Formes

Formesstands for FORmal Methods for Embedded Systems. Formesis aiming at making research advances towards the development of safe and reliable embedded systems, by exploiting synergies between two different approaches, namely (real time) hardware simulation and formal proofs development.

Embedded systems have become ubiquitous in our everyday life, ranging from simple sensors to complex systems such as mobile phones, network routers, airplane, aerospace and defense apparatus. As embedded devices include increasingly sophisticated hardware and software, the development of combined hardware and software has become a key to economic success.

The development of embedded systems uses hardware with increasing capacities. As embedded devices include increasingly sophisticated hardware running complex functions, the development of software for embedded systems is becoming a critical issue for the industry. There are often stringent time to market and quality requirements for embedded systems manufacturers. Safety and security requirements are satisfied by using strong validation tools and some form of formal methods, accompanied with certification processes such as DO178 or Common Criteria certification. These requirements for quality of service, safety and security imply to have formally proved the required properties of the system before it is deployed.

Within the context described above, the Formesproject aims at addressing the challenges of embedded systems design with a new approach, combining fast hardware simulation techniques with advanced formal methods, in order to formally prove qualitative and quantitative properties of the final system. This approach requires the construction of a simulation environment and tools for the analysis of simulation outputs and proofs of properties of the simulated system. We therefore need to connect simulation tools with code-analyzers and easy-to-use theorem provers for achieving the following tasks:

Enhance the hardware simulation technologies with new techniques to improve simulation speed, and produce program representations that are adequate for formal analysis and proofs of the simulated programs ;

Connect validation tools that can be used in conjunction with simulation outputs that can be exploited using formal methods ;

Extend and improve the theorem proving technologies and tools to support the application to embedded software simulation.

A main novelty of the project, besides improving the existing technologies and tools, relies in the application itself: to combine simulation technologies with formal methods in order to cut down the development time for embedded software and scale up its reliability. Apart from being a novelty, this combination is also a necessity: proving very large code is unrealistic and will remain so for quite some time; and relying only on simulation for assessing critical properties of embedded systems is unrealistic as well.

We assume that these properties can be localized in critical, but small, parts of the code, or dedicated hardware models. This nevertheless requires scaling up the proof activity by an order of magnitude with respect to the size of codes and the proof development time. We expect that it is realistic to rely on both combined. We plan to rely on formal proofs for assessing properties of small, critical components of the embedded system that can be analyzed independently of the environment. We plan to rely on formal proofs as well for assessing correctness of the elaboration of program representation abstractions from object code. We plan to rely on simulations for testing the whole embedded system, and to formal proofs to verify the completeness of test sets. We finally plan to rely on formal proofs again for verifying the correct functioning of our tools. Proving properties of these various abstractions requires using a certified, interactive theorem prover.

The project Formeswas created in September 2008, by union of three different smaller groups which origin and interests were somewhat different : a group working on simulation of embedded systems at CASIA since march 2007 under the leadership of Vania Joloboff; a second group working on user-assisted theorem proving under the leadership of Jean-Pierre Jouannaud originated from the INRIA project-teams LogiCalat INRIA-Saclay-Île-de-France and Protheoat INRIA-Lorraine; and a group working on model-checking and trustworthy computing at Tsinghua University under the leadership of Gu Ming. The second group moved from France to Beijing in September 2008. A previous 4 weeks visit of Jean-Pierre Jouannaud and Frédéric Blanqui in March 2008 had been used to define the new project Formes, and prepare its installation at Tsinghua university.

Formesis the acronym for FORmal Methods for Embedded Systems, and indeed we aim at combining in this project formal methods of very different origins
for analyzing embedded systems. We develop a software (SimSoC) for
*simulating*embedded systems, but we also develop other techniques and tools in order to analyze and predict their behavior, and that of the software running on such systems. These
techniques themselves are of different origin, and are usually developed in different teams around the world.
*Verification*techniques based on model checking have been extensively and successfully used in the past to analyze hardware systems.
*Decisions procedures*, like SAT, are now common place to analyze specific software applications, such as scheduling. Proof assistants are more and more employed to carry out
*formal proofs*of correctness of security protocols and more generally non-trivial pieces of software. One originality of our project is to
combineall these techniques in order to achieve our goal : to design methods and tools allowing one to build reliable software, also called
*trustworthy computing*.

In the next sections, we describe in more details these five areas, and their relationship to Formes.

The development of complex embedded systems platforms requires putting together many hardware components, processor cores, application specific co-processors, bus architectures, peripherals, etc. The hardware platform of a project is seldom entirely new. In fact, in most cases, 80 percent of the hardware components are re-used from previous projects or simply are COTS (Commercial Off-The-Shelf) components. There is no need to simulate in great detail these already proven components, whereas there is a need to run fast simulation of the software using these components.

These requirements call for an integrated, modular simulation environment where already proven components can be simulated quickly, (possibly including real hardware in the loop), new components under design can be tested more thoroughly, and the software can be tested on the complete platform with reasonable speed.

Modularity and fast prototyping also have become important aspects of simulation frameworks, for investigating alternative designs with easier re-use and integration of third party components.

The project aims at developing such a rapid prototyping, modular simulation platform, combining new hardware components modeling, verification techniques, fast software simulation for proven components, capable of running the real embedded software application without any change.

To fully simulate a complete hardware platform, one must simulate the processors, the co-processors, together with the peripherals such as network controllers, graphics controllers, USB controllers, etc. A commonly used solution is the combination of some ISS (Instruction Set Simulator) connected to a Hardware Description Language (HDL) simulator which can be implemented by software or by using a FPGA simulator. These solutions tend to present slow iteration design cycles and implementing the FPGA means the hardware has already been designed at low level, which comes normally late in the project and become very costly when using large FPGA platforms. Others have implemented a co-simulation environment, using two separate technologies, typically one using a HDL and another one using an ISS , , . Some communication and synchronization must be designed and maintained between the two using some inter-process communication (IPC), which slows down the process.

