

INSTITUT NATIONAL DE RECHERCHE EN INFORMATIQUE ET EN AUTOMATIQUE

# Project-Team VASY

Validation of Systems

Rhône-Alpes



## ${\bf Contents}$

| 1        | Tea  | Team 3                                  |            |  |  |  |  |
|----------|------|-----------------------------------------|------------|--|--|--|--|
| <b>2</b> | Ove  | erall Objectives                        | 4          |  |  |  |  |
|          | 2.1  | Introduction                            | 4          |  |  |  |  |
|          | 2.2  | Models and Verification Techniques      | 4          |  |  |  |  |
|          | 2.3  | Languages and Compilation Techniques    | 5          |  |  |  |  |
|          | 2.4  | Implementation and Experimentation      | 6          |  |  |  |  |
|          | 2.1  |                                         | O          |  |  |  |  |
| 3        | App  | olication Domains                       | 6          |  |  |  |  |
| 4        | Soft | ware                                    | 7          |  |  |  |  |
|          | 4.1  | The CADP Toolbox                        | 7          |  |  |  |  |
|          | 4.2  | The TRAIAN Compiler                     | 9          |  |  |  |  |
| 5        | New  | v Results                               | 10         |  |  |  |  |
| •        | 5.1  |                                         | 10         |  |  |  |  |
|          | 0.1  | 1                                       | 10         |  |  |  |  |
|          |      |                                         | 11         |  |  |  |  |
|          |      |                                         | 12         |  |  |  |  |
|          |      |                                         | 13         |  |  |  |  |
|          |      |                                         | 13         |  |  |  |  |
|          |      | 1                                       |            |  |  |  |  |
|          |      |                                         | 14         |  |  |  |  |
|          | - 0  | *                                       | 16         |  |  |  |  |
|          | 5.2  |                                         | 17         |  |  |  |  |
|          |      | •                                       | 17         |  |  |  |  |
|          |      | 1                                       | 17         |  |  |  |  |
|          |      | 0 0                                     | 18         |  |  |  |  |
|          | 5.3  | Case Studies and Practical Applications | 21         |  |  |  |  |
| 6        |      | v                                       | <b>25</b>  |  |  |  |  |
|          | 6.1  |                                         | 25         |  |  |  |  |
|          | 6.2  | J                                       | 26         |  |  |  |  |
|          | 6.3  | ı                                       | 27         |  |  |  |  |
|          | 6.4  | The Topcased Project                    | 27         |  |  |  |  |
|          | 6.5  | Forthcoming Projects                    | 28         |  |  |  |  |
| 7        | Oth  | er Grants and Activities                | <b>2</b> 8 |  |  |  |  |
|          | 7.1  | National Collaborations                 | 28         |  |  |  |  |
|          | 7.2  | International Collaborations            | 29         |  |  |  |  |
|          | 7.3  | Visits and Invitations                  | 29         |  |  |  |  |
| 8        | Diss | semination                              | 30         |  |  |  |  |
| ٠        | 8.1  |                                         | 30         |  |  |  |  |
|          | 8.2  |                                         | 30         |  |  |  |  |
|          | 8.3  |                                         | 30         |  |  |  |  |
|          | 8.4  |                                         | 33         |  |  |  |  |
|          | 0.4  | reading mentines                        | oo         |  |  |  |  |

| 2 | Activity report INRIA        | 2006 |
|---|------------------------------|------|
|   | 8.5 Miscellaneous Activities | . 34 |
| 9 | Bibliography                 | 34   |

## 1 Team

#### **Head of Team**

Hubert Garavel [DR2 INRIA]

#### Administrative Assistant

Elodie Toihein

#### Inria Staff

Radu Mateescu [CR1 INRIA]

Frédéric Lang [CR1 INRIA]

Wendelin Serwe [CR2 INRIA]

## Software Engineers

David Champelovier

Marie Vidal [since September 1st, 2006]

#### Post-Doctoral Fellows

Gwen Salaün [until December 10, 2006]

Olivier Ponsini [since October 2nd, 2006]

#### Ph. D. Students

Christophe Joubert [until January 4, 2006]

Jan Stoecker [since September 1st, 2006]

#### **Student Interns**

Jérôme Fereyre [CNAM Grenoble, until November 29, 2006]

Nathalie Lépy [CNAM Grenoble, until August 11, 2006]

Abdul Malik Khan [Université Joseph Fourier (Grenoble), until June 30, 2006]

Damien Thivolle [Epita Paris, until June 30, 2006]

## 2 Overall Objectives

#### 2.1 Introduction

Created on January 1st, 2000, the VASY project focuses on formal methods for the design of reliable systems.

We are interested in any system (hardware, software, telecommunication) that comprises asynchronous concurrency, i.e., any system whose behavior can be modeled as a set of parallel processes governed by interleaving semantics.

For the design of reliable systems, we advocate the use of formal description techniques together with software tools for simulation, rapid prototyping, verification, and test generation.

Among all existing verification approaches, we focus on *enumerative verification* (also known as *explicit state verification*) techniques. Although less general than theorem proving, these techniques enable an automatic, cost-efficient detection of design errors in complex systems.

Our research combines two main directions in formal methods, the *model-based* and the *language-based* approaches:

- Models provide mathematical representations for parallel programs and related verification problems. Examples of models are automata, networks of communicating automata, Petri nets, binary decision diagrams, boolean equation systems, etc. From a theoretical point of view, research on models seeks for general results, independently from any particular description language.
- In practice, models are often too elementary to describe complex systems directly (this would be tedious and error-prone). Higher level formalisms are needed for this task, as well as compilers that translate high level descriptions into models suitable for verification algorithms.

To verify complex systems, we believe that model issues and language issues should be mastered equally.

## 2.2 Models and Verification Techniques

By verification, we mean comparison — at some abstraction level — of a complex system against a set of *properties* characterizing the intended functioning of the system (for instance, deadlock freedom, mutual exclusion, fairness, etc.).

Most of the verification algorithms we develop are based on the *labeled transition systems* (or, simply, *automata* or *graphs*) model, which consists of a set of states, an initial state, and a transition relation between states. This model is often generated automatically from high level descriptions of the system under study, then compared against the system properties using various decision procedures. Depending on the formalism used to express the properties, two approaches are possible:

• Behavioral properties express the intended functioning of the system in the form of automata (or higher level descriptions, which are then translated into automata). In such

a case, the natural approach to verification is *equivalence checking*, which consists in comparing the system model and its properties (both represented as automata) modulo some equivalence or preorder relation. We develop equivalence checking tools that compare and minimize automata modulo various equivalence and preorder relations; some of these tools also apply to stochastic and probabilistic models (such as Markov chains).

• Logical properties express the intended functioning of the system in the form of temporal logic formulas. In such a case, the natural approach to verification is model checking, which consists in deciding whether the system model satisfies or not the logical properties. We develop model checking tools for a powerful form of temporal logic, the modal  $\mu$ -calculus, which we extend with typed variables and expressions so as to express predicates over the data contained in the model. This extension (the practical usefulness of which was highlighted in many examples) provides for properties that could not be expressed in the standard  $\mu$ -calculus (for instance, the fact that the value of a given variable is always increasing along any execution path).

