5.1.1 CADP

• Name:
  Construction and Analysis of Distributed Processes
• Keywords:
  Formal methods, Verification
• Functional Description:

  CADP (Construction and Analysis of Distributed Processes – formerly known as CAESAR/ALDEBARAN Development Package) 4 is a toolbox for protocols and distributed systems engineering.

  In this toolbox, we develop and maintain the following tools:

  • CAESAR.ADT  30 is a compiler that translates LOTOS abstract data types into C types and C functions. The translation involves pattern-matching compiling techniques and automatic recognition of usual types (integers, enumerations, tuples, etc.), which are implemented optimally.
  • CAESAR  36, 35 is a compiler that translates LOTOS processes into either C code (for rapid prototyping and testing purposes) or finite graphs (for verification purposes). The translation is done using several intermediate steps, among which the construction of a Petri net extended with typed variables, data handling features, and atomic transitions.

  • OPEN/CAESAR  34 is a generic software environment for developing tools that explore graphs on the fly (for instance, simulation, verification, and test generation tools). Such tools can be developed independently of any particular high level language. In this respect, OPEN/CAESAR plays a central role in CADP by connecting language-oriented tools with model-oriented tools. OPEN/CAESAR consists of a set of 16 code libraries with their programming interfaces, such as:

    Toggle sub-subsection view
    • CAESAR  GRAPH, which provides the programming interface for graph exploration,
    • CAESAR  HASH, which contains several hash functions,
    • CAESAR  SOLVE, which resolves Boolean equation systems on the fly,
    • CAESAR  STACK, which implements stacks for depth-first search exploration, and
    • CAESAR  TABLE, which handles tables of states, transitions, labels, etc.

    A number of on-the-fly analysis tools have been developed within the OPEN/CAESAR environment, among which:

    • BISIMULATOR, which checks bisimulation equivalences and preorders,
    • CUNCTATOR, which performs steady-state simulation of continuous-time Markov chains,
    • DETERMINATOR, which eliminates stochastic nondeterminism in normal, probabilistic, or stochastic systems,
    • DISTRIBUTOR, which generates the graph of reachable states using several machines,
    • EVALUATOR, which evaluates MCL formulas,
    • EXECUTOR, which performs random execution,
    • EXHIBITOR, which searches for execution sequences matching a given regular expression,
    • GENERATOR, which constructs the graph of reachable states,
    • PROJECTOR, which computes abstractions of communicating systems,
    • REDUCTOR, which constructs and minimizes the graph of reachable states modulo various equivalence relations,
    • SIMULATOR, XSIMULATOR, and OCIS, which enable interactive simulation, and
    • TERMINATOR, which searches for deadlock states.
  • BCG (Binary Coded Graphs) is both a file format for storing very large graphs on disk (using efficient compression techniques) and a software environment for handling this format. BCG also plays a key role in CADP as many tools rely on this format for their inputs/outputs. The BCG environment consists of various libraries with their programming interfaces, and of several tools, such as:Toggle sub-subsection view
    • BCG  CMP, which compares two graphs,
    • BCG  DRAW, which builds a two-dimensional view of a graph,
    • BCG  EDIT, which allows the graph layout produced by BCG  DRAW to be modified interactively,
    • BCG  GRAPH, which generates various forms of practically useful graphs,
    • BCG  INFO, which displays various statistical information about a graph,
    • BCG  IO, which performs conversions between BCG and many other graph formats,
    • BCG  LABELS, which hides and/or renames (using regular expressions) the transition labels of a graph,
    • BCG  MIN, which minimizes a graph modulo strong or branching equivalences (and can also deal with probabilistic and stochastic systems),
    • BCG  STEADY, which performs steady-state numerical analysis of (extended) continuous-time Markov chains,
    • BCG  TRANSIENT, which performs transient numerical analysis of (extended) continuous-time Markov chains, and

    • XTL (eXecutable Temporal Language), which is a high level, functional language for programming exploration algorithms on BCG graphs. XTL provides primitives to handle states, transitions, labels, successor and predecessor functions, etc.

      For instance, one can define recursive functions on sets of states, which allow evaluation and diagnostic generation fixed point algorithms for usual temporal logics (such as HML  37, CTL 27, ACTL 28, etc.) to be defined in XTL.

  • PBG (Partitioned BCG Graph) is a file format implementing the theoretical concept of Partitioned LTS  33 and providing a unified access to a graph partitioned in fragments distributed over a set of remote machines, possibly located in different countries. The PBG format is supported by several tools, such as:Toggle sub-subsection view
    • PBG  CP, PBG  MV, and PBG  RM, which facilitate standard operations (copying, moving, and removing) on PBG files, maintaining consistency during these operations,
    • PBG  MERGE (formerly known as BCG  MERGE), which transforms a distributed graph into a monolithic one represented in BCG format,
    • PBG  INFO, which displays various statistical information about a distributed graph.
  • The connection between explicit models (such as BCG graphs) and implicit models (explored on the fly) is ensured by OPEN/CAESAR-compliant compilers, e.g.:Toggle sub-subsection view
    • BCG  OPEN, for models represented as BCG graphs,
    • CAESAR.OPEN, for models expressed as LOTOS descriptions,
    • EXP.OPEN, for models expressed as communicating automata,
    • FSP.OPEN, for models expressed as FSP  41 descriptions,
    • LNT.OPEN, for models expressed as LNT descriptions, and
    • SEQ.OPEN, for models represented as sets of execution traces.

  The CADP toolbox also includes TGV (Test Generation based on Verification), which has been developed by the VERIMAG laboratory (Grenoble) and Inria Rennes – Bretagne-Atlantique.

  The CADP tools are well-integrated and can be accessed easily using either the EUCALYPTUS graphical interface or the SVL  32 scripting language. Both EUCALYPTUS and SVL provide users with an easy and uniform access to the CADP tools by performing file format conversions automatically whenever needed and by supplying appropriate command-line options as the tools are invoked.

• URL:
  http://­cadp.­inria.­fr/
• Contact:
  Hubert Garavel
• Participants:
  Hubert Garavel, Frederic Lang, Radu Mateescu, Wendelin Serwe

5.1.2 TRAIAN

• Keywords:
  Compilation, LOTOS NT
• Functional Description:

  TRAIAN is a compiler for translating LOTOS NT descriptions into C programs, which will be used for simulation, rapid prototyping, verification, and testing.

