The Spades project-team aims at contributing to meet the challenge of designing and programming dependable embedded systems in an increasingly distributed and dynamic context. Specifically, by exploiting formal methods and techniques, Spades aims to answer three key questions:

How to program open distributed embedded systems as dynamic adaptive modular structures?

How to program reactive systems with real-time and resource constraints?

How to program fault-tolerant and explainable embedded systems?

These questions above are not new, but answering them in the context
of modern embedded systems, which are increasingly distributed, open
and dynamic in nature , makes them more
pressing and more difficult to address: the targeted system properties
– dynamic modularity, time-predictability, energy efficiency, and
fault-tolerance – are largely antagonistic (*e.g.*, having a highly
dynamic software structure is at variance with ensuring that resource
and behavioral constraints are met). Tackling these questions
together is crucial to address this antagonism, and constitutes a key
point of the Spades research program.

A few remarks are in order:

We consider these questions to be central in the construction of future embedded systems, dealing as they are with, roughly, software architecture and the provision of real-time and fault-tolerance guarantees. Building a safety-critical embedded system cannot avoid dealing with these three concerns.

The three questions above are highly connected. For instance, composability along time, resource consumption and reliability dimensions are key to the success of a component-based approach to embedded systems construction.

For us, “Programming” means any constructive process to build a running system. It can encompass traditional programming as well as high-level design or “model-based engineering” activities, provided that the latter are supported by effective compiling tools to produce a running system.

We aim to provide semantically sound programming tools for embedded systems. This translates into an emphasis on formal methods and tools for the development of provably dependable systems.

The SPADES research program is organized around three main themes,
*Design and Programming Models*, *Certified real-time
programming*, and *Fault management and causal analysis*, that
seek to answer the three key questions identified in
Section . We plan to do so by developing and/or
building on programming languages and techniques based on formal
methods and formal semantics (hence the use of *“sound
programming”* in the project-team title). In particular, we seek to
support design where correctness is obtained by construction, relying
on proven tools and verified constructs, with programming languages
and programming abstractions designed with verification in mind.

Work on this theme aims to develop models , languages and tools to support a “correct-by-construction” approach to the development of embedded systems.

On the programming side, we focus on the definition of domain specific programming models and languages supporting static analyses for the computation of precise resource bounds for program executions. We propose dataflow models supporting dynamicity while enjoying effective analyses. In particular, we study parametric extensions where properties such as liveness and boundedness remain statically analyzable.

On the design side, we focus on the definition of component-based models
for software architectures combining distribution, dynamicity, real-time and fault-tolerant
aspects.
Component-based construction has long been advocated as a key approach
to the “correct-by-construction” design of complex embedded
systems . Witness component-based toolsets such
as Ptolemy , BIP , or
the modular architecture frameworks used, for instance, in the
automotive industry (AUTOSAR) . For building large,
complex systems, a key feature of component-based construction is the
ability to associate with components a set of *contracts*, which
can be understood as rich behavioral types that can be composed and
verified to guarantee a component assemblage will meet desired
properties.

Formal models for component-based design are an active area of
research. However, we are
still missing a comprehensive formal model and its associated
behavioral theory able to deal *at the same time* with different
forms of composition, dynamic component structures, and quantitative
constraints (such as timing, fault-tolerance, or energy consumption).

We plan to develop our component theory by progressing on two fronts: a semantical framework and domain-specific programming models. The work on the semantical framework should, in the longer term, provide abstract mathematical models for the more operational and linguistic analysis afforded by component calculi. Our work on component theory will find its application in the development of a Coq-based toolchain for the certified design and construction of dependable embedded systems, which constitutes our first main objective for this axis.

Programming real-time systems (*i.e.*, systems whose correct behavior
depends on meeting timing constraints) requires appropriate languages
(as exemplified by the family of synchronous
languages ), but also the support of
efficient scheduling policies, execution time and schedulability
analyses to guarantee real-time constraints (*e.g.*, deadlines) while
making the most effective use of available (processing, memory, or
networking) resources. Schedulability analysis involves analyzing the
worst-case behavior of real-time tasks under a given scheduling
algorithm and is crucial to guarantee that time constraints are met in
any possible execution of the system. Reactive programming and
real-time scheduling and schedulability for multiprocessor systems are
old subjects, but they are nowhere as mature as their uniprocessor
counterparts, and still feature a number of open research
questions , , in particular in
relation with mixed criticality systems. The main goal in this theme
is to address several of these open questions.

We intend to focus on two issues: multicriteria scheduling on
multiprocessors, and schedulability analysis for real-time
multiprocessor systems. Beyond real-time aspects, multiprocessor
environments, and multicore ones in particular, are subject to several
constraints *in conjunction*, typically involving real-time,
reliability and energy-efficiency constraints, making the scheduling
problem more complex for both the offline and the online
cases. Schedulability analysis for multiprocessor systems, in
particular for systems with mixed criticality tasks, is still very
much an open research area.

