Created on January 1st, 2000, the Vasyproject focuses on formal methods for the design of reliable systems.

We are interested in any system (hardware, software, telecommunication) that comprises
*asynchronous concurrency*, i.e., any system whose behavior can be modeled as a set of parallel processes governed by interleaving semantics.

For the design of reliable systems, we advocate the use of formal description techniques together with software tools for simulation, rapid prototyping, verification, and test generation.

Among all existing verification approaches, we focus on
*enumerative verification*(also known as
*explicit state verification*) techniques. Although less general than theorem proving, these techniques enable an automatic, cost-efficient detection of design errors in complex systems.

Our research combines two main directions in formal methods, the
*model-based*and the
*language-based*approaches:

Models provide mathematical representations for parallel programs and related verification problems. Examples of models are automata, networks of communicating automata, Petri nets, binary decision diagrams, boolean equation systems, etc. From a theoretical point of view, research on models seeks for general results, independently from any particular description language.

In practice, models are often too elementary to describe complex systems directly (this would be tedious and error-prone). Higher level formalisms are needed for this task, as well as compilers that translate high level descriptions into models suitable for verification algorithms.

To verify complex systems, we believe that model issues and language issues should be mastered equally.

By verification, we mean comparison — at some abstraction level — of a complex system against a set of
*properties*characterizing the intended functioning of the system (for instance, deadlock freedom, mutual exclusion, fairness, etc.).

Most of the verification algorithms we develop are based on the
*labeled transition systems*(or, simply,
*automata*or
*graphs*) model, which consists of a set of states, an initial state, and a transition relation between states. This model is often generated automatically from high level descriptions of the system under study, then compared against the system properties using various decision
procedures. Depending on the formalism used to express the properties, two approaches are possible:

*Behavioral properties*express the intended functioning of the system in the form of automata (or higher level descriptions, which are then translated into automata). In such a case, the natural approach to verification is
*equivalence checking*, which consists in comparing the system model and its properties (both represented as automata) modulo some equivalence or preorder relation. We develop equivalence checking tools that compare and minimize automata modulo various equivalence and preorder
relations; some of these tools also apply to stochastic and probabilistic models (such as Markov chains).

*Logical properties*express the intended functioning of the system in the form of temporal logic formulas. In such a case, the natural approach to verification is
*model checking*, which consists in deciding whether the system model satisfies or not the logical properties. We develop model checking tools for a powerful form of temporal logic, the
*modal
-calculus*, which we extend with typed variables and expressions so as to express predicates over the data contained in the model. This extension (the practical usefulness of which was highlighted in many examples) provides for properties that could not be expressed in the
standard
-calculus (for instance, the fact that the value of a given variable is always increasing along any execution path).

Although these techniques are efficient and automated, their main limitation is the
*state explosion*problem, which occurs when models are too large to fit in computer memory. We provide software technologies (see §
) for handling models in two complementary ways:

Small models can be represented
*explicitly*, by storing in memory all their states and transitions (
*exhaustive*verification);

Larger models are represented
*implicitly*, by exploring only the model states and transitions needed for the verification (
*on the fly*verification).

Our research focuses on high level languages with an
*executable*and
*formal*semantics. The former requirement stems from enumerative verification, which relies on the efficient execution of high level descriptions. The latter requirement states that languages lacking a formal semantics are not suitable for safety critical systems (as language ambiguities
usually lead to interpretation divergences between designers and implementors). Moreover, enumerative techniques are not always sufficient to establish the correctness of an infinite system (they only deal with finite abstractions); one might need theorem proving techniques, which only apply
to languages with a formal semantics.

We are working on several languages with the above properties:

Lotosis an international standard for protocol description ( Iso/ Iecstandard 8807:1989), which combines the concepts of process algebras (in particular Ccsand Csp) and algebraic abstract data types. Thus, Lotoscan describe both asynchronous concurrent processes and complex data structures. We use Lotosfor various industrial case studies and we develop Lotoscompilers, which are part of the Cadptoolbox (see § ).

Between 1992 and 2001, we contributed to the revision of
Lotosundertaken within
Iso. This led to the definition of
E-Lotos(
*Enhanced*-
Lotos,
Iso/
Iecstandard 15437:2001), which tries to provide a greater expressiveness (for instance, by introducing quantitative time to describe systems with real-time constraints) together with a better user friendliness. Our contributions to
E-Lotosare available on the
Web(see
http://www.inrialpes.fr/vasy/elotos).

We are also working on an
E-Lotosvariant, named
Lotos NT(
Lotos
*New Technology*)
,
, in which we can experiment new ideas more freely than in the constrained framework of an international standard.
Like
E-Lotos,
Lotos NTconsists of three parts: A
*data part*, which allows the description of data types and functions, a
*process part*, which extends the
Lotosprocess algebra with new constructs such as exceptions and quantitative time, and
*modules*, which provide for structure and genericity. Both languages differ in that
Lotos NTcombines imperative and functional features, and is also simpler than
E-Lotosin some respects (static typing, operator overloading, arrays), which should make it easier to implement. We are developing for
Lotos NTa prototype compiler named
Traian(see §
).

As much as possible, we try to validate our results by developing tools that we apply to complex (often industrial) case studies. Such a systematic confrontation to implementation and experimentation issues is central to our research.

The theoretical framework we use (automata, process algebras, bisimulations, temporal logics, etc.) and the software tools we develop are general enough to fit the needs of many application domains. They are virtually applicable to any system or protocol made of distributed agents communicating by asynchronous messages. The list of recent case studies performed with the Cadptoolbox (see in particular § ) illustrates the diversity of applications:

*Hardware architectures:*asynchronous circuits, bus arbitration protocols, cache coherency protocols, hardware/software codesign;

*Databases:*transaction protocols, distributed knowledge bases, stock management;

*Consumer electronics:*audiovisual remote control, video on-demand,
FireWirebus, home networking;

*Security protocols:*authentication, electronic transactions, cryptographic key distribution;

*Embedded systems:*smart-card applications, air traffic control;

*Distributed systems:*virtual shared memory, distributed file systems, election algorithms, dynamic reconfiguration algorithms, fault tolerance algorithms;

*Telecommunications:*high speed networks, network management, mobile telephony, feature interaction detection;

*Human-machine interaction:*graphical interfaces, biomedical data visualization, etc.

We maintain and enhance
Cadp(
*Construction and Analysis of Distributed Processes*– formerly known as
*Cæsar /
AldébaranDevelopment Package), a toolbox for protocols and distributed systems engineering (see
http://www.inrialpes.fr/vasy/cadp). In this toolbox, we develop the following
tools:*

Caesar_Graph, which provides the programming interface for graph exploration,

Caesar_Hash, which contains several hash functions,

Caesar_Solve, which resolves boolean equation systems on the fly,

Caesar_Stack, which implements stacks for depth-first search exploration,

Caesar_Table, which handles tables of states, transitions, labels, etc.

A number of tools have been developed within the Open/Cæsarenvironment, among which:

Bisimulator, which checks bisimulation equivalences and preorders on the fly,

Determinator, which eliminates nondeterminism in normal, probabilistic, or stochastic systems,

Distributor, which generates the graph of reachable states using several machines,

Evaluator, which evaluates regular alternation-free -calculus formulas,

Executor, which performs random execution,

Exhibitor, which searches for execution sequences matching a given regular expression,

Generator, which constructs the graph of reachable states,

Projector, which computes abstractions of communicating systems,

Reductor, which constructs and minimizes the graph of reachable states modulo various equivalence relations,

Simulator, Xsimulator, and Ocis, which allow interactive simulation, and

Terminator, which searches for deadlock states.

