We work on the problem of the safe design of real-time control systems. This area is related to control theory as well as computer science. Application domains are typically safety-critical systems, as in transportation (avionics, railways), production, medical or energy production systems. Both methods and formal models for the construction of correct systems, as well as their implementation in computer assisted design tools, targeted to specialists of the applications, are needed. We contribute to propose solutions all along the design flow, from the specification to the implementation: we develop techniques for the specification and automated generation of safe real-time executives for control systems, as well as static analysis techniques to check additional properties on the generated systems. Our research themes concern:

implementations of synchronous reactive programs, generated automatically by compilation, particularly from the point of view of distribution (in relation with the
Lustre

high-level design and programming methods, with support for automated code generation, including: the automated generation of correct controllers using discrete control
synthesis (in relation with Mode Automata and
Signal

static analysis and abstract interpretation techniques, which are applied both to low-level synchronous models/programs and to more general imperative programs; this includes the verification of general safety properties and the absence of runtime errors.

Our applications are in embedded systems, typically in the robotics, automotive, and telecommunications domains with a special emphasis on dependability issues (
*e.g.*, fault tolerance, availability). International and industrial relations feature:

an
ISTEuropean FP7 network of excellence:
ArtistDesign

an FP7 European STREP project:
Combest

an
ArtemisiaEuropean project:
Cesar

three ANR French projects: Asopt(on static analysis), AutoChem(on chemical programming), and Vedecy(on cyber-physical systems);

a MinalogicPôle de Compétitivité project: OpenTLM, dedicated to the design flow for next generation SoC and SystemC;

an
Inrialarge scale action:
Synchronics

The context of our work is the area of embedded real-time control systems, at the intersection between control theory and computer science. Our contribution consists of methods and tools for their safe design. The systems we consider are intrinsically safety-critical because of the interaction between the embedded, computerized controller, and a physical process having its own dynamics. What is important is to analyze and design the safe behavior of the whole system, which introduces an inherent complexity. This is even more crucial in the case of systems whose malfunction can have catastrophic consequences, for example in transport systems (avionics, trains), production, medical, or energy production systems.

Therefore, there is a need for methods and tools for the design of safe systems. The definition of adequate mathematical models of the behavior of the systems allows the definition of formal calculi. They in turn form a basis for the construction of algorithms for the analysis, but also for the transformation of specifications towards an implementation. They can then be implemented in software environments made available to the users. A necessary complement is the setting-up of software engineering, programming, modeling, and validation methodologies. The motivation of these problems is at the origin of significant research activity, internationally and in particular, in the European ISTnetwork of excellence ArtistDesign(Advanced Real-Time Systems).

The state of the art upon which we base our contributions, is twofold.

From the point of view of discrete control, there is a set of theoretical results and tools, in particular in the synchronous approach, often founded on finite or infinite labeled transition systems , . During the past years, methodologies for the formal verification , , control synthesis and compilation, as well as extensions to timed and hybrid systems , have been developed. Asynchronous models consider the interleaving of events or messages, and are often applied in the field of telecommunications, in particular for the study of protocols. A well-known formalism for reactive systems is StateCharts , which can be encoded in a synchronous model .

From the point of view of verification, we use the methods and tools of symbolic model-checking and of abstract interpretation. From symbolic model-checking, we reuse BDD techniques
for manipulating Boolean functions and sets, and their MTBDD
extension for more general functions. Abstract interpretation
is used to formalize complex static analysis, in particular when
one wants to analyze the possible values of variables and pointers of a program. Abstract interpretation is a theory of approximate solving of fix-point equations applied to program analysis.
Most program analysis problems, among others reachability analysis, come down to solving a fix-point equation on the state space of the program. The exact computation of such an equation is
generally not possible for undecidability (or complexity) reasons. The fundamental principles of abstract interpretation are:
(
i)to substitute to the state-space of the program a simpler domain and to transpose the equation accordingly (static approximation); and
(
i
i)to use extrapolation (widening) to force the convergence of the iterative computation of the fix-point in a finite number of steps (dynamic approximation).
Examples of static analysis based on abstract interpretation are linear relation analysis
and shape analysis
.

The synchronous approach

The design of safe real-time control systems is difficult due to various issues, among them their complexity in terms of the number of interacting components, their parallelism, the difference of the considered time scales (continuous or discrete), and the distance between the various theoretical concepts and results that allow the study of different aspects of their behaviors, and the design of controllers.

A currently very active research direction focuses on the models and techniques that allow the automatic use of formal methods. In the field of verification, this concerns in particular the technique of model checking. The verification takes place after the design phase, and requires, in case of problematic diagnostics, expensive backtracks on the specification. We want to provide a more constructive use of formal models, employing them to derive correct executives by formal computation and synthesis, integrated in a compilation process. We therefore use models throughout the design flow from specification to implementation, in particular by automatic generation of embeddable executives.

Applicative needs initially come from the fields of safety-critical systems (avionics, energy) and complex systems (telecommunication), embedded in an environment with which they strongly interact (comprising aspects of computer science and control theory). Fields with less criticality, or which support variable degrees of quality of service, such as in the multi-media domain, can also take advantage of methodologies that improve the quality and reliability of software, and reduce the costs of test and correction in the design.

Industrial acceptance, the dissemination, and the deployment of the formal techniques inevitably depend on the usability of such techniques by specialists in the application domain — and not in formal techniques themselves — and also on the integration in the whole design process, which concerns very different problems and techniques. Application domains where the actors are ready to employ specialists in formal methods or advanced control theory are still uncommon. Even then, design methods based on the systematic application of these theoretical results are not ripe. In fields like industrial control, where the use of PLC (Programmable Logic Controller ) is dominant, this question can be decisive.

Essential elements in this direction are the proposal of realistic formal models, validated by experiments, of the usual entities in control theory, and functionalities (
*i.e.*, algorithms) that correspond indeed to services useful for the designer. Take for example the compilation and optimization taking into account the platforms of execution,
possible failures, or the interactions between the defined automatic control and its implementation. A notable example for the existence of an industrial need is the activity of the
Athyscompany (now belonging to
Dassault
Systemes) concerning the development of a specialized programming environment,
CellControl, which integrates synchronous tools for compilation and verification, tailored to the application domain. In these areas, there are
functionalities that commercial tools do not have yet, and to which our results contribute.