Distributed reactive programming is rightly singled out as a major open issue in the recent, but heavily biased (it essentially ignores recent research in synchronous and dataflow programming), survey by Bainomugisha et al. . For our part, we intend to focus on devising synchronous programming languages for distributed systems and precision-timed architectures.

Managing faults is a clear and present necessity in networked embedded systems. At the hardware level, modern multicore architectures are manufactured using inherently unreliable technologies , . The evolution of embedded systems towards increasingly distributed architectures highlighted in the introductory section means that dealing with partial failures, as in Web-based distributed systems, becomes an important issue.

In this axis we intend to address the question of *how to cope
with faults and failures in embedded systems?*. We will tackle this
question by exploiting reversible programming models and by developing
techniques for fault ascription and explanation in component-based
systems.

A common theme in this axis is the use and exploitation of causality
information. Causality, *i.e.*, the logical dependence of an effect on a
cause, has long been studied in disciplines such as
philosophy , natural sciences,
law , and statistics , but it
has only recently emerged as an important focus of research in
computer science. The analysis of logical causality has applications
in many areas of computer science. For instance, tracking and
analyzing logical causality between events in the execution of a
concurrent system is required to ensure
reversibility , to allow the diagnosis of faults
in a complex concurrent system , or to enforce
accountability , that is, designing systems in
such a way that it can be determined without ambiguity whether a
required safety or security property has been violated, and why. More
generally, the goal of fault-tolerance can be understood as being to
prevent certain causal chains from occurring by designing systems such
that each causal chain either has its premises outside of the fault
model (*e.g.*, by introducing redundancy ), or is
broken (*e.g.*, by limiting fault propagation ).

Our applications are in the embedded system area, typically: transportation, energy production, robotics, telecommunications, the Internet of things (IoT), systems on chip (SoC). In some areas, safety is critical, and motivates the investment in formal methods and techniques for design. But even in less critical contexts, like telecommunications and multimedia, these techniques can be beneficial in improving the efficiency and the quality of designs, as well as the cost of the programming and the validation processes.

Industrial acceptance of formal techniques, as well as their
deployment, goes necessarily through their usability by specialists of
the application domain, rather than of the formal techniques
themselves. Hence, we are looking to propose domain-specific (but
generic) realistic models, validated through experience (*e.g.*, control
tasks systems), based on formal techniques with a high degree of
automation (*e.g.*, synchronous models), and tailored for concrete
functionalities (*e.g.*, code generation).

Regarding applications and case studies with industrial end-users of our techniques, we cooperate with Orange Labs on software architecture for cloud services.

*Analysis tool for weakly-hard real-time systems*

Keywords: Real time - Scheduling analyses

Functional Description: pyCPA_TWCA is a pyCPA plugin for Typical Worst-Case Analysis. pyCPA is an open-source Python implementation of Compositional Performance Analysis developed at TU Braunschweig, which allows in particular response-time analysis. pyCPA_TWCA is an extension of that tool that is co-developed by Sophie Quinton and Zain Hammadeh at TU Braunschweig. It allows in particular the computation of weakly-hard guarantees for real-time tasks, i.e. number of deadline misses out of a sequence of executions. So far, pyCPA_TWCA is restricted to uniprocessor systems of independent tasks. pyCPA_TWCA can handle the following scheduling policies: Fixed Priority Preemptive, Fixed Priority Non-Preemptive, Weighted Round-Robin, Earliest Deadline First.

Contact: Sophie Quinton

*Certifier of CAN bus analysis results*

Keywords: Certification - CAN bus - Real time - Static analysis

Functional Description: CertiCAN is a tool, produced using the Coq proof assistant, allowing the formal certification of the correctness of CAN bus analysis results. Result certification is a process that is light-weight and flexible compared to tool certification, which makes it a practical choice for industrial purposes. The analysis underlying CertiCAN, which is based on a combined use of two well-known CAN analysis techniques, is computationally efficient. Experiments demonstrate that CertiCAN is able to certify the results of RTaW-Pegase, an industrial CAN analysis tool, even for large systems. Furthermore, CertiCAN can certify the results of any other RTA tool for the same analysis and system model (periodic tasks with offsets in transactions).

Contact: Xiaojie Guo

The location graph framework we have introduced in has evolved into the Hypercell framework presented in . The Hypercell framework allows the definition of different component models for dynamic software architectures featuring both sharing and encapsulation. The basic behavioral theory of hypercells in the form of a contextual bisimulation has been developed and we are currently developing proofs of correctness for encapsulation policies based on this theory.

In collaboration with the Spirals team at Inria Lille – Nord Europe, and Orange, we have used hypercells as a pivot model for developing interpretations, formally defined with the Alloy specification language, of various languages and formalisms for the description of software configurations for cloud computing environments. Configuration languages considered include the TOSCA and OCCI standards, as well as the Open Stack Heat Orchestration Template (HOT), Docker Compose, and the Aeolus component model for cloud deployment. This work, developed as part of a bilateral contract with Orange, allowed the development of a verification tool for the correctness of HOT configurations, and helped uncover several flaws in the ETSI NFV standard.

