The Spades project-team aims at contributing to meet the challenge of designing and programming dependable embedded systems in an increasingly distributed and dynamic context. Specifically, by exploiting formal methods and techniques, Spades aims to answer three key questions:

How to program open networked embedded systems as dynamic adaptive modular structures?

How to program reactive systems with real-time and resource constraints on multicore architectures?

How to program reliable, fault-tolerant embedded systems with different levels of criticality?

These questions above are not new, but answering them in the context
of modern embedded systems, which are increasingly distributed, open
and dynamic in nature , makes them more
pressing and more difficult to address: the targeted system properties
– dynamic modularity, time-predictability, energy efficiency, and
fault-tolerance – are largely antagonistic (*e.g.*, having a highly
dynamic software structure is at variance with ensuring that resource
and behavioral constraints are met). Tackling these questions
together is crucial to address this antagonism, and constitutes a key
point of the Spades research program.

A few remarks are in order:

We consider these questions to be central in the construction of future embedded systems, dealing as they are with, roughly, software architecture and the provision of real-time and fault-tolerance guarantees. Building a safety-critical embedded system cannot avoid dealing with these three concerns.

The three questions above are highly connected. For instance, composability along time, resource consumption and reliability dimensions are key to the success of a component-based approach to embedded systems construction.

For us, “Programming” means any constructive process to build a running system. It can encompass traditional programming as well as high-level design or “model-based engineering” activities, provided that the latter are supported by effective compiling tools to produce a running system.

We aim to provide semantically sound programming tools for embedded systems. This translates into an emphasis on formal methods and tools for the development of provably dependable systems.

The SPADES research program is organized around three main themes,
*Components and contracts*, *Real-time multicore
programming*, and *Language-based fault tolerance*, that seek
to answer the three key questions identified in
Section . We plan to do so by developing and/or
building on programming languages and techniques based on formal
methods and formal semantics (hence the use of *“sound
programming”* in the project-team title). In particular, we seek
to support design where correctness is obtained by construction,
relying on proven tools and verified constructs, with programming
languages and programming abstractions designed with verification in
mind.

Component-based construction has long been advocated as a key approach
to the “correct-by-construction” design of complex embedded
systems . Witness component-based toolsets such
as UC Berkeley's Ptolemy , Verimag's
BIP , or the modular architecture frameworks
used, for instance, in the automotive industry
(AUTOSAR) . For building large, complex systems, a
key feature of component-based construction is the ability to
associate with components a set of *contracts*, which can be
understood as rich behavioral types that can be composed and verified
to guarantee a component assemblage will meet desired properties. The
goal in this theme is to study the formal foundations of the
component-based construction of embedded systems, to develop component
and contract theories dealing with real-time, reliability and
fault-tolerance aspects of components, and to develop
proof-assistant-based tools for the computer-aided design and
verification of component-based systems.

Formal models for component-based design are an active area of
research (see *e.g.*, , ). However, we are
still missing a comprehensive formal model and its associated
behavioral theory able to deal *at the same time* with different
forms of composition, dynamic component structures, and quantitative
constraints (such as timing, fault-tolerance, or energy consumption).
Notions of contracts and interface theories have been proposed to
support modular and compositional design of correct-by-construction
embedded systems (see
*e.g.*, , and
the references therein), but having a comprehensive theory of
contracts that deals with all the above aspects is still an open
question . In particular, it is not clear how to
accomodate different forms of composition, reliability and
fault-tolerance aspects, or to deal with evolving component structures
in a theory of contracts.

Dealing in the same component theory with heterogeneous forms of
composition, different quantitative aspects, and dynamic
configurations, requires to consider together the three elements that
comprise a component model: behavior, structure and types.
*Behavior* refers to behavioral (interaction and execution)
models that characterize the behavior of components and component
assemblages (*e.g.*, transition systems and their multiple variants –
timed, stochastic, etc.). *Structure* refers to the organization
of component assemblages or configurations, and the composition
operators they involve. *Types* refer to properties or contracts
that can be attached to components and component interfaces to
facilitate separate development and ensure the correctness of
component configurations with respect to certain properties. Taking
into account dynamicity requires to establish an explicit link between
behavior and structure, as well as to consider higher-order systems,
both of which have a direct impact on types.

We plan to develop our component theory by progressing on two fronts: component calculi, and semantical framework. The work on typed component calculi aims to elicit process calculi that capture the main insights of component-based design and programming and that can serve as a bridge towards actual architecture description and programming language developments. The work on the semantical framework should, in the longer term, provide abstract mathematical models for the more operational and linguistic analysis afforded by component calculi. Our work on component theory will find its application in the development of a Coq-based toolchain for the certified design and construction of dependable embedded systems, which constitutes our third main objective for this axis.

