We work on the problem of the safe design of real-time control systems. This area is related to (discrete) control theory as well as computer science. Application domains are typically safety-critical systems, as in transportation (avionics, railways), production, medical, or energy production systems. These application domains require both formal methods and models for the construction of correct systems, as well as their implementation in computer assisted design tools, targeted to specialists of the applications. We contribute to this research domain by offering solutions all along the design flow, from the specification to the implementation: we develop techniques for the specification, the programmation and the automated generation of safe real-time executives for control systems, as well as static analysis techniques to check additional properties on the generated systems. Our research themes concern:

implementations of synchronous reactive programs, generated automatically by compilation, particularly from the point of view of automatic distribution and fault tolerance;

high-level design and programming methods, with support for automated code generation, including: the automated generation of correct controllers using discrete control synthesis, compositionality for the verification and construction of correct systems; reactive programming, and aspect-oriented programming;

static analysis and abstract interpretation techniques, which are applied both to low-level synchronous models/programs and to more general imperative or concurrent programs; this includes the verification of general safety properties and the absence of runtime errors.

Our applications are in embedded systems, typically in the robotics, automotive, and telecommunications domains with a special emphasis on dependability issues (
*e.g.*, fault tolerance, availability). International and industrial relations feature:

an
ISTEuropean FP7 network of excellence:
ArtistDesign

an FP7 European STREP project:
Combest

an
ArtemisiaEuropean project:
Cesar

three ANR French projects: Asopt(on static analysis), AutoChem(on chemical programming), and Vedecy(on cyber-physical systems);

a MinalogicPôle de Compétitivité project: OpenTLM, dedicated to the design flow for next generation SoC and SystemC;

an Inrialarge scale action: Synchronicson a language platform for embedded system design;

an
Inriaassociated team with the University of Auckland (New Zealand), called
Afmes

The context of our work is the area of embedded real-time control systems, at the intersection between control theory and computer science. Our contribution consists of methods and tools
for their safe design. The systems we consider are intrinsically safety-critical because of the interaction between the embedded, computerized controller, and a physical process having its
own dynamics. Such systems are known under various names, notably
*cyberphysical systems*and
*embedded control systems*. What is important is to design and to analyze the safe behavior of the whole system, which introduces an inherent complexity. This is even more crucial in the
case of systems whose malfunction can have catastrophic consequences, for example in transport systems (avionics, railways), production, medical, or energy production systems.

Therefore, there is a need for methods and tools for the design of safe systems. The definition of adequate mathematical models of the behavior of the systems allows the definition of formal calculi. They in turn form a basis for the construction of algorithms for the analysis, but also for the transformation of specifications towards an implementation. They can then be implemented in software environments made available to the users. A necessary complement is the setting-up of software engineering, programming, modeling, and validation methodologies. The motivation of these problems is at the origin of significant research activity, internationally and, in particular, in the European ISTnetwork of excellence ArtistDesign(Advanced Real-Time Systems).

The state of the art upon which we base our contributions is twofold.

From the point of view of discrete control, there is a set of theoretical results and tools, in particular in the synchronous approach, often founded on finite or infinite labeled transition systems , . During the past years, methodologies for the formal verification , , control synthesis and compilation, as well as extensions to timed and hybrid systems , have been developed. Asynchronous models consider the interleaving of events or messages, and are often applied in the field of telecommunications, in particular for the study of protocols.

From the point of view of verification, we use the methods and tools of symbolic model-checking and of abstract interpretation. From symbolic model-checking, we use BDD techniques
for manipulating Boolean functions and sets, and their MTBDD
extension for more general functions. Abstract interpretation
is used to formalize complex static analysis, in particular when
one wants to analyze the possible values of variables and pointers of a program. Abstract interpretation is a theory of approximate solving of fix-point equations applied to program analysis.
Most program analysis problems, among which reachability analysis, come down to solving a fix-point equation on the state space of the program. The exact computation of such an equation is
generally not possible for undecidability (or complexity) reasons. The fundamental principles of abstract interpretation are:

The synchronous approach

The design of safe real-time control systems is difficult due to various issues, among them their complexity in terms of the number of interacting components, their parallelism, the difference of the considered time scales (continuous or discrete), and the distance between the various theoretical concepts and results that allow the study of different aspects of their behaviors, and the design of controllers.

A currently very active research direction focuses on the models and techniques that allow the automatic use of formal methods. In the field of verification, this concerns in particular the technique of model checking. The verification takes place after the design phase, and requires, in case of problematic diagnostics, expensive backtracks on the specification. We want to provide a more constructive use of formal models, employing them to derive correct executives by formal computation and synthesis, integrated in a compilation process. We therefore use models throughout the design flow from specification to implementation, in particular by automatic generation of embeddable executives.

Applicative needs initially come from the fields of safety-critical systems (avionics, energy) and complex systems (telecommunications), embedded in an environment with which they strongly interact (comprising aspects of computer science and control theory). Fields with less criticality, or which support variable degrees of quality of service, such as in the multi-media domain, can also take advantage of methodologies that improve the quality and reliability of software, and reduce the costs of test and correction in the design.

Industrial acceptance, the dissemination, and the deployment of the formal techniques inevitably depend on the usability of such techniques by specialists in the application domain — and not in formal techniques themselves — and also on the integration in the whole design process, which concerns very different problems and techniques. Application domains where the actors are ready to employ specialists in formal methods or advanced control theory are still uncommon. Even then, design methods based on the systematic application of these theoretical results are not ripe. In fields like industrial control, where the use of PLC (Programmable Logic Controller ) is dominant, this question can be decisive.

Essential elements in this direction are the proposal of realistic formal models, validated by experiments, of the usual entities in control theory, and functionalities (
*i.e.*, algorithms) that correspond indeed to services useful for the designer. Take, for example, the compilation and optimization taking into account the platforms of execution,
the possible failures, or the interactions between the defined automatic control and its implementation. A notable example for the existence of an industrial need is the activity of the
Athyscompany (now belonging to
Dassault
Systemes) concerning the development of a specialized programming environment,
CellControl, which integrates synchronous tools for compilation and verification, tailored to the application domain. In these areas, there are
functionalities that commercial tools do not have yet, and to which our results contribute.

We are proposing effective trade-offs between, on the one hand, expressiveness and formal power, and on the other hand, usability and automation. We focus on the area of specification and construction of correct real-time executives for discrete and continuous control, while keeping an interest in tackling major open problems, relating to the deployment of formal techniques in computer science, especially at the border with control theory. Regarding the applications, we propose new automated functionalities, to be provided to the users in integrated design and programming environments.

The overall consistency of our approach comes from the fact that the main research directions address, under different aspects, the specification and generation of safe real-time control
executives based on
*formal models*.

We explore this field by linking, on the one hand, the techniques we use, with on the other hand, the functionalities we want to offer. We are interested in questions related to:

We investigate two main directions: (i) compositional analysis and design techniques; (ii) adapter synthesis and converter verification.