  The current version of TRAIAN, which handles LOTOS NT types and functions only, has useful applications in compiler construction  31, being used in all recent compilers developed by CONVECS.

• URL:
  http://­convecs.­inria.­fr/­software/­traian/
• Contact:
  Hubert Garavel
• Participants:
  Hubert Garavel, Frederic Lang, Wendelin Serwe

6.1.1 LNT and LOTOS NT Specification Languages

Participants: Hubert Garavel, Frédéric Lang, Wendelin Serwe.

LNT 526 is a next-generation formal description language for asynchronous concurrent systems. The design of LNT at CONVECS is the continuation of the efforts undertaken in the 80s to define sound languages for concurrency theory and, indeed, LNT is derived from the ISO standards LOTOS (1989) and E-LOTOS (2001). In a nutshell, LNT attempts to combine the best features of imperative programming languages, functional languages, and value-passing process calculi.

LNT is not a frozen language: its definition started in 2005, as part of an industrial project. Since 2010, LNT has been systematically used by CONVECS for numerous case studies (many of which being industrial applications — see § 6.5). LNT is also used as a back-end by other research teams who implement various languages by translation to LNT. It is taught in university courses, e.g., at University Grenoble Alpes and ENSIMAG, where it is positively accepted by students and industry engineers. Based on the feedback acquired by CONVECS, LNT is continuously improved.

LOTOS NT is a language predecessor of LNT, equipped with the TRAIAN compiler, which is used for the construction of most CADP compilers and translators. Since TRAIAN 3.0, the lexer and parser of TRAIAN are built using the SYNTAX compiler-generation system developed at Inria Paris and the abstract syntax tree of LOTOS NT, the library of predefined LOTOS NT types and functions, the static semantics checking (identifier binding, type checking, dataflow analysis, etc.), and the C code generation are implemented in LOTOS NT itself, so that TRAIAN is capable of bootstrapping itself.

In 2024, our efforts led to the release of four new major versions of TRAIAN, which introduce various changes to the LOTOS NT language in order to further align it with LNT:

• TRAIAN 3.13 brings a new syntax for the "select" and "trap" constructs, as well as enhancements to static analysis and code generation.
• TRAIAN 3.14 focuses on static analysis and increased convergence with LNT2LOTOS, as the semantic checks of LNT2LOTOS are progressively migrated to TRAIAN.
• TRAIAN 3.15 pursues the progressive migration to TRAIAN of the semantic checks formerly done by LNT2LOTOS. Following a systematic review and comparison with the checks implemented in LNT2LOTOS, the error and warning messages displayed by TRAIAN are now more complete and informative.
• TRAIAN 3.16 is a consolidation release that completes the migration to TRAIAN of all static semantic checks formerly implemented in LNT2LOTOS. This release also introduces the concept of virtual processes that enable generic modules parameterized by processes.

Each version of TRAIAN includes various compiler and code-generation changes accomodating the newly introduced features. For each version, the “traian_upc” conversion tool was extended to ease the upgrade of existing LOTOS NT source code whenever possible, and the user manual of TRAIAN, as well as the demo examples, were constantly updated.

The LNT language continued its evolution to become a better language and to achieve convergence between LNT and the LOTOS NT language supported by the TRAIAN compiler. In 2024, the LNT2LOTOS and TRAIAN compilers have been progressively aligned with each other, leading to changes in the definition of LNT:

• The “select” keyword was renamed to “alt” (as a tribute to Tony Hoare).
• LNT2LOTOS was enhanced to support “library” directives for including LNT files, definitions of synonym types, clauses “with nil” and “with cons” in lists and sets, clauses “with diff” and “with minus” in sorted lists and sets, virtual processes (i.e., imported processes that are neither defined in the current module, nor in its transitively included modules).
• Patterns of the form “P where V” can now appear everywhere a pattern is accepted, and LNT2LOTOS implements a large subset of them.
• A predefined channel EXIT was introduced for LNT events that model exceptions, in particular for the UNEXPECTED event, and channel definitions with the “raise” attribute are now supported by LNT2LOTOS.
• The ambiguity of expressions of the form “X [Y]” is now resolved using semantic information (either X is an array and Y an index, or X is a function and Y an event).

The tighter compatibility between TRAIAN and LNT2LOTOS, and the fact that TRAIAN is now systematically invoked before LNT2LOTOS, enabled simplifications and code factorization between the various tools for LNT:

• Many messages formerly emitted by LNT2LOTOS have been changed (165 error messages and 23 warning messages also emitted by TRAIAN have been suppressed, and 18 error messages now display as “limitations”, to indicate that the corresponding problems are due to advanced features that LNT2LOTOS does not handle yet). The removal of these static-semantics checks reduced by $10\%$ the number of lines of code in LNT2LOTOS, making it noticeably faster on correct LNT programs.
• The LNT_CHECK and LNT_DEPEND auxiliary tools were removed from CADP, being now subsumed by TRAIAN. Also the LPP preprocessor was suppressed, since the translation to LOTOS of LNT constants (natural numbers, reals, characters, and strings) is now done by LNT2LOTOS instead of LPP. Consequently, the “-lnt” option of LOTOS.OPEN, the “-pidlist” and “-notraian” options of LNT.OPEN, and the “-depend”, “-pidlist”, and “-traian” options of LNT2LOTOS have been removed. These changes significantly improved the speed of the LNT tool chain, the time needed by LNT.OPEN to compile $13,500+$ correct LNT programs being reduced from 25 hours down to 11 hours 40 minutes.

Twelve bugs have been fixed in the various tools for LNT. New verifications and better error messages have been added to LNT_MERGE and LNT.OPEN. The following algorithmic enhancements have been brought to LNT2LOTOS:

• The algorithm for inlining simple functions in the generated LOTOS code was revised, dividing by 15 the execution time of LNT2LOTOS on certain large examples.
• LNT2LOTOS no longer generates dead LOTOS code when translating “B1; B2” if it detects that all the execution paths in B1 lead to deadlocks, infinite loops, breaks of an enclosing loop, or raises of events that are not trapped.
• LNT2LOTOS no longer generates extra LOTOS code for checking that each event properly matches its channel (as this check is done by TRAIAN), and now generates modified C code to avoid raising the GCC 12 warnings about infinite recursion.

