validation of vocal services. Very recently, we also started to study the impact of our test generation techniques in the domain of network security. More specifically, we believe that testing that a network or information system meets its security policy is a major concern, and complements other design and verification techniques.

In the context of transport, software embedded systems are increasingly predominant. This is particularly important in automotive systems, where software replaces electronics for power train, chassis (e.g. engine control, steering, brakes) and cabin (e.g. wiper, windows, air conditioning) or new services to passengers are increasing (e.g. telematics, entertainment). Car manufacturers have to integrate software components provided by many different suppliers, according to specifications. One of the problems is that testing is done late in the life cycle, when the complete system is available. Faced with these problems, but also complexity of systems, compositionality of components, distribution, etc, car manufacturers now try to promote standardized interfaces and component-based design methodologies. They also develop virtual platforms which allow for testing components before the system is complete. It is clear that software quality and trust are one of the problems that have to be tackled in this context. This is why we believe that our techniques (testing and control) can be useful in such a context.

We have also applied our test generation techniques in the context of smart-card applications. Such applications are typically reactive as they describe interactions between a user, a terminal and a card. The number and complexity of such applications is increasing, with more and more services offered to users. The security of such applications is of primary interest for both users and providers and testing is one of the means to improve it.

The main application domain for controller synthesis is control-command systems. In general, such systems control costly machines (see e.g. robotic systems, flexible manufacturing systems), that are connected to an environment (e.g. a human operator). Such systems are often critical systems and errors occurring during their execution may have dramatic economical or human consequences. In this field, the controller synthesis methodology (CSM) is useful to ensure by construction the interaction between 1) the different components, and 2) the environment and the system itself. For the first point, the CSM is often used as a safe scheduler, whereas for the second one, the supervisor can be interpreted as a safe discrete tele-operation system.

TGV (Test Generation with Verification technology) is a tool for test generation of conformance test suites from specifications of reactive systems . It is based on the IOLTS model, a well defined theory of testing, and on-the-fly test generation algorithms coming from verification technology. Originally, TGV allows test generation focused on well defined behaviors formalized by test purposes. The main operations of TGV are (1) a synchronous product which identifies sequences of the specification accepted by a test purpose, (2) abstraction and determinisation for the computation of next visible actions, (3) selection of test cases by the computation of reachable states from the initial states and co-reachable states from accepting states. TGV has been developed in collaboration with Vérimag Grenoble and uses libraries of the CADP toolbox ( VERIMAGand VASY). TGV can be seen as a library that can be linked to different simulation tools through well defined APIs. An academic version of TGV is distributed in the CADP toolbox and allows test generation from Lotos specifications by a connection to its simulator API. The first version of TGV is protected by APP (Agence de Protection des Programmes) Number IDDN.FR.001.310012.00.R.P.1997.000.2090.

Stg(Symbolic Test
Generation) is a prototype tool for the generation and
execution of test cases using symbolic techniques. It takes
as input a specification and a test purpose described as
IOSTS, and generates a test case program also in the form of
IOSTS. Test generation in STG is based on a syntactic product
of the specification and test purpose IOSTS, an extraction of
the subgraph corresponding to the test purpose, elimination
of internal actions, determinisation, and simplification. The
simplification phase now relies on
NBAC, which
approximates reachable and coreachable states using abstract
interpretation. It is used to eliminate unreachable states,
and to strengthen the guards of system inputs in order to
eliminate some
*Inconclusive*verdicts. After a translation into C++ or
Java, test cases can be executed on an implementation in the
corresponding language. Constraints on system input
parameters are solved on-the-fly (i.e. during execution)
using a constraint solver. The first version of STG was
developed in C++, using Omega as constraint solver during
execution. This version has been deposit at APP
(IDDN.FR.001.510006.000.S.P.2004.000.10600).

A new version in OCaml has been developed in the last two years. This version is more generic and will serve as a library for symbolic operations on IOSTS. Most functionalities of the C++ version have been re-implemented. Also a new translation of abstract test cases into Java executable tests has been developed, in which the constraint solver is LuckyDraw( VERIMAG). This version has also been deposit at APP and is available for download on the web as well as its documentation and some examples.

Finally, in collaboration with ULB, we implemented a prototype SMACS, derived from STG, that is devoted to the control of infinite system modeled by STS.