Recent dataflow programming environments support applications whose
behavior is characterized by dynamic variations in resource
requirements. The high expressive power of the underlying models (*e.g.*, Kahn Process Networks or the CAL actor language) makes it challenging
to ensure predictable behavior. In particular, checking
*liveness* (*i.e.*, no part of the system will deadlock) and
*boundedness* (*i.e.*, the system can be executed in finite memory)
is known to be hard or even undecidable for such models. This
situation is troublesome for the design of high-quality embedded
systems. In the past few years, we have proposed several parametric
dataflow models of computation (MoCs) , , we have
written a survey providing a comprehensive description of the existing
parametric dataflow MoCs , and we have studied
*symbolic* analyses of dataflow graphs . More
recently, we have proposed an original method to deal with lossy
communication channels in dataflow graphs .

We are nowadays studying models allowing *dynamic reconfigurations* of
the *topology* of the dataflow graphs. This is required by
many modern streaming applications that have a strong need for
reconfigurability, for instance to accommodate changes in the input
data, the control objectives, or the environment.

This is the research topic of Arash Shafiei's PhD, in collaboration with Orange Labs.

Time predictability (PRET) is a topic that emerged in 2007 as a solution to the ever increasing unpredictability of today's embedded processors, which results from features such as multi-level caches or deep pipelines . For many real-time systems, it is mandatory to compute a strict bound on the program's execution time. Yet, in general, computing a tight bound is extremely difficult . The rationale of PRET is to simplify both the programming language and the execution platform to allow more precise execution times to be easily computed .

Within the Caphca project, we have proposed a new approach for predictable inter-core communication between tasks allocated on different cores. Our approach is based on the execution of synchronous programs written in the ForeC parallel programming language on PREcision Timed (hence deterministic) architectures , . The originality resides in the time-triggered model of computation and communication that allows for a very precise control over the thread execution. Synchronization is done via configurable Time Division Multiple Access (TDMA) arbitrations (either physical or conceptual) where the optimal size and offset of the time slots are computed to reduce the inter-core synchronization costs. Results show that our model guarantees time-predictable inter-core communication, the absence of concurrent accesses (without relying on hardware mechanisms), and allows for optimized execution throughput . This is a collaboration with Nicolas Hili and Eric Jenn, the postdoc of Nicolas Hili being funded by the Caphca project.

We have also proposed a *multi-rate* extension of
ForeC . Indeed, up to now ForeC programs
were constrained to operate at a single rate, meaning that all the
parallel threads had to share the same execution rate. While this
simplified the semantics, it also represented a significant
limitation.

Finally, we have extended the compiler of the Pret-C programming language , in order to make it energy aware. Pret-C is a parallel programming language in the same sense as Esterel , meaning that the parallelism is “compiled away”: the Pret-C compiler generates sequential code where the parallel threads from the source program are interleaved according to the synchronous semantics, and produces a classical Control Flow Graph (CFG). This CFG is then turned into a Timed Control Flow Graph (TCFG) by labeling each basic block with the number of clock cycles required to execute it on the chosen processor, based on its micro-architectural characteristics. From the TCFG, we use the method described in Section to compute a Pareto front of non-dominated (worst-case execution time – WCET, worst-case energy consumption – WCEC) compromises.

The use of discrete abstractions for continuous dynamics has become
standard in hybrid systems design (see *e.g.*, and
the references therein). The main advantage of this approach is that
it offers the possibility to leverage controller synthesis techniques
developed in the areas of supervisory control of discrete-event
systems . The first attempts to compute discrete
abstractions for hybrid systems were based on traditional systems
behavioral relationships such as simulation or bisimulation, initially
proposed for discrete systems most notably in the area of formal
methods. These notions require inclusion or equivalence of observed
behaviors which is often too restrictive when dealing with systems
observed over metric spaces. For such systems, a more natural
abstraction requirement is to ask for closeness of observed
behaviors. This leads to the notions of approximate simulation and
bisimulation introduced in .
These approaches are based on sampling of time and space where the
sampling parameters must satisfy some relation in order to obtain
abstractions of a prescribed precision. In particular, the smaller the
time sampling parameter, the finer the lattice used for approximating
the state-space; this may result in abstractions with a very large
number of states when the sampling period is small. However, there
are a number of applications where sampling has to be fast; though
this is generally necessary only on a small part of the state-space.

In previous work we have proposed an approach using mode sequences as symbolic states for our abstractions . By using mode sequences of variable length we are able to adapt the granularity of our abstraction to the dynamics of the system, so as to automatically trade off precision against controllability of the abstract states . We have shown the effectiveness of the approach on examples inspired by road traffic regulation.