The idea we pursue is to combine hardware modeling and fast simulation into a fully integrated, software based (not using FPGA) simulation environment named SimSoC, which uses a single simulation loop thanks to Transaction Level Modeling (TLM) , combined with a new ISS technology designed specifically to fit within the TLM environment.

The most challenging way to enhance simulation speed is to simulate the processors. Processor simulation is achieved with Instruction Set Simulation (ISS). There are several alternatives to
achieve such simulation. In
*interpretive simulation*, each instruction of the target program is fetched from memory, decoded, and executed. This method is flexible and easy to implement, but the simulation speed is
slow as it wastes a lot of time in decoding. Interpretive simulation is used in Simplescalar
. Another technique to implement a fast ISS is
*dynamic translation*
,
,
which has been favored by many
,
,
,
in the past decade.

With dynamic translation, the binary target instructions are fetched from memory at run-time, like in interpretive simulation. They are decoded on the first execution and the simulator translates these instructions into another representation which is stored into a cache. On further execution of the same instructions, the translated cached version is used. Dynamic translation introduces a translation time phase as part of the overall simulation time. But as the resulting cached code is re-used, the translation time is amortized over time. If the code is modified during run-time, the simulator must invalidate the cached representation. Dynamic translation provides much faster simulation while keeping the advantage of interpretive simulation as it supports the simulation of programs that have either dynamic loading or self-modifying code.

There are many ways of translating binary code into cached data, which each come at a price, with different trade-offs between the translation time and the obtained speed up on cache execution. Also, simulation speed-ups usually don't come for free : most of time there is a trade-off between accuracy and speed.

There are two well known variants of the dynamic translation technology: the target code is translated either directly into machine code for the simulation host, or into an intermediate representation, independent from the host machine, that makes it possible to execute the code with faster speed. Both have pros and cons.

Processor simulation is also achieved in Virtual Machines such as QEMU and GXEMUL that emulate to a large extent the behavior of a particular hardware platform. The technique used in QEMU is a form of dynamic translation. The target code is translated directly into machine code using some pre-determined code patterns that have been pre-compiled with the C compiler. Both QEMU and GXEMUL include many device models of open-source C code, but this code is hard to reuse. The functions that emulate device accesses do not have the same profile. The scheduling process of the parallel hardware entities is not specified well enough to guarantee the compatibility between several emulators or re-usability of third-party models using the standards from the electronics industry (e.g. IEEE 1666).

A challenge in the development of high performance simulators is to maintain simultaneously fast speed and simulation accuracy. In the Formesproject, we expect to develop a dynamic translation technology satisfying the following additional objectives:

provide different levels of translation with different degrees of accuracy so that users can choose between accurate and slow (for debugging) or less accurate but fast simulation.

to take advantage of multi-processor simulation hosts to parallelize the simulation;

to define intermediate representations of programs that optimize the simulation speed and possibly provide a more convenient format for studying properties of the simulated programs.

Another objective of the Formessimulation is to extract information from the simulated applications to prove properties. Running a simulation is exercising a test case. In most cases, if a test is failing, a bug has been found. One can use model checking tools to generate tests that can be run on the simulator to check whether the test fails or not on the real application. It is also a goal of Formessimulation activity to use such formal methods tools to detect bugs, either by generating tests, or by using formal methods tools to analyze the results of simulation sessions.

Modeling in Coq is not always as easy as argued. In Coq, a powerful, very useful mechanism identifies expressions up to computation. For example, identifying two lists of identical content
but respective lengths
*Coq modulo Theories*, in which computations do not operate only on closed terms (as are
*proof certificate*in case of success, the correctness of a Coq proof now results from type checking the proof as well as the various certificates generated along the proof. Trusting Coq
becomes incremental, resulting from trusting each certificate checker when added in turn to Coq's kernel. The development of this new paradigm is our first research challenge here.

Scaling up is yet another challenge. Modeling a large, complex software is a hard task which has been addressed within the Coq community in two different ways. By developing a module system
for Coq in the OCaml style, which makes it possible to modularize proof developments and hence to develop modular libraries. By developing a methodology for modeling real programs and proving
their properties with Coq. This methodology allows to translate a JavaCard (tool Krakatoa

Our last challenge is to rely on certified tools only. In particular, we decided to certify in Coq all extensions of Coq developed in the project: the core logic of CoqMT (a Calculus of
Inductive Constructions incorporating Presburger arithmetic) has been certified with Coq. Of course, Coq itself cannot be reduced to CIC anymore, which makes the certification of the
*real logic*of CoqMT a major challenge. The most critical parts of the simulator will also be certified. As for compilers, there are two ways to certify tools: either, the code is proved
correct, or it outputs a certificate that can be checked. The second approach demands less man-power, and has the other advantage to be compatible with the use of tools taken from the shelves,
provided these tools are open-source since they must be equipped with a mechanism for generating certificates. This is the approach we will favor for the theories to be used in CoqMT, as well
as for the SMT prover to be developed. For the simulator SimSoC itself, we shall probably combine both approaches.

Some of these challenges require expertise in both rewriting and type theory. To maintain this combined expertise in Formes, we also carry out theoretical activities in these areas, even if they may sometimes appear remotely connected to the mainstream of our work on the verification of embedded systems. First and higher-order rewriting deal with relations on sets (abstract rewriting), term algebras (first-order rewriting), and binding algebras (higher-order rewriting), which are generated by a (usually finite) set of pairs. Important problems are few: termination (also called strong normalization) is the property of non-existence of infinite computations; confluence is the property that rewriting computations, although non-deterministic, return a unique result, hence define functions; Subject reduction is the property that computations preserve types. Since the third is usually easy to check, we are mostly interested in confluence and termination.