Programming for embedded real-time systems is considered within Pop Artalong three axes: (i) synchronous programming languages, (ii) aspect-oriented programming, (iii) static analysis (type systems, abstract interpretation, ...).

Here we address the following research axes: (i) static multiprocessor scheduling for fault-tolerance, (ii) multi-criteria scheduling for reliability, (iii) automatic program transformations, (iv) formal methods for fault-tolerant real-time systems.

The creation of easily usable models aims at giving the user the role rather of a pilot than of a mechanics
*i.e.*, to offer her/him pre-defined functionalities which respond to concrete demands, for example in the generation of fault tolerant or distributed executives, by the intermediary
use of dedicated environments and languages.

The proposal of validated models with respect to their faithful representation of the application domain is done through case studies in collaboration with our partners, where the typical multidisciplinarity of questions across control theory and computer science is exploited.

Component-based construction techniques are crucial to overcome the complexity of embedded systems design. However, two major obstacles need to be addressed: the heterogeneous nature of the models, and the lack of results to guarantee correction of the composed system.

The heterogeneity of embedded systems comes from the need to integrate components using different models of computation, communication, and execution, at different levels of abstraction and different time scales. The BIP component framework has been designed, in cooperation with Verimag, to support this heterogeneous nature of embedded systems.

Our work focuses on the underlying analysis and construction algorithms, in particular compositional techniques and approaches ensuring correctness by construction (adapter synthesis, strategy mapping). This work is motivated by the strong need for formal, heterogeneous component frameworks in embedded systems design.

Programming for embedded real-time systems is considered along three directions: (i) synchronous programming languages to implement real-time systems; (ii) aspect-oriented programming to specify non-functional properties separately from the base program; (iii) abstract interpretation to ensure safety properties of programs at compile time. We advocate the need for well defined programming languages to design embedded real-time systems with correct-by-construction guarantees, such as bounded time and bounded memory execution. Our original contribution resides in programming languages inheriting features from both synchronous languages and functional languages. We contribute to the compiler of the Heptagonlanguage (whose main inventor is Marc Pouzet, ENS Uml, Parkasteam), the key features of which are: data-flow formal synchronous semantics, strong typing, modular compilation. In particular, we are working on type systems for the clock calculus and the spatial modular distribution.

The goal of Aspect-Oriented Programming (AOP) is to isolate aspects (such as security, synchronization, or error handling) that cross-cut the program basic functionality and whose
implementation usually yields tangled code. In AOP, such aspects are specified
*separately*and integrated into the program by an automatic transformation process called
*weaving*. Although this paradigm has great practical potential, it still lacks formalization, and undisciplined uses make reasoning on programs very difficult. Our work on AOP addresses
these issues by studying foundational issues of AOP (semantics, analysis, verification) and by considering domain-specific aspects (availability or fault tolerance aspects) as formal
properties.

Finally, the aim of the verification activity in Pop Artis to check safety properties on programs, with emphasis on the analysis of the values of data variables (numerical variables, memory heap), mainly in the context of embedded and control-command systems that exibit concurrency features. The applications are not only the proof of functional properties on programs, but also test selection and generation, program transformation, controller synthesis, and fault-tolerance. Our approach is based on abstract interpretation, which consists in inferring properties of the program by solving semantic equations on abstract domains. Much effort is spent on implementing developed techniques in tools for experimentation and diffusion.

Embedded systems must often satisfy safety critical constraints. We address this issue by providing methods and algorithms to design embedded real-time systems with guarantees on their fault-tolerance and/or reliability level.

A first research direction concerns static multiprocessor scheduling of an application specification on a distributed target architecture. We increase the fault-tolerance level of the
system by replicating the computations and the communications, and we schedule the redundant computations according to the faults to be tolerated. We also optimize the schedule
*w.r.t.*several criteria, including the schedule length, the reliability, and the power consumption.

A second research direction concerns the fault-tolerance management, by reconfigurating the system (for instance by migrating the tasks that were running on a processor upon the failure of this processor) following objectives of fault-tolerance, consistent execution, functionality fulfillment, boundedness and optimality of response time. We base such formal methods on discrete controller synthesis.

A third research direction concerns AOP to weave fault-tolerance aspects in programs and electronic circuits (seen as synthesizable HDL programs) as mentioned in the previous section.

Our applications are in the embedded system area, typically: robotics, automotive, telecommunications, systems on chip (SoC). In some areas, safety is critical, and motivates the investment in formal methods and techniques for design. But even in less critical contexts, like telecommunications and multimedia, these techniques can be beneficial in improving the efficiency and the quality of designs, as well as the cost of the programmation and the validation processes.

Industrial acceptance of formal techniques, as well as their deployment, goes necessarily through their usability by specialists of the application domain, rather than of the formal
techniques themselves. Hence our orientation towards the proposal of domain-specific (but generic) realistic models, validated through experience (
*e.g.*, control tasks systems), based on formal techniques with a high degree of automation (
*e.g.*, synchronous models), and tailored for concrete functionalities (
*e.g.*, code generation).

The commercially available design tools (such as
UMLwith real-time extensions,
Matlab/
Simulink/ d
Space

Regarding the synchronous approach, commercial tools are available:
Scade

Regarding applications and case studies with industrial end-users of our techniques, we cooperate with STMicroelectronics on two topics: (i) compositional analysis and abstract interpretation for the TLM-based System-on-Chip design flow, and (ii) dynamic data-flow models of computation for streaming applications.

NBac(Numerical and Boolean Automaton Checker)

NBacis connected to two input languages: the synchronous dataflow language Lustre, and a symbolic automaton-based language, AutoC/Auto, where a system is defined by a set of symbolic hybrid automata communicating via valued channels. It can perform reachability analysis, co-reachability analysis, and combination of the above analyses. The result of an analysis is either a verdict to a verification problem, or a set of states together with a necessary condition to stay in this set during an execution. NBacis founded on the theory of abstract interpretation.

It has been used for verification and debugging of
Lustreprograms
. It is connected to the
Lustretoolset

The BIP component model (Behavior, Interaction model, Priority) has been designed to support the construction of heterogeneous embedded systems involving different models of computation, communication, and execution, at different levels of abstraction. By separating the notions of behavior, interaction model, and execution model, it enables both heterogeneous modeling, and separation of concerns.

The verification and design tool Prometheus implements the BIP component framework. Prometheus is regularly updated to implement new developments in the framework and the analysis algorithms. It has allowed us to carry out several complex case studies from the system-on-chip and bioinformatics domains .

We have been cooperating for several years with the
Inriateam
Aoste(
InriaSophia-Antipolis and Rocquencourt) on the topic of fault tolerance and reliability of safety critical embedded systems. In particular, we have
implemented several new heuristics for fault tolerance and reliability within their software
SynDEx
*i.e.*, buses)
. Our second scheduling heuristic is multi-criteria: it produces a
static schedule multiprocessor schedule such that the reliability is maximized, the power consumption is minimized, and the execution time is minimized
. Our results on fault tolerance are summarized in a web page

The
Apronlibrary

The Apronlibrary aims to provide:

a uniform API for existing numerical abstract domains;

a higher-level interface to the client tools, by factorizing functionalities that are largely independent of abstract domains.

