Vasyis an
Inriaproject team that is also a team of the
Liglaboratory, a joint research unit of Centre National de Recherche Scientifique, Grenoble
Inp, Université Joseph Fourier, and Université Pierre Mendès-France. This is the last yearly activity report for
Vasy, as it completed its scientific activities on December 31, 2011 after having reached the 12-year age limit for
Inriaproject teams. As of January 2012, the
Vasyteam members have launched a new research team named
Convecs(see
http://

Created on January 1st, 2000, the Vasyproject focuses on formal methods for the design of reliable systems.

We are interested in any system (hardware, software, telecommunication) that exhibits
*asynchronous concurrency*, i.e., any system whose behavior can be modelled as a set of parallel processes governed by interleaving semantics.

For the design of reliable systems, we advocate the use of formal description techniques together with software tools for simulation, rapid prototyping, verification, and test generation.

Among all existing verification approaches, we focus on
*enumerative verification*(also known as
*explicit state verification*) techniques. Although less general than theorem proving, these techniques enable an automatic, cost-efficient detection of design errors in complex
systems.

Our research combines two main directions in formal methods, the
*model-based*and the
*language-based*approaches:

Models provide mathematical representations for parallel programs and related verification problems. Examples of models are automata, networks of communicating automata, Petri nets, binary decision diagrams, boolean equation systems, etc. From a theoretical point of view, research on models seeks for general results, independently of any particular description language.

In practice, models are often too elementary to describe complex systems directly (this would be tedious and error-prone). Higher level formalisms are needed for this task, as well as compilers that translate high level descriptions into models suitable for verification algorithms.

To verify complex systems, we believe that model issues and language issues should be mastered equally.

In 2011, Hubert Garavel received the prestigious Humboldt Research Award granted by the Alexander von Humboldt foundation (Bonn, Germany).

By verification, we mean comparison — at some abstraction level — of a complex system against a set of
*properties*characterizing the intended functioning of the system (for instance, deadlock freedom, mutual exclusion, fairness, etc.).

Most of the verification algorithms we develop are based on the
*labeled transition systems*(or, simply,
*automata*or
*graphs*) model, which consists of a set of states, an initial state, and a transition relation between states. This model is often generated automatically from high-level descriptions of
the system under study, then compared against the system properties using various decision procedures. Depending on the formalism used to express the properties, two approaches are
possible:

*Behavioral properties*express the intended functioning of the system in the form of automata (or higher level descriptions, which are then translated into automata). In this case, the
natural approach to verification is
*equivalence checking*, which consists in comparing the system model and its properties (both represented as automata) modulo some equivalence or preorder relation. We develop
equivalence checking tools that compare and minimize automata modulo various equivalence and preorder relations; some of these tools also apply to stochastic and probabilistic models (such
as Markov chains).

*Logical properties*express the intended functioning of the system in the form of temporal logic formulas. In this case, the natural approach to verification is
*model checking*, which consists in deciding whether or not the system model satisfies the logical properties. We develop model checking tools for a powerful form of temporal logic,
the
*modal
$\mu $-calculus*, which we extend with typed variables and expressions so as to express predicates over the data contained in the model. This extension (the practical usefulness of
which has been highlighted in many examples) provides for properties that could not be expressed in the standard

Although these techniques are efficient and automated, their main limitation is the
*state explosion*problem, which occurs when models are too large to fit in computer memory. We provide software technologies (see §
) for handling models in two complementary ways:

Small models can be represented
*explicitly*, by storing all their states and transitions in memory (
*exhaustive*verification).

Larger models are represented
*implicitly*, by exploring only the model states and transitions needed for the verification (
*on the fly*verification).

Our research focuses on high level languages with
*executable*and
*formal*semantics. The former requirement stems from enumerative verification, which relies on the efficient execution of high-level descriptions. The latter requirement states that
languages lacking formal semantics are not suitable for safety critical systems (as language ambiguities usually lead to interpretation divergences between designers and implementors).
Moreover, enumerative techniques are not always sufficient to establish the correctness of an infinite system (they only deal with finite abstractions); one might need theorem proving
techniques, which only apply to languages with formal semantics.

We are working on several languages with the above properties:

Lotosis an international standard for protocol description ( Iso/ Iecstandard 8807:1989), which combines the concepts of process algebras (in particular Ccsand Csp) and algebraic abstract data types. Thus, Lotoscan describe both asynchronous concurrent processes and complex data structures. We use Lotosfor various industrial case studies and we develop Lotoscompilers, which are part of the Cadptoolbox (see § ).

We contributed to the definition of
E-Lotos(
*Enhanced*-
Lotos,
Iso/
Iecstandard 15437:2001), a deep revision of
Lotos, which tries to provide a greater expressiveness (for instance, by introducing quantitative time to describe systems with real-time
constraints) together with a better user friendliness. Our contributions to
E-Lotosare available on the
Web(see
http://

We are also working on an
E-Lotosvariant, named
Lotos NT(
Lotos
*New Technology*)
,
, in which we can experiment with new ideas more freely than in the
constrained framework of an international standard. Like
E-Lotos,
Lotos NTconsists of three parts: a
*data part*, which enables the description of data types and functions, a
*process part*, which extends the
Lotosprocess algebra with new constructs such as exceptions and quantitative time, and
*modules*, which provide for structure and genericity. The languages differ in that
Lotos NTcombines imperative and functional features, and is also simpler than
E-Lotosin some respects (static typing, operator overloading, arrays), which should make it easier to implement. We are developing several tools
for
Lotos NT: a prototype compiler named
Traian(see §
), a translator from (a subset of)
Lotos NTto
Lotos(see §
), and an intermediate semantic model named
Ntif(
*New Technology Intermediate Form*)
.

As far as possible, we validate our results by developing tools that we apply to complex (often industrial) case studies. Such a systematic confrontation of implementation and experimentation issues is central to our research.

