2025​​​‌Activity reportProject-TeamSYCOMORES​

3.1 Axis​‌ 1: Design and implementation​​ of RT-components

In this​​​‌ research axis we will​ focus on the programming​‌ of RT-components. We will​​ cover programming aspects at​​​‌ different levels of the​ development process, from high-level​‌ design, to low-level implementation​​ on distributed heterogeneous embedded​​​‌ platforms.

3.2​ Axis 2: Formal methods​‌

In this research axis,​​ we will focus on​​​‌ compositional techniques for proving​ compositional system properties. On​‌ one hand, we will​​ design static program analysis​​​‌ techniques for RT components​ at the binary level.​‌ While these techniques will​​ mainly focus on WCET​​​‌ analysis, some results will​ also be reused to​‌ analyze security properties instead.​​ On the other hand,​​​‌ we will focus on​ compositional techniques for proving​‌ RT components of operating​​ systems. Our plan is​​​‌ to focus mainly on​ RT schedulers.

3.3 Long term

In​ the long term, we​‌ will integrate the elements​​ studied during the medium​​​‌ term phase, in order​ to provide a seamless​‌ framework that goes from​​ high-level design to final​​​‌ implementation. Translations will be​ automated and proved correct.​‌ These objectives are transverse​​ by nature, so all​​​‌ members of the project-team​ will participate. Since these​‌ objectives focus on integration​​ of our previous results,​​​‌ they are related to​ all of our short​‌ and medium term objectives.​​

7.1 Latest​​ software developments

8.1 CUTECat:​​​‌ Concolic Execution for Computational​ Law

Many legal computations,​‌ including the amount of​​ tax owed by a​​​‌ citizen, whether they are​ eligible to social benefits,​‌ or the wages due​​ to civil state servants,​​​‌ are specified by computational​ laws. Their application, however,​‌ is performed by expert​​ computer programs intended to​​​‌ faithfully transcribe the law​ into computer code. Bugs​‌ in these programs can​​ lead to dramatic societal​​​‌ impact, e.g., paying employees​ incorrect amounts, or not​‌ awarding benefits to families​​ in need. To address​​​‌ this issue, we consider​ concolic unit testing, a​‌ combination of concrete execution​​ with SMT-based symbolic execution,​​​‌ and propose CUTECat, a​ concolic execution tool targeting​‌ implementations of computational laws.​​ Such laws typically follow​​​‌ a pattern where a​ base case is later​‌ refined by many exceptions​​ in following law articles,​​​‌ a pattern that can​ be formally modeled using​‌ default logic. We show​​ how to handle default​​​‌ logic inside a concolic​ execution tool, and implement​‌ our approach in the​​ context of Catala, a​​​‌ recent domain-specific language tailored​ to implement computational laws.​‌ We evaluate CUTECat on​​ several programs, including the​​​‌ Catala implementation of the​ French housing benefits and​‌ Section 132 of the​​ US tax code. We​​​‌ show that CUTECat can​ successfully generate hundreds of​‌ thousands of testcases covering​​ all branches of these​​​‌ bodies of law. Through​ several heuristics, we improve​‌ CUTECat’s scalability and usability,​​ making the testcases understandable​​​‌ by lawyers and programmers​ alike. We believe CUTECat​‌ thus paves the way​​ for the use of​​​‌ formal methods during legislative​ processes.

This work 20​‌ has been presented at​​ ESOP'25, and received a​​​‌ distinguished artifact award.

Participants:​ Pierre Goutagny, Raphael​‌ Monat.

