Created on January 1st, 2000, the Vasyproject focuses on formal methods for the design of reliable systems.
We are interested in any system (hardware, software, telecommunication) that comprises asynchronous concurrency, i.e., any system whose behavior can be modeled as a set of parallel processes governed by interleaving semantics.
For the design of reliable systems, we advocate the use of formal description techniques together with software tools for simulation, rapid prototyping, verification, and test generation.
Among all existing verification approaches, we focus on enumerative verification(also known as explicit state verification) techniques. Although less general than theorem proving, these techniques enable an automatic, cost-efficient detection of design errors in complex systems.
Our research combines two main directions in formal methods, the model-basedand the language-basedapproaches:
Models provide mathematical representations for parallel programs and related verification problems. Examples of models are automata, networks of communicating automata, Petri nets, binary decision diagrams, boolean equation systems, etc. From a theoretical point of view, research on models seeks for general results, independently from any particular description language.
In practice, models are often too elementary to describe complex systems directly (this would be tedious and error-prone). Higher level formalisms are needed for this task, as well as compilers that translate high level descriptions into models suitable for verification algorithms.
To verify complex systems, we believe that model issues and language issues should be mastered equally.
By verification, we mean comparison — at some abstraction level — of a complex system against a set of propertiescharacterizing the intended functioning of the system (for instance, deadlock freedom, mutual exclusion, fairness, etc.).
Most of the verification algorithms we develop are based on the labeled transition systems(or, simply, automataor graphs) model, which consists of a set of states, an initial state, and a transition relation between states. This model is often generated automatically from high level descriptions of the system under study, then compared against the system properties using various decision procedures. Depending on the formalism used to express the properties, two approaches are possible:
Behavioral propertiesexpress the intended functioning of the system in the form of automata (or higher level descriptions, which are then translated into automata). In such a case, the natural approach to verification is equivalence checking, which consists in comparing the system model and its properties (both represented as automata) modulo some equivalence or preorder relation. We develop equivalence checking tools that compare and minimize automata modulo various equivalence and preorder relations; some of these tools also apply to stochastic and probabilistic models (such as Markov chains).
Logical propertiesexpress the intended functioning of the system in the form of temporal logic formulas. In such a case, the natural approach to verification is model checking, which consists in deciding whether the system model satisfies or not the logical properties. We develop model checking tools for a powerful form of temporal logic, the modal -calculus, which we extend with typed variables and expressions so as to express predicates over the data contained in the model. This extension (the practical usefulness of which was highlighted in many examples) provides for properties that could not be expressed in the standard -calculus (for instance, the fact that the value of a given variable is always increasing along any execution path).
Although these techniques are efficient and automated, their main limitation is the state explosionproblem, which occurs when models are too large to fit in computer memory. We provide software technologies (see § ) for handling models in two complementary ways:
Small models can be represented explicitly, by storing in memory all their states and transitions ( exhaustiveverification);
Larger models are represented implicitly, by exploring only the model states and transitions needed for the verification ( on the flyverification).
Our research focuses on high level languages with an executableand formalsemantics. The former requirement stems from enumerative verification, which relies on the efficient execution of high level descriptions. The latter requirement states that languages lacking a formal semantics are not suitable for safety critical systems (as language ambiguities usually lead to interpretation divergences between designers and implementors). Moreover, enumerative techniques are not always sufficient to establish the correctness of an infinite system (they only deal with finite abstractions); one might need theorem proving techniques, which only apply to languages with a formal semantics.
We are working on several languages with the above properties:
Lotosis an international standard for protocol description ( Iso/ Iecstandard 8807:1989), which combines the concepts of process algebras (in particular Ccsand Csp) and algebraic abstract data types. Thus, Lotoscan describe both asynchronous concurrent processes and complex data structures. We use Lotosfor various industrial case studies and we develop Lotoscompilers, which are part of the Cadptoolbox (see § ).
We contributed to the definition of E-Lotos( Enhanced- Lotos, Iso/ Iecstandard 15437:2001), a deep revision of Lotos, which tries to provide a greater expressiveness (for instance, by introducing quantitative time to describe systems with real-time constraints) together with a better user friendliness. Our contributions to E-Lotosare available on the Web(see http://www.inrialpes.fr/vasy/elotos).
We are also working on an E-Lotosvariant, named Lotos NT( Lotos New Technology) , , in which we can experiment new ideas more freely than in the constrained framework of an international standard. Like E-Lotos, Lotos NTconsists of three parts: a data part, which allows the description of data types and functions, a process part, which extends the Lotosprocess algebra with new constructs such as exceptions and quantitative time, and modules, which provide for structure and genericity. Both languages differ in that Lotos NTcombines imperative and functional features, and is also simpler than E-Lotosin some respects (static typing, operator overloading, arrays), which should make it easier to implement. We are developing several tools for Lotos NT: a prototype compiler named Traian(see § ), a translator from (a subset of) Lotos NTto Lotos(see § ), and an intermediate semantic model named Ntif( New Technology Intermediate Form) .
As much as possible, we try to validate our results by developing tools that we apply to complex (often industrial) case studies. Such a systematic confrontation to implementation and experimentation issues is central to our research.
The theoretical framework we use (automata, process algebras, bisimulations, temporal logics, etc.) and the software tools we develop are general enough to fit the needs of many application domains. They are virtually applicable to any system or protocol made of distributed agents communicating by asynchronous messages. The list of recent case studies performed with the Cadptoolbox (see in particular § ) illustrates the diversity of applications:
Hardware architectures:asynchronous circuits, bus arbitration protocols, cache coherency protocols, hardware/software codesign;
Databases:transaction protocols, distributed knowledge bases, stock management;
Consumer electronics:audiovisual remote control, video on-demand, FireWirebus, home networking;
Security protocols:authentication, electronic transactions, cryptographic key distribution;
Embedded systems:smart-card applications, air traffic control;
Distributed systems:virtual shared memory, distributed file systems, election algorithms, dynamic reconfiguration algorithms, fault tolerance algorithms;
Telecommunications:high speed networks, network management, mobile telephony, feature interaction detection;
Human-machine interaction:graphical interfaces, biomedical data visualization, etc.
We maintain and enhance Cadp( Construction and Analysis of Distributed Processes– formerly known as Cæsar/ AldébaranDevelopment Package), a toolbox for protocols and distributed systems engineering (see http://www.inrialpes.fr/vasy/cadp). In this toolbox, we develop the following tools:
Caesar_Graph, which provides the programming interface for graph exploration,
Caesar_Hash, which contains several hash functions,
Caesar_Solve, which resolves boolean equation systems on the fly,
Caesar_Stack, which implements stacks for depth-first search exploration,
Caesar_Table, which handles tables of states, transitions, labels, etc.
A number of tools have been developed within the Open/Cæsarenvironment, among which:
Bisimulator, which checks bisimulation equivalences and preorders,
Determinator, which eliminates nondeterminism in normal, probabilistic, or stochastic systems,
Distributor, which generates the graph of reachable states using several machines,
Evaluator, which evaluates regular alternation-free -calculus formulas,
Executor, which performs random execution,
Exhibitor, which searches for execution sequences matching a given regular expression,
Generator, which constructs the graph of reachable states,
Projector, which computes abstractions of communicating systems,
Reductor, which constructs and minimizes the graph of reachable states modulo various equivalence relations,
Simulator, Xsimulator, and Ocis, which allow interactive simulation, and
Terminator, which searches for deadlock states.
