The Spades project-team aims at contributing to meet the challenge of designing and programming dependable embedded systems in an increasingly distributed and dynamic context. Specifically, by exploiting formal methods and techniques, Spades aims to answer three key questions:

How to program open networked embedded systems as dynamic adaptive modular structures?

How to program reactive systems with real-time and resource constraints on multicore architectures?

How to program reliable, fault-tolerant embedded systems with different levels of criticality?

These questions above are not new, but answering them in the context of modern embedded systems, which are
increasingly distributed, open and dynamic in nature ,
makes them more pressing and more difficult to address:
the targeted system properties – dynamic modularity, time-predictability, energy efficiency, and fault-tolerance –
are largely antagonistic (*e.g.*, having a highly dynamic software structure is at variance with ensuring that resource and behavioral constraints are met).
Tackling these questions together is crucial to address this antagonism,
and constitutes a key point of the Spades research program.

A few remarks are in order:

We consider these questions to be central in the construction of future embedded systems, dealing as they are with, roughly, software architecture and the provision of real-time and fault-tolerance guarantees. Building a safety-critical embedded system cannot avoid dealing with these three concerns.

The three questions above are highly connected. For instance, composability along time, resource consumption and reliability dimensions are key to the success of a component-based approach to embedded systems construction.

For us, “Programming” means any constructive process to build a running system. It can encompass traditional programming as well as high-level design or “model-based engineering” activities, provided that the latter are supported by effective compiling tools to produce a running system.

We aim to provide semantically sound programming tools for embedded systems. This translates into an emphasis on formal methods and tools for the development of provably dependable systems.

The SPADES research program is organized around three main themes,
*Components and contracts*, *Real-time multicore programming*, and
*Language-based fault tolerance*, that seek to answer the three key questions identified in Section .
We plan to do so by developing and/or building on programming languages and techniques based on formal methods and formal semantics
(hence the use of *“sound programming”* in the project-team title).
In particular, we seek to support design where correctness is obtained by construction, relying on proven tools and verified constructs,
with programming languages and programming abstractions designed with verification in mind.

Component-based construction has long been advocated as a key approach
to the “correct-by-construction” design of complex embedded systems .
Witness component-based toolsets such as UC Berkeley's Ptolemy ,
Verimag's BIP , or the modular architecture frameworks used, for
instance, in the automotive industry (AUTOSAR) .
For building large, complex systems, a key feature of component-based
construction is the ability to associate with components a set of
*contracts*, which can be understood as rich behavioral types that can be composed and verified
to guarantee a component assemblage will meet desired properties.
The goal in this theme is to study the formal foundations of the component-based construction of embedded systems,
to develop component and contract theories dealing with real-time, reliability and fault-tolerance aspects of components,
and to develop proof-assistant-based tools for the computer-aided design and verification of component-based systems.

Formal models for component-based design are
an active area of research (see *e.g.*, , ). However, we are still missing a comprehensive
formal model and its associated behavioral theory able to deal *at the same time* with different forms of composition,
dynamic component structures, and
quantitative constraints (such as timing, fault-tolerance, or energy consumption).
Notions of contracts and interface theories have been proposed to support
modular and compositional design of correct-by-construction
embedded systems (see *e.g.*, ,
and the references therein), but having a comprehensive theory of contracts that deals with all the above
aspects is still an open question . In particular, it is not clear how to accomodate different forms of composition,
reliability and fault-tolerance aspects, or to deal with evolving component structures in a theory of contracts.

Dealing in the same component theory with heterogeneous forms of composition,
different quantitative aspects, and dynamic configurations, requires
to consider together the three elements that comprise a component model: behavior, structure and types.
*Behavior* refers to behavioral (interaction and execution) models that characterize the behavior of components and component assemblages
(*e.g.*, transition systems and their multiple variants – timed, stochastic, etc.).
*Structure* refers to the organization of component assemblages or configurations, and the composition operators they involve.
*Types* refer to properties or contracts that can be attached to components and component interfaces to facilitate separate development
and ensure the correctness of component configurations with respect to certain properties.
Taking into account dynamicity requires to establish an explicit link between behavior and structure,
as well as to consider higher-order systems, both of which have a direct impact on types.