Sigaliis a model-checking tool that operates on ILTS (Implicit Labeled Transition Systems, an equational representation of an automaton), an intermediate model for discrete event systems. It offers functionalities for verification of reactive systems and discrete controller synthesis. It is developed jointly by the ESPRESSOand VerTeCsteams. The techniques used consist in manipulating the system of equations instead of the set of solutions, which avoids the enumeration of the state space. Each set of states is uniquely characterized by a predicate and the operations on sets can be equivalently performed on the associated predicates. Therefore, a wide spectrum of properties, such as liveness, invariance, reachability and attractivity, can be checked. Algorithms for the computation of predicates on states are also available , . Sigaliis connected with the Polychrony environment ( ESPRESSOproject-team) as well as the Matou environment ( VERIMAG), thus allowing the modeling of reactive systems by means of Signal Specification or Mode Automata and the visualization of the synthesized controller by an interactive simulation of the controlled system. Sigaliis protected by APP (Agence de Protection des Programmes).

Timed automata are frequently used to model real-time
systems. Their determinization is a key issue for several
validation problems. However, not all timed automata can
be determinized, and determinizability itself is
undecidable. In
,
, we propose a game-based
algorithm which, given a timed automaton, tries to
produce a language-equivalent deterministic timed
automaton, otherwise a deterministic over-approximation.
Our method subsumes two recent contributions: it is at
once more general than an existing (non terminating)
determinization procedure by Baier
*et al.*(2009) and more precise than the
approximation algorithm of Krichen and Tripakis (2009).
Moreover, an extension of the method allows to deal with
invariants and
-transitions, and to consider other useful
approximations: underapproximation, and combination of
under- and over-approximations.

Deterministic graph grammars generate regular graphs, that form a structural extension of configuration graphs of pushdown systems. In , we study a probabilistic extension of regular graphs obtained by labelling the terminal arcs of the graph grammars by probabilities. Stochastic properties of these graphs are expressed using PCTL, a probabilistic extension of computation tree logic. We present here an algorithm to perform approximate verification of PCTL formulae. Moreover, we prove that the exact model-checking problem for PCTL on probabilistic regular graphs is undecidable, unless restricting to qualitative properties. Our results generalise those of Esparza et al (2006), on probabilistic pushdown automata, using similar methods combined with graph grammars techniques.

Deterministic graph grammars generate a family of infinite graphs which characterise context-free (word) languages. The present work introduces a context-sensitive extension of these grammars. We prove that this extension characterises rational graphs (whose traces are context-sensitive languages). We illustrate that this extension is not straightforward: the most obvious context-sensitive graph rewriting systems generate non recursive infinite graphs .

We present an approach for verifying dynamic systems specified in rewriting logic, a formal specification language implemented in the Maude system. Our approach is tailored for invariants, i.e., properties that hold on all states reachable from a given class of initial states. The approach consists in encoding invariance properties into inductive properties written in membership equational logic, a sublogic of rewriting logic also implemented in Maude. The invariants can then be verified using an inductive theorem prover available for membership equational logic, possibly in interaction with narrowing-based symbolic analysis tools for rewriting-logic specifications also available in the Maude environment.We show that it is possible, and useful, to automatically test invariants by symbolic analysis before interactively proving them .

In , we propose novel off-line test generation techniques for non-deterministic timed automata with inputs and outputs (TAIOs) in the formal framework of the tioco conformance theory. In this context, a first problem is the determinization of TAIOs, which is necessary to foresee next enabled actions, but is in general impossible. The determinization problem is solved in thanks to an approximate determinization using a game approach. We adapt this procedure here to over- and under-approximation, in order to preserve tioco and guarantee the soundness of generated test cases. A second problem is test selection for which a precise description of timed behaviors to be tested is carried out by expressive test purposes modeled by a generalization of TAIOs. Finally, using a symbolic co-reachability analysis guided by the test purpose, test cases are generated in the form of TAIOs equipped with verdicts.

