2023Activity reportProject-TeamCONVECS

6.1.1 CADP

• Name:
  Construction and Analysis of Distributed Processes
• Keywords:
  Formal methods, Verification
• Functional Description:

  CADP (Construction and Analysis of Distributed Processes – formerly known as CAESAR/ALDEBARAN Development Package) 4 is a toolbox for protocols and distributed systems engineering.

  In this toolbox, we develop and maintain the following tools:

  • CAESAR.ADT  25 is a compiler that translates LOTOS abstract data types into C types and C functions. The translation involves pattern-matching compiling techniques and automatic recognition of usual types (integers, enumerations, tuples, etc.), which are implemented optimally.
  • CAESAR  31, 30 is a compiler that translates LOTOS processes into either C code (for rapid prototyping and testing purposes) or finite graphs (for verification purposes). The translation is done using several intermediate steps, among which the construction of a Petri net extended with typed variables, data handling features, and atomic transitions.

  • OPEN/CAESAR  29 is a generic software environment for developing tools that explore graphs on the fly (for instance, simulation, verification, and test generation tools). Such tools can be developed independently of any particular high level language. In this respect, OPEN/CAESAR plays a central role in CADP by connecting language-oriented tools with model-oriented tools. OPEN/CAESAR consists of a set of 16 code libraries with their programming interfaces, such as:

    • CAESAR  GRAPH, which provides the programming interface for graph exploration,
    • CAESAR  HASH, which contains several hash functions,
    • CAESAR  SOLVE, which resolves Boolean equation systems on the fly,
    • CAESAR  STACK, which implements stacks for depth-first search exploration, and
    • CAESAR  TABLE, which handles tables of states, transitions, labels, etc.

    A number of on-the-fly analysis tools have been developed within the OPEN/CAESAR environment, among which:

    • BISIMULATOR, which checks bisimulation equivalences and preorders,
    • CUNCTATOR, which performs steady-state simulation of continuous-time Markov chains,
    • DETERMINATOR, which eliminates stochastic nondeterminism in normal, probabilistic, or stochastic systems,
    • DISTRIBUTOR, which generates the graph of reachable states using several machines,
    • EVALUATOR, which evaluates MCL formulas,
    • EXECUTOR, which performs random execution,
    • EXHIBITOR, which searches for execution sequences matching a given regular expression,
    • GENERATOR, which constructs the graph of reachable states,
    • PROJECTOR, which computes abstractions of communicating systems,
    • REDUCTOR, which constructs and minimizes the graph of reachable states modulo various equivalence relations,
    • SIMULATOR, XSIMULATOR, and OCIS, which enable interactive simulation, and
    • TERMINATOR, which searches for deadlock states.
  • BCG (Binary Coded Graphs) is both a file format for storing very large graphs on disk (using efficient compression techniques) and a software environment for handling this format. BCG also plays a key role in CADP as many tools rely on this format for their inputs/outputs. The BCG environment consists of various libraries with their programming interfaces, and of several tools, such as:
    • BCG  CMP, which compares two graphs,
    • BCG  DRAW, which builds a two-dimensional view of a graph,
    • BCG  EDIT, which allows the graph layout produced by BCG  DRAW to be modified interactively,
    • BCG  GRAPH, which generates various forms of practically useful graphs,
    • BCG  INFO, which displays various statistical information about a graph,
    • BCG  IO, which performs conversions between BCG and many other graph formats,
    • BCG  LABELS, which hides and/or renames (using regular expressions) the transition labels of a graph,
    • BCG  MIN, which minimizes a graph modulo strong or branching equivalences (and can also deal with probabilistic and stochastic systems),
    • BCG  STEADY, which performs steady-state numerical analysis of (extended) continuous-time Markov chains,
    • BCG  TRANSIENT, which performs transient numerical analysis of (extended) continuous-time Markov chains, and

    • XTL (eXecutable Temporal Language), which is a high level, functional language for programming exploration algorithms on BCG graphs. XTL provides primitives to handle states, transitions, labels, successor and predecessor functions, etc.

      For instance, one can define recursive functions on sets of states, which allow evaluation and diagnostic generation fixed point algorithms for usual temporal logics (such as HML  32, CTL 20, ACTL 21, etc.) to be defined in XTL.

  • PBG (Partitioned BCG Graph) is a file format implementing the theoretical concept of Partitioned LTS  28 and providing a unified access to a graph partitioned in fragments distributed over a set of remote machines, possibly located in different countries. The PBG format is supported by several tools, such as:
    • PBG  CP, PBG  MV, and PBG  RM, which facilitate standard operations (copying, moving, and removing) on PBG files, maintaining consistency during these operations,
    • PBG  MERGE (formerly known as BCG  MERGE), which transforms a distributed graph into a monolithic one represented in BCG format,
    • PBG  INFO, which displays various statistical information about a distributed graph.
  • The connection between explicit models (such as BCG graphs) and implicit models (explored on the fly) is ensured by OPEN/CAESAR-compliant compilers, e.g.:
    • BCG  OPEN, for models represented as BCG graphs,
    • CAESAR.OPEN, for models expressed as LOTOS descriptions,
    • EXP.OPEN, for models expressed as communicating automata,
    • FSP.OPEN, for models expressed as FSP  33 descriptions,
    • LNT.OPEN, for models expressed as LNT descriptions, and
    • SEQ.OPEN, for models represented as sets of execution traces.

  The CADP toolbox also includes TGV (Test Generation based on Verification), which has been developed by the VERIMAG laboratory (Grenoble) and Inria Rennes – Bretagne-Atlantique.