Bcg(
*Binary Coded Graphs*) is both a file format for storing very large graphs on disk (using efficient compression techniques) and a software environment for handling this format.
Bcgalso plays a key role in
Cadpas many tools rely on this format for their inputs/outputs. The
Bcgenvironment consists of various libraries with their programming interfaces, and of several tools, such as:

Bcg_Draw, which builds a two-dimensional view of a graph,

Bcg_Edit, which allows to modify interactively the graph layout produced by Bcg_Draw,

Bcg_Graph, which generates various forms of practically useful graphs,

Bcg_Info, which displays various statistical information about a graph,

Bcg_Io, which performs conversions between Bcgand many other graph formats,

Bcg_Labels, which hides and/or renames (using regular expressions) the transition labels of a graph,

Bcg_Merge, which gathers graph fragments obtained from distributed graph construction,

Bcg_Min, which minimizes a graph modulo strong or branching equivalences (and can also deal with probabilistic and stochastic systems),

Bcg_Steady, which performs steady-state numerical analysis of (extended) continuous-time Markov chains,

Bcg_Transient, which performs transient numerical analysis of (extended) continuous-time Markov chains, and

Xtl(
*eXecutable Temporal Language*), which is a high level, functional language for programming exploration algorithms on
Bcggraphs.
Xtlprovides primitives to handle states, transitions, labels,
*successor*and
*predecessor*functions, etc. For instance, one can define recursive functions on sets of states, which allow to specify in
Xtlevaluation and diagnostic generation fixed point algorithms for usual temporal logics (such as
Hml
,
Ctl
,
Actl
, etc.).

The connection between explicit models (such as Bcggraphs) and implicit models (explored on the fly) is ensured by Open/Cæsar-compliant compilers, e.g.:

Cæsar.Open, for models expressed as Lotosdescriptions,

Bcg_Open, for models represented as Bcggraphs,

Exp.Open, for models expressed as communicating automata, and

Seq.Open, for models represented as sets of execution traces.

The
Cadptoolbox also includes additional tools, such as
Aldébaranand
Tgv(
*Test Generation based on Verification*) developed by the
Verimaglaboratory (Grenoble) and the
Vertecsteam of
InriaRennes.

The Cadptools are well-integrated and can be accessed easily using either the Eucalyptusgraphical interface or the Svl scripting language. Both Eucalyptusand Svlprovide users with an easy, uniform access to the Cadptools by performing file format conversions automatically whenever needed and by supplying appropriate command-line options as the tools are invoked.

We develop a compiler named Traianfor translating descriptions written in the Lotos NTlanguage (see § ) into C programs, which will be used for simulation, rapid prototyping, verification, and testing.

The current version of Traianperforms lexical analysis, syntactic analysis, abstract syntax tree construction, static semantics analysis, and C code generation for Lotos NTtypes and functions.

Although this version of Traianis still incomplete (it does not handle Lotos NTprocesses), it already has useful applications in compiler construction . The recent compilers developed by the Vasyteam — namely Aal(see § ), Chp2Lotos(see § ), Evaluator 4.0, Exp.Open 2.0 (see § ), Ntif(see § ), and Svl(see § ) — all contain a large amount of Lotos NTcode, which is then translated into C code by Traian.

Our approach consists in using the Syntaxtool (developed at InriaRocquencourt) for lexical and syntactic analysis together with Lotos NTfor semantical aspects, in particular the definition, construction, and traversals of abstract trees. Some involved parts of the compiler can also be written directly in C if necessary. The combined use of Syntax, Lotos NT, and Traianproves to be satisfactory, as regards both the rapidity of development and the quality of resulting compilers.

The Traiancompiler can be freely downloaded from the Vasy Website (see http://www.inrialpes.fr/vasy/traian).

Cæsar_Solveis a generic software library for solving boolean equation systems of alternation depth 1 (i.e., without mutual recursion between minimal and maximal fixed point equations) on the fly. This library is at the core of several Cadpverification tools, namely the equivalence checker Bisimulator(see § ), the model checker Evaluator 3.5 (see § ), and the minimization tool Reductor 4.0 (see § ). The resolution method is based on boolean graphs, which provide an intuitive representation of dependencies between boolean variables, and which are handled implicitly, in a way similar to the Open/Cæsarinterface .

The Cæsar_Solvelibrary provides four different resolution algorithms: A1 and A2 are general algorithms based upon depth-first, respectively breadth-first, traversals of boolean graphs; A3 and A4 are optimized for the case of acyclic, respectively disjunctive/conjunctive, boolean graphs; they are based upon memory-efficient depth-first traversals of boolean graphs. All these algorithms can generate diagnostics explaining why a result is true or false (examples and counterexamples).

In 2005, the Cæsar_Solvelibrary ( 11, 600lines of C code) was extended and improved as follows:

The library interface was enhanced with new types and functions to facilitate the definition of boolean equation systems. Also, a bug was corrected in the diagnostic generation mechanism of algorithm A2.

A new resolution algorithm A5 was added to the library. This algorithm, based upon a depth-first search of the boolean graph, improves over algorithms A1–A4 by performing an early detection of examples (resp. counterexamples) in greatest (resp. least) fixed point equation blocks. This detection is based upon a generalization of Tarjan's algorithm for computing strongly connected components. Algorithm A5 proves to be much faster (between one and two orders of magnitude) than all the other algorithms of Cæsar_Solvewhen it is invoked many times on the same equation block, e.g., for detecting -confluent or redundant transitions during the on the fly reductions performed by the Reductortool (see § ).

A journal paper about the Cæsar_Solvelibrary was accepted for publication .

Bisimulatoris an equivalence checker, which takes as input two graphs to be compared (one represented implicitly using the Open/Cæsarenvironment, the other represented explicitly as a Bcgfile) and determines whether they are equivalent (modulo a given equivalence relation) or whether one of them is included in the other (modulo a given preorder relation). Bisimulatorworks on the fly, meaning that only those parts of the implicit graph pertinent to verification are explored. Due to the use of Open/Cæsar, Bisimulatorcan be applied directly to descriptions written in high level languages (for instance, Lotos). This is a significant improvement compared to older tools (such as Aldébaranand Fc2Implicit) which only accepted lower level models (networks of communicating automata).

Bisimulatorworks by reformulating the graph comparison problem in terms of a boolean equation system, which is solved on the fly using the Cæsar_Solvelibrary (see § ). A useful functionality of Bisimulatoris the generation of a ``negative'' diagnostic (i.e., a counterexample), which explains why two graphs are not equivalent (or not included one in the other). The diagnostics generated by Bisimulatorare directed acyclic graphs and are usually much smaller than those generated by other tools (such as Aldébaran) that can only generate counterexamples restricted to sets of traces.

In 2005, we continued the development of the Bisimulatortool ( 15, 300lines of C code):

The tool was enhanced with comparisons modulo the trace equivalence relation, the weak trace equivalence relation (which considers only visible transitions), and their associated preorder relations. The generation of counterexamples for these equivalences and their preorders was also implemented.

The encoding of branching equivalence in terms of boolean equation systems was enhanced in order to reduce the number of
-closures (transitive reflexive closures over
-transitions) computed when one of the states being compared does not have outgoing
-transitions. The new encoding allows to identify on the fly the cases when branching equivalence becomes identical to
^{*}.
aequivalence, and to simplify the equations accordingly. This can reduce the number of boolean variables by up to
40%.