Model checking is an automatic formal verification technique . In order to apply the technique, users have to formally specify desired properties on an abstract model of the system under verification. Model checkers will check whether the abstract model satisfies the given properties. If model checkers are able to prove or disprove the properties on the abstract model, they report the result and terminate. In practice, however, abstract models can be extremely complicated, model checkers may not conclude with reasonable computational resources.

Finding contextual assumptions however is difficult and may require clairvoyance. Interestingly, a fully automated technique for computing contextual assumptions was proposed in . The automated technique formalizes the contextual assumption generation problem as a learning problem. If properties and abstract models are formalized as finite automata, then a contextual assumption is nothing but an unknown finite automaton that characterizes the environment. Applying a learning algorithm for finite automata, the automated technique will generate contextual assumptions for assume-guarantee reasoning. Experimental results show that the automated technique can outperform a monolithic and explicit verification algorithm.

The success of the learning-based assume-guarantee reasoning is however not satisfactory. Most verification tools are using implicit algorithms. In fact, implicit representations such as
Binary Decision Diagrams can improve the capacity of model checking algorithms in several order of magnitudes. Early learning-based techniques, on the other hand, are based on the

Learning Boolean functions can also be applied to loop invariant inference , . Suppose that a programmer annotates a loop with pre- and post-conditions. We would like to compute a loop invariant to verify that the annotated loop conforms to its specification. Finding loop invariants manually is very tedious. One makes a first guess and then iteratively refines the guess by examining the loop body. This process is in fact very similar to learning an unknown formula. Applying predicate abstraction and decision procedures, a learning algorithm for Boolean functions can infer loop invariants generated by a given set of atomic predicates. Preliminary experimental results show that the learning-based technique is effective for annotated loops extracted from source codes of Linux and SPEC2000 benchmarks.

Although implicit learning techniques have been developed for assume-guarantee reasoning and loop invariant inference successfully, challenges still remain. Currently, the learning algorithm is able to infer Boolean functions over tens of Boolean variables. Contextual assumptions over tens of Boolean variables are not enough. Ideally, one would like to have contextual assumptions over hundreds (even thousands) of Boolean variables. On the other hand, it is known that learning arbitrary Boolean functions is infeasible. The scalability of implicit learning techniques cannot be improved satisfactorily by tuning the learning algorithm alone. Combining implicit learning with abstraction will be essential to improve its scalability.

Our second challenge is to extend learning-based techniques to other computation models. In addition to finite automata, probabilistic automata and timed automata are also widely used to
specify abstract models. Their verification problems are much more difficult than those for finite automata. Compositional reasoning thus can improve the capacity of model checkers more
significantly. Recently, the

Through predicate abstraction, learning Boolean functions can be very useful in program analysis. We have successfully applied algorithmic learning to infer both quantified and quantifier-free loop invariants for annotated loops. Applying algorithmic learning to static analysis or program testing will be our last challenge. In the context of program analysis, scalability of the learning algorithm is less of an issue. Formulas over tens of atomic predicates usually suffice to characterize relation among program variables. On the other hand, learning algorithms require oracles to answer queries or generate samples. Designing such oracles necessarily requires information extracted from program texts. How to extract information will be essential to applying algorithmic learning in static analysis or program testing.

Decision procedures are of utmost importance for us, since they are at the heart of theorem proving and verification. Research in decision procedures started several decades ago, and are now commonly used both in the academia and industry. A decision procedure is an algorithm which returns a correct yes/no answer to a given input decision problem. Many real-world problems can be reduced to the decision problems, making this technique very practical. For example, Intel and AMD are developing solvers for their circuit verification tools, while Microsoft is developing decision procedures for their code analysis tools.

Mathematical logic is the appropriate tool to formulate a decision problem. Most decision problems are formulated as a decidable fragment of a first-order logic interpreted in some specific domain. On such, easy and popular fragment, is propositional (or Boolean) logic, which corresponding decision procedure is called SAT. Representing real problems in SAT often results in awkward encodings that destroy the logical structure of the original problem.

A very popular, effective recent trend is Satisfiability Modulo Theories (SMT)
, a general technique to solve decision problems formulated as
propositional formulas operating on atoms in a given background theory, for example linear real arithmetic. Existing approaches for solving SMT problems can be classified into two categories:
*lazy*method
, and
*eager*method
. The eager method encodes an SMT problem into an equi-satisfiable
SAT problem, while the lazy method employs different theory solvers for each theory and coordinates them appropriately. The eager method does allow the user to express her problem in a natural
way, but does not exploit its logical structure to speed up the computation. The lazy approach is more appealing, and has prompted much interest in algorithms for the various background
theories important in practice.

Our SMT solver aCiNO is based on the lazy approach. So far, it provides with two (popular) theories only: linear real arithmetic (LRA) and uninterpreted functions (UF). For efficiency consideration, the solver is implemented in an incremental way. It also invokes an online SAT solver, which is now a modified DPLL procedure, so that recovery from conflicts is possible. Our challenge here is twofold: first, to add other theories of interest for the project, we are currently working on fragments of the theory of arrays , . The theory of arrays is important because of its use for expressing loop invariants in programs with arrays, but its full first-order theory is undecidable. We are also interested in the theory of bit vectors, very much used for hardware verification.