8.2 Compositional​​ Static Value Analysis for​​​‌ Higher-Order Numerical Programs

Static​ analyzers have been successfully​‌ developed to detect runtime​​ errors in many languages.​​ However, the automatic analysis​​​‌ of functional languages remains‌ a challenge due to‌​‌ their recursive functions, recursive​​ algebraic data types, and​​​‌ higher-order functions. Classic type‌ systems provide compositional methods‌​‌ that are in general​​ not precise enough to​​​‌ prove the absence of‌ runtime errors such as‌​‌ assertion failures. At the​​ other end of the​​​‌ spectrum, deductive methods are‌ more expressive but may‌​‌ require user guidance to​​ prove invariants. Our work​​​‌ describes a static value‌ analysis by abstract interpretation‌​‌ for a higher-order pure​​ functional language. This analysis​​​‌ provides a sound and‌ automatic approach to discover‌​‌ invariants and prevent assertion​​ and match failures. We​​​‌ have designed a compositional‌ analysis: functions are analyzed‌​‌ only once, at their​​ definition site, generating a​​​‌ summary of their behavior.‌ The summaries can be‌​‌ viewed as input-output relations​​ expressed with relational abstract​​​‌ domains. We present two‌ new abstract domains. A‌​‌ first abstract domain summarizes​​ recursive algebraic data types.​​​‌ A second abstract domain‌ lifts existing disjunctive relational‌​‌ summaries to higher-order by​​ formalizing them as domains​​​‌ able to abstract higher-order‌ functions. Both abstractions are‌​‌ parameterized by the abstractions​​ of basic types (strings,​​​‌ integers, . . .‌ ). Thanks to this‌​‌ parametric nature, both domains​​ can be combined, allowing​​​‌ the analysis of higher-order‌ functions manipulating algebraic data‌​‌ types and, conversely, algebraic​​ data types using functions​​​‌ as first-class values. We‌ have implemented this analysis‌​‌ in the open-source MOPSA​​ platform. Preliminary evaluation confirms​​​‌ the precision of our‌ approach on a set‌​‌ of 40 handwritten toy​​ programs as well as​​​‌ 20 programs from the‌ state-of-the-art Salto analyzer benchmark.‌​‌

This work 24 has​​ been published at ECOOP​​​‌ 2025.

Participants: Raphael Monat‌.

8.3 Stop treating‌​‌ code like an afterthought:​​ record, share and value​​​‌ it

From short scripts‌ to vast simulations of‌​‌ Earth’s climate, protein structures​​ or even the cosmos,​​​‌ it is hard to‌ imagine scientific research without‌​‌ software. Scientists use software​​ code in myriad ways​​​‌ -to plan experiments; to‌ record, organize, analyse, visualize‌​‌ and archive data; to​​ control scientific instruments, and​​​‌ more. But software evolves.‌ Most open-source software used‌​‌ in research is refined​​ both iteratively and collectively,​​​‌ and has no published‌ ‘version of record’. Updates‌​‌ can target various versions​​ and releases, meaning that​​​‌ each aspect of the‌ software -the project as‌​‌ a whole, a specific​​ version or a single​​​‌ file -can require a‌ different way to refer‌​‌ to it. This creates​​ confusion. And so software​​​‌ comes with a double‌ bind: like data, it‌​‌ supports the findings of​​ a study and should​​​‌ be preserved and published.‌ Yet it should also‌​‌ remain available and supported,​​ and possibly be improved,​​​‌ over time. Scholars, librarians,‌ research institutions and funding‌​‌ agencies are wrestling with​​ how to reconcile these​​​‌ two requirements.

This work‌ has been published as‌​‌ a commentary in Nature​​ 14.

Participants: Raphael​​​‌ Monat.

8.4 Easing‌ Maintenance of Academic Static‌​‌ Analyzers

Academic research in​​ static analysis produces software​​​‌ implementations. These implementations are‌ time-consuming to develop and‌​‌ some need to be​​​‌ maintained in order to​ enable building further research​‌ upon the implementation. While​​ necessary, these processes can​​​‌ be quickly challenging. This​ article documents the tools​‌ and techniques we have​​ come up with to​​​‌ simplify the maintenance of​ Mopsa since 2017. Mopsa​‌ is a static analysis​​ platform that aims at​​​‌ being sound. First, we​ describe an automated way​‌ to measure precision that​​ does not require any​​​‌ baseline of true bugs​ obtained by manually inspecting​‌ the results. Further, it​​ improves transparency of the​​​‌ analysis, and helps discovering​ regressions during continuous integration.​‌ Second, we have taken​​ inspiration from standard tools​​​‌ observing the concrete execution​ of a program to​‌ design custom tools observing​​ the abstract execution of​​​‌ the analyzed program itself,​ such as abstract debuggers​‌ and profilers. Finally, we​​ report on some cases​​​‌ of automated testcase reduction.​

This work has been​‌ published in a special​​ issue of the STTT​​​‌ journal 15.

Participants:​ Raphael Monat.

8.5​‌ Mopsa at the Software​​ Verification Competition

Mopsa is​​​‌ a multilanguage static analysis​ platform relying on abstract​‌ interpretation. It is able​​ to analyze C, Python,​​​‌ and programs mixing these​ two languages.