Although these techniques are efficient and automated, their main limitation is the *state* explosion problem, which occurs when models are too large to fit in computer memory. We provide software technologies (see  $\S$  4.1) for handling models in two complementary ways:

- Small models can be represented *explicitly*, by storing in memory all their states and transitions (*exhaustive* verification);
- Larger models are represented *implicitly*, by exploring only the model states and transitions needed for the verification (on the fly verification).

## 2.3 Languages and Compilation Techniques

Our research focuses on high level languages with an executable and formal semantics. The former requirement stems from enumerative verification, which relies on the efficient execution of high level descriptions. The latter requirement states that languages lacking a formal semantics are not suitable for safety critical systems (as language ambiguities usually lead to interpretation divergences between designers and implementors). Moreover, enumerative techniques are not always sufficient to establish the correctness of an infinite system (they only deal with finite abstractions); one might need theorem proving techniques, which only apply to languages with a formal semantics.

We are working on several languages with the above properties:

- Lotos is an international standard for protocol description (Iso/IEC standard 8807:1989), which combines the concepts of process algebras (in particular Ccs and Csp) and algebraic abstract data types. Thus, Lotos can describe both asynchronous concurrent processes and complex data structures. We use Lotos for various industrial case studies and we develop Lotos compilers, which are part of the Cadp toolbox (see § 4.1).
- We contributed to the definition of E-Lotos (*Enhanced*-Lotos, Iso/Iec standard 15437:2001), a deep revision of Lotos, which tries to provide a greater expressiveness (for instance, by introducing quantitative time to describe systems with real-time

- constraints) together with a better user friendliness. Our contributions to E-LOTOS are available on the Web (see http://www.inrialpes.fr/vasy/elotos).
- We are also working on an E-Lotos variant, named Lotos NT (Lotos New Technology) [7, 12], in which we can experiment new ideas more freely than in the constrained framework of an international standard. Like E-Lotos, Lotos NT consists of three parts: a data part, which allows the description of data types and functions, a process part, which extends the Lotos process algebra with new constructs such as exceptions and quantitative time, and modules, which provide for structure and genericity. Both languages differ in that Lotos NT combines imperative and functional features, and is also simpler than E-Lotos in some respects (static typing, operator overloading, arrays), which should make it easier to implement. We are developing several tools for Lotos NT: a prototype compiler named Traian (see § 4.2), a translator from (a subset of) Lotos NT to Lotos (see § 5.2.2), and an intermediate semantic model named NTIF (New Technology Intermediate Form) [4].

## 2.4 Implementation and Experimentation

As much as possible, we try to validate our results by developing tools that we apply to complex (often industrial) case studies. Such a systematic confrontation to implementation and experimentation issues is central to our research.

## 3 Application Domains

The theoretical framework we use (automata, process algebras, bisimulations, temporal logics, etc.) and the software tools we develop are general enough to fit the needs of many application domains. They are virtually applicable to any system or protocol made of distributed agents communicating by asynchronous messages. The list of recent case studies performed with the CADP toolbox (see in particular § 5.3) illustrates the diversity of applications:

- Hardware architectures: asynchronous circuits, bus arbitration protocols, cache coherency protocols, hardware/software codesign;
- Databases: transaction protocols, distributed knowledge bases, stock management;
- Consumer electronics: audiovisual remote control, video on-demand, FIREWIRE bus, home networking;
- Security protocols: authentication, electronic transactions, cryptographic key distribution;
- Embedded systems: smart-card applications, air traffic control;
- Distributed systems: virtual shared memory, distributed file systems, election algorithms, dynamic reconfiguration algorithms, fault tolerance algorithms;
- *Telecommunications:* high speed networks, network management, mobile telephony, feature interaction detection;

• Human-machine interaction: graphical interfaces, biomedical data visualization, etc.

## 4 Software

#### 4.1 The CADP Toolbox

**Participants**: David Champelovier, Hubert Garavel [contact person], Christophe Joubert, Frédéric Lang, Radu Mateescu, Wendelin Serwe.

We maintain and enhance CADP (Construction and Analysis of Distributed Processes – formerly known as CÆSAR/ALDÉBARAN Development Package), a toolbox for protocols and distributed systems engineering (see http://www.inrialpes.fr/vasy/cadp). In this toolbox, we develop the following tools:

- Cæsar.adt [10] is a compiler that translates Lotos abstract data types into C types and C functions. The translation involves pattern-matching compiling techniques and automatic recognition of usual types (integers, enumerations, tuples, etc.), which are implemented optimally.
- CÆSAR [6] is a compiler that translates Lotos processes into either C code (for rapid prototyping and testing purposes) or finite graphs (for verification purpose). The translation is done using several intermediate steps, among which the construction of a Petri net extended with typed variables, data handling features, and atomic transitions.
- OPEN/Cæsar [11] is a generic software environment for developing tools that explore graphs on the fly (for instance, simulation, verification, and test generation tools). Such tools can be developed independently from any particular high level language. In this respect, OPEN/Cæsar plays a central role in Cadp by connecting language-oriented tools with model-oriented tools. Open/Cæsar consists of a set of 16 code libraries with their programming interfaces, such as:
  - CAESAR\_GRAPH, which provides the programming interface for graph exploration,
  - Caesar\_Hash, which contains several hash functions,
  - CAESAR\_SOLVE, which resolves boolean equation systems on the fly,
  - CAESAR\_STACK, which implements stacks for depth-first search exploration,
  - Caesar\_Table, which handles tables of states, transitions, labels, etc.

A number of tools have been developed within the OPEN/CÆSAR environment, among which:

- BISIMULATOR, which checks bisimulation equivalences and preorders,
- Determinator, which eliminates nondeterminism in normal, probabilistic, or stochastic systems,
- Distributor, which generates the graph of reachable states using several machines,

- EVALUATOR, which evaluates regular alternation-free  $\mu$ -calculus formulas,
- EXECUTOR, which performs random execution,
- EXHIBITOR, which searches for execution sequences matching a given regular expression,
- Generator, which constructs the graph of reachable states,
- Projector, which computes abstractions of communicating systems,
- REDUCTOR, which constructs and minimizes the graph of reachable states modulo various equivalence relations,
- SIMULATOR, XSIMULATOR, and OCIS, which allow interactive simulation, and
- TERMINATOR, which searches for deadlock states.
- BCG (Binary Coded Graphs) is both a file format for storing very large graphs on disk (using efficient compression techniques) and a software environment for handling this format. BCG also plays a key role in CADP as many tools rely on this format for their inputs/outputs. The BCG environment consists of various libraries with their programming interfaces, and of several tools, such as:
  - Bcg\_Draw, which builds a two-dimensional view of a graph,
  - BCG\_EDIT, which allows to modify interactively the graph layout produced by BCG\_DRAW,
  - BCG\_GRAPH, which generates various forms of practically useful graphs,
  - BCG\_INFO, which displays various statistical information about a graph,
  - Bcg\_Io, which performs conversions between Bcg and many other graph formats,
  - BCG\_LABELS, which hides and/or renames (using regular expressions) the transition labels of a graph,
  - BCG\_MERGE, which gathers graph fragments obtained from distributed graph construction,
  - BCG\_MIN, which minimizes a graph modulo strong or branching equivalences (and can also deal with probabilistic and stochastic systems),
  - Bcg\_Steady, which performs steady-state numerical analysis of (extended) continuous-time Markov chains,
  - Bcg\_Transient, which performs transient numerical analysis of (extended) continuous-time Markov chains, and
  - XTL (eXecutable Temporal Language), which is a high level, functional language for programming exploration algorithms on BCG graphs. XTL provides primitives to handle states, transitions, labels, successor and predecessor functions, etc. For instance, one can define recursive functions on sets of states, which allow to specify in XTL evaluation and diagnostic generation fixed point algorithms for usual

temporal logics (such as HML [HM85], CTL [CES86], ACTL [DV90], etc.).