Theory solvers implement state-of-the-art algorithms which sophistication makes their correct implementation a delicate task. Moreover, SMT solvers themselves employ a quite complex
machinery, making them error prone as well

Since the early days of software development, computer scientists have been interested in designing methods for improving software quality. Formal methods based on model checking, correctness proofs, common criteria certification, all address this issue in their own way. None of these methods, however, considers the trustworthiness of a given software system as a system-level property, requiring to grasp a given software within its environment of execution.

The major challenge we want to address here is to provide a framework in which to formalize the notion of trustworthiness, to evaluate the trustworthiness of a given software, and if necessary improve it.

To make trustworthiness a fruitful concept, our vision is to formalize it via a hierarchy of observability and controllability degrees: the more the software is observable and controllable, the more its behaviors can be trusted by users. On the other hand, users from different application domains have different expectations from the software they use. For example, aerospace embedded software should be safety-critical while e-commerce software should be insensitive to attacks. As a result, trustworthiness should be domain-specific.

A main challenge is the evaluation of trustworthiness. We believe that users should be responsible for describing the level of trustworthiness they need, in the form of formal requirements that the software should satisfy. A major issue is to come up with some predefined levels of trustworthiness for the major applicative areas. Another is to use stepwise refinement techniques to achieve the appropriate level of trustworthiness. These levels would then drive the design and implementation of a software system: the objective would be to design a model with enough details (observability) to make it possible to check all requirements of that level.

The other challenge is the effective integration of results obtained from different verification methods. There are many verification techniques, like simulation, testing, model checking and theorem proving. These methods may operate on different models of the software to be then executed, while trustworthiness should measure our trust in the real software running in its real execution environment. There are also monitoring and analysis techniques to capture the characteristics of actual executions of the system. Integrating all the analysis in order to decide the trustworthiness level of a software is quite a hard task.

Simulation is relevant to most areas where complex embedded systems are used, not only to the semiconductor industry for System-on-Chip modeling, but also to any application where a complex hardware platform must be assembled to run the application software. It has applications for example in industry automation, digital TV, telecommunications and transportation.

aCiNO is an SMT (Satisfiability Modulo Theory) solver based on a Nelson-Oppen architecture, and written in C++. Currently, two popular theories are considered: linear real arithmetic (LRA) and uninterpreted functions (UF). A lazy approach is used for solving SMT problem. For efficiency consideration, the solver is implemented in an incremental way. It also invokes an online SAT solver, which is now a modified MiniSAT, so that recovery from conflict is possible.

CoLoR is a Coq library on rewriting theory and termination of nearly 70,000 lines of code . it provides definitions and theorems for:

Mathematical structures: relations, (ordered) semi-rings.

Data structures: lists, vectors, polynomials with multiple variables, finite multisets, matrices.

Term structures: strings, algebraic terms with symbols of fixed arity, algebraic terms with varyadic symbols, simply typed lambda-terms.

Transformation techniques: conversion from strings to algebraic terms, conversion from algebraic to varyadic terms, arguments filtering, rule elimination, dependency pairs, dependency graph decomposition, semantic labelling.

Termination criteria: polynomial interpretations, multiset ordering, lexicographic ordering, first and higher order recursive path ordering, matrix interpretations.

Rainbow is a tool for automatically certifying termination certificates expressed in the CPF XML format used in the termination competition on termination . Termination certificates are translated and checked in Coq by using the CoLoR library.

CoLoR and Rainbow are distributed under the CeCILL license on
http://

Joint work with Jiaguang Sun (Tsinghua University, China).

EDOLA is an integrated tool for domain-specific modeling and verification of PLC applications . It is based on a domain-specific modeling language to describe system models. It supports both model checking and automatic theorem proving techniques for verification. The goal of this tool is to possess both the usability in domain modeling, the reusability in its architecture and the capability of automatic verification.

For the moment, we have developed a prototype of the EDOLA language, which can easily describe the features of PLC applications like the scan cycle mechanism, the pattern of environment model, time constraints and five property patterns. TLA+ was chosen as the intermediate language to implement the automatic verification of EDOLA models. A prototype of EDOLA has also been developed, which comes along with an editor to help writing EDOLA models. To automatically verify properties on EDOLA models, it provides the interface for both a model checker TLC and a first-order theorem prover SPASS .

Joint work with Pierre Weis (INRIA Rocquencourt) and Richard Bonichon (CEA).

Moca is a construction functions generator for OCaml data types with invariants.

It allows the high-level definition and automatic management of complex invariants for data types. In addition, it provides the automatic generation of maximally shared values, independently or in conjunction with the declared invariants.

A relational data type is a concrete data type that declares invariants or relations that are verified by its constructors. For each relational data type definition, Moca compiles a set of construction functions that implements the declared relations.

Moca supports two kinds of relations:

predefined algebraic relations (such as associativity or commutativity of a binary constructor),

user-defined rewrite rules that map some pattern of constructors and variables to some arbitrary user's define expression.

The properties that user-defined rules should satisfy (completeness, termination, and confluence of the resulting term rewriting system) must be verified by a programmer's proof before compilation. For the predefined relations, Moca generates construction functions that allow each equivalence class to be uniquely represented by their canonical value.

Moca is distributed under QPL on
http://

SimSoC is an infrastructure to run simulation models which comes along with a library of simulation models. SimSoC allows its users to experiment various system architectures, study hardware/software partition, and develop embedded software in a co-design environment before the hardware is ready to be used. SimSoC aims at providing high performance, yet accurate simulation, and provide tools to evaluate performance and functional or non functional properties of the simulated system.