We explore the set of testable properties within the Safety-Progress classification where testability means to establish by testing that a relation, between the tested system and the property under scrutiny, holds. We characterize testable properties wrt. several relations of interest. For each relation, we give a sufficient condition for a property to be testable. Then, we study and delineate, for each Safety-Progress class, the subset of testable properties and their corresponding test oracle producing verdicts for the possible test executions. Furthermore, we address automatic test generation for the proposed framework. Finally, a tool implementing the results has been developped , .

Monitoring of recursive discrete-event systems under partial observation is an important issue with major applications such as the diagnosability of faulty behaviors and the detection of information flow. We consider regular discrete-event systems, that is recursive discrete-event systems definable by deterministic graph grammars. This setting is expressive enough to capture classical models of recursive systems such as the pushdown systems. Hence they are infinite-state in general and standard powerset constructions for monitoring do not apply anymore. We exhibit computable conditions on these grammars together with non-trivial transformations of graph grammars that enable us to construct a monitor. This construction is applied to diagnose faulty behaviors and to detect information flow in regular discrete-event systems.

Conformance testing has a rich underlying formal theory called IOLTS-based conformance testing. Depending upon whether the implementation-under-test (IUT) interacts with its environment directly, or indirectly through a medium, IOLTS-based conformance testing can be classified as synchronous testing or asynchronous testing, respectively. So far the problem of test case selection has been addressed mostly in the context of synchronous testing. In this work we contribute by addressing this problem in the context of asynchronous testing. Though an asynchronously communicating process can be simulated by a synchronously communicating process, the fact that the simulating process is infinite state even if the simulated process is finite state made the problem challenging.

In the field of computer security, a problem that
received little attention so far is the enforcement of
confidentiality properties by supervisory control. Given
a critical system
Gthat may leak confidential information, the
problem consists in designing a controller
C, possibly disabling occurrences of a fixed subset
of events of
G, so that the closed-loop system
G/
Cdoes not leak confidential
information. We consider this problem in the case where
Gis a finite transition system with set of events
and an inquisitive user, called the adversary,
observes a subset
_{a}of
. The confidential information is the fact (when
it is true) that the trace of the execution of
Gon
^{*}belongs to a regular set
, called the secret. The secret
Sis said to be opaque w.r.t.
G(resp.
G/
C) and
_{a}if the adversary cannot safely infer this fact
from the trace of the execution of
G(resp.
G/
C) on
_{a}^{*}. In the converse case, the secret can be
disclosed. We present an effective algorithm for
computing the most permissive controller
Csuch that
Sis opaque w.r.t.
G/
Cand
_{a}. This algorithm subsumes two earlier algorithms
working under the strong assumption that the alphabet
_{a}of the adversary and the set of events that the
controller can disable are comparable
.

In the service oriented architecture framework, a modal specification, as defined by Larsen et al, formalises how a service should interact with its environment. More precisely, a modal specification determines the events that the server may or must allow at each stage in an interactive session. Therefore, techniques to enforce a modal specification on a system would be useful for practical applications. In this work, we investigate the adaptation of the supervisory control theory of Ramadge and Wonham to enforce a modal specification (with final states marking the ends of the sessions) on a system modelled by a finite LTS. We prove that there exists at most one most permissive solution to this control problem. We also prove that this solution is regular and we present an algorithm for the effective computation of the corresponding controller .

We propose a technique for discrete controller synthesis, with optimal synthesis on bounded paths, in order to model, design, and optimize fault-tolerant distributed systems, taking into account several criteria (e.g., the execution costs of the tasks and their quality of service). Different combinations are explored for multi-criteria optimization .

We describe the extension of a reactive programming language with a behavioral contract construct. It is dedicated to the programming of reactive control of applications in embedded systems, and involves principles of the supervisory control of discrete event systems. Our contribution is in a language approach where modular discrete controller synthesis (DCS) is integrated, and it is concretized in the encapsulation of DCS into a compilation process. From transition system specifications of possible behaviors, DCS automatically produces controllers that make the controlled system satisfy the property given as objective. Our language features and compiling technique provide correctness-by-construction in that sense, and enhance reliability and verifiability. Our application domain is adaptive and reconfigurable systems: closed-loop adaptation mechanisms enable flexible execution of functionalities w.r.t. changing resource and environment conditions. Our language can serve programming such adaption controllers. This work particularly describes the compilation of the language. We present a method for the modular application of discrete controller synthesis on synchronous programs, and its integration in the BZR language. We consider structured programs, as a composition of nodes, and first apply DCS on particular nodes of the program, in order to reduce the complexity of the controller computation; then, we allow the abstraction of parts of the program for this computation; and finally, we show how to recompose the different controllers computed from different abstractions for their correct coexecution with the initial program. Our work is illustrated with examples, and we present quantitative results about its implementation .