Programming real-time systems (*i.e.*, systems whose correct behavior
depends on meeting timing constraints) requires appropriate languages
(as exemplified by the family of synchronous
languages ), but also the support of
efficient scheduling policies, execution time and schedulability
analyses to guarantee real-time constraints (*e.g.*, deadlines) while
making the most effective use of available (processing, memory, or
networking) resources. Schedulability analysis involves analyzing the
worst-case behavior of real-time tasks under a given scheduling
algorithm and is crucial to guarantee that time constraints are met in
any possible execution of the system. Reactive programming and
real-time scheduling and schedulability for multiprocessor systems are
old subjects, but they are nowhere as mature as their uniprocessor
counterparts, and still feature a number of open research
questions , , in particular in
relation with mixed criticality systems. The main goal in this theme
is to address several of these open questions.

We intend to focus on two issues: multicriteria scheduling on
multiprocessors, and schedulability analysis for real-time
multiprocessor systems. Beyond real-time aspects, multiprocessor
environments, and multicore ones in particular, are subject to several
constraints *in conjunction*, typically involving real-time,
reliability and energy-efficiency constraints, making the scheduling
problem more complex for both the offline and the online
cases. Schedulability analysis for multiprocessor systems, in
particular for systems with mixed criticality tasks, is still very
much an open research area.

Distributed reactive programming is rightly singled out as a major open issue in the recent, but heavily biased (it essentially ignores recent research in synchronous and dataflow programming), survey by Bainomugisha et al. . For our part, we intend to focus on two questions: devising synchronous programming languages for distributed systems and precision-timed architectures, and devising dataflow languages for multiprocessors supporting dynamicity and parametricity while enjoying effective analyses for meeting real-time, resource and energy constraints in conjunction.

Tolerating faults is a clear and present necessity in networked embedded systems. At the hardware level, modern multicore architectures are manufactured using inherently unreliable technologies , . The evolution of embedded systems towards increasingly distributed architectures highlighted in the introductory section means that dealing with partial failures, as in Web-based distributed systems, becomes an important issue. While fault-tolerance is an old and much researched topic, several important questions remain open: automation of fault-tolerance provision, composable abstractions for fault-tolerance, fault diagnosis, and fault isolation.

The first question is related to the old question of “system
structure for fault-tolerance” as originally discussed by Randell for
software fault tolerance , and concerns in part
our ability to clearly separate fault-tolerance aspects from the
design and programming of purely “functional” aspects of an
application. The classical arguments in favor of a clear separation of
fault-tolerance concerns from application code revolve around reduced
code and maintenance complexity . The second
question concerns the definition of appropriate abstractions for the
modular construction of fault-tolerant embedded systems. The current
set of techniques available for building such systems spans a wide
range, including exception handling facilities, transaction management
schemes, rollback/recovery schemes, and replication protocols.
Unfortunately, these different techniques do not necessarily compose
well – for instance, combining exception handling and transactions is
non trivial, witness the flurry of recent work on the topic, see
*e.g.*, and the references therein –, they have
no common semantical basis, and they suffer from limited programming
language support. The third question concerns the identification of
causes for faulty behavior in component-based assemblages. It is
directly related to the much researched area of fault diagnosis, fault
detection and isolation .

We intend to address these questions by leveraging programming
language techniques (programming constructs, formal semantics, static
analyses, program transformations) with the goal to achieve provable
fault-tolerance, *i.e.*, the construction of systems whose
fault-tolerance can be formally ensured using verification tools and
proof assistants. We aim in this axis to address some of the issues
raised by the above open questions by using aspect-oriented
programming techniques and program transformations to automate the
inclusion of fault-tolerance in systems (software as well as
hardware), by exploiting reversible programming models to investigate
composable recovery abstractions, and by leveraging causality analyses
to study fault-ascription in component-based systems. Compared to the
huge literature on fault-tolerance in general, in particular in the
systems area (see *e.g.*, for an interesting but
not so recent survey), we find by comparison much less work exploiting
formal language techniques and tools to achieve or support
fault-tolerance. The works reported
in , , , , , ,
provide a representative sample of recent such works.

A common theme in this axis is the use and exploitation of causality
information. Causality, *i.e.*, the logical dependence of an effect on a
cause, has long been studied in disciplines such as
philosophy , natural sciences,
law , and statistics , but it
has only recently emerged as an important focus of research in
computer science. The analysis of logical causality has applications
in many areas of computer science. For instance, tracking and
analyzing logical causality between events in the execution of a
concurrent system is required to ensure
reversibility , to allow the diagnosis of faults
in a complex concurrent system , or to enforce
accountability , that is, designing systems in
such a way that it can be determined without ambiguity whether a
required safety or security property has been violated, and why. More
generally, the goal of fault-tolerance can be understood as being to
prevent certain causal chains from occurring by designing systems such
that each causal chain either has its premises outside of the fault
model (*e.g.*, by introducing redundancy ), or is
broken (*e.g.*, by limiting fault propagation ).