From an abstract domain designer point of view, the benefits of the Apronlibrary are:

the ability to focus on core, low-level functionalities;

the help of generic services adding higher-level services for free.

For the client static analysis community, the benefits are a unified, higher-level interface, which allows experimenting, comparing, and combining abstract domains.

In 2011, the Taylor1plus domain , which is the underlying abstract domain of the tool Fluctuat has been improved. Glue code has also been added to enable the connection of an abstract domain implemented in OCaml to the Aproninfrastructure written in C (this requires callbacks from C to OCaml that are safe w.r.t. garbage collection). This will enable the integration in Apronof the MaxPlus polyhedra library written by X. Allamigeon in the context of the ANR Asoptproject.

The
BddApronlibrary

The
Apronlibrary (Fig.
) is written in ANSI C, with an object-oriented and thread-safe design. Both
multi-precision and floating-point numbers are supported. A wrapper for the
Ocamllanguage is available, and a C++ wrapper is on the way. It has been distributed since June 2006 under the LGPL license and available at
http://

The BddApronlibrary is written in Ocaml, using polymorphism features of Ocamlto make it generic. It is also thread-safe. It provides two different implementations of the same domain, each one presenting pros and cons depending on the application. It is currently used by the ConcurInterprocinterprocedural and concurrent program analyzer.

We have developed LoCa, a new prototype tool written in Scala that implements the analysis of logical causality described in . LoCacurrently supports causality analysis in Bip. The core analysis engine is implemented as an abstract class, such that support for other models of computation (MOC) can be added by instantiating the class with the basic operations of the MOC.

We have developed a software tool chain to allow the specification of models, the controller synthesis, and the execution or simulation of the results. It is based on existing synchronous
tools, and thus consists primarily in the use and integration of
Sigali

Useful component templates and relevant properties can be materialized, on one hand by libraries of task models, and, on the other hand, by properties and synthesis objectives.

Rapture*à la*CSP. Processes can also manipulate local and global variables of finite type. Probabilistic reachability properties are specified by defining two sets of initial and final states
together with a probability bound. The originality of the tool is to provide two reduction techniques that limit the state space explosion problem: automatic abstraction and refinement
algorithms, and the so-called essential states reduction.

These analyzers and libraries are of general use for people working in the static analysis and abstract interpretation community, and serve as an experimental platform for the ANR project ASOPT (see § ).

a generic fix-point engine written in Ocaml. It allows the user to solve systems of fix-point equations on a lattice, using a parameterized strategy for the iteration order and the application of widening. It also implements recent techniques for improving the precision of analysis by alternating post-fixpoint computation with widening and descending iterations in a sound way .

a simple interprocedural static analyzer that infers properties on the numerical variables of programs in a toy language. It is aimed at demonstrating the use of the
previous library and the above-described
Apronlibrary, and more generally at disseminating the knowledge in abstract interpretation. It is also deployed through a web-interface

extends Interproc with concurrency, for the analysis of multithreaded programs interacting via shared global variables. It is also deployed through a web-interface

extends Interproc with pointers to local variables. It is also deployed through a web-interface

Heptagonis a dataflow synchronous language, inspired from
Lucid Synchrone

Heptagonhas been used to built BZR

For autonomous critical real-time embedded systems (e.g., satellite), guaranteeing a very high level of reliability is as important as keeping the power consumption as low as possible. We
have designed an off-line scheduling heuristics which, from a given software application graph and a given multiprocessor architecture (homogeneous and fully connected), produces a static
multiprocessor schedule that optimizes three criteria: its
*length*(crucial for real-time systems), its
*reliability*(crucial for dependable systems), and its
*power consumption*(crucial for autonomous systems). Our tricriteria scheduling heuristics,
**TSH**, uses the
*active replication*of the operations and the data-dependencies to increase the reliability, and uses
*dynamic voltage and frequency scaling*to lower the power consumption
. By running TSH on a single problem instance, we are able to
provide the Pareto front for this instance in 3D, therefore exposing the user to several tradeoffs between the power consumption, the reliability and the execution time. Thanks to
extensive simulation results, we have shown how TSH behaves in practice. Firstly, we have compared TSH versus an optimal Mixed Linear Integer Program on small instances; the experimental
results show that TSH behaves very well compared to the the ILP. Secondly, we have compared TSH versus the ECS heuristic (Energy-Conscious Scheduling
); the experimental results show that TSH performs systematically
better than ECS.

This is a joint work with Ismail Assayad (U. Casablanca, Morocco) and Hamoudi Kalla (U. Batna, Algeria), who both visit the team regularly.

In collaboration with Emil Dumitrescu (INSA Lyon), Hervé Marchand (
Vertecsteam from Rennes), and Eric Rutten (
Sardesteam from Grenoble), we have defined a complete framework for the
*automatic*design of fault tolerant embedded systems, based on discrete controller synthesis (DCS)
. Its interest lies in the ability to obtain automatically systems
satisfying by construction formal properties specified
*a priori*. Our aim is to demonstrate the feasibility of this approach for fault tolerance. We start with a fault intolerant program, modeled as the synchronous parallel composition of
finite labeled transition systems. We specify formally a fault hypothesis, state fault tolerance requirements and use DCS to obtain automatically a program having the same behavior as the
initial fault intolerant one in the absence of faults, and satisfying the fault tolerance requirements under the fault hypothesis. Our original contribution resides in the demonstration that
DCS can be elegantly used to design fault tolerant systems, with guarantees on key properties of the obtained system, such as the fault tolerance level, the satisfaction of quantitative
constraints, and so on. We have shown with numerous examples taken from case studies that our method can address different kinds of failures (crash, value, or Byzantine) affecting different
kinds of hardware components (processors, communication links, actuators, or sensors). Besides, we have shown that our method also offers an optimality criterion very useful to synthesize
fault tolerant systems compliant to the constraints of embedded systems, like power consumption or execution times. In summary, our framework for fault tolerance has the following
advantages
:

The
**automation**, because DCS produces automatically a fault tolerant system from an initial fault intolerant one.

The
**separation of concerns**, because the fault intolerant system can be designed independently from the fault tolerance requirements.

The
**flexibility**, because, once the system is entirely modeled, it is easy to try several fault hypotheses, several environment models, several fault tolerance goals, several degraded
modes, and so on.

The
**safety**, because, in case of positive result obtained by DCS, the specified fault tolerance properties are guaranteed by construction on the controlled system.

The
**optimality**when optimal synthesis is used, modulo the potential numerical equalities (hence a non strict optimality). We consider weights cumulated along bounded-length paths. We
have adapted our models in order to take into account the additive costs of,
*e.g.*, execution time or power consumption, and adapting synthesis algorithms in order to support the association of costs with transitions, and the handling of these new cost
functions in the optimal synthesis
.