We plan to develop our component theory by progressing on two fronts: component calculi, and semantical framework. The work on typed component calculi aims to elicit process calculi that capture the main insights of component-based design and programming and that can serve as a bridge towards actual architecture description and programming language developments. The work on the semantical framework should, in the longer term, provide abstract mathematical models for the more operational and linguistic analysis afforded by component calculi. Our work on component theory will find its application in the development of a Coq-based toolchain for the certified design and construction of dependable embedded systems, which constitutes our third main objective for this axis.

Programming real-time systems (i.e. systems whose correct behavior depends on meeting timing constraints)
requires appropriate languages (as exemplified by the family of synchronous languages ),
but also the support of efficient scheduling policies, execution time and schedulability analyses
to guarantee real-time constraints (*e.g.*, deadlines) while making the most effective use of available (processing, memory, or networking) resources.
Schedulability analysis involves analyzing the worst-case behavior of real-time tasks under a given scheduling algorithm and is crucial to
guarantee that time constraints are met in any possible execution of the system.
Reactive programming and real-time scheduling and schedulability for multiprocessor systems are old subjects,
but they are nowhere as mature as their uniprocessor counterparts,
and still feature a number of open research questions , ,
in particular in relation with mixed criticality systems.
The main goal in this theme is to address several of these open questions.

We intend to focus on two issues: multicriteria scheduling on multiprocessors,
and schedulability analysis for real-time multiprocessor systems. Beyond real-time aspects, multiprocessor environments, and multicore ones
in particular, are subject to several constraints *in conjunction*, typically involving real-time, reliability and energy-efficiency constraints,
making the scheduling problem more complex for both the offline and the online cases. Schedulability analysis for multiprocessor systems, in particular
for systems with mixed criticality tasks, is still very much an open research area.

Distributed reactive programming is rightly singled out as a major open issue in the recent, but heavily biased (it essentially ignores recent research in synchronous and dataflow programming), survey by Bainomugisha et al. . For our part, we intend to focus on two questions: devising synchronous programming languages for distributed systems and precision-timed architectures, and devising dataflow languages for multiprocessors supporting dynamicity and parametricity while enjoying effective analyses for meeting real-time, resource and energy constraints in conjunction.

Tolerating faults is a clear and present necessity in networked embedded systems. At the hardware level, modern multicore architectures are manufactured using inherently unreliable technologies , . The evolution of embedded systems towards increasingly distributed architectures highlighted in the introductory section means that dealing with partial failures, as in Web-based distributed systems, becomes an important issue. While fault-tolerance is an old and much researched topic, several important questions remain open: automation of fault-tolerance provision, composable abstractions for fault-tolerance, fault diagnosis, and fault isolation.

The first question is related to the old question of “system structure for fault-tolerance” as originally discussed by Randell for software fault tolerance , and concerns in part our ability to clearly separate fault-tolerance aspects from the design and programming of purely “functional” aspects of an application. The classical arguments in favor of a clear separation of fault-tolerance concerns from application code revolve around reduced code and maintenance complexity .
The second question concerns the definition of appropriate abstractions for the modular construction of fault-tolerant embedded systems.
The current set of techniques available for building such systems spans a wide range, including exception handling facilities, transaction management
schemes, rollback/recovery schemes, and replication protocols.
Unfortunately, these different techniques do not necessarily compose well
– for instance, combining exception handling and transactions is non trivial, witness the flurry of recent work on the topic, see *e.g.*, and the references therein –,
they have no common semantical basis, and they suffer from limited programming language support.
The third question concerns the identification of causes for faulty behavior in component-based assemblages.
It is directly related to the much researched area of fault diagnosis, fault detection and isolation .