Our applications are in the embedded system area, typically: transportation, energy production, robotics, telecommunications, the Internet of things (IoT), systems on chip (SoC). In some areas, safety is critical, and motivates the investment in formal methods and techniques for design. But even in less critical contexts, like telecommunications and multimedia, these techniques can be beneficial in improving the efficiency and the quality of designs, as well as the cost of the programming and the validation processes.

Industrial acceptance of formal techniques, as well as their
deployment, goes necessarily through their usability by specialists of
the application domain, rather than of the formal techniques
themselves. Hence, we are looking to propose domain-specific (but
generic) realistic models, validated through experience (*e.g.*, control
tasks systems), based on formal techniques with a high degree of
automation (*e.g.*, synchronous models), and tailored for concrete
functionalities (*e.g.*, code generation).

The commercially available design tools (such as UML with real-time
extensions, Matlab/ Simulink/
dSpace

Regarding the synchronous approach, commercial tools are available:
Scade

Regarding applications and case studies with industrial end-users of our techniques, we cooperate with Thales on schedulability analysis for evolving or underspecified real-time embedded systems, with Orange Labs on software architecture for cloud services and with Daimler on reduction of nondeterminism and analysis of deadline miss models for the design of automotive systems.

Functional Description: We are developing pyCPA_TCA , a pyCPA plugin for Typical Worst-Case Analysis as described in Section. pyCPA is an open-source Python implementation of Compositional Performance Analysis developed at TU Braunschweig, which allows in particular response-time analysis. pyCPA_TCA is an extension of this tool that is co-developed by Sophie Quinton and Zain Hammadeh at TU Braunschweig. It allows in particular the computation of weakly-hard guarantees for real-time tasks, i.e. number of deadline misses out of a sequence of executions. So far, pyCPA_TCA is restricted to uniprocessor systems of independent tasks, scheduled according to static priority scheduling.

Contact: Sophie Quinton

*Coq proofs of circuit transformations for fault-tolerance*

Keywords: Fault-tolerance - Transformation - Coq - Semantics

Functional Description: We have been developing a Coq-based framework to formally verify the functional and fault-tolerance properties of circuit transformations. Circuits are described at the gate level using LDDL, a Low-level Dependent Description Language inspired from muFP. Our combinator language, equipped with dependent types, ensures that circuits are well-formed by construction (gates correctly plugged, no dangling wires, no combinational loops, . . . ). Faults like Single-Event Upsets (SEUs) (i.e., bit-flips in flipflops) and SETs (i.e., glitches propagating in the combinational circuit) and fault-models like "at most 1 SEU or SET within n clock cycles" are described in the operational semantics of LDDL. Fault-tolerance techniques are described as transformations of LDDL circuits.

The framework has been used to prove the correctness of three fault-tolerance techniques: TMR, TTR and DTR. The size of specifications and proofs for the common part (LDDL syntax and semantics, libraries) is 5000 lines of Coq (excluding comments and blank lines), 700 for TMR, 3500 for TTR and 7000 for DTR.

Authors: Pascal Fradet and Dmitry Burlyaev

Contact: Pascal Fradet

We address the issue of change during design and after deployment in
safety-critical embedded system applications, in collaboration with
Thales and also in the context of the CCC project
(http://

In collaboration with Thales, we mostly focus on timing aspects with the objective to anticipate, at design time, future software evolutions and identify potential schedulability bottlenecks. This year we have paved the way for an extension, to more complex systems, of the approach developed last year to quantify the flexibility of a system with respect to timing. Specifically, we have focused on systems with task chains, and have proposed new methods for computing upper and lower bounds on task chain latencies. This work will be submitted to a conference early 2018. Our methods are also being implemented in the Thales tool chain, in order to be used in industry.

The design of configurable systems can be streamlined and made more systematic by adopting a component-based structure, as demonstrated with the Fractal component model . However, the formal foundations for configurable component-based systems, featuring higher-order capabilities where components can be dynamically instantiated and passivated, and non-hierarchical structures where components can be contained in different composites at the same time, are still an open topic. We have recently introduced the location graph model , where components are understood as graphs of locations hosting higher-order processes, and where component structures can be arbitrary graphs.

We have continued the development of location graphs, revisiting the underlying structural model (hypergraphs instead of graphs), and simplifying its operational semantics while preserving the model expressivity. Towards the development of a behavioral theory of location graphs, we have defined different notions of bisimilarity for location graphs and shown them to be congruences, although a fully fledged co-inductive characterization of contextual equivalence for location graphs is still in the works. This work has not yet been published.