In the context of independent real-time sporadic jobs running on a
single-core processor equipped with Dynamic Voltage and Frequency
Scaling (DVFS), we have proposed a Markov Decision Process approach
(MDP) to minimize the energy consumption while guaranteeing that each
job meets its deadline. The idea is to leverage on the
*statistical information* on the jobs' characteristics available
at design time: release time, worst-case execution time (WCET), and
relative deadline. This is the topic of Stephan Plassart's PhD, funded by the
Caserm Persyval project. We have considered several cases depending
on the amount of information available at design time:

In the offline case, all the information
is known and we have proposed the first linear complexity offline
scheduling algorithm that minimizes the total energy
consumption : our complexity is

In the clairvoyant case, the
characteristics of the jobs are only known statistically, and each
job's WCET and relative deadline are only known at release time. We
want to compute the *optimal* online scheduling speed policy
that minimizes the *expected* energy consumption while
guaranteeing that each job meets its deadline. This general
constrained optimization problem can be modeled as an unconstrained
MDP by choosing a proper state space that also encodes the
constraints of the problem. In the finite horizon case we use a
dynamic programming algorithm, while in the infinite horizon case we
use a value iteration algorithm .

In the non-clairvoyant case, the
actual execution time (AET) of a job is only known only when this
job completes its execution. This AET is of course assumed to be
less than the WCET, which is known at the job's release time. Again,
by building an MDP for the system with a well chosen state, we
compute the *optimal* online scheduling speed policy that
minimizes the *expected* energy
consumption .

In the learning case, the only
information known for the jobs are a bound on the jobs' WCETs and a
bound on their deadlines. We have proposed two *reinforcement
learning* algorithms, one that learns the optimal value of the
expected energy (Q-learning), and another one that learns the
probability transition matrix of the system, from which we derive
the optimal online speed policy.

This work led us to compare several existing speed policies with
respect to their feasibility. Indeed, the policies
(OA) , (AVR) , and
(BKP) all assume that the maximal speed

a better understanding of the role played by some assumptions in existing proofs;

a formal verification and comparison of different analysis techniques; and

the certification of results of existing (*e.g.*, industrial) analysis tools.

We have further developed CertiCAN, a tool produced using Coq for the formal certification of CAN analysis results . Result certification is a process that is light-weight and flexible compared to tool certification, which makes it a practical choice for industrial purposes. The analysis underlying CertiCAN is based on a combined use of two well-known CAN analysis techniques . Additional optimizations have been implemented (and proved correct) to make CertiCAN computationally efficient. Experiments demonstrate that CertiCAN is able to certify the results of RTaW-Pegase, an industrial CAN analysis tool, even for large systems.

In addition, we have started investigating how to connect Prosa with implementations and less abstract models. Specifically, we have used Prosa to provide a schedulability analysis proof for RT-CertiKOS, a single-core sequential real-time OS kernel verified in Coq . A connection with a timed-automata based formalization of the CAN specification is also in progress. Our objective with this line of research is to understand and bridge the gap between the abstract models used for real-time systems analysis and actual real-time systems implementation.

Finally, we contributed to a major refactoring of the Prosa library to make it more easily extendable and usable.

We have completed a major work on embedded systems subject to multiple non-functional constraints, by proposing the first of its kind multi-criteria scheduling heuristics for a DAG of tasks onto an homogeneous multi-core chip , . Given an application modeled as a Directed Acyclic Graph (DAG) of tasks and a multicore architecture, we produce a set of non-dominated (in the Pareto sense) static schedules of this DAG onto this multicore. The criteria we address are the execution time, reliability, power consumption, and peak temperature. These criteria exhibit complex antagonistic relations, which make the problem challenging. For instance, improving the reliability requires adding some redundancy in the schedule, which penalizes the execution time. To produce Pareto fronts in this 4-dimension space, we transform three of the four criteria into constraints (the reliability, the power consumption, and the peak temperature), and we minimize the fourth one (the execution time of the schedule) under these three constraints. By varying the thresholds used for the three constraints, we are able to produce a Pareto front of non-dominated solutions. Each Pareto optimum is a static schedule of the DAG onto the multicore. We propose two algorithms to compute static schedules. The first is a ready list scheduling heuristic called ERPOT (Execution time, Reliability, POwer consumption and Temperature). ERPOT actively replicates the tasks to increase the reliability, uses Dynamic Voltage and Frequency Scaling to decrease the power consumption, and inserts cooling times to control the peak temperature. The second algorithm uses an Integer Linear Programming (ILP) program to compute an optimal schedule. However, because our multi-criteria scheduling problem is NP-complete, the ILP algorithm is limited to very small problem instances, namely DAGs of at most 8 tasks. Comparisons showed that the schedules produced by ERPOT are on average only 9% worse than the optimal schedules computed by the ILP program, and that ERPOT outperforms the PowerPerf-PET heuristic from the literature on average by 33%. This is a joint work with Athena Abdi and Hamid Zarandi from Amirkabir University in Tehran, Iran.