SimSoC is based on SystemC standard and uses Transaction Level Modeling for interactions between the simulation models. The current version of SimSoC is based on the open source libraries from the OSCI Consortium: SystemC version 2.2 and TLM 2.0.1 , . Hardware components are modeled as TLM models, and since TLM is itself based on SystemC, the simulation is driven by the SystemC kernel. We use standard, unmodified, SystemC (version 2.2), hence the simulator has a single simulation loop.

The second open source version of SimSoC, SimSoC v0.7.1, has been released in November 2010. It contains a full simulator for ARM V5 and PowerPC both running at an average speed of about 80 Millions instructions per second in, and a simulator for the MIPS architecture with an average speed of 20 Mips in mode DT1. It represents about 70,000 lines of source code and includes:

Instruction Set Simulators. The ARM Version 5 architecture has been implemented with DT0, DT1, DT2 mode. The ARM and PowerPC 600 architecture with DT0 and DT1 mode. For both architectures, complete simulation models of the processor and MMU are provided, making it possible to run operating systems of the simulated platform. MIPS architecture in DT0 mode is under development.

A dynamic translator from binary programs to an internal representation. For the ARM architecture a compiler has been developed that generates the C++ translated code (for DT2), using parametrized specialization options.

Peripheral models including a serial line controller, a flash memory controller, an interrupt controller.

A utility to generate permanent storage for flash memory simulation; a compiler tool to generate instruction binary decoder.

Examples illustrating the use of the library and infrastructure.

SimSoC is distributed under LGPL on
https://

SimSoC-Cert is a set of tools that can automatically generate in various target languages (Coq and C) the decoding functions and the state transition functions of each instruction and addressing mode of the ARMv6 architecture manual (implemented by the ARM11 processor family) but the Thumb and coprocessor instructions. The input of SimSoC-Cert is the ARMv6 architecture manual itself.

Based on this, we first developed
*simlight*(8000 generated lines of C, plus 1500 hand-written lines of C), a simulator for ARMv6 programs using no peripheral and no coprocessor. Next, we developed
*simlight2*, a fast ARMv6 simulator integrated inside a SystemC/TLM module, now part of SimSoC v0.7.

We can also generate similar programs for SH4 but this is still under test.

Many architectures including PowerPC and ARM now have
*vectorized*instructions, that is, instructions that can execute on several data items in parallel (e.g 8 simultaneous additions) on specific vector data.

We have implemented the ALTIVEC extension of the PowerPC to support the vector instructions.

We have started to implement a new technique of dynamic translation. This new method consists in decompiling the binary object code into an abstract representation and recompiling it to native host code.

The decompilation of the program amounts to reconstructing the simulated program Control Flow Graph using an intermediate representation. We have chosen LLVM (Low Level Virtual Machine), defined by University of Illinois, and now widely adopted in many projects, as our representation format. Using LLVM allows us to directly use the LLVM Intel code generator.

The SimSoC binary decoder has been modified to identify basic blocks (blocks of sequential instructions ending with a branch instruction). After instructions have been grouped into basic blocks, they are translated into an LLVM representation and finally the LLVM compiler is called to generate native code.

A first version of this technique has been implemented for both the ARM and Power Architecture. We have reach a considerable speed improvement in the generated code, with the execution speed multiplied by factor of 2 to 8. However the translation time from binary to LLVM and from LLVM to native code is significant (translation speed is roughly 1000 instructions per second). Consequently the overall speed is improved by only a factor of 20 to 50 percent when the simulation are relatively short test programs .

In order to reach still higher simulation speed we need to use a more sophisticated analysis of the control flow graph. The idea is to do an edge profiling analysis of the basic blocks in order to identify larger blocks. This work is under development.

Another idea is to use multi-processor hosts machine to parallelize translation from LLVM to native code. This is also under investigation.

Simulation sessions produce huge trace files, sometimes now in hundreds of gigabytes, that are hard to analyze with a quick response time. This comes down to two sub-problems:

The trace file size. Trace files are huge because they include lots of information. But when looking for a specific problem, one does not need all of this information. To search one given defect, one may ignore a large amount of the data in the trace file. One would like the trace file to contain only relevant information to the concerned problem.

The expressive power of the language to analyze the trace, and its usability. If the language is limited to expression search, it is easy to use but hard to construct sophisticated formulas. If the language used is Linear Temporal Logic (LTL), there is a lot of expressive power but many engineers are unable to write a LTL formula and to maintain it over time.

We would like to build a trace analysis tool that includes a language which allows expression of time-related formulas but is simple to formulate expressions. When this language is compiled, ideally the compiler is smart enough to identify independent formulae, the search of which can be parallelized, and it is also smart enough to generate "filter scripts".

When compiling one trace language input file, it would generate, from one input file, N filter scripts and N analyzers. Then during the simulation, the huge raw trace file is actually split into N smaller trace files, each relevant to one problem only, filtering out all unnecessary data. Hence trace files sizes would be considerably reduced.

We have started to design a trace language and a compiler, and extended the SimSoC simulator to support generation of trace files with a filter.

A first version of the trace language compiler has been coded in OCAML.

In the current version under development, the filters are not generated but coded manually, and filters are not parallelized.

Starting last year, we undertook the task of generating automatically an instruction set simulator (ISS) from the vendor specification in a PDF file. In order to generate the C code of the simulator, it is assumed such vendor specification contains at least some formal definitions of the instruction set that can be analyzed. It is the case to a wide extent for the ARM, the PowerPC and the SH architectures.

The process of generating the simulator consists of 4 major steps, first eliminating from the PDF file irrelevant information, next construct from the relevant data an abstract syntax representation of the instruction set, then to generate the C code of the simulator, using some additional data provided manually to complete the vendor specification.

This work was completed last year for the ARM architecture with the documentation form ARM corporation . This year, we did similar work for the SH architecture from specification from RENESAS corporation.