Recent dataflow programming environments support applications whose
behavior is characterized by dynamic variations in resource
requirements. The high expressive power of the underlying models (*e.g.*, Kahn Process Networks or the CAL actor language) makes it challenging
to ensure predictable behavior. In particular, checking
*liveness* (*i.e.*, no part of the system will deadlock) and
*boundedness* (*i.e.*, the system can be executed in finite memory)
is known to be hard or even undecidable for such models. This
situation is troublesome for the design of high-quality embedded
systems. In the past few years, we have proposed several parametric dataflow
models of computation.

We have written a survey that provides a comprehensive description of the existing parametric dataflow MoCs (constructs, constraints, properties, static analyses) and compares them using a common example . The main objectives are to help designers of streaming applications to choose the most suitable model for their needs and to pave the way for the design of new parametric MoCs.

We have proposed an original method to deal with lossy communication channels in dataflow graphs. Lossy channels intrinsically violate the dataflow model of computation. Yet, many real-life applications encounter some form of lossy channels, for instance IoT applications. The challenge that is raised is how to manage the retransmissions in case of lost or corrupted tokens. The solution that we have proposed involves decomposing the execution of the dataflow graph into three phases: (i) an upstream phase where all the actors before the lossy channel are executed as usual; (ii) a lossy phase where only the two actors linked by the lossy channel are executed, as many times as required until all the tokens are correctly transmitted; and (iii) a downstream phase where all the actors after the lossy channel are executed as usual. When a graph includes several lossy channels, things become more complex. We rely on the Boolean parameters of BPDF to encode enabling conditions on channels so that the execution follows this upstream-lossy-downstream semantics .

We are now studying models allowing
dynamic reconfigurations of the *topology* of the dataflow graphs.
This would be of interest for C-RAN and 5G telecommunication applications.
This is one of the research topic of Arash Shafiei's PhD in collaboration with Orange Labs.

The use of discrete abstractions for continuous dynamics has become
standard in hybrid systems design (see *e.g.*, and
the references therein). The main advantage of this approach is that
it offers the possibility to leverage controller synthesis techniques
developed in the areas of supervisory control of discrete-event
systems . The first attempts to compute discrete
abstractions for hybrid systems were based on traditional systems
behavioral relationships such as simulation or bisimulation, initially
proposed for discrete systems most notably in the area of formal
methods. These notions require inclusion or equivalence of observed
behaviors which is often too restrictive when dealing with systems
observed over metric spaces. For such systems, a more natural
abstraction requirement is to ask for closeness of observed
behaviors. This leads to the notions of approximate simulation and
bisimulation introduced in .

These approaches are based on sampling of time and space where the sampling parameters must satisfy some relation in order to obtain abstractions of a prescribed precision. In particular, the smaller the time sampling parameter, the finer the lattice used for approximating the state-space; this may result in abstractions with a very large number of states when the sampling period is small. However, there are a number of applications where sampling has to be fast; though this is generally necessary only on a small part of the state-space. We have been exploring two approaches to overcome this state-space explosion .

We are currently investigating an approach using mode sequences of given length as symbolic states for our abstractions. By using mode sequences of variable length we are able to adapt the granularity of our abstraction to the dynamics of the system, so as to automatically trade off precision against controllability of the abstract states.

We focus on the problem of computing tight deadline miss models for real-time systems, which bound the number of potential deadline misses in a given sequence of activations of a task. In practical applications, such guarantees are often sufficient because many systems are in fact not hard real-time .

We have developed an extension of sensitivity analysis for budgeting
in the design of weakly-hard real-time systems . During
design, it often happens that some parts of a task set are fully
specified while other parameters, *e.g.*, regarding recovery or
monitoring tasks, will be available only much later. In such cases,
sensitivity analysis can help anticipate how these missing parameters
can influence the behavior of the whole system so that a resource
budget can be allocated to them. We have developed an extension of
sensitivity analysis for deriving task budgets for systems with hard
and weakly-hard requirements. This approach has been validated on
synthetic test cases and a realistic case study given by our partner
Thales.