We therefore combine, on the one hand, guarantees on the safety of the execution by tolerating faults, and on the other hand, guarantees on the worst cumulated consumption of the resulting
dynamically reconfiguring fault tolerant system. Recently, we have incorporated multi-criteria optimization results in this work, to take into account
*several*weight functions: for instance the execution costs of several tasks, the execution of which must be controlled thanks to DCS. We therefore propose several synthesis algorithms,
to aggregate the costs into a single cost function, to hierarchize the costs (
*e.g.*, to reflect the priorities of the tasks), or to compute the Pareto front of non-dominated solutions.

The use of discrete abstractions for continuous dynamics has become standard in hybrid systems design (see e.g. and the references therein). The main advantage of this approach is that it offers the possibility to leverage controller synthesis techniques developed in the areas of supervisory control of discrete-event systems . The first attempts to compute discrete abstractions for hybrid systems were based on traditional systems behavioral relationships such as simulation or bisimulation, initially proposed for discrete systems most notably in the area of formal methods. These notions require inclusion or equivalence of observed behaviors which is often too restrictive when dealing with systems observed over metric spaces. For such systems, a more natural abstraction requirement is to ask for closeness of observed behaviors. This leads to the notions of approximate simulation and bisimulation introduced in .

These notions enabled the computation of approximately equivalent discrete abstractions for several classes of dynamical systems, including nonlinear control systems with or without disturbances, and switched systems. These approaches are based on sampling of time and space where the sampling parameters must satisfy some relation in order to obtain abstractions of a prescribed precision. In particular, the smaller the time sampling parameter, the finer the lattice used for approximating the state-space; this may result in abstractions with a very large number of states when the sampling period is small. However, there are a number of applications where sampling has to be fast; though this is generally necessary only on a small part of the state-space.

These abstractions allow us to use multiscale iterative approaches for controller synthesis as follows. An initial controller is synthesized based on the dynamics of the abstraction at the coarsest scale where only transitions of longer duration are enabled. An analysis of this initial controller allows us to identify regions of the state-space where transitions of shorter duration may be useful (e.g. to improve the performance of the controller). Then, the controller is refined by enabling transitions of shorter duration in the identified regions. The last two steps can be repeated until we are satisfied with the obtained controller.

Our motivation w.r.t. DCS concerns its modular application, improving the scalability of the technique by using contract enforcement and abstraction of components. Moreover, our aim is to integrate DCS into a compilation chain, and thereby improve its usability by programmers, not experts in discrete control. This work has been implemented into the Heptagon/BZR language and compiler . This work is done in collaboration with Hervé Marchand ( Vertecsteam from Rennes) and Éric Rutten ( Sardesteam from Grenoble).

The implemented tool allows the generation of the synthesized controller under the form of an Heptagonnode, which can in turn be analyzed and compiled, together with the Heptagonsource from which it has been generated. This full integration allows this method to aim different target languages (currently C, Javaor VHDL), and its integrated use in different contexts.

A formal semantics of BZR has been defined, taking into account its underlying nondeterminism related to the presence of controllable variables.

This language has been used in different contexts. In
, BZR is used for the generation of discrete handlers of real-time
continuous control tasks, in the framework of the ORCCAD

Synchronous programming languages describe functionally centralized systems, where every value, input, output, or function is always directly available for every operation. However, most
embedded systems are nowadays composed of several computing resources. The aim of this work is to provide a language-oriented solution to describe
*functionally distributed reactive systems*. This research is conducted within the INRIA large scale action
Synchronicsand is a joint work with Marc Pouzet (ENS,
Parkasteam from Rocquencourt) and Xavier Nicollin (Grenoble INP,
Verimaglab).

We are working on type systems to formalize, in a uniform way, both the clock calculus and the location calculus of a synchronous data-flow programming language (the
Heptagonlanguage, inspired from
Lucid Synchrone
). On one hand, the clock calculus infers the clock of each
variable in the program and checks the clock consistency: e.g., a time-homogeneous function, like
`+`, should be applied to variables with identical clocks. On the other hand, the location calculus infers the spatial distribution of computations and checks the spatial consistency:
e.g., a centralized operator, like
`+`, should be applied to variables located at the same location. Compared to the PhD of Gwenaël Delaval
,
, the goal is to achieve
*modular*distribution. By modular, we mean that we want to compile each function of the program into a single function capable of running on any computing location. We make use of our
uniform type system to express the computing locations as first-class abstract types, exactly like clocks, which allows us to compile a typed variable (typed by both the clock and the
location calculi) into
`if ... then ... else ...`structures, whose conditions will be valuations of the clock and location variables.

We currently work on an example of software-defined radio. We have shown on this example how to use a modified clock calculus to describe the localisation of values as clocks, and the architecture as clocks (for the computing resources) and their relations (for communication links).

With the objective to distribute synchronous data-flow programs (e.g. LUSTRE) over GALS architectures, preserving only explicitly specified properties, we have developed a quantitative clock calculus to (1) describe timing properties of the architecture's clock domain, and (2) describe the properties of the synchronous program to be preserved. The clock calculus is inspired by the network calculus , with the difference that clocks are described only with respect to one-another, not with respect to real-time.

As a first result, we have applied our clock calculus to analyze the properties of periodic synchronous data-flow programs executed on a network of processors. Because our clock calculus is relational, it can model and preserve correlated variations of streams. In particular, the common case of a data-flow system that splits a stream for separate treatment, and joins them afterwards, this analysis yields more precise result than comparable methods.

We aim to extend the analysis to account for shared resources and synchronization protocols, so as to distribute synchronous programs preserving specified properties.

In collaboration with Avinash Malik (IBM Watson) and Zoran Salcic (University of Auckland), we have designed the
SystemJprogramming language
, which implements the Globally Asynchronous Locally Synchronous
(GALS) Model of Computation (MoC) over
Java. In a nutshell,
SystemJuses the notion of
*clock domains*(CD) to design portions of the system that must operate at unrelated clocks. CDs communicate with each other via asynchronous rendez-vous. Then, a CD consists of one or
several
*reactions*, which react synchronously in lock-step and communicate with each other via synchronous broadcast of signals. Finally, all the data computations are implemented in
Java.

We have further extended
SystemJto allow programmers to design
*dynamic*GALS systems: this is the new language
DSystemJ
,
, aimed at dynamic distributed systems that use socket based
communication protocols for communicating between components.
DSystemJallows the creation and control at runtime of CDs, their mobility on a distributed execution platform, as well as the runtime
reconfiguration of the system’s functionality and topology. We have defined the formal semantics of
DSystemJ, based on the Dynamic GALS MoC: it offers very safe mechanisms for implementation of distributed systems, as well as potential for their
formal verification. The runtime support is implemented in the
SystemJlanguage, which can as such be considered as a static subset of
DSystemJ.