We have indeed generated a simulator for the SH4 architecture , which has not been fully tested yet.

However, this works has proved that the abstract syntax we have defined is powerful enough to describe two different architectures with significant differences in the way they are described by the vendor.

The simulation of Systems-on-Chip (SoC) is nowadays a hot topic because, beyond providing many debugging facilities, it allows the development of dedicated software before the hardware is available. Low-consumption CPUs such as ARM play a central role in SoC. However, the effectiveness of simulation depends on the faithfulness of the simulator. To this effect, in , we propose here to prove significant parts of such a simulator, SimSoC. Basically, on one hand, we develop a Coq formal model of the ARM architecture while on the other hand, we consider a version of the simulator including components written in Compcert-C . Then we prove that the simulation of ARM operations, according to Compcert-C formal semantics, conforms to the expected formal model of ARM. Size issues are partly dealt with using automatic generation of significant parts of the Coq model and of SimSoC from the official textual definition of ARM. However, this is still a long-term project. We report here the current stage of our efforts and discuss in particular the use of Compcert-C in this framework.

In this joint work with Bruno Barras and Pierre-Yves Strub , we describe an abstract model of CoqMT called CoqMTU, which puts together the Calculus of Inductive Constructions, decidable first-order theories, and an infinite hierarchy of universes which are all predicative but the first impredicative universe of propositions. We have shown its consistency, strong normalization and decidability of type checking in presence of weak elimination (and absence of strong elimination). An important feature of this work is that the first-order theory is abstract, characterized by the three natural axioms that (i) it is non-degenerated (its models have at least two elements), (ii) constructors are free, and (iii) defined symbols are completely defined. On the theoretical side, this allows us to give an abstract elimination principle for such non-canonical theories. On the practical side, this justifies the implementation of CoqMT in which decidable theories can be dynamically dowloaded. It should be noticed that these proofs are done in Coq, except for the strong normalization part. Qian Wang is now continuing this work at Ecole Polytechnique with Bruno Barras and Pierre-Yves Strub, the target being strong normalization.

Invented by Vincent Van Oostrom, decreasing diagrams capture both kinds of diagrams arising from Newmann's Lemma and Hindley's Lemma: they indeed allow to reduce all known confluence methods to critical pairs computations, and a search of decreasing diagrams for them all, where decreasingness is measured by a well-founded order on proof steps.

During this year, we have further simplified and generalized these results in order to get rid of the left-linearity assumption for the first system, and of the right-linearity assumption for the second. This yields a true generalization of the well-known Knuth-Bendix-Huet confluence result for terminating systems, and at the same time of various critical-pair based results found in the literature for non-terminating systems.

Confluence results for first-order and higher-order rewriting differ in many ways: by the rewriting relation used, and by the strong normalization assumption made. We believe that these differences hide the strong similarities of these (and other) kinds of rewriting.

In this work, we introduce a new notion of rewriting,
*normal rewriting*, which aims at capturing all known results reducing confluence to critical (and extension) pair computations in presence of some termination assumption.

We achieve this goal in the following way. First, we consider theories made of a set
*rules*, a set
*simplifiers*, and a set
*equations*. Rewriting operates on terms in

Joint work with Keiichirou Kusakari and Sho Suzuki from Nagoya University, Japan.

The static dependency pair method is a method for proving the termination of higher-order rewrite systems
*à la*Nipkow
. It combines the dependency pair method introduced for first-order
rewrite systems with the notion of strong computability introduced for typed lambda-calculi
. Argument filterings and usable rules are two important methods of
the dependency pair framework used by current state-of-the-art first-order automated termination provers
,
. In
, we extend the class of higher-order systems on which the static
dependency pair method can be applied. Then, we extend argument filterings and usable rules to higher-order rewriting, hence providing the basis for a powerful automated termination prover
for higher-order rewrite systems.

Satisfiability Modulo Theories (SMT) techniques are widely used nowadays. SMT solvers are used to decide the satisfiability of first-order formulas. When an SMT solver is invoked, it is important to ensure correctness of the result. For this purpose, we proposed a certificate framework based on DPLL(T), including generation of certificates and verification of certificates. Some properties are discussed and proved theoretically. The certificate is easy to generate because it only needs minor modification to the existing SMT solvers. Experiment results show that the overhead for certificates generation is only 10%. Moreover, verifying the certificate requires few memory and time, which outperforms other approaches.

The research community on rewriting developed a grammar for termination certificates called CPF (given by a XML Schema file). Our goal is to develop a safe, modular and efficient termination certificate verifier based on the formal library of mathematical results on termination called CoLoR that has been developed for the proof assistant Coq .

Because the CPF format is regularly modified and extended with new features, it is useful to have a tool that can automatically generate data structures, parsers and pretty-printers for that format. Hence, we developed a first version of such a tool in OCaml.

Once we got a representation of termination certificates in Coq, we could start defining a boolean function checking the correctness of a certificate, and formally prove its correctness. For the moment, we only considered the case of polynomial interpretations on integers. The proof is almost finished. To do so, we had to modify some of the CoLoR files to be able to use its results (transformation of modules into records that are first-class objects). The use of dependent types in CoLoR makes also definitions and proofs much more difficult.

Geometric algorithms are widely used in many scientific fields like computer vision, computer graphics. To guarantee the correctness of these algorithms, it is important to apply formal method to them. In this work, we propose an approach to proving the correctness of geometric algorithms . The main contribution is that a set of proof decomposition rules is proposed which can help improve the automation of the proof of geometric algorithms. We choose TLA+2, a structural specification and proof language, as our experiment environment. The case study on a classical convex hull algorithm shows the usability of the method.