In a related line of work, we have considered the bi-criteria minimization problem in the (worst-case execution time – WCET, worst-case energy consumption – WCEC) space for real-time programs. To the best of our knowledge, this is the first contribution of this kind in the literature.

A real-time program is abstracted as a Timed Control Flow Graph
(TCFG), where each basic block is labeled with the number of clock
cycles required to execute it on the chosen processor at the nominal
frequency. This timing information can be obtained, for instance, with
WCET analysis tools. The target processor is equipped with dynamic
voltage and frequency scaling (DVFS) and offers several
(frequency

From the TCFG we extract the longest execution path, therefore
deriving the WCET and the WCEC for a chosen fixed *i.e.*, those not
belonging to the longest path) such that all the other execution paths
have a shorter WCET and a lesser WCEC. A key result is that we
demonstrate that any two frequencies assignment where the two
frequencies are not contiguous is dominated either by a single
frequency assignment or by a two frequencies assignment with
contiguous frequencies. A corollary is that the Pareto front is a
continuous piece-wise affine function. Finally, we generalize these
results to the case where the frequency switching costs are not
negligible. This is the topic of Jia Jie Wang's postdoc.

We evaluate our method and heuristic on a set of hard real time benchmark programs and we show that they perform extremely well. Our DVFS assignment algorithm can also be used as a back-end for the compiler of the Pret-C programming language , in order to make it energy aware, thanks to the ability of this compiler to generate TCFGs (see Section ).

Fault ascription is a precise form of fault diagnosis that relies on counterfactual analysis for pinpointing the causes of system failures. Research on counterfactual causality has been marked, until today, by a succession of definitions of causation that are informally validated against human intuition on mostly simple examples. This approach suffers from its dependence on the tiny number and incompleteness of examples in the literature, and from the lack of objective correctness criteria .

Model-Based Diagnosis of discrete event systems (DES) usually aims at
detecting failures and isolating faulty event occurrences based on a
behavioural model of the system and an observable execution log. The
strength of a diagnostic process is to determine *what*
happened that is consistent with the observations. In order to go a
step further and explain *why* the observed outcome occurred,
we borrow techniques from causal analysis.

In we have presented two constructions of explanations that are able to extract the relevant part of a property violation that can be understood by a human operator. Both support partial observability of events. The first construction is based on minimal sub-sequences of the traces of the log that entail a violation of the property. The second approach is based on a construction of layers similar to , in which the explanation is constructed from the choices that definitely move the system closer to the violation of the property. Both approaches are complementary: while subsequence-based explanations are well suited to “condense” the execution trace in sequential portions of the model but are prone to keep non-pertinent parts such as initialisation sequences in the explanation, effective choice explanations highlight the “fateful” choices in an execution, as well as alternative events that would have helped avoid the outcome. Effective choice explanations are therefore able to explain failures stemming from non-deterministic choices, such as concurrency bugs.

From a more applied point of view we have been investigating, in the context of Sihem Cherrared's PhD thesis, approaches for fault explanation and localization in virtualized networks. In essence, Network Function Virtualization (NFV), widely adopted by the industry and the standardization bodies, is about running network functions as software workloads on commodity hardware to optimize deployment costs and simplify the life-cycle management of network functions. However, it introduces new fault management challenges including dynamic topology and multi-tenant fault isolation.

Finally, in our survey on fault management in network virtualization environments we have addressed the impact of virtualization on fault management, proposed a new classification of the recent fault management research achievements in network virtualization environments, and compared their major contributions and shortcomings.

Inria and Orange Labs have established in 2015 a joint virtual research laboratory, called I/O Lab. We have been heavily involved in the creation of the laboratory and are actively involved in its operation (Jean-Bernard Stefani is one of the two co-directors of the lab). I/O Lab focuses on the network virtualization and cloudification. As part of the work of I/O Lab, we have cooperated with Orange Lab, as part of a cooperative research contract funded by Orange, on defining architectural principles and frameworks for network cloud infrastructures encompassing control and management of computing, storage and network resources.

With Orange:

Fault Management in Multi-Tenant Programmable Networks. This CIFRE grant funds the PhD of Sihem Cherrared.

Dynamic dataflow models of computation. This CIFRE grant funds the PhD of Arash Shafiei.

The Caserm project represents a significant effort towards a Coq-based design method for reconfigurable multi-view embedded systems, in order to formalize the structure and behavior of systems and to prove their main properties. The use of a proof assistant to support such a framework is motivated by the fact that the targeted systems are both extremely complex and critical. The challenges addressed are threefold:

to model software architectures for embedded systems taking into account their dynamicity and multiple constraints (functional as well as non functional);

to propose novel scheduling techniques for dynamically reconfiguring embedded systems; and

to advance the state of the art in automated proving for such systems.