In Fall​‌ 2025, Raphaël Monat participated​​ to the Software Verification​​​‌ Competition (SV-Comp) by submitting​ the Mopsa static analyzer​‌ he is co-developing. Mopsa​​ earned a silver medal​​​‌ in the SoftwareSystems category​; this category aims​‌ at "representing verification tasks​​ from real software systems".​​​‌ There were 22 competing​ tools.

This third participation​‌ is described in 21​​.

Participants: Raphaël Monat​​​‌.

8.6 Implementing CNN​ on embedded real-time systems​‌

Many Artificial Intelligence algorithms​​ (e.g. Convolutional Neural Networks​​​‌ -CNNs) can be modeled​ as a collection of​‌ functions which communicate with​​ each other according to​​​‌ a directed acyclic graph.​ The main goal of​‌ 16 is to optimize​​ the execution of CNNs​​​‌ on real-time embedded systems​ based on a multicore​‌ architecture with scratchpad memory.​​

In a typical multicore​​​‌ platform, cores share a​ complex memory hierarchy with​‌ one or more levels​​ of cache memories, leading​​​‌ to potential interference and​ contention on the shared​‌ communication buses. To reduce​​ contention, it is possible​​​‌ to use architectures based​ on scratchpads, where every​‌ processor has a dedicated​​ programmable fast memory to​​​‌ perform its local computations,​ and data is moved​‌ between the main memory​​ and the local memories​​​‌ according to a timed​ schedule. We studied the​‌ problem of allocating CNN​​ inference functions to processor​​​‌ cores, and scheduling the​ execution and memory communications.​‌ We proposed an Integer​​ Linear Programming (ILP) model​​​‌ that accounts for both​ the cost of copying​‌ data to and from​​ scratchpad memories and the​​​‌ parallel computation costs on​ the cores, with the​‌ goal of meeting real-time​​ temporal constraints.

This work​​​‌ is part of the​ PhD thesis of Chiara​‌ Daini 25.

Participants:​​ Giuseppe Lipari, Chiara​​​‌ Daini.

8.7 A​ Kleene Algebra with Tests​‌ for Union Bound Reasoning​​ About Probabilistic Programs

Kleene​​​‌ algebras with tests (KAT)​ are an algebraic approach​‌ for reasoning on imperative​​ programs with equational proofs,​​ which has been shown​​​‌ by Kozen to be‌ as expressive as propositional‌​‌ Hoare logic. We have​​ proposed in 18 an​​​‌ extension of KAT for‌ reasoning on imperative programs‌​‌ with probabilistic primitives. Our​​ system can prove that​​​‌ a probabilistic program satisfies‌ a given postcondition except‌​‌ with a given probability.​​ We have proved that​​​‌ it is as expressive‌ as a probabilistic variant‌​‌ of propositional Hoare logic​​ from the literature (Union​​​‌ bound program logic). These‌ results have been obtained‌​‌ as part of Leandro​​ Gomes’ postdoc and presented​​​‌ at the conference CSL2025‌  18.

Participants: Patrick‌​‌ Baillot, Leandro Gomes​​.

8.8 BiGKAT: an​​​‌ algebraic framework for relational‌ verification of probabilistic programs‌​‌

The paper 19 is​​ devoted to formal reasoning​​​‌ on relational properties of‌ probabilistic imperative programs. Relational‌​‌ properties are properties which​​ relate the execution of​​​‌ two programs (possibly the‌ same one) on two‌​‌ initial memories.We aim at​​ extending the algebraic approach​​​‌ of Kleene Algebras with‌ Tests (KAT) to relational‌​‌ properties of probabilistic programs.​​ For that we consider​​​‌ the approach of Guarded‌ Kleene Algebras with Tests‌​‌ (GKAT), which can be​​ used for representing probabilistic​​​‌ programs, and define a‌ relational version of it,‌​‌ called Bi-guarded Kleene Algebras​​ with Tests (BiGKAT) together​​​‌ with a semantics. We‌ show that the setting‌​‌ of BiGKAT is expressive​​ enough to encode a​​​‌ finitary version of probabilistic‌ Relational Hoare Logic (pRHL)‌​‌ (without the While rule),​​ a program logic that​​​‌ has been introduced in‌ the literature for the‌​‌ verification of relational properties​​ of probabilistic programs. We​​​‌ also discuss the additional‌ expressivity brought by BiGKAT.‌​‌

This work has been​​ carried out as part​​​‌ of Leandro Gomes’ postdoc‌ and presented at the‌​‌ conference FoSSaCS 2025 19​​.