We present a purely BDD-based assume-guarantee reasoning technique to improve the scalability of symbolic model checking. The new technique adopts a BDD learning algorithm to generate BDD's as contextual assumptions. A new witness analysis algorithm is proposed to exploit the multitude of traces returned by symbolic model checkers. Using the classification tree-based BDD learning algorithm to generate contextual assumptions, we compare assume-guarantee reasoning with monolithic symbolic model checking. The new technique always infers smaller contextual assumptions than contexts in our experiments.

We address the predicate generation problem in the context of loop invariant inference. Motivated by the interpolation-based abstraction refinement technique, we apply the interpolation theorem to synthesize predicates implicitly implied by program texts. Our technique is able to improve the effectiveness and efficiency of the learning-based loop invariant inference algorithm in . Experiments excerpted from Linux, SPEC2000, and Tar source codes are reported.

This is a joint work with Yungbum Jung, Wonchan Lee, and Kwangkuen Yi of Seoul National University, South Korea.

Thread-modular analysis is an incomplete compositional technique for verifying concurrent systems. The heuristic works rather well when there is limited interaction among system components. In this project, we develop a refinement algorithm that makes thread-modular model checking complete. Our algorithm refines abstract reachable states by exposing local information through auxiliary variables. The experiments show that our complete thread-modular model checking can outperform other complete compositional reasoning techniques.

We formalized a semantics of the Instruction List (IL) language, one of the five programing languages defined in the IEC 61131-3 standard for PLC programing . This semantics support a significant subset of the IL language that includes on-delay timers. This semantics was used in a join work to with Jan Olaf Blech from Fortiss (Germany) to prove some safety properties for a real industrial example of PLC program .

A second widely used language for programming PLC is the graphical language Ladder Diagrams (LD). We defined a formal semantics of LD in the proof assistant Coq. Based on this semantics and the IL one, we developed a translation function from LD to IL. We also proved a semantic preservation property for this translation function. We have now a certified compilation function from the graphical language LD to IL. This work opens the way for the development of a certified compilation chain for PLC. A journal paper about this work and others aspects of PLC certification is under reviewing.

In
,
, we study the definition of denotational semantics on PLC program
language, which is convenient to PLC programs modeling and model checking. The purpose of the work is the correctness verification on PLC programs by formal methods. Based on the extended

PLCs are widely used in embedded systems. Timers play a pivotal role in PLC real-time applications. The formalization of timers is of great importance. In , we present a formalization of PLC timers in the theorem proving system Coq, in which the behaviors of timers are characterized by a set of axioms at an abstract level. The authors discuss how to model timers at a proper and sound abstract level. PLC programs with timers are modeled. As a case study, a quiz machine problem with a timer is investigated. This work demonstrates the complexity of formal timer modeling.

PLCs are complex cyber-physical systems which are widely used in industry. In , we present a robust approach to design and implement PLC-based embedded systems. Timed automata are used to model the controller and its environment. We validate the design model with resort to model checking techniques. We propose an algorithm to generate PLC code from timed automata and implement this algorithm with a prototype tool. This method can condense the developing process and guarantee the correctness of PLC programs. A case study demonstrates the effectiveness of the method.

Programmable Logic Controllers are widely used in industry. Reliable PLCs are vital to many critical applications. We present a novel symbolic approach for analysis of PLC systems . The main components of the approach consists of: (1) calculating the uncertainty characterization of the PLC systems, (2) abstracting the PLC system as a Hidden Markov Model, (3) solving the Hidden Markov Model using domain knowledge, (4) integrating the solved Hidden Markov Model and the uncertainty characterization to form an integrated (regular) Markov Model, and (5) harnessing probabilistic model checking to analyze properties on the resultant Markov Model. The framework provides expected performance measures of the PLC systems by automated analytical means without expensive simulations. Case studies on an industrial automated system are performed to demonstrate the effectiveness of our approach.

Formal modeling and verification of PLC systems become paramount in engineering applications. The work presents a novel PLC domain-specific modeling language Edola . Important characteristics of PLC embedded systems, such as reactivity, scan cycling, real-time and property patterns, are embodied in the language design. Formal verification methods, such as model checking and automatic theorem proving, are supported in Edola modeling. The TLA+ specification language constitutes an intermediate language layer between Edola and the verification tools, enhancing a large degree of reusability. A prototype IDE for Edola and its seamless integration of a model checker TLC and an automatic theorem prover Spass are implemented. A case study illustrates and validates the applicability of the language.

Joint work with Yuxin Deng (Jiaotong University, Shanghai) and Stéphane Grumbach (LIAMA/Netquest).

Netlog is a language designed and implemented in the Netquest project for describing protocols. Netlog has a precise semantics, provides a high level of abstraction thanks to its Datalog flavor and benefits from an efficient implementation. This makes it a very interesting target language for proofs of protocols. Netlog comes with two possible semantics: a synchronous semantics, better suited to tightly coupled parallel systems and an asynchronous semantics, better suited to distributed systems.

We designed a formal model of Netlog in Coq, where the two possible semantics are derived from common basic blocks. In a fully certified framework, a formal proof of the Netlog engine (running on each node) would be required. We don't attack this part at the moment: we assume that the implementation respects the general properties stated in our model and focus on the issues raised by the distributed model of computation provided by Netlog.

As a proof of concept, we applied in 2010 this framework to an algorithm constructing a Breadth-First Search Spanning Tree (BFS) in a distributed system . This work has been slightly improved this year and published in .

Moreover, we generalized the model in order to take the removal of datalog facts into account, and started to use this feature for more complicated protocols. In main one under study is Prim's algorithm (publication under submission), and we target next GHS, which still resists to palatable proof techniques.