The LNT2LOTOS Reference Manual, the LNT tools, the EUCALYPTUS user interface, the editor style files for LNT, the CADP manual pages, many CADP demos, and the web sites for CADP and TRAIAN have been updated to implement and document the changes described above. In particular, a manual page for TRAIAN was added to CADP and there is now one single entry point gathering all information available about LNT. The “upc” shell script was extended to ease the migration of LNT programs.

6.1.2 Nested-Unit Petri Nets

Participants: Hubert Garavel.

Nested-Unit Petri Nets (NUPNs) is a model of computation that can be seen as an upward-compatible extension of P/T nets, which are enriched with structural information on their concurrent and hierarchical structure. Such structural information can easily be produced when NUPNs are generated from higher-level specifications (e.g., process calculi) and allows logarithmic reductions in the number of bits required to represent reachable states, thus enabling verification tools to perform better. For this reason, NUPNs have been so far implemented in thirteen verification tools developed in four countries, and adopted by two international competitions (the Model Checking Contest and the Rigorous Examination of Reactive Systems challenge). The complete theory of NUPNs is formalized in a journal article 6 and their PNML representation is described here.

In 2024, in collaboration with Pierre Bouvier (Kalray), we proposed efficient techniques for detecting isomorphism between nets, i.e., for identifying, in large collections of (safe) Petri nets or NUPNs, all the nets that are identical modulo a permutation of places, a permutation of transitions, and/or a permutation of units. Our approach relies upon the successive application of diverse algorithms of increasing complexities: net signatures, net canonizations, and characterization of isomorphic nets in terms of isomorphic graphs. We implemented this approach in a complete tool chain that we successfully assessed on four collections, the largest of which comprises $241,000+$ nets with many duplicates. This work led to a publication in an international conference 12.

6.1.3 Formal Modeling and Analysis of BPMN

Participants: Quentin Nivon, Gwen Salaün [correspondent].

Modelling and designing business processes has become a crucial activity for companies in the last 20 years. As a consequence, multiple workflow modelling notations were proposed. BPMN (Business Process Modelling Notation) is one of them and is now considered as the de facto standard for process modelling.

The BPMN notation offers a rich syntax that requires a certain level of expertise before being able to write correct and well-structured processes corresponding to some expected requirements. The BPMN modelling phase can thus be tedious and error-prone if carried out by non-experts. The main goal of the approach presented in this paper is to help users modelling BPMN processes. To do so, the approach takes as input the requirements of the user in a textual format informally describing the tasks and their ordering constraints, and generates as output a BPMN process satisfying them. This work led to a publication in an international conference 22.

6.1.4 SYNTAX Compiler Generator

Participants: Pierre Boullier, Hubert Garavel [correspondent], Frédéric Lang, Wendelin Serwe.

SYNTAX is a compiler-generation tool that generates lexical analyzers (scanners) and syntactic analyzers (parsers) for deterministic and nondeterministic context-free grammars. Developed since 1970, SYNTAX is probably the oldest software of INRIA that is still actively used and maintained. In particular, SYNTAX serves to produce the front-end part of TRAIAN and of most compilers of CADP.

Since the closing of the INRIA Gforge in 2021, the SYNTAX code is hosted on the RENATER SVN repository.

In 2024, the development of SYNTAX has been particularly active, with nearly 900 commits. Significant progress was made following three directions.

6.2.1 Automated Repair of Violated Eventually Properties in Concurrent Programs

Participants: Irman Faqrizal, Quentin Nivon, Gwen Salaün [correspondent].

Model checking automatically verifies that a model, e.g., a Labelled Transition System (LTS), obtained from higher-level specification languages, satisfies a given temporal property. When the model violates the property, the model checker returns a counterexample, but this counterexample does not precisely identify the source of the bug. Moreover, manually correcting the given specification or model can be a painful and complicated task. To alleviate this task, we propose some techniques for computing patches that can correct an erroneous specification violating an eventually property. These techniques first extract from the whole behavioural model the part which does not satisfy the given property. In a second step, this erroneous part is analysed using several algorithms in order to compute the minimal number of patches in the specification so as to make it satisfy the given property. This work led to a publication in an international conference 16.

6.3.1 Quantitative Analysis of BPMN Processes

Participants: Quentin Nivon, Gwen Salaün [correspondent], Ahang Zuo.

Business process optimisation is a strategic activity in organisations because of its potential to increase profit margins and reduce operational costs. We consider business processes described using an extension of BPMN with quantitative aspects for modelling execution times and resources associated with tasks. A process is not executed once but multiple times, and multiple concurrent executions of a process compete for using the shared resources. In this context, it is particularly difficult to ensure correctness and efficiency of the multiple executions of a process.

In 2024, we followed two different research directions for analyzing quantitatively business processes:

• We continued our work on process refactoring, a specific technique used for process optimisation, and we proposed a refactoring approach whose goal is to reduce the total execution time of a process. We considered BPMN processes enriched with time and resources, and executed multiple times. The proposed optimisation method consists in restructuring the processes by changing the position of their tasks. The goal of this restructuring is to limit the overuse of the resources and consequently reduce the execution time of the processes. To avoid generating unsuitable processes, the designer is involved in the restructuring phase, as s/he validates each restructuring step. This work led to a publication in an international conference 23.
• In the context of the MOAP project (see § 8.5.1), in collaboration with Yliès Falcone (CORSE project-team), we addressed resource allocation, which is a critical problem in business processes due to the simultaneous execution of tasks and resource sharing among them. The number of allocated resources affects both the execution cost and time of the process. In the context of runtime processes, a well-defined resource allocation strategy is essential for optimising waiting times and costs by mitigating delays and enhancing resource utilisation. We proposed a novel approach to dynamically adjust resource allocation during the execution of BPMN processes. The BPMN process is monitored in real-time, and the execution traces produced during its multiple executions are analysed. These execution traces are used to compute various properties or metrics of interest, including resource usage and average execution time. The approach then relies on predictive analytics to compute the future values of the aforementioned metrics. Based on these predicted results, strategies for the dynamic allocation of resources are defined, which anticipate changes in resource usage and thus dynamically update the number of resources in advance. This approach was fully automated using a toolchain and has been validated with multiple examples. This work led to a publication in an international conference 13. A detailed account of the work carried out on the quantitative analysis of BPMN processes in the framework of MOAP is available in Ahang Zuo's PhD thesis  47.