Participants: Patrick Baillot​​​‌, Leandro Gomes.‌

8.9 Session Types for‌​‌ the Concurrent Composition of​​ Interactive Differential Privacy

Differential​​​‌ privacy (DP) is a‌ statistical definition of privacy‌​‌ which ensures that the​​ outcome of a computation​​​‌ by an analyst only‌ depends in a negligible‌​‌ way on the presence​​ of a single record​​​‌ in the dataset. This‌ framework has been extended‌​‌ first to the interactive​​ setting where the analyst​​​‌ can ask an adaptive‌ sequence of queries, and‌​‌ then to the concurrent​​ interactive setting where the​​​‌ adaptive queries can be‌ performed concurrently to the‌​‌ same database. An important​​ advantage of these frameworks​​​‌ is the presence of‌ composition theorems, which enable‌​‌ data curators to combine​​ multiple differentially private algorithms,​​​‌ resulting in a new‌ algorithm that still satisfies‌​‌ differential privacy. Deriving composition​​ theorems within the concurrent​​​‌ interactive framework, as well‌ as for advanced notions‌​‌ of DP, is a​​ complex task, for which​​​‌ some progress has been‌ made recently. On the‌​‌ other hand a variety​​ of tools have been​​​‌ proposed for certifying that‌ some given algorithms are‌​‌ differentially private. Among them,​​ the typing approach embodied​​​‌ by the Fuzz language‌ consists in using a‌​‌ functional programming language endowed​​ with a type system​​​‌ ensuring that well-typed programs‌ can automatically be rendered‌​‌ differentially private. However this​​​‌ setting does not allow​ to represent concurrent interactive​‌ systems. In  23 we​​ therefore propose to extend​​​‌ it by using a​ process calculus similar to​‌ the $\pi$-calculus as​​ the language. This calculus​​​‌ is equipped with operational​ semantics that enable us​‌ to express the DP​​ property as a form​​​‌ of approximate trace equivalence.​ Moreover, we introduce a​‌ type system in the​​ form of session types​​​‌ and prove a soundness​ result stating that if​‌ a system of processes​​ is well-typed, then it​​​‌ is differentially private.

This​ work is part of​‌ the ongoing thesis of​​ Victor Sannier, advised by​​​‌ Patrick Baillot and co-advised​ by Marco Gaboardi (Boston​‌ University). It has been​​ presented at the conference​​​‌ Computer Security Foundations (CSF​ 2025) 23.

Participants:​‌ Patrick Baillot, Victor​​ Sannier.

8.10 A​​​‌ characterization of Basic Feasible​ Functionals through higher-order rewriting​‌ and tuple interpretations

The​​ class of type-two basic​​​‌ feasible functionals (BFF2) is​ the analogue of FP​‌ (polynomial time functions) for​​ type-2 functionals, that is,​​​‌ functionals that can take​ (first-order) functions as arguments.​‌ BFF2 can be defined​​ through Oracle Turing Machines​​​‌ with running time bounded​ by second-order polynomials. On​‌ the other hand, higher-order​​ term rewriting provides an​​​‌ elegant formalism for expressing​ higher-order computation. In  11​‌ we address the problem​​ of characterizing BFF2 by​​​‌ higher-order term rewriting. Various​ kinds of interpretations for​‌ first-order term rewriting have​​ been introduced in the​​​‌ literature for proving termination​ and characterizing first-order complexity​‌ classes. In this paper,​​ we consider a recently​​​‌ introduced notion of cost–size​ tuple interpretations for higher-order​‌ term rewriting and see​​ second order rewriting as​​​‌ ways of computing type-2​ functionals. We then prove​‌ that the class of​​ functionals represented by higher-order​​​‌ terms admitting polynomially bounded​ cost–size interpretations exactly corresponds​‌ to BFF2.

Participants: Patrick​​ Baillot.

This work​​​‌ has been published in​ the journal Logical Methods​‌ in Computer Science 11​​.