The theoretical framework we use (automata, process algebras, bisimulations, temporal logics, etc.) and the software tools we develop are general enough to fit the needs of many application domains. They are applicable to virtually any system or protocol that consists of distributed agents communicating by asynchronous messages. The list of recent case studies performed with the Cadptoolbox (see in particular § ) illustrates the diversity of applications:

*Hardware architectures:*asynchronous circuits, multiprocessor architectures, systems on chip, networks on chip, bus arbitration protocols, cache coherency protocols, hardware/software
codesign;

*Databases:*transaction protocols, distributed knowledge bases, stock management;

*Consumer electronics:*home networking, video on-demand;

*Security protocols:*authentication, electronic transactions, cryptographic key distribution;

*Embedded systems:*smart-card applications, air traffic control, avionic systems;

*Distributed systems:*virtual shared memory, distributed file systems, election algorithms, dynamic reconfiguration algorithms, fault tolerance algorithms, cloud computing;

*Telecommunications:*high-speed networks, network management, mobile telephony, feature interaction detection;

*Human-machine interaction:*graphical interfaces, biomedical data visualization;

*Bioinformatics:*genetic regulatory networks, nutritional stress response, metabolic pathways.

We maintain and enhance
Cadp(
*Construction and Analysis of Distributed Processes*– formerly known as
*Cæsar /
AldébaranDevelopment Package)
, a toolbox for protocols and distributed systems engineering (see
http://
*

Caesar_Graph, which provides the programming interface for graph exploration,

Caesar_Hash, which contains several hash functions,

Caesar_Solve, which resolves boolean equation systems on the fly,

Caesar_Stack, which implements stacks for depth-first search exploration, and

Caesar_Table, which handles tables of states, transitions, labels, etc.

A number of tools have been developed within the Open/Cæsarenvironment, among which:

Bisimulator, which checks bisimulation equivalences and preorders,

Cunctator, which performs on-the-fly steady-state simulation of continuous-time Markov chains,

Determinator, which eliminates stochastic nondeterminism in normal, probabilistic, or stochastic systems,

Distributor, which generates the graph of reachable states using several machines,

Evaluator, which evaluates regular alternation-free

Executor, which performs random execution,

Exhibitor, which searches for execution sequences matching a given regular expression,

Generator, which constructs the graph of reachable states,

Projector, which computes abstractions of communicating systems,

Reductor, which constructs and minimizes the graph of reachable states modulo various equivalence relations,

Simulator, Xsimulator, and Ocis, which allow interactive simulation, and

Terminator, which searches for deadlock states.

Bcg(
*Binary Coded Graphs*) is both a file format for storing very large graphs on disk (using efficient compression techniques) and a software environment for handling this format.
Bcgalso plays a key role in
Cadpas many tools rely on this format for their inputs/outputs. The
Bcgenvironment consists of various libraries with their programming interfaces, and of several tools, such as:

Bcg_Draw, which builds a two-dimensional view of a graph,

Bcg_Edit, which allows to modify interactively the graph layout produced by Bcg_Draw,

Bcg_Graph, which generates various forms of practically useful graphs,

Bcg_Info, which displays various statistical information about a graph,

Bcg_Io, which performs conversions between Bcgand many other graph formats,

Bcg_Labels, which hides and/or renames (using regular expressions) the transition labels of a graph,

Bcg_Merge, which gathers graph fragments obtained from distributed graph construction,

Bcg_Min, which minimizes a graph modulo strong or branching equivalences (and can also deal with probabilistic and stochastic systems),

Bcg_Steady, which performs steady-state numerical analysis of (extended) continuous-time Markov chains,

Bcg_Transient, which performs transient numerical analysis of (extended) continuous-time Markov chains, and

Xtl(
*eXecutable Temporal Language*), which is a high level, functional language for programming exploration algorithms on
Bcggraphs.
Xtlprovides primitives to handle states, transitions, labels,
*successor*and
*predecessor*functions, etc.

For instance, one can define recursive functions on sets of states, which allow to specify in Xtlevaluation and diagnostic generation fixed point algorithms for usual temporal logics (such as Hml , Ctl , Actl , etc.).

The connection between explicit models (such as Bcggraphs) and implicit models (explored on the fly) is ensured by Open/Cæsar-compliant compilers, e.g.:

Bcg_Open, for models represented as Bcggraphs,

Cæsar.open, for models expressed as Lotosdescriptions,

Exp.open, for models expressed as communicating automata,

Fsp.Open, for models expressed as Fspdescriptions,

Lnt.Open, for models expressed as Lotos NTdescriptions, and

Seq.open, for models represented as sets of execution trace.

The
Cadptoolbox also includes
Tgv(
*Test Generation based on Verification*), developed by the
Verimaglaboratory (Grenoble) and the
Vertecsproject team at
InriaRennes.

The Cadptools are well-integrated and can be accessed easily using either the Eucalyptusgraphical interface or the Svl scripting language. Both Eucalyptusand Svlprovide users with an easy and uniform access to the Cadptools by performing file format conversions automatically whenever needed and by supplying appropriate command-line options as the tools are invoked.

We develop a compiler named Traianfor translating descriptions written in the Lotos NTlanguage (see § ) into C programs, which will be used for simulation, rapid prototyping, verification, and testing.

The current version of Traianperforms lexical analysis, syntactic analysis, abstract syntax tree construction, static semantics analysis, and C code generation for Lotos NTtypes and functions.

Although this version of Traianis still incomplete (it does not handle Lotos NTprocesses), it already has useful applications in compiler construction . The recent compilers developed by the Vasyproject team — including Aal, Evaluator 4.0 (see § ), Exp.open 2.0 (see § ), Lnt2Lotos(see § ), Ntif(see § ), Pic2Lnt(see § ), and Svl(see § ) — all contain a large amount of Lotos NTcode, which is then translated into C code by Traian.

Our approach consists in using the Syntaxtool (developed at InriaRocquencourt) for lexical and syntactic analysis together with Lotos NTfor semantical aspects, in particular the definition, construction, and traversal of abstract trees. Some involved parts of the compiler can also be written directly in C if necessary. The combined use of Syntax, Lotos NT, and Traianproves to be satisfactory, in terms of both the rapidity of development and the quality of the resulting compilers.

The
Traiancompiler can be freely downloaded from the
Vasy
Website (see
http://

Bcg(
*Binary-Coded Graphs*) is both a file format for the representation of explicit graphs and a collection of libraries and programs dealing with this format. Version 1.0 of the
Bcgformat was recently replaced by version 1.1, which can exploit the capabilities of 64-bit addressing.

In 2011, we continued to enhance the Bcglibraries as follows:

We extended the Bcg_Readapplication programming interface with three new primitives so as to increase symmetry with the Open/Cæsarapplication programming interface (see § ).