6.4.1 Probabilistic Runtime Enforcement of Executable BPMN Processes

Participants: Gwen Salaün [correspondent], Ahang Zuo.

A business process is a collection of structured tasks corresponding to a service or a product. Business processes do not execute once and for all, but are executed multiple times, resulting in multiple instances. In this context, it is particularly difficult to ensure correctness and efficiency of the multiple executions of a process.

In 2024, in the framework of the MOAP project (see § 8.5.1), in collaboration with Yliès Falcone (CORSE project-team), we propose to rely on Probabilistic Model Checking (PMC) to automatically verify that multiple executions of a process respect some specific probabilistic property. This approach applies at runtime, thus the evaluation of the property is periodically verified and the corresponding results updated. However, we go beyond runtime PMC for BPMN, since we propose runtime enforcement techniques to keep executing the process while avoiding the violation of the property. To do so, our approach combines monitoring techniques, computation of probabilistic models, PMC, and runtime enforcement techniques. The approach has been implemented as a toolchain and has been validated on several realistic BPMN processes. This work led to a publication in an international conference 14.

6.4.2 Other Component Developments

Participants: Hubert Garavel, Frédéric Lang, Radu Mateescu, Abdelilah Mejdoubi, Wendelin Serwe.

In 2024, in addition to various bug fixes in BCG_STEADY and BCG_TRANSIENT (generation of throughput files), in XTL (compiler and “radius.xtl” library), in FSP2LOTOS and CAESAR.INDENT, in EXP.OPEN (the “-network” option), and in SVL (expansion of “leaf” and “root leaf” reduction operators), various enhancements have been brought to the following CADP tools:

• The “-diag” option of BCG_CMP now invokes BISIMULATOR to produce much smaller diagnostics, whose generation is controlled by two new options “-bfs” and “-dfs”.
• BCG_STEADY and BCG_TRANSIENT were enhanced to check that, in their “parameter=value” options, all “parameter” names are pairwise distinct, and to produce throughput files with columns sorted alphabetically, easier to exploit. CUNCTATOR received two new options “-thr” and “-append”, which produce an output compatible with BCG_STEADY.
• The BCG MONITOR graphical interface was deeply revised, by making its window more compact, adding two new menus “File” and “View”, extending the “Edit” menu with font zooming features, adding keyboard shortcuts, and saving user settings automatically for reuse at future executions.
• The XTL language was extended with “replace” functions for the predefined type “action” and for any external XTL type defined in C, which are useful in “for” loops to update the values of accumulator variables. The predefined libraries of MCL and XTL were moved into separate directories, and the EVALUATOR 3 model checker was progressively replaced by EVALUATOR 4.
• A new option “-depth N” was added to the GENERATOR tool so as to generate an LTS fragment containing all states at distance N from the initial state.
• The SVL language was enhanced to support “condensed” priority behaviours, to control the generation of diagnostics by passing “bfs” or “dfs” options to BCG_CMP, to handle the smart reduction heuristic more efficiently, to emit clearer error messages for missing file extensions, and to make SVL scripts more concise by providing a new predefined function SVL_ECHO.
• Two new demo examples were added, namely demo 10 (collection of parallel algorithms for mutual exclusion on shared-memory machines) and demo 15 (Erlangen mainframe). The demo 40 example (Web services for stock management and on-line book auction) was translated to LNT, and several other demos were enhanced by simplifying their SVL scripts, complying with the recent checks of TRAIAN, and enriching them with related publications.

The evolutions of operating systems and C compilers dictated many changes in the CADP infrastructure, among which:

• The “mac64” version of CADP was ported to macOS 15 “Sequoia” and Xcode version 16.1. The “win64” version of CADP for Windows/Cygwin was subject to minor corrections, and the “x64” version of CADP for Windows/WSL2 (which had stopped working due to changes in WSL2 and/or the various Linux applications of the Microsoft Store) was repaired.
• Style files for Visual Studio Code have been added for various languages and file formats supported by CADP. The style files for the Sublime Text editor and EMACS have been enhanced and updated to reflect the latest changes of the LNT, MCL, and SVL languages.
• A long-term work was undertaken to upgrade the source code of CADP so that it compiles without warning using C24, the latest revision of the C language. As of April 2024, $15\%$ of the CADP programs and code libraries had been upgraded.

6.5.1 Autonomous Car

Participants: Wei Chen, Jean-Baptiste Horel, Radu Mateescu [correspondent], Wendelin Serwe, Aline Uwimbabazi.

Devising scenarios for testing autonomous vehicles (AV) is still a challenging task that requires a tradeoff between cost and achieved coverage of the considered operational design domain. Often scenarios are derived from accident statistics and real traffic datasets. Expertise knowledge for the tasks of selecting the scenarios for testing and/or simulation is highly required. This task is carried out mostly manually, and would benefit from a precise method to assess scenario relevance and compare scenarios.

In the framework of the PRISSMA project (see § 8.4.2) and in collaboration with Lina Marsso (University of Toronto, Canada), Christian Laugier, and Alessandro Renzaglia (CHROMA project-team), we proposed an automatic approach to generate a large number of relevant critical scenarios for autonomous driving simulators. The approach relies on the generation of behavioral conformance tests using the TESTOR tool  43, from an LNT model (specifying the ground truth configuration with the range of vehicle behaviors) and a test purpose (specifying the critical feature under analysis). The obtained test cases (which cover all possible executions exercising a given feature) are automatically translated into the inputs of autonomous driving simulators.

In 2024, in the framework of the A-IQ Ready project (see § 8.3.1), we continued this line of work along two directions:

• In collaboration with Anne Spalanzani (CHROMA project-team), we undertook the formal modeling of an AV in its environment to assist test scenario assessment and selection. We started the development of an LNT model of the interactions between an AV and groups of pedestrians in shared spaces, following the agent-based approach proposed in  45. The pedestrian behavior is defined by several parameters capturing the physical, perceptive, and decision-making characteristics. We considered three key contexts: individual pedestrians, social groups, and interactions with AVs. This LNT model will serve as basis for generating various interaction scenarios using CADP to ensure a comprehensive coverage of pedestrian-AV interactions.
• We also used probabilistic model checking to assess the driving scenarios relevance and determine the critical ones. We considered several scenarios inspired by recent French traffic accident statistics studies, from which we selected five major scenarios, three of which involving an interaction with vehicles, and the other two involving an interaction with a pedestrian (visible and occluded). We formally modeled in LNT each driving scenario, comprising the road scenery, the behaviour of dynamic obstacles (other vehicles, pedestrians, etc.), and constraints on the behaviour of the AV (e.g., the traversal of the scene). We computed the probabilities of user-defined event sequences (e.g., a successful arrival, a collision with an obstacle, duration, perception, near misses, etc.) capturing a variety of situations. This provides a quantitative way of comparing driving scenarios, assessing their criticality, and suggesting how to improve their relevance for testing AVs.