We are proposing effective trade-offs between, on the one hand, expressiveness and formal power, and on the other hand, usability and automation. We focus on the area of specification and construction of correct real-time executives for discrete and continuous control, while keeping an interest in tackling major open problems, relating to the deployment of formal techniques in computer science, especially at the border with control theory. Regarding the applications, we propose new automated functionalities, to be provided to the users in integrated design and programming environments.

The objective of the
Pop Artteam is the
**safe design of real-time control systems**. This area is related to control theory as well as computer science. Application domains are typically safety-critical systems, as in
transportation (avionics, railways), production, medical or energy production systems. Both methods and formal models for the construction of correct systems are needed. Such methods must be
implemented in computer-assisted design tools, targeted at specialists of the application domains.

Our contribution is to propose solutions covering the entire design flow, from the specification to the implementation. We develop techniques for the specification and automated generation of safe real-time executives for control systems, as well as static analysis techniques to check additional properties on the generated systems.

The integration of formal methods in an automated process of generation/compilation is founded on the formal modeling of the considered mechanisms. This modeling is the base for the automation, which operates on models well-suited for their efficient exploitation, by analysis and synthesis techniques that are difficult to use by end-users.

The creation of easily usable models aims at giving the user the role rather of a pilot than of a mechanics
*i.e.*, to offer her/him pre-defined functionalities which respond to concrete demands, for example in the generation of fault tolerant or distributed executives, by the intermediary
use of dedicated environments and languages.

The proposal of validated models with respect to their faithful representation of the application domain is done through case studies in collaboration with our partners, where the typical multidisciplinarity of questions across control theory and computer science is exploited.

The overall consistency of our approach comes from the fact that the main research directions address, under different aspects, the specification and generation of safe real-time control
executives based on
*formal models*.

We explore this field by linking, on the one hand, the techniques we use, with on the other hand, the functionalities we want to offer. We are interested in questions related to:

We investigate two main directions: (i) compositional analysis and design techniques; (ii) adapter synthesis and converter verification.

Programming for embedded real-time systems is considered within Pop Artalong three axes: (i) synchronous programming languages, (ii) aspect-oriented programming, (iii) static analysis (type systems, abstract interpretation, ...).

Here we address the following research axes: (i) static multiprocessor scheduling for fault-tolerance, (ii) multi-criteria scheduling for reliability, (iii) automatic program transformations, (iv) formal methods for fault-tolerant real-time systems.

Component-based construction techniques are crucial to overcome the complexity of embedded systems design. However, two major obstacles need to be addressed: the heterogeneous nature of the models, and the lack of results to guarantee correction of the composed system.

The heterogeneity of embedded systems comes from the need to integrate components using different models of computation, communication, and execution, on different levels of abstraction and different time scales. The BIP component framework has been designed, in cooperation with Verimag, to support this heterogeneous nature of embedded systems.

Our work focuses on the underlying analysis and construction algorithms, in particular compositional techniques and approaches ensuring correctness by construction (adapter synthesis, strategy mapping). This work is motivated by the strong need for formal, heterogeneous component frameworks in embedded systems design.

Programming for embedded real-time systems is considered along three directions: (i) synchronous programming languages to implement real-time systems; (ii) aspect-oriented programming to specify non-functional properties separately from the base program; (iii) abstract interpretation to ensure safety properties of programs at compile time. We advocate the need for well defined programming languages to design embedded real-time systems with correct-by-construction guarantees, such as bounded time and bounded memory execution. Our original contribution resides in programming languages inheriting features from both synchronous languages and functional languages. In collaboration with Marc Pouzet (University of Orsay – Paris Sud, LRI lab), we have designed the programming language heptagon, the key features of which are: data-flow formal synchronous semantics, strong typing with type inference, and polymorphism. In particular, we are working on type systems for the clock calculus and the spatial modular distribution.

The goal of Aspect-Oriented Programming (AOP) is to isolate aspects (such as security, synchronization, or error handling) that cross-cut the program basic functionality and whose implementation usually yields tangled code. In AOP, such aspects are specified separately and integrated into the program by an automatic transformation process called weaving. Although this new paradigm has great practical potential, it still lacks formalization and undisciplined uses make reasoning on programs very difficult. Our work on AOP addresses these issues by studying foundational issues of AOP (semantics, analysis, verification) and by considering domain-specific aspects (availability or fault tolerance aspects) as formal properties.

Finally, the aim of the verification activity in Pop Artis to check (safety) properties on programs, with emphasis on the analysis of the values of data variables (numerical variables, memory heap), mainly in the context of embedded and control-command systems, which exibit concurrency features. The applications are not only the proof of functional properties on programs, but also test selection and generation, program transformation, controller synthesis, and fault-tolerance. Our approach is based on abstract interpretation, which consists in inferring properties of the program, by solving semantic equations on abstract domains. Much effort is spent on implementing developed techniques in tools for experimentation and diffusion.

Embedded systems must often satisfy safety critical constraints. We address this issue by providing methods and algorithms to design embedded real-time systems with guarantees on their fault-tolerance and/or reliability level.

A research direction concerns static multiprocessor scheduling of an application specification on a distributed target architecture. We increase the fault-tolerance level of the system by
replicating the computations and the communications, and we schedule the redundant computations according to the faults to be tolerated. We also optimize the schedule
*w.r.t.*several criteria, including the schedule length, the reliability, and the power consumption.

A second research direction concerns the fault-tolerance management, by reconfigurating the system (for instance by migrating the tasks that were running on a processor upon the failure of this processor) following objectives of fault-tolerance, consistent execution, functionality fulfillment, boundedness and optimality of response time. We base such formal methods on discrete controller synthesis.

A third research direction concerns AOP to weave fault-tolerance aspects in programs as mentioned in the previous section.

Our applications are the embedded system area, typically: robotics, automotive, telecommunications, systems on chip (SoC). In some areas, safety is critical, and motivates the investment in formal methods and techniques for design. But even in less critical contexts, like telecommunications and multimedia, these techniques can be beneficial in improving the efficiency and quality of designs, as well as the design, production and test costs themselves.

Industrial acceptance of formal techniques, as well as their deployment, goes necessarily through their usability by specialists of the application domain, rather than of the formal
techniques themselves. Hence our orientation towards the proposal of domain-specific (but generic) realistic models, validated through experience (
*e.g.*, control tasks systems), based on formal techniques with a high degree of automation (
*e.g.*, synchronous models), and tailored for concrete functionalities (
*e.g.*, code generation).