We fixed a memory corruption problem occurring with very long label strings; this problem would cause random crashes of the Distributortool (see § ).

Open/Cæsaris an extensible, modular, language-independent software framework for exploring implicit graphs. This key component of Cadpis used to build simulation, execution, verification, and test generation tools.

In 2011, a bug in the Cæsar_Tablelibrary has been corrected, which would cause segmentation faults when certain primitives of the Application Programming Interface were invoked on a bounded table.

Cæsar_Solveis a generic software library based on Open/Cæsarfor solving boolean equation systems of alternation depth 1 (i.e., without mutual recursion between minimal and maximal fixed point equations) on the fly. This library is at the core of several Cadpverification tools, namely the equivalence checker Bisimulator, the minimization tool Reductor, and the model checkers Evaluator 3.5 and 4.0. The resolution method is based on boolean graphs, which provide an intuitive representation of dependencies between boolean variables, and which are handled implicitly, in a way similar to the Open/Cæsarinterface .

In 2011, we improved the parallel resolution algorithm of Cæsar_Solve(see § ).

Evaluatoris a model checker that evaluates a temporal logic property on a graph represented implicitly using the Open/Cæsarenvironment. Evaluatorworks on the fly, meaning that only those parts of the implicit graph relevant to verification are explored. The model checking problem is reformulated in terms of solving a boolean equation system. A useful feature of Evaluatoris the generation of diagnostics (examples and counterexamples) explaining why a formula is true or false.

In version 3.5 of
Evaluator, properties are described in regular alternation-free

In version 4.0 of
Evaluator(
*Model Checking Language*)
, an extension of the regular alternation-free
**if-then-else**”, “
**for**”, etc.), and operators (of alternation depth two) allowing to characterize complex infinite sequences.

In 2011, we continued the extensive testing of
Evaluator 3.5 and 4.0 using our test base of

We extended the set of Mcloperators of alternation depth two with parameterized versions of the infinite looping and saturation operators, which allow to succinctly encode the presence (respectively, the absence) of accepting cycles in generalized Büchi automata. The evaluation of these parameterized operators is translated into parameterized boolean equation systems, which are instantiated into plain boolean equation systems and solved on the fly using the algorithms A3 and A4 (extended with marked cycle detection) of the Cæsar_Solvelibrary. This evaluation procedure has a complexity linear in the size of the degeneralized Büchi automaton, which is represented by the boolean equation system obtained after instantiation.

We enhanced Mclby adding a data type for manipulating sets of natural numbers. This data type, equipped with the classical set operations (union, intersection, difference, insertion, deletion, membership, etc.), enables a succinct specification of temporal properties referring to the past, such as the fact that a certain set of events (represented by natural numbers) occurred on the transition sequences leading from the initial state to the current state.

We added a new option to Evaluator 4.0 for displaying a set of regular expressions that over-approximate the set of visible actions (transition labels in the Lts) satisfying the action predicates occurring in the Mclformula. This feature enables to improve the efficiency of verification by hiding the set of actions other than those produced from the Mclformula, minimizing the Ltsmodulo a weak equivalence relation compatible with the formula, and then verifying the Mclformula on the minimized Lts. This may increase the efficiency of verification by one order of magnitude, as reported in .

Evaluator 4.0 was officially integrated in Cadpin March 2011. Mcland Evaluator 4.0 were used successfully for analyzing mutual exclusion protocols (see § ) and hardware architectures (see § ).

The
Cadptoolbox contains various tools dedicated to compositional verification, among which
Exp.open 2.1,
Projector 3.0,
Bcg_Min 2.0, and
Svl 2.2 play a central role.
Exp.openexplores on the fly the graph corresponding to a network of communicating automata (represented as a set of
Bcgfiles).
Projectorimplements behavior abstraction
,
by taking into account interface constraints.
Bcg_Minminimizes behavior graphs modulo strong or branching bisimulation and their stochastic extensions.
Svl(
*Script Verification Language*) is both a high level language for expressing complex verification scenarios and a compiler dedicated to this language.

In 2011, we corrected one bug in Projector, two bugs in Exp.open, and four bugs in Svl. We also enhanced these tools as follows:

The generalized parallel composition operator proposed in
, including the support for “

Together with Pepijn Crouzen (Saarland University), we pursued our work on the so-called “smart reduction” techniques for compositional verification. An article about smart reduction was published in an international conference .

We improved smart reduction for stochastic branching bisimulation so as to cut stochastic transitions (according to the “maximal progress” assumption) as early as possible in intermediate parallel compositions, thus yielding state space reductions. With this new optimization, Exp.opendetects when some action (usually, an output) offered by some process can synchronize with corresponding actions (usually, inputs) offered by the other processes in all their states; if so, all stochastic transitions in choice with this action can safely be cut in every intermediate composition. This situation occurs frequently with Input/Output Interactive Markov Chains.

Additionally, we studied an alternative compositional verification approach named
*partial model checking*
. Given a temporal logic formula
*quotienting*. Simplifications must be applied at each step, so as to maintain formulas at a tractable size.

We developed a prototype implementation of this approach using the generic software components of Cadp:

We extended the definition of quotienting given by
to support all features of the input language of
Exp.open 2.1, which enables networks of labeled transition systems to be described using parallel composition operators borrowed from
various process algebras such as
Ccs,
Csp, and
Lotos, including also
Lotos NTparallel composition and “

We gave an executable definition of quotienting in terms of a synchronous product between a graph representation (called
*formula graph*) of the formula

We proposed and implemented efficient formula simplifications by combining reductions modulo bisimulations and partial formula evaluation computed using boolean equation systems.

We used this prototype implementation to verify 28 temporal logic properties on the Tftpavionics protocol . For several of these properties, partial model checking uses hundreds of times less memory than on-the-fly model checking using Evaluator. This work led to a publication in an international conference .

The Cadptoolbox contains several components designed to take advantage of distributed computing facilities (such as clusters of machines) to perform large-scale verifications, namely: Cæsar_Network, a network communication library used by the other tools, Distributorand Bcg_Merge, two companion tools that perform reachability analysis using a distributed state space exploration algorithm, and Bes_Solve , a tool that solves boolean equations systems using the various resolution algorithms provided by the Cæsar_Solvelibrary (see § ), including a distributed on-the-fly resolution algorithm.