A second contribution in this area is the application of our method for computing deadline miss models, called Typical Worst-Case Analysis (TWCA), to systems with finite queue capacity . Finite ready queues, implemented by buffers, are a system reality in embedded real-time computing systems and networks. The dimensioning of queues is subject to constraints in industrial practice, and often the queue capacity is sufficient for typical system behavior, but is not sufficient in peak overload conditions. This may lead to overflow and consequently to the discarding of jobs. In this paper, we explore whether finite queue capacity can also be used as a mean of design in order to reduce workload peaks and thus shorten a transient overload phase. We have proposed an analysis method which is to the best of our knowledge the first one able to give (a) worst-case response times guarantees as well as (b) weakly-hard guarantees for tasks which are executed on a computing system with finite queues. Experimental results show that finite queue capacity may only have weak overload limiting effect. This unexpected outcome can be explained by the system behavior in the worst-case corner cases. The analysis shows nevertheless that a trade-off between weakly-hard guarantees and queue sizes is possible.

Finally, in collaboration with TU Braunschweig and Daimler we have worked on the application of the Logical Execution Time (LET) paradigm, according to which data are read and written at predefined time instants, to the automotive industry. Specifically, we have bridged the gap between LET, as it was originally proposed , and its current use in the automotive industry. One interesting outcome of this research is that it can nicely be combined with the use of TWCA. This work has not been published yet.

In the context of independent real-time sporadic jobs running on a
single-core processor equipped with Dynamic Voltage and Frequency
Scaling (DVFS), we have proposed a Markov Decision Process approach
(MDP) to compute the scheduling policy that dynamically chooses the
voltage and frequency level of the processor such that each job meets
its deadline and the total energy consumption is minimized. We
distinguish two cases: the finite case (there is a fixed time horizon)
and the infinite case. In the finite case, several *offline*
solutions exist, which all use the complete knowledge of all the jobs
that will arrive within the time horizon , *i.e.*, their
size and deadlines. But clearly this is unrealistic in the embedded
context where the characteristics of the jobs are not known in
advance. Then, an optimal offline policy called Optimal Available (OA)
has been proposed in . Our goal was to improve this
result by taking into account the *statistical characteristics* of the
upcoming jobs. When such information is available (for instance by
profiling the jobs based on execution traces), we have proposed
several speed policies that optimize the *expected* energy
consumption. We have shown that this general constrained optimization
problem can be modeled as an unconstrained MDP by choosing a proper
state space that also encodes the constraints of the problem. In
particular, this implies that the optimal speed at each time can be
computed using a *dynamic programming* algorithm, and that the
optimal speed at any time

We have started to lay the foundations for computer-assisted formal verification of schedulability analysis results. Specifically, we contribute to Prosa , a foundational Coq library of reusable concepts and proofs for real-time schedulability analysis. A key scientific challenge is to achieve a modular structure of proofs for response time analysis. We intend to use this library for:

a better understanding of the role played by some assumptions in existing proofs;

a formal comparison of different analysis techniques; and

the verification of proof certificates generated by instrumenting (existing and efficient) analysis tools.

Two schedulability analyses for uniprocessor systems have been formalized and mechanically verified in Coq for:

sporadic task sets scheduled according to the Time Division Multiple Access (TDMA) policy.

periodic task sets with offsets scheduled according to the Fixed Priority Preemptive (FPP) policy .

The analysis for TDMA has mainly served to familiarize ourselves with the Prosa library. Schedulability analysis in presence of offsets is a non-trivial problem with a high computational complexity. In contrast to the traditional (offset oblivious) analysis, many scenarios must be tested and compared to identify which one represents the worst-case scenario. We have formalized and proved in Coq the basic analysis presented by Tindell . This has allowed us to: (1) underline implicit assumptions made in Tindell’s informal analysis; (2) ease the generalization of the verified analysis; (3) generate a certifier and an analyzer. We are investigating these two tools in terms of computational complexity and implementation effort, in order to provide a good solution to guarantee schedulability of industrial systems.

In parallel, we have worked on a Coq formalization of Typical Worst
Case Analysis (TWCA). We aim to provide certified generic results for
weakly-hard real-time systems in the form of *e.g.*, bounded buffers) and providing
instantiations of our results for other scheduling policies.

The failure of one component may entail a cascade of failures in other components; several components may also fail independently. In such cases, elucidating the exact scenario that led to the failure is a complex and tedious task that requires significant expertise.

The notion of causality *(did an event $e$ cause an event ${e}^{\text{'}}$?)*
has been studied in many disciplines, including philosophy, logic,
statistics, and law. The definitions of causality studied in these
disciplines usually amount to variants of the counterfactual test
“

In we have discussed several shortcomings
of existing approaches to counterfactual causality from the computer
science perspective, and sketched lines of work to try and overcome
these issues. In particular, research on counterfactual causality
analysis has been marked, since its early days, by a succession of
definitions of causality that are informally (in)validated against
human intuition on mostly simple examples, see
*e.g.*, , . We call
this approach TEGAR, *textbook example guided analysis
refinement*. As pointed out in , it
suffers from its dependence on the tiny number and incompleteness of
examples in the literature, and from the lack of stability of the intuitive
judgments against which the definitions are validated. We have argued
that we need a formalization of counterfactual causality based on *first principles*, in the sense that causality definitions should
not be driven by individual examples but constructed from a set of
precisely specified requirements. Example of such requirements are
robustness of causation under equivalence of models, and well-defined
behavior under abstraction and refinement. To the best of our
knowledge, none of the existing causality analysis techniques provides
sufficient guarantees in this regard.