This work has been done within the Afmesassociated team with the Electric and Computer Engineering Department of the University of Auckland.

Typical safety critical embedded applications, ranging from complex aircraft flight controllers to embedded health devices require worst case guarantees on their timing behavior. The problem is that general-purpose processors, being highly speculative, are intrinsically non-deterministic, and thus are not ideally suited for implementing such systems: either the computed worst-case execution time is highly pessimistic, or heroic efforts are required to accurately model the caches, pipeline, and speculative execution . For similar reasons, using an RTOS to guarantee the determinism of a program’s behavior, along with temporal guarantees, is not feasible. The ability to analyze temporal bounds is dependent on the selected programming language, compiler tool chain, operating system, and the target hardware.

To alleviate these problems, we have defined a synchronous variant of C called PRET-C, together with Sidharta Andalam and Partha Roop (University of Auckland). PRET-C offers constructs for reactive inputs/outputs; it supports a notion of logical time, synchronous concurrency, and preemption . We have also designed the ARPRET architecture for efficient and predictable execution of PRET-C. ARPRET inherits from the long lasting research effort on reactive processors conducted at the University of Auckland. Finally, all timing constraints are precisely verified using a Worst Case Reaction Time (WCRT) analyzer. While there has been a considerable body of work on the timing analysis of procedural programs , such analysis for synchronous programs has received less attention. Current state-of-the-art analyses for synchronous programs use integer linear programming (ILP) combined with path pruning techniques to achieve tight results. These approaches first convert a concurrent synchronous program into a sequential program. ILP constraints are then derived from this sequential program to compute the longest tick length. For PRET-C, we have proposed an alternative approach based on model checking . Unlike conventional programs, synchronous programs are concurrent and state-space oriented, making them ideal for model checking based analysis. Our analysis of the abstracted state-space of the program is combined with expressive data-flow information, to facilitate effective path pruning. We have demonstrated through extensive experimentation that the proposed approach is both scalable and about 67% tighter compared to the existing approaches (namely Protothreads and SC ).

This overall framework provides an ideal platform for designing and verifying precision timed real-time systems. It has been conducted within the Afmesassociated team with the Electric and Computer Engineering Department of the University of Auckland, and is the topic of the PhD of Sidharta Andalam.

Recent data-flow programming environments support applications whose behavior is characterized by dynamic variations in resource requirements. The high expressive power of the underlying
models (
*e.g.*, Kahn Process Networks, the CAL actor language) makes it challenging to ensure predictable behavior. In particular, checking
*liveness*(
*i.e.*, no part of the system will deadlock) and
*boundedness*(
*i.e.*, the system can be executed in finite memory) is known to be hard or even undecidable for such models. This situation is troublesome for the design of high-quality embedded
systems.

We have introduced the
*schedulable parametric data-flow (SPDF)*model of computation (MoC) for dynamic streaming applications
,
,
,
,
. SPDF extends the standard data flow model by allowing rates to
be parametric (
*e.g.*, of the form

We are now considering other kinds of analyses for this new data-flow MoC. The objective of these analyses is to generate distributed schedules optimizing both the power consumption and the execution time of applications. The targeted hardware is P2012, a new embedded many-core platform designed by STMicroelectronics consisting of several clusters (9 in the current implementation) interconnected through a 2D mesh asynchronous NoC. Each cluster comprises 16 identical computing cores and is equipped with a hardware mechanism for DVFS (dynamic voltage and frequency scaling). As a first step, we have studied energy efficient scheduling of simple data-flow graphs for that platform . The next step is to extend the approach to SPDF.

This line of research will be followed in the PhD thesis of Vagelis Bebelis which has just started. It will be conducted in collaboration with STMicroelectronics.

Hybrid systems are used to model embedded computing systems interacting with their physical environment. There is a conceptual mismatch between high-level hybrid system languages like Simulink, which are used for simulation, and hybrid automata, the most suitable representation for safety verification. Indeed, in simulation languages the interaction between discrete and continuous execution steps is specified using the concept of zero-crossings, whereas hybrid automata exploit the notion of staying conditions.

In the context of the Inrialarge scale action Synchronics(see § ), we studied how to translate the Zelushydrid data-flow language developped in this project into logico-numerical hybrid automata by carefully pointing out this issue. We investigated various zero-crossing semantics, proposed a sound translation, and discussed to which extent the original semantics is preserved. This work has been accepted to the conference HSCC'2012 (Hybrid Systems: Computation and Control).

This work is part of the PhD thesis of Peter Schrammel.

Acceleration methods are used for computing precisely the effects of loops in the reachability analysis of counter machine models. Applying these methods to synchronous data-flow programs with Boolean and numerical variables, e.g., Lustreprograms, firstly requires the enumeration of the Boolean states in order to obtain a control graph with numerical variables only. Secondly, acceleration methods have to deal with the non-determinism introduced by numerical input variables.

Concerning the latter problem, we pushed further the work presented in
that extended the concept of abstract acceleration of Gonnord et
al.
,
to numerical input variables, and we wrote a journal version
. The original contributions of
compared to
is abstract
*backward*acceleration (for backward analysis) and a detailed comparison of the abstract acceleration approach with the derivative closure approach of
, which is related to methods based on transitive closures of
relations.

We then worked more on the first point, which is to apply acceleration techniques to data-flow programs without resorting to an exhaustive enumeration of Boolean states. To this end, we
introduced (1)
*logico-numerical abstract acceleration methods*for CFGs with Boolean and numerical variables and (2) partitioning techniques that make logical-numerical abstract acceleration effective.
Experimental results showed that incorporating these methods in a verification tool based on abstract interpretation provides not only significant advantage in terms of accuracy, but also a
gain in performance in comparison to standard techniques. This work was published in
.

This line of work is part of the PhD thesis of Peter Schrammel.

Abstract interpretation formalizes two kind of approximations that can be done in the static analysis of programs:

Static approximations, defined by the choice of an abstract domain of abstract properties (for instance, intervals or convex polyhedra that approximates set of points
in numerical spaces), and the definition of sound approximations in this domain of concrete operations (variable assignments, tests, ...). These abstract properties and operations are
substitutes to the concrete properties and operations defined by the semantics of the analyzed program. This stage results into a abstract fixpoint equation
*Kleene iteration*, which consists in computing the sequence

Dynamic approximations, that makes the Kleene iteration sequence converge in finite time by applying an extrapolation operator called
*widening*and denoted with

The problem addressed here is that the extrapolation performed by widening often loses crucial information for the analysis goal.

A classical technique for improving the precision is “widening with thresholds”, which bounds the extrapolation. The idea is to parameterize
*threshold constraints*, and to keep in the result

The benefit of this refinement strongly depends on the choice of relevant thresholds. In , we proposed a semantic-based technique for automatically inferring such thresholds, which applies to any control graph, be it intraprocedural, interprocedural or concurrent, without specific assumptions on the abstract domain. Despite its technical simplicity, we showed that our technique is able to infer the relevant thresholds in many practical cases.