In 2011, we continued enhancing these tools, taking advantage of the valuable feedback provided by Eric Madelaine ( InriaSophia Antipolis) who used Cadpon the PacaGridcluster. We brought the following improvements:

We performed careful code reviews of the Cæsar_Networklibrary, and corrected nine bugs. We equipped this library with logging primitives that proved to be helpful for debugging distributed algorithms programmed above the Cæsar_Networklibrary.

We fixed three bugs in Distributorand two bugs in Bcg_Merge.

We pursued the intensive testing campaign undertaken in 2010 for Bes_Solve, using up to 100 concurrent processes running on the Pipoland Grid5000platforms. We focused our efforts on the distributed resolution algorithm for boolean equation systems of Cæsar_Solve/ Bes_Solve, which was tested extensively on examples of boolean equation systems represented explicitly as text files or generated randomly according to various parameters, the resolution results being cross-checked against the sequential resolution algorithms provided by Cæsar_Solve/ Bes_Solve.

Several bugs (affecting memory leaks, handling of early termination, diagnostic generation, collecting of statistical information about the resolution) were fixed. Changes were also carried out on the code to simplify its structure, increase modularity, and improve readability. The convergence of the distributed resolution algorithm was accelerated by backward propagation of constants as soon as they have been discovered.

The Evaluator 4.0 tool was extended with a new prototype algorithm allowing the distributed verification of an Mclformula on a graph using several machines connected by a network. This functionality was implemented by connecting the tool to the distributed resolution algorithm for boolean equation systems and experimented out on clusters of machines.

Finally, we added to Cadpfour new tools named Pbg_Cp, Pbg_Info, Pbg_Mv, and Pbg_Rm. These tools respectively enable to copy, query, move, and delete the Pbg(Partitioned BCG Graph) collection of files generated and used by Distributorand Bcg_Merge.

To support the usage of Cadpin industry and academia, we pursued our efforts to master the software quality of Cadp:

We added support for Mac OS X 10.7 (“Lion”) and enhanced the documentation for Mac OS X.

We corrected one bug in the Installatorinstallation assistant, two bugs in the Tstplatform-checking command, and brought two bug fixes and one usability enhancement in the Eucalyptusgraphical user-interface. We also provided a workaround for supporting recent versions of Ubuntu.

We continued building a comprehensive validation framework, based on non-regression testing and semantical checking for the Cadptools. This framework allows functional testing of individual tools as well as integration testing for several Cadptools used together to perform complex verification scenarios on various computing platforms and using various compilers.

Other research teams took advantage of the software components provided by Cadp(e.g., the Bcgand Open/Cæsarenvironments) to build their own research software. We can mention the following developments:

the Kmeliatools for component-based systems , developed at the University of Nantes (France);

the Vercorstool for unifying architectural and behavioral specifications of distributed components , developed at InriaSophia-Antipolis;

the
Damasco(
*Discovery, Adaptation and Monitoring of Context-Aware Services and Components*) framework for composition and adaptation based on model transformation
, developed at the University of Málaga (Spain);

the Scooptool for symbolic optimizations of probabilistic processes , , developed at RwthAachen (Germany);

the
Slco(
*Simple Language of Communicating Objects*) environment
, developed at Eindhoven University of Technology (The
Netherlands);

the Motortool for probabilistic analysis of embedded systems , developed at the Embedded Systems Institute (Eindhoven, The Netherlands);

the Alvismodeling language for design and verification of embedded systems , developed at the AghUniversity of Science and Technology (Krakow, Poland).

The Cadptoolbox contains several tools dedicated to the Lotoslanguage, namely the Cæsar.adtcompiler for the data type part of Lotos, the Cæsarcompiler for the process part of Lotos, and the Cæsar.indentpretty-printer.

In 2011, in addition to fixing four bugs in the Cæsarand Cæsar.adtcompilers, we improved the Lotos-dedicated tools of Cadpas follows:

We revised the predefined type libraries and C code generated by Cæsarand Cæsar.adtto suppress warnings emitted by recent versions of Gcc.

We enhanced the format in which values of singleton and tuple types are displayed to end users.

We modified the predefined libraries for natural (unsigned) and integer (signed) types so that users can now indicate the precise number of bits (between 1 and 64) to be used for the machine representation of these types, and can also determine the precise range (lower and upper bound) to be used for values of these types.

We further modified these two libraries to enable (optional) overflow and underflow checking during arithmetic operations on the natural and integer types.

Regarding the Lotos NTlanguage — a variant of E-Lotoscreated by the Vasyproject team — we worked along two directions:

We continued enhancing the Traiancompiler (see § ), which generates C code from Lotos NTdata type and function definitions. Traianis distributed on the Internet and used intensively within the Vasyproject team as a development tool for compiler construction .

In 2011, Traianwas essentially in maintenance mode. We updated its documentation and added to its predefined library a conversion function that was missing.

The Lnt2Lotos, Lnt.Open, and Lpptools convert Lotos NTcode to Lotos, thus allowing the use of Cadpto verify Lotos NTdescriptions. These tools are officially part of Cadpsince 2010 and have been used successfully for many different systems (see § , § , § , § , and § ).

In 2011, we continued enhancing these tools, of which we delivered four new releases. In addition to 13 bug fixes, the following enhancements have been brought:

The Lotos NTlanguage was extended with range types (which are interval subtypes of character, integer, or natural types) and predicate types (which are subtypes of existing types, a boolean predicate being used to determine the domain of each subtype).

The
Lotos NTlanguage was enriched with the concept of “module pragmas”, which specify implementation constraints for predefined types such as
naturals, integers, and strings. Also, the predefined operations “
**first**” and “
**last**” have been added for enumerated types.

The Lnt2Lotostranslator was made semantically stricter by adding checks for overflow and underflow when doing natural and integer arithmetics, checking that range type bounds and array type bounds belong to the domain of admissible values for their parent types, and adding additional checks for type pragmas.

The
Lotoscode generated by the
Lnt2Lotostranslator was optimized by handling equation premises (in the data part) and boolean guards (in the behavior part) that are always
false or always true. Other optimizations have been added for process definitions whose bodies are empty or only contain a call to another process, for “
**case**” statements that are followed by no instruction or only a “
**null**” instruction, and for “
**while**” loops with an empty body.

The speed of processing Lotos NTspecifications containing several modules has been made between two and three times faster.