8.11 Dependent Coeffects​​​‌ for Local Sensitivity Analysis​

Differential privacy is a​‌ formal definition of privacy​​ that bounds the maximum​​​‌ acceptable information leakage when​ a query is performed​‌ on sensitive data. To​​ ensure this property, a​​​‌ key technique involves bounding​ the query’s sensitivity (how​‌ much input variations affect​​ the output) and adding​​​‌ noise to the result​ according to this quantity.​‌ While prior work like​​ the Fuzz type system​​​‌ focuses on global sensitivity,​ many useful queries have​‌ infinite global sensitivity, restricting​​ the scope of such​​​‌ approaches. This limitation can​ be addressed by considering​‌ a more fine-grained measure:​​ local sensitivity, which quantifies​​​‌ output change for inputs​ adjacent to a specific​‌ dataset. In  22 we​​ introduce Local Fuzz, a​​​‌ type system with dependent​ coeffects designed to bound​‌ the local sensitivity of​​ programs written in a​​​‌ simple functional language. We​ provide a denotational semantics​‌ for this system in​​ the category of extended​​​‌ premetric spaces, leveraging the​ recently introduced construction of​‌ a dependently graded comonad.​​ Finally, we illustrate how​​​‌ Local Fuzz can lead​ to better differential privacy​‌ guarantees than Fuzz, both​​ for mechanisms that rely​​ on global sensitivity and​​​‌ for those that leverage‌ local sensitivity, such as‌​‌ the Propose-Test-Release framework.

This​​ work is part of​​​‌ the ongoing thesis of‌ Victor Sannier, advised by‌​‌ Patrick Baillot and co-advised​​ by Marco Gaboardi (Boston​​​‌ University). It has been‌ presented at the conference‌​‌ Principles of Programming Languages​​ (POPL 2026) 22.​​​‌

Participants: Patrick Baillot,‌ Victor Sannier.

8.12‌​‌ Towards determinism in PDL:​​ relations and proof theory​​​‌

Propositional dynamic logic (PDL)‌ has been presented as‌​‌ a very powerful modal​​ logic to reason about​​​‌ imperative programming languages, allowing‌ in particular to express‌​‌ nondeterminism. It is known​​ that deciding program equivalence​​​‌ in full PDL is‌ EXPTIMEcomplete. In  12 we‌​‌ took a first step​​ to optimize the complexity​​​‌ of dynamic logic equivalence:‌ we have presented a‌​‌ fragment of PDL that​​ allows only if-then-else and​​​‌ while statements, equipped with‌ a semantics over relational‌​‌ models and a sound​​ axiomatisation. Although this fragment​​​‌ is less expressive than‌ full PDL, it is‌​‌ sufficient to encode standard​​ imperative programming constructions. We​​​‌ then presented a Natural‌ Deduction system for this‌​‌ logic, proving its soundness​​ and completeness with respect​​​‌ to the axiomatisation.

This‌ work has been published‌​‌ in the Journal of​​ Logic and Computation  12​​​‌.

Participants: Leandro Gomes‌.

8.13 A Domain-Theoretic‌​‌ Framework for Composing Effectful​​ Programs and Their Equations​​​‌

Interaction trees are a‌ uniform compositional framework for‌​‌ representing effectful and potentially​​ non-terminating computations. In 26​​​‌. David Nowak (2XS‌ team) and myself have‌​‌ developed a domain-theoretic formalization​​ of interaction trees in​​​‌ the Rocq prover. Domain‌ theory enables us to‌​‌ handle (co)recursion naturally, without​​ being held back by​​​‌ the frailty of Rocq's‌ builtin (co)recursion mechanisms. We‌​‌ show that coproducts of​​ interaction trees exist, allowing​​​‌ the modular combination of‌ effect signatures, and that‌​‌ the equations defining each​​ individual effect are seamlessly​​​‌ integrated through this structure.‌ This enables modular equational‌​‌ reasoning for programs combining​​ multiple effects. To illustrate​​​‌ the expressiveness of our‌ approach, we verify the‌​‌ correctness of a stateful​​ probabilistic computation and prove​​​‌ the equivalence between two‌ programs whose termination depends‌​‌ on a mathematical conjecture.​​