  The CADP tools are well-integrated and can be accessed easily using either the EUCALYPTUS graphical interface or the SVL  27 scripting language. Both EUCALYPTUS and SVL provide users with an easy and uniform access to the CADP tools by performing file format conversions automatically whenever needed and by supplying appropriate command-line options as the tools are invoked.

• URL:
  http://­cadp.­inria.­fr/
• Contact:
  Hubert Garavel
• Participants:
  Hubert Garavel, Frederic Lang, Radu Mateescu, Wendelin Serwe

6.1.2 TRAIAN

• Keywords:
  Compilation, LOTOS NT
• Functional Description:

  TRAIAN is a compiler for translating LOTOS NT descriptions into C programs, which will be used for simulation, rapid prototyping, verification, and testing.

  The current version of TRAIAN, which handles LOTOS NT types and functions only, has useful applications in compiler construction  26, being used in all recent compilers developed by CONVECS.

• URL:
  http://­convecs.­inria.­fr/­software/­traian/
• Contact:
  Hubert Garavel
• Participants:
  Hubert Garavel, Frederic Lang, Wendelin Serwe

7.1.1 LNT and LOTOS NT Specification Languages

Participants: Hubert Garavel, Frédéric Lang, Wendelin Serwe.

LNT 518 is a next-generation formal description language for asynchronous concurrent systems. The design of LNT at CONVECS is the continuation of the efforts undertaken in the 80s to define sound languages for concurrency theory and, indeed, LNT is derived from the ISO standards LOTOS (1989) and E-LOTOS (2001). In a nutshell, LNT attempts to combine the best features of imperative programming languages, functional languages, and value-passing process calculi.

LNT is not a frozen language: its definition started in 2005, as part of an industrial project. Since 2010, LNT has been systematically used by CONVECS for numerous case studies (many of which being industrial applications — see § 7.5). LNT is also used as a back-end by other research teams who implement various languages by translation to LNT. It is taught in university courses, e.g., at University Grenoble Alpes and ENSIMAG, where it is positively accepted by students and industry engineers. Based on the feedback acquired by CONVECS, LNT is continuously improved.

LOTOS NT is a language predecessor of LNT, equipped with the TRAIAN compiler, which is used for the construction of most CADP compilers and translators. Since TRAIAN 3.0, the lexer and parser of TRAIAN are built using the SYNTAX compiler-generation system developed at Inria Paris and the abstract syntax tree of LOTOS NT, the library of predefined LOTOS NT types and functions, the static semantics checking (identifier binding, type checking, dataflow analysis, etc.), and the C code generation are implemented in LOTOS NT itself, so that TRAIAN is capable of bootstrapping itself.

In 2023, our efforts led to the release of four new major versions of TRAIAN, which introduce various changes to the LOTOS NT language in order to further align it with LNT:

• TRAIAN 3.9 brings twelve language changes, mostly improving the readability of value expressions and patterns, and extending the predefined libraries with new operators, as well as ten static-semantics changes refining the dataflow analysis and extending the class of accepted constructs (record field manipulation, patterns, set notations). Four bugs were fixed.
• TRAIAN 3.10 brings seven language changes enhancing pragmas, “with” clauses, and patterns, as well as six library changes improving the implementation of basic types. Thirteen bugs were fixed.
• TRAIAN 3.11 brings three language changes improving value expressions and the “of” notation, as well as fourteen library changes enhancing basic, array, and set types. Seven bugs were fixed. This release achieves a complete convergence between LOTOS NT and LNT. Measured on a test suite of $13,600+$ correct LNT programs totalling more than 9 million non-blank lines of LNT code, TRAIAN 3.11 accepts 100% of them, both syntactically and semantically.
• TRAIAN 3.12 brings eight static-semantics changes refining synchronized events, parallel composition, "case" instructions, and record field manipulation, as well as seven library changes improving the list and set types. Twelve bugs were fixed.

Each version of TRAIAN includes various compiler and code-generation changes accomodating the newly introduced features. For each version, the “traian_upc” conversion tool was extended to ease the upgrade of existing LOTOS NT source code whenever possible, and the user manual of TRAIAN, as well as the demo examples, were constantly updated.

The LNT language has continued its evolution to become a better language and to achieve convergence with the LOTOS NT language supported by the TRAIAN compiler. A major step was achieved in 2023 when version 3.11 of TRAIAN (and later, version 3.12) was integrated in the CADP distribution. Such integration brings two major benefits for the users of LNT:

• TRAIAN provides a full-fledged, native compiler front-end for LNT. TRAIAN is stricter than LNT2LOTOS, as it detects errors that LNT2LOTOS cannot catch because of its “lightweight” translation approach. For instance, TRAIAN does complete type checking, whereas LNT2LOTOS does not check types, simply generating LOTOS code and deferring type-checking duties to the LOTOS compilers CAESAR.ADT and CAESAR.
• The error and warning messages emitted by TRAIAN are easier to understand, since they refer to the LNT source code, while many messages of LNT2LOTOS refer to the generated LOTOS code.

The integration of TRAIAN in CADP is done by the LNT.OPEN shell script, which (unless it is called with the new “-notraian” option) invokes TRAIAN before invoking LNT2LOTOS. LNT.OPEN no longer invokes LNT_CHECK as the warning messages of TRAIAN about incomplete “case” statements are more informative than those of LNT_CHECK. If TRAIAN detects a fatal error, then LNT.OPEN stops and does not invoke LNT2LOTOS.