The error and warning messages issued by the Lotos NTtools have been enhanced.

The reference manual has been corrected, reorganized and comprehensively edited. Two new appendices have been added, one that lists all the predefined functions, and another one (20 pages) giving the formal semantics of Lotos NT.

Although process algebras are, from a technical point of view, the best formalism to describe concurrent systems, they are not used as widely as they could be . Besides the steep learning curve of process algebras, which is traditionally mentioned as the main reason for this situation, it seems also that the process algebra community scattered its efforts by developing too many languages, similar in concept but incompatible in practice. Even the advent of two international standards, such as Lotos(in 1989) and E-Lotos(in 2001), did not remedy this fragmentation. To address this problem, we started investigating source-level translators from various process algebras into Lotosor Lotos NT, so as to widen the applicability of the Cadptools.

In 2011, in addition to the Lnt.Opentool suite (see § ), we worked on the following translators:

We continued our work on the
Flactool, which translates a
Fiacreprogram into a
Lotosprogram automatically, for verification using
Cadp. In 2011, 2 bugs reported by users of
Flacwere corrected. Those corrections led to revisions 74 and 75 of the
Flaccode, which is available on the development forge dedicated to
Fiacrecompilers
`http://
gforge.
enseeiht.
fr/
projects/
fiacre-compil`

Bpel(
*Business Process Execution Language*)
is a language inspired by the

Following interest expressed by research teams at Mitand the Polytechnic University of Bucharest, we designed translation rules from Bpelto Lotos NTin order to formally verify Bpelservices with Cadp. We began to develop an automated translator.

In 2011, following a remark by Charles Pecheur (Université Catholique de Louvain, Belgium) who spotted an error in the translation of Bpelprocesses into Lotos NT, we corrected the translation of exception handling so that it no longer interferes with the atomicity mechanism. The complete translation algorithm is given in Damien Thivolle's PhD thesis . We pursued the implementation of our Bpelto Lotos NTtranslator and finalized the translation of XmlSchema types and Wsdldefinitions.

In 2011, we have extended the

The
Pic2Lnttranslator was extended accordingly. It now consists of

Mutual exclusion protocols are an essential building block of concurrent systems to ensure proper use of shared resources in the presence of concurrent accesses. Many variants of mutual exclusion protocols exist for shared memory, such as Peterson's or Dekker's well-known protocols. Although the functional correctness of these protocols has been studied extensively, relatively little attention has been paid to their performance aspects.

In 2011, we considered a set of 27 mutual exclusion protocols for up to sixteen processes with a shared memory and coherent local caches. We specified each protocol in
Lotos NT, using a set of generic modules to describe shared variables, the cache protocol, and the overall architectures (in total,

Finally, using the performance evaluation tools of Cadp(i.e., Bcg_Steadyfor small numbers of processes and Cunctatorfor larger numbers of processes), we computed the steady-state throughputs of critical section accesses by varying several parameters (relative speeds of processes, ratio between the time spent in critical and non-critical sections, etc.).

These experiments enabled us to compare the protocols according to their efficiency (steady-state throughputs) and study also their scalability for an increasing number of processors. We observed that symmetric protocols are more robust when the difference in execution speed between processes is large, which confirms the importance of the symmetry requirement originally formulated by Dijkstra . The quantitative results corroborated those of functional verification: the presence of (asymmetric) starvation of processes, detected using temporal formulas, was clearly reflected in their steady-state throughputs. Our results also corroborate experimental measures found in the literature .

In 2011 we focused on the Dtd(Dynamic Task Dispatcher) hardware block that assigns a set of application tasks on a set of Pes. It is called dynamic because each task itself might add tasks to the set of those to be dispatched by the Dtd. The Dtdis synthesized from a C++ model, optimized to generate an efficient hardware block. Due to the intrinsic complexity of the Dtd, STMicroelectronicswas interested in the co-simulation of this C++ code with a formal model of the Dtd.

In a first step, we generalized the
Lotos NTmodel of the
Dtddeveloped in 2010 to allow the handling of an arbitrary number of
Pes (

Then, for each generated Lts, we verified several properties, such as the correctness of assertions inserted in the model (by checking the set of transition labels), the termination of the scenario, or that each task is executed exactly once. We expressed the latter properties using the Mcllanguage and verified them using the Evaluator 4 model checker. This allowed us to point out a difference between our implementation and the one from the architect, highlighting a high sensibility on the order of terms in an equation, revealing an under-specified mechanism. We also verified the correctness of a complex optimization.

Having gained confidence in the Lotos NTmodel, we applied the Exec/Cæsarframework to co-simulate the C++ and Lotos NTmodels of the Dtd, a challenge being the connection of the asynchronous Lotos NTmodel with the synchronous C++ model, because one step of the C++ model corresponds, in general, to several transitions of the Lotos NTmodel.

This case study enabled us to discover and correct a few bugs in Cadpand led to a publication in an international conference .

Cloud computing emerged a few years ago as a major topic in modern programming. It leverages hosting platforms based on virtualization, and promises to deliver resources and applications
that are faster and cheaper with a new software licensing and billing model based on the
*pay-per-use*concept.

Distributed applications in the cloud are composed of a set of virtual machines ( Vms) running a set of interconnected software components. However, the task of configuring distributed applications is complex as each Vmincludes many parameters either for local configuration (e.g., pool size, authentication data) or remote interconnection (e.g., Ipaddress and port to access a server). Existing deployment solutions are often specific to certain applications and rarely take into account these configuration parameters, which are usually managed by dedicated scripts that do not work fully automatically.

Together with Xavier Etchevers, Thierry Coupaye (Orange labs), Fabienne Boyer, and Noël de Palma ( InriaGrenoble), we worked on the verification of an innovative self-configuration protocol that automates the configuration of distributed applications in the cloud without requiring any centralized server nor a scripting effort. The high degree of parallelism involved in this protocol making its design difficult and error-prone, we decided to specify the protocol using Lotos NTand to verify it with Cadp. So doing, we detected a major bug, which was corrected in the reference Javaimplementation. The Lotos NTspecification also served as a workbench to experiment with several possible communication models, which helped us to avoid an erroneous design.

These results have been published in .