Bisimulatorwas coupled with the Ocisinteractive simulator in order to allow a scenario contained in a Bcggraph to be replayed interactively during the current Ocissimulation session. Typically, the Bcggraph can be either a simulation scenario previously explored and saved using Ocis, or an execution trace produced by Exhibitoror Executor, or a diagnostic generated by Evaluator(see § ) for a temporal logic property. Bisimulatorallows Ocisto determine whether this Bcggraph is a subset or not of the graph being explored during the current Ocissession, which amounts to checking graph inclusion modulo the preorder associated to strong equivalence. If so, a ``positive'' diagnostic (i.e., an example) is generated, which can be subsequently read and replayed by Ocisas an ordinary simulation scenario. This feature required the generation of ``positive'' diagnostics by Bisimulator, which so far only generated ``negative'' ones.

The Bisimulatortool led to a publication .

Evaluatoris a model checker that evaluates a temporal logic property on a graph represented implicitly using the Open/Cæsarenvironment. Properties are described in regular alternation-free -calculus, a logic built from boolean operators, possibility and necessity modalities containing regular expressions denoting transition sequences, and fixed point operators without mutual recursion between least and greatest fixed points. The input language of the tool also allows to define parameterized temporal operators and to group them into separate libraries.

Evaluatorworks on the fly, meaning that only those parts of the implicit graph pertinent to verification are explored. The model checking problem is reformulated in terms of solving a boolean equation system. A useful feature of Evaluatoris the generation of diagnostics (examples and counterexamples) explaining why a formula is true or false.

In 2005, we continued the development of the Evaluatortool. This led to a new version Evaluator 3.5 ( 5, 600lines of Syntax/ Fnc2code and 5, 100 lines of C code) that supersedes the previous version 3.0, with the following enhancements:

Evaluator 3.5 uses the resolution algorithms provided by the Cæsar_Solvelibrary (see § ) whereas Evaluator 3.0 contained an ad hoc resolution engine. This improves modularity by clearly separating the translation of the verification problem into a boolean equation system (this is done in Evaluator) from the resolution itself (this is done in Cæsar_Solve).

The analysis of regular alternation-free -calculus formulas was enhanced with the detection of formulas that lead to disjunctive or conjunctive boolean equation systems. These systems can be solved more efficiently using algorithm A4 of Cæsar_Solve, which does not keep in memory the dependencies between boolean variables. Since most of the formulas encountered in practice are of this type, this enhancement resulted in important memory reductions (proportional to the number of transitions in the graph being checked) with respect to Evaluator 3.0.

Another optimization, performed on the system of modal equations used as intermediate representation by the tool, consisted in expanding on-line the propositional variables which occurred only once in the right-hand side of an equation. On most practical examples, this reduced by a factor of 3 the number of variables and induced the same reduction on the time and memory necessary for resolution.

The generation of diagnostics (examples and counterexamples) was improved in order to reflect more accurately the structure of the temporal formulas. In the diagnostics produced by
Evaluator 3.0, each state was associated to a state of the graph being checked, which caused the duplication of transitions in the diagnostic. For instance, when evaluating the formula ``
'' on the graph consisting of a single
a-loop ``
'', the diagnostic produced by
Evaluator 3.0 was the graph with a single state
sand three
a-loop transitions attached to
s. Instead, the diagnostic produced by
Evaluator 3.5 is the sequence
, which is a better explanation that the formula requires to traverse three successive
a-transitions.

Several new command-line options were added to Evaluator 3.5 to benefit from all features of Cæsar_Solve, namely: use of the breadth-first search based algorithm A2 to produce small-depth diagnostics, use of the memory-efficient algorithm A3 to check properties on acyclic graphs, and possibility to display the underlying boolean equation system in a textual form.

A detailed manual page for Evaluator 3.5 was written and the tool became part of Cadpin February 2005.

The
Cadptoolbox contains a tool named
Reductor 3.0 that performs exhaustive reachability analysis combined with elimination of internal transitions on the fly (this preserves
^{*}.
aequivalence).

Also, the Vasyteam developed in 2003 a prototype tool implementing -confluence reduction , a form of partial order reduction that preserves branching equivalence. This reduction is a mean to fight state explosion by trying to avoid the exploration of redundant interleavings resulting from independent -transitions. Indeed, experiments on various communication protocols and distributed systems have shown that -confluence may reduce the number of states and transitions by up to 3 orders of magnitude.

In 2005, both tools were merged into a single one, leading to version 4.0 of Reductor. This new tool ( 2, 000lines of C code) operates on graphs represented implicitly using the Open/Cæsarenvironment and provides six reduction algorithms:

It can eliminate both
-transitions and the so-called
*redundant*transitions
, still preserving safety equivalence.

It can eliminate all
-transitions, still preserving
^{*}.
aequivalence.

It can eliminate all circuits of transitions, still preserving branching equivalence (this reduction is called -compression).

It can perform -confluence reduction, still preserving branching equivalence.

It can eliminate duplicate transitions, still preserving strong equivalence.

It can fully minimize a graph modulo strong equivalence.

The 1st, 4th, and 6th reductions above are obtained by encoding the reduction problem into a boolean equation system that is resolved on the fly using algorithm A5 of the Cæsar_Solvelibrary (see § ). The 6th reduction is ``orthogonal'' in the sense that it can be combined with any of the five other reductions.

A detailed manual page for Reductor 4.0 was written and the tool became part of Cadpin October 2005. The -compression and -confluence reductions led to a publication .

The Cadptoolbox contains various tools dedicated to compositional verification, among which Projector 2.0, Exp.Open 2.0, and Svlplay a central role.

Projector 2.0 is a tool (totally rewritten in 2002) that implements behaviour abstraction , by taking into account interface constraints. In 2005, we improved its efficiency by introducing a hash function specifically adapted to state products. On real examples provided by the Technical University of Eindhoven, the execution time of Projectorwas divided by a factor of up to four.

Exp.Open 2.0 is a tool that explores on the fly the graph corresponding to a network of communicating automata (represented as a set of Bcgfiles). These automata are composed together in parallel using either algebraic operators (as in Ccs, Csp, Lotos, and μCrl), ``graphical'' operators (as in E-Lotos and Lotos NT), or synchronization vectors (as in the Mecand Fc2tools). Additional operators are available to hide and/or rename labels (using regular expressions) and to cut certain transitions. In 2005, we enhanced Exp.Openalong the following lines:

Following joint work with Jaco van de Pol ( Cwi, Amsterdam) in the framework of the Senvacollaboration (see § ), we corrected two problems related to the support of μCrlin Exp.Open.

We added options to obtain static information about the network of communicating automata, such as a list of the labels that potentially belong to the product and the size of each Bcggraph in the network.

We improved the algorithm for enumerating the successors of a given state, which reduced the generation time by 20 %on average, with a constant negligible memory overhead.

We implemented two partial order reduction techniques, one preserving the deadlocks and the other one preserving the weak traces of the network of automata, thus extending the family of partial order reductions already available in Exp.Open.

Exp.Openwas used in the framework of the Fiacrenational action (see § ) and we developed three new demo examples to illustrate the recent functionalities of Exp.Open(see § ). An article about Exp.Openwas published in an international conference .

Svl(
*Script Verification Language*) is both a high level language for expressing complex verification scenarios and a compiler dedicated to this language. In 2005, we enhanced
Svlalong the following lines:

We added support for two new equivalence relations, namely trace and weak trace equivalences, which can be used for graph comparison and reduction.

We added a new operator called ``
*refined abstraction*'', which allows to generate the graph of a process under constraints generated automatically using
Exp.Open.

We adapted Svlso that, depending on the equivalence to be preserved, it invokes Exp.Openwith the most appropriate partial order reduction, which is inferred from the semantic context automatically.

Enumerative verification algorithms need to explore and store very large graphs and, thus, are often limited by the capabilities of current sequential machines. To push forward the limits, we are studying parallel and distributed algorithms adapted to the clusters of Pcs and networks of workstations available in most research laboratories.