We are currently working on a revised version of our general semantic
framework for fault ascription in that
satisfies a set of formally stated requirements, and on its
instantiation to acyclic models of computation, in order to compare
our approach with the standard definition of *actual causality*
proposed by Halpern and Pearl.

We have continued our work on multi-criteria scheduling, in two
directions. First, in the context of dynamic applications that are
launched and terminated on an embedded homogeneous multi-core chip,
under execution time and energy consumption constraints, we have
proposed a two layer adaptive scheduling
method . In the first layer, each
application (represented as a DAG of tasks) is scheduled statically on
subsets of cores: 2 cores, 3 cores, 4 cores, and so on. For each size
of these sets (2, 3, 4, ...), there may be only one topology or
several topologies. For instance, for 2 or 3 cores there is only one
topology (a “line”), while for 4 cores there are three distinct
topologies (“line”, “square”, and “T shape”). Moreover, for each
topology, we generate statically several schedules, each one subject
to a different total energy consumption constraint, and consequently
with a different Worst-Case Reaction Time (WCRT). Coping with the
energy consumption constraints is achieved thanks to Dynamic Frequency
and Voltage Scaling (DVFS). In the second layer, we use these
pre-generated static schedules to reconfigure dynamically the
applications running on the multi-core each time a new application is
launched or an existing one is stopped. The goal of the second layer
is to perform a dynamic global optimization of the configuration, such
that each running application meets a pre-defined quality-of-service
constraint (translated into an upper bound on its WCRT) and such that
the total energy consumption be minimized. For this, we *(i)*
allocate a sufficient number of cores to each active application,
*(ii)* allocate the unassigned cores to the applications yielding
the largest gain in energy, and *(iii)* choose for each
application the best topology for its subset of cores (*i.e.*, better than
the by default “line” topology). This is a joint work with Ismail Assayad (U. Casablanca, Morocco) who visits the team regularly.

Second, we have proposed the first of its kind multi-criteria
scheduling heuristics for a DAG of tasks onto an homogeneous
multi-core chip, optimizing the execution time, the reliability, the
power consumption, and the temperature. Specifically, we have worked
on the static scheduling minimizing the execution time of the
application under the multiple constraints that the reliability, the
power consumption, and the temperature remain below some given
thresholds. There are multiple difficulties: *(i)* the
reliability is not an invariant measure w.r.t. time, which makes it
impossible to use backtrack-free scheduling algorithms such as list
scheduling ; to overcome this, we adopt instead the
Global System Failure Rate (GSFR) as a measure of the system's
reliability, which is invariant with time ;
*(ii)* keeping the power consumption under a given threshold
requires to lower the voltage and frequency, but this has a negative
impact both on the execution time and on the GSFR; keeping the GSFR
below a given threshold requires to replicate the tasks on multiple
cores, but this has a negative impact both on the execution time, on
the power consumption, and on the temperature; *(iii)* keeping
the temperature below a given threshold is even more difficult because
the temperature continues to increase even after the activity stops,
so each scheduling decision must be assessed not based on the current
state of the chip (*i.e.*, the temperature of each core) but on the state
of the chip at the end of the candidate task, and cooling slacks must
be inserted. We have proposed a multi-criteria scheduling heuristics
to address these challenges. It produces a static schedule of the
given application graph and the given architecture description, such
that the GSFR, power, and temperature thresholds are satisfied, and
such that the execution time is minimized. We then combine our
heuristic with a variant of the

Reversible concurrent models of computation provide natively what appears to be very fine-grained checkpoint and recovery capabilities. We have made this intuition clear by formally comparing a distributed algorithm for checkpointing and recovery based on causal information, and the distributed backtracking algorithm that lies at the heart of our reversible higher-order pi-calculus. We have shown that (a variant of) the reversible higher-order calculus with explicit rollback can faithfully encode a distributed causal checkpoint and recovery algorithm. The reverse is also true but under precise conditions, which restrict the ability to rollback a computation to an identified checkpoint. This work has currently not been published.

Inria and Orange Labs have established in 2015 a joint virtual research laboratory, called I/O Lab. We have been heavily involved in the creation of the laboratory and are actively involved in its operation (Jean-Bernard Stefani is one of the two co-directors of the lab). I/O Lab focuses on the network virtualization and cloudification. As part of the work of I/O Lab, we have cooperated with Orange Lab, as part of a cooperative research contract funded by Orange, on defining architectural principles and frameworks for network cloud infrastructures encompassing control and management of computing, storage and network resources.