The commercially available design tools (such as
UMLwith real-time extensions,
Matlab/
Simulink/ d
Space

Regarding the synchronous approach, commercial tools are available:
Scade(based on
Lustre),
Esterel Studio

Regarding applications and case studies with industrial end-users of our techniques, we cooperate with STMicroelectronics on compositional analysis and abstract interpretation for the TLM-based System-on-Chip design flow.

NBac(Numerical and Boolean Automaton Checker)

NBacis connected to two input languages: the synchronous dataflow language Lustre, and a symbolic automaton-based language, AutoC/Auto, where a system is defined by a set of symbolic hybrid automata communicating via valued channels. It can perform reachability analysis, co-reachability analysis, and combination of the above analyses. The result of an analysis is either a verdict to a verification problem, or a set of states together with a necessary condition to stay in this set during an execution. NBacis founded on the theory of abstract interpretation: sets of states are approximated by abstract values belonging to an abstract domain, on which fix-point computations are performed.

It has been used for verification and debugging of
Lustreprograms
. It is connected to the
Lustretoolset

The BIP component model (Behavior, Interaction model, Priority) has been designed to support the construction of heterogeneous reactive systems involving different models of computation, communication, and execution, on different levels of abstraction. By separating the notions of behavior, interaction model, and execution model, it enables both heterogeneous modeling, and separation of concerns.

The verification and design tool Prometheus implements the BIP component framework. Prometheus is regularly updated to implement new developments in the framework and the analysis algorithms. It has allowed us to carry out several complex case studies from the system-on-chip and bioinformatics domains.

Ocrepdistributes automatically synchronous programs according to specifications given by the user. Concretely, starting from a centralized source synchronous program obtained either with the Lustreor the Esterelcompiler, from a number of desired computing locations, and an indication of where each input and output of the source program must be computed, Ocrepproduces several programs, one for each location, each one computing only its assigned variables and outputs, and communicating harmoniously. Their combined behavior is equivalent to the behavior of the centralized source program.

Currently,
Ocrepis distributed in the form of executable on the web

We have been cooperating for several years with the
Inriateam
Aoste(
InriaSophia-Antipolis and Rocquencourt) on the subject of fault tolerance. In particular, we have implemented several new heuristics for fault
tolerance and reliability within their software
SynDEx
*i.e.*, buses)
. Our results on fault-tolerance are summarized in a web page

The
Apronlibrary

The Apronlibrary aims to provide:

a uniform API for existing numerical abstract domains;

a higher-level interface to the client tools, by factorizing functionalities that are largely independent of abstract domains.

From an abstract domain implementor point of view, the benefits of the Apronlibrary are:

the ability to focus on core, low-level functionalities;

the help of generic services adding higher-level services for free.

For the client static analysis community, the benefits are a unified, higher-level interface, that allows experimenting, comparing and combining abstract domains.

The
BDDApronlibrary

The
Apronlibrary (Fig.
) is written in ANSI C, with an object-oriented and thread-safe design. Both
multi-precision and floating-point numbers are supported. A wrapper for the
Ocamllanguage is available, and a C++ wrapper is on the way. It is distributed since June 2006 under the LGPL license and available at
http://

The BDDApronlibrary is written in Ocaml, using polymorphism features of Ocamlto make it generic. It is also thread-safe. It provides two different implementations of the same domain, each one presenting pros and cons depending on the application. It is currently used by the ConcurInterprocinterprocedural and concurrent program analyzer.

We have developed a software tool chain to allow the specification of models, the controller synthesis, and the execution or simulation of the results. It is based on existing synchronous
tools, and thus consists primarily in the use and integration of
Sigali

Useful component templates and relevant properties can be materialized, on one hand by libraries of task models, and, on the other hand, by properties and synthesis objectives.

Rapture
is a verification tool that was developed jointly by BRICS
(Denmark) and
Inriain years 2000–2002. The tool is designed to verify reachability properties on Markov Decision Processes (MDP), also known as Probabilistic
Transition Systems. This model can be viewed both as an extension to classical (finite-state) transition systems extended with probability distributions on successor states, or as an
extension of Markov Chains with non-determinism. We have developed a simple automata language that allows the designer to describe a set of processes communicating over a set of channels
*à la*CSP. Processes can also manipulate local and global variables of finite type. Probabilistic reachability properties are specified by defining two sets of initial and final states
together with a probability bound. The originality of the tool is to provide two reduction techniques that limit the state space explosion problem: automatic abstraction and refinement
algorithms, and the so-called essential states reduction.

We also develop and maintain smaller libraries of general use for people working in the static analysis and abstract interpretation community.

extends Interproc with concurrency, for the analysis of multithreaded programs interacting via shared global variables. It is also deployed through a web-interface

We have extended our work on bicriteria (length, reliability) scheduling
,
in two directions. The first direction takes into account the
power consumption as a third criterion to be minimized. We have designed a scheduling heuristics called TSH that, given a software application graph and a multiprocessor architecture,
produces a static multiprocessor schedule that optimizes three criteria: its
*length*(crucial for real-time systems), its
*reliability*(crucial for dependable systems), and its
*power consumption*(crucial for autonomous systems). Our tricriteria scheduling heuristics, TSH, uses the
*active replication*of the operations and the data-dependencies to increase the reliability, and uses
*dynamic voltage scaling*to lower the power consumption. This work is conducted in collaboration with Hamoudi Kalla (University of Batna, Algeria).

The second direction studies the mapping of chains of tasks on multi-processor platforms. We have proposed
*mapping by interval techniques*, where the chain of tasks is divided in a sequence of intervals, each interval being executed on a different processor in a pipe-lined manner, and each
processor executing no more than one interval. Because of this pipe-lined execution, we have two antagonistic criteria, the input-output latency and the period. Then, to increase the
reliability, we replicate the intervals by mapping them to several processors. We have proved that, for homogeneous platforms, computing a mapping that optimizes the reliability only is
*polynomial*, but that optimizing both the reliability and the period is
*NP-complete*, as well as optimizing both the reliability and the latency. For heterogeneous platforms, we have proved that optimizing the reliability only is
*NP-complete*, and hence all the multi-criteria mapping problems that include the reliability in their criteria are also
*NP-complete*. This work is done in collaboration with Anne Benoit, Fanny Dufossé, and Yves Robert (ENS Lyon and
Graalteam).

Unlike most work found in the literature, all our contributions are truly bicriteria in the sense that the user can gain several orders of magnitude on the reliability of his schedule, thanks to the active replication of tasks onto processors. In contrast, most of the other algorithms do not replicate the tasks, and hence have a very limited impact on the reliability.