6.5.2 Job-Shop Scheduling

Participants: Wendelin Serwe [correspondent], Aline Uwimbabazi.

The job-shop scheduling problem is a well-known NP-hard scheduling problem, where a set of jobs (consisting of a sequence of tasks) have to be executed on a set of machines, each task specifying its duration and the required machine.

In 2024, in the framework of the A-IQ Ready project (see § 8.3.1), we considered the Job-Shop Scheduling Problem to compute schedules for autonomous robots. We aimed at studying whether the state-space exploration algorithms of CADP can be used to compute optimal schedules. We have experimented several encodings of the problem in the LNT language.

Our models are based on the heuristics approach to execute the tasks as soon as possible, i.e., if a machine $m$ is free and there is some job searching to execute a task $t$ on $m$, then $t$ is immediately assigned to $m$. The main objective of our research work was to develop efficient models that can perform better by providing better solutions (than those found in some benchmark instances and the ones found by using reinforcement learning), where the execution of all jobs can be completed as fast as possible, while still considering assumptions such as, respecting the order of tasks for execution in each job, assigning each operation to one and only one of its eligible machines (no interruption of an operation is allowed once it is started), and allowing each machine to perform at most one task at a time. Our models can be used to study the Job-Shop Scheduling Problem because we were able to generate the complete Labelled Transition System (LTS) of a given instance, which allowed us to find all possible solutions.

6.5.3 IEEE 1394 Link Layer

Participants: Hubert Garavel.

IEEE 1394 (also called “FireWire”) is an interface standard that specifies a serial bus architecture for high-speed communications. It can connect up to 63 peripherals in a tree or daisy-chain topology, and can perform both asynchronous and isochronous transfers simultaneously. It was developed between 1987 and 1995 by a large consortium gathering Apple, Panasonic, Philips, Sony, and many others contributors. This work resulted in an IEEE standard, followed by integration in many industrial products (in particular, Apple products until 2016).

In the framework of the COST-247 action, a pan-European academic collaboration that took place between 1994 and 1997, the asynchronous mode of the link layer protocol of IEEE 1394 was selected as an interesting case study for formal methods. At CWI Amsterdam, Bas Luttik developed a formal model in the $\mu$CRL language and stated five correctness properties that the protocol should satisfy. At INRIA Grenoble, Mihaela Sighireanu translated this model to LOTOS and, using the XTL model checker with the help of R. Mateescu, discovered that the deadlock-freeness property did not hold, i.e., that the protocol could enter a deadlock state after a specific sequence of 50 transitions  46.

In 2024, in collaboration with Bas Luttik (Eindhoven University of Technology, The Netherlands), we revisited this case study to present, along with the original $\mu$CRL model, three companion models: a model written in mCRL2 by Jan Friso Groote, a recent revision of the LOTOS model developed by M. Sighireanu, and a novel model written in LNT, which is now available as the CADP demo 23. This work led to a publication in an international workshop 18.

6.5.4 Erlangen Mainframe

Participants: Hubert Garavel.

The Erlangen mainframe was a multiprocessor computer for processing jobs of different priorities and subject to hardware failures. The formal modelling and quantitative analysis of the Erlangen mainframe was proposed in 1994 as a challenging problem by Ulrich Herzog and Vassilis Merksiotakis (IMMD-7 team, Erlangen University).

Using the stochastic process algebra TIPP, a formal model of this mainframe was specified, which makes intensive use of parallel composition, multiway synchronisation between two or more concurrent processes, and compound transitions combining synchronised actions with rates of Continuous-Time Markov Chains. From this formal model, probabilistic results about availability, performability, and proper dimensioning of the mainframe were obtained  39, 38 using the TIPP software tools, which are no longer maintained.

In 2024, in collaboration with Holger Hermanns (Saarland University, Germany) and Dave Parker (University of Oxford, United Kingdom), we developed two novel formal models for the Erlangen mainframe, one in the automata-based language PRISM, and another one in LNT. Using three different tools, namely PRISM, Storm, and CADP, we performed all numerical experiments and successfully reproduced the same figures as in the original publications. The fact that three different tools developed independently give identical results on the same model suggest that these tools could be used in combination to support safety/security certification of critical systems. This work led to an international publication 24.

6.5.5 Manufacturing Application

Participants: Irman Faqrizal, Gwen Salaün [correspondent].

The ever-increasing complexity of industrial automation systems generates a demand for reliable development methods. IEC 61499 is a recent standard devoted to the development of industrial automation systems by promoting reusability, reconfigurability, interoperability, and portability.

In 2024, in the framework of the D-IIoT project (see § 8.5.2), we contributed to the formal modeling and analysis of IEC 61499 automation systems along two directions:

• Formal verification techniques, such as model checking, are useful to ensure the correctness of IEC 61499 applications at design time. However, they do not consider the impact of the environment on the application behaviour at runtime. In collaboration with Tatiana Liakh, Midhun Xavier, and Valeriy Vyatkin (Lulea University of Technology, Sweden), we combined design time and runtime analyses to apply probabilistic model checking on an IEC-61499-based manufacturing application. We proposed several probabilistic properties to be checked, and visualise the results graphically for analysis purposes, making possible to optimise the system’s quantitative features, such as productivity. This work led to a publication in an international conference 15.
• During their life cycle, industrial automation systems need to evolve according to requirements, and modifying the applications to satisfy these requirements can be complex and error-prone. In collaboration with Yliès Falcone (CORSE project-team), we proposed techniques to guide the evolution of IEC 61499 applications. Given an initial application and the evolution requirements, we generate guidelines for modifying the application to satisfy the requirements. The application is first translated into a behavioural model describing all possible sequences of events the application can trigger. We then apply algorithms to extract relevant submodels of the application and modify them according to the requirements. Finally, the submodels are analysed to generate guidelines for modifying the application. These guidelines can bridge the gap between the requirements and the target application. Instead of only considering the requirements when exploring possible modifications, the developers can use the guidelines to make necessary changes to the application. A mixing tank system is used as a running example to illustrate the approach. In addition, a prototype to automate the evolution techniques is developed. This work led to a publication in an international conference 17 and a publication in an international journal 11.