Bcg( Binary Coded Graphs) is both a file format for storing very large graphs on disk (using efficient compression techniques) and a software environment for handling this format. Bcgalso plays a key role in Cadpas many tools rely on this format for their inputs/outputs. The Bcgenvironment consists of various libraries with their programming interfaces, and of several tools, such as:
Bcg_Draw, which builds a two-dimensional view of a graph,
Bcg_Edit, which allows to modify interactively the graph layout produced by Bcg_Draw,
Bcg_Graph, which generates various forms of practically useful graphs,
Bcg_Info, which displays various statistical information about a graph,
Bcg_Io, which performs conversions between Bcgand many other graph formats,
Bcg_Labels, which hides and/or renames (using regular expressions) the transition labels of a graph,
Bcg_Merge, which gathers graph fragments obtained from distributed graph construction,
Bcg_Min, which minimizes a graph modulo strong or branching equivalences (and can also deal with probabilistic and stochastic systems),
Bcg_Steady, which performs steady-state numerical analysis of (extended) continuous-time Markov chains,
Bcg_Transient, which performs transient numerical analysis of (extended) continuous-time Markov chains, and
Xtl( eXecutable Temporal Language), which is a high level, functional language for programming exploration algorithms on Bcggraphs. Xtlprovides primitives to handle states, transitions, labels, successorand predecessorfunctions, etc. For instance, one can define recursive functions on sets of states, which allow to specify in Xtlevaluation and diagnostic generation fixed point algorithms for usual temporal logics (such as Hml , Ctl , Actl , etc.).
The connection between explicit models (such as Bcggraphs) and implicit models (explored on the fly) is ensured by Open/Cæsar-compliant compilers, e.g.:
Cæsar.open, for models expressed as Lotosdescriptions,
Bcg_Open, for models represented as Bcggraphs,
Exp.open, for models expressed as communicating automata, and
Seq.open, for models represented as sets of execution traces.
The Cadptoolbox also includes additional tools, such as Aldébaranand Tgv( Test Generation based on Verification) developed by the Verimaglaboratory (Grenoble) and the Vertecsproject team of InriaRennes.
The Cadptools are well-integrated and can be accessed easily using either the Eucalyptusgraphical interface or the Svl scripting language. Both Eucalyptusand Svlprovide users with an easy, uniform access to the Cadptools by performing file format conversions automatically whenever needed and by supplying appropriate command-line options as the tools are invoked.
We develop a compiler named Traianfor translating descriptions written in the Lotos NTlanguage (see § ) into C programs, which will be used for simulation, rapid prototyping, verification, and testing.
The current version of Traianperforms lexical analysis, syntactic analysis, abstract syntax tree construction, static semantics analysis, and C code generation for Lotos NTtypes and functions.
Although this version of Traianis still incomplete (it does not handle Lotos NTprocesses), it already has useful applications in compiler construction . The recent compilers developed by the Vasyproject team — namely Aal, Chp2Lotos(see § ), Evaluator 4.0, Exp.open 2.0 (see § ), Fsp2Lotos(see § ), Lnt2Lotos(see § ), Ntif(see § ), and Svl(see § ) — all contain a large amount of Lotos NTcode, which is then translated into C code by Traian.
Our approach consists in using the Syntaxtool (developed at InriaRocquencourt) for lexical and syntactic analysis together with Lotos NTfor semantical aspects, in particular the definition, construction, and traversals of abstract trees. Some involved parts of the compiler can also be written directly in C if necessary. The combined use of Syntax, Lotos NT, and Traianproves to be satisfactory, as regards both the rapidity of development and the quality of resulting compilers.
The Traiancompiler can be freely downloaded from the Vasy Website (see http://www.inrialpes.fr/vasy/traian).
Cæsar_Solveis a generic software library for solving boolean equation systems of alternation depth 1 (i.e., without mutual recursion between minimal and maximal fixed point equations) on the fly. This library is at the core of several Cadpverification tools, namely the equivalence checker Bisimulator(see § ), the model checker Evaluator 3.5 (see § ), and the minimization tool Reductor 5.0 (see § ). The resolution method is based on boolean graphs, which provide an intuitive representation of dependencies between boolean variables, and which are handled implicitly, in a way similar to the Open/Cæsarinterface .
The Cæsar_Solvelibrary provides five different resolution algorithms. A1 and A2 are general algorithms based upon depth-first, respectively breadth-first, traversals of boolean graphs. A3 and A4, based upon memory-efficient depth-first traversals of boolean graphs, are optimized for the case of acyclic, respectively disjunctive/conjunctive, boolean graphs. A5 is a general algorithm based upon a depth-first traversal of boolean graphs; it generalizes Tarjan's algorithm for computing strongly connected components and is much faster than A1 and A2 when it is invoked many times on the same equation block. All these algorithms can generate diagnostics explaining why a result is true or false (examples and counterexamples).
In 2006, the Cæsar_Solvelibrary ( 12, 200lines of C code) was improved as follows:
The primitive for writing a boolean equation system to a text file was enhanced in order to write not only the whole system, but also the portion of the system representing the diagnostic produced after solving a given boolean variable.
The primitive for reading a boolean equation system from a text file was enhanced in order to handle the cases where the equation blocks and the boolean variables in the left-hand sides of the equations of a block are numbered neither contiguously, nor increasingly. This allows to read text files containing diagnostics of resolutions, which do not necessarily fulfill these two conditions.
The primitives for reading and writing a boolean equation system from/to a text file were enhanced in order to support on the fly compression, which can reduce the size of text files by several orders of magnitude. This possibility is exploited by Bisimulator(see § ) and Evaluator(see § ).
The A4 algorithm was enhanced to detect cycles of the boolean graph that contain certain boolean variables marked by a predicate provided by the user application. This feature is useful for encoding the evaluation of certain temporal logic properties describing infinite, unfair execution sequences. Also, a bug was corrected in algorithm A4 when detecting disjunctive/conjunctive boolean graphs.
An article about Cæsar_Solvewas published in an international journal .
Bisimulatoris an equivalence checker that takes as input two graphs to be compared (one represented implicitly using the Open/Cæsarenvironment, the other represented explicitly as a Bcgfile) and determines whether they are equivalent (modulo a given equivalence relation) or whether one of them is included in the other (modulo a given preorder relation). Bisimulatorworks on the fly, meaning that only those parts of the implicit graph pertinent to verification are explored. Due to the use of Open/Cæsar, Bisimulatorcan be applied directly to descriptions written in high level languages (for instance, Lotos). This is a significant improvement compared to older tools (such as Aldébaranand Fc2Implicit) which only accepted lower level models (networks of communicating automata).
Bisimulatorworks by reformulating the graph comparison problem in terms of a boolean equation system, which is solved on the fly using the Cæsar_Solvelibrary (see § ). A useful functionality of Bisimulatoris the generation of a ``negative'' diagnostic (i.e., a counterexample), which explains why two graphs are not equivalent (or not included one in the other). The diagnostics generated by Bisimulatorare directed acyclic graphs and are usually much smaller than those generated by other tools (such as Aldébaran) that can only generate counterexamples restricted to sets of traces.
In 2006, we continued the development of Bisimulator( 15, 900lines of C code). In addition to a bug fix related to the counterexample generation for branching equivalence:
A new command-line option was added to Bisimulatorto apply -confluence reduction on the implicit graph when comparing modulo branching or observational equivalence. When the implicit graph contains interleavings due to the presence of loosely-coupled parallel processes, this option can reduce the time and memory required for the verification by up to one order of magnitude.
The encoding of observational equivalence in terms of boolean equation systems was enhanced in order to simplify the equations when the explicit graph is deterministic and does not
contain
-transitions. In this case, observational equivalence becomes identical to
^{*}.
aequivalence, except for the states of the implicit graph from which a deadlock state can be reached after zero or more
-transitions. These states are now detected during the computation of
-closures (transitive reflexive closures over
-transitions) and used to simplify the equations accordingly. This can reduce the number of boolean variables by up to
30%.