Participant: Vlad Rusu.​​​‌

8.14 Pleasant Imperative Program‌ Proofs with GallinaC

In‌​‌ 17, we present​​ GallinaC, a shallow embedding​​​‌ of a Turing-complete imperative‌ language directly inside the‌​‌ functional programming language of​​ the Rocq proof assistant,​​​‌ Gallina. In particular, it‌ features a truly generic‌​‌ and unbounded while loop.​​ Having a functional core​​​‌ means proofs about GallinaC‌ programs may use the‌​‌ same tactics as proofs​​ about pure functional ones.​​​‌ Compilation from GallinaC to‌ binary is possible through‌​‌ the CompCert certified compiler.​​ A chain of forward​​​‌ simulations guarantees that compilation‌ passes preserve semantics. Work‌​‌ on GallinaC is still​​ under progress, but we​​​‌ present first promising results.‌ A prototype implementation has‌​‌ shown the viability of​​ GallinaC with the correctness​​​‌ proof of a list‌ reversal procedure for linked-lists‌​‌ of unknown size. We​​ currently focus on the​​​‌ forward simulation between the‌ GallinaC intermediate representation (IR)‌​‌ and Cminor, the entry​​​‌ language of the CompCert​ back-end. The GallinaC sources​‌ are available here.​​

Participant: Vlad Rusu.​​​‌

9.1​‌ Bilateral Grants with Industry​​

Raphael Monat has been​​​‌ awarded an Amazon Research​ Award on Resource-Aware Conservative​‌ Static Analysis.

Participant: Raphael​​ Monat.

10.1 International​ initiatives

10.2​ International research visitors

10.3 National initiatives​​

10.4 Public‌ policy support

Raphaël Monat‌​‌ , Pierre Goutagny participate​​ to AEx AVoCat, which​​​‌ aims at bringing state-of-the-art‌ verification techniques within the‌​‌ Catala language, currently trialed​​ to be used in​​​‌ some public administrations.

11.1 Promoting scientific‌​‌ activities

11.2​​​‌ Teaching - Supervision -‌ Juries - Educational and‌​‌ pedagogical outreach

11.3 Popularization​‌

12.1​​ Major publications

• 1 inproceedings​​​‌C.Clément Ballabriga,​ J.Julien Forget,​‌ S.Sandro Grebant and​​ G.Giuseppe Lipari.​​​‌ New challenges in adaptive​ real-time systems with parametric​‌ WCET.RTSOPS 2023​​ - 12th International Real-Time​​​‌ Scheduling Open Problems Seminar​Vienne, AustriaJuly 2023​‌HAL
• 2 articleC.​​Clément Ballabriga, J.​​​‌Julien Forget and J.​Jordy Ruiz. Relational​‌ abstract interpretation of arrays​​ in assembly code.​​​‌Formal Methods in System​ DesignOctober 2022HAL​‌DOI
• 3 articleF.​​Fabien Bouquillon, S.​​​‌Smail Niar and G.​Giuseppe Lipari. Reducing​‌ the fault vulnerability of​​ hard real-time systems.​​​‌Journal of Systems Architecture​133December 2022,​‌ 102758HALDOI
• 4​​ articleH.Horatiu Cheval​​​‌, D.David Nowak​ and V.Vlad Rusu​‌. Formal Definitions and​​ Proofs for Partial (Co)Recursive​​​‌ Functions.Journal of​ Logic and Algebraic Methods​‌ in Programming141October​​ 2024, 27HAL​​​‌DOI
• 5 inproceedingsS.​Sandro Grebant, C.​‌Clément Ballabriga, J.​​Julien Forget and G.​​​‌Giuseppe Lipari. WCET​ analysis with procedure arguments​‌ as parameters.RTNS​​ 2023: The 31st International​​​‌ Conference on Real-Time Networks​ and SystemsDortmund, Germany​‌ACM2023, 11-22​​HALDOI
• 6 inproceedings​​​‌R.Raphaël Monat,​ A.Aymeric Fromherz and​‌ D.Denis Merigoux.​​ Formalizing Date Arithmetic and​​​‌ Statically Detecting Ambiguities for​ the Law.Lecture​‌ Notes in Computer Science​​ESOP 2024 - 33rd​​​‌ European Symposium on Programming​14577Lecture Notes in​‌ Computer ScienceLuxembourg City,​​ LuxembourgSpringer Nature Switzerland​​​‌April 2024, 421-450​HALDOI
• 7 inproceedings​‌R.Raphaël Monat,​​ A.Abdelraouf Ouadjaout and​​​‌ A.Antoine Miné.​ Mopsa-C: Modular Domains and​‌ Relational Abstract Interpretation for​​ C Programs (Competition Contribution)​​​‌.Tools and Algorithms​ for the Construction and​‌ Analysis of Systems (TACAS​​ 2023)13994Lecture Notes​​​‌ in Computer ScienceParis,​ FranceSpringer, ChamApril​‌ 2023, 565-570HAL​​DOI
• 8 inproceedingsD.​​​‌David Nowak and V.​Vlad Rusu. While​‌ Loops in Coq.​​Electronic Proceedings in Theoretical​​​‌ Computer Science7th Symposium​ on Working Formal Methods​‌ (FROM 2023)389Bucarest,​​ RomaniaSeptember 2023,​​ 96 - 109HAL​​​‌DOI
• 9 inproceedingsF.‌Florian Vanhems, V.‌​‌Vlad Rusu, D.​​David Nowak and G.​​​‌Gilles Grimaud. A‌ Formal Correctness Proof for‌​‌ an EDF Scheduler Implementation​​.Proc. 28th IEEE​​​‌ Real-Time and Embedded Technology‌ and Applications SymposiumRTAS‌​‌ 2022: 28th IEEE Real-Time​​ and Embedded Technology and​​​‌ Applications SymposiumMilan, Italy‌May 2022HALDOI‌​‌
• 10 inproceedingsJ.June​​ Wunder, A. A.​​​‌Arthur Azevedo De Amorim‌, P.Patrick Baillot‌​‌ and M.Marco Gaboardi​​. Bunched Fuzz: Sensitivity​​​‌ for Vector Metrics.‌ESOP 2023 - European‌​‌ Symposium on ProgrammingProceedings​​ of ESOP 2023 (European​​​‌ Symposium on Programming)Paris,‌ FranceSpringerApril 2023‌​‌HALDOI