As a first goal, we focused on parallelizing the graph construction algorithm, which is a bottleneck for verification, as it requires a considerable amount of memory to store all reachable states. For this purpose, we developed two tools
:
Distributorsplits the construction of a graph over
Nmachines communicating using
Tcp/Ipsockets; each machine builds a graph fragment, the distribution of states between the machines being determined by a static hash function;
Bcg_Mergemerges the
Ngraph fragments constructed by
Distributorto produce the entire graph.

In 2005, this first phase was completed. Distributor 3.0 and Bcg_Merge 3.0 became parts of Cadpin January 2005 and a manual page for Distributorwas written . These tools were demonstrated at several occasions, including the Pdmc'2005international workshop (see § ). A tool paper was accepted for publication .

As a second goal, we aim at parallelizing on the fly verification itself. Because the Cæsar_Solvelibrary (see § ) is our central verification engine for both model checking, e.g., in the Evaluatortool (see § ), and equivalence checking, e.g., in the Bisimulator(see § ) and Reductortools (see § ), we target at the development of a distributed version of the Cæsar_Solvelibrary that could solve boolean equation systems on the fly using several machines.

In 2005, this work progressed as follows:

We continued the development of a distributed version of Cæsar_Solve(currently 17, 000lines of C code) . The former distributed resolution algorithm , which could only handle boolean equation systems containing one single equation block, was enhanced to deal with multiple blocks. The enhanced algorithm combines a depth-first search traversal of the dependency graph between blocks (which is supposed to be acyclic) and a breadth-first search traversal of the boolean graphs associated to blocks, both performed in a distributed manner. For single block boolean equation systems, the enhanced algorithm exhibits almost the same performance as the former algorithm.

The distributed algorithm for generating diagnostics on the fly was also enhanced to handle boolean equations systems with multiple blocks.

The distributed algorithm for termination detection was improved to detect partial resolutions of the blocks, i.e., the fact that all boolean variables present in a region of a block have their final value computed. This allows to propagate the values of these variables along backward dependencies and, thus, to achieve a good distribution of the simultaneous resolution of all equation blocks.

We implemented a prototype connection of the Evaluator 3.5 model checker to the distributed version of Cæsar_Solve. Experiments were performed on the Idpotcluster of Pcs using various graphs taken from the Vltsbenchmark suite and Cadpdemo examples. We checked properties ranging from basic deadlock and livelock detection (on the Vltsgraphs) to more complex response properties that must be encoded into boolean equation systems with several blocks. Compared to the sequential version of Evaluator 3.5, the distributed version shows quasi-linear speedups, a good load balancing, and a low memory overhead. As regards deadlock and livelock detection, it compared favourably with UppDmc , another distributed model checker for modal -calculus developed at Rwth(Aachen, Germany). A paper on this work was accepted for publication .

We implemented a prototype connection of Reductor's -confluence reduction algorithm to the distributed version of Cæsar_Solve. Experiments were performed on the Idpotcluster using various graphs taken from Cadpdemo examples. Each experiment consisted in generating a reduced graph using both the sequential version (based on algorithm A2 of Cæsar_Solve) and the distributed version. We observed that the latter was faster by up to three orders of magnitude, with a low memory overhead. For some examples, the distributed version succeeded where the sequential one would fail due to memory exhaustion .

We developed two versions of Extractor, a sequential one ( 1, 200lines of C code) based on the sequential resolution algorithms of Cæsar_Solve, and a distributed one ( 1, 300lines of C code) based on the distributed version of Cæsar_Solve. Experiments were performed on various graphs (taken from the Vltsbenchmark suite and the Cadpdemo examples) by using generic test purposes expressing the reachability of certain visible actions. All Ctgs obtained by applying Extractorand Determinatorwere strongly equivalent to those produced by Tgv, although slightly larger. On some examples, however, the generation of the Ctgsucceeded using Extractorand Determinator, whereas Tgvwould fail because of memory shortage. These results have been accepted for publication .

Late 2004 and early 2005, a significant number of new tools and libraries were integrated to the Cadptoolbox, among which Bcg_Merge, Bcg_Steady, Bcg_Transient, Bisimulator, Caesar_Area, Caesar_Mask, Cæsar_Solve, Determinator, Distributor, Evaluator 3.5, and Projector 2.0. This also implied an important effort in writing the corresponding manual pages and correcting the bugs reported by users worldwide.

Additionally, we improved the following Cadptools and libraries:

The Caesar_Hashlibrary was improved by adding new hash functions and rewriting several existing ones.

The
Caesar_Tablelibrary was enhanced by extending the table maximal capacity from
(2
^{24})-1to
2
^{29}elements, which increases the memory cost of a table, but in a reasonable manner. We also reduced (up to a factor of 2) the memory cost for ``small'' tables, the size of which can be known statically.

The Aldébarantool, no longer maintained by its authors, was replaced by a shell wrapper (680 lines of shell-script) that invokes the new Cadptools Bcg_Min, Bisimulator, Reductor 4.0, and Exp.Open 2.0 transparently, while keeping exactly the same command-line interface as the old Aldébarantool. Except in a few cases (graph comparison and minimization modulo delay equivalence, and minimization modulo observational equivalence), the old Aldébarantool is no longer used, which is a way to avoid 24 known bugs in this tool.

We updated most of the Cadpdemo examples in order to take advantage of recent features and tools of Cadp.

We have continued adapting Cadpto the latest computing platforms:

We ported Cadpto the most recent Linuxdistributions Fedora Core 3 and 4.

We upgraded the Windowsversion of Cadpto support recent versions of Microsoft's Msvcrtand Mingwin's W32apilibraries.

We finished porting the Cadptools with a graphical user-interface to the Mac OS Xoperating system and we took provisions to support its most recent version 10.4 `` Tiger''.

Besides Cadp, F. Lang updated the source code of the Rtltimed verification tool developped by Christophe Lohr (formerly at Laas/Cnrs) to make it accepted by recent C++ compilers.

The Cadptoolbox contains several tools dedicated to the Lotoslanguage, namely: the Cæsar.adtcompiler for the data type part of Lotos, the Cæsarcompiler for the process part of Lotos, and the Cæsar.Indentpretty-printer.

In 2005, we performed maintenance activities for these tools (1 bug fixed in Cæsar.adt, 1 bug fixed in Cæsar, and 3 bugs fixed in Cæsar.Indent) and we improved the C code generated by Cæsarand Cæsar.adtto avoid warnings emitted by the most recent C compilers. We also enhanced the Cæsarcompiler in two ways:

In the framework of the FormalFame Pluscontract (see § ), we simplified the use of the Exec/Cæsarenvironment . Exec/Cæsarallows to interconnect, on the one hand, the C code generated by Cæsarfrom the Lotosdescription of a system and, on the other hand, the ``real'' environment with which this system interacts. This interconnection is implemented as a collection of C functions, one per visible gate declared in the Lotosspecification, which have to be written by hand.

The new version of Cæsargreatly automates this task by generating automatically, for each function, a C code skeleton that implements appropriate pattern-matching actions for checking gate parameters — since, in Lotos, the same gate can be overloaded with several parameter lists that differ in number, types and direction (input or output) — as well as logging actions to trace the execution of these functions.

We pursued our study of state space reduction techniques, our goal being to decrease the size of the graphs generated by Cæsar, still preserving strong bisimulation between the original and reduced graphs.

Our previous work on state space reduction based on live variable analysis led to an improved version of Cæsar(named Cæsar.New), which became part of Cadpin April 2005. A journal paper was also accepted for publication .

Additionally, W. Serwe experimented further uses of data-flow analysis so as to reduce memory requirements for enumerative verification.