Evaluatoris a model checker that evaluates a temporal logic property on a graph represented implicitly using the Open/Cæsarenvironment. Properties are described in regular alternation-free -calculus, a logic built from boolean operators, possibility and necessity modalities containing regular expressions denoting transition sequences, and fixed point operators without mutual recursion between least and greatest fixed points. The input language of the tool also allows to define parameterized temporal operators and to group them into separate libraries.
Evaluatorworks on the fly, meaning that only those parts of the implicit graph pertinent to verification are explored. The model checking problem is reformulated in terms of solving a boolean equation system. A useful feature of Evaluatoris the generation of diagnostics (examples and counterexamples) explaining why a formula is true or false.
In 2006, we continued the development of the Evaluator 3.5 tool. In particular, the translation in regular alternation-free -calculus of the inevitability operator of Actlwas improved. When using Evaluator 3.5 to check temporal formulas containing this operator, the new translation leads to gains in time and memory up to a factor 8.
We also continued our work (undertaken in 2003) for extending the regular alternation-free -calculus with new operators dedicated to the specification of properties involving data values. This led to a prototype Evaluator 4.0 ( 37, 600lines of Syntax/ Lotos NTcode and 11, 100lines of C code), which brings the following enhancements with respect to Evaluator 3.5:
State formulas are extended with data-handling operators inspired from programming languages, such as `` if-then-else'' and `` case''. Fixed point operators are enhanced with data parameters allowing arbitrary calculations to be performed on the fly while exploring the graph. Action formulas are extended with action patterns that extract the data values contained in transition labels and store them in variables that can be referred to in the formula. Regular expressions occurring inside modalities are extended with iteration operators ranging over natural intervals, and also with programming language constructs such as `` while'', `` until'', and `` for''. Finally, special operators are introduced for capturing states of the graph and manipulating them in formulas; this allows to express non-standard properties, such as the existence of self-loops (transitions from a state to itself) and past-time properties (occurence of actions before a certain state). This new language of formulas is called Mcl( Model Checking Language). It supersedes the regular alternation-free -calculus accepted as input by Evaluator 3.5.
The problem of evaluating an Mclformula on the fly amounts to the local resolution of a boolean equation system, which is performed using the Cæsar_Solvelibrary. The translation consists of several phases: lexical, syntactic, and semantic analysis of the Mclformula; type checking and replacement of the derived operators by primitive ones; conversion to positive normal form by propagating negations down to the atomic formulas; generation of modal equation systems containing parameterized propositional variables in the left-hand sides and modal formulas in the right-hand sides; elimination of regular expressions by translating them into terms of modalities and fixed point equations. Then, the resulting modal equation system and the graph (represented implicitly using the Open/Cæsarenvironment) are combined together into a boolean equation system (represented implicitly according to the Cæsar_Solveinterface) containing a distinguished variable, whose local resolution yields the truth value of the Mclformula on the initial state of the graph.
The translation of a state formula into a modal equation system was optimized in order to maximize the number of blocks in the final boolean equation system whose corresponding boolean graphs are disjunctive/conjunctive. These blocks are solved using the memory-efficient algorithm A4 of Cæsar_Solve, which avoids storing the transitions of the boolean graphs (and hence the transitions of the graph on which the formula is evaluated). In practice, all temporal formulas built from the operators of Ctl, Actl, and Pdlare translated into boolean equation systems containing only disjunctive/conjunctive blocks, and are therefore evaluated with a quasi-optimal memory consumption using A4.
The prototype version Evaluator 4.0 was successfully tested on 2, 300examples of Mclformulas and on all regular alternation-free -calculus formulas available in the demo examples of the Cadpdistribution.
The Reductor 4.0 tool of Cadp, developed in 2005, implements several forms of (partial or total) graph reductions. Some of these reductions are obtained by encoding the reduction problem into a boolean equation system that is solved on the fly using the Cæsar_Solvelibrary (see § ).
Cadpalso contains a tool named Determinator, which eliminates nondeterminism from ordinary or stochastic graphs.
In 2006, we released a new version 5.0 of Reductor, together with a new version of Determinator. Reductor 5.0 includes several functionalities previously available in Determinator. The main changes are the following:
We fixed a bug in reduction modulo safety equivalence, which caused the generated labeled transition system to be not minimal in some cases.
Three new equivalences were added to Reductor, namely trace reduction (previously available in Determinatoras normal determinization), weak trace reduction (previously available in Determinatoras determinization with -elimination), and divergence reduction.
The Cadptoolbox contains various tools dedicated to compositional verification, among which Projector 2.0, Exp.open 2.0, and Svlplay a central role.
Projector 2.0 implements behavior abstraction , by taking into account interface constraints.
Exp.open 2.0 explores on the fly the graph corresponding to a network of communicating automata (represented as a set of Bcgfiles).
Svl( Script Verification Language) is both a high level language for expressing complex verification scenarios and a compiler dedicated to this language.
In 2006, we enhanced these tools along the following lines:
We corrected one bug in Projector 2.0, two bugs in Exp.open 2.0, and four bugs in Svl.
We enhanced Exp.open 2.0 to convert networks of communicating automata into Petri nets encoded in the Tpnformat of the Tinatoolbox developed at Laas-Cnrs.
We added to Exp.open 2.0 a new operator for specifying priorities between the transitions of a network of communicating automata.
We extended the Svllanguage to support the new equivalences available in Reductor 5.0 (see § ) and the new features of Bisimulator(see § ) and Evaluator(see § ), e.g., selection between depth-first or breadth-first search algorithms, selection of algorithms dedicated to acyclic graphs, etc.
An article on refined interface generation using Exp.openand Svl(see the Vasy 2005 activity report) was published in an international conference .
Enumerative verification algorithms need to explore and store very large graphs and, thus, are often limited by the capabilities of one single sequential machine. To push forward the limits, we are studying parallel and distributed algorithms adapted to the clusters of Pcs and networks of workstations available in most research laboratories.
As a first goal, we focused on parallelizing the graph construction algorithm, which is a bottleneck for verification, as it requires a considerable amount of memory to store all reachable
states. For this purpose, we developed two tools
:
Distributorsplits the construction of a graph over
Nmachines communicating using
Tcp/Ipsockets; each machine builds a graph fragment, the distribution of states between the machines being determined by a static hash function;
Bcg_Mergemerges the
Ngraph fragments constructed by
Distributorto produce the entire graph.
Distributor 3.0 and Bcg_Merge 3.0 are now properly documented and integrated into Cadp. A tool paper was published at an international conference .
In 2006, this work progressed as follows:
We studied various enhancements of our Cæsar_Networklibrary, which implements generic communication primitives for distributed verification tools. We simplified its programming interface by reducing the number of primitives needed to initialize and terminate a distributed computing session. We also designed an extension of the Gcf( Grid Configuration File) format used by Cæsar_Networkin order to support the mainstream job schedulers available in clusters and grids.
Each graph generated by executing Distributoron a set of machines is represented as a Pbg( Partitioned Bcg Graph) file, which consists of a set of graph fragments generated on each machine and stored as Bcgfiles. The Pbgformat provides various information for handling these fragments (number of states and transitions of each fragment, Gcffile used to generate the fragments, log files produced on each machine, etc.). So far, the only tool of Cadphandling the Pbgformat was Bcg_Merge, which translates a Pbgfile into a Bcgfile by merging all fragments into a single graph. In 2006, we developed four new prototype tools operating on Pbgfiles:
Pbg_Cpcopies a Pbgfile and its dependencies (fragments, log files, and Gcffile) from a machine to another,
Pbg_Mvmoves a Pbgfile (and its dependencies) between two machines,
Pbg_Rmremoves a Pbgfile (and its dependencies), and
Pbg_Openprovides a distributed algorithm that implements the Open/Cæsarprogramming interface , thus allowing to explore on the fly a Pbgfile (without merging its fragments first as Bcg_Mergedoes).