The specification and the analysis of interactions among distributed components play an important role in service-oriented computing. In order to facilitate the integration of
independently developed components (named
*peers*) that may reside in different organizations, it is necessary to provide a global contract that the peers participating in a service composition should adhere to. Such a contract
is called
*choreography*. One important problem in a top-down development process is figuring out whether a choreography specification can be implemented by a set of peers that communicate via
message passing. Given a choreography specification, it would be desirable to generate peers automatically by projecting the global choreography specification to each peer ignoring all
messages that are not sent or received by that peer. However, generation of peers that precisely implement a choreography specification is not always possible, i.e., there are choreographies
that are not implementable by a set of distributed peers. This problem is known as
*realizability*.

In 2011, we considered the following aspects of the realizability problem:

In collaboration with Gregor Gössler ( InriaGrenoble) we studied the realizability of choreographies for peers interacting asynchronously through message buffers. Although this problem is generally undecidable for unbounded buffers, we proposed techniques to check whether peers interacting asynchronously with finite buffers can realize a choreography, and if so, for which buffer sizes. These results have been published in .

In collaboration with Pascal Poizat (
Lri, Orsay), we proposed an approach to check the realizability of choreographies using the interaction model of
Bpmn(
*Business Process Modeling Notation*) 2.0. While being a standard for the abstract specification of business workflows and collaboration between services,
Bpmnhas only been recently extended into
Bpmn 2.0 to support choreographies. Our approach is based on a model transformation into
Lotos NTand the use of equivalence checking. We implemented a prototype of our approach using the
Eclipse
Bpmn 2.0 editor and
Cadp. These results have been published in
.

In collaboration with Meriem Ouederni ( Lina, Nantes), we studied the automatic synthesis of monitors to enforce realizability, using Cadpto check equivalence between the choreography and an automatically obtained distributed implementation.

In the context of the
Topcasedproject (see §
), we studied how
Cadpcan be used to verify avionics protocols. In 2011, we prepared two lectures summarizing our prior results on four avionic protocols,
namely a ground/plane communication protocol based on
Tftp(
*Trivial File Transfer Protocol*)
, the
Bite(
*Built In Test Equipment*)/
Cms(
*Central Maintenance Function*), the
Atc(
*Air Traffic Control*) system, and the
Afn(
*Air Traffic System Facilities Notification*).

Our prior work (2009–2010) with Fabienne Boyer and Olivier Gruber (Université Joseph Fourier Grenoble) on modeling and verification using Lotos NTand Cadpof the Synergyreconfiguration protocol led to a publication in an international conference .

Other teams also used the Cadptoolbox for various case studies. To cite only recent work not already described in previous Vasyactivity reports, we can mention:

behavior analysis of malware by rewriting-based abstraction ;

safety verification of fault-tolerant distributed components ;

verification of mobile ad hoc networks ;

model checking Erlangapplications ;

model-checking dataflow in service compositions ;

verification of a key chain based Ttptransparent Cemprotocol ;

semantics tuning of Uml/SysMl ;

atomicity maintenance in Epcreportof Ale ;

cost analysis of semantic composability validation ;

rigorous development of prompting dialogs ;

scalably verifiable cache coherence .

Multival(
*Validation of Multiprocessor Multithreaded Architectures*) is a project of
Minalogic, the
*pôle de compétitivité mondial*dedicated to micro-nano technologies and embedded software for systems on chip (
EmSoCcluster of
Minalogic). It is funded by the French government (
*Fonds Unique Interministériel*) and the
*Conseil Général de l'Isère*.
Multivaladdresses verification and performance evaluation issues for three innovative asynchronous architectures developed by
Bull,
Cea/
Leti, and
STMicroelectronics.

Multivalstarted in December 2006 and was extended until May 2011. In 2011, we focused our activities on the enhancement of Cadp(see § and § ) and, in collaboration with our partners, on the verification of the Dtd(see § ).

Topcased(
*Toolkit in OPen-source for Critical Application and SystEms Development*) is a project of
Aese, the French
*pôle de compétitivité mondial*dedicated to aeronautics, space, and embedded systems. This project gathers 23 partners, including companies developing safety-critical systems such as
Airbus(leader),
Astrium,
Atos Origin,
Cs,
Siemens Vdo, and
Thales Aerospace.

Topcaseddevelops a modular, open-source, generic
Case(
*Computer-Aided Software Engineering*) environment providing methods and tools for embedded system development, ranging from system and architecture specifications to software and hardware
implementation through equipment definition.
Vasycontributes to the combination of model-driven engineering and formal methods for asynchronous systems.

Topcasedstarted in August 2006 and completed in December 2010. In 2011, we enhanced the Flactranslator from Fiacreto Lotos(see § ). We participated in the final review of Topcasedand gave three lectures during the TopcasedDays (see § ).

During the International Paris Air Show (
*salon international du Bourget*), the
Topcasedproject received the
Aesetrophy of the best R&D project (category
*Systèmes, équipements et logiciels pour l'aéronautique et l'espace*).

Additionally, we collaborated in 2011 with the following Inriaproject teams:

Oasis(Sophia-Antipolis): distributed verification tools (Eric Madelaine);

Pop-Art(Rhône-Alpes): behavioral adaptation of software services and conformance checking of choreography specifications (Gregor Gössler);

Sardes(Rhône-Alpes): verification of protocols for component-based architectures and virtualization (Fabienne Boyer, Olivier Gruber, and Noël de Palma).

Beyond Inria, we had sustained scientific relations with the following researchers:

Gaëlle Calvary and Sophie Dupuy ( Lig, Grenoble);

Pascal Poizat ( Lri, Orsay);

Meriem Ouederni ( Lina, Nantes);

Xavier Blanc and Cédric Teyton ( Labri, Bordeaux).

The
Vasyproject team is member of the
Fmics(
*Formal Methods for Industrial Critical Systems*) working group of
Ercim(see
http://

In addition to our partners in aforementioned contractual collaborations, we had scientific relations in 2011 with several European universities and research centers, including:

Polytechnic University of Bucharest (Valentin Cristea);

Saarland University (Jonathan Bogdoll, Pepijn Crouzen, Arnd Hartmanns, and Holger Hermanns);

University of Coimbra (Javier Camara);

University of Málaga (Carlos Canal, Meriem Ouederni, and Ernesto Pimentel).