As regards the E-Lotoslanguage — and, more specifically, its Lotos NTvariant elaborated by the Vasyteam — we worked in two directions:

We continued to improve the Traiancompiler (see § ), which generates C code from Lotos NTdata type and function definitions. Traianis distributed on the Internet (see § ) and used intensively within the Vasyteam as a development tool for compiler construction .

In 2005, we released a new version 2.5 of Traian. It corrects four bugs and makes the C code generated by Traiancompatible with the latest versions of Gccand Intel's Icccompilers. In addition, the Traianlibraries and shell-scripts have been ported to the Itanium64-bit platform running the Linuxoperating system.

In the framework of the FormalFame Pluscontract (see § ), we undertook the development of a translator from Lotos NTto Lotos, so as to ease the development of large specifications by Bulland to reuse the existing Lotostools for analyzing concurrent systems described in Lotos NT.

In 2005, a first version of this translator was delivered to Bull. It consists of a Lotospreprocessing tool named Lpp( 1, 280 lines of C code) and a translation tool named Lnt2Lotosdeveloped using the aforementioned Syntax/ Traiantechnology (760 lines of Syntaxcode, 1, 920 lines of Lotos NTcode, and 980 lines of C code). A reference manual was written .

Although process algebras are, from a technical point of view, the best formalism to describe concurrent systems, they are not used as widely as they could be. Besides the steep learning curve of process algebras, which is traditionally mentioned as the main reason for this situation, it seems also that the process algebra community scattered its efforts by developing too many languages, similar in concept but incompatible in practice. Even the advent of two international standards, such as Lotos(in 1989) and E-Lotos(in 2001), did not remedy this fragmentation.

To address this problem, we started investigating source-level translators from various process algebras into Lotos, so as to widen the applicability of the Cadptools. One first example is the aforementioned translator from Lotos NTto Lotos(see § ). In 2005, we have also been studying translators for two other process algebras:

We considered the process algebra
Fsp(
*Finite State Processes*) defined in a popular textbook on concurrency
. For the ``basic
Fsp'' fragment (i.e.,
Fspwithout its data part), a prototype translator to
Lotos(700 lines of
Syntaxcode,
2, 300lines of
Lotos NTcode, and 300 lines of C code) was developed. While extending this translator to ``full
Fsp'', ambiguities were found in the reference
Fspgrammar. A collaboration with Jeff Kramer and Jeff Magee (Imperial College, London) was initiated to handle these issues.

In the framework of the
Inria/Leticollaboration (see §
), we focused on the process algebra
Chp(
*Communicating Hardware Processes*) for which the
Timalaboratory has developed a circuit synthesis tool named
Tast
and which is used by the
Letilaboratory to describe complex, asynchronous circuits at a high abstraction level. The goal is to integrate formal verification into the design flow of complex microelectronic circuits.

First, we defined a structural operational semantics for Chp, which so far lacked a formal semantics. In particular, our semantics gives an unambiguous meaning to the hardware-specific ``probe'' operator of Chp, the semantics of which has been debated for long beforehand.

We then proposed a translation scheme from Chpto Lotosfor a fragment of Chprestricted to simple data types (booleans and natural numbers) and to one single probe operator in boolean guards. For this fragment we developed a prototype translator named Chp2Lotos, which we used successfully to verify an asynchronous circuit implementing the Desencryption standard (see § ). The operational semantics and the translation scheme for this Chpfragment led to an international publication .

We then revised our translation scheme to handle all the data types of
Chp(including vectors, arrays, and enumerated types of arbitrary size) and to allow boolean guards containing several probe operators. The
Chp2Lotostranslator was extended accordingly (currently,
2, 100lines of
Syntaxcode,
11, 500lines of
Lotos NTcode, and
4, 000lines of C code) and started to be applied to an asynchronous
NoC(
*Network on Chip*) circuit under design at the
Letilaboratory (see §
).

In 2005, the Vasyteam also worked on the following case studies:

We continued our collaboration with Antonella Chirichiello (University ``La Sapienza'', Rome) on the use of process algebras as a convenient design formalism for Webservices. This led to a new publication on the use of Cadpfor the verification of an e-business application specified in the standard orchestration language Bpeland translated to Lotos.

In the context of the
Inria/Leticollaboration (see §
), we pursued the study (undertaken in 2004) of an asynchronous circuit, designed by the
Letiand
Timalaboratories, which implements the
Des(
*Data Encryption Standard*). We applied our
Chp2Lotostranslator (see §
) to a description of this circuit given in the
Chpprocess algebra (
1, 700 lines) and the translator produced a
Lotosdescription of
3, 800lines.

Because of the high degree of concurrency in this circuit (25 concurrent processes), direct generation of the state space was not appropriate (more than 17 million states and 139 million transitions). However, the compositional verification techniques of Cadp(see § ) allowed to generate a smaller, yet equivalent state space ( 16, 910states and 85, 840transitions) in 8 minutes, on which we verified several properties (absence of deadlocks, correct number of iterations, correct synchronisation between iterations).

Also in the context of the
Inria/Leticollaboration, we started working on another circuit developed by the
Letilaboratory, namely the asynchronous communication interconnect of a
NoC(
*Network on Chip*) described in
Chp
. Our first results are encouraging: using our
Chp2Lotostranslator, we were able to find several small mistakes in the
Chpdescription.

We continued the work undertaken in collaboration with Grégory Batt, Hidde de Jong, and Delphine Ropers (
Helixteam of
InriaRhône-Alpes) for connecting the
Gna(
*Genetic Network Analyzer*) tool developed by
Helixwith
Cadpin order to verify temporal properties of genetic regulatory networks.

Gnaprovides a simulator of qualitative models of genetic regulatory networks in the form of piecewise-linear differential equations. The output of the simulator is a Kripke structure, i.e., a state-transition graph in which the relevant information is associated to states. We defined a translation from Kripke structures to labeled transition systems (the graphs used by Cadp) that preserves strong bisimulation and is succinct, i.e., the produced labeled transition system has the same number of states and transitions as the Kripke structure. This translation was implemented as a back-end of the Gnasimulator, which became in this way directly connected to Cadp.

We also defined a translation from propositional -calculus to modal -calculus (the temporal logics used to express properties on Kripke structures and labeled transition systems, respectively) that preserves the truth of formulas. In conjunction with the translation between Kripke structures and labeled transition systems, this enabled to use the model checkers Xtland Evaluator 3.5 of Cadpfor verifying various temporal properties of genetic regulatory networks. It is worth noticing that certain properties (e.g., the presence of oscillations of protein concentrations), expressible in the -calculus fragment of alternation depth 2 but not in Ctl, could not be verified using the nuSMVmodel checker, but were handled successfully using Xtl. These activities led to two publications , .

A number of case-studies tackled by Vasyduring the past years have been finalized and properly integrated in Cadp, which makes them available widely:

a randomized binary distributed consensus protocol,

a computer integrated manufacturing architecture,

a distributed summation algorithm,

a distributed Erathostene's sieve,

a trader process for open distributed processing,

a turntable system for drilling products, and

an asynchronous circuit implementing the Desencryption standard.

Other teams also used the Cadptoolbox for various case studies. To cite only recent work, we can mention:

the verification of a reliable large scale multipoint transmission protocol combining terrestrial transmission with transmission via satellites ,

the analysis of an industrial manufacturing system ,

the behavioural verification of service composition ,

the modeling and verification of hierarchical components , ,

the generation of conformance tests for radiotherapy accelerators , and

the use of Lotosfor constraint solving .

Other research teams took advantage of the software components provided by Cadp(e.g., the Bcgand Open/Cæsarenvironments) to build their own research software. We can mention the following developments:

the Chp2Iftool, developed by Menouer Boubekeur ( Timalaboratory, Grenoble), which allows the verification of asynchronous hardware via a translation of Chpdescriptions to networks of communicating automata.

the Ttooltool, developed by Ludovic Apvrille ( Enst, LabSoClaboratory, Sophia-Antipolis), which allows the verification of reachability graphs of Umldiagrams using the Turtle Umlreal-time profile.