In 2023, the LNT language has been subject to numerous changes, among which:

• The syntax of LNT patterns was restricted: it is no longer allowed to write two (or more) consecutive unary operators without using parentheses.
• The usage of “with” clauses for LNT types was enhanced and made clearer, by permitting “with” clauses defining equality and (lexicographic) order relations for all types, permitting “with INSERT” clauses only for set and list types, restricting “with CARD” clauses to set types only, and allowing “with =” clauses (in addition to “with ==”) for all LNT types.
• The LNT_V1 library of predefined LNT types has been enhanced by adding eighteen new functions and renaming five other ones to make them more intuitive.
• The LNT2LOTOS Reference Manual and the LNT tools have been updated to document and implement these changes. The editor style files for LNT and many CADP demos have been also updated. The “upc” shell script was extended to ease the migration of LNT programs. Fourteen bugs have been fixed in the LNT tools.

To increase its interoperability with TRAIAN, the LNT2LOTOS translator was enhanced as follows:

• The grammar used for the syntax analysis of LNT2LOTOS was modified to be aligned with that of TRAIAN.
• Sets were implemented more efficiently, the worst-case complexity of set equality becoming linear instead of quadratic.
• LNT2LOTOS now supports field-selection and field-update expressions with event parameters, “with FIRST” and “with LAST” clauses in cascade types, as well as “with PRED” and “with SUCC” clauses in ranges, enumerations, and cascade types.
• The handling of warnings was improved by refining the dataflow analysis of the “for” loops in LNT functions to produce additional warnings (similar to the ones emitted by TRAIAN), displaying more precise line numbers in warning messages, and by no longer emitting warnings redundant with those of TRAIAN when LNT2LOTOS is invoked after TRAIAN (i.e., with its new “-traian” option).

7.1.2 Nested-Unit Petri Nets

Participants: Pierre Bouvier, Hubert Garavel.

Nested-Unit Petri Nets (NUPNs) is a model of computation that can be seen as an upward-compatible extension of P/T nets, which are enriched with structural information on their concurrent and hierarchical structure. Such structural information can easily be produced when NUPNs are generated from higher-level specifications (e.g., process calculi) and allows logarithmic reductions in the number of bits required to represent reachable states, thus enabling verification tools to perform better. For this reason, NUPNs have been so far implemented in thirteen verification tools developed in four countries, and adopted by two international competitions (the Model Checking Contest and the Rigorous Examination of Reactive Systems challenge). The complete theory of NUPNs is formalized in a journal article 6 and their PNML representation is described here.

In 2023, we continued our work on NUPNs, focusing on their connections with other formal models of concurrent systems, such as communicating automata, ordinary Petri nets, and process algebras. We proposed decompositions of NUPNs into communicating automata, decompositions of ordinary (safe) Petri nets into hierarchical NUPNs, and a translation from NUPNs to LNT. These results are presented in P. Bouvier's PhD thesis 16.

7.1.3 Formal Modeling and Analysis of BPMN

Participants: Gwen Salaün [correspondent], Ahang Zuo.

Business Process Model and Notation (BPMN) is a workflow-based notation that has been published as an ISO standard and has become the main language for business process modeling. Resource allocation is a critical problem in business processes due to the simultaneous execution of tasks and resource sharing among them. The number of allocated resources affects both the execution cost and time of the process. In the context of runtime processes, a well-defined resource allocation strategy is essential for optimising waiting times and costs by mitigating delays and enhancing resource utilisation.

In 2023, in the context of the MOAP project (see § 9.5.1), in collaboration with Yliès Falcone (CORSE project-team), we improved our prior work  24, 23 and proposed a generic approach for dynamically adjusting resource allocation when executing BPMN processes. The BPMN process is monitored in real-time, and the execution traces produced during its multiple executions are analysed. These execution traces are used to compute various properties or metrics of interest, including resource usage and average execution time. The approach then relies on predictive analytics to compute the future values of the aforementioned metrics. Based on these predicted results, strategies for the dynamic allocation of resources are defined, which anticipate changes in resource usage and thus dynamically update the number of resources in advance. This approach is fully automated using a toolchain and has been validated with multiple examples. This work led to a paper submitted to an international conference.

7.1.4 SYNTAX Compiler Generator

Participants: Pierre Boullier, Hubert Garavel, Frédéric Lang, Wendelin Serwe.

SYNTAX is a compiler-generation tool that generates lexical analyzers (scanners) and syntactic analyzers for deterministic and nondeterministic context-free grammars. Developed since 1970, SYNTAX is probably the oldest software of INRIA that is still actively used and maintained. In particular, SYNTAX serves to produce the front-end part of TRAIAN and of most compilers of CADP.

Since the closing of the INRIA Gforge in 2021, the SYNTAX code is hosted on the RENATER SVN repository.

In 2023, the development of SYNTAX has been particularly active in the following directions:

• The overall architecture of SYNTAX evolved, with a division of its code into four parts: “trunk”, which gathers tools for deterministic grammars (i.e., computer languages); “extensions”, which gathers tools for nondeterministic grammars (i.e., natural languages); and “outdated”, which gathers tools that are not longer maintained. The latter part was divided into two sub-parts: “oldies”, which contains tools that could be still of interest, and “deleted”, which archives abandoned tools.
• Significant cleanup was done, with deletion of duplicated files and archiving of obsolete software components.
• The quality of SYNTAX code improved by removing all warnings emitted by recent versions of the GCC and CLANG compilers. Many useless type casts have also been removed. Redundant macro-definitions (SXBOOLEAN, SXEXIT, SXFALSE, SXSHORT, SXTRUE, SXVOID, etc.) have been eliminated.
• SYNTAX was ported to 64-bit Windows and to recent versions of macOS. Support for obsolete architectures (Sparc, 32-bit Solaris, 32-bit macOS, etc.) has been dropped.
• The build system for SYNTAX, which was a complex mixture of scripts, makefiles, autogenesis/hypergenesis, and autotools has been dismantled, and merged into a unique script "sxmake" that centralises all operations. All SYNTAX tools have been simplified accordingly. In particular, their local hierarchy (“incl”, “src”, and “spec” directories) has been flattened, but "boot" directories and skeleton files have been created to highlight places where bootstrapping occurs.
• The LECL tool has been enhanced by P. Boullier, who introduced the notion of “zombie” lexical tokens to suppress warnings about unused tokens.
• The TABC tool, the name of which created confusion with another tool named TABLES_C, was renamed to SEMC.
• The documentation has been carefully enhanced and updated. The SYNTAX distribution has been enriched with published papers, presentation slides, and many README files based on explanations provided by P. Boullier.
• A new SXML library was added by H. Garavel, which helps generating directly an XML or JSON output from an input file, without building an (explicit) abstract syntax tree. This library has a reduced memory footprint due to the use of circular lists.
• The demo examples of SYNTAX have been enhanced. A new demo “simproc” has been added, which uses the LNT language and the TRAIAN compiler to build and traverse the abstract syntax tree. Three rarely used SYNTAX tools (pplecl, pprecor, and pptdef) have been turned into demo examples.
• The “lustre” demo has been enhanced. The grammar has been revised, to be closer to the official LUSTRE grammar. An syntax tree in XML is now produced as output, using the SEMC tool and the SXML library.
• The “f77” demo has been largely rewritten in the framework of a new collaboration with the RMOD/EVREF project-team (Lille). P. Boullier adapted the FORTRAN 77 grammar to pass the 192 official NIST tests. The grammar was also modified to factorize duplicated definitions, and to support "DO" loops without labels and loops terminated with “END DO”. The lexer and parser were modified to retain the comments present in FORTRAN 77 programs. The FORTRAN 77 pretty-printer was updated and made functional. On this basis, the RMOD/EVREF team started extending the grammar to generate an abstract tree in JSON, using the SEMC tool and the SXML library.
• H. Garavel, F. Lang, and W. Serwe gave various presentations of SYNTAX at ENS Ulm (Paris, France), LIG Grenoble, Saarland University (Germany), and Aix-les-Bains (France).

7.2.1 Verification of Emergent Properties in Multi-agent Systems

Participants: Frédéric Lang.

Multi-agent systems are collections of autonomous components that interact with each other and with their shared environment. These systems may display collective properties that arise from the interplay between agents. Reasoning about these properties turns out to be hard, due to the very large state space that these systems usually exhibit. Therefore, automatic procedures to formally guarantee the emergence of such properties may prove helpful in the design of reliable artificial multi-agent systems.

In collaboration with Luca Di Stefano (Chalmers University, Sweden), we adapted the existing translation procedure from LAbS  37 to LNT, so that agents are now represented by networks of parallel LNT processes, enabling the application of compositional verification. We combined compositional verification with a static value analysis to prune the state space of individual agents and demonstrated the effectiveness of our approach by verifying a collection of representative systems. In 2023, this work led to a publication in an international conference 12.

7.3.1 Quantitative Analysis of BPMN Processes

Participants: Gwen Salaün [correspondent], Quentin Nivon, Ahang Zuo.

Business process optimisation is a strategic activity in organisations because of its potential to increase profit margins and reduce operational costs. We consider business processes described using an extension of BPMN with quantitative aspects for modelling execution times and resources associated with tasks. A process is not executed once but multiple times, and multiple concurrent executions of a process compete for using the shared resources. In this context, it is particularly difficult to ensure correctness and efficiency of the multiple executions of a process.

In 2023, we followed two different research directions for analyzing quantitatively business processes:

• We considered process refactoring, a specific technique used for process optimisation, and we proposed a refactoring approach whose goal is to reduce the total execution time of a process and optimize the usage of the shared resources. This approach works by entirely refactoring the BPMN process in one step. First, a new version of the process is generated, which is as parallel as possible, while respecting the dependencies between tasks and gateways. Then, the resource usage of this process is computed. If some resources are overused, some tasks are put back in sequence to avoid possible delays involved by merge gateways. Finally, this optimised process is returned to the user. This process refactoring technique is fully automated by a tool that we implemented and applied on several examples for validation purposes. This work led to a publication in an international conference 14.
• In the context of the MOAP project (see § 9.5.1), in collaboration with Yliès Falcone (CORSE project-team), we improved our prior work  24, which relied on probabilistic model checking to automatically verify that multiple executions of a process respect some specific probabilistic property. This approach applies at runtime, thus the evaluation of the property is periodically carried out and the corresponding results updated. However, we go beyond runtime probabilistic analysis for BPMN, since we propose runtime enforcement techniques to keep executing the process while avoiding the violation of the property. We achieve this by monitoring techniques, computation of probabilistic models, probabilistic model checking, and runtime enforcement techniques. The approach has been implemented as a toolchain and its effectiveness has been validated on several realistic BPMN processes. This work led to a paper accepted for publication in an international conference.

7.4.1 Compositional Verification

Participants: Frédéric Lang.

The CADP toolbox contains various tools dedicated to compositional verification, among which EXP.OPEN, BCG_MIN, BCG_CMP, and SVL play a central role. EXP.OPEN explores on the fly the graph corresponding to a network of communicating automata (represented as a set of BCG files). BCG_MIN and BCG_CMP respectively minimize and compare behavior graphs modulo strong or branching bisimulation and their stochastic extensions. SVL (Script Verification Language) is both a high-level language for expressing complex verification scenarios and a compiler dedicated to this language.