As a second goal, we aim at parallelizing on the fly verification itself. Because the Cæsar_Solvelibrary (see § ) is our central verification engine for both model checking, e.g., in the Evaluatortool (see § ), and equivalence checking, e.g., in the Bisimulator(see § ) and Reductor(see § ) tools, we have been designing a distributed version of the Cæsar_Solvelibrary to solve boolean equation systems on the fly using several machines.
In 2006, we continued the development of this library. The library code ( 16, 000lines of C code) was thoroughly reviewed and simplified. The error management was improved. The primitive for writing a boolean equation system (or the portion of the system corresponding to the diagnostic of a given variable) to a file was also implemented in the distributed version of Cæsar_Solve. The distributed resolution algorithm for boolean equation systems was enhanced to detect on the fly cyclic dependencies between equation blocks (the presence of such dependencies indicates that the boolean equation system has an alternation depth greater than one).
An article about the distributed version of Cæsar_Solveand its applications was published in an international conference .
We developed a new tool, named Bes_Solve, which supersedes two existing prototype tools for generating random boolean equation systems and for reading and writing boolean equation systems from/to text files, respectively. Bes_Solveallows to compare and cross-check the various resolution algorithms provided by the sequential and distributed versions of Cæsar_Solve. It constructs a boolean equation system in memory either by reading it from a (possibly compressed) text file, or by generating it randomly according to various parameters (number of equation blocks, minimum and maximum number of variables in each block, length of the equations, percentage of boolean constants, percentage of disjunctive and conjunctive variables in the right-hand sides of the equations, seed value for initializing the random number generator, etc.). Then, a boolean variable defined in some equation block of the boolean system can be solved by invoking any sequential or distributed algorithm of Cæsar_Solve. Bes_Solveserved to experiment intensively the resolution algorithms and allowed to correct a bug in algorithm A4 of the sequential version of Cæsar_Solve.
We undertook the design of an integrated development environment for Cadpwithin the Eclipseframework. This environment comprises both a Lotoseditor and a graphical user-interface (inspired from Eucalyptusbut based on Eclipse) for the Cadptools.
Additionally, we improved the following Cadptools and libraries:
We fixed one bug in the Caesar_Regexplibrary and two bugs in Xtl.
We enhanced Determinatorand Bcg_Minto support double precision floating point numbers.
We improved the Eucalyptusgraphical user-interface to provide access to all recent features and tools of Cadp.
We added a new Cadpdemo example ( Webservices for stock management and an on-line book auction) and we updated most of the other demo examples to take advantage of the most recent features and tools of Cadp.
We continued adapting Cadpto the latest computing platforms:
We finished porting Cadpto recent Linuxdistributions and Mac OS 10.4 `` Tiger''.
We modified Cadpto support recent C compilers ( Gcc 4, Intel Icc 9.0, Sun Studio 11).
We improved the portability of Cadpby adding new ``wrappers'', i.e., shell scripts that make Cadpless dependent on the underlying operating system.
As regards 64-bit architectures:
We wrote a portability guide for 64-bit applications.
We started porting the shell scripts of Cadpas well as third party software used by Cadp(e.g., Cudd, Sparse, Tcl-Tk/Tix, garbage collector) to 64-bit architectures.
The Cadptoolbox contains several tools dedicated to the Lotoslanguage, namely: the Cæsar.adtcompiler for the data type part of Lotos, the Cæsarcompiler for the process part of Lotos, and the Cæsar.indentpretty-printer.
In 2006, we performed maintenance activities for these tools (two bugs fixed in Cæsar, one bug fixed in the Cæsar.bddtool invoked by Cæsar, and two enhancements in Cæsar.indent). We also improved the C code generated by Cæsarand Cæsar.adtto avoid warnings emitted by the most recent C compilers.
We pursued our study of state space reduction techniques, our goal being to decrease the size of the graphs generated by Cæsar, still preserving strong bisimulation between the original and reduced graphs.
Our work on state space reduction based on live variable analysis resulted in version 7.0 of Cæsar(previously named Cæsar.new), which was officially released as part of Cadpin July 2006. On all Cadpdemos, Cæsar 7.0 reduced the state space by a mean factor of 45 (we observed a maximum factor of 4,400) as regards the number of states and by a mean factor of 38 (we observed a maximum factor of 3,100) as regards the number of transitions. This work led to a journal publication .
Additionally, W. Serwe experimented further uses of data-flow analysis to improve the efficiency for enumerative verification. A prototype version of Cæsarwas developed and experimented in the framework of the FormalFame Pluscontract (see § ): we obtained a memory reduction by a factor of 1.4 and a time reduction by a factor of 2.
As regards the E-Lotoslanguage — and, more specifically, its Lotos NTvariant elaborated by the Vasyproject team — we worked in two directions:
The Traiancompiler (see § ) remained stable in 2006, but we developed a new tool, named Traian.indent, for indenting Lotos NTprograms, similar to the existing tool Cæsar.indent(see § ).
In the framework of the FormalFame Pluscontract (see § ), we continued the development of a tool suite for the translation from Lotos NTto Lotos, which aims at easing the development of large specifications by Bulland to reuse the existing Lotostools for analyzing concurrent systems described in Lotos NT. The tool suite consists of a Lotos/ Lotos NTpreprocessing tool named Lpp, a translator from Lotos NTdata types to Lotosnamed Lnt2Lotos, and a shell script named Lnt_Compile, which calls Lppand Lnt2Lotos.
In 2006, the tool suite was improved as follows:
The predefined comparison functions (`` ='', `` <'', `` '', etc.), which were only available for enumerated types in 2005, were made available to all constructor types, using a recursive lexicographic ordering of constructors and constructor fields.
A new predefined type ``
sorted list of
T'' was added. The elements of a sorted list are sorted automatically using the order relation ``
<'' on
T, which can be either generated automatically as explained in the previous item, or given by the user.
We implemented the translation from Lotos NTfunctions into Lotosequations, starting from an algorithm that translates into Horn clauses a subset of the C language (`` while'' loops without `` break'' statements and functions with value passing parameters only and a single `` return'' statement located at the end of the function). We extended this algorithm so as to handle reference passing parameters, pattern matching (`` case'' statement), loop interruptions (`` break'' statement), multiple `` return'' statements within the body of functions, uncatchable exceptions (`` raise'' statement), and function name overloading.
The Lnt_Compiletool was improved to allow the generated Lotoscode to be combined with handwritten Lotoscode and/or C code provided by the user.
Lnt2Lotosis developed using the Syntax/ Traiantechnology . It grew from 3, 660lines (760 lines of Syntaxcode, 1, 920lines of Lotos NTcode, and 980 lines of C code) at the end of 2005 up to 17, 300lines ( 2, 100lines of Syntaxcode, 14, 000lines of Lotos NTcode, and 1, 200lines of C code) at the end of 2006.
In 2006, we delivered 7 successive versions of the tool suite to Bull, who uses Lotos NTto model a critical part of its Fame2 multiprocessor architecture for high-end servers (see § ). A non-regression test suite of 67 programs representing more than 6, 000lines of Lotos NTcode was developed. The reference manual was updated and grew from 29 pages (at the end of 2005) up to 47 pages (at the end of 2006). A forge was set up under Inria GForgeto track bugs and feature requests, and to serve as a repository where our Bullpartners can download the new versions of the Lnt2Lotostool suite.
Although process algebras are, from a technical point of view, the best formalism to describe concurrent systems, they are not used as widely as they could be. Besides the steep learning curve of process algebras, which is traditionally mentioned as the main reason for this situation, it seems also that the process algebra community scattered its efforts by developing too many languages, similar in concept but incompatible in practice. Even the advent of two international standards, such as Lotos(in 1989) and E-Lotos(in 2001), did not remedy this fragmentation.