Another direction we investigated for solving the fix-point equation
*Policy Iteration*, which is a method for the exact solving of optimization and game theory problems, formulated as equations on min max affine expressions. In this context, a
*policy*
*Policy iteration*iterates on policies rather than iterating the application of

We first investigated the integration of the concept of Policy Iteration in a generic way into existing numerical abstract domains. We implemented it in the Apronlibrary (see module ). This allows the applicability of Policy Iteration in static analysis to be considerably extended.

In particular we considered the verification of programs manipulating Boolean and numerical variables, and we provided an efficient method to integrate the concept of policy in the logico-numerical abstract domain BddApronthat mixes Boolean and numerical properties (see module ). This enabled the application of the policy iteration solving method to much more complex programs, that are not purely numerical any more. This work was published in .

We also studied the analysis of imperative programs. Even if it is preferable to analyze embedded systems described in higher-level languages such as synchronous languages, it is also useful to be able to analyze C programs. Moreover, it enables a wider diffusion of the analysis techniques developed in the team.

This work is a step in the project of connecting the C language to our analysis tool Interproc/ ConcurInterproc(see section ). The starting point is the connection made by the industrial partner EADS-IW in the context of the ANR project ASOPT (§ ) from a subset of the C language to Interproc. This translation uses the Newspeakintermediate language promoted by EADS .

The problem addressed here is that the C language does not have a specific Boolean type: Boolean values are encoded with integers. This is also true for enumerated types, that may be freely and silently cast to and from integers. On the other hand, our verification tool Interprocthat infers the possible values of variables at each program point may benefit from the information that some integer variables are used solely as Boolean or as enumerated type variables, or more generally as finite type variables with a small domain. Indeed, specialized and efficient symbolic representations such as BDDs are used for representing properties on such variables, whereas approximated representations like intervals and octagons are used for larger domain integers and floating-points variables.

Driven by this motivation, we proposed in
a static analysis for inferring more precise types for the
variables of a C program, corresponding to their effective use. The analysis addresses a subset of the C99 language, including pointers, structures and dynamic allocation. The principle of
the method is very different from type inference techniques used in functional programming languages such as ML, where the types are inferred from the context of use. Instead, our analysis
can be seen as a simple points-to analysis, followed by a disjunction version of a constant propagation analysis, and terminated by a program transformation that generates a strongly typed
program. Fig.
illustrates this process. On this example, we discover that the program is a
finite-state one, to which
*exact*analysis technique can be applied.

This work addressed the problem of interprocedural analysis when side-effect are performed on the stack containing local variables. Indeed, in any language with procedures calls and pointers as parameters (C, Ada) an instruction can modify memory locations anywhere in the call-stack. The presence of such side effects breaks most generic interprocedural analysis methods, which assume that only the top of the stack may be modified. In we presented a method that addresses this issue, based on the definition of an equivalent local semantics in which writing through pointers has a local effect on the stack. Our second contribution in this context is an adequate representation of summary functions that models- the effect of a procedure, not only on the values of its scalar and pointer variables, but also on the values contained in pointed memory locations. Our implementation in the interprocedural analyzer PInterproc(see § ) results in a verification tool that infers relational properties on the value of Boolean, numerical, and pointer variables.

We have proposed and implemented a formal incremental converter-generation algorithm for system-on-chip (SoC) designs. The approach generates a converter, if one exists, to control the interaction between multiple intellectual property (IP) protocols with possible control and data mismatches, and allows pre-converted systems to be re-converted with additional IPs in the future. IP protocols are represented using labeled transition systems (LTS), a simple but elegant abstraction framework which can be extracted from and converted to standard IP description languages such as VHDL. The user can provide control properties, each stated as an LTS with accepting states, to describe desired aspects of the converted system, including fairness and liveness. Furthermore, data specifications can be provided to bound data channels between interacting IPs such that they do not over/under flow. The approach takes into account the uncontrollable environment of a system by allowing users to identify signals exchanged between the SoC and the environment, which the converter can neither suppress nor generate.

Given these inputs, the conversion algorithm first computes the reachable state-space of a maximal non-deterministic converter that ensures (i) the satisfaction of the given data specifications and (ii) the trace equivalence with the given control specifications, using a greatest fix-point computation. It then checks, using the standard algorithm for Büchi games, whether the converter can ensure the satisfaction of the given control specifications (reachability of accepting states) regardless of how the environment behaves. If this is found to be true, deterministic converters can be automatically generated from the maximal non-deterministic converter generated during the first step. The algorithm is proven to be sound and complete, with a polynomial complexity in the state-space sizes of given IP protocols and specifications. It is also shown that it can be used for incremental design of SoCs, where IPs and specifications are added to an SoC in steps. Incremental design allows to constrain the combinatorial explosion of the explored state-space in each step, and also reduces on-chip wire congestion by decentralizing the conversion process.

A Java implementation has been created, and experimental results show that the algorithm can handle complex IP mismatches and specifications in medium to large AMBA based SoC systems. Future work involves creating a library of commonly-encountered specifications in SoC design such as sharing of control signals between interacting IPs using buffers, signal lifespans, and the generation of optimal converters based on quantitative criteria such as minimal power usage.

This work has been done within the Afmesassociated team with the Electric and Computer Engineering Department of the University of Auckland.

Establishing liabilities in case of litigation is generally a delicate matter. It becomes even more challenging when IT systems are involved. Generally speaking, a party can be declared liable for a damage if a fault can be attributed to that party and this fault has caused the damage. The two key issues are thus to establish convincing evidence with respect to (1) the occurrence of the fault and (2) the causality relation between the fault and the damage. The first issue concerns the technique used to log the relevant events of the system and to ensure that the logs can be produced (and have some value) in court. The second issue is especially complex when several faults are detected in the logs and the impact of these faults on the occurrence of the failure has to be assessed. In we have focused on this second issue and proposed a formal framework for reasoning about causality. A system based on this framework could be used to provide relevant information to the expert, the judge, or the parties themselves (in case of amicable settlement) to analyze the origin of the failure of an IT system.

The notion of causality has been studied for a long time in computer science, but with very different perspectives and goals. In the distributed systems community, causality (following
Lamport's seminal paper
) is seen essentially as a temporal property. In our context, the
temporal ordering contributes to the analysis, but it is obviously not sufficient to establish the
*logical causality*required to rule on a matter of liability: the fact that an event

Our formal model is based on components interacting according to well identified
*interaction models*
. Each component is associated with an individual
*contract*which specifies its expected behavior. The system itself is associated with a
*global contract*which is assumed to be implied by the composition of the individual contracts.

We are currently extending to framework to other models of computation and communication, in particular, to timed automata.

Choreography specification languages describe from a global point of view interactions among a set of services in a system to be designed. Given a choreography specification, the goal is
to obtain a distributed implementation of the choreography as a system of communicating peers. These peers can be given as input (
*e.g.*, obtained using discovery techniques) or automatically generated by projection from the choreography. Checking whether some set of peers implements a choreography specification is
called
*realizability*. This check is in general undecidable if asynchronous communication is considered, that is, services interact through message buffers.