In 2023, in addition to a bug fix for the macOS version of SVL, five enhancements have been brought: SVL now produces shorter log files that better take into account user interrupts and run-time errors; the error and warning messages issued by SVL have been aligned on those of other CADP compilers and now provide line numbers; better error or warning messages are emitted when reduction fails for some probabilistic or stochastic equivalence, and when both variables $DEFAULT_LOTOS_FILE and $DEFAULT_PROCESS_FILE are undefined; SVL only retries reduction using a stronger equivalence relation when this is possibly fruitful.

The BCG_MIN tool was improved so as to remove those transitions that became unreachable after applying probabilistic or stochastic equivalences (e.g., due to maximal progress).

In collaboration with Luca Di Stefano (Chalmers University, Sweden), we extended sharp bisimulation to the framework of systems with priorities (with an application to multi-agent systems). This work led to a publication in an international journal 10.

7.4.2 On-the-fly Resolution of Boolean Equation Systems

Participants: Hubert Garavel, Radu Mateescu.

OPEN/CAESAR is an extensible, modular, language-independent software framework for exploring implicit graphs (i.e., defined by their post function, which enumerates the transitions going out of each vertex). This key component of CADP is used to build simulation, execution, verification, and test generation tools.

CAESAR_SOLVE_1 is a generic software library, based on OPEN/CAESAR, for solving Boolean Equation Systems (BESs) of alternation depth 1 (i.e., without mutual recursion between minimal and maximal fixed point equations) on the fly. This library is at the core of several CADP verification tools, namely the equivalence checker BISIMULATOR, the minimization tool REDUCTOR, and the model checker EVALUATOR. The resolution method is based on Boolean graphs, which provide an intuitive representation of dependencies between Boolean variables, and which are handled implicitly, in a way similar to the OPEN/CAESAR interface  29.

In 2023, a data base of $10,500$+ BESs has been prepared, on which the CAESAR_SOLVE_1 library and the BES_SOLVE tool have been tested systematically. This effort led to six bug fixes: the “unique” and “mode N” pragmas contained in BES files were ignored; the “-parallel” option of BES_SOLVE could fail if a non-writable BES_SOLVE binary was already present on some remote machine; the resolution algorithm A8 could stop with a “memory shortage” error; the resolution algorithm A9 could halt with a segmentation fault; the resolution algorithms A8, A10, and A11 could generate incorrect diagnostics. Also, the memory used for resolution was reduced by a factor between 10% and 50% by better dimensioning the internal table that stores Boolean variables.

7.4.3 Runtime Enforcement for Adaptive Industrial Control Systems

Participants: Irman Faqrizal, Gwen Salaün [correspondent].

Adaptive industrial control systems can reliably adapt to specific requirements with minimal effort. IEC 61499 is a promising standard that allows downtimeless system evolution such that an application can be modified at runtime to satisfy the requirements. However, an IEC 61499 application consisting of multiple Function Blocks (FBs) can be modified in many different ways, such as inserting or deleting FBs, creating new FBs with their respective internal behaviours, and adjusting the connections between FBs. These changes require considerable effort and cost, and there is no guarantee to satisfy the requirements.

In 2023, in the framework of the D-IIoT project (see § 9.5.2), in collaboration with Yliès Falcone (CORSE project-team), we applied runtime enforcement techniques to support adaptive IEC 61499 applications. This set of techniques can modify the runtime behaviour of a system according to specific requirements. Our approach begins with specifying the requirements as a state machine-based notation called contract automaton. This contract automaton is then used to synthesise an enforcer as an FB. Finally, the new FB is integrated into the application to execute according to the requirements. A tool support has been developed to automate the approach. In addition, experiments were performed to evaluate the performance of enforcers by measuring the execution time of several applications before and after the integration of enforcers. This work led to a paper submitted to an international journal.

7.4.4 Other Component Developments

Participants: Hubert Garavel, Frédéric Lang, Radu Mateescu, Wendelin Serwe.

In 2023, in addition to seven bug fixes in CAESAR (invoked with its “-graph” option), EUCALYPTUS, EVALUATOR 4 and 5 (on Solaris architecture only), EXP.OPEN (on large composition expressions containing priority operators), MCL_EXPAND (when invoking EVALUATOR 5 with its “-acyclic” option on probabilistic formulas), and XTL (when manipulating label fields of type String), various enhancements have been brought to the following CADP tools:

• The BCG monitor was made much faster when generating labelled transition systems containing many different labels.
• BCG_MIN (unless when called with “-class” option) now removes, before undertaking probabilistic or stochastic minimization, all states and transitions that are unreachable due to the “maximal progress” assumption.
• XTL no longer emits warnings on Linux when evaluating an XTL program on a BCG file containing no transitions.
• The two functions ADT_GCD_NAT() and ADT_SCM_NAT() of the natural number library now use faster algorithms that are less prone to numeric overflow.
• In CADP, better file compression is now achieved using “gzip” instead of “compress”.
• The memory efficiency of demo 16 was enhanced by adding a “!card” type pragma. The LOTOS code of demos 23 and 25 was shortened, without loss of functionality, by 42% (from 2090 down to 1208 non-blank lines) and 27% (from 767 down to 560 non-blank lines), respectively. Also, demos 23, 24, and 25 have been translated from LOTOS to LNT, still preserving strong bisimilarity.