We intend to address these questions by leveraging programming language techniques
(programming constructs, formal semantics, static analyses, program transformations) with the goal to achieve provable fault-tolerance,
i.e. the construction of systems whose fault-tolerance can be formally ensured using verification tools and proof assistants.
We aim in this axis to address some of the issues raised by the above open questions
by using aspect-oriented programming techniques and program transformations to automate
the inclusion of fault-tolerance in systems (software as well as hardware), by exploiting reversible programming models to investigate
composable recovery abstractions, and by leveraging causality analyses to study fault-ascription in component-based systems.
Compared to the huge literature on fault-tolerance in general, in particular in the systems area (see *e.g.*,
for an interesting but not so recent survey), we find by comparison much less work exploiting formal language techniques and tools
to achieve or support fault-tolerance.
The works reported in , , , , , ,
provide a representative sample of recent such works.

A common theme in this axis is the use and exploitation of causality information.
Causality, i.e., the logical dependence of an effect on a cause, has long been studied in disciplines such as
philosophy , natural sciences, law , and statistics ,
but it has only recently emerged as an important focus of research in computer science.
The analysis of logical causality has applications in many areas of computer science. For instance,
tracking and analyzing logical causality between events in the execution of a concurrent system is required to ensure
reversibility , to allow the diagnosis of faults in a complex concurrent system ,
or to enforce accountability , that is, designing systems in such a way that it can be determined without
ambiguity whether a required safety or security property has been violated, and why. More generally, the goal of fault-tolerance
can be understood as being to prevent certain causal chains from occurring by designing systems such that each causal chain
either has its premises outside of the fault model (*e.g.*, by introducing redundancy ),
or is broken (*e.g.*, by limiting fault propagation ).

Our applications are in the embedded system area, typically: transportation, energy production, robotics, telecommunications, systems on chip (SoC). In some areas, safety is critical, and motivates the investment in formal methods and techniques for design. But even in less critical contexts, like telecommunications and multimedia, these techniques can be beneficial in improving the efficiency and the quality of designs, as well as the cost of the programming and the validation processes.

Industrial acceptance of formal techniques, as well as their
deployment, goes necessarily through their usability by
specialists of the application domain, rather than of the formal
techniques themselves. Hence, we are looking to propose
domain-specific (but generic) realistic models,
validated through experience (*e.g.*, control tasks systems), based
on formal techniques with a high degree of automation (*e.g.*, synchronous models), and tailored for concrete functionalities
(*e.g.*, code generation).

The commercially available design tools (such as UML with
real-time extensions, Matlab/ Simulink/
dSpace

Regarding the synchronous approach, commercial tools are
available:
Scade

Regarding applications and case studies with industrial end-users of our techniques, we cooperate with STMicroelectronics on dynamic data-flow models of computation for streaming applications, dedicated to high definition video applications for their new Sthorm manycore chip.

We are developing LoCa, a prototype tool written in Scala that implements the analysis of logical causality described in . LoCa currently supports causality analysis in Bip and networks of timed automata. The core analysis engine is implemented as an abstract class, such that support for other models of computation (MoC) can be added by instantiating the class with the basic operations of the MoC.

We have developed Cosyma, a tool for automatic controller synthesis for incrementally stable switched systems based on multi-scale discrete abstractions. The tool accepts a description of a switched system represented by a set of differential equations and the sampling parameters used to define an approximation of the state-space on which discrete abstractions are computed. The tool generates a controller — if it exists — for the system that enforces a given safety or time-bounded reachability specification.

The SIAAM abstract machine is an object-based realization of the Actor model of concurrent computation. Actors can exchange arbitrary object graphs in messages while still enjoying a strong isolation property. It guarantees that each actor can only directly access objects in its own local heap, and that information between actors can only flow via message exchange. The SIAAM machine has been implemented for Java as a modified Jikes virtual machine. The resulting SIAAM software comprises:

A modified Jikes RVM that implements actors and actor isolation as specified by the SIAAM machine.