12.2 Publications​​ of the year

12.3 Cited publications​

• 27 miscANSYS.​‌ SCADE Suite.2018​​back to text
• 28​​​‌ articleL.Luca Abeni​, L.Luigi Palopoli​‌, C.Claudio Scordino​​ and G.Giuseppe Lipari​​​‌. Resource Reservations for​ General Purpose Applications.​‌IEEE Trans. Ind. Informatics​​512009,​​​‌ 12--21URL: https://doi.org/10.1109/TII.2009.2013633DOI​back to text
• 29​‌ inproceedingsC.Clément Ballabriga​​, J.Julien Forget​​​‌, L.Laure Gonnord​, G.Giuseppe Lipari​‌ and J.Jordy Ruiz​​. Static Analysis Of​​​‌ Binary Code With Memory​ Indirections Using Polyhedra.​‌International Conference on Verification,​​ Model Checking, and Abstract​​ Interpretation (VMCAI'19)Lisbon, Portugal​​​‌1 2019HALback‌ to textback to‌​‌ textback to text​​
• 30 articleC.Clément​​​‌ Ballabriga, J.Julien‌ Forget and G.Giuseppe‌​‌ Lipari. Symbolic WCET​​ Computation.ACM Transactions​​​‌ on Embedded Computing Systems‌ (TECS)172December‌​‌ 2017, 1--26HAL​​DOIback to text​​​‌back to text
• 31‌ inproceedingsS.Sanjoy Baruah‌​‌. Resource-Efficient Execution of​​ Conditional Parallel Real-Time Tasks​​​‌.Euro-Par 2018: Parallel‌ ProcessingChamSpringer International‌​‌ Publishing2018, 218--231​​back to text
• 32​​​‌ articleE.Enrico Bini‌ and G.Giorgio Buttazzo‌​‌. The space of​​ EDF deadlines: the exact​​​‌ region and a convex‌ approximation.Real-Time Systems‌​‌4112009,​​ 27--51back to text​​​‌
• 33 articleE.Enrico‌ Bini, M.Marco‌​‌ Di Natale and G.​​Giorgio Buttazzo. Sensitivity​​​‌ analysis for fixed-priority real-time‌ systems.Real-Time Systems‌​‌391-32008,​​ 5--30back to text​​​‌
• 34 inproceedingsT.Timothy‌ Bourke, L.Lélio‌​‌ Brun, P.-É.Pierre-Évariste​​ Dagand, X.Xavier​​​‌ Leroy, M.Marc‌ Pouzet and L.Lionel‌​‌ Rieg. A formally​​ verified compiler for Lustre​​​‌.ACM SIGPLAN Notices‌526ACM2017‌​‌, 586--601back to​​ text
• 35 inproceedingsR.​​​‌Rémy Boutonnet and N.‌Nicolas Halbwachs. Disjunctive‌​‌ relational abstract interpretation for​​ interprocedural program analysis.​​​‌International Conference on Verification,‌ Model Checking, and Abstract‌​‌ InterpretationSpringer2019,​​ 136--159back to text​​​‌
• 36 inproceedingsG.Guy‌ Durrieu, M.Madeleine‌​‌ Faugere, S.Sylvain​​ Girbal, D. G.​​​‌Daniel Gracia Pérez,‌ C.Claire Pagetti and‌​‌ W.Wolfgang Puffitsch.​​ Predictable flight management system​​​‌ implementation on a multicore‌ processor.Embedded Real‌​‌ Time Software (ERTS'14)2014​​back to text