To address this problem, we started investigating source-level translators from various process algebras into Lotos, so as to widen the applicability of the Cadptools. One first example was the Lnt2Lotostool suite (see § ). In 2006, we studied also translators for other concurrent languages:
We considered the process algebra Fsp( Finite State Processes) defined in a popular textbook on concurrency . Continuing the collaboration initiated in 2005 with Jeff Kramer and Jeff Magee (Imperial College, London, see § ), we removed the ambiguities found in the reference Fspgrammar and provided a new unambiguous Lalr(1) grammar for Fsp. We redesigned our Fsp2Lotosprototype, undertaken in 2005, that translated the ``basic Fsp'' fragment (i.e., Fspwithout its data part and without syntactic sugar) to Lotos. The new Fsp2Lotosprototype ( 5, 000lines of Syntaxcode, 20, 000lines of Lotos NTcode, and 500 lines of C code) translates ``full Fsp'' into Lotos. It is available on Solaris, Linux, and Windowsand has been tested on 10, 500lines of Fspcode, including many examples given in the Fsptextbook .
In the framework of the Fiacre(see § ), OpenEmbeDD(see § ), and TopCased(see § ) projects, and in cooperation with the Laas-Cnrsand Iritlaboratories, we undertook the definition of a new intermediate model named Fiacre( Format Intermédiaire pour les Architectures de Composants Répartis Embarqués). Derived from Ntif and V-Cotre , Fiacrewill be used as a pivot formalism between modeling languages (such as Aadl, Uml, or SysML) and verification tools (such as Cadpand Tina). After several meetings, intensive technical correspondence (80 e-mail exchanges), and 8 drafts, we converged to a 14-page document describing Fiacre.
In the framework of the Inria/Leticollaboration (see § ), we focused on the process algebra Chp( Communicating Hardware Processes) for which the Timalaboratory has developed a circuit synthesis tool named Tast and which is used by the Letilaboratory to describe complex, asynchronous circuits at a high abstraction level. The goal is to integrate formal verification into the design flow of complex microelectronic circuits.
In 2006, we improved the Chp2Lotostranslator by developing code specialisation techniques that optimize the translation of each channel depending on its profile (i.e., whether and how the Chp``probe'' operator is applied to this channel). Computing channel profiles in a pre-processing step and optimizing the translation accordingly allows to reduce the state space significantly: on the example of the Faustcircuit, an asynchronous No c( Network on Chip) developed at the Letilaboratory (see § ), we observed a reduction of the number of states (respectively, transitions) by a factor of 89 (respectively, 156).
Our Chp2Lotostranslator (currently, 2, 200lines of Syntaxcode, 13, 400lines of Lotos NTcode, and 3, 900lines of C code) was extended accordingly. We also added more examples to the test base (currently, about 500 Chpspecifications, corresponding to 14, 500lines of Chpcode). Chp2Lotoshas been tested on Solaris, Linux, and Windows.
We also started to investigate the verification of Tlm( Transaction Level Model) specifications. Compared to traditional Rtl( Register Transfer Level) models, Tlmmodels are more suitable for faster simulation, simultaneous development of software and hardware, and earlier hardware/software partitioning.
In this perspective, we are currently investigating the translation of (a Tlmsubset of) SystemCinto Lotosor Lotos NT(see § ). For this purpose, we studied the SystemCfront-end Pinapa , which we ported to the Solarisoperating system.
In collaboration with Gregor Goessler ( PopArtproject), we designed a translator that connects to Cadpthe Prometheustool developed by PopArt. This translator takes as input a model in the Bipformat of Prometheusand performs four main tasks:
It converts each sequential component of the Bipbehavior layer (a typical condition/action model) into a sequential Lotosprocess that will be translated automatically into a labeled transition system ( Bcgfile) using Cadp.
It converts the Bipinteraction layer into an Exp.openfile, which composes the Bcggraphs using synchronization vectors.
It takes into account the global constraints expressed in the Bipexecution layer either as invariants, or as interaction constraints that determine which transition can be fired (a special case of interaction constraints being priorities between transitions).
Such constraints impact the generation of Lotosand Exp.opendescribed in items 1. and 2. above in three ways. First, special actions, called observers, are added in Lotossequential processes to enable observation of local variables occurring in state invariants and/or interaction constraints. Second, synchronization vectors between observers are added to the Exp.openmodel to identify all states in which the invariants or interaction constraints are violated. Third, priorities are added to the Exp.openmodel to cut each transition that violates some interaction constraints, or whose source state violates some invariant.
It generates an Svlscript that manages the generation of the Bcgfiles described in item 2 above. This script can then be extended to explore the state space of the input Bipmodel on the fly using Exp.openand other Cadptools.
This translator was integrated as a new module in the Prometheustool. It was experimented on a hardware architecture.
In 2006, the Vasyproject team also worked on the following case studies:
We continued our collaboration with Antonella Chirichiello (University ``La Sapienza'', Rome) on the use of Lotosand Cadpto design and verify Webservices. This led to a new publication describing an e-business application specified in Lotos, verified with Cadp, and translated into the standard orchestration language Bpel.
In the context of the Senvacollaboration (see § ), we continued the study (undertaken in 2005) of a turntable system for drilling products. This industrial critical system is interesting because its distributed embedded controller is simple enough to have a concise formal description, but sufficiently complex to require formal analysis. This system was previously specified by Cwiand the University of Eindhoven using several languages ( , Crl, Promela, and timed automata) and analyzed with various tools .
We formally specified in Lotosa sequential and a distributed version of the controller embedded in the turntable system, and we formulated in regular alternation-free -calculus a set of safety and liveness properties characterizing its correct behavior. Using the Bisimulator(see § ) and Evaluator 3.5 (see § ) tools of Cadp, we checked the compatibility between both versions of the controller and their correctness with respect to the temporal properties. This activity led to the publication of a book chapter .
In the context of the FormalFame Pluscontract (see § ), we worked on a critical part of Bull's Fame2 multiprocessor architecture, the Pab( Pipeline and Active transaction Block), for which Bullwrote a Lotos NTspecification ( 3, 977lines of Lotos NT) that was translated to Lotos( 5, 145lines of Lotos) using our Lnt2Lotostool suite (see § ).
This specification was used for two purposes. On the one hand, it allowed to generate execution traces that were used to test the Verilogcode of the Pab; this allowed Bullto detect coding errors. On the other hand, it was used to verify the correctness of the Pabprotocol itself. Confronted to state explosion issues, we performed several experiments:
We first optimized the Lotosspecification, taking into account the symmetries induced by lists containing the same elements in different order. We introduced sorted lists instead of simple lists and provided external C code to reduce memory usage. This divided the state space size by a factor of 2.4(from 900, 000states down to 379, 000states), the generation time by 37 (from 1 hour 19 minutes to 2 minutes 8 seconds), and the memory usage by 6.3(from 189 down to 30 MBytes).
Using the Distributortool running on the GrImagecluster of InriaRhône-Alpes (36 processors: 10 bi- Opteronat 2 GHz and 8 bi- Xeonat 3 GHz with 1 GByte Rameach), we were able to generate a state space of 10 million states and 14 million transitions in 2 minutes.
Finally, Bullmanaged to split the Pabspecification in two independent parts, replacing the generation of one single, large graph by the generation of two separate, smaller graphs. Bullalso simplified the specification based on symmetry arguments. After these simplifications, Bullcould generate the graph on a single sequential machine in a few hours.
In the context of the Inria/Leticollaboration (see § ), we pursued the study (undertaken in 2005) of the FaustNo c( Network on Chip) circuit developed by the Letilaboratory.