We have defined a new framework for the
*automatic*design of fault tolerant embedded systems, based on discrete controller synthesis (DCS), a formal approach based on the same state-space exploration algorithms as
model-checking
. Its interest lies in the ability to obtain automatically systems
satisfying by construction formal properties specified
*a priori*. Our aim is to demonstrate the feasibility of this approach for fault tolerance. We start with a fault intolerant program, modeled as the synchronous parallel composition of
finite labeled transition systems. We specify formally a fault hypothesis, state fault tolerance requirements and use DCS to obtain automatically a program, having the same behavior as the
initial fault intolerant one in the absence of faults, and satisfying the fault tolerance requirements under the fault hypothesis. Our original contribution resides in the demonstration that
DCS can be elegantly used to design fault tolerant systems, with guarantees on key properties of the obtained system, such as the fault tolerance level, the satisfaction of quantitative
constraints, and so on. We have shown with numerous examples taken from case studies that our method can address different kinds of failures (crash, value, or Byzantine) affecting different
kinds of hardware components (processors, communication links, actuators, or sensors). Besides, we have shown that our method also offers an optimality criterion very useful to synthesize
fault tolerant systems compliant to the constraints of embedded systems, like power consumption. In summary, our framework for fault tolerance has the following advantages
:

The
**automatization**, because DCS produces automatically a fault tolerant system from an initial fault intolerant one.

The
**separation of concerns**, because the fault intolerant system can be designed independently from the fault tolerance requirements.

The
**flexibility**, because, once the system is entirely modeled, it is easy to try several fault hypotheses, several environment models, several fault tolerance goals, several degraded
modes, and so on.

The
**safety**, because, in case of positive result obtained by DCS, the specified fault tolerance properties are guaranteed by construction on the controlled system.

The
**optimality**when optimal synthesis is used, modulo the potential numerical equalities (hence a non strict optimality).

In collaboration with Emil Dumitrescu (INSA Lyon), Hervé Marchand ( Vertecsteam from Rennes), and Eric Rutten ( Sardesteam from Grenoble), we are extending this work in the direction of optimal synthesis considering weights cumulating along bounded-length paths, and its application to the control of sequences of reconfigurations. We are adapting models in order to take into account the additive costs of e.g., execution time or power consumption, and adapting synthesis algorithms in order to support the association of costs with transitions, and the handling of these new weight functions in the optimal synthesis. We therefore combine, on the one hand, guarantees on the safety of the execution by tolerating faults, and on the other hand, guarantees on the worst cumulated consumption of the resulting dynamically reconfiguring fault tolerant system.

In collaboration with Tolga Ayav (University of Izmir, Turkey), we are also working on an AOP approach for fault tolerance. This is described in details in Section .

Synchronous programming languages describe functionally centralized systems, where every value, input, output, or function are always directly available for every operation. However, most
embedded systems are nowadays composed of several computing resources. The aim of this work is to provide a language-oriented solution to describe
*functionally distributed reactive systems*. This research is conducted within the INRIA large scale action
Synchronicsand is a joint work with Gwenaël Delaval (
Sardesteam from Grenoble) and Marc Pouzet (Orsay University and
Provalteam from Saclay).

We are working on type systems to formalize, in an uniform way, both the clock calculus and the location calculus of a synchronous data-flow programming language (the
Heptagonlanguage, inspired from
Lucid Synchrone
). On one hand, the clock calculus infers the clock of each
variable in the program and checks the clock consistency: e.g., a time-homogeneous function, like
`+`, should not be applied to variables of different clocks. On the other hand, the location calculus infers the spatial distribution of computations and checks the spatial
consistency: e.g., a centralized operator, like
`+`, should not be applied to variables located on different locations. Compared to the recent PhD of Gwenaël Delaval
,
, the goal is to achieve
*modular*distribution. By modular, we mean that we want to compile each function of the program into a single function capable of running on any computing location. We make use of our
uniform type system to express the computing locations as first-class abstract types, exactly like clocks, which allows us to compile a typed variable (typed by both the clock and the
location calculi) into
`if ... then ... else ...`structures.

Model-based design (MBD) involves designing a model of a control system, simulating and debugging it with dedicated tools, and finally generating automatically code corresponding to this
model. In the domain of embedded systems, it offers the huge advantage of avoiding the time-consuming and error-prone final coding phase. The main issue raised by MBD is the faithfulness of
the generated code with respect to the initial model, the latter being defined by the simulation semantics. To bridge the gap between the high-level model and the low-level implementation, we
use the synchronous programming language Lustre as an intermediary formal model
. Concretely, starting from a high-level model specified in the
de-facto standard Simulink, we first generate Lustre code along with some necessary structured “glue code”, and then we generate embedded real-time code for the Xenomai RTOS

We have studied the verification of hybrid systems built as the composition of a discrete software controller interacting with a physical environment exhibiting a continuous behavior. Our goal is to tackle the problem of the combinatorial explosion of discrete states that may happen when a complex software controller is considered. We propose to extend an existing abstract interpretation technique, namely dynamic partitioning, to hybrid systems. Dynamic partitioning, which shares some common principles with predicate abstraction, allows us to finely tune the tradeoff between precision and efficiency in the analysis.

We have extended the NBactool (Section ) according to these principle, and showed the efficiency of the approach by a case study that combines a non trivial controller specified in the synchronous dataflow programming language Lustrewith its physical environment . A journal version is in preparation.

We are also working on the definition of a synchronous hybrid language for the design, simulation, and verification of discrete-continuous hybrid systems. This is the topic of the PhD of Peter Schrammel, co-advised by A. Girault and B. Jeannet, and funded by Synchronics.

This work addresses the verification of properties of imperative programs with recursive procedure calls, heap-allocated storage, and destructive updating of pointer-valued fields, i.e., interprocedural shape analysis. It presents a way to apply some previously known approaches to interprocedural dataflow analysis — which in past work have been applied only to a much less rich setting — so that they can be applied to programs that use heap-allocated storage and perform destructive updating.

Our submission to ACM TOPLAS, accepted in october 2008 has been revised this year and should be published in 2010 . This work has been done in collaboration with T. Reps (Univ. of Madison-Wisconsin), M. Sagiv (Univ. of Tel-Aviv) and A. Loginov (GrammaTech).