The objectives of Caserm that address these challenges are organized in three tasks. They consist respectively in designing an architecture description framework based on a process calculus, in proposing online optimization methods for dynamic reconfiguration systems (this is the topic of Stephan Plassart's PhD), and in developing a formal framework for real-time analysis in the Coq proof assistant (this is the topic of Xiaojie Guo's and Maxime Lesourd's PhD).

The Caserm consortium gathers researchers from the LIG and Verimag laboratories who are reknowned specialists in these fields. The project started in November 2016 and was completed in November 2019.

In cyber-physical systems (CPS), software interacts with physical processes so as achieve desired functionalities. CPS are usually subject to safety and reliability requirements. Depending on the application, their failure may have unacceptable consequences, it is therefore crucial to ensure their correctness at design time. In addition, explainability of increasingly autonomous CPS is becoming crucial in order for the CPS to be socially acceptable.

The goal of this project is twofold. First, we will investigate a contract-based design approach for safe CPS in which different aspects – such as functional requirements, real-time constraints, and continuous behaviors – are modeled and verified separately. Second, we will leverage the contracts in order to ensure explainability of the system behavior by construction. By explainability we understand, informally, that for any behavior of the system we can automatically construct, from a log generated by the execution, an excerpt that retains only the events that causally contributed to the outcome, and that is easy to understand by a human expert.

The SEC project is supported by the “Initiatives de Recherche Stratégiques (IRS)” program of the IDEX UGA. It funds the PhD thesis of Thomas Mari, who will be co-advised by Gregor Gössler and Thao Dang (Verimag).

RT-proofs is an ANR/DFG project between Inria, MPI-SWS, Onera, TU Braunschweig and Verimag, running from 2018 until 2022.

The overall objective of the RT-proofs project is to lay the foundations for computer-assisted formal verification of timing analysis results. More precisely, the goal is to provide:

a strong formal basis for schedulability, blocking, and response-time analysis supported by the Coq proof assistant, that is as generic, robust, and modular as possible;

correctness proofs for new and well-established generalized response-time analysis results, and a better, precise understanding of the role played by key assumptions and formal connections between competing analysis techniques;

an approach for the generation of proof certificates so that analysis results – in contrast to analysis tools – can be certified.

The results obtained in 2019 in connection with the RT-proofs project are described in Section .

DCore is an ANR project between Inria project teams Antique, Focus and Spades, and the Irif lab, running from 2019 to 2023.

The overall objective of the project is to develop a semantically
well-founded, novel form of concurrent debugging, which we call *causal debugging*, that aims to alleviate the deficiencies of
current debugging techniques for large concurrent software systems.
The causal debugging technology developed by DCore will comprise and
integrate two main novel engines:

*a reversible execution engine* that allows programmers to
backtrack and replay a concurrent or distributed program execution,
in a way that is both precise and efficient (only the exact threads
involved by a return to a target anterior or posterior program state
are impacted);

a *causal analysis engine* that allows programmers to analyze concurrent
executions, by asking questions of the form “what
caused the violation of this program property?”, and that allows for
the precise and efficient investigation of past and potential program executions.

Caphca is a project within the Antoine de Saint Exupéry IRT in Toulouse. The general objective of the project is to provide methods and tools to achieve both performance and determinism on modern, high-performance, multi-core and FPGA-enabled SOCs. Our specific contribution lies withing work packages dedicated to the design of novel PRET architectures and programming languages (see Section ). This contract has yielded two publications so far , .

Program: Celtic-Plus

Project acronym: SENDATE

Project title: Secure Networking for a Data center cloud in Europe

Duration: April 2016 - March 2019

Coordinator: Nokia France

Other partners: Nokia, Orange, IMT, Inria

Abstract: The SENDATE project aims to develop a clean-slate architecture for converged telecommunications networks and distributed data centers supporting 5G cellular networks and the needs from the Industrial Internet and the Internet of Things. It aims to provide scientific and technical solutions for intra and inter data centrers security, control, management and orchestration, placement and management of virtual network functions, as well as high-speed transport networks for data centers access and interconnection.

We have a strong collaboration with the Technische Universität Braunschweig in Germany and the MPI-SWS in Kaiserslautern (Germany) on formal proofs for the analysis real-time systems. This collaboration is formalized by the ANR-PRCI project called RT-proofs started in 2018, which involves MPI-SWS, TU Braunschweig, Inria, and Onera.

Title: Quantitative systems formal verification

International Partner (Institution - Laboratory - Researcher):

CAS (China) - Department of Informatics - Lijun Zhang

Start year: 2019

The general scientific objectives are to extend formal analysis and verification methods such as model checking, process algebra and interactive theorem proving (Coq) to quantitative systems, more specifically probabilistic and quantum computing systems. Application fields include compositional modeling for dynamic real-time probabilistic software architectures and risk analysis. The collaboration will involve active scientists on all these fields not only from Inria and Inst Soft. CAS, but also from CWI, Verimag Grenoble, ECNU Shanghai, and partners of CWI (VU Amsterdam and Twente).