A detailed account of the work carried out on industrial automation systems in the framework of D-IIoT is available in Irman Faqrizal's PhD thesis  29.

6.5.6 Systems-on-Chip

Participants: Philippe Ledent, Radu Mateescu [correspondent], Wendelin Serwe.

SoC (System-on-Chip) architectures, which are widely used in smartphones and IoT devices, integrate a complete computing system on a single chip. The complexity of SoCs, together with their potential use in critical applications, call for thorough verification; however, the current industrial practice is still mainly based on hardware simulators using directed tests and/or execution-time assertions. A major challenge in SoC verification is to devise meaningful system-level tests involving many components of the SoC.

PSS (Portable test and Stimulus Standard), defined by the Accellera consortium of hardware design tool vendors and users, provides a language to specify both a verification intent (e.g., a sequence of actions) and an implicit description of the SoC’s behavior (as a collection of ordering constraints on the actions). PSS also defines a methodology to derive from a verification intent, by automatic inference of (intermediate) actions, complete tests to be executed on the actual SoC.

In 2024, we sought to improve the testing methodologies for SoCs along two directions:

• Since PSS emphasizes the verification intent and limits the modeling of the SoC’s behavior to a set of constraints, the actually modeled behavior becomes difficult to grasp. Also, PSS promotes the derivation of complete tests using a backward exploration of the verification intent that favors shortest-path solutions, possibly missing interesting and more complex tests. To improve the PSS testing methodology, we suggested to formally express the behavior of a PSS model as a composition of communicating LTSs, obtained by an automated translation from PSS to the LNT and EXP languages of CADP. This makes possible to formally verify temporal logic properties of the model and thus increase the confidence in the model and the generated tests. Also, applying conformance testing techniques with coverage guarantees  42 enables to improve the coverage of the generated tests. This work led to a publication in an international conference 20.
• Hardware attacks consist in forcing a SoC to perform operations in order to access functionalities or information that should normally not be available. A critical security requirement is resource isolation, which forbids applications (or programs) running on a same SoC to access data not intended for them. Even though there is still no generally accepted technique to generate appropriate tests, it became clear that tests should be generated at the system level. We illustrated the modeling aspects in test generation for resource isolation, namely modeling the behavior and expressing the intended test scenario. We studied both aspects using the industrial standard PSS and an academic approach based on conformance testing. This work led to a publication in an international conference 21.

A detailed account of the work carried out on formal modeling and analysis of SoCs is available in Ph. Ledent's PhD thesis  40.

7.1.1 Euris

Participants: Suraj Gupta, Frédéric Lang, Gwen Salaün [correspondent].

S. Gupta is supported by a CIFRE grant (from February 2024 to January 2027) from Euris (Paris) on the formal modeling and analysis of blockchain protocols in the health domain, under the supervision of Gwen Salaün, Frédéric Lang, and Umar Ozeer (Euris).

8.2.1 Visits of international scientists

• Holger Hermanns (Saarland University, Germany) visited our team on October 17–18, 2024.

8.2.2 Visits to international teams

8.2.3 Other international collaborations

In 2024, we had scientific relations with several universities and institutes abroad, including:

• Technical University of Eindhoven, The Netherlands (Bas Luttik, Jan Friso Groote),
• University of Málaga, Spain (Francisco Durán),
• University of Oxford, United Kingdom (Dave Parker),
• Saarland University, Germany (Holger Hermanns),
• University of Toronto, Canada (Lina Marsso).

8.3.1 Horizon Europe

8.3.2 Other european programs/initiatives

The CONVECS project-team is member of the FMICS (Formal Methods for Industrial Critical Systems) working group of ERCIM. H. Garavel and R. Mateescu are members of the FMICS board, H. Garavel being in charge of dissemination actions.

8.4.1 PEPR Cloud

The cloud has become an essential ingredient of IT systems. Its model, initially based on large data centers, has evolved towards “edge computing” or “digital continuum”, developing secure, interoperable hybrid clouds to process large volumes of data quickly and efficiently. This change is crucial for future applications such as smart cities or autonomous vehicles. However, cloud software needs to be rethought to adapt to the diversity of operators, multiple access points, user and resource mobility, while addressing the challenges of security and energy consumption control.

The PEPR Cloud is a research program promoted by the French government as part of the France 2030 “Cloud” strategy to develop secure and frugal Cloud technologies. PEPR Cloud aims to advance Cloud technologies and facilitate the transfer of innovations and solutions from research to industry. PEPR Cloud started in April 2024 for seven years. CONVECS is involved in two projects of PEPR Cloud, described below.

8.4.2 Fonds pour l'innovation et l'industrie

8.4.3 Other national collaborations

We had sustained scientific relations with the following researchers:

• César Fuguet (MADMAX project-team),
• Mario Cortes Cornax, Akram Idani, Lucie Muller, and Germán Vega (VASCO team, LIG),
• Nicolas Anquetil, Stéphane Ducasse, and Larisa Safina (EVREF project-team, Lille).

8.5.1 Region Auvergne-Rhône-Alpes

Participants: Gwen Salaün [correspondent], Ahang Zuo.

MOAP is a project funded by the Auvergne-Rhône-Alpes region within the Pack Ambition Recherche programme. The project involves the project-teams CONVECS and CORSE, and the SOITEC company. MOAP aims at providing modelling and automated analysis techniques for enabling companies to master the complexity of their internal processes and for optimizing those processes with the final goal of improving the quality and productivity of their businesses.

MOAP started in October 2020 for five years. The main contributions of CONVECS to MOAP are the formal modeling and automated verification of BPMN processes.

8.5.2 Persyval Labex

Participants: Irman Faqrizal, Gwen Salaün [correspondent].

D-IIoT is a project funded by the Persyval Labex via the ANR (“Agence Nationale de la Recherche”). The project involves research teams of three local laboratories (CEA, LIG, VERIMAG). D-IIoT aims at studying and proposing new techniques to support the execution of long-running and evolving IIoT (Industrial IoT) applications with dependability guarantees (e.g., security, correctness).

