Activity Report 2015

Project-Team AOSTE

Models and methods of analysis and optimization for systems with real-time and embedding constraints

IN COLLABORATION WITH: Laboratoire informatique, signaux systèmes de Sophia Antipolis (I3S)

Table of contents

1. Members
2. Overall Objectives
3. Research Program
   3.1. Models of Computation and Communication (MoCCs)
      3.1.1. K-periodic static scheduling and routing in Process Networks
      3.1.2. Endochrony and GALS implementation of conflict-free polychronous programs
   3.2. Logical Time in Model-Driven Embedded System Design
   3.3. The AAA (Algorithm-Architecture Adequation) methodology and Real-Time Scheduling
      3.3.1. Algorithm-Architecture Adequation
      3.3.2. Distributed Real-Time Scheduling and Optimization
4. Application Domains
   4.1. System Engineering Environments
   4.2. Many-Core Embedded Architectures
   4.3. Transportation and the avionic domain
5. Highlights of the Year
6. New Software and Platforms
   6.1. SynDEx
   6.2. TimeSquare
   6.3. Lopht
   6.4. EVT Kopernic
   6.5. SAS
7. New Results
   7.1. CCSL as a Logical Clock Calculus Algebra: expressiveness and decidability results
   7.2. Industrial design flow for Embedded System Engineering
   7.3. Coordination of heterogeneous Models of Computation as Domain-Specific Languages
   7.4. SoC multiview (meta)modeling for performance, power, and thermal aspects
   7.5. Networks-on-Board: between NoCs and rack connector buses
   7.6. Solving AAA constraints analytically
   7.7. Stochastic extension of MARTE/CCSL for CPS modeling
   7.9. Code generation for time-triggered platforms based on Real-Time Scheduling
   7.10. Real-time systems compilation
   7.11. Uniprocessor Real-Time Scheduling
   7.12. Multiprocessor Real-Time Scheduling
   7.13. Probabilistic and statistical temporal analysis
8. Bilateral Contracts and Grants with Industry
   8.1. Kontron CIFRE
   8.2. Airbus CIFRE
   8.3. CNES/Airbus DS
9. Partnerships and Cooperations
   9.1. Regional Initiatives
   9.2. National Initiatives
      9.2.1. ANR
         9.2.1.1. HOPE
         9.2.1.2. GeMoC
      9.2.2. FUI
         9.2.2.1. FUI P
         9.2.2.2. FUI CLISTINE
         9.2.2.3. FUI Waruna
      9.2.3. Investissements d’Avenir
         9.2.3.1. DEPARTS
         9.2.3.2. CLARITY
         9.2.3.3. Capacites
   9.3. European Initiatives
      9.3.1. FP7 & H2020 Projects
      9.3.2. Collaborations in European Programs, except FP7 & H2020
   9.4. International Initiatives
   9.5. International Research Visitors
      9.5.1. Visits of International Scientists
         9.5.1.1. Invited Professor
         9.5.1.2. Internships
      9.5.2. Visits to International Teams
10. Dissemination
   10.1. Promoting Scientific Activities
      10.1.1. Scientific events organisation
      10.1.2. Scientific events selection
         10.1.2.1. Chair of conference program committees
         10.1.2.2. Member of the conference program committees
      10.1.3. Journal
      10.1.4. Invited talks
      10.1.5. Scientific expertise
      10.1.6. Research administration
   10.2. Teaching - Supervision - Juries
      10.2.1. Teaching
      10.2.2. Supervision
      10.2.3. Juries
11. Bibliography

Creation of the Project-Team: 2004 July 01

Keywords:

**Computer Science and Digital Science:**

1.1.1. - Multicore
1.1.12. - Non-conventional architectures
1.1.2. - Hardware accelerators (GPGPU, FPGA, etc.)
1.2.3. - Routing
1.2.5. - Internet of things
1.2.7. - Cyber-physical systems
1.5.1. - Systems of systems
1.5.2. - Communicating systems
2.1.1. - Semantics of programming languages
2.1.10. - Domain-specific languages
2.1.6. - Concurrent programming
2.1.8. - Synchronous languages
2.2.4. - Parallel architectures
2.2.5. - GPGPU, FPGA, etc.
2.3. - Embedded and cyber-physical systems
2.4.1. - Analysis
2.4.2. - Verification
4.5. - Formal methods for security
6.1.5. - Multiphysics modeling
6.2.7. - High performance computing
7.11. - Performance evaluation
7.2. - Discrete mathematics, combinatorics

**Other Research Topics and Application Domains:**

5.1. - Factory of the future
5.4. - Microelectronics
6.1.1. - Software engineering
6.4. - Internet of things
6.6. - Embedded systems
8.1. - Smart building/home

1. Members

**Research Scientists**

Robert de Simone [Team leader, Inria, Senior Researcher, Sophia Antipolis - Méditerranée, HdR]
Yves Sorel [Team co-leader, Inria, Senior Researcher, Paris - Rocquencourt]
Liliana Cucu [Inria, Researcher, Paris - Rocquencourt, HdR]
Dumitru Potop Butucaru [Inria, Researcher, Paris - Rocquencourt, HdR]
Robert Davis [Inria International Chair, Paris - Rocquencourt]

Faculty Members
Julien Deantoni [Univ. Nice, Associate Professor, Inria delegation from Sept. 2015, Sophia Antipolis - Méditerranée]
Frederic Mallet [Univ. Nice, Professor, Inria delegation until Aug. 2015, Sophia Antipolis - Méditerranée, HdR]
Marie Agnes Peraldi Frati [Univ. Nice, Associate Professor, Sophia Antipolis - Méditerranée]
Sid Touati [Univ. Nice, Professor, Sophia Antipolis - Méditerranée, HdR]

Engineers
Mihail Asavoae [Inria, from Mar 2015, funded on PIA Capacites project, Paris - Rocquencourt]
Abderraouf Benyahia [Inria, until Apr 2015, funded by FUI P project, Paris - Rocquencourt]
Daniel de Rauglaudre [Inria, until Sept. 2015, Paris - Rocquencourt]
Adriana Gogonel [Inria, funded by FP7 PROXIMA project, Paris - Rocquencourt]
Raul-Adrian Gorcitz [Inria, funded by ITEA3 Assume project, Paris - Rocquencourt]
Luc Hogie [CNRS, Sophia Antipolis - Méditerranée]
Code Lo [Inria, until Feb 2015, granted by FP7 PROXIMA project, Paris - Rocquencourt]
Ales Mishchenko [Inria, on PIAVE Clarity project, from Nov 2015, Sophia Antipolis - Méditerranée]
Albert Savary [Inria, on FUI Clistine project, from Sep 2015, Sophia Antipolis - Méditerranée]

PhD Students
Mohamed Bergach [Inria, until Oct 2015, on CIFRE contract with Kontron, Sophia Antipolis - Méditerranée]
Yann Bondue [Inria, until Mar 2015, resigned, Sophia Antipolis - Méditerranée]
Keryan Didier [Inria, from Apr 2015, funded by ITEA3 Assume project, Paris - Rocquencourt]
Amani Khecharem [Inria, granted by ANR HOPE project, Sophia Antipolis - Méditerranée]
Emilien Kofman [Univ. Nice, funded by Labex UCNsophia, jointly with UMR LEAT, Sophia Antipolis - Méditerranée]
Cristian Maxim [AIRBUS, granted by FP7 PROXIMA project, Paris - Rocquencourt]
Amin Oueslati [Inria, funded by FUI Clistine project, Sophia Antipolis - Méditerranée]
Salah Eddine Saidi [funded by IFP Energies nouvelles, Paris - Rocquencourt]
Walid Talaboulma [Inria, from Nov. 2015, Paris - Rocquencourt]
Matias Vara Larsen [CNRS, Sophia Antipolis - Méditerranée]

Post-Doctoral Fellow
Dorin Maxim [Inria, from Oct. 2015, Paris - Rocquencourt]

Visiting Scientist
Qingguo Xu [Invited Professor, until Jun 2015, Sophia Antipolis - Méditerranée]

Administrative Assistants
Christine Anocq [Inria, Paris - Rocquencourt]
Patricia Lachaume [Inria, Sophia Antipolis - Méditerranée]

Others
Stefano Centomo [Inria, Intern, from Oct 2015, Sophia Antipolis - Méditerranée]
Mamadou Diallo [Inria, Intern, from Apr 2015 until Sep 2015, Paris - Rocquencourt]
Michele Fabbri [Inria, Intern, from Apr 2015 until Aug 2015, Sophia Antipolis - Méditerranée]
Luis Agustin Nieto [Inria, International Inria Internship, from Sep 2015, Sophia Antipolis - Méditerranée]
Rui Song [Inria, Intern, from Jul 2015 until Sep 2015, Sophia Antipolis - Méditerranée]
Laurent George [Univ. Paris XII, Associate Professor, Paris - Rocquencourt, HdR]

2. Overall Objectives

2.1. Embedded System Design

Typical embedded software applications display a mix of multimedia signal/data processing with modal interfaces, resulting in heterogeneous concurrent data-flow streaming models, and often stringent real-time constraints. Similarly, embedded architectural platforms are becoming increasingly parallel, with dedicated hardware accelerators and manycore processors. The optimized compilation of such applications onto such execution platforms involves complex mapping issues, both in terms of spatial distribution and in terms of temporal scheduling. Currently, it is far from being a fully automatic compilation process as in the case of commodity PC applications. Models are thus needed, both as formal mathematical objects from theoretical computer science to provide foundations for embedded system design, and also as engineering models to support an effective design flow.

Our general approach is directly inspired by the theories of synchronous languages, process networks, and real-time distributed scheduling. We insist on the introduction of logical time as a functional design ingredient, to be explicitly considered as a first-class modeling element of systems. Logical time is based on logical clocks, where such a clock can be defined as any meaningful sequence of event occurrences, usually meant as activation/triggering conditions for actions and operations in the systems. Logical time can thus be multiform: a global partial order built from local total orders of clocks. In the course of the design flow, time refinement takes place as decisions are made on the placement and timing of the various tasks and operations. This partly solves the constraints between clocks, by committing to schedule and placement decisions. The final version should be totally ordered, and is then subject to physical timing verification against physical constraints.

The general (logical) Time Model has been standardized as part of the OMG profile for Modeling and Analysis of Real-Time Embedded systems (MARTE).

Work on polychronous formalisms (descending from ESTEREL), on a Clock Constraint Specification Language (CCSL) handling logical time, on the Application-Architecture Adequation approach, and on real-time scheduling results has progressed over the years, resulting in software environments such as SYNDEX or TimeSquare.

3. Research Program

3.1. Models of Computation and Communication (MoCCs)

Participants: Julien Deantoni, Robert de Simone, Frédéric Mallet, Jean-Vivien Millo, Dumitru Potop Butucaru.

Esterel, SyncCharts, synchronous formalisms, Process Networks, Marked Graphs, Kahn networks, compilation, synthesis, formal verification, optimization, allocation, refinement, scheduling

Formal Models of Computation form the basis of our approach to Embedded System Design. Because of the growing importance of communication handling, communication is now included in the name (MoCC for short). The appeal of MoCCs comes from the fact that they combine features of mathematical models (formal analysis, transformation, and verification) with those of executable specifications (close to code level, simulation, and implementation). Examples of MoCCs in our case are mainly synchronous reactive formalisms and dataflow process networks. Various extensions or specific restrictions provide, respectively, greater expressivity or more focused decidable analysis results.

DataFlow Process Networks and Synchronous Reactive Languages such as ESTEREL/SYNCHRONY [65], [66], [60], [15], [4], [13] share one main characteristic: they are specified in a self-timed or loosely timed fashion, in the asynchronous data-flow style. But formal criteria in their semantics ensure that, under good correctness conditions, a sound synchronous interpretation can be provided, in which all treatments (computations, signaling communications) are precisely temporally mapped. This is referred to as clock calculus in synchronous reactive systems, and leads to a large body of theoretical studies and deep results in the case of DataFlow Process Networks [61], [59] (consider SDF balance equations for instance [67]).

As a result, explicit schedules become an important ingredient of design, which ultimately can be considered and handled by the designer him/herself. In practice such schedules are sought to optimize other parts of the design, mainly buffering queues: production and consumption of data can be regulated in their relative speeds. This was especially taken into account in the recent theories of Latency-Insensitive Design [62], or N-synchronous processes [63], with some of our contributions [6].

Explicit schedule patterns should be pictured in the framework of low-power distributed mapping of embedded applications onto manycore architectures, where they could play an important role as theoretical formal models on which to compute and optimize allocations and performances. We describe below two lines of research in this direction. Striking in these techniques is the fact that they include time and timing as integral parts of early functional design. But this original time is logical, multiform, and only partially ordering the various functional computations and communications. This approach was radically generalized in our team to a methodology for logical time based design, described next (see 3.2).

3.1.1. K-periodic static scheduling and routing in Process Networks

In recent years we focused on the algorithmic treatment of ultimately k-periodic schedule regimes, which are the class of schedules obtained by many of the theories described above. An important breakthrough occurred when we realized that the type of ultimately periodic binary words used for reporting static scheduling results could also be employed to record a completely distinct notion of ultimately k-periodic route switching patterns, and furthermore that commonalities of representation could make it easier to combine them. A new model, by the name of K-periodical Routed marked Graphs (KRG), was introduced and extensively studied for its algebraic and algorithmic properties [5].

The computations of optimized static schedules and other optimal buffering configurations in the context of latency-insensitive design led to the K-Passa software tool development (now terminated).

3.1.2. Endochrony and GALS implementation of conflict-free polychronous programs

The possibility of exploring various schedulings for a given application comes from the fact that some behaviors are truly concurrent, and mutually conflict-free (so they can be executed independently, with any choice of ordering). Discovering potential asynchrony inside synchronous reactive specifications then becomes highly desirable. It can benefit potential distributed implementations, where signal communications are restricted to a minimum, as they usually incur a loss in performance and higher power consumption. This general line of research has come to be known as Endochrony, with some of our contributions [11].

3.2. Logical Time in Model-Driven Embedded System Design

Participants: Julien Deantoni, Frédéric Mallet, Marie Agnès Peraldi Frati, Robert de Simone.

Starting from specific needs and opportunities for formal design of embedded systems as learned from our work on MoCCs (see 3.1), we developed a Logical Time Model as part of the official OMG UML profile MARTE for Modeling and Analysis of Real-Time Embedded systems. Associated with this model is a Clock Constraint Specification Language (CCSL), which makes it possible to state loose or strict logical time constraints between design ingredients, be they computations, communications, or any kind of events whose repetitions can be conceived as generating a logical conceptual clock (or activation condition). The definition of CCSL is provided in [1].

Our vision is that many (if not all) of the timing constraints generally expressed as physical prescriptions in real-time embedded design (such as periodicity, sporadicity) could be expressed in a logical setting, while actually many physical timing values are still unknown or unspecified at this stage. On the other hand, our logical view may express much more, such as loosely stated timing relations based on partial orderings or partial constraints.

So far we have used CCSL to express important phenomena as present in several formalisms: AADL (used in avionics domain), EAST-ADL2 (proposed for the AutoSar automotive electronic design approach), IP-Xact (for System-on-Chip (SoC) design). The difference here comes from the fact that these formalisms were formerly describing such issues in informal terms, while CCSL provides a dedicated formal mathematical notation. Close connections with synchronous and polychronous languages, especially Signal, were also established; so was the ability of CCSL to model dataflow process network static scheduling.

In principle the MARTE profile and its Logical Time Model can be used with any UML editor supporting profiles. In practice we focused on the PAPYRUS open-source editor, mainly from CEA LIST. We developed under Eclipse the TIMESQUARE solver and emulator for CCSL constraints (see 6.2), with its own graphical interface, as a stand-alone software module, while strongly coupled with MARTE and Papyrus.

While CCSL constraints may be introduced as part of the intended functionality, some may also be extracted from requirements imposed either from real-time user demands, or from the resource limitations and features from the intended execution platform. Sophisticated detailed descriptions of platform architectures are allowed using MARTE, as well as formal allocations of application operations (computations and communications) onto platform resources (processors and interconnects). This is of course of great value at a time where embedded architectures are becoming more and more heterogeneous and parallel or distributed, so that application mapping in terms of spatial allocation and temporal scheduling becomes harder and harder. This approach is extensively supported by the MARTE profile and its various models. As such it originates from the Application-Architecture-Adequation (AAA) methodology, first proposed by Yves Sorel, member of Aoste.

Of course, while logical time in design is promoted here, and our works show how many current notions used in real-time and embedded systems synthesis can naturally be phrased in this model, there will be in the end a phase of validation of the logical time assumptions (as is the case in synchronous circuits and SoC design with timing closure issues). This validation is usually conducted from Worst-Case Execution Time (WCET) analysis on individual components, which are then used in further analysis techniques to establish the validity of logical time assumptions (as partial constraints) asserted during the design.

### 3.3. The AAA (Algorithm-Architecture Adequation) methodology and Real-Time Scheduling

**Participants:** Laurent George, Dumitru Potop Butucaru, Yves Sorel.

Note: The AAA methodology and the SynDEx environment are fully described at [http://www.syndex.org/](http://www.syndex.org/), together with relevant publications.

#### 3.3.1. Algorithm-Architecture Adequation

The AAA methodology relies on distributed real-time scheduling and relevant optimization to connect an Algorithm/Application model to an Architectural one. We now describe its premises and benefits.

The Algorithm model is an extension of the well-known data-flow model from Dennis [64]. It is a directed acyclic hyper-graph (DAG) that we call “conditioned factorized data dependence graph”, whose vertices are “operations” and whose hyper-edges are directed “data or control dependences” between operations. The data dependences define a partial order on the execution of the operations. The basic data-flow model was extended in three directions: first, infinite (resp. finite) repetition of a sub-graph pattern, in order to specify the reactive aspect of real-time systems (resp. in order to specify the finite repetition of a sub-graph consuming different data, similar to a loop in imperative languages); second, “state”, when data dependences are necessary between different infinite repetitions of the sub-graph pattern, introducing cycles which must be avoided by introducing specific vertices called “delays” (similar to $z^{-n}$ in automatic control); third, “conditioning” of an operation by a control dependence, similar to a conditional control structure in imperative languages, allowing the execution of alternative subgraphs. Delays combined with conditioning allow the programmer to specify the automata necessary for describing “mode changes”.

The Architecture model is a directed graph, whose vertices are of two types: “processor” (one sequencer of operations and possibly several sequencers of communications) and “medium” (support of communications), and whose edges are directed connections.

The resulting implementation model [9] is obtained by an external compositional law, for which the architecture graph operates on the algorithm graph. Thus, the result of such compositional law is an algorithm graph, “architecture-aware”, corresponding to refinements of the initial algorithm graph, by computing spatial (distribution) and timing (scheduling) allocations of the operations onto the architecture graph resources. In that context “Adequation” refers to some search amongst the solution space of resulting algorithm graphs, labelled by timing characteristics, for one algorithm graph which verifies timing constraints and optimizes some criteria, usually the total execution time and the number of computing resources (but other criteria may exist). The next section describes distributed real-time schedulability analysis and optimization techniques for that purpose.

3.3.2. Distributed Real-Time Scheduling and Optimization

We address two main issues: uniprocessor and multiprocessor real-time scheduling where constraints must mandatorily be met, otherwise dramatic consequences may occur (hard real-time) and where resources must be minimized because of embedded features.

In the case of uniprocessor real-time scheduling, besides the classical deadline constraint, often equal to a period, we take into consideration dependences between tasks and several latencies. The latter are complex, related “end-to-end” constraints. Dealing with multiple real-time constraints raises the complexity of the scheduling problems. Moreover, because preemption leads, at the very least, to a waste of resources due to its approximation in the WCET (Worst-Case Execution Time) of every task, as proposed by Liu and Layland [68], we first studied non-preemptive real-time scheduling with dependence, periodicity, and latency constraints. Although a bad approximation of the preemption cost may have dramatic consequences on real-time scheduling, there is little research on this topic. We have been investigating preemptive real-time scheduling for a few years, focusing on the exact cost of preemption. We have integrated this cost in the schedulability conditions that we propose, and in the corresponding scheduling algorithms. More generally, we are interested in integrating in the schedulability analyses the cost of the RTOS (Real-Time Operating System), for which the cost of preemption is the most difficult part because it varies according to the instance (job) of each task.

In the case of multiprocessor real-time scheduling, we initially chose the partitioned approach rather than the global approach, since the latter allows task migrations whose cost is prohibitive for current commercial processors. The partitioned approach enables us to reuse the results obtained in the uniprocessor case in order to derive solutions for the multiprocessor case. We also consider the semi-partitioned approach, which allows only some migrations in order to minimize the overhead they involve. In addition to satisfying the multiple real-time constraints mentioned in the uniprocessor case, we have to minimize the total execution time (makespan), since we deal with automatic control applications involving feedback loops. Furthermore, the domain of embedded systems leads to solving resource minimization problems. Since these optimization problems are NP-hard, we develop exact algorithms (B & B, B & C), which are optimal for simple problems, and heuristics, which are sub-optimal for realistic problems corresponding to industrial needs. A long time ago we proposed a very fast “greedy” heuristic [8] whose results were regularly improved, and extended with local neighborhood heuristics, or used as initial solutions for metaheuristics.
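To make the Algorithm/Architecture/Adequation vocabulary of 3.3.1 and the greedy makespan minimization mentioned above concrete, here is an added example (not SynDEx code and not the heuristic of [8]): a generic earliest-finish-time list scheduler. It assumes a single shared medium with one communication sequencer and a constant transfer time; all operation names, processor names and durations are constructed.

```python
# Added illustration: greedy "adequation" of an algorithm graph onto an
# architecture graph. Generic earliest-finish-time list scheduling, assumed
# for the example; it is not the SynDEx heuristic.

def greedy_adequation(operations, dependences, durations, comm_time):
    """Allocate and schedule operations non-preemptively.

    operations  : list of operation names (vertices of the algorithm graph)
    dependences : list of (producer, consumer) data dependences
    durations   : {op: {processor: execution time}}; a processor absent from
                  the inner dict cannot execute that operation (heterogeneity)
    comm_time   : transfer time on the single shared medium (assumption)
    Returns (schedule, comms, makespan), where schedule maps each operation to
    (processor, start, end) and comms lists (producer, consumer, start, end).
    """
    preds = {op: [] for op in operations}
    for producer, consumer in dependences:
        preds[consumer].append(producer)
    proc_free = {p: 0 for d in durations.values() for p in d}
    medium_free = 0              # the medium serializes communications
    schedule, comms = {}, []

    def try_place(op, proc):
        """Tentative placement: returns (end, start, transfers, medium_after)."""
        bus, ready, transfers = medium_free, proc_free[proc], []
        for pred in sorted(preds[op], key=lambda q: schedule[q][2]):
            p_proc, _, p_end = schedule[pred]
            if p_proc == proc:   # same processor: data is available locally
                ready = max(ready, p_end)
            else:                # remote producer: reserve a slot on the medium
                t0 = max(bus, p_end)
                bus = t0 + comm_time
                transfers.append((pred, op, t0, bus))
                ready = max(ready, bus)
        return ready + durations[op][proc], ready, transfers, bus

    while len(schedule) < len(operations):
        ready_ops = [op for op in operations if op not in schedule
                     and all(q in schedule for q in preds[op])]
        if not ready_ops:
            # The algorithm graph must be acyclic; cycles are cut by delays.
            raise ValueError("dependence cycle: insert a delay vertex")
        candidates = []
        for op in ready_ops:
            if not durations.get(op):
                raise ValueError(f"no processor can execute {op!r}")
            for proc in durations[op]:
                end, start, transfers, bus = try_place(op, proc)
                candidates.append((end, op, proc, start, transfers, bus))
        # Greedy choice: the (operation, processor) pair that finishes first;
        # ties are broken by name so the result is deterministic.
        end, op, proc, start, transfers, bus = min(candidates,
                                                   key=lambda c: c[:3])
        schedule[op] = (proc, start, end)
        proc_free[proc] = end
        medium_free = bus
        comms.extend(transfers)

    makespan = max((end for _, _, end in schedule.values()), default=0)
    return schedule, comms, makespan


def latency(schedule, first, last):
    """End-to-end latency: from the start of `first` to the end of `last`."""
    return schedule[last][2] - schedule[first][1]


# Constructed sample: a small control loop on two heterogeneous processors.
OPERATIONS = ["sensor", "filterA", "filterB", "fuse", "actuator"]
DEPENDENCES = [("sensor", "filterA"), ("sensor", "filterB"),
               ("filterA", "fuse"), ("filterB", "fuse"), ("fuse", "actuator")]
DURATIONS = {
    "sensor":   {"P1": 2},             # sensor is wired to P1 only
    "filterA":  {"P1": 4, "P2": 2},
    "filterB":  {"P1": 4, "P2": 5},
    "fuse":     {"P1": 2, "P2": 2},
    "actuator": {"P2": 1},             # actuator is wired to P2 only
}
COMM_TIME = 1

if __name__ == "__main__":
    sched, comms, makespan = greedy_adequation(
        OPERATIONS, DEPENDENCES, DURATIONS, COMM_TIME)
    for op, (proc, start, end) in sorted(sched.items(), key=lambda kv: kv[1][1]):
        print(f"{op:9s} on {proc}: [{start}, {end}]")
    print("communications:", comms)
    print("makespan:", makespan,
          "| sensor-to-actuator latency:", latency(sched, "sensor", "actuator"))
```

The returned makespan and latency are the values that would be compared against the deadline and end-to-end latency constraints; a greedy pass like this gives no optimality guarantee, which is why the text pairs heuristics with exact algorithms.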

In addition to the spatial dimension (distributed) of the real-time scheduling problem, other important dimensions are the type of communication mechanisms (shared memory vs. message passing), or the source of control and synchronization (event-driven vs. time-triggered). We explore real-time scheduling on architectures corresponding to all combinations of the above dimensions. This is of particular impact in application domains such as automotive and avionics (see 4.3).

The arrival of complex hardware responding to the increasing demand for computing power in next generation systems exacerbates the limitations of the current worst-case real-time reasoning. Our solution to overcome these limitations is based on the fact that worst-case situations may have an extremely low probability of appearance within one hour of functioning ($10^{-45}$), compared to the certification requirements for instance ($10^{-9}$ for the highest level of certification in avionics). Thus we model and analyze real-time systems using probabilistic models, and we propose results that are fundamental for probabilistic worst-case reasoning over a given time window.

4. Application Domains

4.1. System Engineering Environments

Participants: Robert de Simone, Julien Deantoni, Frédéric Mallet, Marie-Agnès Peraldi Frati.

In the case of Embedded and Cyber-Physical Systems, the cyber/digital design of discrete controllers is only a part of a larger design process, where other aspects of the physical environment need to be considered as well, involving constraints and requirements on the global system (people even talk of Systems of Systems). Dedicated environments are now being defined, also considering system life-cycle and component reuse in this larger setting, under the name of Atelier Génie Système (in French). Such efforts usually involve large industrial end-users, together with software houses or tool vendors, and academic partners. An instance of such an environment is the Capella (open-source, Eclipse) environment, promoted by the Clarity project and its associated consortium (see 9.2.3.2).

4.2. Many-Core Embedded Architectures

Participants: Robert de Simone, Dumitru Potop Butucaru, Liliana Cucu, Yves Sorel.

The AAA approach (fitting embedded applications onto embedded architectures) requires a sufficiently precise description of (a model of) the architecture (description platform). Such platforms are becoming increasingly heterogeneous, and we had to consider a number of emerging ones with that goal in mind, such as Kalray MPPA (in the CAPACITES project, see 9.2.3.3), the Intel Core dual CPU/GPU structure (in a collaboration with Kontron, see 8.1.1), the ARM big.LITTLE architecture (in the course of the HOPE ANR project, see 9.2.1.1), or a dedicated supercomputer based on a Network-on-Board interconnect (in the Clistine project, see 9.2.2.2).

4.3. Transportation and the avionic domain

Participants: Robert de Simone, Julien Deantoni, Frédéric Mallet, Marie-Agnès Peraldi Frati, Dumitru Potop Butucaru, Liliana Cucu, Yves Sorel.

A large number of our generic activities, both on modeling and design, and on analysis and implementation of real-time embedded systems, found specific applications in the avionic field (with partners such as Airbus, Thales, Safran,...), while other targets remained less attainable (car industry for instance).

5. Highlights of the Year

5.1. Highlights of the Year

Robert Davis, from York University, was awarded an Inria International Chair, to spend a year over a duration of five years as a full member of the Aoste EPI.

6. New Software and Platforms

6.1. SynDEx

**KEYWORDS**: Embedded systems - Real time - Optimization - Distributed - Scheduling analyses

**SCIENTIFIC DESCRIPTION**

SynDEx is a system-level CAD software implementing the AAA methodology for rapid prototyping and for optimizing distributed real-time embedded applications. It is developed in OCaml.

Architectures are represented as graphical block diagrams composed of programmable (processors) and non-programmable (ASIC, FPGA) computing components, interconnected by communication media (shared memories, links and busses for message passing). In order to deal with heterogeneous architectures it may feature several components of the same kind but with different characteristics.

Two types of non-functional properties can be specified for each task of the algorithm graph. First, a period that does not depend on the hardware architecture. Second, real-time features that depend on the different types of hardware components, such as execution and data transfer times, memory, etc. Requirements are generally constraints on deadline equal to period, latency between any pair of tasks in the algorithm graph, dependence between tasks, etc.

Exploration of alternative allocations of the algorithm onto the architecture may be performed manually and/or automatically. The latter is achieved by performing real-time multiprocessor schedulability analyses and optimization heuristics based on the minimization of temporal or resource criteria. For example, while satisfying deadline and latency constraints, they can minimize the total execution time (makespan) of the application on the given architecture, as well as the amount of memory. The results of each exploration are visualized as timing diagrams simulating the distributed real-time implementation.

Finally, real-time distributed embedded code can be automatically generated for dedicated distributed real-time executives, possibly calling services of resident real-time operating systems such as Linux/RTAI or Osek for instance. These executives are deadlock-free, based on off-line scheduling policies. Dedicated executives induce minimal overhead, and are built from processor-dependent executive kernels. To date, executive kernels are provided for: TMS320C40, PIC18F2680, i80386, MC68332, MPC555, i80C196 and Unix/Linux workstations. Executive kernels for other processors can be produced at reasonable cost following these examples as patterns.

**FUNCTIONAL DESCRIPTION**

Software for optimising the implementation of embedded distributed real-time applications and generating efficient, correct-by-construction code.

- Participants: Yves Sorel
- Contact: Yves Sorel
- URL: http://www.syndex.org

6.2. TimeSquare

**KEYWORDS**: MARTE profile - Embedded systems - UML - Model-driven engineering (IDM)

**SCIENTIFIC DESCRIPTION**

TimeSquare offers six main functionalities:

* graphical and/or textual interactive specification of logical clocks and relative constraints between them,
* definition and handling of user-defined clock constraint libraries,
* automated simulation of concurrent behavior traces respecting such constraints, using a Boolean solver for consistent trace extraction,
* call-back mechanisms for the traceability of results (animation of models, display and interaction with waveform representations, generation of sequence diagrams...).

TimeSquare is a software environment for the modeling and analysis of timing constraints in embedded systems. It relies specifically on the Time Model of the Marte UML profile, and more accurately on the associated Clock Constraint Specification Language (CCSL) for the expression of timing constraints.

- Participants: Frédéric Mallet and Julien Deantoni
- Contact: Frédéric Mallet
- URL: http://timesquare.inria.fr

6.3. Lopht

**KEYWORDS**: Real-time scheduling, compilation, ARINC 653, TTEthernet, Many-core, Network-on-chip

**SCIENTIFIC DESCRIPTION**

Lopht is an acronym for Logical to Physical Time Compiler. Lopht has been designed as an implementation of the AAA methodology. Like SynDEx, Lopht relies on off-line allocation and scheduling techniques to allow real-time implementation of dataflow synchronous specifications (e.g. Scade/Heptagon) onto multiprocessor systems. The main originality is that Lopht takes a compilation-like approach based on:

- Precise modeling of its implementation platforms. For this reason, Lopht targets novel, more complex architectures such as many-core chips and time-triggered embedded systems based on standards such as ARINC 653 and TTEthernet.
- Taking into account complex non-functional specifications covering real-time (release dates and deadlines possibly different from period, major time frame, end-to-end flow constraints), ARINC 653 partitioning, the possibility to preempt or not each task, and finally SynDEx-like allocation.
- Tight integration of program analysis, scheduling, and optimization approaches coming from 3 research fields (real-time scheduling, compilation, and synchronous languages) to improve the efficiency of resulting implementations while ensuring functional correctness, the respect of non-functional requirements, and scalability.

**FUNCTIONAL DESCRIPTION**

Lopht is a software tool similar in functioning to a compiler. It takes as input one file defining the functional and non-functional specification of a system (including a model of the execution platform and non-functional requirements). It automatically produces all files needed to build a running implementation (the C code for each processor core and the configuration files).

- Participants: Dumitru Potop-Butucaru, Keryan Didier
- Contact: Dumitru Potop-Butucaru (dumitru.potop@inria.fr)

6.4. EVT Kopernic

**KEYWORD**: Embedded systems

EVT Kopernic provides a probabilistic worst-case execution time estimation for a program on a processor. The tool takes a set of measurements (execution times of the program on the processor) as input and provides a probability distribution. The first version, released in 2015, is restricted to independent data, and a second version was obtained for dependent data during the last part of the year. A third version, which provides rules for obtaining the measurements, is to be released in the first part of 2016.

- Participants: Liliana Cucu and Adriana Gogonel
- Contact: Liliana Cucu
- URL: Currently restricted distribution

6.5. SAS

Simulation and Analysis of Scheduling

**SCIENTIFIC DESCRIPTION**

The SAS (Simulation and Analysis of Scheduling) software allows the user to perform the schedulability analysis of periodic task systems in the monoprocessor case.

The main contribution of SAS, when compared to other commercial and academic software of the same kind, is that it takes into account the exact preemption cost between tasks during the schedulability analysis. Besides the usual real-time constraints (precedence, strict periodicity, latency, etc.) and fixed-priority scheduling policies (Rate Monotonic, Deadline Monotonic, Audsley++, User priorities), SAS additionally allows selecting dynamic scheduling policy algorithms such as Earliest Deadline First (EDF). The resulting schedule is displayed as a typical Gantt chart with a transient and a permanent phase, or as a disk shape called "dameid", which clearly highlights the idle slots of the processor in the permanent phase.

**FUNCTIONAL DESCRIPTION**

The SAS software allows the user to perform the schedulability analysis of periodic task systems in the monoprocessor case.

- Participants: Daniel De Rauglaudre and Yves Sorel
- Contact: Yves Sorel
- URL: http://pauillac.inria.fr/~ddr/sas-dameid/

7. New Results

7.1. CCSL as a Logical Clock Calculus Algebra: expressiveness and decidability results

Participants: Robert de Simone, Julien Deantoni, Frédéric Mallet, Qingguo Xu.

CCSL is a language dedicated to the expression of time constraints, based on so-called logical clocks. Its declarative nature is akin to the Lustre or (even closer to) the Signal language, but without values (to clock/event occurrences) and with both synchronous and asynchronous constraints. Solving a set of CCSL constraints amounts to the production of a feasible schedule of the system. While the TimeSquare tool may attempt to generate such a schedule trace by insightful simulation, it is not guaranteed to be complete in its search. So the issue of expressiveness and decidability was left open to this day.

Still, in previous years, we had established that CCSL constraints could be translated into parallel products of (extended, transition-labelled) Büchi machines, but some of these machines had to contain integer shift counters, and were thus not fully FSMs. Our (misled) conjecture that CCSL had semilinear, Presburger-arithmetic power was defeated by a new translation expressing (unitary then general) Petri Nets and Vector Addition Systems into CCSL by encoding. The new conjecture that CCSL was then as powerful as Petri Nets was again defeated by a construction interpreting the features of inhibitor arcs in CCSL. As such inhibitor arcs extend the expressive power of Petri Nets to become universal (Turing-complete), CCSL enjoys the same universal property (which unfortunately makes it impossible to solve automatically in general).

Despite this negative result we could show that, under natural restrictions such as the assumption that "input" clocks have bounded jitter around a mean rate, and even if those bounds are not exactly known (but may be used as a parameter), then expressiveness remains in the semi-linear, Presburger-arithmetic range.

As a side-effect of this work we provided the translation of CCSL constraints into Büchi components by using a well-defined fragment of the Esterel syntax to express the Büchi automata.

Preliminary results are presented in a research report. A much more ambitious article is in preparation.

As part of Professor Xu's sabbatical in Aoste, we also considered the topic of machine-assisted proof of schedulability using theorem-provers (in our case PVS) [54].

7.2. Industrial design flow for Embedded System Engineering

Participants: Julien Deantoni, Frédéric Mallet, Marie Agnes Peraldi Frati, Robert de Simone, Ales Mishchenko.

As part of the PIA LEOC Clarity collaborative project we attempt to instill some of our theoretical and methodological ideas into the framework of the (open-source, Polarsys Eclipse) Capella environment. This environment was initially developed inside Thales, under the name ARCADIA/Melody, as a modeling tool flow for System-Level Design in-the-large. As such, several aspects were not fully considered, especially those regarding safe sound simulation semantics at this level, or the role of states and modes in variability regarding both the software applicative and hardware architectural platform models. This research is in part motivated by concrete needs as expressed by end-users such as Airbus, Areva/EDF and Thales. Results on methodological enhancements are described

7.3. Coordination of heterogeneous Models of Computation as Domain-Specific Languages

Participants: Matias Vara Larsen, Julien Deantoni, Frédéric Mallet.

In the context of the collaborative ANR GEMOC project (9.2.1.2), we investigated the way the multiview approach generally promoted in Aoste could deal with analysis and simulation of systems specified using multiple heterogeneous languages. Coordinated use of heterogeneous domain specific languages (DSL) led to the so-called globalization of modeling languages. We wrote a chapter related to these concerns [50], as part of a book dedicated to the challenges of the field, gathering industrial and academic contributors.

This goal was achieved in two steps. The first step consisted in specifying a language able to support appropriate information (i.e., the one required for the coordination) in a Language Behavioral Interface (LBI). The second step consisted in using the LBI to define coordination patterns from which the coordination of models can be automatically inferred. Design is supported by a heterogeneous simulation engine that has been developed and integrated in the Gemoc studio environment. Gemoc Studio, enhanced with our new research ideas, won the 9th execution tool contest at ...

We also developed MoCCML (Model of Concurrency and Communication Modeling Language), an imperative extension of the CCSL language in the form of constraint automata [28]. MoCCML defines the concurrent and communication part of the semantics of a language, and is used by the LBI to exhibit internal causalities and synchronizations. Finally, we defined a protocol combining the concurrency aspects and the execution functions (i.e., the rewriting rules) so as to be able to develop, in a modular way, the whole behavioral semantics of a language [30], [31].

Our work on the coordination of heterogeneous languages produced two major results. The first one is the development of BCOoL (Behavioral Coordination Operator Language [33]). BCOoL is a language dedicated to the specification of coordination patterns between heterogeneous languages. It comes with a tool chain allowing the generation of the coordination given a BCOoL operator and specific models. Our second result is the development of a heterogeneous execution engine, integrated into Gemoc studio, to jointly run different models [44]. Both works were mainly realized by Matias Vara Larsen, as part of his upcoming PhD.

7.4. SoC multiview (meta)modeling for performance, power, and thermal aspects

Participants: Amani Khecharem, Robert de Simone, Emilien Kofman, Julien Deantoni.

In the framework of the ANR HOPE project we progressed the definition of multiview metamodels for the design of Systems-on-Chip (SoC) integrating performance, power and thermal aspects. The main concern was to stress regularity and commonality between those views, each developed on "domains" defined as partitions of the original block diagram (clock domains, voltage domains, floorplans,...), and with finite state machine controllers setting the levels of these domains; links between distinct views are originally provided by laws of physics, but then usually identified on discrete allowable values by engineers. The application view, meant to provide typical use-cases to help dimension the SoC platform by abstract simulation, also fits in this framework. This methodological work was presented in the local forum SAME (Sophia-Antipolis MicroElectronics) [53]. It is supposed to work in two ways, both by allowing the application of analytic methods to compute an optimized mapping of application tasks onto platform resources, and then by translating these results towards sophisticated simulation environments (such as MCO Platform Architect by Synopsys or ACEplorer by Docea Power/Intel, both partners in the HOPE consortium) which consider non-functional aspects of power and thermal modeling in their simulation environments. The various approaches considered in Aoste to define mapping constraints and solve them algorithmically are presented elsewhere. All this should soon be reported in Amani Khecharem's PhD document.

7.5. Networks-on-Board: between NoCs and rack connector buses

Participants: Amine Oueslati, Robert de Simone, Albert Savary, Emilien Kofman.

The recent paradigm of Massively Parallel Processor Arrays (MPPA), or more generally manycore Systems-on-Chip, relies on the existence of a high-throughput Network-on-Chip (NoC) to interconnect the various cores and processing clusters. Despite its benefits, it requires that all components are put on the same die, and thus designed monolithically. At the other end, supercomputers are built by assembling racks or blades of processors, connected by fast buses (usually fast Ethernet or InfiniBand), with low predictability of throughput. A third, intermediate path is explored in the context of the FUI Clistine project, based on a notion of Network-on-Board (or Network-in-Package), aiming at the benefits of NoCs brought to the level of a single PCB board, where the various components can be assembled in a modular fashion. We consider the application of our previous expertise on modeling and analysis of NoC-based architecture, with their implications on the optimized mapping of dataflow models of applications onto such interconnects, to adapt them in this new context. The objective is to consider alternative network topologies, and to translate optimal mappings into the concrete network operations on a prototype implementation realized by SynergieCAD, the company heading the project. This topic reflects the PhD thesis of Amine Oueslati, and the engineering work of Albert Savary.

7.6. Solving AAA constraints analytically

Participants: Emilien Kofman, Dumitru Potop Butucaru, Thomas Carle, Raul Gorcitz, Robert de Simone, Mohamed Bergach, Amine Oueslati.

Given two abstract modeling descriptions, one of a dataflow process network for the application, one of a block diagram structure for the computing platform and its interconnects, together with cost functions for the elementary computations and communications, one is bound to seek optimal mappings pairing the two. Amongst all the possible techniques, an obvious one consists in solving constraints using general solvers (real, integer, or boolean constraint programming, SMT solvers, etc). Given the NP-hard nature of the problem, the issue here is to scale to the dimensions of realistic problems. We conducted extensive experiments on several case studies, with the extra objective of studying how the formulation of constraints, or the exploitation of additional information (on concurrency or exclusion of tasks, structural symmetries,...) could impact the process favorably or negatively. Results were compiled in a publication [57].

In the framework of the PhD thesis of Mohamed Bergach, under CIFRE funding with Kontron Toulon, we studied how to adjust a radar application, which typically makes extensive use of FFT convolutions, to a hybrid CPU/GPU architecture such as Intel Core IvyBridge and Haswell processors. This approach works in two stages: first we considered how to implement a FFT redex as large as possible in exactly one core (either a CPU core or a GPU Execution Unit), so as to make full use of the local register memories and SIMD/vectorial instructions. Certainly not by accident, FFT blocks of size exactly 8 and 16 respectively can be fitted in this way on a GPU (resp. CPU) block. This provides a new "compound" instruction, on which to build modularly and optimize the allocation of larger applications based on such basic blocks. This is fully described in Mohamed Bergach's PhD document [16].

7.7. Stochastic extension of MARTE/CCSL for CPS modeling

Participant: Frédéric Mallet.

This work was conducted during the sabbatical period of Frédéric Mallet at ECNU Shanghai, in the context of the associated team FM4CPS (9.4.1.1).

As a declarative language, CCSL allows the specification of causal and temporal properties of systems expressed as constraints in a specific syntax. While each constraint reduces the set of possible behaviors, there may still be multiple (schedule) solutions, or none at all. When several solutions remain feasible, our TIMESQUARE tool allows setting up a resolving policy, to choose whether we want to attempt exploring all these solutions exhaustively, or else narrow the solution space according to an auxiliary criterion.

The extension of CCSL with stochastic features and probabilistic information is meant to help provide such an additional criterion, while modeling temporal constraints on the environment which are not necessarily well-known or controllable, especially in the domain of Cyber-Physical Systems. Such features should then help reduce the set of possible behaviors, narrowing for instance to the most likely ones (in a formal quantitative meaning).

We are currently relying on the UPPAAL SMC (Stochastic Model-Checking) toolset as a prototype analyzer for the resulting specifications.

7.8. Coupling SystemC and FMI for co-simulation of Cyber-Physical Systems

Participants: Stefano Centomo, Julien Deantoni, Robert de Simone.

In the context of Stefano Centomo's master internship, and in collaboration with his global supervisor Professor Davide Quaglia, from the University of Verona, we considered the possibility to build heterogeneous, multi-physics co-simulation schemes for hybrid continuous-discrete Cyber-Physical systems. The first step consisted in extracting relevant interface information from IP components described in the SystemC language; it was naturally inspired from some of our former work. But currently IP-XACT is meant to address easy component assembly at the structural (static) level, and is not concerned with dynamical aspects of behavior simulation. This extension, and the proper combination with the FMI standard for its purpose, allowing hybrid and multiform co-simulation of SystemC components (and also others describing the continuous physical environment) are the next-step objective currently being tackled.

7.9. Code generation for time-triggered platforms based on Real-Time Scheduling

Participants: Dumitru Potop Butucaru, Raul Gorcitz, Yves Sorel.

We have continued this year the work on real-time scheduling and code generation for time-triggered platforms. Much of this work was carried out as part of a trilateral collaboration with Airbus DS and the CNES, which have funded an (onerous) TTEthernet-based test platform and partly funded the post-doctorate of Raul Gorcitz. The remainder of Raul Gorcitz’ post-doc has been funded by the ITEA3 Assume project.

This year, the objective has been to allow code generation on an industry-grade platform comprising ARINC 653-based computers connected through a TTEthernet network. The novelty with respect to previous years comes from the time-triggered TTEthernet network, whose scheduling properties raise new problems. Unlike in classical field buses, resource reservation in a TTEthernet network is done at the level of directed links (physical wires that connect routers and end stations). Each of these links is controlled by an arbiter that determines the scheduling of both time-triggered data transfers and control messages needed to ensure the global time synchronization. This year we have built a model of the TTEthernet network allowing precise real-time scheduling, and worked on code generation aspects. We expect to have a fully running prototype in the next 2 months, and to demonstrate it to our funders. Relevant publications are [18], [38].

For teaching purposes and to achieve a finer understanding of ARINC 653-based operating systems, we have also developed an implementation of the standard on inexpensive RaspberryPi platforms, and published a scientific popularization paper [55].

7.10. Real-time systems compilation

Participants: Dumitru Potop Butucaru, Keryan Didier, Mihail Asavoae.

This research line builds on various results obtained by the team over the years, its aim being to develop fully automatic implementation flows going from functional and non-functional specification to correct and efficient running implementation. We advocate a real-time systems compilation approach that combines aspects of both real-time scheduling and compilation of both classical and synchronous languages. Like a classical compiler such as GCC, a real-time systems compiler should use fast and efficient scheduling and code generation heuristics, to ensure scalability. Similarly, it should provide traceability support in the form of informative error messages enabling an incremental trial-and-error design style, much like that of classical application software. This is more difficult than in a classical compiler, given the complexity of the transformation flow (creation of tasks, allocation, scheduling, synthesis of communication and synchronization code, etc.), and requires a full formal integration along the whole flow, including the crucial issue of correct hardware abstraction. A real-time systems compiler should perform precise, conservative timing accounting along the whole scheduling and code generation flow, allowing it to produce safe and tight real-time guarantees. More generally, and unlike in classical compilers, the allocation and scheduling algorithms must take into account a variety of non-functional requirements, such as real-time constraints, criticality, partitioning, preemptibility, allocation constraints, etc. As the accent is put on the respect of requirements (as opposed to optimization of a metric, like in classical compilation), the resulting scheduling problems are quite different.

We are currently building such a real-time systems compiler, called Lopht. The construction of the Lopht tool, which takes into account complex functional and non-functional specifications is discussed in the corresponding section and in [17].

This year, we have initiated work on two fundamental topics. The first one is sound architecture abstraction – ensuring that the platform models used for real-time scheduling and code generation are conservative abstractions of the real hardware and basic software, allowing the generation of implementations that are functionally and non-functionally correct. This work is performed in the framework of the LEOC Capacites project, which funds the post-doc of Mihail Asavoae. The second line of work aims at formally proving that the output of Lopht is correct with respect to its input models (including functional specification and platform model). This work is performed in the ITEA3 Assume project, which funds the PhD thesis of Keryan Didier. Together with the Parkas team-project we have also considered the implementation of mixed-criticality systems [26].

7.11. Uniprocessor Real-Time Scheduling

Participants: Mamadou Diallo, Yves Sorel, Walid Talaboulma, Robert Davis.

In the context of the master internship of Mamadou Diallo we implemented the offline time-triggered scheduler proposed by Falou Ndoye in his PhD thesis on a development board based on an ARM Cortex M4. We used this ARM version because it is more predictable, and thus better suited to embedded systems, than the ARM 7 we used last year. In particular, it allows us to determine more accurately the cost of the scheduler and of the preemptions that we use in our offline schedulability analysis. Recall that the schedulability analysis provides a scheduling table which is exploited by the scheduler during the real-time execution of the tasks. This approach allows a low and fixed cost for the scheduler and the preemptions, whereas these costs are variable in the case of classical online schedulers. For several task sets we compared the timing diagrams predicted by the schedulability analysis with the real-time timing diagrams measured on the ARM Cortex M4. It turns out that those timings are very close, as expected.

A new direction, opened with the arrival of Rob Davis, was to study the impact of non-preemptivity constraints on the optimality of schedulers [37], and to consider fixed priorities when scheduling messages in the context of Controller Area Networks [36].
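
The split between offline analysis and table-driven execution described above can be sketched as follows. This is an added example, not the team's code nor the algorithm of the cited thesis: it assumes rate-monotonic priorities, deadlines equal to periods, integer ticks, a single fixed cost charged to a job each time it is preempted, and a constructed three-task set.

```python
from bisect import bisect_right
from dataclasses import dataclass
from functools import reduce
from math import gcd


@dataclass(frozen=True)
class Task:
    name: str
    period: int  # release period in ticks; the deadline equals the period
    wcet: int    # worst-case execution time in ticks, preemption cost excluded


# Constructed task set (hypothetical values, not measurements from the report).
TASKS = [Task("T1", 4, 1), Task("T2", 6, 2), Task("T3", 12, 3)]


def hyperperiod(tasks):
    """Least common multiple of the periods: the schedule repeats after it."""
    return reduce(lambda a, b: a * b // gcd(a, b), (t.period for t in tasks))


def build_table(tasks, preemption_cost):
    """Offline analysis: simulate one hyperperiod under rate-monotonic priorities.

    Each preemption adds `preemption_cost` ticks to the preempted job.
    Returns (table, preemptions) where table is a list of (start, end, name);
    raises ValueError as soon as a deadline is missed.
    """
    by_priority = sorted(tasks, key=lambda t: t.period)
    horizon = hyperperiod(tasks)
    remaining = {t.name: 0 for t in tasks}
    table, preemptions, running = [], 0, None

    for now in range(horizon):
        for t in by_priority:
            if now % t.period == 0:
                if remaining[t.name] > 0:
                    raise ValueError(f"{t.name} misses its deadline at t={now}")
                remaining[t.name] = t.wcet
        ready = next((t.name for t in by_priority if remaining[t.name] > 0), None)
        if ready != running:
            if running is not None:
                # `running` is only kept for unfinished jobs, so this is a preemption.
                remaining[running] += preemption_cost
                preemptions += 1
            running = ready
        if running is None:
            continue  # idle tick
        if table and table[-1][2] == running and table[-1][1] == now:
            table[-1] = (table[-1][0], now + 1, running)  # extend current slot
        else:
            table.append((now, now + 1, running))
        remaining[running] -= 1
        if remaining[running] == 0:
            running = None

    late = sorted(name for name, left in remaining.items() if left > 0)
    if late:
        raise ValueError(f"{late} miss the deadline at t={horizon}")
    return table, preemptions


def task_at(table, horizon, tick):
    """Run-time side: a table lookup only, no scheduling decision is taken online."""
    t = tick % horizon
    i = bisect_right([start for start, _, _ in table], t) - 1
    if i >= 0 and t < table[i][1]:
        return table[i][2]
    return None  # idle slot
```

With a cost of 1 tick the two preemptions of T3 consume the two idle ticks left by the cost-free schedule; with a cost of 2 the same task set is rejected offline.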

7.12. Multiprocessor Real-Time Scheduling

Participants: Abderraouf Benyahia, Laurent George, Salah Eddine Saidi, Yves Sorel, Robert Davis, Liliana Cucu.

In the context of the PhD thesis of Salah Eddine Saidi we considered the co-simulation of several process models specified in continuous time and several controller models specified in discrete time according to a real-time hardware in the loop approach. These models, specified with different tools such as Simulink, AMESim, Modelica, etc., cooperate according to the FMI standard. They are translated into a dataflow graph that is compliant with the conditioned repetitive dataflow model of our AAA methodology for functional specification. Each model considers the feed-through function as well as the functions which depend on the state, and the state computation itself. In order to meet the real-time constraints of such complex co-simulations we need to execute them on multicore platforms. We studied the limitations of the greedy and local search distributed real-time scheduling heuristics we developed in the past for control applications. The first limitation is related to the FMI standard, which requires that the functions belonging to a model are allocated to the same core. We first tried to introduce additional semaphores in the automatically generated real-time code to avoid these situations. Unfortunately, this solution significantly decreases the acceleration brought by the multicore. Therefore, we started to investigate graph-based techniques that add undirected edges to specify the FMI relation and search for solutions where some undirected edges can be oriented to locally minimize the makespan.

In the context of the master internship of Mamadou Diallo we studied the possibilities to extend the offline time-triggered scheduler implemented on a uniprocessor to the multiprocessor case. Since the embedded board based on the ARM Cortex M4 that we use features an Ethernet interface, we conducted several experiments on Ethernet switches to measure the end-to-end communication time between several real-time tasks running on such boards with such schedulers.

We completed the work on the gateway with modeling languages for certified code generation carried out in the P FUI project 9.2.2 which ended in June 2015. Mainly, we tested the P modeling language to SynDEx gateway on four industrial use cases provided by AdaCore, Continental and Aboard Engineering. We specified these applications with the P language and translated them into the SynDEx format. With SynDEx we analysed the schedulability and automatically generated the corresponding code for an Intel 8 cores Xeon ES-1620v2 3.70GHz. For these applications ranging from 103 to 1403 blocks we obtained an acceleration factor equal to the number of cores.

Thanks in part to the arrival of Rob Davis, our team has participated in the proposal of a new framework in the context of multicore platforms: the Multicore Response Time Analysis (MRTA) framework [34]. This proposal was made in close collaboration with academic partners such as the University of Luxembourg, Verimag and ISEP Porto. The framework is extensible to different multicore architectures, with various types and arrangements of local memory, and different arbitration policies for the common interconnects. The MRTA framework provides a general approach to timing verification for multicore systems, parametric in the hardware configuration, and so can be used at the architectural design stage to compare the guaranteed levels of performance that can be obtained with different hardware configurations. The MRTA framework decouples response time analysis from a reliance on context independent WCET values. Instead, the analysis specifies response times directly according to requirements on different hardware resources.

7.13. Probabilistic and statistical temporal analysis

Participants: Liliana Cucu, Robert Davis, Adriana Gogonel, Walid Talaboulma, Dorin Maxim, Cristian Maxim.

Real-time constraint guarantees require worst-case reasoning to provide sound solutions. We have proposed to define and use worst-case reasoning in different contexts: optimal scheduling algorithms, response time analysis, estimation of worst-case execution times. These results have laid the foundations for certifiable probabilistic solutions to real-time systems.

In particular, we have studied the probabilistic response time analysis for systems with multiple probabilistic parameters, either by using bounds based on real-time calculus, extreme value theory, direct calculation or in a context of component-based systems. Generally, probabilistic methods have a high complexity cost; by using upper bounds for the input probability distributions we provide conservative (safe) results faster. Worst-case reasoning is also provided for the statistical estimation of a task's probabilistic worst-case execution time.

Results were published in [22], [24], [58], [56], [42], [46], [23], [42], [43], [40].


Participant: Sid Touati.

This research activity is a continuation of our joint research effort with Julien Worms, Assistant Professor at University of Versailles Saint-Quentin (UVSQ), dealing with statistical program performance analysis and comparison, in the presence of performance variability. In the previous study (called Speedup-Test), we gave a rigorous statistical methodology for the analysis of program speedups based on mean or median performance metrics: execution time, energy consumption, etc. However, mean or median observed performances do not always reflect the user’s feeling of performance, especially when the performances are really unstable. In the current study, we propose additional precise performance metrics, based on performance modeling using Gaussian mixtures. We explore the difference between parametric and non-parametric statistics applied to program performance analysis. Our additional statistical metrics for analysing and comparing program performances give the user more precise decision tools to select the best code versions, not necessarily based on mean or median numbers. Also, we provide a new metric to estimate performance variability based on the Gaussian mixture model. Our statistical methods are implemented in R, and distributed as open source code. A research report is under completion, before submission as an article.

8. Bilateral Contracts and Grants with Industry

8.1. Bilateral Contracts with Industry

8.1.1. Kontron CIFRE

This contract, which ended in April 2015, provided partial support for the PhD thesis of Mohamed Bergach. It was extended until the end of September with a direct collaborative contract funded by Kontron until the PhD defense [16].

The topic is to study how to efficiently implement various sizes of the FFT (Fast Fourier Transform) algorithm on multicore and GP-GPU architectures from the range of processors used at Kontron, in order to understand in a second phase how to best allocate several such algorithms in parallel, as part of a single application, in the most efficient way (regarding performance but also power consumption and thermal constraints).

8.1.2. Airbus CIFRE

This contract, started in March 2014, provides full support for the PhD thesis of Cristian Maxim. The thesis concerns statistical timing analysis in which different variability factors are taken into account. This method is built on top of existing statistical approaches while providing appropriate programs for training these methods and thus learning from the history of the execution.

8.1.3. CNES/Airbus DS

Financing comes here through the CNES R&T programme, which has partly funded the post-doctorate of Raul Gorcitz (Sep 2013-Aug 2015) and the acquisition of an industry-grade evaluation platform based on TTEthernet and VxWorks 653.

The objective of our collaboration with Airbus Defence and Space and the CNES is to determine how the design and implementation of embedded software and system/network configuration can be largely automated in an aerospace context, while preserving an assurance level superior to that of the Ariane 5 flight program. We are exploring the novel algorithms developed and implemented in the Lopht tool.

9. Partnerships and Cooperations

9.1. Regional Initiatives

9.1.1. CIM PACA Design Platform

Participant: Robert de Simone.

The objective of this platform, run by a French association under the same name, is to provide shared equipment and tools for the design of embedded connected objects, and in our case mostly EDA software for hardware and SoC synthesis at high level. We contribute to the definition of the user needs and the choice of purchases, mostly to promote the construction of collaborative R&D projects using those resources. The ANR HOPE project is a good example of such a project.

CIM PACA also runs the eSAME yearly forum, a meeting point for various partners in the field around Sophia-Antipolis, with our active contribution. Further moves towards embedded software and IoT design form the upcoming roadmap.

9.2. National Initiatives

9.2.1. ANR

9.2.1.1. HOPE

Participants: Carlos Gomez Cardenas, Ameni Khecharem, Emilien Kofman, Robert de Simone.

The ANR HOPE project focuses on hierarchical aspects for the high-level modeling and early estimation of power management techniques, with potential synthesis in the end if feasible. Although this project was officially started in November 2013, it was in part postponed due to the replacement of a major partner (Texas Instruments) by another one (Intel). Current partners are CNRS/UNS UMR LEAT, Intel, Synopsys, Docea Power, Magillem, and ourselves. A publication on multiview modeling (including performance, power, and temperature) was presented at eSAME’2014, reflecting Ameni Khecharem’s ongoing PhD work.

9.2.1.2. GeMoC

Participants: Matias Vara Larsen, Julien Deantoni, Frédéric Mallet.

This project is administratively handled by CNRS for our joint team, on the UMR I3S side. Partners are Inria (Triskell EPI), ENSTA-Bretagne, IRIT, Obeo, Thales TRT. The project focuses on the modeling of heterogeneous systems using Models of Computation and Communication for embedded and real-time systems, described using generic means of MDE techniques (and in our case the MARTE profile, and most specifically its Time Model, which allows precise timing constraints to be specified for operational semantic definition).

As part of the project's dissemination effort, we organize a community-building international workshop [47], whose third edition gathered a growing number of participants.

9.2.2. FUI

9.2.2.1. FUI P

Participants: Abderraouf Benyahia, Dumitru Potop Butucaru, Yves Sorel.

The goal of project P is to support the model-driven engineering of high-integrity embedded real-time systems by providing an open code generation framework able to verify the semantic consistency of systems described using safe subsets of heterogeneous modeling languages, then to generate optimized source code for multiple programming (Ada, C/C++) and synthesis (VHDL, SystemC) languages, and finally to support a multi-domain (avionics, space, and automotive) certification process by providing open qualification material. Modeling languages range from behavioural to architectural languages and present synchronous and asynchronous semantics (Simulink/Matlab, Scicos, Xcos, SysML, MARTE, UML).

See also: http://www.open-do.org/projects/p/

Partners of the project are: industrial partners (Airbus, Astrium, Continental, Rockwell Collins, Safran, Thales), SMEs (AdaCore, Altair, Scilab Enterprise, STI), service companies (ACG, Aboard Engineering, Atos Origins) and research centers (CNRS, ENPC, Inria, ONERA).

9.2.2.2. FUI CLISTINE

Participants: Robert de Simone, Amin Oueslati, Emilien Kofman.

This project was started in Oct 2013, and provides PhD funding for Amine Oueslati. Partners are SynergieCAD (coordinator), Avantis, Optis, and the two EPIs Aoste and Nachos. The goal is to study the feasibility of building a low-cost, low-power "supercomputer", reusing ideas from SoC design, but this time with an out-of-chip network "on-board", and off-the-shelf processor elements organized as an array. The network itself should be time predictable and highly parallel (far more than PCI-e for instance). We started a thorough classification of parallel program types (known as "Dwarfs" in the literature), to provide benchmarks and evaluate the platform design options.

9.2.2.3. FUI Waruna

Participants: Liliana Cucu, Adriana Gogonel, Walid Talaboulma, Dorin Maxim.

This recent project was started in September 2015. It targets the creation of a framework for connecting different existing methods while enriching the description with Waruna results. This framework allows timing analyses for different application domains like avionics, railways, medical, aerospace, automotive, etc.

9.2.3. Investissements d’Avenir

9.2.3.1. DEPARTS

Participants: Liliana Cucu-Grosjean, Adriana Gogonel, Walid Talaboulma.

This project is funded by the BGLE Call (*Briques Logicielles pour le Logiciel Embarqué*) of the national support programme *Investissements d’Avenir*. It formally started on October 1st, 2012, with the kick-off meeting held in April 2013 for administrative reasons. Research will target solutions for probabilistic component-based models, and a Ph.D. thesis should start by September 2015 at the latest. The goal is to unify in a common framework probabilistic scheduling techniques with compositional assume/guarantee contracts that have different levels of criticality.

9.2.3.2. CLARITY

Participants: Frédéric Mallet, Julien Deantoni, Ales Mishchenko, Robert de Simone, Marie Agnès Peraldi-Frati, Yann Bondue.

This project is funded by the LEOC Call (*Logiciel Embarqué et Objets Connectés*) of the national support programme *Investissements d’Avenir*. It was started in September 2014, and a kick-off meeting was held on October 9th. Partners are: Thales (several divisions), Airbus, Areva, Altran, All4Tec, Artal, the Eclipse Foundation, Scilab Enterprises, CESAMES, U. Rennes, and Inria. The purpose of the project is to develop and promote an open-source version of the ARCADIA Melody system design environment from Thales, renamed Capella for that purpose.
Our technical contributions to the project achievement are described in subsection 7.2.

9.2.3.3. Capacities

Participants: Liliana Cucu-Grosjean, Dumitru Potop-Butucaru, Yves Sorel, Walid Talaboulma.

This project is funded by the LEOC Call (Logiciel Embarqué et Objets Connectés) of the national support programme Investissements d’Avenir. It started on November 1st, 2014, with the kick-off meeting held on November 12th, 2014. The project coordinator is Kalray, and the objective of the project is to study the relevance of Kalray-style MPPA processor arrays for real-time computation in the avionic domain (with partners such as Airbus for instance). The post-doc of Mihail Asavoae and the PhD of Walid Talaboulma are funded on this contract.

9.3. European Initiatives

9.3.1. FP7 & H2020 Projects

9.3.1.1. FP7 PROXIMA

Participants: Liliana Cucu, Adriana Gogonel, Walid Talaboulma, Dorin Maxim, Cristian Maxim.

PROXIMA is an Integrated Project (IP) of the Seventh framework programme for research and technological development (FP7). The PROXIMA project provides industry-ready software timing analysis using probabilistic analysis for many-core and multi-core critical real-time embedded systems and will enable cost-effective verification of software timing analysis including worst case execution time. Our technical results in this project are described in 7.13.

9.3.2. Collaborations in European Programs, except FP7 & H2020

9.3.2.1. ITEA3 Assume

Project title: Affordable Safe And Secure Mobility Evolution
Duration: Oct. 2015 - Sept. 2018
Coordinator: Daimler AG (Germany)
Other partners: Airbus, Thales, Safran, Ansys/Esterel Technologies, Kalray, Sagem, UPMC, ENS Ulm, Inria (France), AbsInt, BTC, FZI, Karlsruhe IT, Kiel U., Offis, Bosch, TU Muenchen (Germany), NXP, Recore, VDL, Verum, TU Eindhoven, U. Twente (Netherlands), Arcelik, Ericsson, Ford, Havelsan, KocSistem, Unit, Koc University (Turkey), Arcticus, FindOut, Scania, KTH, Malardalen U. (Sweden)
Abstract: ASSUME aims at providing a seamless engineering methodology for affordable, safe multi-core development that allows industry to deliver new trustworthy functions at competitive prices. The project started on September 1st, 2015, and the kick-off meeting was held on October 1-2. The project coordinator is Daimler AG. The expected contributions of the Aoste team-project include the improvement of the Lopht tool, with the definition of a back-end targeting the Kalray MPPA256 many-core, and the proof of its scheduling algorithms.

9.4. International Initiatives

9.4.1. Inria International Labs

LIAMA
Associate Team involved in the International Lab:

9.4.1.1. FM4CPS

Title: Formal Models and tools for Cyber-Physical Systems

International Partner (Institution - Laboratory - Researcher):

ECNU (China) - Artificial Intelligence Lab - Jifeng He

Start year: 2015

See also: https://project.inria.fr/fm4cps/

The FM4CPS Associated team is tightly linked to the SACCADIES LIAMA project. It is also involved in the International Key Laboratory on Trustworthy Computing by ECNU Shanghai on the Chinese side.

FM4CPS addresses several facets of Formal Model-Driven Engineering for Cyber-Physical Systems and Internet of Things. The design of such large heterogeneous systems calls for hybrid modeling, and the combination of classes of models, most previously well-established in their own restricted area: Formal Models of Computations drawn from Concurrency Theory for the “cyber” discrete processors, timed extension and continuous behaviors for physical environments, requirement models and user constraints extended to non-functional aspects, new challenges for designing and analyzing large and highly dynamic communicating software entities. Orchestration and comparison of models, with their expressive power vs. their decidable aspects, shall be considered with the point of view of hybrid/heterogeneous modeling here. Main aspects are the various timing or quantitative structure extensions relying for instance on a hybrid logical clock model for the orchestration of underlying components.

The associated team aims at various levels of research, from formal models, semantics, or complexity, to experimental tools development. This will start for example on one side with building a formal orchestration model for CPSs, based on a hybrid clock model that combines discrete and physical time, synchronous and asynchronous computations or communications. Another goal will be the study of expressiveness and decidability for CPS, based on dedicated sub-families of well-structured push-down systems, addressing both unbounded communication and time-sensitive models.

9.5. International Research Visitors

9.5.1. Visits of International Scientists

9.5.1.1. Invited Professor

Qingguo XU

Date: July 2014 to June 2015
Institution: Shanghai University (China)

9.5.1.2. Internships

Nieto Luis Agustin

Date: Sep 2015 - Feb 2016
Institution: Universidad de Buenos Aires (Argentina)

9.5.2. Visits to International Teams

9.5.2.1. Sabbatical programme

Mallet Frédéric

Date: Sep 2014 - Aug 2015
Institution: ECNU (China)

10. Dissemination

10.1. Promoting Scientific Activities

10.1.1. Scientific events organisation

10.1.1.1. Member of the organizing committees

- Liliana Cucu: Dagstuhl seminar on Mixed Criticality Systems
- Robert Davis: Dagstuhl seminar on Mixed Criticality Systems

10.1.2. Scientific events selection

10.1.2.1. Chair of conference program committees

- Liliana Cucu: RTNS2015, WMC2015
- Robert Davis: RTAS2016, WMC2015

10.1.2.2. Member of the conference program committees

- Julien Deantoni: DAC’2015, MiSE’2015, GEMOC’2015
- Adriana Gogonel: ACM RACS2015, RTNS2015 and WMC2015
- Dorin Maxim: DATE2015 and RTNS2015

10.1.3. Journal

10.1.3.1. Member of the editorial boards


10.1.4. Invited talks

- Liliana Cucu: VECOS2015

10.1.5. Scientific expertise

- Robert de Simone: Board of Administrators of CIM-France Design Platform.

10.1.6. Research administration

- Robert de Simone is member of the Board of the UNS Doctoral School EDSTIC.
- Liliana Cucu is member of Inria Evaluation Commission.

10.2. Teaching - Supervision - Juries

10.2.1. Teaching

Master: Robert de Simone, Models of Computation for Networks-on-Chips (MoCs for NoCs), 36h, M2 International, UNS.
Master: Robert de Simone, Functional and Temporal Correctness, 36h, M1 International, UNS.
Master: Optimization of distributed real-time embedded systems, 24H, M2, University of Paris Sud
Master: Distributed real-time systems, 26H, M2, University of Paris Est
Master: Specification and formal models for embedded systems, 28H, M2, ENSTA Engineering School Paris
Master: Correct by construction design of reactive systems, 18H, M2, ESIEE Engineering School, Noisy-Le-Grand
Master: Julien Deantoni, Systèmes embarqués et Ambient, 10h, M2, Polytech’Nice, France.
Master: Julien Deantoni, Langage C++, 88h, M1, Polytech’Nice, France.
Master: Julien Deantoni, Ingénierie Dirigée par les modèles par la pratique, 24h, M2, Polytech’Nice, France.
Master: Dumitru Potop Butucaru, Une approche synchrone des systèmes embarqués temps réel, 12h, M1, EPITA Paris
Master: Dumitru Potop Butucaru and Thomas Carle, L’approche synchrone de la construction des systèmes embarqués temps réel, 12h, M2, Polytech Paris UPMC.
Licence: Laurent George, Java and Shell programming 48h, L1, IUT RT UPEC, France
Master: Laurent George, Distributed Real-Time Systems, 24h, M2, UPEC, France
Licence: Marie-Agnes Peraldi-Frati, Algorithms and programming 60h, L1, UNS Institute of technology.
Licence: Marie-Agnes Peraldi-Frati, System and Networks administration 80h, L2, UNS Institute of technology.
Licence: Frédéric Mallet, Conception Orientée Objet, 45h, L3, UNS.
Licence: Frédéric Mallet, Programmation Orientée Objet, 45h, L3, UNS.
Master: Frédéric Mallet, Programmation Avancée et Design Patterns, 45h, M1, UNS.
Master: Frédéric Mallet, Vérification temporelle et fonctionnelle, 24h, M1, UNS.
Master: Frédéric Mallet, Model-Driven Engineering, 24h, M1, UNS.
Master: Liliana Cucu, Distributed Databases, 56h, U. Dunarea de Jos, Romania

10.2.2. Supervision

PhD in progress: Matias Vara-Larsen, *Toward a formal and hierarchical timed model for concurrent heterogeneous model*, UNS, started November 2012, supervised by Frédéric Mallet, co-supervised by Julien Deantoni.

PhD in progress: Ameni Khecharem, *High-Level modeling of hierarchical power management policies in SoCs*, UNS, started October 2012, supervised by Robert de Simone.

PhD in progress: Amin Oueslati, *Modélisation conjointe d’applications et d’architectures parallèles embarqués en pratique*, UNS, started Jan 2014, supervised by Robert de Simone.

PhD in progress: Yuanrui Zhang, ECNU-SEI/China, started Sep 2015, co-supervised by Frederic Mallet (joint supervision with Pr. Chen Yixiang (ECNU)).

PhD in progress: Cristian Maxim, *End to end constraints using probabilistic approaches*, UPMC, started in March 2014, supervised by Liliana Cucu.

PhD in progress: Walid Talaboulma, *Probabilistic timing analysis in presence of dependences*, UPMC, started in November 2015, co-supervised by Liliana Cucu and Adriana Gogonel.

PhD in progress: Salah Edinne Saidi, *Distributed real-time scheduling for the co-simulation of several control models*, University of UMPC-Paris-Sorbonne, started December 2014, co-supervised by Nicolas Pernet (IFPEN) and Yves Sorel.

PhD in progress: Keryan Didier, *Formal certification of real-time implementations*, Université Pierre et Marie Curie/EDITE, started November 2015, supervised by Dumitru Potop Butucaru.

10.2.3. Juries


Julien Deantoni: reviewer of Erwan Bousse (IRISA, University of Rennes)

Liliana Cucu: reviewer of Antoine Bertout (LIFL, November 2015)

Dumitru Potop Butucaru: examiner of José Echeveste (Université Pierre et Marie Curie/EDITE).

11. Bibliography

**Major publications by the team in recent years**


Publications of the year

Doctoral Dissertations and Habilitation Theses


Articles in International Peer-Reviewed Journals


Invited Conferences


International Conferences with Proceedings


[31] F. LATOMBE, X. CRÉGUT, J. DEANTONI, M. PANTEL, B. COMBEMALE. Coping with Semantic Variation Points in Domain-Specific Modeling Languages, in "1st International Workshop on Executable Modeling (EXE'15), co-located with MODELS'15", Ottawa, Canada, CEUR, 2015, https://hal.inria.fr/hal-01222999


Conferences without Proceedings


[40] D. GRIFFIN, B. LESAGE, I. BATE, F. SOBOCZENSKI, R. I. DAVIS. Modelling Fault Dependencies when Execution Time Budgets are Exceeded, in "23rd International Conference on Real-Time Networks and Systems (RTNS 2015)", Lille, France, November 2015, pp. 129-138 [DOI : 10.1145/2834848.2834870], https://hal.inria.fr/hal-01230443


Scientific Books (or Scientific Book chapters)

[46] Mixed Criticality on Multicore/Manycore Platforms (Dagstuhl Seminar 15121), 2015 [DOI : 10.4230/DAGREP.5.3.84], https://hal.inria.fr/hal-01244394


[48] Proceedings of the 3rd International Workshop on Mixed Criticality Systems, 2015, https://hal.inria.fr/hal-01244384

[49] Proceedings of the 23rd International Conference on Real-Time Networks and Systems, ACM Digital Library, Lille, France, 2015, https://hal.inria.fr/hal-01244383


**Research Reports**


**Scientific Popularization**


**Other Publications**


**References in notes**