In we consider conversation protocols as a choreography specification language, and leverage a recent decidability result to check automatically the realizability of these specifications by a set of peers under an asynchronous communication model with a priori unbounded buffers.

The goal of Aspect-Oriented Programming (
AOP) is to isolate aspects (such as security, synchronization, or error handling) which cross-cut the program basic functionality and whose
implementation usually yields tangled code. In
AOP, such aspects are specified separately and integrated into the program by an automatic transformation process called
*weaving*.

Although this paradigm has great practical potential, it still lacks formalization and undisciplined uses make reasoning on programs very difficult. Our work on AOPaddresses these issues by studying foundational issues (semantics, analysis, verification) and by considering domain-specific aspects (availability, fault tolerance or refinement aspects) as formal properties.

Aspect Oriented Programming can arbitrarily distort the semantics of programs. In particular, weaving can invalidate crucial safety and liveness properties of the base program.

We have identified categories of aspects that preserve some classes of properties
. Our categories of aspects comprise, among others, observers,
aborters, and confiners. For example, observers do not modify the base program's state and control-flow (
*e.g.*, persistence, profiling, and debugging aspects). These categories are defined formally based on a language independent abstract semantic framework. The classes of properties
are defined as subsets of LTL for deterministic programs and CTL* for non-deterministic ones. We have formally proved that, for any program, the weaving of any aspect in a category preserves
any property in the related class.

In a second step, we have designed for each aspect category a specialized aspect language which ensures that any aspect written in that language belongs to the corresponding category. These languages preserve the corresponding classes of properties by construction.

This work was conducted in collaboration with Rémi Douence from the Ascola Inriateam at École des Mines de Nantes.

In the recent years, we have studied the implementation of specific fault tolerance techniques in real-time embedded systems using program transformation . We are now investigating the use of fault-tolerance aspects in digital circuits. To this aim, we consider program transformations for hardware description languages (HDL). Our goal is to design an aspect language allowing users to specify and tune a wide range of fault tolerance techniques, while ensuring that the woven HDL program remains synthesizable. The advantage would be to produce fault-tolerant circuits by specifying fault-tolerant strategies separately from the functional specifications.

We have reviewed the different fault tolerant techniques used in integrated circuits: concurrent error detection, error detecting and correcting codes (Hamming, Berger codes, ...), spatial
and time redundancy. We have designed a simple hardware description language inspired from Lustre and Lucid Synchrone. It is a core functional language manipulating synchronous boolean
streams. Faults are represented by bit flips and we take into account all fault models of the form “at most

Chemical programming describes computation in terms of a
*chemical*
*solution*in which molecules (representing data) interact freely according to
*reaction rules*(representing the program). Solutions are represented by multisets of elements and reactions by rewrite rules which consume and produce new elements according to
conditions. This paradigm makes it possible to express programs without artificial sequentiality in a very abstract way. It bridges the gap between specification and implementation
languages.

A drawback of chemical languages is that their very high-level nature usually leads to very inefficient programs. We have proposed a refinement oriented approach where the basic functionality is expressed as a chemical program whereas efficiency is achieved separately by:

structuring the multiset with a data type defining neighborhood relations;

describing the selection of elements according to their neighborhood;

specifying the evaluation strategy (
*i.e.*, the application of rules and termination).

Using these three implementation aspects (data structure, selection and strategy), the chemical program can then be refined automatically into an efficient low-level program. The crucial methodological advantage is that logical issues are decoupled from efficiency issues.

This research, that takes place within the AutoChemproject (see Section ), is done in collaboration with Jean-Louis Giavitto (Ircam, Paris). It is the subject matter of Marnes Hoff's PhD thesis.

STMicroelectronics, starting in 12/2011: CIFRE contract for the PhD of Vagelis Bebelis.

The AutoChemproject aims at investigating and exploring the use of chemical languages (see Section ) to program complex computing infrastructures such as grids and real-time deeply-embedded systems. The consortium includes InriaRennes – Bretagne Atlantique ( Paristeam, Rennes), InriaGrenoble – Rhône-Alpes ( Pop Artteam, Montbonnot), IBISC ( CNRS/Université d'Evry) and CEAList (Saclay). The project started at the end of 2007 and ended in November 2011.

The Asopt(Analyse Statique et OPTimisation) project [end of 2008-2011] brings together static analysis (INRIA- Pop Art, VERIMAG, CEA LMeASI), optimisation, and control/game theory experts (CEA LMeASI, INRIA-MAXPLUS) around some program verification problems. Pop Artis the project coordinator.

Many abstract interpretations attempt to find “good” geometric shapes verifying certain constraints; this not only applies to purely numerical abstractions (for numerical program variables), but also to abstractions of data structures (arrays and more complex shapes). This problem can often be addressed by optimisation techniques, opening the possibility of exploiting advanced techniques from mathematical programming.

The purpose of Asoptis to develop new abstract domains and new resolution techniques for embedded control programs, and in the longer run, for numerical simulation programs.

The Vedecyproject brings together hybrid systems and formal methods experts. Three partners are involved: Laboratoire Jean Kuntzmann (LJK), INRIA Pop Art, and VERIMAG.

Vedecyaims at pursuing fundamental research towards the development of algorithmic approaches to the verification and design of cyber-physical systems. Cyber-physical systems result from the integration of computations with physical processes: embedded computers control physical processes which in return affect computations through feedback loops. They are ubiquitous in current technology and their impact on lives of citizens is meant to grow in the future (autonomous vehicles, robotic surgery, energy efficient buildings, ...).

Cyber-physical systems applications are often safety critical and therefore reliability is a major requirement. To provide assurance of reliability, model based approaches and formal methods are appealing. Models of cyber-physical systems are heterogeneous by nature: discrete dynamic systems for computations and continuous differential equations for physical processes. The theory of hybrid systems offers a sound modeling framework for cyber-physical systems. The purpose of Vedecyis to develop hybrid systems techniques for the verification and the design of cyber-physical systems.

The Synchronics(Language Platform for Embedded System Design) project [mid-2008 to mid-2012] gathers 9 permanent researchers on the topic of embedded systems design: B. Caillaud ( InriaRennes – Bretagne Atlantique), A. Cohen, L. Mandel, and M. Pouzet (INRIA-Saclay and ENS Ulm), G. Delaval, A. Girault, and B. Jeannet ( InriaGrenoble – Rhône-Alpes), E. Jahier and P. Raymond (VERIMAG).

Synchronicscapitalizes on recent extensions of data-flow synchronous languages, as well as relaxed forms of synchronous composition or compilation techniques for various platform, to address two main challenges with a language-centered approach: (i) the co-simulation of mixed discrete-continuous specifications, and more generally the co-simulation of programs and properties (either discrete or continuous); (ii) the ability, inside the programming model, to account for the architecture constraints (execution time, memory footprint, energy, power, reliability, etc.).