We have studied the extension of the relational approach to interprocedural analysis of sequential programs to concurrent programs, composed of a fixed number of threads .

In the relational approach, a sequential program is analyzed by computing summaries of procedures, and by propagating reachability information using these summaries. We propose an extension to concurrent programs, which is technically based on an instrumentation of the standard operational semantics, followed by an abstraction of tuple of call-stacks into sets. This approach allows us to extend relational interprocedural analysis to concurrent programs. We have implemented it for programs with scalar variables, in the ConcurInterproconline analyzer (see § ).

We have experimented several classical synchronisation protocols in order to investigate the precision of our technique, but also to analyze the approximations it performs.

We are also working on modular analyzes of concurrent programs with abstract interpretation techniques. This is the topic of the PhD of Lies Lakhdar-Chaouch, co-advised by A. Girault and B. Jeannet, and funded by OpenTLM.

As explained in previous section, controller synthesis aims at modifying an existing specification/system in order to make it satisfy a property. We study this problem in the particular case of distributed systems modeled as a set of sequential machines communicating via unbounded FIFO channels, for which we want to ensure safety properties.

The static analysis of stacks and FIFO queues was the topic of the PhD of Tristan Le Gall, defended in June 2008. We proposed in a new abstract domain for languages on infinite alphabets, which acts as a functor taking an abstract domain for a concrete alphabet, and lifts it to an abstract domain for words on this alphabet.

We studied this year the application of this technique to the controller synthesis of a set of sequential machines communicating via unbounded FIFO channels, for which we consider simple state-avoidance properties. It is well-known that there exists no optimal (most permissive) controller in such a context, so our ambition is to propose a technique for computing “permissive-enough” controller. Our approach is based on the computation of global controller, which is then projected on local sites so as to obtain a controller per site in the controlled distributed system. We exploit the abstract domain mentioned above in the fixpoint computations involved in the computation of a correct controller, and we take into account the following partial observation constraints: the global controller cannot observe the contents of the FIFO channels to take its decisions (they model communication links), and the projected local controller has a knowledge only on their local state.

This work is conducted in collaboration with H. Marchand and T. Le Gall ( Vertecsteam from InriaRennes).

Several man/month efforts have been devoted to the developpement of libraries and tools (see
). This year has been more particularly devoted to the
BDDApronlibrary, which has been publicy released as a deliverable of the ASOPT project (§
), and the FIXPOINT library.

Protocol conversion deals with the automatic synthesis of an additional component or glue logic, often referred to as an
*adaptor*or an
*interface*, to bridge mismatches between interacting components, often referred to as
*protocols*. A formal solution, called convertibility verification, has been recently proposed, which produces such a glue logic, termed as a
*converter*, so that the parallel composition of the protocols and the converter also satisfies some desired specification. A converter is responsible for bridging different kinds of
mismatches such as
*control*,
*data*, and
*clock*mismatches. Mismatches are usually removed by the converter (similar to controllers in supervisory control of discrete event systems) by
*disabling undesirable paths*in the protocol composition.

We have formulated a generalization of this convertibility verification problem, by using a new refinement relation called
*Specification Enforcing Refinement*(SER) between a protocol composition and a desired specification. The existence of such a refinement is shown to be a necessary and sufficient
condition for the existence of suitable a converter. We have also proposed an approach to automatically synthesize a converter if a SER refinement relation exists. These results have been
published in
.

We are currently working on an improvement of this framework that supports incremental converter synthesis.

In the context of our work on compositionality and reconfigurability, we are studying the issue of implementing a component system on a lower-level platform. With the increasing complexity
of embedded systems, coupled with the need for faster time-to-market and high confidence in the reliability of the product, design methods that ensure correctness by construction are, when
available, the solution of choice. When dealing with reactive systems, which interact with their environment, the behavior of the system to be designed has to be considered in terms of
*strategies*: can some desired behavior be enforced in spite of the — potentially non cooperative — environment?

Computing a strategy satisfying some property is expensive, and although modular and compositional controller synthesis have been studied for some decades, this remains a hard problem. In particular, progress properties are notoriously more difficult to tackle compositionally than safety properties.

We are interested in a design flow supporting the refinement of strategies, rather than in controller synthesis performed on some given level of abstraction. We consider a platform-based design process consisting of successive mapping steps . The goal of each step is to constructively map a strategy constructed so far onto a lower-level platform. The mapping is performed component-wise, using an abstraction of the environment of each component. We have developed compositionality results ensuring that the refinement carries over to the global strategy .

The result of strategy mapping is a strategy for each target component, such that the composition of the strategies over-approximates the source strategy. We are currently investigating an improvement of this technique in order to effectively derive an implementation on the target platform, rather than an over-approximation.

Contracts have first been introduced as a type system for classes
: a method guarantees some post-condition under the assumption
that its pre-condition is satisfied. In the component-based programming community, contracts are increasingly focus of research as a means to achieve one of the main goals of the component
paradigm, namely the deployment and reuse of components in different, a priori unknown contexts. As components may interact under various models of communication, the notion of contract has
been generalized from pre- and post-conditions in the form of predicates to
*behavioral interfaces*such as
*interface automata*
, allowing to reason about the temporal behavior of environments
with which a component can be composed.

We define contracts as pairs
(
A,
G)of
*modal automata*
: one describes an assumption on the usage of the component made
by its environment; the other one corresponds to a guarantee offered by the component as long as the assumption is satisfied
. Modal automata extend automata with a modality that indicates
for each transition whether it
*may*or
*must*be implemented. Modal contracts leverage the well-established theory of modal automata. They finitely represent an infinite number of implementations. In contrast to a premature
choice of implementing or not a given transition, which would prematurely narrow the design space and rule out possible implementations, modal contracts allow to preserve a larger solution
space along the design process.

In contrast to a
*specification*defining how a component
*must*behave, contracts can be seen as implications, providing a guarantee depending on an assumption on the context. Accordingly, different semantics of contract composition are
conceivable, with the two special cases of
*conjunction of implications*yielding a
*lazy*composition, and
*implication of a conjunction*for an
*eager*composition. The latter approach is adopted by
, where the assumption of the composed contract is defined as
the weakest assumption ensuring the conjunction of both guarantees. In the present work we choose the former approach: a component satisfying the composition of two contracts must satisfy
each guarantee if and only if the corresponding assumption holds. This notion of composition is consistent with the component paradigm mentioned above, enabling the component to offer
different guarantees depending on the context.