In 2006, we focused on the communication interconnect part of Faust , which routes packets (consisting of several 34-bit flits) between the 23 components of the Faustcircuit. This interconnect is described in the hardware process calculus Chp( Communicating Hardware Processes) and implemented, at the Rtllevel, in asynchronous logic. The interconnect has 23 communication nodes, one per component. Each communication node consists of five input and five output controllers. Each input controller dispatches incoming flits to one out of four output controllers, and each output controller arbitrates between four input controllers.
To carry out the compositional verification of an input controller, we used the following steps:
First, applying the idea of data independence, we reduced the potential state space from 10 ^{25}to 5.10 ^{16}states by setting parts of the flits to a fixed bit pattern. Then, we further reduced the state space to a manageable size by considering several scenarios (sequences of 4 flits) carefully chosen according to the properties to be verified (e.g., data integrity and correct routing of flits/packets). These two reductions were obtained by introducing additional Chpprocesses, called ``traffic generators'', which restrict the environment of the input controller by providing meaningful inputs only. Applying our Chp2Lotostranslator (see § ) to the Chpdescription of the input controller (500 lines of Chpcode) connected to each traffic generator (about 700 lines of Chpcode), we produced a set of Lotosspecifications in less than one second.
Second, for each Lotosspecification, we generated the corresponding state space using the compositional verification techniques of Cadp(see § ) using a generic Svlscript (41 steps, 450 lines of Svlcode); for a typical scenario, the generated state space had 1,300 states and 3,116 transitions, and the largest intermediate state space had 295,893 states and 812,283 transitions.
Third, we used the equivalence checking and model checking tools of Cadpto verify seven properties, such as absence of deadlocks, correctness of the communication protocol, integrity of the transmitted data, and correctness of flit/packet routing. These verification steps were automated using an Svlscript (250 lines of Svlcode).
We were able to exhibit a routing error in the Chpdescription. Although this error had been already found (and fixed) manually during the synthesis of the Faustcircuit (it required more than 500,000 steps to replay the error in the Tastnative simulator for Chp), our approach based on Chp2Lotosand Cadpallowed to detect the error automatically in less than 15 minutes.
This work led to a joint Inria/Letipublication .
We continued our collaboration with Estelle Dumas, Hidde de Jong, and Delphine Ropers ( Helixproject team of InriaRhône-Alpes) for connecting Cadpand the Gna( Genetic Network Analyzer) tool developed by Helixin order to verify temporal properties of genetic regulatory networks.
Gnaprovides a simulator of qualitative models of genetic regulatory networks in the form of piecewise-linear differential equations. The output of the simulator is a Kripke structure (i.e., a state-transition graph in which the relevant information is associated to states) that can also be exported by Gnaas a labeled transition system, thus enabling a direct connection with Cadp. This allows to enhance Gnawith verification features.
In practice, Gnais used mainly by biologists, who are not necessarily familiar with computer science and formal verification. For this community, we are studying a transparent connection between Cadpand Gnabased on a client-server architecture, in which Cadpis installed on a single server and several instances of Gnaare running on remote client machines. A client sends Kripke structure files and temporal properties to the server and gets back verdicts and diagnostics. A prototype connection based on Webservices was developed and experimented on several biologically-relevant examples.
Other teams also used the Cadptoolbox for various case studies. To cite only recent work not already described in previous Vasyactivity reports, we can mention:
the verification of the Transport Layer Security protocol ,
the test case generation using mutation-based testing techniques , ,
the solving of scheduling problems using untimed model checking , ,
the formal analysis of an automatic document feeder ,
the formal analysis and verification of a digital rights management protocol ,
the verification of privacy using observational determinism ,
the performability analysis of the European Train Control System ,
the verification of a WiFiInternet access system available in airports .
Other research teams took advantage of the software components provided by Cadp(e.g., the Bcgand Open/Cæsarenvironments) to build their own research software. We can mention the following developments:
an environment for the verification of the VoDkavideo-on-demand system ,
the Adaptortool, developed at the Ibisclaboratory (Evry), which allows the automatic generation of adaptors between differing component interfaces,
the Ve statool , , developed at the Lifclaboratory (Besançon), which allows the verification of divergence-sensitive and stability respecting -simulation for component-based timed systems,
the Annotatortool , developed at the university of Málaga (Spain), for the static analysis of software,
a framework for model checking socket-based concurrent C programs , developed at the university of Málaga (Spain),
the Vercorsplatform for model checking distributed components, developed by the Oasisproject team at InriaSophia-Antipolis.
Finally, a textbook was published, which uses Cadpas a software support for teaching concurrency theory.
There is a long-standing collaboration between Vasyand Bull, which aims at demonstrating that the formal methods and tools developed at Inriacan be successfully applied to Bull's multiprocessor architectures. The objective is to develop a complete and integrated solution supporting formal specification, simulation, rapid prototyping, verification, and testing.
Between 1995 and 1998, two case studies were successfully tackled using Cadp: the PowerScalebus arbitration protocol and the PolyKidmultiprocessor architecture .
Between 1998 and 2004, the collaboration focused on Fame, the Cc-Numamultiprocessor architecture used in Bull's NovaScaleseries of high-performance servers based on Intel Itaniumprocessors. The Cadptools have been used to validate a crucial circuit of Fame– the Fss( Fame Scalability Switch) – that implements the cache coherency protocol.
In 2004, the collaboration was renewed by a followup contract named FormalFame Plus, which, in 2005, was extended for two more years. FormalFame Plusaims at enhancing the performance and usability of the Cadptools to address the Fame2 multiprocessor architecture under design at Bullfor their future high-end servers.
In 2006, the contributions of Vasyto FormalFame Pluswere the following:
We continued the development of our Lnt2Lotostool suite (see § ), which was used by Bull.
We experimented various abstraction and verification techniques on a critical part of Bull's Fame2 multiprocessor architecture (see § ).
The FormalFame Pluscontract will find its continuation in the Multivalproject (see § ).
Multival( Validation of Multiprocessor Multithreaded Architectures) is a project of Minalogic, the French pôle de compétitivitédedicated to micro-nano technologies and embedded software for systems on chip ( Emsoccluster). Multivaladdresses verification and performance evaluation issues for three innovative asynchronous architectures developed by Bull, Cea/Leti, and ST Microelectronics.
In 2006, Multivalwas approved for joint funding by the French government ( Fonds de compétitivité des entreprises) and Conseil général de l'Isère. Multivalstarted in December 2006 for three years.
OpenEmbeDDis a French national project of Rntl( Réseau National des Technologies Logicielles). The goal of OpenEmbeDDis to develop an open-source, generic, standard software engineering platform for real-time embedded systems, such as those developed by Airbus, Cs, France Telecom, and Thales. Within an Eclipseframework, this platform will combine the principles of model-driven engineering with those of formal methods.
OpenEmbeDDstarted in May 2006 for three years. In 2006, our contributions focused on the identification of a model-based architecture for Cadpand the definition of the Fiacreintermediate model for embedded systems (see § ).
TopCased( Toolkit in OPen-source for Critical Application and SystEms Development) is a project of Aese, the French pôle de compétitivitédedicated to aeronautics, space, and embedded systems. This project gathers 23 partners, including companies developing safety-critical systems such as Airbus(leader), Astrium, Atos Origin, Cs, Siemens Vdo, and Thales Aerospace.
TopCaseddevelops a modular, open-source, generic Caseenvironment providing methods and tools for embedded system development, ranging from system and architecture specifications to software and hardware implementation through equipment definition. Vasycontributes in the combination of model-driven engineering and formal methods for asynchronous systems.
TopCasedstarted in August 2006 for four years. In 2006, we worked along the following lines:
We contributed actively to the Airbusproposal for adding a behavioral annex to Aadl( Architecture Analysis & Design Language), the Sae( Society of Automotive Engineers) standard architecture description language for embedded real-time systems. The behavioral annex provides structured statements inspired from Ntif that describe data computations using a ``big steps'' semantics, which avoids splitting these computations into many smaller, less efficient steps. The behavioral annex will be submitted for balloting in early 2007.