- The connection between explicit models (such as BCG graphs) and implicit models (explored on the fly) is ensured by Open/Cæsar-compliant compilers, e.g.:
  - Cæsar.open, for models expressed as Lotos descriptions,
  - Bcg\_Open, for models represented as Bcg graphs,
  - Exp. open, for models expressed as communicating automata, and
  - Seq.open, for models represented as sets of execution traces.

The Cadp toolbox also includes additional tools, such as Aldébaran and Tgv (*Test Generation based on Verification*) developed by the Verimag laboratory (Grenoble) and the Vertecs project team of Inria Rennes.

The Cadp tools are well-integrated and can be accessed easily using either the Eucalyptus graphical interface or the Svl [3] scripting language. Both Eucalyptus and Svl provide users with an easy, uniform access to the Cadp tools by performing file format conversions automatically whenever needed and by supplying appropriate command-line options as the tools are invoked.

## 4.2 The TRAIAN Compiler

Participants: David Champelovier, Hubert Garavel [contact person], Frédéric Lang.

We develop a compiler named Traian for translating descriptions written in the Lotos NT language (see § 2.3) into C programs, which will be used for simulation, rapid prototyping, verification, and testing.

The current version of Traian performs lexical analysis, syntactic analysis, abstract syntax tree construction, static semantics analysis, and C code generation for Lotos NT types and functions.

Although this version of Traian is still incomplete (it does not handle Lotos NT processes), it already has useful applications in compiler construction [2]. The recent compilers developed by the Vasy project team — namely Aal, Chp2Lotos (see § 5.2.3), Evaluator 4.0, Exp.open 2.0 (see § 5.1.5), Fsp2Lotos (see § 5.2.3), Lnt2Lotos (see § 5.2.2), Ntif (see § 2.3), and Svl (see § 5.1.5) — all contain a large amount of Lotos NT code, which is then translated into C code by Traian.

Our approach consists in using the Syntax tool (developed at Inria Rocquencourt) for lexical and syntactic analysis together with Lotos NT for semantical aspects, in particular the definition, construction, and traversals of abstract trees. Some involved parts of the compiler

<sup>[</sup>HM85] M. Hennessy, R. Milner, "Algebraic Laws for Nondeterminism and Concurrency", *Journal of the ACM 32*, 1985, p. 137–161.

<sup>[</sup>CES86] E. M. CLARKE, E. A. EMERSON, A. P. SISTLA, "Automatic Verification of Finite-State Concurrent Systems using Temporal Logic Specifications", ACM Transactions on Programming Languages and Systems 8, 2, April 1986, p. 244–263.

<sup>[</sup>DV90] R. DE NICOLA, F. W. VAANDRAGER, Action versus State Based Logics for Transition Systems, Lecture Notes in Computer Science, 469, Springer Verlag, 1990, p. 407–419.

can also be written directly in C if necessary. The combined use of Syntax, Lotos NT, and Traian proves to be satisfactory, as regards both the rapidity of development and the quality of resulting compilers.

The TRAIAN compiler can be freely downloaded from the VASY WEB site (see http://www.inrialpes.fr/vasy/traian).

## 5 New Results

## 5.1 Models and Verification Techniques

## 5.1.1 The CÆSAR\_SOLVE Library

Participant: Radu Mateescu.

CÆSAR\_SOLVE is a generic software library for solving boolean equation systems of alternation depth 1 (i.e., without mutual recursion between minimal and maximal fixed point equations) on the fly. This library is at the core of several CADP verification tools, namely the equivalence checker BISIMULATOR (see § 5.1.2), the model checker EVALUATOR 3.5 (see § 5.1.3), and the minimization tool REDUCTOR 5.0 (see § 5.1.4). The resolution method is based on boolean graphs, which provide an intuitive representation of dependencies between boolean variables, and which are handled implicitly, in a way similar to the OPEN/CÆSAR interface [11].

The Cæsar\_Solve library provides five different resolution algorithms. A1 and A2 are general algorithms based upon depth-first, respectively breadth-first, traversals of boolean graphs. A3 and A4, based upon memory-efficient depth-first traversals of boolean graphs, are optimized for the case of acyclic, respectively disjunctive/conjunctive, boolean graphs. A5 is a general algorithm based upon a depth-first traversal of boolean graphs; it generalizes Tarjan's algorithm for computing strongly connected components and is much faster than A1 and A2 when it is invoked many times on the same equation block. All these algorithms can generate diagnostics explaining why a result is true or false (examples and counterexamples).

In 2006, the Cæsar\_Solve library (12, 200 lines of C code) was improved as follows:

- The primitive for writing a boolean equation system to a text file was enhanced in order to write not only the whole system, but also the portion of the system representing the diagnostic produced after solving a given boolean variable.
- The primitive for reading a boolean equation system from a text file was enhanced in order to handle the cases where the equation blocks and the boolean variables in the left-hand sides of the equations of a block are numbered neither contiguously, nor increasingly. This allows to read text files containing diagnostics of resolutions, which do not necessarily fulfill these two conditions.
- The primitives for reading and writing a boolean equation system from/to a text file were enhanced in order to support on the fly compression, which can reduce the size of text files by several orders of magnitude. This possibility is exploited by BISIMULATOR (see § 5.1.2) and EVALUATOR (see § 5.1.3).

• The A4 algorithm was enhanced to detect cycles of the boolean graph that contain certain boolean variables marked by a predicate provided by the user application. This feature is useful for encoding the evaluation of certain temporal logic properties describing infinite, unfair execution sequences. Also, a bug was corrected in algorithm A4 when detecting disjunctive/conjunctive boolean graphs.

An article about Cæsar\_Solve was published in an international journal [22].

#### 5.1.2 The BISIMULATOR Tool

Participant: Radu Mateescu.

BISIMULATOR is an equivalence checker that takes as input two graphs to be compared (one represented implicitly using the OPEN/CÆSAR environment, the other represented explicitly as a BCG file) and determines whether they are equivalent (modulo a given equivalence relation) or whether one of them is included in the other (modulo a given preorder relation). BISIMULATOR works on the fly, meaning that only those parts of the implicit graph pertinent to verification are explored. Due to the use of OPEN/CÆSAR, BISIMULATOR can be applied directly to descriptions written in high level languages (for instance, LOTOS). This is a significant improvement compared to older tools (such as Aldébaran and Fc2Implicit) which only accepted lower level models (networks of communicating automata).

BISIMULATOR works by reformulating the graph comparison problem in terms of a boolean equation system, which is solved on the fly using the Cæsar\_Solve library (see § 5.1.1). A useful functionality of BISIMULATOR is the generation of a "negative" diagnostic (i.e., a counterexample), which explains why two graphs are not equivalent (or not included one in the other). The diagnostics generated by BISIMULATOR are directed acyclic graphs and are usually much smaller than those generated by other tools (such as Aldébaran) that can only generate counterexamples restricted to sets of traces.