Our theory of modal assume/guarantee contracts relies on
*weak implication*. This operation computes a modal specification whose implementations are also implementations of a given assume/guarantee contract
C= (
A,
G). This modal specification is thus called the
*implicit form*of
C. Based on weak implication, we have introduced three composition operations between modal contracts, responding to different requirements in the design flow and satisfying different
properties. This is the first work formalizing and allowing to effectively combine these contract composition operations.

A contract may be used to describe the guarantees a component is able to give, depending on its environment. We call this a
*component contract*. For component contracts over disjoint components we define a “best effort” composition operation that is parametrized by an
*interaction model*inspired by the BIP framework
. The composition ensures each guarantee depending on the
satisfaction of its assumption, provided that the guarantee is feasible under the specified interaction model. We show that this composition is the
*strongest*contract satisfying the property of independent implementability: the component composition of two contracts is satisfied by the composition of any pair of
implementations of both contracts, which allows to reason about contracts in a bottom-up manner.

On the other hand, a contract may specify a
*requirement*as a guarantee that must be ensured under some hypothesis. We call this a requirement contract, or
*aspect*. Aspects are usually implemented top-down. For a set of aspects on the same component or sub-system, a crucial question is whether they are consistent, and how to compute
a common implementation, also called their
*shared refinement*
. We define a composition operation based on modal
conjunction, as the
*weakest*contract refining both arguments. This is motivated by the fact that different aspects express different requirements whose conjunction is to be satisfied. The conjunction
of contracts is shown to be sound and, under some conditions, complete.

Therefore, contracts are an elegant way to combine bottom-up construction of a system from simpler components, and top-down design by successive refinement of abstract components.

In practice, aspects are not equally important. For instance, an aspect “safety” may be chosen to override an aspect “quality of service”. Therefore we define the
operation of
*priority*which composes aspects in a hierarchical order, such that in case of inconsistency, an aspects of higher priority overrides a lower-priority contract.

We are studying probabilistic contracts as a means to reason about reliability in a component-based framework. A probabilistic contract is an interactive Markov chain specification (IMCS) where each state is either an interaction state or a probabilistic state. From interaction states, only interactions (in the sense of the BIP component framework) are enabled. From probabilistic states, only probabilistic transitions are enabled. Each of the latter is labeled with an interval of allowed probabilities. We have defined operations such as refinement and composition allowing to reason about probabilistic contracts. This work is still in progress.

Nowadays, OEM perform system design and integration by importing/reusing entire subsystems provided by equipment suppliers. It is crucial that the subsystems are designed according to some rules; which highlights the importance of providing good notions of component interfaces. According to our understanding of industrial needs, the following list of requirements applies to the notion of interface in the context of embedded systems: (i) Interfaces act as legal bindings and therefore must clearly identify roles and responsibilities. (ii) Interfaces must support the operation of conjunction; the two reasons for this are, one the one hand, that current practice of requirements capture leads to large data bases of requirements to be seen in a conjunctive way, and, on the other hand, that large systems possess multiple viewpoints (functional, timing, safety, etc) that concern the same sub-systems or component and apply conjunctively. (iii) Interface-based design must allow for flexible architecture choices. The mathematical requirements for interfaces are then:

Interfaces must explicit roles (component versus environment, at least)

They must be equipped with a parallel composition and a conjunction; in addition, it is useful to have the adjoint of parallel composition to address incomplete designs, the latter is called quotient or residuation.

They must support the following fundamental relations, involving interfaces and their associated implementations (or models): satisfaction, consistency, compatibility, and refinement.

Last but not least, interfaces must support local alphabets of actions.

We have reviewed candidate classes for interface theories failing to address all these requirements. Then we have advocated using modal interfaces, a unification of interface automata by de Alfaro and Henzinger and modal specifications by Larsen. (see and ). This work is conducted in collaboration with E. Badouel, A. Benveniste, B. Caillaud and A. Legay (S4 team from Irisa/ Inria-Rennes) and R. Passerone (University of Trento).

As we have seen, modal interfaces are classic, convenient, and expressive mathematical objects to represent interfaces of component-based systems. On the other hand, time is a crucial aspect of systems for practical applications, e.g. in the area of embedded systems. And yet, only few results exist on the design of timed component-based systems. In , we have proposed a timed extension of modal specifications, defined their notions of refinement and consistency, and established their decidability. In , we have considered the subclass of modal event-clock automata, where clock resets are easy to handle. We then have developed an entire theory with conjunction, product, and quotient, that promotes efficient incremental design techniques and that enables to reason in a compositional way about timed system. This work is conducted in collaboration with N. Bertrand ( Vertecsteam from Irisa/ Inria-Rennes) and S. Pinchinat (S4 team from Irisa/ Inria-Rennes).

The goal of Aspect-Oriented Programming (
AOP) is to isolate aspects (such as security, synchronization, or error handling) which cross-cut the program basic functionality and whose
implementation usually yields tangled code. In
AOP, such aspects are specified separately and integrated into the program by an automatic transformation process called
*weaving*.

Although this paradigm has great practical potential, it still lacks formalization and undisciplined uses make reasoning on programs very difficult. Our work on AOPaddresses these issues by studying foundational issues (semantics, analysis, verification) and by considering domain-specific aspects (availability or fault tolerance aspects) as formal properties.

Aspect Oriented Programming can arbitrarily distort the semantics of programs. In particular, weaving can invalidate crucial safety and liveness properties of the base program.

We have identified categories of aspects that preserve some classes of properties
,
. Our categories of aspects comprise, among others, observers,
aborters, and confiners. Observers do not modify the base program's state and control-flow (
*e.g.*, persistence, profiling, and debugging aspects). Aborters are observers which may also abort executions (
*e.g.*, security aspects). Confiners only ensure that the executions remain in the set of reachable states of the base program (
*e.g.*, optimization or fault-tolerance aspects).

These categories are defined formally based on a language independent abstract semantic framework. The classes of properties are defined as subsets of LTL for deterministic programs and CTL* for non-deterministic ones. We have formally proved that, for any program, the weaving of any aspect in a category preserves any property in the related class.

In a second step, we have designed for each aspect category a specialized aspect language which ensures that any aspect written in that language belongs to the corresponding category
,
. These languages preserve the corresponding classes of properties
by construction. The aspect languages share the same expressive pointcut language and are designed
*w.r.t.*a common imperative base language.