We undertook the design of an integrated development environment for Cadpbased on Eclipse (see § ).
We started a study of time models so as to identify time models which are both equipped with effective verification algorithms and appropriate to describe asynchronous systems with data and time.
H. Garavel is the Inriarepresentative at the TopCasedexecutive committee, for which he served as the secretary during the elaboration phase of the TopCasedproposal.
In 2006, Vasycontributed to the submission of the Ec-Moan( Scalable modeling and analysis techniques to study emergent cell behavior: Understanding the E. coli stress response) proposal, which was accepted for funding within the Nest PathfinderEuropean program. Ec-Moanaims at the development of new, scalable methods for modeling and analyzing integrated genetic, metabolic, and signaling networks, and the application of these methods for a better understanding of a bacterial model system. Ec-Moanwill start in February 2007 for three years.
The Vasyproject team plays an active role in the joint research center launched in 2004 between InriaRhône-Alpes and the Letilaboratory of Cea-Grenoble. In co-operation with Letiscientists (Edith Beigné, François Bertrand, Fabien Clermidy, Yvain Thonnart, and Pascal Vivet), Vasydevelops software tools for the design of asynchronous circuits and architectures such as Gals( Globally Asynchronous Locally Synchronous), No cs ( Networks on Chip), and So cs ( Systems on Chip). In 2006, our work focused on the Chp2Lotostranslator (see § ) and its application to the Faustarchitecture (see § ).
Together with the Oasisproject team of InriaSophia-Antipolis (Antonio Cansado and Eric Madelaine), the Ltciteam of Enst-Paris (Irfan Hamid, Elie Najm, and Sylvie Vignes), the Svfteam of the Laas-Cnrslaboratory (Bernard Berthomieu, Florent Peres, and François Vernadat), and the Mvrteam of Irit(Mamoun Filali), Vasyparticipates to the national action Fiacre( Aci Sécurité Informatique) started in 2004 (see http://www-sop.inria.fr/oasis/fiacre). In 2006, we implemented new interconnections (see § ) between Cadp, the Tinatoolbox developed by Svf, and the Vercorsplatform developed by Oasis. We also undertook the definition of the Fiacreintermediate model (see § ).
Additionally, we collaborated in 2006 with several Inriaproject teams:
Helix(Rhône-Alpes): applications of model checking to biological systems (Estelle Dumas, Hidde de Jong, Pedro Monteiro, Michel Page, and Adrien Richard);
Oasis(Sophia-Antipolis): collaboration in the framework of the Fiacrenational action (Antonio Cansado and Eric Madelaine);
PopArt(Rhône-Alpes): combination of the Cadpand Prometheuscompositional verification tools (Gregor Goessler).
Beyond Inria, we had sustained scientific relations with the following teams:
Laas-Cnrslaboratory (Toulouse): collaboration in the framework of the Fiacre, OpenEmbeDD, and TopCasedprojects (Bernard Berthomieu and François Vernadat);
Liplaboratory (Lyon): until November 2006, R. Mateescu had a part-time (20%) collaboration with the Plumeteam;
Le2ilaboratory (Dijon): since December 2006, R. Mateescu is hosted by the computer science team of Le2i.
The Vasyproject team of Inriaand the Sen2team of Cwicollaborate in Senva, a joint research team on safety-critical systems (see http://www.inrialpes.fr/vasy/senva). Launched in 2004, the Senvateam is supported by Inria's European and International Affairs Department and by Cwi. The first three years of Senvahave been favorably evaluated by a panel of international experts in November 2006.
The Vasyproject team is member of the Fmics( Formal Methods for Industrial Critical Systems) working group of Ercim(see http://www.inrialpes.fr/vasy/fmics). From July 1999 to July 2001, H. Garavel chaired this working group. Since July 2002, he is member of the FmicsBoard, in charge of dissemination actions. Within Fmics, R. Mateescu contributes to the preparation of a ``Formal Methods Handbook''.
H. Garavel is a member of Ifip( International Federation for Information Processing) Technical Committee 1 ( Foundations of Computer Science) Working Group 1.8 on Concurrency Theory, launched in 2005 and chaired by Luca Aceto.
H. Garavel is a member of the technical committee ( ETItorial Board) of the Eti( Electronic Tool Integration) software development platform (see http://jeti.cs.uni-dortmund.de/).
In addition to our partners in aforementioned contractual collaborations, we had scientific relations in 2006 with several international universities and research centers, including:
Imperial College (Jeff Kramer and Jeff Magee),
University of Málaga (Carlos Canal and Pedro Merino) , , and
University ``La Sapienza'' of Rome (Antonella Chirichiello and Benjamin Habegger) .
In 2006, we had the following scientific exchanges:
Jaco van de Pol ( Cwi, Amsterdam, The Netherlands) visited us on January 26, 2006.
Christian Attiogbé (University of Nantes) visited us on March 6, 2006 and gave a talk entitled `` Composants logiciels : spécification, composition et vérification avec Kmelia''.
Pascal Poizat (University of Evry – Val d'Essonne) visited us on May 15–19, 2006. He gave a talk entitled `` Adaptation logicielle – une approche automatisée basée sur des expressions régulières de vecteurs de synchronisation''.
The annual Senvaseminar was held in Venosc on June 12–14, 2006. In addition to the Vasyproject team, Manuel Baclet ( Enseeiht), Jens Calamé, Natalia Ioustinova, Jaco van de Pol, Michael Weber, and Anton Wijs ( Cwi, Amsterdam), Wan Fokking (Free University of Amsterdam), Rodolfo S. Gomez and Li Su (University of Kent), and Sylvain Peyronnet ( Epita) attended this seminar. The list of talks is available from http://www.inrialpes.fr/vasy/senva/workshop2006.
Sylvie Lesmanne, Jacques Abily, and Azedine Abdelli ( Bull) visited us on June 29–30, 2006.
The Vasyproject team distributes two main software tools: the Cadptoolbox (see § ) and the Traiancompiler (see § ). In 2006, the main facts are the following:
We prepared and distributed 15 successive beta-versions (2004-h, ..., 2004-k, 2005-a, ..., 2005-k) of Cadp, leading to a stable version named Cadp2006 ``Edinburgh'', released on December 12, 2006.
The number of license contracts signed for Cadpincreased from 345 to 366.
We were requested to grant Cadplicenses for 822 different computers in the world.
The Traiancompiler was downloaded by 59 different sites.
The Vasy Website (see http://www.inrialpes.fr/vasy) was regularly updated with scientific contents, announcements, publications, etc.
In 2006, the members of Vasyassumed the following responsibilities:
H. Garavel was, together with John Hatcliff (Kansas State University), responsible for a special issue of the Sttt( Software Tools for Technology Transfer) journal, which gathers the best software-oriented papers of Tacas'2003.
H. Garavel was, together with John Hatcliff (Kansas State University), responsible for a special issue of the Tcs( Theoretical Computer Science) journal, which gathers the best theory-oriented papers of Tacas'2003.
H. Garavel was a steering committee member of the Pdmc( Parallel and Distributed Methods in Verification) series of international workshops.
H. Garavel was a program committee member of Tacas'2006 ( 12th International Conference on Tools and Algorithms for the Construction and Analysis of Systems, Vienna, Austria, March 25 – April 2, 2006).
R. Mateescu was a program committee member of Msvveis'2006 ( 4th International Workshop on Modeling, Simulation, Verification, and Validation of Enterprise Information Systems, Paphos, Cyprus, May 23–24, 2006).
R. Mateescu was a program committee member of Iccgi'2006 ( International Conference on Computing in the Global Information Technology, Bucharest, Romania, August 1–3, 2006).