D-IIoT started in October 2021 for three years. The main contributions of CONVECS to D-IIoT are the formal modeling, verification and reconfiguration of IIoT applications.

9.1.1 Scientific events: organisation

9.1.2 Scientific events: selection

9.1.3 Journal

9.1.4 Software Dissemination and Internet Visibility

The CONVECS project-team distributes several software tools, including the CADP toolbox.

In 2024, the main facts are the following:

• We prepared and distributed twelve successive versions (2024-a to 2024-l) of CADP.
• We granted CADP licenses for 378 different computers in the world.

The CONVECS Web site was updated with scientific contents, announcements, publications, etc.

By the end of December 2024, the CADP forum, opened in 2007 for discussions regarding the CADP toolbox, had over 482 registered users and over 1987 messages had been exchanged.

Also, for the 2024 edition of the Model Checking Contest, we provided 4 families of models (totalling 84 Nested-Unit Petri Nets) derived from our LNT models.

9.1.5 Invited talks

• Ph. Ledent gave a talk entitled “Enhancing SoC Architecture Verification” at the “Café Tech Pizza” event organized at Grenoble INP on September 19, 2024.
• Ph. Ledent and Q. Nivon participated to the workshop organized by the MFML (Méthodes Formelles, Modèles et Langages) axis of the LIG laboratory (Grenoble) on May 29, 2024. Ph. Ledent gave a talk entitled “Testing Resource Isolation for System-on-Chip Architectures”. Q. Nivon gave a talk entitled “From Textual Requirements to BPMN”.
• G. Salaün gave a talk entitled “Automated Verification of Textual Process Descriptions” at the Colloquium of the Formal System Analysis research group at the Eindhoven University of Technology (The Netherlands) on November 5, 2024.

9.1.6 Research administration

• R. Mateescu is the scientific correspondent of the International Partnerships for Inria Grenoble.
• R. Mateescu is a member of the “Comité d'Orientation Scientifique” for Inria Grenoble.
• R. Mateescu is representative of Inria Grenoble at the International Relations and Outreach of Université Grenoble Alpes (UGA).
• R. Mateescu was a member of the council of the Mathematics, Information and Communication Sciences (MSTIC) research department of UGA until November 2024.
• G. Salaün is the director of the MSTIC research department of UGA.
• G. Salaün was the head of the Métiers du Multimédia et de l'Internet (MMI) department at IUT1/UGA until August 31, 2024.
• W. Serwe is the chair of the “Commission du développement technologique”, which is in charge of selecting R&D projects for Inria Grenoble, and giving an advice on the recruitment of temporary engineers.
• W. Serwe is a member of the “Comité de Centre” at Inria Grenoble.

9.2.1 Teaching

CONVECS is a host team for the computer science master MOSIG (Master of Science in Informatics at Grenoble), common to Grenoble INP and UGA.

In 2024, we carried out the following teaching activities:

• F. Lang gave a course on “Formal Software Development Methods” (7.5 hours “équivalent TD”) in the framework of the “Software Engineering” lecture given to first year students of the MOSIG.
• F. Lang gave a course on “Programming Languages, Compilers, and Semantics” (27 hours “équivalent TD”) to first year students of the MOSIG and of the Master 1 Informatique.
• F. Lang and R. Mateescu gave a lecture on “Modeling and Analysis of Concurrent Systems: Models and Languages for Model Checking” (27 hours “équivalent TD”) to third year students of ENSIMAG.
• F. Lang gave a course on “Modeling and Analysis of Asynchronous Concurrent Systems” (15 hours “équivalent TD”) in the framework of the “Safety Critical Systems” lecture given to second year students of the MOSIG.
• Q. Nivon gave a course on “Gestion de données relationnelles et applications” (39 hours “équivalent TD”) to L2 students of UGA.
• Q. Nivon gave a course on “Sémantique des langages de programmation et compilation” (30 hours “équivalent TD”) to M1 students of UGA.
• G. Salaün taught about 200 hours of classes (algorithmics, Web development, object-oriented programming) at the MMI department of IUT1/UGA.
• W. Serwe supervised a group of six teams in the context of the “projet Génie Logiciel” (55 hours “équivalent TD”, consisting in 13.5 hours of lectures, plus supervision and evaluation), ENSIMAG, January 2024.

9.2.2 Supervision

• PhD: I. Faqrizal, “Quantitative Verification and Runtime Techniques for Industrial Automation Systems”, Université Grenoble Alpes, defended on December 5, 2024, G. Salaün and Y. Falcone
• PhD: P. Ledent, “Formal Modeling for Testing of System-on-Chip Resource Isolation”, Université Grenoble Alpes, defended on October 24, 2024, R. Mateescu, W. Serwe, and Hajer Ferjani (ST Microelectronics)
• PhD: Chukri Soueidi, “Ingénierie de l'instrumentation pour la vérification de l'exécution”, Université Grenoble Alpes, defended on May 13, 2024, G. Salaün and Y. Falcone
• PhD: A. Zuo, “Modelling, Runtime Analysis and Quantitative Verification of Business Processes”, Université Grenoble Alpes, defended on April 11, 2024, G. Salaün and Y. Falcone
• PhD in progress: Z. Assoumani, “Conception rigoureuse de circuits basée sur les méthodes formelles”, Université Grenoble Alpes, since October 2024, R. Mateescu and W. Serwe
• PhD in progress: S. Gupta, “Using blockchains for managing EHRs (Electronic Health Records)”, Université Grenoble Alpes, since January 2024, G. Salaün, F. Lang, and Umar Ozeer (Euris)
• PhD in progress: J-B. Horel, “Validation des composants de perception basés sur l'IA dans les véhicules autonomes”, Université Grenoble Alpes, since April 2021, R. Mateescu, Alessandro Renzaglia, and Christian Laugier (CHROMA project-team)
• PhD in progress: A. Khebbeb, “Formal Modelling and Automated Analysis of Resource Provisioning Languages”, Université Grenoble Alpes, since December 2024, G. Salaün and Philippe Merle (SPIRALS project-team, Lille)
• PhD in progress: Q. Nivon, “Analyse, optimisation et debugging de processus BPMN”, Université Grenoble Alpes, since October 2022, G. Salaün

9.2.3 Juries

• G. Salaün was reviewer of Olav Bunte’s PhD thesis, entitled “Cracking OIL: A Formal Perspective on an Industrial DSL for Modelling Control Software”, defended at Eindhoven University of Technology (The Netherlands) on September 5, 2024.
• G. Salaün was jury president for Giovanni Fabbretti's PhD thesis, entitled “A Theory of Distributed Reversible Systems with Failures and Recovery”, defended at UGA on October 11, 2024.
• G. Salaün was jury president for Pietro Lami's PhD thesis, entitled “Reversibility for Concurrent Memory Models”, defended at UGA on December 16, 2024.