In 2006, we continued the development of BISIMULATOR (15,900 lines of C code). In addition to a bug fix related to the counterexample generation for branching equivalence:

- A new command-line option was added to BISIMULATOR to apply  $\tau$ -confluence reduction on the implicit graph when comparing modulo branching or observational equivalence. When the implicit graph contains interleavings due to the presence of loosely-coupled parallel processes, this option can reduce the time and memory required for the verification by up to one order of magnitude.
- The encoding of observational equivalence in terms of boolean equation systems was enhanced in order to simplify the equations when the explicit graph is deterministic and does not contain  $\tau$ -transitions. In this case, observational equivalence becomes identical to  $\tau^*.a$  equivalence, except for the states of the implicit graph from which a deadlock state can be reached after zero or more  $\tau$ -transitions. These states are now detected during the computation of  $\tau$ -closures (transitive reflexive closures over  $\tau$ -transitions) and used to simplify the equations accordingly. This can reduce the number of boolean variables by up to 30%.

#### 5.1.3 The EVALUATOR Tool

Participants: Radu Mateescu, Damien Thivolle.

EVALUATOR is a model checker that evaluates a temporal logic property on a graph represented implicitly using the OPEN/CÆSAR environment. Properties are described in regular alternation-free  $\mu$ -calculus, a logic built from boolean operators, possibility and necessity modalities containing regular expressions denoting transition sequences, and fixed point operators without mutual recursion between least and greatest fixed points. The input language of the tool also allows to define parameterized temporal operators and to group them into separate libraries.

EVALUATOR works on the fly, meaning that only those parts of the implicit graph pertinent to verification are explored. The model checking problem is reformulated in terms of solving a boolean equation system. A useful feature of EVALUATOR is the generation of diagnostics (examples and counterexamples) explaining why a formula is true or false.

In 2006, we continued the development of the EVALUATOR 3.5 tool. In particular, the translation in regular alternation-free  $\mu$ -calculus of the inevitability operator of ACTL was improved. When using EVALUATOR 3.5 to check temporal formulas containing this operator, the new translation leads to gains in time and memory up to a factor 8.

We also continued our work (undertaken in 2003) for extending the regular alternation-free  $\mu$ -calculus with new operators dedicated to the specification of properties involving data values. This led to a prototype EVALUATOR 4.0 (37,600 lines of SYNTAX/LOTOS NT code and 11,100 lines of C code), which brings the following enhancements with respect to EVALUATOR 3.5:

- State formulas are extended with data-handling operators inspired from programming languages, such as "if-then-else" and "case". Fixed point operators are enhanced with data parameters allowing arbitrary calculations to be performed on the fly while exploring the graph. Action formulas are extended with action patterns that extract the data values contained in transition labels and store them in variables that can be referred to in the formula. Regular expressions occurring inside modalities are extended with iteration operators ranging over natural intervals, and also with programming language constructs such as "while", "until", and "for". Finally, special operators are introduced for capturing states of the graph and manipulating them in formulas; this allows to express non-standard properties, such as the existence of self-loops (transitions from a state to itself) and past-time properties (occurence of actions before a certain state). This new language of formulas is called MCL (Model Checking Language). It supersedes the regular alternation-free μ-calculus accepted as input by EVALUATOR 3.5.
- The problem of evaluating an MCL formula on the fly amounts to the local resolution of a boolean equation system, which is performed using the CÆSAR\_SOLVE library. The translation consists of several phases: lexical, syntactic, and semantic analysis of the MCL formula; type checking and replacement of the derived operators by primitive ones; conversion to positive normal form by propagating negations down to the atomic formulas; generation of modal equation systems containing parameterized propositional variables in the left-hand sides and modal formulas in the right-hand sides; elimination of regular expressions by translating them into terms of modalities and fixed point equations. Then, the resulting modal equation system and the graph (represented implicitly

using the OPEN/CÆSAR environment) are combined together into a boolean equation system (represented implicitly according to the CÆSAR\_SOLVE interface) containing a distinguished variable, whose local resolution yields the truth value of the MCL formula on the initial state of the graph.

• The translation of a state formula into a modal equation system was optimized in order to maximize the number of blocks in the final boolean equation system whose corresponding boolean graphs are disjunctive/conjunctive. These blocks are solved using the memory-efficient algorithm A4 of Cæsar\_Solve, which avoids storing the transitions of the boolean graphs (and hence the transitions of the graph on which the formula is evaluated). In practice, all temporal formulas built from the operators of CTL, ACTL, and PDL are translated into boolean equation systems containing only disjunctive/conjunctive blocks, and are therefore evaluated with a quasi-optimal memory consumption using A4.

The prototype version EVALUATOR 4.0 was successfully tested on 2,300 examples of MCL formulas and on all regular alternation-free  $\mu$ -calculus formulas available in the demo examples of the CADP distribution.

#### 5.1.4 The REDUCTOR and DETERMINATOR Tools

Participants: Frédéric Lang, Radu Mateescu.

The Reductor 4.0 tool of Cadp, developed in 2005, implements several forms of (partial or total) graph reductions. Some of these reductions are obtained by encoding the reduction problem into a boolean equation system that is solved on the fly using the Cæsar\_Solve library (see § 5.1.1).

CADP also contains a tool named Determinator, which eliminates nondeterminism from ordinary or stochastic graphs.

In 2006, we released a new version 5.0 of Reductor, together with a new version of Determinator. Reductor 5.0 includes several functionalities previously available in Determinator. The main changes are the following:

- We fixed a bug in reduction modulo safety equivalence, which caused the generated labeled transition system to be not minimal in some cases.
- Three new equivalences were added to Reductor, namely trace reduction (previously available in Determinator as normal determinization), weak trace reduction (previously available in Determinator as determinization with  $\tau$ -elimination), and  $\tau$  divergence reduction.

## 5.1.5 Compositional Verification Tools

Participants: Hubert Garavel, Frédéric Lang.

The CADP toolbox contains various tools dedicated to compositional verification, among which PROJECTOR 2.0, EXP.OPEN 2.0, and SVL play a central role.

Projector 2.0 implements behavior abstraction [GSL96,KM97] by taking into account interface constraints.

EXP.OPEN 2.0 explores on the fly the graph corresponding to a network of communicating automata (represented as a set of BCG files).

SVL (Script Verification Language) is both a high level language for expressing complex verification scenarios and a compiler dedicated to this language.

In 2006, we enhanced these tools along the following lines:

- We corrected one bug in Projector 2.0, two bugs in Exp.open 2.0, and four bugs in Svl.
- We enhanced Exp.open 2.0 to convert networks of communicating automata into Petri nets encoded in the Tpn format of the Tina toolbox developed at Laas-Cnrs.
- We added to Exp.open 2.0 a new operator for specifying priorities between the transitions of a network of communicating automata.
- We extended the SVL language to support the new equivalences available in REDUCTOR 5.0 (see § 5.1.4) and the new features of BISIMULATOR (see § 5.1.2) and EVALUATOR (see § 5.1.3), e.g., selection between depth-first or breadth-first search algorithms, selection of algorithms dedicated to acyclic graphs, etc.

An article on refined interface generation using Exp.open and Svl (see the Vasy 2005 activity report) was published in an international conference [29].

#### 5.1.6 Parallel and Distributed Verification Tools

Participants: Jérôme Fereyre, Hubert Garavel, Radu Mateescu.