R. Mateescu was a program committee member of Fmics'2006 ( 11th International Workshop on Formal Methods for Industrial Critical Systems, Bonn, Germany, August 26–27, 2006).
H. Garavel was a program committee member of Pdmc'2006 ( 5th International Workshop on Parallel and Distributed Methods in Verification, Bonn, Germany, August 31, 2006).
R. Mateescu was a program committee member of Ewsa'2006 ( 3rd European Workshop on Software Architectures, Nantes, France, September 4–5, 2006).
R. Mateescu was a program committee member of Cal'2006 ( 1ère Conférence Francophone sur les Architectures Logicielles, Nantes, France, September 6–8, 2006).
H. Garavel was a program committee member of Forte'2006 ( 26th IFIP WG 6.1 International Conference on Formal Techniques for Networked and Distributed Systems, Paris, France, September 26–29, 2006).
R. Mateescu was a program committee member of Icsea'2006 ( International Conference on Software Engineering Advances, Tahiti, French Polynesia, October 29 – November 1st, 2006).
In 2006, we gave talks in several international conferences and workshops (see bibliography below). Additionally:
R. Mateescu gave a talk entitled `` Vérification à la volée basée sur les systèmes d'équations booléennes'' at the Lifclaboratory (Besançon, France) on January 19, 2006.
R. Mateescu gave a talk entitled `` Modélisation et analyse des systèmes parallèles asynchrones'' at the Le2ilaboratory (Dijon, France) on February 8, 2006.
G. Salaün visited the research group of professors Jeff Kramer and Jeff Magee, Imperial College (London, UK) between January 19 and February 17, 2006.
F. Lang gave a talk entitled `` Propositions d'extensions temporisées pour Ntif '' at Enst(Paris, France) on February 13–14, 2006.
G. Salaün gave a talk entitled `` How Process Algebra Can Contribute to the Formal Development of Web Services'' at the University of Málaga (Spain) on March 16, 2006.
H. Garavel and R. Mateescu visited Cwi(Amsterdam, The Netherlands) on April 2–4, 2006. R. Mateescu gave a talk entitled `` Sequential and Distributed Test Generation using Boolean Equation Systems''. H. Garavel gave a talk entitled `` State Space Reduction for Process Algebra Specifications'' and a position statement on future projects.
H. Garavel gave a talk entitled `` Validation d'architectures multiprocesseurs à l'aide des outils Cadp '' at the La brilaboratory (Bordeaux, France) on April 27, 2006.
H. Garavel gave a talk entitled `` Validation d'architectures multi-processeurs : 10 ans de collaboration Bull - Inria '' at Cea/Dam(Bordeaux, France) on April 28, 2006.
F. Lang gave two talks entitled `` An Overview of Cadp 2006'' and `` Translating the Lotos NT Data Part into Lotos Abstract Data Types'' at InriaSophia-Antipolis (France) on July 6–7, 2006.
W. Serwe gave a talk entitled `` An Overview of Cadp 2006'' at the Dagstuhl seminar Nr. 06351 on August 27–September 1st, 2006.
G. Salaün gave a talk entitled `` Translating Chp into Lotos for the Verification of Asynchronous Hardware Designs with Cadp '' at Microsoft Research (Cambridge, United Kingdom) on November 2, 2006.
H. Garavel and R. Mateescu visited Cwi(Amsterdam, The Netherlands) on November 6–9, 2006. R. Mateescu gave a Pam( Process Algebra Meeting) talk entitled `` Cæsar_Solve: A Generic On-the-Fly Solver for Alternation-Free Boolean Equation Systems and its Applications to Verification'' on November 8, 2006.
H. Garavel gave a talk entitled `` Practical applications of process calculi in industrial projects'' at the LixColloquium on Emerging Trends in Concurrency Theory (Ecole Polytechnique, Palaiseau, France) on November 13–15, 2006.
F. Lang gave a talk entitled `` Refined Interfaces for Compositional Verification'' at Laas-Cnrslaboratory (Toulouse, France) on November 20–21, 2006.
G. Salaün gave a talk entitled `` Software Adaptation: An Approach based on Synchronization Vectors and Regular Expressions'' at the University of Málaga (Spain) on November 22, 2006.
H. Garavel gave a talk entitled `` Cadp 2006 from a Model Driven Perspective'' at InriaRennes (France) on November 22–23, 2006.
The Vasyproject team is a host team for the computer science master entitled `` Mathématiques, Informatique, spécialité : Systèmes et Logiciels'', common to Institut National Polytechnique de Grenoble and Université Joseph Fourier.
In 2006:
F. Lang and W. Serwe gave the course on `` Temps Réel'' to the 3rd year students of Ensimag(18 hours).
R. Mateescu was a jury member of Gavril Godza's PhD thesis entitled `` Contribuţii la elaborarea sistemelor distribuite tolerante la defecte'', defended at Polytechnic University of Bucharest (Romania) on February 27, 2006.
F. Lang was a jury member of Ylies Falcone's MSc thesis (DEA) entitled `` Un cadre formel pour le test de politiques de sécurité'', defended at Université Joseph Fourier (Grenoble) on June 21, 2006.
F. Lang supervised, jointly with Gregor Goessler ( PopArtproject team), the MSc thesis of A. M. Khan entitled `` Connection of Compositional Verification Tools for Embedded Systems'', defended at Université Joseph Fourier (Grenoble) on June 21, 2006.
R. Mateescu was a jury member of Rémi Brochenin's MSc thesis entitled `` Techniques d'automates pour raisonner sur la mémoire'', defended at Ecole Normale Supérieure de Lyon on June 26, 2006.
R. Mateescu supervised the internship ( mémoire d'ingénieur) of D. Thivolle entitled `` Développement d'un évaluateur pour une logique temporelle étendue'', defended at EPITA(Paris) on July 3, 2006.
H. Garavel was a jury member of Marie Lalire's PhD thesis entitled `` Développement d'une notation algorithmique pour le calcul quantique'', defended at Institut National Polytechnique de Grenoble on October 19, 2006.
R. Mateescu was a jury member of Emilie Oudot's PhD thesis entitled `` Contributions à la vérification incrémentale des systèmes temporisés à composants'', defended at Université de Franche Comté (Besançon) on December 7, 2006.
R. Mateescu was elected suppliant member of the `` Commission de spécialistes'' at Université de Bourgogne (section 27).
H. Garavel was a jury member of Leila Kloul's habilitation thesis entitled `` From Performance Analysis to Performance Engineering: Some Ideas and Experiments'', defended at Université de Versailles-Saint-Quentin-en-Yvelines on December 8, 2006.
H. Garavel supervised the internship ( mémoire Cnam ) of J. Fereyre entitled `` Conception et amélioration d'outils logiciels pour la vérification distribuée'', to be defended in 2007.
F. Lang and H. Garavel supervised the internship ( mémoire Cnam ) of N. Lépy entitled `` Environnement de développement intégré sous Eclipse pour la vérification des systèmes concurrents'', to be defended in 2007.
D. Champelovier participated to the design group for the new InriaRhône-Alpes Website.
H. Garavel is a member of the computing facilities committee of InriaRhône-Alpes.
H. Garavel is a member of the recruitment committees for `` chargés de recherche 2ème classe'' and `` ingénieurs associés'' at InriaRhône-Alpes.
Within the Emsoc/ Atelier du Futurprogram of the Minalogic pôle de compétitivité, H. Garavel is a member of the working group (6 persons) in charge of making proposals for governance and project selection.
F. Lang participates to the consultative organizational committee of InriaRhône-Alpes.
F. Lang leads the working group (5 persons) in charge of proposing a new distribution of offices among the research and administrative teams located in the Inriabuilding of Montbonnot.
W. Serwe is a member of the continuous training committee of InriaRhône-Alpes.