ArchWare(
*Architecting Evolvable Software*) is a project of the European ``Information Society Technologies'' program (
Ist-2001-32360). Started on January 1st, 2002,
ArchWaregathers the Research Consortium of Pisa (
Cpr), the Engineering company (Italy), the University of Savoie (
Listiclaboratory and ``Association Interaction Université-Economie'' —
InterUnec), the
Thésamecompany (France), the Universities of Manchester and St Andrews (United Kingdom), and the
Vasyteam of
Inria.

The aim of ArchWareis to build an integrated environment for architecting evolvable software systems with functional and performance requirements .

In this context,
Vasycontributed to the definition of
Aal(
*Architecture Analysis Language*), a language dedicated to the description of behavioral properties of software architectures.
Aalcontains operators borrowed from first-order logic and modal
-calculus, extended with predicates specific to architectural descriptions. It allows to specify both style-related structural properties (e.g., connectivity between components, cardinality, etc.) and architecture-related behavioral properties (e.g., safety, liveness, fairness).

Vasyidentified a fragment of Aalexpressive enough for a large number of property patterns relevant to software architectures and developed a model checker for this fragment. This model checker translates the temporal formulas into boolean equation systems, which are solved on the models produced by the execution of the ArchWarevirtual machine; the model checker is also equiped with diagnostics generation facilities.

Initially planned to terminate at the end of 2004, ArchWarewas extended until June 30, 2005, this additional period being mainly devoted to integration and maintenance activities, dissemination, and preparation of the project final review. From our participation to ArchWare, we draw two main conclusions:

The compiler construction technology promoted by Vasy proved to be effective for the development of the Aalmodel checker ( 16, 400lines of code).

The verification technology produced by Vasy was successfully applied to Aaland allowed to check complex correctness properties on large event traces produced by the ArchWarevirtual machine.

There is a long-standing collaboration between Vasyand Bull, which aims at demonstrating that the formal methods and tools developed at Inriacan be successfully applied to Bull's multiprocessor architectures. The objective is to develop a complete and integrated solution supporting formal specification, simulation, rapid prototyping, verification, and testing.

Between 1995 and 1998, two case studies were successfully tackled using Cadp: the PowerScalebus arbitration protocol and the PolyKidmultiprocessor architecture ).

Between 1998 and 2004, the collaboration focused on
Fame, the
Cc-Numamultiprocessor architecture used in
Bull's
NovaScaleseries of high-performance servers based on
Intel Itaniumprocessors. The
Cadptools have been used to validate a crucial circuit of
Fame– the
Fss(
*Fame Scalability Switch*) – that implements the cache coherency protocol. The technology transfer is complete, in the sense that the
Cadptools are now part of
Bull's validation methodology and that
Bullmaintains itself the
Lotosspecifications developed for
Fame.

In 2004, the collaboration was renewed by a followup contract named FormalFame Plus, which, in 2005, was extended for two more years. The general goal of FormalFame Plusis to enhance the performance and usability of the Cadptools in prevision of the next multiprocessor architectures under design at Bull.

In 2005, the contributions of Vasywere the following:

A new functionality was added to the Cæsarcompiler, which allows to generate code skeletons automatically for the C functions that, in the Exec/Cæsarsoftware , connect the C code generated by Cæsarfrom the Lotosdescription of a system to ``real'' environment with which the system interacts (see § ). This will ease the task of writing such interface functions.

We undertook the definition of an automatic translator from Lotos NTto Lotos(see § ). This will allow Bullto develop formal models in a faster way, as Lotos NTis more concise than Lotosand closer to mainstream programming languages.

TopCased(
*Toolkit in OPen-source for Critical Application and SystEms Development*) is a project of
Aese, the French
*pôle de compétitivité*dedicated to aeronautics, space, and embedded systems. This project gathers 23 partners, including companies developing safety-critical systems such as
Airbus(leader),
Astrium,
Atos Origin,
Cs,
Siemens VDO, and
Thales Aerospace.

TopCaseddevelops a modular, open-source, generic Caseenvironment providing methods and tools for embedded system development, ranging from system and architecture specifications to software and hardware implementation through equipment definition.

In 2005, the Vasyteam contributed to TopCasedas regards the combination of model-driven engineering and formal methods for asynchronous systems. H. Garavel is the Inriarepresentative at the TopCasedexecutive committee, as well as the secretary of this committee. H. Garavel and F. Lang gave several tutorials and demonstrations of the Cadptools to the TopCasedparticipants. Finally, N. Lépy attended a 5-day training session on Eclipseorganized at Airbus(Toulouse, France).

In 2005, the Vasyteam contributed to the preparation of two future projects:

OpenEmbeDDis a French national project of
Rntl(
*Réseau National des Technologies Logicielles*). The goal of
OpenEmbeDDis to develop an open-source, generic, standard software engineering platform for real-time embedded systems, such as those developed by
Airbus,
Cs,
France Telecom, and
Thales. Within an
Eclipseframework, this platform will combine the principles of model-driven engineering with those of formal methods. Officially approved in 2005,
OpenEmbeDDwill start in January 2006 for three years.

Multival(
*Validation of Multiprocessor Multithreaded Architectures*) is a project proposed in the framework of
Minalogic, the French
*pôle de compétitivité*dedicated to micro-nano technologies and embedded software for systems on chip.
Multivaladdresses verification and performance evaluation issues for three innovative asynchronous architectures developed by
Bull,
Cea/Leti, and
ST Microelectronics. In December 2005,
Multivalwas officially approved by
Minalogicas part of its
Emsoc/
*Atelier du Futur*program.

The
Vasyteam plays an active role in the joint research center launched in 2004 between
InriaRhône-Alpes and the
Letilaboratory of
Cea-Grenoble. In co-operation with
Letiscientists (Edith Beigné, François Bertrand, Fabien Clermidy, Yvain Thonnart, and Pascal Vivet),
Vasydevelops software tools for the design of asynchronous circuits and architectures such as
Gals(
*Globally Asynchronous Locally Synchronous*),
NoCs (
*Networks on Chip*), and
SoCs (
*Systems on Chip*). The
Timalaboratory (Dominique Borrione and Marc Renaudin) also contributes to this research action. In 2005, our work focused on a translator that connects the verification tools developed by
Vasyto the hardware synthesis tools developed by
Tima(see §
).

Together with the
Oasisteam of
InriaSophia-Antipolis (Tomas Barros and Eric Madelaine), the
Ltciteam of
Enst-Paris (Hamid Irfan, Elie Najm, and Sylvie Vignes), the
Svfteam of the
Laas/Cnrslaboratory (Bernard Berthomieu and François Vernadat), and the
Mvrteam of
Irit(Mamoun Filali),
Vasyis part of the national action
Fiacre–
Aci
*Sécurité Informatique*started in 2004 (see
http://www-sop.inria.fr/oasis/fiacre). In 2005, we investigated semantic
interconnections between the
Cadptoolbox and the tools developed by the other
Fiacrepartners.

Additionally, we collaborated in 2005 with several Inriateams:

Helix(Rhône-Alpes): applications of model checking to biological systems (Grégory Batt, Delphine Ropers, and Hidde de Jong);

Oasis(Sophia-Antipolis): collaboration in the framework of Fiacrenational action (Tomas Barros and Eric Madelaine);

Pop Art(Rhône-Alpes): combination of the Cadpand Prometheuscompositional verification tools (Gregor Goessler);

Wam(Rhône-Alpes): application of satisfiability of the modal -calculus to optimize XPathsearch queries on Xmldocuments (Pierre Genevès and Nabil Layaïda).