The evolutions of operating systems and C compilers dictated many changes in the CADP infrastructure, among which:

• Update of shell scripts to use modern PostScript viewers (e.g., Atril and Evince) and to avoid warnings emitted by recent versions of GNU grep.
• Update of shell scripts and documentation to support Solaris 11 and recent versions of Oracle's C compiler; with these changes, CADP properly runs on Solaris 11.4.
• Updates of scripts, include files, and documentation to avoid warnings emitted by the recent versions of Clang and to support macOS 14 “Sonoma”, Xcode version 14.3, and recent versions of XQuartz.
• Complete port of CADP to 64-bit Windows, with an upgrade of TCL/TK/TIX to their latest versions and subsequent adaptation of the CADP graphical tools (XSIMULATOR, OCIS); progressive migration from 32-bit to 64-bit Windows executables, the latter eventually replacing the former since they are faster; support of Windows 11 and the most recent versions of Cygwin.

7.5.1 Autonomous Car

Participants: Jean-Baptiste Horel, Philippe Ledent, Radu Mateescu [correspondent], Lucie Muller, Wendelin Serwe.

A common practice to evaluate autonomous vehicles is simulation, which requires to specify realistic scenarios, in particular critical ones, occurring rarely and potentially dangerous to reproduce on the road. Such scenarios may be either generated randomly, or specified manually. Randomly generating scenarios is easy, but their relevance might be difficult to assess. Manually specified scenarios can focus on a given feature, but their design might be difficult and time-consuming, especially to achieve satisfactory coverage.

In the framework of the ArchitectECA2030 (see § 9.3.2) and PRISSMA (see § 9.4.1) projects and in collaboration with Lina Marsso (University of Toronto, Canada), Christian Laugier, Anshul Paigwar, and Alessandro Renzaglia (CHROMA project-team), we proposed an automatic approach to generate a large number of relevant critical scenarios for autonomous driving simulators. The approach relies on the generation of behavioral conformance tests using the TESTOR tool  34, from an LNT model (specifying the ground truth configuration with the range of vehicle behaviors) and a test purpose (specifying the critical feature under analysis). The obtained test cases (which cover all possible executions exercising a given feature) are automatically translated into the inputs of autonomous driving simulators.

In 2023, we extended this approach with a statistical analysis to assess the collision-risk estimation of a perception component. We applied the approach to analyze more complex scenarios, with a non-linear behavior of vehicle and obstacles (varying speeds and curved trajectories), in order to evaluate the output of the perception component in more realistic situations. These results have been published in Lucie Muller's PhD thesis  36 and in an international journal 11.

7.5.2 Manufacturing Application

Participants: Irman Faqrizal, Gwen Salaün [correspondent].

The ever-increasing complexity of industrial control systems generates a demand for reliable development methods. IEC 61499, a recent industrial standard, helps to develop complex distributed systems based on their positive characteristics, namely reusability, reconfigurability, interoperability, and portability. Formal verification techniques, such as model checking, have been proposed to ensure the correctness of these systems during the design time. However, they do not consider the presence of the environment that can impact the application behaviour at runtime.

In 2023, in collaboration with Tatiana Liakh, Valeriy Vyatkin, and Midhun Xavier (Lulea University of Technology, Sweden), we applied probabilistic model checking on an IEC 61499-based manufacturing application. We devised several probabilistic properties to be checked. The results were visualised graphically to be analyzed, which allows one to optimise the system's quantitative features, such as productivity. This work led to a paper accepted for publication in an international conference.

8.2.1 ST Microelectronics

Participants: Philippe Ledent, Radu Mateescu [correspondent], Wendelin Serwe.

Ph. Ledent is supported by a CIFRE PhD grant (from October 2020 to September 2023) from ST Microelectronics (Grenoble) on the formal validation of security requirements for Systems-on-Chip, under the supervision of Hajer Ferjani (ST Microelectronics), Radu Mateescu (CONVECS), and Wendelin Serwe (CONVECS).

9.1.1 Other international collaborations

In 2023, we had scientific relations with several universities and institutes abroad, including:

• University of Málaga, Spain (Francisco Durán),
• Saarland University, Germany (Holger Hermanns),
• University of Urbino, Italy (Marco Bernardo),
• University of Toronto, Canada (Lina Marsso),
• Lulea University of Technology, Sweden (Tatiana Liakh, Valeriy Vyatkin, and Midhun Xavier),
• Chalmers University, Sweden (Luca Di Stefano).

9.2.1 Visits of international scientists

• Lina Marsso (University of Toronto, Canada) visited our team on May 9, 2023. She gave a talk entitled “Early Verification of Legal Compliance via Bounded Satisfiability Checking”.
• Marco Bernardo (University of Urbino, Italy) visited our team on August 24–25, 2023. He gave on August 25, 2023 a talk entitled “A Process Algebraic Theory of Reversible Systems” on August 25, 2023.

9.2.2 Visits to international teams

9.3.1 Horizon Europe

9.3.2 H2020 projects

9.3.3 Other european programs/initiatives

The CONVECS project-team is member of the FMICS (Formal Methods for Industrial Critical Systems) working group of ERCIM. H. Garavel and R. Mateescu are members of the FMICS board, H. Garavel being in charge of dissemination actions.

9.4.1 Fonds pour l'innovation et l'industrie

9.4.2 Other national collaborations

We had sustained scientific relations with the following researchers:

• Nicolas Amat and Silvano Dal Zilio (LAAS-CNRS, Toulouse),
• Pierre Boullier (formerly ALPAGE project-team, Paris),
• Stéphane Ducasse, Nicolas Anquetil, and Larisa Safina (RMOD/EVREF project-team, Lille).

9.5.1 Pack ambition recherche région Auvergne-Rhône-Alpes

9.5.2 Persyval Labex

10.1.1 Scientific events: organisation

10.1.2 Scientific events: selection

10.1.3 Journal

10.1.4 Software Dissemination and Internet Visibility

The CONVECS project-team distributes several software tools, among which the CADP toolbox.