The TesTec project is a three years [2008-2010] industrial research project that gathers two companies: an end-user (EDF R&D ) and one software editor for embedded real-time systems and automation systems (Geensys), and four laboratories from automation engineering and computer science (I3S, INRIA Rennes, LaBRI, LURPA). This project focuses on automatic generation and execution of tests for the class of embedded real-time systems. They are highly critical. Such systems can be found in many industrial domains, such as energy, transport systems. More precisely the project TesTec will address two crucial technological issues:

optimisation of test generation techniques for large size systems, in particular by an explicit modelling of time and by simultaneous management of continuous and discrete variables in hybrid applications;

reduction of the size of the tests derived from specification models by using the results of formal verification of implementation models.

The overall aim of this project is to propose a software tool for generation and execution of tests; this tool will be based on an existing environment for embedded systems design and will implement the scientific results of the project.

This year our contributions to this project were our works on test generation from timed models, as well as approximate determinization of timed automata.

In 2010, the post-doc position of Puneet Bhateja and the internship of Amélie Stainer were funded by TestTec.

The GIPSy "Action Incitative" is a one-year [2010] project funded by Rennes 1 University to develop emerging research themes. The goal of the project is to start studying games of imperfect information and logics for privacy and security in protocols. The participants are Sophie Pinchinat (leader, S4), Sébastien Gambs (ADEPT), Loïc Hélouët and Blaise Genest (DistribCom), and Nathalie Bertrand (Vertecs). To gather researchers interested in the topic, a workshop on Games, Logics and Security has been organized in November 2010.

The central objective for ArtistDesign
http://

The research effort aims at integrating topics, teams, and competencies, grouped into 4 Thematic Clusters: “Modelling and Validation”, “Software Synthesis, Code Generation, and Timing Analysis”, “Operating Systems and Networks”, “Platforms and MPSoC”. “Transversal Integration” covering both industrial applications and design issues aims for integration between clusters.

The Vertecs EPI is a partner of the “Validation” activity of the “Modeling and Validation” cluster. The objective is to address the growth in complexity of future embedded products while reducing time and cost to market. This requires methods allowing for early exploration and assessment of alternative design solutions as well as efficient methods for verifying final implementations. This calls for a range of model-based validation techniques ranging from simulation, testing, model-checking, compositional techniques, refinement as well as abstract interpretation. The challenge will be in designing scalable techniques allowing for efficient and accurate analysis of performance and dependability issues with respect to the various types of (quantitative) models considered. The activity brings together the leading teams in Europe in the area of model-based validation.

We are partners of the Combest European Strep Project
http://

The objective of this bilateral collaboration [2009-2010] with the group of Prof. Christel Baier in TU Dresden (Germany) is to study partially observable probabilistic systems. This year, Christel Baier and Clemens Dubslaff visited Rennes for 1 week and Nathalie Bertrand went to Dresden for 2 weeks.

A two-year contract with the group of Thomas Brihaye (Université Mons) started in 2010. Its objective is to study timed and probabilistic systems. This year, Thomas Brihaye together with Patricia Bouyer made a 1 week visit in Rennes and Nathalie Betrand visited Mons for 1 week. Moreover, Amélie Stainer, Nathalie Bertrand, Thomas Brihaye and Patricia Bouyer met for 3 days in Cachan.

This two years collaboration [2009-2010] with ENIS Sfax Tunisia (Maher Ben Jemaa and Moez Krichen) is targetted on testing embedded systems and adaptability (with the Paris project team). It is funded by an DGRST - INRIA grant which involves visits on both sides and scholarships for Tunisian students. M. Krichen visited Vertecs during one month in summer 2010, working on test generation from timed automata.