A set of static analyses build using the Soot Java optimization framework for optimizing the execution of the SIAAM/Jikes virtual machine, and for helping programmers diagnose potential performance issues.

A formal proof using the Coq proof assistant of the SIAAM isolation property.

The SIAAM machine is the subject of Quentin Sabah's PhD thesis .

We are developing pyCPA_TCA, a pyCPA plugin for Typical Worst-Case Analysis as described in Section . pyCPA is an open-source Python implementation of Compositional Performance Analysis developed at TU Braunschweig, which allows in particular response-time analysis. pyCPA_TCA is an extension of this tool that is co-developed by Sophie Quinton and Zain Hammadeh at TU Braunschweig. It allows in particular the computation of weakly-hard guarantees for real-time tasks, i.e. number of deadline misses out of a sequence of executions. So far, pyCPA_TCA is restricted to uniprocessor systems of independent tasks, scheduled according to static priority scheduling.

The design of configurable systems can be streamlined and made more systematic by adopting a component-based structure, as demonstrated with the Fractal component model . However, the formal foundations for configurable component-based systems, featuring higher-order capabilities where components can be dynamically instantiated and passivated, and non-hierarchical structures where components can be contained in different composites at the same time, are still an open topic. We have developed recently the location graph model , where components are understood as graphs of locations hosting higher-order processes, and where component structures can be arbitrary graphs. We have developed a compositional operational semantics for the location graph model, which is parametric with respect to the family of processes. We have shown that the location graph model constitutes a conservative extension of a previous model, called CAB, that captures the key features of the BIP component model . We have further worked on the behavioral theory of the location graph model, characterizing contextual equivalence in the model by means of a higher-order bisimularity relation, and begun the study of the encoding of different models, including the Synchronized Hyperedge Replacement model .

Recent data-flow programming environments support applications whose
behavior is characterized by dynamic variations in resource
requirements. The high expressive power of the underlying models (*e.g.*, Kahn Process Networks or the CAL actor language) makes it challenging to
ensure predictable behavior. In particular, checking *liveness*
(*i.e.*, no part of the system will deadlock) and *boundedness* (*i.e.*, the system can be executed in finite memory) is known to be hard or
even undecidable for such models. This situation is troublesome for
the design of high-quality embedded systems.

Recently, we have introduced the *schedulable parametric data-flow* (SPDF)
MoC for dynamic streaming applications .
SPDF extends the standard dataflow model by allowing rates to be parametric.
Last year, we have proposed the *Boolean Parametric Data Flow* (BPDF)
MoC which combines integer parameters (to express dynamic rates) and
boolean parameters (to express the activation and deactivation of communication channels).
High dynamicity is provided by integer parameters which can
change at each basic iteration and boolean parameters which
can change even within the iteration.
We have presented static analyses which ensure the liveness
and the boundedness of BDPF graphs.

Recently, we have proposed a generic and flexible framework to generate parallel schedules for BPDF applications . The parametric dataflow graph is associated with user-defined specific constraints aimed at minimizing, timing, buffer sizes, power consumption, or other criteria. The scheduling algorithm executes with minimal overhead and can be adapted to different scheduling policies just by changing some constraints. The safety of both the dataflow graph and constraints can be checked statically and all schedules are guaranteed to be bounded and deadlock free. Our case studies are video decoders for high definition video streaming such as VC-1. One of the target architectures is the Sthorm many-core platform designed by STMicroelectronics.

This research is the central topic of Vagelis Bebelis' PhD thesis. It is conducted in collaboration with STMicroelectronics.

Weakly hard time constraints have been proposed for applications where occasional deadline misses are permitted. We have recently developed Typical Worst Case Analysis (TWCA) to exploit similar constraints and bound response times of systems with sporadic overload. This year, we have applied this approach to a real-life automotive network . Additionally, we have extended the approach for static priority preemptive (SPP) and static priority non-preemptive (SPNP) scheduling to determine the maximum number of deadline misses of a given task . The approach is based on an optimization problem which trades off higher priority interference versus miss count. We formally derived a lattice structure for these combinations that lays the ground for an integer linear programming (ILP) formulation. The ILP solution was evaluated and provided far better results than previous TWCA.