This work was the central topic of Simplice Djoko Djoko's PhD thesis, which has been defended in June 2009. It is conducted in collaboration with Rémi Douence from the Ascola Inriateam at École des Mines de Nantes.

We have studied the use of aspect-oriented programming for resource management with the aim of enforcing availability properties . Our technique allows us to keep resource management and availability issues separate from the rest of the system.

We have proposed a domain-specific aspect language aimed at preventing denial of service caused by resource management (
*e.g.*, starvation, deadlocks, etc.). The aspects specify time or frequency limits in the allocation of resources. They can be seen as formal temporal properties on execution traces
that specify availability policies. The semantics of base programs and aspects are expressed as
*timed automata*. The automaton representing a program specifies a superset of all possible (timed) execution traces whereas the automaton representing an aspect specifies a set of
desired/allowed (timed) execution traces. Weaving can be seen as a
*product*of two timed automata (
*i.e.*, the intersection of execution traces) which restricts the execution of the base program to the behaviors allowed by the aspect. The main advantage of such a formal approach
is two-fold:

aspects are expressed at a higher-level and the semantic impact of weaving is kept under control;

model checking tools can be used to optimize weaving and verify the enforcement of general availability properties.

Here, our objective is to design a domain-specific language for specifying fault tolerance aspects as well as efficient techniques based on static analysis, program transformation and/or instrumentation to weave them into real-time programs.

We have studied the implementation of specific fault tolerance techniques in real-time embedded systems using program transformation . Failure detection is implemented using heartbeating, and failure masking using checkpointing and roll-back. These techniques are described and implemented by automatic program transformations of the tasks' source programs.

We are currently working on an aspect language allowing users to specify and tune a wider range of fault tolerance techniques. For example, the user may want to use checkpointing, code or data replication at different places of the same program. For checkpointing, the user may also want to specify the subset of variables which must be saved. We are currently working on the definition of an aspect language allowing the designer to specify such choices. This work is conducted in collaboration with T. Ayav from Izmir University who spent a one-month visit in Pop Artlast June.

The chemical reaction metaphor describes computation in terms of a chemical solution in which molecules (representing data) interact freely according to reaction rules (representing the program). Chemical programs can be formalized as associative-commutative rewritings (reactions) of multisets (chemical solutions). This model of computation is well-suited to the specification of complex computing infrastructures. In particular, the orderless interactions between elements that occur in large parallel or open systems as well as autonomicity (e.g. self-healing, self-protection, self-optimization, etc.) are naturally expressed as reaction rules. We have described classical coordination mechanisms and parallel programming models (Linda, Petri Nets, Kahn Networks) in the same chemical setting . All these examples put forward the simplicity and expressivity of the chemical paradigm.

A drawback of chemical languages is that their very high-level nature usually leads to very inefficient programs. We are currently looking at approaches to refine chemical programs to more efficient lower-level programs. The idea is to specify separately the data structures, the selection of elements and the scheduling of rules using domain specific languages. The goal is to use these additional components to automatically refine chemical programs into C-like programs. The overall approach is related to aspect-oriented programming where the chemical program represents the base functionality and the other components can be seen as implementation aspects.

This line of research is followed by Marnes Hoff in his PhD thesis. It takes place within the AutoChemproject (see Section ).

Genetic regulatory networks usually encompass a multitude of complex, interacting feedback loops. Being able to model and analyze their behavior is crucial for understanding the interactions between the proteins, and their functions. Genetic regulatory networks have been modeled as discrete transition systems by many approaches, benefiting from a large number of formal verification algorithms available for the analysis of discrete transition systems. However, most of these approaches face the problem of state space explosion, as even models of modest size (from a biological point of view) usually lead to large transition systems, due to a combinatorial blow-up of the number of states. This problem has been addressed with the component-based approach of — based on the mathematically well-founded formalism of qualitative simulation — where the discrete abstraction is constructed and analyzed modularly, allowing to deal with complex, high-dimensional systems.

We have further improved this technique by allowing for a more precise, conservative abstraction, and provided both correctness and completeness results .

We are currently working, in cooperation with H. de Jong ( Ibisteam from Grenoble) and G. Batt ( Contraintesteam from Rocquencourt), on parametric models of genetic networks that reflect the lack of knowledge about the position of focal points with respect to the thresholds, and the ordering of thresholds. The goal is to determine automatically feasible parameter values corresponding to an observed or desired behavior.

In the context of the Pôle de Compétitivité Minalogic, we participate in the four-year project OpenTLMon analysis of systems-on-chip modeled at the transaction level in SystemC . We intend to develop methods for abstraction, and interprocedural and compositional analysis of SystemC models. Interesting results have been obtained regarding (see Section ). One PhD student and one engineer have been hired on this topics, resp. in April and May 2008.

We participate in the regional cluster ISLE (“Informatique, Systèmes et Logiciels Embarqués”) of the Région Rhône-Alpes, which funds the PhD of Mouaiad Alras (see Section ).

The AutoChemproject aims at investigating and exploring the use of chemical languages (see Section ) to program complex computing infrastructures such as grids and real-time deeply-embedded systems. The consortium includes Irisa( Paristeam, Rennes), InriaGrenoble Rhône-Alpes ( Pop Artteam, Montbonnot), IBISC ( CNRS/Université d'Evry) and CEAList (Saclay). The project started at the end of 2007.

The Asopt(Analyse Statique et OPTimisation) project [end of 2008-2011] brings together static analysis (INRIA- Pop Art, VERIMAG, CEA LMeASI), optimisation, and control/game theory experts (CEA LMeASI, INRIA-MAXPLUS) around some program verification problems. Pop Artis the project coordinator.

Many abstract interpretations attempt to find “good” geometric shapes verifying certain constraints; this not only applies to purely numerical abstractions (for numerical program variables), but also to abstractions of data structures (arrays and more complex shapes). This problem can often be addressed by optimisation techniques, opening the possibility of exploiting advanced techniques from mathematical programming.

The purpose of Asoptis to develop new abstract domains and new resolution techniques for embedded control programs, and in the longer run, for numerical simulation programs.

The Vedecyproject aims at pursuing fundamental research towards the development of algorithmic approaches to verification and design of cyber-physical systems. Cyber-physical systems result from the integration of computations with physical processes: embedded computers control physical processes which in return affect computations through feedback loops. They are ubiquitous in current technology and their impact on lives of citizens is meant to grow in the future (autonomous vehicles, robotic surgery, energy efficient buildings, ...).