This associated team
http://

We collaborate with several Inria project-teams. We collaborate with the ESPRESSOEPI for the development of the Sigalitool inside the Polychrony environment. With the Pop Artand SardeEPI on the use of the controller synthesis methodology for the control of control-command systems (e.g. robotic systems). With Distribcomon stochastic games with partial observation. With the S4EPI on the use of control, game theory and diagnosis for test generation as well as on the study of timed modal specifications, in the context of the Combest grant and with the TriskellEPI (Benoit Combemale) on analysis of domain-specific modelling languages. With the VASYEPI on the use of CADP libraries in TGV and the distribution of TGV in the CADP toolbox.

We collaborate with Verimag in Grenoble on automatic test generation. We also work in collaboration with the LSV Cachan on topological and probabilistic semantics for timed automata. With LURPA Cachan, LaBRI Bordeaux and I3S Nice we collaborate on testing control-command systems in the context of the RNTL TesTec grant.

in Belgium (Prof. Thierry Massart) on testing and control of symbolic transitions systems. Gabriel Kalyon visited us for 1 week in september and Hervé Marchand visited ULB for 3 weeks.

(Matthew Hague) on Probabilistic Higher order pushdown automata.

(Roland Meyer) on Petri nets.

at Urbana Champaign, USA (Prof. Grigore Rosu) and Univ. Iasi, Romania (Prof. Dorel Lucanu) on formally defining and veryfying domain-specific languages by means of rewriting techniques.

(Marina Egea) on formal semantics conformance in model-driven engineering

in USA (Prof. Stéphane Lafortune) on control and diagnosis of discrete event systems.

gave a course on Advanced model-cheching in the VTS module of the Master 2 Recherche at Université Rennes 1 in Fall 2010. She taught Finite Automata and regular languages to students of ENS Ker Lann preparing the Agrégation de Mathématiques.

is teaching at the University of Marne La Vallée (192h/year).

taught 8h to students of ENS Ker Lann preparing the Agrégation de Mathématiques.

**Current PhD. thesis:**

“
*Verification and Test of systems modeled by regular
graphs*”, second year.

“
*Quantitative verification of timed automata*”,
first year.

**Trainees 2009-2010:**

“
*Test of timed automata*”

was PC member of QAPL'10, EXPRESS'10 and WODES'10 worshops, and QEST'10 conference and SC member of the GIPSy Workshop. She was invited at Schloss Dagstuhl for the seminar on Quantitative models in January 2010.

was an editor of the Proceedings of the 1st International Conference on Runtime Verification. He was a reviewer for several conferences (HSCC'11, FASE'11, WODES'10, VECOS', TASE'10). He gave an invited talk "What can You Verify and Enforce at Runtime ?" at INRIA Grenoble and during the GDR GPL day. He also gave a tutorial "You should Better Enforce than Verify" during the RV'10 conference. Finally, he visited NASA JPL for one week.

was PC member of ICTSS'2010, ICFEM'10, a thematic track of QUATIC'2010 and SC member of Movep 2010. He was reviewer of the PhD defense of Marius Mikucionis (University of Aalborg, Denmark, June 2010) and of the thesis proposal of Sidney Nogueira (University of Pernambuco, Brazil, November 2010). He is member of the IFIP Working Group 10.2 on Embedded Systems.

is Associate Editor of the IEEE Transactions on Automatic Control journal and member of the IFAC Technical Committees (TC 1.3 on Discrete Event and Hybrid Systems). He was PC member of the ICINCO'10, Wodes'10 Conferences and IFAC Worl Congress 2011. He visited ULB (Bruxelles) for three weeks in April and November 2010. He was member of the PhD commitee of Gabriel Kalyon ULB, Bruxelles, November 2010) and co-advisor of this thesis.

was invited to give a seminar “On probabilistic regular graphs” at LSV, Cachan.

organized the EJCP (Ecole Jeunes Chercheurs en Programmation) in June 2010. He was on the committee of the PhD thesis of Jose Escobedo (University Evry Val d'Essonne) on Symbolic Test Case Generation for Testing Orchestrators in Context (November 2010). He gave an invited talk entitled "Embedding domain-specific languages in Maude specifications" at the Univ. Iasi, (Romania) in January 2010, at the 1st International Workshop on the K Framework (Nags Head, North Carolina, USA) in August 2010 and at CWI (Amsterdam) in October 2010. He is "Foreign Advisor" for PhD students at the University of Iasi (Romania).