NB: We support the idea of an additional section in future Activity Reports that would be dedicated to actions in connection with our environmental and societal responsibility. We write below content that would fit into it for 2019.

A discussion on computer ethics was scheduled at our last team seminar. There have been several meetings between permanent researchers to discuss how we can better align our research agenda with the current needs of our society. Our discussions cover aspects such as the environmental and societal impact of ICT (Information and Communication Technologies), and more broadly the role that ICT play in our lives, our role as researchers in computer science, etc. These discussions have led us to consider these issues as a research topic that we should investigate in the near future.

Sophie Quinton and Jean-Bernard Stefani contributed to the so-called “MakeSEnS” working group appointed by the CEO of Inria to propose a list of concrete actions that the institute could take to tackle the current environmental crisis .

Sophie Quinton has been mandated by Patrick Gros (Director of the Inria Grenoble – Rhône-Alpes research center) to organize discussions and actions regarding the environmental and societal impact of our research at Inria Grenoble Rhône-Alpes.

Sophie Quinton is a member of the GDS EcoInfo
(https://

Sophie Quinton co-chairs a working group of the GDR CIS associated with
the Center for Internet and Society (http://

Sophie Quinton is part of the scientific committee of the upcoming “COP2
étudiante” (https://

Alain Girault is member of the steering committee of the International Federated Conference on Distributed Computing Techniques (DISCOTEC) and of the ACM International Conference on Embedded Software (EMSOFT).

Gregor Gössler is member of the steering committee of the International Workshop on Causal Reasoning for Embedded and Safety-critical Systems Technologies (CREST).

Jean-Bernard Stefani is the current chair of the steering committee of the IFIP FORTE international conference series, a member of the steering committee of the IFIP DISCOTEC conference series, and the current chair of the IFIP Working Group 6.1.

Alain Girault was co-organizer of the Workshop on Synchronous Programming
(SYNCHRON'19) http://

Gregor Gössler was co-organizer of a Shonan seminar on *Causal
reasoning in systems* https://

Sophie Quinton was the program chair of 31st Euromicro Conference on Real-Time
Systems (ECRTS'19)
https://

Alain Girault served in the program committees of the Forum on specification and Design Languages (FDL'19) and the Conference on Applications of Concurrency to System Design (ACSD'19).

Gregor Gössler served in the program committees of the ACM/IEEE International Conference on Embedded Software (EMSOFT'19), the 26th SPIN Symposium on Model Checking of Software (SPIN'19), the 17th ACM-IEEE International Conference on Formal Methods and Models for System Design (MEMOCODE'19), and the 4th international Workshop on Formal Reasoning about Causation, Responsibility, and Explanations in Science and Technology (CREST'19).

Alain Girault reviewed an article for the International Conference on Fundamental Approaches to Software Engineering (FASE'19).

Sophie Quinton reviewed an article for the ACM International Conference on Embedded Software (EMSOFT'19).

Pascal Fradet reviewed an article for the ACM International Conference on Embedded Software (EMSOFT'19).

Alain Girault is a member of the editorial board of the Journal on Embedded Systems.

Alain Girault reviewed articles for IEEE Transactions on Service Computing (TSC) and for the International Journal on Software Tools for Technology Transfer (STTT).

Gregor Gössler reviewed an article for IEEE Transactions on Automatic Control (TAC).

Sophie Quinton is a member of the ACM SIGBED Executive Committee and Associate Editor of the SIGBED Review.

Pascal Fradet is head of the committee for doctoral studies (“Responsable du comité des études doctorales”) of the Inria Grenoble – Rhône-Alpes research center and local correspondent for the young researchers Inria mission (“Mission jeunes chercheurs”).

Alain Girault is Deputy Scientific Director at Inria in charge of the
domain “Algorithmics, Programming, Software and Architecture”. He
is also Scientific Manager of the Cyber-Physical Systems axis of
the Persyval-Lab labex https://

Xavier Nicollin is member of the committee for computing resources users (“Comité des Utilisateurs des Moyens Informatiques”) of the Inria Grenoble – Rhône-Alpes research center.

Jean-Bernard Stefani is Head of Science (délégué scientifique) of the Inria Grenoble – Rhône-Alpes research center and a member of the Inria Evaluation Committee.