With Daimler (subcontracting via iUTBS): We have bridged the gap between LET as it was originally proposed and its current use in the automotive industry.

With Thales: Early Performance assessment for evolving and variable Cyber-Physical Systems. This CIFRE grant funds the PhD of Christophe Prévot.

With Orange: Programming IoT and sofware defined radio with dynamic dataflow models of computation. This CIFRE grant funds the PhD of Arash Shafiei.

Despite recent advances, there exists currently no integrated formal methods and tools for the design and analysis of reconfigurable multi-view embedded systems. This is the goal of the Caserm project.

The Caserm project represents a significant effort towards a Coq-based design method for reconfigurable multi-view embedded systems, in order to formalize the structure and behavior of systems and to prove their main properties. The use of a proof assistant to support such a framework is motivated by the fact that the targeted systems are both extremely complex and critical. The challenges addressed are threefold:

to model software architectures for embedded systems taking into account their dynamicity and multiple constraints (functional as well as non functional);

to propose novel scheduling techniques for dynamically reconfiguring embedded systems; and

to advance the state of the art in automated proving for such systems.

The objectives of Caserm that address these challenges are organized in three tasks. They consist respectively in designing an architecture description framework based on a process calculus, in proposing online optimization methods for dynamic reconfiguration systems (this is the topic of Stephan Plassart's PhD), and in developing a formal framework for real-time analysis in the Coq proof assistant (this is the topic of Xiaojie Guo's and Maxime Lesourd's PhD). A fourth task focuses on common case studies for the evaluation of the obtained results.

The Caserm consortium gathers researchers from the G-Scop, LIG and Verimag laboratories who are reknown specialists in these fields. The project started in November 2016 and will last three years.

An ANR-PRCI project called RT-PROOFS will start in 2018, which involves the Spades project-team, MPI-SWS, TU Braunschweig, and Onera.

We have a strong collaboration with the Technische Universität
Braunschweig in Germany. In particular, Sophie Quinton is involved in the CCC
project (http://

We also have a recent collaboration with the MPI-SWS in Kaiserslautern (Germany) on formal proofs for real-time systems. This collaboration will be concretized by an ANR-PRCI project called RT-PROOFS starting in 2018, which involves MPI-SWS, TU Braunschweig, Inria, and Onera.

Title: Causality Analysis for Safety-Critical Embedded Systems

International Partner (Institution - Laboratory - Researcher):

University of Pennsylvania (United States) - PRECISE center - Oleg Sokolsky

Start year: 2015

See also: https://

Today's embedded systems become more and more complex, while an increasing number of safety-critical functions rely on them. Determining the cause(s) of a system-level failure and elucidating the exact scenario that led to the failure is today a complex and tedious task that requires significant expertise. The CAUSALYSIS project will develop automated approaches to causality analysis on execution logs.

Alain Girault is member of the steering committee of the International Federated Conference on Distributed Computing Techniques (DISCOTEC) and of the ACM International Conference on Embedded Software (EMSOFT).

Gregor Gössler is member of the steering committee of the International Workshop on Causal Reasoning for Embedded and Safety-critical Systems Technologies (CREST).

Sophie Quinton was part of the organization committee of the 25th International Conference on Real-Time Networks and Systems (RTNS'17).

Sophie Quinton was co-chair of the 2nd Tutorial on Tools for Real-Time
Systems (TuToR'17), held as a satellite event of
RTSS'17. http://

Sophie Quinton was co-organizer of a tutorial entitled “Multicore
Architectures in the Automotive Industry: Existing Solutions,
Current Problems and Future Challenges” at
ESWeek'17. http://

Sophie Quinton was the organizer of a industry panel entitled “Beyond the
Deadline: New Interfaces Between Control and Scheduling for the
Design and Analysis of Critical Embedded Systems” at
ESWeek'17. https://

Alain Girault was co-chair of the track “Model-based Design and Verification for Embedded Systems” of the Design Automation and Test in Europe Conference (DATE'17, track E3).

Sophie Quinton was co-chair of the 8th International Workshop on Analysis
Tools and Methodologies for Embedded and Real-time Systems
(WATERS'17), held as a satellite event of ECRTS'17.
http://

Alain Girault served in the program committees of the Symposium on Industrial Embedded Systems (SIES'17) and the Forum on specification and Design Languages (FDL'17).

Gregor Gössler served in the program committees of the 15th ACM-IEEE International Conference on Formal Methods and Models for System Design (MEMOCODE'17) and the 2nd international Workshop on Causal Reasoning for Embedded and Safety-critical Systems Technologies (CREST'17).