Beyond Inria, we had sustained scientific relations with the following teams:

Id-Imaglaboratory (Montbonnot): use of the Idpotcluster to experiment parallel and distributed verification algorithms (see § );

Laas-Cnrslaboratory (Toulouse): collaboration in the framework of Fiacrenational action, TopCasedproject, and forthcoming OpenEmbeDDproject (Bernard Berthomieu and François Vernadat);

Lamilaboratory (Evry) and Ecole des Mines de Nantes: coordination, adaptation, and analysis of component systems (Pascal Poizat and Jean-Claude Royer);

Letilaboratory of Cea-Grenoble: collaboration in the framework of the Inria/ Letijoint research center and of the forthcoming Multivalproject (Edith Beigné, François Bertrand, Fabien Clermidy, Yvain Thonnart, and Pascal Vivet);

Liplaboratory (Lyon) and InriaRhône-Alpes: between April and October 2005, R. Mateescu was hosted by the Arenaireteam and, since October 2005, he has a part-time (20%) collaboration with the Plumeteam.

The Vasyteam of Inriaand the Sen2team of Cwicollaborate in Senva, a joint research team on safety-critical systems (see http://www.inrialpes.fr/vasy/senva). Launched in 2004, the Senvateam is supported by Inria's European and International Affairs Department and by Cwi.

The
Vasyteam is member of the
Fmics(
*Formal Methods for Industrial Critical Systems*) working group of
Ercim(see
http://www.inrialpes.fr/vasy/fmics). From July 1999 to July 2001, H. Garavel
chaired this working group. Since July 2002, he is member of the
FmicsBoard, in charge of dissemination actions. Within
Fmics, R. Mateescu contributes to the preparation of a ``Formal Methods Handbook''.

H. Garavel is a member of
Ifip(
*International Federation for Information Processing*) Technical Committee 1 (
*Foundations of Computer Science*) Working Group 1.8 on Concurrency Theory, launched in 2005 and chaired by Luca Aceto.

H. Garavel is a member of the technical committee (
*ETItorial Board*) of the
Eti(
*Electronic Tool Integration*) software development platform (see
http://eti.cs.uni-dortmund.de).

In addition to our partners in aforementioned contractual collaborations, we had scientific relations in 2005 with several international universities and research centers, including:

Eindhoven University of Technology (Judi Romijn and Xing Huo),

Imperial College (Jeff Kramer and Jeff Magee),

University of Konstanz (Husain Aljazzar and Paiam Salavati),

University of Málaga (Carlos Canal and Pedro Merino) , and

University ``La Sapienza'' of Rome (Antonella Chirichiello and Benjamin Habegger) .

In 2005, we had the following scientific exchanges:

Jean-Luc Nougaret and Franck Di Maio ( Cern, Geneva, Switzerland) visited us on January 20, 2005.

Benjamin Habegger ( InriaFuturs, Mostrareteam) visited us on May 10–13, 2005.

Pascal Poizat (University of Evry – Val d'Essonne) visited us on May 23, 2005.

The annual Senvaseminar was held in St. Pierre de Chartreuse on May 30–June 1st, 2005. In addition to the Vasyteam, Wan Fokking (Free University of Amsterdam), Jeff Kramer and Jeff Magee (Imperial College, London), Aad Mathijssen (University of Eindhoven), Jaco van de Pol and Anton Wijs ( Cwi, Amsterdam), Mihaela Sighireanu (University of Paris 7), and Michael Weber ( RwthAachen) attended this seminar. The list of talks is available from http://www.inrialpes.fr/vasy/senva/workshop2005.

In the framework of the Fiacrenational action, we organized a meeting at InriaRhône-Alpes on September 26–27, 2005 attended by the following visitors: Tomas Barros and Eric Madelaine ( InriaSophia Antipolis), Irfan Hamid, Elie Najm, and Sylvie Vignes ( EnstParis), Mamoun Filali and François Vernadat ( Feria/Cnrs, Toulouse), and Jean-Bernard Stefani ( InriaRhône-Alpes).

In the framework of the
Senvacollaboration, we organized an international meeting on ``
*Clusters and Grids for Verification and Performance Evaluation*'' held at
InriaRhône-Alpes on November 16–17, 2005. In addition to the
Vasyteam, this meeting was attended by Jiri Barnat, Lubos Brim, and Ivana Cerna (Masaryk University Brno), Gerd Behrmann and Josva Kleist (Aalborg University), Anne Benoit (
Inria,
Graalteam, Lyon), Stefan Blom (Innsbruck University), François Brown de Colstoun (
Inria), Boudewijn Haverkort (University of Twente), William Knottenbelt and Tamas Suto (Imperial College, London), Marta Kwiatkowska (University of Birmingham), Matthias Kuntz (Universität der Bundeswehr, Munich), Martin Leucker (Technical
University of Munich), Simona Orzan (Technical University of Eindhoven), Jaco van de Pol (
Cwi, Amsterdam), and Michael Weber (
RwthAachen). The list of talks is available from
http://www.inrialpes.fr/vasy/senva/meeting2005.

The Vasyteam distributes two main software tools: the Cadptoolbox (see § ) and the Traiancompiler (see § ). In 2005, the main facts are the following:

We prepared and distributed 15 successive beta-versions (2003-s, ..., 2003-z, 2004-a, ..., 2004-g) of Cadp.

The number of license contracts signed for Cadpincreased from 330 to 345.

We were requested to grant Cadplicenses for 663 different computers in the world.

The distribution of the Traiancompiler continued and a new version 2.5 of Traian(see § ) was released on October 6, 2005.

The Traiancompiler was downloaded by 51 different sites.

The Vasy Website (see http://www.inrialpes.fr/vasy/cadp) was regularly updated with scientific contents, announcements, publications, etc.

In 2005, the members of Vasyassumed the following responsibilities:

H. Garavel was, together with John Hatcliff (Kansas State University), responsible for a special issue of the
Tcs(
*Theoretical Computer Science*) journal, to appear in 2006, which gathers the best theory-oriented papers of
Tacas'2003.

H. Garavel was, together with John Hatcliff (Kansas State University), responsible for a special issue of the
Sttt(
*Software Tools for Technology Transfer*) journal, to appear in 2006, which gathers the best software-oriented papers of
Tacas'2003.

H. Garavel was a steering committee member of
Pdmc(
*Parallel and Distributed Methods in Verification*) series of international workshops.

H. Garavel was a program committee member of
Pdmc'2005 (
*4th International Workshop on Parallel and Distributed Methods in VerifiCation*, Lisbon, Portugal, July 10, 2005).

H. Garavel was a program committee member of
SoftMC'2005 (
*3rd International Workshop on Software Model Checking*, Edinburgh, Scotland, United Kingdom, July 11, 2005).

R. Mateescu was a program committee member of
Tacas'2005 (
*11th International Conference on Tools and Algorithms for the Construction and Analysis of Systems*, Edinburgh, Scotland, United Kingdom, April 4-8, 2005).

R. Mateescu was a program committee member of
Vveis'2005 (
*3rd International Workshop on Verification and Validation of Enterprise Information Systems*, Miami, Florida, USA, May 13, 2005).

R. Mateescu was a program committee member of
Ewsa'2005 (
*2nd European Workshop on Software Architecture*, Pisa, Italy, June 13-14, 2005).

R. Mateescu was a program committee member of
Fmics'2005 (
*10th International Workshop on Formal Methods for Industrial Critical Systems*, Lisbon, Portugal, September 5-6, 2005).

R. Mateescu was a program committee member of
Etr'2005 (
*Ecole d'été temps réel 2005*, Nancy, France, September 13-16, 2005).