• 37​​​‌ inproceedingsA.Arne Hamann‌, D.Dakshina Dasari‌​‌, S.Simon Kramer​​, M.Michael Pressler​​​‌ and F.Falk Wurst‌. Communication Centric Design‌​‌ in Complex Automotive Embedded​​ Systems.29th Euromicro​​​‌ Conference on Real-Time Systems‌ (ECRTS 2017)Dubrovnik, Croatia‌​‌2017back to text​​
• 38 miscX.Xavier​​​‌ Leroy. The CompCert‌ C verified compiler.‌​‌2018back to text​​
• 39 inproceedingsG.Giuseppe​​​‌ Lipari and S. K.‌Sanjoy K. Baruah.‌​‌ Greedy reclamation of unused​​ bandwidth in constant-bandwidth servers​​​‌.12th Euromicro Conference‌ on Real-Time Systems (ECRTS‌​‌ 2000), 19-21 June 2000,​​ Stockholm, Sweden, ProceedingsIEEE​​​‌ Computer Society2000,‌ 193--200URL: https://doi.org/10.1109/EMRTS.2000.854007DOI‌​‌back to text
• 40​​ inproceedingsG.Giuseppe Lipari​​​‌ and E.Enrico Bini‌. Resource Partitioning among‌​‌ Real-Time Applications.Proc.​​ 15th Euromicro Conf. Real-Time​​​‌ SystemsIEEE Computer Society‌2003, 151--158DOI‌​‌back to text
• 41​​ miscMathWorks. Simulink​​​‌.2018back to‌ text
• 42 articleC.‌​‌Claire Pagetti, J.​​Julien Forget, F.​​​‌Frédéric Boniol, M.‌Mikel Cordovilla and D.‌​‌David Lesens. Multi-task​​ implementation of multi-periodic synchronous​​​‌ programs.Discrete Event‌ Dynamic Systems213‌​‌2011, 307-338back​​ to textback to​​​‌ text
• 43 inproceedingsC.‌Claire Pagetti, J.‌​‌Julien Forget, H.​​​‌Heiko Falk, D.​Dominic Oehlert and A.​‌Arno Luppold. Automated​​ generation of time-predictable executables​​​‌ on multi-core.RTNS​ 2018October 2018back​‌ to text
• 44 inproceedings​​R.Rodolfo Pellizzoni,​​​‌ E.Emiliano Betti,​ S.Stanley Bak,​‌ G.Gang Yao,​​ J.John Criswell,​​​‌ M.Marco Caccamo and​ R.Russell Kegley.​‌ A predictable execution model​​ for COTS-based embedded systems​​​‌.Real-Time and Embedded​ Technology and Applications Symposium​‌ (RTAS)IEEE2011back​​ to text
• 45 inproceedings​​​‌P.Pascal Raymond.​ A general approach for​‌ expressing infeasibility in implicit​​ path enumeration technique.​​​‌2014 International Conference on​ Embedded Software (EMSOFT)IEEE​‌2014, 1--9back​​ to text
• 46 article​​​‌A.A. Saifullah,​ D.D. Ferry,​‌ J.J. Li,​​ K.K. Agrawal,​​​‌ C.C. Lu and​ C. D.C. D.​‌ Gill. Parallel Real-Time​​ Scheduling of DAGs.​​​‌IEEE Transactions on Parallel​ and Distributed Systems25​‌1212 2014,​​ 3242-3252DOIback to​​​‌ text
• 47 miscThe​ Coq proof assistant reference​‌ manual.2021back​​ to text
• 48 misc​​​‌The Pip protokernel.​2018back to text​‌