Licence : Pascal Fradet, Théorie des Langages 1 & 2, 36 HeqTD, niveau L3, Grenoble INP (Ensimag), France

Licence : Pascal Fradet, Modèles de Calcul :

Master : Pascal Fradet, Langages et Traducteurs, 16 HeqTD, niveau M1, Polytech Grenoble, Univ. Grenoble Alpes, France

Master : Xavier Nicollin, Analyse de Code pour la Sûreté et la Sécurité, 45 HeqTD, niveau M1, Grenoble INP (Ensimag), France

Licence : Xavier Nicollin, Théorie des Langages 1, 48 HeqTD, niveau L3. Grenoble INP (Ensimag), France

Licence : Xavier Nicollin, Théorie des Langages 2, 37,5 HeqTD, niveau L3, Grenoble INP (Ensimag), France

Licence : Xavier Nicollin, Bases de la Programmation Impérative, 30 HeqTD, niveau L3, Grenoble INP (Ensimag), France

Licence : Sophie Quinton, Théorie des Langages 2, 20 HeqTD, niveau L3, Grenoble INP (Ensimag), France

Master : Sophie Quinton, Performance and Quantitative Properties, 8 HeqTD, MOSIG, Univ. Grenoble Alpes, France

Master: Jean-Bernard Stefani, Formal Aspects of Component Software, 9h, MOSIG, Univ. Grenoble Alpes, France.

PhD in progress: Sihem Cherrared, “Fault Management in Multi-Tenant Programmable Networks”; Univ. Rennes 1; since October 2016; co-advised by Eric Fabre and Gregor Gössler.

PhD in progress: Thomas Mari, “Construction of Safe Explainable Cyber-physical systems”; Grenoble INP; since October 2019; co-advised by Gregor Gössler and Thao Dang.

PhD: Christophe Prévot, “Early Performance assessment for evolving and variable Cyber-Physical Systems”, Univ. Grenoble Alpes; defended on November 15th, 2019; co-advised by Alain Girault and Sophie Quinton.

PhD: Zain A. H. Hammadeh, “Deadline Miss Models for Temporarily Overloaded Systems”, TU Braunschweig; defended on May 28th, 2019; co-advised by Rolf Ernst and Sophie Quinton.

PhD in progress: Stephan Plassart, “On-line optimization in dynamic real-time systems”; Univ. Grenoble Alpes; since September 2016; co-advised by Bruno Gaujal and Alain Girault.

PhD in progress: Xiaojie Guo, “Formal Proofs for the Analysis of Real-Time Systems in Coq”; Univ. Grenoble Alpes; since December 2016; co-advised by Pascal Fradet, Jean-François Monin, and Sophie Quinton.

PhD in progress: Maxime Lesourd, “Generic Proofs for the Analysis of Real-Time Systems in Coq”; Univ. Grenoble Alpes; since September 2017; co-advised by Pascal Fradet, Jean-François Monin, and Sophie Quinton.

PhD in progress: Arash Shafiei, “RDF: A reconfigurable dataflow MoC supporting dynamic topological transformations and static analyzability”; Univ. Grenoble Alpes; since September 2017; co-advised by Pascal Fradet, Alain Girault, and Xavier Nicollin.

PhD in progress: Martin Vassor, “Analysis and types for safe dynamic software reconfigurations”; Univ. Grenoble Alpes; since November 2017; co-advised by Pascal Fradet and Jean-Bernard Stefani.

Internships: Jonathan Julou and Martin Portalier, “Formal proofs for real-time systems analysis”; Ensimag; co-advised by Pascal Fradet, Xiaojie Guo, Maxime Lesourd and Sophie Quinton.

Alain Girault was referee for the Habilitation thesis of Julien De Antoni (Université Côte d'Azur) and was member of the PhD thesis of Pierre Donat-Bouillud (Sorbonne Université). He was also vice-president of the Inria Starting Research Position (SRP) Advanced Research Position (ARP) jurys.

Jean-Bernard Stefani was examiner for the Habilitation (HDR) jury of Thomas Ledoux (Université de Nantes).

Sophie Quinton was a member of the PhD thesis committee of Hugo Daigmorte (Université de Toulouse).

Software is a fundamental pillar of modern scientific research, across all fields and disciplines. However, there is a lack of adequate means to cite and reference software due to the complexity of the problem in terms of authorship, roles and credits. This complexity is further increased when it is considered over the lifetime of a software that can span up to several decades. Building upon the internal experience of Inria, we have provided a contribution to the ongoing efforts in order to develop proper guidelines and recommendations for software citation and reference. Namely, we recommend: (1) a richer taxonomy for software contributions with a qualitative scale; (2) to put humans at the heart of the evaluation; and (3) to distinguish citation from reference . This has been a joint work between Alain Girault and colleagues from Software Heritage (Roberto Di Cosmo), from Inria's Evaluation Committee (Pierre Alliez, Benjamin Guedj, Mohand-Saïd Hacid, Nicolas Rougier), and a specialist in reproducible research (Arnaud Legrand).

Sophie Quinton played the role of one of the experts in the fictional trial of a robot during the Transfo Festival in Grenoble. She also gave a lecture on the design and verification of real-time systems as part of the ISN curriculum for high school teachers.

Alain Girault played the role of one of the experts in the fictional trial of a robot during the Fête de la Science in Grenoble.

All Spades members have contributed to the scenario of an animated movie, commissioned by the communication service of Inria, in order to popularise the research activities of Spades.