In parallel, we have contributed to a systematic co-engineering approach that integrates TWCA into functional analysis . We combine physical, control and timing models by representing them as a network of hybrid automata. Closed-loop properties can then be verified on this hybrid automata network by using standard model checkers for hybrid systems. The use of the Logical Execution Time (LET) semantics where data is written back deterministically at the typical worst-case response time (rather than the usual worst-case bound) is a new and particularly powerful approach for addressing the computational complexity of the model checking problem.

In the context of the Rippes associated team with UC Berkeley and
U Auckland, we have finalized ongoing work on our synchronous
programming language for time predictability
Pret-C . Pret-C extends C with synchronous
constructs inspired by Esterel, to allow an easy programming of
concurrent reactive programs. These constructs allow the programmer to
express concurrency, interaction with the environment, looping, and a
synchronization barrier (like the `pause` statement in
Esterel). Pret-C's semantics is deterministic, and it can be
efficiently compiled towards sequential code, either executed on a
dedicated processor for the best predictability of the program's
Worst-Case Reaction Time (WCRT), or executed on a generic processor.

We have also continued our work on ForeC, a time predictable synchronous programming language for multi-core chips. Like Pret-C, it extends C with a small set of Esterel-like synchronous primitives. ForeC threads communicate with each other via shared variables, the values of which are combined at the end of each tick to maintain deterministic execution. ForeC is compiled into threads that are then statically scheduled for a target multi-core chip. This is the main difference with Pret-C. We have finalized the semantics of ForeC, which led us to propose several ways to combine shared variables at the tick boundaries, such that the semantics remains deterministic. This part was inspired by the so-called concurrent revisions .

Finally, with colleagues from the former ArtistDesign European Network of Excellence, we have also participated in a survey on predictable embedded systems .

We have continued our work on multi-criteria scheduling, in the particular context of dynamic applications that are launched and terminated on an embedded multi-core chip, under execution time and energy consumption constraints. We have proposed a two layer adaptive scheduling method. In the first layer, each application (represented as a DAG of tasks) is scheduled statically on sets of cores: 2 cores, 3 cores, 4 cores, and so on. For each size of these sets (2, 3, 4, ...), there may be only one topology or several topologies. For instance, for 2 or 3 cores there is only one topology (a “line”), while for 4 cores there are three distinct topologies (“line”, “square”, and “T shape”). Moreover, for each topology, we generate statically several schedules, each one subject to a different total energy consumption constraint, and consequently with a different Worst-Case Reaction Time (WCRT). Coping with the energy consumption constraints is achieved thanks to Dynamic Frequency and Voltage Scaling (DVFS). In the second layer, we use these pre-generated static schedules to reconfigure dynamically the applications running on the multi-core each time a new application is launched or an existing one is stopped. The goal of the second layer is to perform a global optimization of the configuration, such that each running application meets a pre-defined quality-of-service constraint (translated into an upper bound on its WCRT) and such that the total energy consumption is minimized. For this, we (1) allocate a sufficient number of cores to each active application, (2) allocate the unassigned cores to the applications yielding the largest gain in energy, and (3) choose for each application the best topology for its subset of cores (i.e., better than the by default “line” topology).

This is a joint work with Ismail Assayad (U. Casablanca, Morocco) who visits the team regularly.