Cyber-physical systems applications are often safety critical and therefore reliability is a major requirement. To provide assurance of reliability, model based approaches and formal methods are appealing. Models of cyber-physical systems are heterogeneous by nature: discrete dynamic systems for computations and continuous differential equations for physical processes. The theory of hybrid systems offers a sound modeling framework for cyber-physical systems. The purpose of Vedecyis to develop hybrid systems techniques for the verification and the design of cyber-physical systems.

The Synchronics(Language Platform for Embedded System Design) project [beginning of 2008-2011] gathers 9 permanent researchers on the topic of embedded systems design: B. Caillaud ( Irisa), A. Cohen, L. Mandel, and M. Pouzet (INRIA-Saclay), A. Girault and B. Jeannet ( InriaGrenoble Rhône-Alpes), E. Jahier and P. Raymond (VERIMAG).

Synchronicscapitalizes on recent extensions of data-flow synchronous languages, as well as relaxed forms of synchronous composition or compilation techniques for various platform, to address two main challenges with a language-centered approach: (i) the co-simulation of mixed discrete-continuous specifications, and more generally the co-simulation of programs and properties (either discrete or continuous); (ii) the ability, inside the programming model, to account for the architecture constraints (execution time, memory footprint, energy, power, reliability, etc.).

Aosteat Inria-Rocquencourt is working with us on fault tolerant heuristics for their software SynDEx.

Vertecsat Irisa/ Inria-Rennes is working with us on applications of discrete controller synthesis, and in particular on the tool Sigali.

P. Fradet cooperates with J.-P. Banâtre and T. Priol ( Paris, Irisa/ Inria-Rennes) and with R. Douence ( Ascola, Ecole des Mines de Nantes).

A. Girault cooperates with the Moaisand Graalprojects (CR Grenoble – Rhône-Alpes) on multi-criteria scheduling. A. Girault cooperates also with the Verimaglab on model-based design and a compilation tool chain from Simulinkto distributed platforms, and with the Demonteam of LRI (Orsay) on the distribution of higher-order synchronous data-flow programs.

G. Gössler cooperates with D. Le Métayer ( Licitaction, CR Rhône-Alpes), H. de Jong ( Ibisproject, CR Rhône-Alpes), and G. Batt ( Contraintesproject, CR Rocquencourt).

B. Jeannet cooperates with T. Le Gall ( Vertecs, Irisa/ Inria-Rennes) on the analysis of communicating systems, and with C. Constant, T. Jéron and F. Ployette ( Vertecs, Irisa/ Inria-Rennes) on test generation.

J.-B. Raclet cooperates with E. Badouel, A. Benveniste, B. Caillaud and A. Legay (S4 team from Irisa/ Inria-Rennes) on interface theories, and with N. Bertrand ( Vertecsteam from Irisa/ Inria-Rennes) and S. Pinchinat (S4 team from Irisa/ Inria-Rennes) on timed modal specifications.

P. Fradet cooperates with J.-L. Giavitto ( CNRS/Université d'Evry).

A. Girault cooperates with P. Raymond ( Verimag), M. Pouzet ( LRI, University of Paris VI), P. Roop, Z. Salcic, A. Malik, and S. Andalam (University of Auckland, New Zealand), and H. Kalla (University of Batna, Algeria).

P. Fradet and A. Girault collaborate with T. Ayav (University of Izmir, Turkey).

G. Gössler cooperates with A. Girard (LJK, Grenoble), T. Dang, J. Sifakis, and S. Bensalem ( Verimag).

A. Girault and G. Gössler collaborate with P. Roop and R. Sinha (University of Auckland, New Zealand).

B. Jeannet cooperates with N. Halbwachs and M. Péron ( Verimag) on static analysis and abstract interpretation.

J.-B. Raclet cooperates with R. Passerone (University of Trento) on interface theories.

ArtistDesignis a European Network of Excellence on embedded system design, successor of Artist II in FP7. The objective for ArtistDesignis to build on existing structures and links forged in Artist II, to become a virtual Center of Excellence in Embedded Systems Design. This will be mainly achieved through tight integration between the central players of the European research community. The long-term vision for embedded systems in Europe, established in Artist II, will advance the emergence of Embedded Systems as a mature discipline. G. Gössler is the administrator of ArtistDesignfor Inria.

Combestis a European STREP on formal component-based design of complex embedded systems

Cesaris a European
Artemisiaproject on cost-efficient methods and processes for safety relevant embedded systems

We are particularly involved in the following sub-programs:

Task Force Safety 1.5.1 (State of the art survey on safety and diagnosability for cost-efficient safety critical emebedded systems) and 1.5.2 (Identification of requirements for comon cross domain core safety and diagnosability techniques and methods).

Requirements Engineering, along with two other Inriateams (S4 and Triskell, from InriaRennes). We shall work on contracts based design for traceability.

We have a cooperation in the framework of CMCU (
*Comité Mixte pour la Coopération Universitaire*), on the topic of analysis and verification of the safety of safety-critical systems, with ENSI (
*Ecole Nationale des Sciences de l'Informatique*) at La Manouba in Tunisia. The other French partner is GIPSA (team of H. Alla).

P. Fradet served in the program committees of FOAL'09 (
*International Workshop on Foundations of Aspect-Oriented Languages*), RV'09 (
*International Workshop on Runtime Verification*) and AOSD'10 (
*International Conference on Aspect-Oriented Software Development*).

A. Girault served in the programme committee of the DATE'09 Conference

Simplice Djoko Djoko, co-advised by P. Fradet (with R. Douence, Ascola, Ecole des Mines de Nantes), since 10/2005, PhD in computer science, University of Nantes, defended on June 26th, 2009.

Marnes Hoff, co-advised by P. Fradet (with J.-L. Giavitto, Université d'Evry), since 04/2008, PhD in computer science, Grenoble INP.

Mouaiad Alras, co-advised by Alain Girault (with P. Raymond, VerimagGrenoble), since 10/2006, PhD in computer science, UJF, Grenoble.

Lies Lakhdar-Chaouch, co-advised by Alain Girault and Bertrand Jeannet since 05/2008, PhD in computer science, Grenoble INP.

Peter Schrammel, co-advised by Alain Girault and Bertrand Jeannet since 07/2009, PhD in computer science, Grenoble INP.

Gideon Smeding, co-advised by Gregor Gössler and Joseph Sifakis ( Verimag/INRIA) since 12/2009, PhD in computer science, UJF, Grenoble.