D. Thivolle defended his PhDthesis at the Polytechnic University of Bucharest on April 29, 2011.

Our long-term partnership with Saarland University has been strengthened by the Humboldt Forschungspreis received by H. Garavel, who started regular visits to Saarland University.

H. Garavel has participated in the review of the
Dfg(
*Deutsche Forschungsgemeinschaft*) transregional project
Avacs (
*Automatic Verification And Analysis of Complex Systems*, see
http://

H. Garavel is a member of
Ifip(
*International Federation for Information Processing*) Technical Committee 1 (
*Foundations of Computer Science*) Working Group 1.8 on Concurrency Theory chaired successively by Luca Aceto and Jos Baeten.

In 2011, we had the following scientific exchanges:

Nicolas Halbwachs (
Verimag) visited us on January 28, 2011 and gave a talk entitled “
*Analyse de programmes: propriétés numériques et tableaux*”.

Thomas Lambolais and Thanh-Liem Phan (Ecole des Mines d'Alès) visited us on February 9, 2011.

Meriem Ouederni (University of Málaga, Spain) visited us from June 27 to July 1, 2011 and from November 21 to November 25, 2011.

Freark van der Berg (University of Twente, The Netherlands) visited us on October 17–21, 2011.

Farhad Arbab (
Cwi, Amsterdam, The Netherlands) visited us on November 22, 2011 and gave a talk entitled “
*Interaction-Based Concurrency*”.

Gianluigi Zavattaro (University of Bologna, Italy) visited us on November 22, 2011 and gave a talk entitled “
*Parameterized Verification of Ad Hoc Network Protocols*”.

The annual Vasyseminar was held in Autrans (France) on November 28–30, 2011.

Xavier Blanc (La
bri, Bordeaux) attended the
Vasyannual seminar and gave on November 28, 2011 a talk entitled “
*Vpraxis et évolution d'applications Internet*”.

Christian Attiogbe (
Lina, Nantes) attended the
Vasyannual seminar and gave on November 29, 2011 a talk entitled “
*Composition dynamique de processus dans les systèmes complexes*”.

Grégory Batt (
InriaRocquencourt) attended the
Vasyannual seminar and gave on November 30, 2011 a talk entitled “
*A general computational method for robustness analysis with applications to synthetic gene networks*”.

Holger Hermanns (Saarland University) visited us on December 1st, 2011 and gave a
Ligkeynote entitled “
*From Concurrency Models to Numbers: Performance, Dependability, Energy*”.

The Vasyproject team distributes two main software tools: the Cadptoolbox (see § ) and the Traiancompiler (see § ). In 2011, the main facts are the following:

We prepared and distributed 11 successive beta-versions (from 2009-f to 2009-i and from 2010-a to 2010-g “Zurich”) of Cadp.

The number of license contracts signed for Cadpincreased from 429 to 441.

We were requested to grant Cadplicenses for 631 different computers in the world.

We co-operated with the legal department to simplify the distribution procedure for academic users of Cadp, who can now obtain the software using an entirely electronic procedure, which no longer requires the signature of paper copies of the license agreement.

We migrated all
Cadpdocumentation and Web site to reflect recent changes in email addresses (
`cadp@inria.fr`instead of
`cadp@inrialpes.fr`) and URLs (
http://

The
Vasy
Website (see
http://

In September 2007, we opened the “
CadpForum” (see
http://

In 2011, the members of Vasytook on the following responsibilities:

H. Garavel was a program committee member for the
*Topcased Daysconference, Toulouse, France, February 2–4, 2011.*

F. Lang was a program committee member for
Neptune'11 (
*Nice Environment with a Process and Tools Using Norms and Example*), Paris, France, May 17–18, 2011.

G. Salaün was publicity chair for
Discotec'11 (
*6th International Federated Conferences on Distributed Computing Techniques*), Reykjavik, Iceland, June 6–9, 2011.

H. Garavel was a program committee member for
Dcds'11 (
*3rd International Workshop on Dependable Control of Discrete Systems*), Saarbrücken, Germany, June 15–17, 2011.

G. Salaün was a program committee member for
Csse'11 (
*CSI International Symposium on Computer Science and Software Engineering*), Tehran, Iran, June 15–16, 2011.

G. Salaün was a program committee member for
Ammse'11 (
*2nd International Workshop on Algebraic Methods in Model-based Software Engineering*), Zürich, Switzerland, June 30, 2011.

R. Mateescu was a program committee member for
Pdmc'11 (
*10th International Workshop on Parallel and Distributed Methods in verifiCation*), Cliff Lodge, Snowbird, Utah, July 14, 2011.

G. Salaün was co-chair of the program committee and co-editor of the proceedings for
Fmics'11 (
*16th International Workshop on Formal Methods for Industrial Critical Systems*), Trento, Italy, August 29-30, 2011. F. Lang was program committee member for
Fmics'11.

G. Salaün was a program committee member for
Vatss'11 (
*1st International Workshop on Verification, Analysis, and Testing of Service Systems*), Szeged, Hungary, September 4, 2011.

G. Salaün was a program committee member for
Foclasa'11 (
*10th International Workshop on the Foundations of Coordination Languages and Software Architectures*, Aachen, Germany, September 10, 2011.

R. Mateescu was a program committee member for
Ecows'11 (
*9th European Conference on Web Services*), Lugano, Switzerland, September 14–16, 2011.

G. Salaün was a program committee member for
Facs'11 (
*8th International Symposium on Formal Aspects of Component Software*), Oslo, Norway, September 14–16, 2011.

G. Salaün was a program committee member for
Qasba'11 (
*International Workshop on Quality Assurance for Service-Based Applications*), Lugano, Switzerland, September 14, 2011.

G. Salaün was a program committee member for
Flacos'11 (
*5th Workshop on Formal Languages and Analysis of Contract-Oriented Software*), Málaga, Spain, September 22–23, 2011.

G. Salaün was a program committee member for
Vader'11 (
*2nd International Workshop on Variability, Adaptation and Dynamism in software systEms and seRvices*), Hersonissos, Crete, Greece, October 2011.

G. Salaün is an editorial board member of the journal “
*Service Oriented Computing and Applications*” published by Springer Verlag.