In the past years, we have studied the implementation of specific
fault tolerance techniques in real-time embedded systems using program
transformation .
We are now investigating the use of automatic transformations to ensure
fault-tolerance properties in digital circuits. To this aim,
we consider program transformations for hardware description languages (HDL).
We consider both single-event upsets (SEU) and single-event transients (SET)
and fault models of the form
“at most 1 SEU or SET within

We have expressed several variants of triple modular redundancy (TMR)
as program transformations.
We have proposed a verification-based approach to minimize the
number of voters in TMR .
Our technique guarantees that the resulting circuit *(i)* is fault
tolerant to the soft-errors defined by the fault model and *(ii)* is
functionally equivalent to the initial one. Our approach operates
at the logic level and takes into account the input and output
interface specifications of the circuit. Its implementation makes
use of graph traversal algorithms, fixed-point iterations, and
BDDs. Experimental results on the ITC’99 benchmark suite
indicate that our method significantly decreases the number of
inserted voters, which entails a hardware reduction of up to
55% and a clock frequency increase of up to 35% compared
to full TMR. We address scalability issues arising from formal
verification with approximations and assess their efficiency and
precision.

We have proposed novel fault-tolerance transformations based on time-redundancy. In particular, we have presented a transformation using double-time redundancy (DTR) coupled with micro-checkpointing, rollback and a speedup mode . The approach is capable to mask any SET every 10 cycles and keeps the same input/output behavior regardless error occurrences. Experimental results on the ITC'99 benchmark suite indicate that the hardware overhead is 2.7 to 6.1 times smaller than full TMR with double loss in throughput. It is an interesting alternative to TMR for logic intensive designs.

We have also designed a transformation that allows the circuit to change its level of time-redundancy. This feature permits to dynamically and temporarily give up (resp. increase) fault-tolerance and speed up (resp. slow down) the circuit. The motivations for such changes can be based on the observed change in radiation environment or the processing of (non)critical data. These different time redundancy transformations have been patented

We have started the formal certification of such transformations using
the Coq proof assistant .
The transformations are described on a simple gate-level hardware
description language inspired from

In the recent years, we have been investigating reversible concurrent computation, and investigated various reversible concurrent programming models, with the hope that reversibility can shed some light on the common semantic features underlying various forms of fault recovery techniques (including, exceptions, transactions, and checkpoint/rollback schemes).

We have revisited our encoding of our reversible higher-order

The failure of one component may entail a cascade of failures in other components; several components may also fail independently. In such cases, elucidating the exact scenario that led to the failure is a complex and tedious task that requires significant expertise.

The notion of causality *(did an event $e$ cause an event ${e}^{\text{'}}$?)*
has been studied in many disciplines, including philosophy, logic,
statistics, and law. The definitions of causality studied in these
disciplines usually amount to variants of the counterfactual test
“

We have proposed in an approach for
blaming in component-based real-time systems whose component
specifications are given as timed automata. The analysis is based on a
single execution trace violating a safety property

We have integrated a complete workflow to synthesize and implement correct-by-construction fault tolerant distributed embedded systems consisting of real-time periodic tasks. Correct-by-construction is provided by the use of discrete controller synthesis (DCS), a formal method thanks to which we are able to guarantee that the synthe-sized controlled system satisfies the functionality of its tasks even in the presence of processor failures. For this step, our workflow uses the Heptagon domain specific language and the Sigali DCS tool . The correct implementation of the resulting distributed system is a challenge, all the more since the controller itself must be tolerant to the processor failures. We achieve this step thanks to the libDGALS real-time library (1) to generate the glue code that will migrate the tasks upon processor failures, maintaining their internal state through migration, and (2) to make the synthesized controller itself fault-tolerant. We have demonstrated the feasibility of our work-flow on a multi-tasks multi-processor fault-tolerant distributed system.

With Orange Labs: software architecture for GlobalOS

ST Microelectronics: CIFRE contract for the PhD of Vagelis Bebelis. This work is described in Section .

The goal of the PiCoq project is to develop an environment for the formal verification of properties of distributed, component-based programs. The project's approach lies at the interface between two research areas: concurrency theory and proof assistants. Achieving this goal relies on three scientific advances, which the project intends to address:

Finding mathematical frameworks that ease modular reasoning about concurrent and distributed systems: due to their large size and complex interactions, distributed systems cannot be analysed in a global way. They have to be decomposed into modular components, whose individual behaviour can be understood.