The goal of this project contracted with Schneider Electric China is to develop a full system simulator for a System-on-Chip used by Schneider Electric in their automation product line.

The goal of this project is to complete the PowerPC simulator and compare its performance with another simulator used internally by Orange IT Labs.

Formesis part of the working group LTP on Languages, Types and Proofs of the GDR GPL

Formesis part of the working group LAC on Logic, Algebra and Calculus of the GDR IM

Jean-Jacques Lévy (INRIA, France), director of the MSR-INRIA Joint Center, visited Formesfrom September 26 to November 18, gave lectures on reductions and causality.

Pierre-Louis Curien (PPS, CNRS and University Paris 7) visited Formesin April and May, and co-organized a working group on rewriting theory and algebra.

Joseph Sifakis (VERIMAG, France) visited Formesin March and October and participated to various working groups.

Zhang Min (JAIST, Japan) gave a talk on December 20 on algebraic-based verification of a dynamic software updating system.

Vladimir Voevodsky (IAS Princeton, USA), Fields Medal 2002, gave a talk on December 12 on univalent semantics of constructive type theories.

Jianhua Gao (ISCAS, China) gave a talk on November 25 on the clausal presentation of theories in deduction modulo.

Iddo Tzameret (ITCS, Tsinghua University) gave a talk on November 18 on short propositional refutations for dense random 3-CNF formulas.

Eric Madelaine (INRIA, France) gave a talk on November 11 at Shenzhen SIAT on specification, model generation and verification of distributed applications.

Jean-Raymond Abrial (ETH, Switzerland) gave a talk on September 9 on modeling, refining and proving with Event-B.

Graham Steel (LSV, ENS Cachan, France) gave lectures on the security of APIs at Tsinghua University and Nokia from August 22 to August 25.

Thomas Anberree (Nottingham University at Ningbo, China) gave a talk on June 22 on definable quotients in type theory.

Hsu-Chun Yen (National Taiwan University) gave a talk on May 20 on two-way transducers and parametrized machines.

Lijun Zhang (Denmark Technical University) gave a talk on May 13 on ODEs in probabilistic model checking.

Flemming Nielson (Denmark Technical University) gave a talk on May 13 on model checking as static analysis of modal logic.

Christian Urban (TU Munich, Germany) gave a talk on April 29 on verifying a regular expression matcher and formal language theory.

Zhaohui Luo (University of London, UK) visited Formesin April and gave lectures on type theory from April 13 to April 19.

On April 11, for the 1st Tsinghua Software Day organized by the Formesteam, we had the following talks: A journey into the semantics of programming languages, by Pierre-Louis Curien; type theory and its application, by Zhaohui Luo; advances towards the formal proof of the classification of finite groups, by Georges Gonthier; from boolean to quantitative theories of software, by Tom Henzinger.

Joseph Sifakis (VERIMAG, France) gave a talk on March 10 on a vision for computer science: the system perspective.

SIVES

*Logical Frameworks*is a grant from the National Science Foundation of China obtained by Jean-Pierre Jouannaud and Jianqi Li to sustain their work on the subject.

Formesorganizes a weekly seminar which is a major local forum in the area of formal methods, with a steady participation of colleagues who come from the other nearby research institutions, CASIA, ISCAS and Peking University, to attend the presentations. All seminars are announced on our website, as well as the other relevant local seminars or events, in particular those taking place at ISCAS.

Jean-Pierre Jouannaud and Zhong Shao (Yale University) have initiated a new conference, the 1st international conference on Certified Programs and Proofs (CPP'11), held on December 7-9 at Kenting, Taiwan. The local organization is done by Tyng-Ruey Chang (Academia Sinica), Yih-Kuen Tsay (NTU) and Bow-Yaw Wang (INRIA and Academia Sinica).

Vania Joloboff co-organized with Pr John Koo the first Shenzhen International Summer School on Embedded Systems Design, held at Shenzhen SIAT from July 4-8.

Formesorganized on April 11-12 the 1st Tsinghua Software Day and Tsinghua Student Day on the occasion of Tsinghua's 100 years anniversary with talks by Pierre-Louis Curien, Zhaohui Luo, Georges Gonthier and Tom Henzinger.

Frédéric Blanqui is member of the Steering Committee of the International Conference on Rewriting Techniques and Applications (RTA) from July 2010 to July 2013.

Frédéric Blanqui was a PC member of the 22nd International Conference on Rewriting Techniques and Applications (RTA'11), 30 May - 1st June, Novisad, Serbia.

Jean-Pierre Jouannaud is a member of the LICS organizing committee.

Jean-Pierre Jouannaud is a member of the editorial board of the International Journal of Software and Informatics (IJSI).

Jean-Pierre Jouannaud is a guest co-editor of JACM (selection of 3 papers from LICS 2010), and a co-guest editor of LMCS (selection of papers from LICS 2010).

Jean-Pierre Jouannaud is a member of the advisory committee of Academia Sinica, Taipei, Taiwan.

Jean-Pierre Jouannaud is PC co-chair of CPP 2011, 7-9 December 2011, Kenting, Taiwan.

Jean-Pierre Jouannaud participated to the STIC-Asie meeting in Guangdong in June, and the AURA meeting in Hanoi, Vietnam, in November, where he gave talks.

Vania Joloboff taught a class at Tsinghua University on SystemC and Transaction Level Modeling.

Vania Joloboff taught a session at Shenzhen International Summer School on Embedded Systems Design.

Jean-François Monin taught a module on Coq entitled
*Introduction to Interactive Proofs of Software*at Tsinghua School Software, 3rd year undergraduate, but also followed by 4th year students, a master student of Beihang and 2 master
students of University of Beijing, department of mathematics; volume: 35 hours.