Enumerative verification algorithms need to explore and store very large graphs and, thus, are often limited by the capabilities of one single sequential machine. To push forward the limits, we are studying parallel and distributed algorithms adapted to the clusters of PCs and networks of workstations available in most research laboratories.

As a first goal, we focused on parallelizing the graph construction algorithm, which is a bottleneck for verification, as it requires a considerable amount of memory to store all reachable states. For this purpose, we developed two tools [5]: DISTRIBUTOR splits the construction of a graph over N machines communicating using TCP/IP sockets; each machine builds a graph fragment, the distribution of states between the machines being determined by a static hash function; BCG\_MERGE merges the N graph fragments constructed by DISTRIBUTOR to produce the entire graph.

[GSL96] S. Graf, B. Steffen, G. Lüttgen, "Compositional Minimization of Finite State Systems using Interface Specifications", Formal Aspects of Computation 8, 5, September 1996, p. 607–616.

[KM97] J.-P. KRIMM, L. MOUNIER, "Compositional State Space Generation from LOTOS Programs", in: Proceedings of TACAS'97 Tools and Algorithms for the Construction and Analysis of Systems (University of Twente, Enschede, The Netherlands), E. Brinksma (editor), Lecture Notes in Computer Science, 1217, Springer Verlag, Berlin, April 1997. Extended version with proofs available as Research Report VERIMAG RR97-01.

DISTRIBUTOR 3.0 and BCG\_MERGE 3.0 are now properly documented and integrated into CADP. A tool paper was published at an international conference [27].

In 2006, this work progressed as follows:

- We studied various enhancements of our Cæsar\_Network library, which implements generic communication primitives for distributed verification tools. We simplified its programming interface by reducing the number of primitives needed to initialize and terminate a distributed computing session. We also designed an extension of the Gcf (Grid Configuration File) format used by Cæsar\_Network in order to support the mainstream job schedulers available in clusters and grids.
- Each graph generated by executing DISTRIBUTOR on a set of machines is represented as a PBG (Partitioned BCG Graph) file, which consists of a set of graph fragments generated on each machine and stored as BCG files. The PBG format provides various information for handling these fragments (number of states and transitions of each fragment, GCF file used to generate the fragments, log files produced on each machine, etc.). So far, the only tool of CADP handling the PBG format was BCG\_MERGE, which translates a PBG file into a BCG file by merging all fragments into a single graph. In 2006, we developed four new prototype tools operating on PBG files:
  - PBG\_CP copies a PBG file and its dependencies (fragments, log files, and GCF file) from a machine to another,
  - Pbg\_Mv moves a Pbg file (and its dependencies) between two machines,
  - PBG\_RM removes a PBG file (and its dependencies), and
  - PBG\_OPEN provides a distributed algorithm that implements the OPEN/CÆSAR programming interface [11], thus allowing to explore on the fly a PBG file (without merging its fragments first as BCG\_MERGE does).

As a second goal, we aim at parallelizing on the fly verification itself. Because the Cæsar\_Solve library (see  $\S$  5.1.1) is our central verification engine for both model checking, e.g., in the Evaluator tool (see  $\S$  5.1.3), and equivalence checking, e.g., in the Bisimulator (see  $\S$  5.1.2) and Reductor (see  $\S$  5.1.4) tools, we have been designing a distributed version of the Cæsar\_Solve library to solve boolean equation systems on the fly using several machines.

In 2006, we continued the development of this library. The library code (16,000 lines of C code) was thoroughly reviewed and simplified. The error management was improved. The primitive for writing a boolean equation system (or the portion of the system corresponding to the diagnostic of a given variable) to a file was also implemented in the distributed version of Cæsar\_Solve. The distributed resolution algorithm for boolean equation systems was enhanced to detect on the fly cyclic dependencies between equation blocks (the presence of such dependencies indicates that the boolean equation system has an alternation depth greater than one).

An article about the distributed version of Cæsar\_Solve and its applications was published in an international conference [28].

We developed a new tool, named BES\_SOLVE, which supersedes two existing prototype tools for generating random boolean equation systems and for reading and writing boolean equation systems from/to text files, respectively. BES\_SOLVE allows to compare and cross-check the various

resolution algorithms provided by the sequential and distributed versions of Cæsar\_Solve. It constructs a boolean equation system in memory either by reading it from a (possibly compressed) text file, or by generating it randomly according to various parameters (number of equation blocks, minimum and maximum number of variables in each block, length of the equations, percentage of boolean constants, percentage of disjunctive and conjunctive variables in the right-hand sides of the equations, seed value for initializing the random number generator, etc.). Then, a boolean variable defined in some equation block of the boolean system can be solved by invoking any sequential or distributed algorithm of Cæsar\_Solve. Bes\_Solve served to experiment intensively the resolution algorithms and allowed to correct a bug in algorithm A4 of the sequential version of Cæsar\_Solve.

## 5.1.7 Other Tool Developments

**Participants**: David Champelovier, Jérôme Fereyre, Hubert Garavel, Frédéric Lang, Nathalie Lépy, Radu Mateescu, Wendelin Serwe, Marie Vidal.

We undertook the design of an integrated development environment for CADP within the ECLIPSE framework. This environment comprises both a LOTOS editor and a graphical user-interface (inspired from EUCALYPTUS but based on ECLIPSE) for the CADP tools.

Additionally, we improved the following CADP tools and libraries:

- We fixed one bug in the CAESAR\_REGEXP library and two bugs in XTL.
- We enhanced Determinator and Bcg\_Min to support double precision floating point numbers.
- We improved the Eucalyptus graphical user-interface to provide access to all recent features and tools of CADP.
- We added a new CADP demo example (WEB services for stock management and an online book auction) and we updated most of the other demo examples to take advantage of the most recent features and tools of CADP.

We continued adapting CADP to the latest computing platforms:

- We finished porting CADP to recent LINUX distributions and MAC OS 10.4 "TIGER".
- We modified CADP to support recent C compilers (GCC 4, INTEL ICC 9.0, SUN STUDIO 11).
- We improved the portability of CADP by adding new "wrappers", i.e., shell scripts that make CADP less dependent on the underlying operating system.
- As regards 64-bit architectures:
  - We wrote a portability guide for 64-bit applications.
  - We started porting the shell scripts of CADP as well as third party software used by CADP (e.g., CUDD, SPARSE, TCL-TK/TIX, garbage collector) to 64-bit architectures.

## 5.2 Languages and Compilation Techniques

## 5.2.1 Compilation of LOTOS

Participants: Hubert Garavel, Wendelin Serwe.

The CADP toolbox contains several tools dedicated to the LOTOS language, namely: the Cæsar.ADT compiler [10] for the data type part of LOTOS, the Cæsar compiler [6] for the process part of LOTOS, and the Cæsar.INDENT pretty-printer.

In 2006, we performed maintenance activities for these tools (two bugs fixed in Cæsar, one bug fixed in the Cæsar.Bdd tool invoked by Cæsar, and two enhancements in Cæsar.Indent). We also improved the C code generated by Cæsar and Cæsar.Add to avoid warnings emitted by the most recent C compilers.

We pursued our study of state space reduction techniques, our goal being to decrease the size of the graphs generated by Cæsar, still preserving strong bisimulation between the original and reduced graphs.

Our work on state space reduction based on live variable analysis resulted in version 7.0 of Cæsar (previously named Cæsar.new), which was officially released as part of Cadr in July 2006. On all Cadr demos, Cæsar 7.0 reduced the state space by a mean factor of 45 (we observed a maximum factor of 4,400) as regards the number of states and by a mean factor of 38 (we observed a maximum factor of 3,100) as regards the number of transitions. This work led to a journal publication [20].