In 2005, we gave talks in several international conferences and workshops (see bibliography below). Additionally:

R. Mateescu gave a talk entitled ``
*Vérification à la volée de systèmes parallèles asynchrones*'' at the
Liplaboratory –
InriaRhône-Alpes (Lyon, France) on February 1st, 2005.

G. Salaün gave a talk entitled ``
*Describing and Reasoning on Web Services using Process Algebra*'' at
InriaLorraine (Nancy, France) on February 7, 2005.

W. Serwe participated to the ``
*First German Verification Day*'' (Oldenburg, Germany) on March 4, 2005.

G. Salaün gave a talk entitled ``
*Describing and Reasoning on Web Services using Process Algebra*'' at
InriaRennes (France) on March 17, 2005.

G. Salaün gave a talk entitled ``
*Describing and Reasoning on Web Services using Process Algebra*'' at Ecole des Mines de Nantes (France) on April 4, 2005.

F. Lang gave a talk entitled ``
*Verification of the ODP Trader using
Exp.Open
2.0 and
Cadp
'' at the
Laas/Cnrslaboratory (Toulouse, France) on April 18–19, 2005.*

G. Salaün gave two talks entitled ``
*Describing and Reasoning on Web Services using Process Algebra*'' and ``
*Formal Coordination of Distributed Entities Described with Behavioural Interfaces*'' at the
Laas/Cnrslaboratory (Toulouse, France) on April 18–19, 2005.

C. Joubert gave a talk entitled ``
*Distributed On-the-Fly Verification of Finite-State Systems*'' at the Technical University of Valencia (Spain) on May 9, 2005.

R. Mateescu gave a talk entitled ``
*Résolution à la volée des systèmes d'équations booléennes et applications*'' at the
Lsvlaboratory (Cachan, France) on May 24, 2005.

R. Mateescu gave a talk entitled ``
Cæsar_Solve:
*A Generic Library for On-the-Fly Resolution of Boolean Equation Systems and its Applications to Verification*'' at the University of Málaga (Spain) on June 27, 2005.

H. Garavel gave a tool demonstration entitled ``
*DISTRIBUTOR and BCG_MERGE: Tools for Distributed Explicit State Space Generation*'' at
Pdmc'2005 (
*4th International Workshop on Parallel and Distributed Methods in VerifiCation*, Lisbon, Portugal) on July 10, 2005.

H. Garavel gave an invited talk entitled ``
*How to Interface Algebraic Process Calculi with the Real World?*'' at the international seminar ``
*Algebraic Process Calculi: The First Twenty Five Years and Beyond*'' held in Bertinoro (Forlí, Italy) on August 1–5, 2005.

R. Mateescu gave a public demonstration of
Cadpat the summer school ``
*Ecole d'été temps réel*'' (Nancy, France) on September 14, 2005.

F. Lang gave a public demonstration of Cadpat a meeting of the TopCasedproject ( Laas/Cnrs, Toulouse, France) on September 1, 2005.

F. Lang and W. Serwe visited Cwi(Amsterdam, The Netherlands) on September 12–16, 2005:

F. Lang gave a talk entitled ``
*Exp.Open 2.0: A Flexible Tool Integrating Partial Order, Compositional and On-the-fly Verification Methods'' at the
Pam(
Process Algebra Meeting) held at
Cwion September 14, 2005.*

W. Serwe gave a talk entitled ``
*State Space Reduction for Process Algebra Specifications*'' at the
Pam(
*Process Algebra Meeting*) held at
Cwion September 14, 2005.

G. Salaün gave a talk entitled ``
*How Formal Methods Can Contribute to the Formal Development of Web Services*'' at the
LaMIlaboratory (Evry, France) on September 19, 2005.

F. Lang participated to the
TopCasedIndustrial Workshop on System Verification held at
Airbus(Toulouse, France) on October 11, 2005, where he gave a talk entitled ``
*Description des comportements synchrones et asynchrones*'' and demonstrated the
Cadptoolbox.

W. Serwe represented Inriaduring a visit, organized by the French Embassy in Tokyo, of Japanese public and industrial research institutes working in the field of systems on chip (Tokyo, Japon, November 7–11, 2005).

H. Garavel gave an invited talk entitled ``
*An Overview of
Cadp
2005'' at the German Transregional Collaborative Research Center
Avacs(
Automatic Verification and Analysis of Complex Systems) in Freiburg (Germany) — simultaneously transmitted to Oldenburg and Saarbrücken — on November 25, 2005.*

H. Garavel gave a talk entitled ``
*Systèmes asynchrones, algèbres de processus et espaces d'états*'' at the
Liplaboratory –
InriaRhône-Alpes (Lyon, France) on December 13, 2005.

C. Joubert gave a talk entitled ``
*Distributed On-the-Fly Verification of Large State Spaces*'' at the University of Málaga (Spain) on December 22, 2005.

The Vasyteam is a host team for:

The computer science master entitled ``
*Informatique : Systèmes et Logiciels*'', common to Institut National Polytechnique de Grenoble and Université Joseph Fourier,

The computer science master entitled ``
*Informatique : communication et coopération dans les systèmes à agents*'' of Université de Savoie.

In 2005:

F. Lang and W. Serwe gave the course on ``
*Temps Réel*'' to the 3rd year students of
Ensimag(18 hours).

C. Joubert gave a course on ``
*Tools for Software Engineering*'' to the 4th year students of Université Joseph Fourier (9 hours).

C. Joubert gave lectures and programming assignments for the ``
*Formal Specification*'', ``
*Computer Networks*'', ``
*Software Architecture*'', and ``
*Operating Systems*'' courses at Université Joseph Fourier (87 hours).

H. Garavel supervised the internship (
*mémoire de probatoire*
Cnam
*) of Vincent Doucet entitled ``
Vérification distribuée de programmes parallèles'', defended in Grenoble on March 31, 2005.*

R. Mateescu was a jury member of Loïc Strus' MSc thesis (DEA) entitled ``
*Test de propriétés*'', defended at the University Joseph Fourier (Grenoble) on June 22, 2005.

R. Mateescu was a jury member of Jesús Martínez Cruz's PhD thesis entitled ``
*Un enfoque basado en estándares para la integración de técnicas y herramientas de Ingeniería de Protocolos*'', defended at the University of Málaga (Spain) on June 28, 2005.

F. Lang supervised the internship (
*mémoire de probatoire*
Cnam
*) of N. Lépy entitled ``
Etude de l'environnement ouvert de développement intégré
Eclipse
dans l'optique d'une extension'', defended in Grenoble on July 1st, 2005.*

F. Lang was a jury member of Arnaud Lanoix's PhD thesis entitled ``
*Systèmes à composants synchronisés : contributions à la vérification compositionnelle du raffinement et des propriétés*'', defended at Université de Franche Comté (Besançon) on August 31, 2005.

F. Lang was a jury member of Tomas Barros's PhD thesis entitled ``
*Formal specification and verification of distributed components*'', defended at Université de Nice Sophia-Antipolis on November 25, 2005.

H. Garavel and R. Mateescu supervised the PhD thesis of C. Joubert entitled ``
*Vérification distribuée à la volée de grands espaces d'états*'', defended on December 12, 2005
.

D. Champelovier participates to the design group for the new InriaRhône-Alpes Website.

H. Garavel is a member of the budget and computing facilities committees of InriaRhône-Alpes.

Within the
Emsoc/
*Atelier du Futur*program of the
Minalogic
*pôle de compétitivité*, H. Garavel is a member of the working group (6 persons) in charge of making proposals for governance and project selection.

F. Lang participates to the consultative organizational committee of InriaRhône-Alpes.

W. Serwe is a member of the continuous training committee of InriaRhône-Alpes.