International journals

• 9 articleM.Maurice ter Beek, R.Rod Chapman, R.Rance Cleaveland, H.Hubert Garavel, R.Rong Gu, I.Ivo ter Horst, J.Jeroen Keiren, T.Thierry Lecomte, M.Michael Leuschel, K. Y.Kristin Yvonne Rozier, A.Augusto Sampaio, C.Cristina Seceleanu, M.Martyn Thomas, T.Tim Willemse and L.Lijun Zhang. Formal Methods in Industry.Formal Aspects of ComputingAugust 2024, 1-34HALDOIback to text
• 10 articleL.Luca Di Stefano and F.Frédéric Lang. Compositional verification of priority systems using sharp bisimulation.Formal Methods in System Design622024, 1-40HALDOI
• 11 articleI.Irman Faqrizal, G.Gwen Salaün and Y.Yliès Falcone. Adaptive Industrial Control Systems via IEC 61499 and Runtime Enforcement.ACM Transactions on Autonomous and Adaptive Systems2024, 1-31In press. HALDOIback to text

International peer-reviewed conferences

• 12 inproceedingsP.Pierre Bouvier and H.Hubert Garavel. Identifying Duplicates in Large Collections of Petri Nets and Nested-Unit Petri Nets.Lecture Notes in Computer SciencePETRI NETS 2024 - 45th International Conference on Application and Theory of Petri Nets and Concurrency14628Genève, SwitzerlandSpringer Nature SwitzerlandJune 2024, 379-401HALback to text
• 13 inproceedingsY.Yliès Falcone, G.Gwen Salaün and A.Ahang Zuo. Dynamic Resource Allocation for Executable BPMN Processes Leveraging Predictive Analytics.QRS 2024 - 24th International Conference on Software Quality, Reliability, and SecurityCambridge, United Kingdom2024, 1-12HALback to text
• 14 inproceedingsY.Yliès Falcone, G.Gwen Salaün and A.Ahang Zuo. Probabilistic Runtime Enforcement of Executable BPMN Processes.FASE 2024 - 27th International Conference on Fundamental Approaches to Software EngineeringLuxembourg City, LuxembourgApril 2024, 1-21HALDOIback to text
• 15 inproceedingsI.Irman Faqrizal, T.Tatiana Liakh, M.Midhun Xavier, G.Gwen Salaün and V.Valeriy Vyatkin. Probabilistic Model Checking for IEC 61499: A Manufacturing Application.ICIT 2024 - 25th IEEE International Conference on Industrial TechnologyBristol, United KingdomIEEE2024, 1-6HALback to text
• 16 inproceedingsI.Irman Faqrizal, Q.Quentin Nivon and G.Gwen Salaün. Automated Repair of Violated Eventually Properties in Concurrent Programs.FormaliSE 2024 - 12th IEEE/ACM International Conference on Formal Methods in Software EngineeringLisbon, PortugalIEEE2024, 1-11HALDOIback to text
• 17 inproceedingsI.Irman Faqrizal, G.Gwen Salaün and Y.Yliès Falcone. Guided Evolution of IEC 61499 Applications.ETFA 2024 - 29th IEEE International Conference on Emerging Technologies and Factory AutomationPadova, ItalyIEEE2024, 1-8HALback to text
• 18 inproceedingsH.Hubert Garavel and B.Bas Luttik. Four Formal Models of IEEE 1394 Link Layer.arXiv:2403.17862Proceedings of the 6th Workshop on Models for Formal Analysis of Real Systems (MARS 2O24)Luxembourg, LuxembourgarXiv2024HALDOIback to text
• 19 inproceedingsJ.-B.Jean-Baptiste Horel, A.Alessandro Renzaglia, R.Radu Mateescu and C.Christian Laugier. Scenario-based Validation of Autonomous Vehicles using Augmented Reality.ICRA 2024 - 40th Anniversary of the IEEE Conference on Robotics and AutomationRotterdam, Netherlands2024, 1-3HAL
• 20 inproceedingsP.Philippe Ledent, R.Radu Mateescu and W.Wendelin Serwe. Improving PSS Test Generation Using Model Checking and Conformance Testing.FDL 2024 - 27th Forum on specification and Design LanguagesStockholm, SwedenIEEE2024, 1-9HALDOIback to text
• 21 inproceedingsP.Philippe Ledent, R.Radu Mateescu and W.Wendelin Serwe. Testing Resource Isolation for System-on-Chip Architectures.Electronic Proceedings in Theoretical Computer ScienceMARS 2024 - 6th Workshop on Models for Formal Analysis of Real Systems399Luxembourg, Luxembourg2024, 1-40HALDOIback to text
• 22 inproceedingsQ.Quentin Nivon and G.Gwen Salaün. Automated Generation of BPMN Processes from Textual Requirements.ICSOC 2024 - 22nd International Conference on Service-Oriented ComputingTunis, Tunisia2024, 1-16HALback to text
• 23 inproceedingsQ.Quentin Nivon and G.Gwen Salaün. Semi-Automated Refactoring of BPMN Processes.QRS 2024 - IEEE 24th International Conference on Software Quality, Reliability, and SecurityCambridge, United KingdomIEEE2024, 1-12HALback to text

Scientific book chapters

• 24 inbookH.Hubert Garavel, H.Holger Hermanns and D.David Parker. Revisiting a Pioneering Concurrent Stochastic Problem: The Erlangen Mainframe.15261Principles of Verification: Cycling the Probabilistic LandscapeLecture Notes in Computer ScienceSpringer Nature SwitzerlandNovember 2024, 46-74HALDOIback to text

Other scientific publications

• 25 miscJ.-B.Jean-Baptiste Horel, A.Alessandro Renzaglia, R.Radu Mateescu and C.Christian Laugier. Scenario-based Validation of Autonomous Vehicles using Augmented Reality: Video of the Experiments.March 2024HAL