Improving existing proof techniques for distributed/modular systems: while behavioural theories of first-order concurrent languages are well understood, this is not the case for higher-order ones. We also need to generalise well-known modular techniques that have been developed for first-order languages to facilitate formalisation in a proof assistant, where source code redundancies should be avoided.

Defining core calculi that both reflect concrete practice in distributed component programming and enjoy nice properties *w.r.t.* behavioural equivalences.

The project partners include Inria (Celtique and Spades teams), LIP (Plume team), and Université de Savoie. The project runs from November 2010 to October 2014.

The REVER project aims to develop semantically well-founded and composable abstractions for dependable distributed computing on the basis of a reversible programming model, where reversibility means the ability to undo any program execution and to revert it to a state consistent with the past execution. The critical assumption behind REVER is that by combining reversibility with notions of compensation and modularity, one can develop systematic and composable abstractions for dependable programming.

The REVER work program is articulated around three major objectives:

To investigate the semantics of reversible concurrent processes.

To study the combination of reversibility with notions of compensation, isolation and modularity in a concurrent and distributed setting.

To investigate how to support these features in a practical (typically, object-oriented and functional) programming language design.

The project partners are Inria (Focus and Spades teams), Université de Paris VII (PPS laboratory), and CEA (List laboratory). The project runs from December 2011 to November 2015.

Program: COST

Project acronym: IC1405

Project title: Reversible Computation

Duration: 2015-2019

Coordinator: I. Ulidowski (U. Leicester, UK)

Abstract: This recently launched COST Action aims to establisjh a research network of excellence on reversible commputation. Reversible computation is an emerging paradigm that extends the standard forward-only mode of computation with the ability to execute in reverse, so that computation can run backwards as naturally as it can go forwards. It aims to deliver novel computing devices and software. the potential benefits include the design of new reversible logic gates and circuits – leading to low-power computing –, and new conceptual frameworks, language abstractions and software tools for reliable and recovery-oriented distributed systems.

Title: RIgorous Programming of Predictable Embedded Systems

International Partner (Institution - Laboratory - Researcher):

University of California Berkeley (USA)

University of Auckland (New Zealand)

Duration: 2013 - 2015

See also: https://

The RIPPES associated teams gathers the SPADES team from Inria Grenoble Rhône-Alpes, the Ptolemy group from UC Berkeley (EECS Department), and the Embedded Systems Research group from U. Auckland (ECE Department). The planned research seeks to reconcile two contradictory objectives of embedded systems, more predictability and more adaptivity. We propose to address these issues by exploring two complementary research directions: (1) by starting from a classical concurrent C or Java programming language and enhancing it to provide more predictability, and (2) by starting from a very predictable model of computation (SDF) and enhancing it to provide more adaptivity.

University of Bologna, Department of Computer Science (Italy)

Topics: reversibility in concurrent languages

TU Braunschweig, (Germany)

Topics: typical worst-case schedulability analysis

April 2014: Eugene Yip (PhD student, U. Auckland) visited Inria Grenoble to work on the semantics of the ForeC PRET programming language (Rippes associated team).

April 2014: David Broman (Ass. Prof. KTH Stockholm and UC Berkeley) visited Inria Grenoble to attend the RePP'14 workshop and to work on PRET programming (Rippes associated team).

September 2014: Ismail Assayad (Ass. Prof. U. Casablanca) visited Inria Grenoble to work on multi-criteria optimization and scheduling for embedded system.

September 2014: Lilia Sfaxi (Ass. Prof. ENSI Tunis) and Imen Boudabous (PhD student, ENSI Tunis) visited Inria Grenoble to work on scheduling and energy optimization of data-flow applications on multi-core chips.

November and December 2014: Partha Roop (Senior Lecturer, U. Auckland) and Hugh Wang (PhD student, U. Auckland) visited Inria Grenoble to work on the ForeC PRET programming language (Rippes associated team).