Additionally, W. Serwe experimented further uses of data-flow analysis to improve the efficiency for enumerative verification. A prototype version of Cæsar was developed and experimented in the framework of the FormalFame Plus contract (see § 6.1): we obtained a memory reduction by a factor of 1.4 and a time reduction by a factor of 2.

#### 5.2.2 Compilation of E-LOTOS and LOTOS NT

Participants: David Champelovier, Hubert Garavel, Frédéric Lang, Wendelin Serwe.

As regards the E-Lotos language — and, more specifically, its Lotos NT variant elaborated by the Vasy project team — we worked in two directions:

- The Traian compiler (see § 4.2) remained stable in 2006, but we developed a new tool, named Traian.indent, for indenting Lotos NT programs, similar to the existing tool Cæsar.indent (see § 5.2.1).
- In the framework of the FORMALFAME PLUS contract (see § 6.1), we continued the development of a tool suite for the translation from LOTOS NT to LOTOS, which aims at easing the development of large specifications by Bull and to reuse the existing LOTOS tools for analyzing concurrent systems described in LOTOS NT. The tool suite consists of a LOTOS/LOTOS NT preprocessing tool named LPP, a translator from LOTOS NT data types to LOTOS named LNT2LOTOS, and a shell script named LNT\_COMPILE, which calls LPP and LNT2LOTOS.

In 2006, the tool suite was improved as follows:

- The predefined comparison functions ("=", "<", "≤", etc.), which were only available for enumerated types in 2005, were made available to all constructor types, using a recursive lexicographic ordering of constructors and constructor fields.
- A new predefined type "sorted list of T" was added. The elements of a sorted list are sorted automatically using the order relation "<" on T, which can be either generated automatically as explained in the previous item, or given by the user.</p>
- We implemented the translation from Lotos NT functions into Lotos equations, starting from an algorithm [PFK05] that translates into Horn clauses a subset of the C language ("while" loops without "break" statements and functions with value passing parameters only and a single "return" statement located at the end of the function). We extended this algorithm so as to handle reference passing parameters, pattern matching ("case" statement), loop interruptions ("break" statement), multiple "return" statements within the body of functions, uncatchable exceptions ("raise" statement), and function name overloading.
- The Lnt\_Compile tool was improved to allow the generated Lotos code to be combined with handwritten Lotos code and/or C code provided by the user.

LNT2LOTOS is developed using the SYNTAX/TRAIAN technology [2]. It grew from 3,660 lines (760 lines of SYNTAX code, 1,920 lines of LOTOS NT code, and 980 lines of C code) at the end of 2005 up to 17,300 lines (2,100 lines of SYNTAX code, 14,000 lines of LOTOS NT code, and 1,200 lines of C code) at the end of 2006.

In 2006, we delivered 7 successive versions of the tool suite to Bull, who uses Lotos NT to model a critical part of its Fame2 multiprocessor architecture for high-end servers (see § 6.1). A non-regression test suite of 67 programs representing more than 6,000 lines of Lotos NT code was developed. The reference manual was updated [35] and grew from 29 pages (at the end of 2005) up to 47 pages (at the end of 2006). A forge was set up under Inria GForge to track bugs and feature requests, and to serve as a repository where our Bull partners can download the new versions of the Lnt2Lotos tool suite.

#### 5.2.3 Source-Level Translations between Concurrent Languages

**Participants**: Hubert Garavel, Abdul Malik Khan, Frédéric Lang, Olivier Ponsini, Gwen Salaün, Wendelin Serwe.

Although process algebras are, from a technical point of view, the best formalism to describe concurrent systems, they are not used as widely as they could be. Besides the steep learning curve of process algebras, which is traditionally mentioned as the main reason for this situation, it seems also that the process algebra community scattered its efforts by developing too many languages, similar in concept but incompatible in practice. Even the advent of two international standards, such as LOTOS (in 1989) and E-LOTOS (in 2001), did not remedy this fragmentation.

To address this problem, we started investigating source-level translators from various process algebras into Lotos, so as to widen the applicability of the CADP tools. One first example was the Lnt2Lotos tool suite (see § 5.2.2). In 2006, we studied also translators for other concurrent languages:

- We considered the process algebra FSP (Finite State Processes) defined in a popular textbook on concurrency [MK99]. Continuing the collaboration initiated in 2005 with Jeff Kramer and Jeff Magee (Imperial College, London, see § 8.3), we removed the ambiguities found in the reference FSP grammar and provided a new unambiguous LALR(1) grammar for FSP. We redesigned our FSP2LOTOS prototype, undertaken in 2005, that translated the "basic FSP" fragment (i.e., FSP without its data part and without syntactic sugar) to LOTOS. The new FSP2LOTOS prototype (5,000 lines of SYNTAX code, 20,000 lines of LOTOS NT code, and 500 lines of C code) translates "full FSP" into LOTOS. It is available on SOLARIS, LINUX, and WINDOWS and has been tested on 10,500 lines of FSP code, including many examples given in the FSP textbook [MK99].
- In the framework of the Fiacre (see § 7.1), Openembed (see § 6.3), and TopCased (see § 6.4) projects, and in cooperation with the Laas-Cnrs and Irit laboratories, we undertook the definition of a new intermediate model named Fiacre (Format Intermédiaire pour les Architectures de Composants Répartis Embarqués). Derived from Ntif [4] and V-Cotre [BrV+03], Fiacre will be used as a pivot formalism between modeling languages (such as Aadl, Uml, or SysML) and verification tools (such as Cadp and Tina). After several meetings, intensive technical correspondence (80 e-mail exchanges), and 8 drafts, we converged to a 14-page document describing Fiacre.
- In the framework of the Inria/Leti collaboration (see § 7.1), we focused on the process algebra Chp (Communicating Hardware Processes) for which the Tima laboratory has developed a circuit synthesis tool named Tast [Ren05] and which is used by the Leti laboratory to describe complex, asynchronous circuits at a high abstraction level. The goal is to integrate formal verification into the design flow of complex microelectronic circuits.

In 2006, we improved the CHP2LOTOS translator by developing code specialisation techniques that optimize the translation of each channel depending on its profile (i.e., whether and how the CHP "probe" operator is applied to this channel). Computing channel profiles in a pre-processing step and optimizing the translation accordingly allows to reduce the state space significantly: on the example of the FAUST circuit, an asynchronous NoC (Network on Chip) developed at the LETI laboratory (see § 5.3), we observed a reduction of the number of states (respectively, transitions) by a factor of 89 (respectively, 156).

[Ren05] M. Renaudin, TAST Compiler and TAST-CHP Language – Version 0.6, TIMA Laboratory, CIS Group, 2005.

<sup>[</sup>MK99] J. Magee, J. Kramer, Concurrency: State Models and Java Programs, Wiley, 1999.

<sup>[</sup>BRV<sup>+</sup>03] B. BERTHOMIEU, P. RIBET, F. VERNADAT, J. BERNARTT, J.-M. FARINES, J.-P. BODEVEIX, M. FILALI, G. PADIOU, P. MICHEL, P. FARAIL, P. GAUFILLET, P. DISSAUX, J.-L. LAMBERT, "Towards the verification of real-time systems in avionics: the COTRE approach", in: Proceedings of the 8th International Workshop on Formal Methods for Industrial Critical Systems FMICS'2003 (Trondheim, Norway), T. Arts, W. Fokkink (editors), Electronic Notes on Theoretical Computer Science, 80, Elsevier, p. 201–216, June 2003.