In 2023, the main facts are the following:

• We prepared and distributed twelve successive versions (2023-a to 2023-l) of CADP.
• We granted CADP licenses for 145 different computers in the world.

The CONVECS Web site was updated with scientific contents, announcements, publications, etc.

By the end of December 2023, the CADP forum, opened in 2007 for discussions regarding the CADP toolbox, had over 481 registered users and over 1975 messages had been exchanged.<br>

Other teams used the CADP toolbox for various case studies:

• Vulnerability identification of operational technology protocols  17
• Using process algebra for validating UML statecharts  22
• Verification of circuits for systolic array parallel computation  19

10.1.5 Invited talks

• H. Garavel and F. Lang participated to the scientific workshop ProgLang@Inria (ENS Ulm, Paris, January 8-9, 2023). H. Garavel gave a talk entitled “Introduction au système SYNTAX pour la génération de compilateurs et de traducteurs”. F. Lang gave a talk entitled “Construction de compilateurs en utilisant SYNTAX et LNT”.
• H. Garavel and W. Serwe participated to the workshop organized by the MFML (Méthodes Formelles, Modèles et Langages) axis of the LIG laboratory (Grenoble) on May 11, 2023. H. Garavel gave a talk entitled “Introduction au système SYNTAX pour la génération de compilateurs et de traducteurs”. W. Serwe gave a talk entitled “Compiler Construction using SYNTAX and LNT”.
• H. Garavel participated in Open Problems in Concurrency Theory OPCT (Bertinoro, Italy) on June 26–30, 2023. On June 26, 2023, he gave a lecture entitled “What Was Wrong with Process Calculi – and How To Recover?”.
• H. Garavel visited the DEPEND group led by Holger Hermanns (Saarland University, Germany) from August 28 to September 1, 2023. On August 31, 2023, he gave a lecture entitled “A Simple Approach for Building Compiler Front-ends”.
• G. Salaün participated to the VELVET days workshop organized by the GDR GPL (Nantes) on December 13-14, 2023. On December 14, 2023, he gave a talk entitled “Automated Verification of TOSCA Workflows”.

10.1.6 Scientific expertise

• G. Salaün was president of the CES25 evaluation committee of ANR, domain Sciences et Technologies Logicielles - Réseaux, Infrastructures, Calcul Haute Performance.
• G. Salaün was member of the expert committee for the HCERES evaluation of the laboratory FEMTO-ST (Franche-Comté Électronique, Mécanique, Thermique et Optique – Sciences et Technologies, UMR CNRS 6174) held on January 17–19, 2023.

10.1.7 Research administration

• Until July 2023, F. Lang was chair of the “Commission du développement technologique”, which is in charge of selecting R&D projects for Inria Grenoble, and giving an advice on the recruitment of temporary engineers. W. Serwe succeeded him on this date.
• R. Mateescu is the scientific correspondent of the International Partnerships for Inria Grenoble.
• R. Mateescu is a member of the “Comité d'Orientation Scientifique” for Inria Grenoble. In 2021, he also participated to the recruitment jury for CRCN (Chargé de Recherche de Classe Normale) and ISFP (Inria Starting Faculty Positions) at Inria Grenoble.
• R. Mateescu is representative of Inria Grenoble at the International Relations and Outreach of Université Grenoble Alpes (UGA).
• R. Mateescu is member of the council of the Mathematics, Information and Communication Sciences (MSTIC) research department of UGA.
• G. Salaün is the director of the MSTIC research department of UGA since September 2023.
• G. Salaün is the head of the Métiers du Multimédia et de l'Internet (MMI) department at IUT1/UGA.
• G. Salaün is a member of the administration council of the IUT1/UGA.
• G. Salaün is a member of the Scientific Committee of the PCS (Pervasive Computing Systems) action of the PERSYVAL Labex.
• G. Salaün is a member of the council of the LIG laboratory.
• W. Serwe is a member of the “Comité de Centre” at Inria Grenoble.

10.2.1 Teaching

CONVECS is a host team for the computer science master MOSIG (Master of Science in Informatics at Grenoble), common to Grenoble INP and UGA.

In 2023, we carried out the following teaching activities:

• I. Faqrizal gave courses on “Introduction to Node.js” (32 hours “équivalent TD”) to L3 students of IUT1/UGA.
• H. Garavel gave lectures on “Probabilistic Models, Stochastic Models, and Static/Dynamic Fault Trees” (12 hours “équivalent TD” as part of a course on “System Design: Real-Time, Stochastic, and Analog/Digital” to second year students of the MOSIG.
• H. Garavel was a jury member for the MOSIG master defenses (June and September 2023).
• F. Lang gave a course on “Formal Software Development Methods” (7.5 hours “équivalent TD”) in the framework of the “Software Engineering” lecture given to first year students of the MOSIG.
• F. Lang gave a course on “Programming Languages, Compilers, and Semantics” (27 hours “équivalent TD”) to first year students of the MOSIG and of the Master 1 Informatique.
• F. Lang and R. Mateescu gave a lecture on “Modeling and Analysis of Concurrent Systems: Models and Languages for Model Checking” (27 hours “équivalent TD”) to third year students of ENSIMAG and second year students of the MOSIG.
• Q. Nivon participated on lectures on “Management of Relational Data and Applications” (39 hours “équivalent TD”) to L2 students of UGA and on “Semantics of Programming Languages and Compilation” (30 hours “équivalent TD”) to students of the Master 1 Informatique of UGA.
• G. Salaün taught about 240 hours of classes (algorithmics, Web development, object-oriented programming) at the MMI department of IUT1/UGA. He is also headmaster of the “Services Mobiles et Interface Nomade” (SMIN) professional licence (third year of university) at IUT1/UGA, and co-headmaster of the “alternance” (apprenticeship) at the MMI department.
• W. Serwe supervised a group of six teams in the context of the “projet Génie Logiciel” (55 hours “équivalent TD”, consisting in 13.5 hours of lectures, plus supervision and evaluation), ENSIMAG, January 2023.
• A. Zuo gave courses on “Data Extraction” (21 hours “équivalent TD”) to L3 (License Pro) students of IUT2/UGA and on “Basics of software development: modularisation and testing” (67 hours “équivalent TD”) to L2 students of UGA.