Vertecsat InriaRennes – Bretagne Atlantique is working with us on applications of discrete controller synthesis, and in particular on the tool Sigali.

P. Fradet cooperates with R. Douence ( Ascola, École des Mines de Nantes) on aspect-oriented programming.

A. Girault cooperates with D. Trystram ( Moais, InriaGrenoble – Rhône-Alpes) on scheduling and dependability, with E. Rutten ( Sardes, InriaGrenoble – Rhône-Alpes) and H. Marchand ( Vertecs, InriaRennes – Bretagne Atlantique) on optimal discrete controller synthesis, and with A. Benoit, F. Dufossé and Y. Robert ( Graal, InriaGrenoble – Rhône-Alpes) on multi-criteria scheduling.

G. Goessler cooperates with D. Le Métayer ( Licit, InriaGrenoble – Rhône-Alpes) on logical causality and with G. Salaün ( Vasy, InriaGrenoble – Rhône-Alpes) on realizability of choreographies with asynchronous communication.

B. Jeannet cooperates with A. Miné and X. Rival ( Abstraction, InriaParis – Rocquencourt) and X. Allamigeon ( MaxPlus, InriaSaclay – Île-de-France) on static analysis and abstract interpretation.

G. Delaval cooperates with H. Marchand ( Vertecs, InriaRennes – Bretagne Atlantique) and É. Rutten ( Sardes, InriaGrenoble – Rhône-Alpes) on modular controller synthesis and its applications.

G. Delaval, A. Girault and B. Jeannet collaborate with the Parkasteam of ENS Ulm ( InriaParis – Rocquencourt) on the distribution of higher-order synchronous data-flow programs and on static analysis of hybrid programs.

P. Fradet cooperates with J.-L. Giavitto ( CNRS/Ircam) on refinement of chemical programs.

A. Girault collaborates with P. Roop, Z. Salcic, and S. Andalam (University of Auckland, New Zealand) and A. Malik (IBM Watson, USA) in the context of the Afmesassociated team, with H. Kalla (University of Batna, Algeria) and I. Assayad (University of Casablanca, Morocco) on multicriteria scheduling.

G. Goessler collaborates with A. Girard (LJK, Grenoble) on multi-scale controller synthesis, with J. Sifakis (EPFL) on distribution under real-time constraints, with J.-B. Raclet (IRIT, Toulouse) on modal contracts, with I. Lee and O. Sokolsky (U. of Pennsylvania) on causality analysis for medical devices, and with M. Bozga ( Verimag) and B. Bonakdarpour (U. of Waterloo, Canada) on fault tolerance in component-based systems.

A. Girault and G. Goessler collaborate with P. Roop (University of Auckland, New Zealand) on incremental converter synthesis.

B. Jeannet collaborates with N. Halbwachs and M. Péron ( Verimag), E. Goubault and S. Putot ( CEASaclay) on static analysis and abstract interpretation.

G. Delaval and A. Girault collaborate with X. Nicollin ( Verimag) on the automatic distribution of synchronous programs.

Program: Artemisia.

Project acronym:
Cesar

Project title: Cost-efficient methods and processes for safety relevant embedded systems.

Duration: January 2009 – April 2012.

Partners: There are 59 partners from academia and industry (both SMEs and large companies).

Abstract: We are particularly involved in the following sub-programs:

Task Force Safety 1.5.1 (State of the art survey on safety and diagnosability for cost-efficient safety critical emebedded systems) and 1.5.2 (Identification of requirements for comon cross domain core safety and diagnosability techniques and methods).

Requirements Engineering, along with two other Inriateams (S4 and Triskell, from InriaRennes). We shall work on contracts based design for traceability.

Title: Advanced Formal Methods for Embedded Systems.

INRIA principal investigator: Alain Girault.

International Partner:

Institution: University of Auckland (New Zealand).

Laboratory: Department of Electrical and Computer Engineering.

Principal investigator: Zoran Salcic.

Duration: January 2010 – December 2012.

See also:
http://

Embedded systems are characterized by several constraints, such as determinism and bounded reaction time. Accordingly, design methods for embedded systems should, when possible, guarantee these properties by construction. This allows the shifting of the burden of checking these constraints from the programmer to the design method and the associated compilers and code generation tools. In order to achieve this, our goal is to improve the existing design methods in several key directions: (1) Incremental converter synthesis. (2) Programming language for adaptive computing (SystemJ and beyond). (3) Time predictable programming language and execution architectures. Together, these advanced methods will provide a higher level of safety in the design of embedded systems.

Hamoudi Kalla, assistant professor at University of Batna, Algeria, September 2011.

Ismail Assayad, assistant professor at University of Casablanca, Morocco, September 2011.

Emmanouil Komninos, 02-07/2011, co-advised by Pascal Fradet and Alain Girault, Power consumption optimization of data-flow applications on many-core systems, MSc at KTH, Sweden.

Gwenaël Delaval was co-organizer of the international workshop SYNCHRON'11 (international open workshop on Synchronous Programming).

P. Fradet served in the external review committee of PLDI'2011 (
*ACM SIGPLAN conference on Programming Language Design and Implementation*). He was examiner for the PhD of Julien Tesson (University of Orléans).

Alain Girault served in the programme committees of the international conferences DATE'2011, DAC'2011, MEMOCODE'2011, LAFT'2011, MSR'2011, and APSIPA-ASC'2011. He was referee for the PhD of Alexandru Drobila (University of Besançon) and Mohamed Fellahi (University of Paris Sud), and examiner for the PhD of Fanny Duffossé (ENS Lyon).

Gregor Goessler served in the programme committees of the international conference DATE'2012 and of the international workshops FOCLASA'2011 and LAFT'2011.

Bertrand Jeannet served in the programme committee of the international conference DATE'2012. He was examiner for the PhD of Assalé Adjé (Ecole Polytechnique) and of Khalil Gorbhal (Ecole Polytechnique).

Marnes Hoff, co-advised by P. Fradet (with J.-L. Giavitto, Université d'Evry), since 04/2008 until 05/2011, PhD in computer science, Grenoble University.

Henri-Charles Blondeel, co-advised by P. Fradet and A. Girault, until 06/2011, PhD in computer science, Grenoble University.

Peter Schrammel, co-advised by B. Jeannet and A. Girault since 07/2009, PhD in computer science, Grenoble University.

Gideon Smeding, co-advised by G. Goessler and J. Sifakis since 12/2009, PhD in computer science, Grenoble University.

Vagelis Bebelis, co-advised by P. Fradet and A. Girault, since 12/2011, PhD in computer science, Grenoble University.

Emmanouil Komninos, 02-07/2011, co-advised by Pascal Fradet and Alain Girault, Power consumption optimization of data-flow applications on many-core systems, MSc at KTH.

Gwenaël Delaval teaches algorithmics and programming at Université Joseph Fourier (170h in 2011–2012).