Our Chp2Lotos translator (currently, 2,200 lines of Syntax code, 13,400 lines of Lotos NT code, and 3,900 lines of C code) was extended accordingly. We also added more examples to the test base (currently, about 500 Chp specifications, corresponding to 14,500 lines of Chp code). Chp2Lotos has been tested on Solaris, Linux, and Windows.

• We also started to investigate the verification of TLM (*Transaction Level Model*) specifications. Compared to traditional RTL (*Register Transfer Level*) models, TLM models are more suitable for faster simulation, simultaneous development of software and hardware, and earlier hardware/software partitioning.

Among all TLM languages, SystemC <sup>[IEE05]</sup> emerges as an industrial standard. SystemC is a C++ library providing both a high-level description language and a simulation kernel. However, integrating formal verification with a system design flow based on SystemC/Tlm is still an open question as the process scheduler of the SystemC simulation kernel may differ from the actual hardware behavior.

In this perspective, we are currently investigating the translation of (a TLM subset of) SystemC into Lotos or Lotos NT (see § 5.2.2). For this purpose, we studied the SystemC front-end Pinapa [MMMC05], which we ported to the Solaris operating system.

- In collaboration with Gregor Goessler (Popart project), we designed a translator that connects to Cadp the Prometheus tool developed by Popart. This translator [36] takes as input a model in the Bip format of Prometheus and performs four main tasks:
  - 1. It converts each sequential component of the BIP behavior layer (a typical condition/action model) into a sequential LOTOS process that will be translated automatically into a labeled transition system (BCG file) using CADP.
  - 2. It converts the BIP interaction layer into an EXP.OPEN file, which composes the BCG graphs using synchronization vectors.
  - 3. It takes into account the global constraints expressed in the BIP execution layer either as invariants, or as interaction constraints that determine which transition can be fired (a special case of interaction constraints being priorities between transitions).

Such constraints impact the generation of Lotos and Exp.open described in items 1. and 2. above in three ways. First, special actions, called observers, are added in Lotos sequential processes to enable observation of local variables occurring in state invariants and/or interaction constraints. Second, synchronization vectors between observers are added to the Exp.open model to identify all states in which the invariants or interaction constraints are violated. Third, priorities are added to the Exp.open model to cut each transition that violates some interaction constraints, or whose source state violates some invariant.

[IEE05] IEEE, "IEEE Standard SystemC Language Reference Manual", IEEE Standard number 1666-2005, Institution of Electrical and Electronic Engineers, December 2005.

[MMMC05] M. MOY, F. MARANINCHI, L. MAILLET-CONTOZ, "PINAPA: An Extraction Tool for SystemC descriptions of Systems-on-a-Chip", in: EMSOFT, W. Wolf (editor), ACM, September 2005.

4. It generates an SVL script that manages the generation of the BCG files described in item 2 above. This script can then be extended to explore the state space of the input BIP model on the fly using EXP.OPEN and other CADP tools.

This translator was integrated as a new module in the Prometheus tool. It was experimented on a hardware architecture.

## 5.3 Case Studies and Practical Applications

**Participants**: David Champelovier, Hubert Garavel, Frédéric Lang, Radu Mateescu, Gwen Salaün, Wendelin Serwe.

In 2006, the VASY project team also worked on the following case studies:

- We continued our collaboration with Antonella Chirichiello (University "La Sapienza", Rome) on the use of Lotos and Cadp to design and verify Web services. This led to a new publication [26] describing an e-business application specified in Lotos, verified with Cadp, and translated into the standard orchestration language Bpel.
- In the context of the Senva collaboration (see § 7.2), we continued the study (undertaken in 2005) of a turntable system for drilling products. This industrial critical system is interesting because its distributed embedded controller is simple enough to have a concise formal description, but sufficiently complex to require formal analysis. This system was previously specified by CWI and the University of Eindhoven using several languages ( $\chi$ ,  $\mu$ CRL, PROMELA, and timed automata) and analyzed with various tools [BTW+05].
  - We formally specified in LOTOS a sequential and a distributed version of the controller embedded in the turntable system, and we formulated in regular alternation-free  $\mu$ -calculus a set of safety and liveness properties characterizing its correct behavior. Using the BISIMULATOR (see § 5.1.2) and EVALUATOR 3.5 (see § 5.1.3) tools of CADP, we checked the compatibility between both versions of the controller and their correctness with respect to the temporal properties. This activity led to the publication of a book chapter [23].
- In the context of the FormalFame Plus contract (see § 6.1), we worked on a critical part of Bull's Fame2 multiprocessor architecture, the Pab (*Pipeline and Active transaction Block*), for which Bull wrote a Lotos NT specification (3,977 lines of Lotos NT) that was translated to Lotos (5,145 lines of Lotos) using our Lnt2Lotos tool suite (see § 5.2.2).

This specification was used for two purposes. On the one hand, it allowed to generate execution traces that were used to test the Verilog code of the Pab; this allowed Bull to detect coding errors. On the other hand, it was used to verify the correctness of the Pab protocol itself. Confronted to state explosion issues, we performed several experiments:

<sup>[</sup>BTW<sup>+</sup>05] E. BORTNIK, N. TRCKA, A. J. WIJS, S. P. LUTTIK, J. M. VAN DE MORTEL-FRONCZAK, W. J. F. J. C. M. BAETEN, J. E. ROODA, "Analyzing a  $\chi$  Model of a Turntable System using Spin, CADP and UPPAAL", Journal of Logic and Algebraic Programming 65, 2, November–December 2005, p. 51–104.

- We first optimized the Lotos specification, taking into account the symmetries induced by lists containing the same elements in different order. We introduced sorted lists instead of simple lists and provided external C code to reduce memory usage. This divided the state space size by a factor of 2.4 (from 900,000 states down to 379,000 states), the generation time by 37 (from 1 hour 19 minutes to 2 minutes 8 seconds), and the memory usage by 6.3 (from 189 down to 30 MBytes).
- Using the Distributor tool running on the Grimage cluster of Inria Rhône-Alpes (36 processors: 10 bi-Opteron at 2 GHz and 8 bi-Xeon at 3 GHz with 1 GByte Ram each), we were able to generate a state space of 10 million states and 14 million transitions in 2 minutes.
- Finally, Bull managed to split the PAB specification in two independent parts, replacing the generation of one single, large graph by the generation of two separate, smaller graphs. Bull also simplified the specification based on symmetry arguments. After these simplifications, Bull could generate the graph on a single sequential machine in a few hours.
- In the context of the INRIA/LETI collaboration (see § 7.1), we pursued the study (undertaken in 2005) of the FAUST Noc (*Network on Chip*) circuit developed by the LETI laboratory.

In 2006, we focused on the communication interconnect part of FAUST <sup>[BCV+05]</sup>, which routes packets (consisting of several 34-bit flits) between the 23 components of the FAUST circuit. This interconnect is described in the hardware process calculus CHP (Communicating Hardware Processes) and implemented, at the RTL level, in asynchronous logic. The interconnect has 23 communication nodes, one per component. Each communication node consists of five input and five output controllers. Each input controller dispatches incoming flits to one out of four output controllers, and each output controller arbitrates between four input controllers.