10.2.2 Supervision

• PhD: P. Bouvier, “Systèmes concurrents hiérarchiques :équivalence, analyse et structuration”, Université Grenoble Alpes, defended on October 12, 2023, H. Garavel and R. Mateescu
• PhD: L. Muller, “Modélisation formelle et validation pour des véhicules automatisés”, Université Grenoble Alpes, defended on December 15, 2023, R. Mateescu and W. Serwe
• PhD in progress: I. Faqrizal, “Monitoring and Deployment of IIoT Applications”, Université Grenoble Alpes, since October 2021, G. Salaün and Yliès Falcone
• PhD in progress: J-B. Horel, “Validation des composants de perception basés sur l'IA dans les véhicules autonomes”, Université Grenoble Alpes, since April 2021, R. Mateescu, Alessandro Renzaglia, and Christian Laugier
• PhD in progress: P. Ledent, “Formal Validation of Security Requirements for a System-on-Chip Architecture”, Université Grenoble Alpes, since October 2020, R. Mateescu, W. Serwe, and Hajer Ferjani
• PhD in progress: Q. Nivon, “Analyse, optimisation et debugging de processus BPMN”, Université Grenoble Alpes, since October 2022, G. Salaün
• PhD in progress: Choukri Soueidi, “Instrumentation expressive et correcte de programmes distribués et vérification à l’exécution”, Université Grenoble Alpes, since October 2020, G. Salaün and Y. Falcone
• PhD in progress: A. Zuo, “Modelling, Optimization and Predictive Analysis of Business Processes”, Université Grenoble Alpes, since October 2020, G. Salaün and Y. Falcone

10.2.3 Juries

• G. Salaün was jury president for Léo Gourdin's PhD thesis, entitled “Validation formelle de transformations intra-procédurales par simulation symbolique défensive”, defended at UGA on December 12, 2023.
• G. Salaün was jury president for Asfand Yar's PhD thesis, entitled “An xDSL-Based Framework for Validation of Railway Models: Application to ERTMS/ETCS and EULYNX”, defended at UGA on December 19, 2023.
• G. Salaün was jury president for Diego Diaz's PhD thesis, entitled “Process Performance Indicators Variability integrated to Customizable Process Models”, defended at UGA on December 20, 2023.
• G. Salaün was jury member for Rabéa Ameur-Boulifa's Habilitation thesis, entitled “Contributions to the Design of Safe Complex Systems”, defended at Université Côte d'Azur on January 27, 2023.

International journals

• 9 articleN.Nicolas Amat, P.Pierre Bouvier and H.Hubert Garavel. A Toolchain to Compute Concurrent Places of Petri Nets.LNCS Transactions on Petri Nets and Other Models of Concurrency14150November 2023, 1-26HALDOI
• 10 articleL.Luca Di Stefano and F.Frédéric Lang. Compositional verification of priority systems using sharp bisimulation.Formal Methods in System DesignMay 2023HALDOIback to text
• 11 articleJ.-B.Jean-Baptiste Horel, P.Philippe Ledent, L.Lina Marsso, L.Lucie Muller, C.Christian Laugier, R.Radu Mateescu, A.Anshul Paigwar, A.Alessandro Renzaglia and W.Wendelin Serwe. Verifying Collision Risk Estimation using Autonomous Driving Scenarios Derived from a Formal Model.Journal of Intelligent and Robotic Systems1074April 2023, 1-45HALDOIback to text

International peer-reviewed conferences

• 12 inproceedingsL.Luca Di Stefano and F.Frederic Lang. Compositional Verification of Stigmergic Collective Systems.VMCAI 2023 - 24th International Conference on Verification, Model Checking , and Abstract InterpretationBoston, United StatesJanuary 2023, 1-22HALback to text
• 13 inproceedingsJ.-B.Jean-Baptiste Horel, R.Robin Baruffa, L.Lukas Rummelhard, A.Alessandro Renzaglia and C.Christian Laugier. A Navigation-Based Evaluation Metric for Probabilistic Occupancy Grids: Pathfinding Cost Mean Squared Error.IEEE International Conference on Intelligent Transportation SystemsITCS 2023 - 26th IEEE International Conference on Intelligent Transportation SystemsBilbao, Spain, SpainIEEE2023, 1-6HAL
• 14 inproceedingsQ.Quentin Nivon and G.Gwen Salaün. Refactoring of Multi-instance BPMN Processes with Time and Resources.Lecture Notes in Computer ScienceSEFM 2023 - International Conference on Software Engineering and Formal Methods14323Lecture Notes in Computer ScienceEindhoven, NetherlandsSpringer Nature SwitzerlandOctober 2023, 226-245HALDOIback to text

Edition (books, proceedings, special issue of a journal)

• 15 periodicalEditorial for FACS 2021 special section (SoSyM).Software and Systems Modeling222February 2023, 471-472HALDOI

Doctoral dissertations and habilitation theses

• 16 thesisP.Pierre Bouvier. Hierarchical concurrent systems : equivalence, analysis and structuring.Université Grenoble Alpes [2020-....]October 2023HALback to text