In 2011, we gave talks in several international conferences and workshops (see bibliography below). Additionally:

R. Mateescu and G. Salaün participated in the
Sardesteam seminar held at Allevard (France) on January 13, 2011. G. Salaün gave a talk entitled “
*Translating Pi-calculus into
Lotos NT
”.*

H. Garavel participated in the seminar of the 3rd-year license students of
Ens-Lyon (
*Ecole Normale Superieure de Lyon*) held in Le Pleynet (France) on January 26, 2011. He gave a talk entitled “
*Modélisation et vérification de systèmes informatiques complexes*”.

H. Garavel, F. Lang, and D. Thivolle participated in the
*Topcased Daysconference held in Toulouse (France) on February 2–4, 2011. F. Lang gave a talk entitled “
Formal Verification of Avionics Protocols using
Cadp
in
Topcased
Wp3
” on February 3, 2011. D. Thivolle gave a talk entitled “
Verification of GALS Systems using
Topcased
and
Cadp
with an Application to a Ground/Plane Communication Protocol” on February 4, 2011.*

H. Garavel gave a talk entitled “
*Cadp 2010: A Toolbox for the Construction and Analysis of Distributed Processes” at
Verimagon March 3, 2011.*

G. Salaün gave a talk entitled “
*Realizability of Choreographies using Process Algebra Encodings*” at
Lri(Orsay, France) on March 28, 2011.

G. Salaün gave a talk entitled “
*Specifying and Verifying the*
Synergy
*Reconfiguration Protocol with
Lotos NT
and
Cadp
” at the University of Málaga (Spain) on May 11, 2011.*

F. Lang participated in the
Rocks(
*RigorOus dependability analysis using model ChecKing techniques for Stochastic systems*) held in Saarbrücken (Germany) on March 26–27, 2011. He gave a talk entitled “
*Ten Years of Performance Evaluation of Concurrent Systems using
Cadp
”.*

H. Garavel participated in the
Dcds'11 (
*3rd International Workshop on Dependable Control of Discrete Systems*) held in Saarbrücken (Germany) on June 15–17, 2011.

H. Garavel participated in the 8th
LaserSummer School on “Software Engineering – Tools for Practical Software Verification” held on Elba Island (Italy) on September 4–10, 2011. He
gave a talk entitled “
*Cadp 2010: A Toolbox for the Construction and Analysis of Distributed Processes”.*

R. Mateescu gave a keynote presentation entitled “
*Model Checking and Performance Evaluation with
Cadp
Illustrated on Shared-Memory Mutual Exclusion Protocolsat the
Safa'2012 workshop held in Sophia-Antipolis (France) on October 12, 2011.*

M. Güdemann participated in the seminar “
*Journées scientifiques EA-ARC-ADT*” held in Paris (France) on November 16–17, 2011.

H. Garavel and R. Mateescu participated in the
Fmicsworking group seminar held in Paris on December 12th, 2011. H. Garavel gave a talk entitled “
*Three Decades of Success Stories in Formal Methods*”. R. Mateescu gave a talk entitled “
*Analysis of Mutual Exclusion Protocols using
Cadp
”.*

The
Vasyproject team is a host team for the computer science master entitled “
*Mathématiques, Informatique, spécialité : Systèmes et Logiciels*”, common to Grenoble
Inpand Université Joseph Fourier.

In 2011:

H. Garavel, F. Lang, and W. Serwe gave, jointly with Pascal Raymond (
Cnrs,
Verimag), a course on “
*Méthodes formelles de développement*” to the computer science engineering students of
Cnam(
*Conservatoire National des Arts et Métiers*) Grenoble (30 hours).

F. Lang and W. Serwe gave a course on “
*Modélisation et Vérification des Systèmes Concurrents et Temps-Réel*” to the 3rd year students of
Ensimag(18 hours).

G. Salaün gave lectures on “
*Algorithmics and Object-Oriented Programming*” to the 2nd year students of
Ensimag(36 hours).

G. Salaün gave a course on “
*Specification, Verification, and Adaptation of Web Services*” to master students in Málaga, Spain, in May 2011 (10 hours).

G. Salaün is co-responsible of the
Isi(
*Ingénierie des systèmes d'information*) department of
Ensimagsince September 1, 2011.

R. Mateescu was a reviewer for Eric Madelaine's habilitation thesis, entitled “
*Specification, Model Generation, and Verification of Distributed Applications*”, defended at the University of Nice – Sophia-Antipolis on September 29, 2011.

G. Salaün co-supervised the PhD thesis of Meriem Ouederni (University of Málaga, Spain), defended at the University of Málaga, Spain, on October 28, 2011.

H. Garavel was a jury member for Matthias Raffelsiepers's PhD thesis, entitled “
*Cell Libraries and Verification*”, defended at the Technical University of Eindhoven on November 2, 2011.

G. Salaün defended an habilitation thesis on November 22, 2011.

R. Mateescu was a reviewer for Rodrigo Tacla Saad's PhD thesis, entitled “
*Parallel Model Checking for Multiprocessor Architecture*”, defended at
InsaToulouse on December 20, 2011.

Within the
Minalogic
*pôle de compétitivité mondial*, H. Garavel is a member of the operational committee of the
EmSoCcluster (
*Embedded System on Chip*).

H. Garavel is a member of the scientific council of the
Gis(
*Groupement d'Intérêt Scientifique*) consortium
3sgson supervision, safety, and security of large systems.

H. Garavel is a member of the evaluation committee for the
Anr(
*Agence Nationale de la Recherche*) programme “
*Ingénierie Numérique et Sécurité*”.

H. Garavel is a member of the Ligworking group in charge of restructuring the scientific themes of the laboratory.

H. Garavel participated in the selection committee for a
*professeur des universités*position at the University of Nice – Sophia-Antipolis.

H. Garavel was a reviewer for the German Research Foundation ( Dfg), the Netherlands Organisation for Scientific Research ( Nwo), and the Dutch Technology Foundation ( Stw).

F. Lang is a member of the “
*commission du développement technologique*”, which is in charge of selecting R&D projects for
InriaGrenoble Rhône-Alpes.

R. Mateescu is the correspondent of the “
*Département des Partenariats Européens*” for
InriaGrenoble Rhône-Alpes.

On November 1st, 2011, R. Mateescu was elected coordinator of the ErcimWorking Group Fmics(Formal Methods for Industrial Critical Systems) for the next three years.

G. Salaün is a member of the
LigCouncil (
*Conseil de laboratoire*).

G. Salaün is a member of the
EnsimagCouncil (
*Conseil de l'école*).