Alain Girault visited UC Berkeley (USA) in February 2014 to work on the parametric dataflow model of computation and on PRET programming (Rippes associated team).

Sophie Quinton was PC co-chair and organizing committee member of the *First Workshop on Formal Methods for Timing Verification* (FMTV'14).

Alain Girault was PC co-chair and co-organizer
of the *Second Workshop on Reconciling
Performance with Predictability* (RePP'14), which
took place on March 5th 2014, in Grenoble, France.

Alain Girault was co-chair and co-organizer of
the *Workshop on Synchronous Programming*
(SYNCHRON'14), which took place in December 2014 in
Aussois, France.

Jean-Bernard Stefani is the current chair of the Steering Committee of the *IFIP FORTE* conference series,
and a member of the Stering Committee of the *DisCoTec* federated conference series.

Pascal Fradet served in the program committees of the
*13th International Conference on Modularity* (MODULARITY'14) and of *Journées
Francophones des Langages Applicatifs* (JFLA'14).

Gregor Goessler served in the program committees of the *17th International Symposium on Component-Based Software
Engineering* (CBSE'14) and *Design, Automation, and Test in
Europe* (DATE'14).

Sophie Quinton served in the program committees of the *26th Euromicro Conference on Real-Time Systems* (ECRTS'14), *34th IFIP International Conference on Formal Techniques for Distributed Objects, Components and Systems* (FORTE'14) and *12th IEEE International Symposium on Parallel and Distributed Processing with Applications* (ISPA'14) conferences as well as the *First International Workshop on Multi-Objective Many-Core Design* (MOMAC'14) and *2nd International Workshop on Mixed Criticality Systems* (WMC'14) workshops and the Work-in-Progress session of ECRTS'14.

Alain Girault served on the program committees of the
*International Conference on Design and Test in Europe*
(DATE'14), the *Design Automation Conference* (DAC'14), the
*International Symposium on Industrial Embedded Systems*
(SIES'14), and the *International Conference on Pervasive and
Embedded Computing and Communication Systems* (PECCS'14).

Gregor Goessler reviewed articles for CDC'14, POST'14, and TACAS'14.

Sophie Quinton reviewed an article for the *51th Design Automation Conference* (DAC'14).

Jean-Bernard Stefani is a member of the editorial board of Annals of Telecommunications.

Alain Girault is a member of the editorial board of the EURASIP Journal on Embedded Systems.

Jean-Bernard Stefani reviewed articles for *Theoretical Computer Science*.

Gregor Goessler reviewed articles for *Science of
Computer Programming* and *ACM Transactions on Embedded
Computing Systems*.

Sophie Quinton reviewed articles for *ACM Transactions on Embedded Computing*, *ACM Transactions on
Design Automation of Electronic Systems* and *Real-Time Systems*.

Alain Girault reviewed articles for *IEEE Trans. on
Parallel and Distributed Systems* and *ACM Trans. on Design
Automation of Electronic Systems*

PhD in progress: Vagelis Bebelis, “Boolean Parametric Data Flow. Modeling - Analyses -Implementation”, Grenoble University, since 12/2011, co-advised by Pascal Fradet and Alain Girault.

PhD in progress: Dmitry Burlyaev, “Specification and synthesis of fault-tolerant circuits”, Grenoble University, since 12/2011, co-advised by Pascal Fradet and Alain Girault.

PhD in progress: Yoann Geoffroy, “Towards a general causality analysis framework”, Grenoble University, since 10/2013, advised by Gregor Goessler.

Alain Girault was president of the PhD defense jury of Pranav Tendulkar (University Grenoble Alpes).

Alain Girault was president of the PhD defense jury of Christian von Essen (University Grenoble Alpes).

Alain Girault was referee for the computer science PhD thesis of Guillaume Aupy (ENS-Lyon).

Jean-Bernard Stefani was president of the jury for Bertrand Jeannet's HDR defense (University Grenoble Alpes).

Jean-Bernard Stefani was rapporteur for Helene Martorell's PhD defense (Toulouse University)