Sophie Quinton served in the program committees of the 29th Euromicro Conference on Real-Time Systems (ECRTS'17) and the ACM SIGBED International Conference on Embedded Software (EMSOFT'17).

Alain Girault is a member of the editorial board of the Journal on Embedded Systems.

Alain Girault reviewed articles for IEEE Embedded Systems Letters (ESL), Microprocessors and Microsystems, IEEE Trans. on Industrial Informatics (TII), and ACM Trans. on Embedded Computing Systems (TECS).

Gregor Gössler reviewed articles for Formal Methods in System Design (FMSD) and Engineering Applications of Artificial Intelligence (EAAI).

Pascal Fradet is head of the committee for doctoral studies (“Responsable du comité des études doctorales”) of the Inria Grenoble – Rhône-Alpes research center and local correspondent for the young researchers Inria mission (“Mission jeunes chercheurs”).

Alain Girault is vice-chair of the Inria Evaluation Committee.

Licence : Pascal Fradet, Théorie des Langages 1 & 2, 36 HeqTD, niveau L3, Grenoble INP (Ensimag), France

Licence : Pascal Fradet, Modèles de Calcul :

Master : Pascal Fradet, Langages et Traducteurs, 16 HeqTD, niveau M1, Polytech Grenoble, Univ. Grenoble Alpes, France

Licence : Gregor Gössler, Théorie des Langages 2, 36 HeqTD, niveau L3, Grenoble INP (Ensimag), France

Master : Xavier Nicollin, Sémantique et Analyse des Programmes, 45 HeqTD, niveau M1, Grenoble INP (Ensimag), France

Licence : Xavier Nicollin, Théorie des Langages 2, 36 HeqTD, niveau L3, Grenoble INP (Ensimag), France

Licence : Xavier Nicollin, Bases de la Programmation Impérative, 81 HeqTD (2016-2017), niveau L3, Grenoble INP (Ensimag), France

Licence : Sophie Quinton, Théorie des Langages 2, 18 HeqTD, niveau L3, Grenoble INP (Ensimag), France

Master : Sophie Quinton, Performance and Quantitative Properties, 6h, MOSIG, Univ. Grenoble Alpes, France

PhD in progress: Sihem Cherrared, “Fault Management in Multi-Tenant Programmable Networks”, Univ. Rennes 1, since October 2016, co-advised by Eric Fabre and Gregor Gössler.

PhD in progress: Christophe Prévot, “Early Performance assessment for evolving and variable Cyber-Physical Systems”, Univ. Grenoble Alpes, since November 2015, co-advised by Alain Girault and Sophie Quinton.

PhD in progress: Stephan Plassart, “On-line optimization in dynamic real-time systems”, Univ. Grenoble Alpes, since September 2016, co-advised by Bruno Gaujal and Alain Girault.

PhD in progress: Xiaojie Guo, “Formal Proofs for the Analysis of Real-Time Systems in Coq”, Univ. Grenoble Alpes, since December 2016, co-advised by Pascal Fradet, Jean-François Monin, and Sophie Quinton.

PhD in progress: Maxime Lesourd, “Generic Proofs for the Analysis of Real-Time Systems in Coq”, Univ. Grenoble Alpes, since September 2017, co-advised by Pascal Fradet, Jean-François Monin, and Sophie Quinton.

PhD in progress: Arash Shafiei, “Programming IoT and sofware defined radio with dynamic dataflow models of computation”, Univ. Grenoble Alpes, since September 2017, co-advised by Pascal Fradet, Alain Girault, and Xavier Nicollin.

PhD in progress: Martin Vassor, “Analysis and types for safe dynamic software reconfigurations”, Univ. Grenoble Alpes, since November 2017, co-advised by Pascal Fradet and Jean-Bernard Stefani.

M2 MOSIG: Leila Jamshidian Sales, “Towards a Dataflow Model of Computation (MoC) for Internet of Things (IoT)”, Univ. Grenoble Alpes and Grenoble INP, September 2017, co-supervised by Pascal Fradet, Alain Girault, and Xavier Nicollin.

M2 MOSIG: Ebrahim Naeimimoshirian, “Hierarchical actor model with encapsulation”, Univ. Grenoble Alpes and Grenoble INP, September 2017, co-supervised by Xavier Nicollin and Jean-Bernard Stefani.

Alain Girault was examiner for the PhD jury of Maalej Maroua (ENS-Lyon) and president for the PhD jury of Aurélien Cavelan (ENS-Lyon).

Sophie Quinton was member of the PhD jury of Antoine Blin (U. Pierre et Marie Curie à Paris).