To carry out the compositional verification of an input controller, we used the following steps:

- First, applying the idea of data independence, we reduced the potential state space from 10<sup>25</sup> to 5.10<sup>16</sup> states by setting parts of the flits to a fixed bit pattern. Then, we further reduced the state space to a manageable size by considering several scenarios (sequences of 4 flits) carefully chosen according to the properties to be verified (e.g., data integrity and correct routing of flits/packets). These two reductions were obtained by introducing additional CHP processes, called "traffic generators", which restrict the environment of the input controller by providing meaningful inputs only. Applying our CHP2LOTOS translator (see § 5.2.3) to the CHP description of the input controller (500 lines of CHP code) connected to each traffic generator (about 700 lines of CHP code), we produced a set of LOTOS specifications in less than one second.

[BCV<sup>+</sup>05] E. BEIGNÉ, F. CLERMIDY, P. VIVET, A. CLOUARD, M. RENAUDIN, "An Asynchronous NoC Architecture Providing Low Latency Service and its Multi-Level Design Framework", in: Proceedings of the 11th IEEE International Symposium on Asynchronous Circuits and Systems ASYNC'05 (New York, USA), IEEE Computer Society Press, p. 54–63, March 2005.

- Second, for each Lotos specification, we generated the corresponding state space using the compositional verification techniques of CADP (see § 5.1.5) using a generic SVL script (41 steps, 450 lines of SVL code); for a typical scenario, the generated state space had 1,300 states and 3,116 transitions, and the largest intermediate state space had 295,893 states and 812,283 transitions.
- Third, we used the equivalence checking and model checking tools of CADP to verify seven properties, such as absence of deadlocks, correctness of the communication protocol, integrity of the transmitted data, and correctness of flit/packet routing. These verification steps were automated using an SVL script (250 lines of SVL code).

We were able to exhibit a routing error in the CHP description. Although this error had been already found (and fixed) manually during the synthesis of the FAUST circuit (it required more than 500,000 steps to replay the error in the TAST native simulator for CHP), our approach based on CHP2LOTOS and CADP allowed to detect the error automatically in less than 15 minutes.

This work led to a joint INRIA/LETI publication [34].

• We continued our collaboration with Estelle Dumas, Hidde de Jong, and Delphine Ropers (Helix project team of Inria Rhône-Alpes) for connecting Cadp and the Gna (*Genetic Network Analyzer*) tool developed by Helix in order to verify temporal properties of genetic regulatory networks.

GNA provides a simulator of qualitative models of genetic regulatory networks in the form of piecewise-linear differential equations. The output of the simulator is a Kripke structure (i.e., a state-transition graph in which the relevant information is associated to states) that can also be exported by GNA as a labeled transition system, thus enabling a direct connection with CADP. This allows to enhance GNA with verification features.

In practice, GNA is used mainly by biologists, who are not necessarily familiar with computer science and formal verification. For this community, we are studying a transparent connection between CADP and GNA based on a client-server architecture, in which CADP is installed on a single server and several instances of GNA are running on remote client machines. A client sends Kripke structure files and temporal properties to the server and gets back verdicts and diagnostics. A prototype connection based on WEB services was developed and experimented on several biologically-relevant examples.

Other teams also used the CADP toolbox for various case studies. To cite only recent work not already described in previous VASY activity reports, we can mention:

- the verification of the Transport Layer Security protocol [CM02],
- the test case generation using mutation-based testing techniques [DA04,AD06],
- [CM02] A. CALIXTO, R. MONROY, "Formal Analysis of TLS", Studia Informatica Universalis 2, 2, 2002, p. 235–249.
- [DA04] C. C. Delgado, B. K. Aichernig, "Test Purpose Generation by Specification Mutation in Distributed Systems", research report number 313, International Institute for Software Technology, United Nations University, Macau (China), September 2004.
- [AD06] B. K. AICHERNIG, C. C. DELGADO, "From Faults via Test Purposes to Test Cases: On the

- the verification of fault-tolerant Erlang programs [BF05,BFD05],
- the solving of scheduling problems using untimed model checking [WvdP05,WvdP06],
- the verification of software components [AAA06a,AAA06b],
- the formal analysis of an automatic document feeder [PS06],
- the formal analysis and verification of a digital rights management protocol [JND06],
- the verification of privacy using observational determinism [HWS06],
- the performability analysis of the European Train Control System [BHH<sup>+</sup>06],
- the verification of a WiFi Internet access system available in airports [BCMR06].

Fault-Based Testing of Concurrent Systems", in: Proceedings of the 9th International Conference on Fundamental Approaches to Software Engineering FASE'06 (Vienna, Austria), L. Baresi, R. Heckel (editors), Lecture Notes in Computer Science, 3922, Springer Verlag, p. 324–338, March 2006.

- [BF05] C. Benac Earle, L.-Å. Fredlund, "Verification of Language Based Fault-Tolerance", in: Proceedings of the 10th International Conference on Computer Aided Systems Theory EUROCAST 2005 (Las Palmas de Gran Canaria, Spain), R. Moreno-Díaz, F. Pichler, A. Quesada-Arencibia (editors), Lecture Notes in Computer Science, 3643, Springer Verlag, p. 140–149, February 2005.
- [BFD05] C. Benac Earle, L.-Å. Fredlund, J. Derrick, "Verifying Fault-Tolerant Erlang Programs", in: Proceedings of the 2005 ACM SIGPLAN Workshop on Erlang (Tallinn, Estonia), K. F. Sagonas, J. Armstrong (editors), ACM Press, p. 26–34, September 2005.
- [WvdP05] A. J. Wijs, J. van de Pol, "Solving Scheduling Problems by Untimed Model Checking The Clinical Chemical Analyser Case Study", in: Proceedings of the 10th International Workshop on Formal Methods for Industrial Critical Systems FMICS'05 (Lisbon, Portugal), ACM, p. 54–61, September 2005. Also available as CWI Technical Report SEN-R0608.
- [WvdP06] A. J. Wijs, J. van de Pol, "Solving Scheduling Problems by Untimed Model Checking", Technical Report number SEN-R0608, CWI, Amsterdam, The Netherlands, 2006.
- [AAA06a] P. André, G. Ardourel, C. Attiogbé, "Spécification d'architectures logicielles en Kmélia: hiérarchie de connexion et composition", in: Proceedings of 1ère Conférence Francophone sur les Architectures Logicielles CAL'06 (Nantes, France), F. Oquendo, M. Oussalah (editors), Hermès Science/Lavoisier, September 2006.
- [AAA06b] C. Attiogbé, G. Ardourel, P. André, "Checking Component Composability", in: Proceedings of the 5th International Symposium on Software Composition SC'06 (Vienna, Austria), W. Lowe, M. Sudholt (editors), Lecture Notes in Computer Science, 4089, Springer Verlag, p. 18–33, March 2006.
- [PS06] B. Ploeger, L. Somers, "Analysis and Verification of an Automatic Document Feeder", CS-Report number 06–25, Eindhoven University of Technology, 2006.
- [JND06] H. JONKER, S. K. NAIR, M. T. DASHTI, "Nuovo DRM Paradiso: Formal Specification and Verification of a DRM Protocol", in: Proceedings of the 1st Benelux Workshop on Information and System Security WISSec 2006 (Antwerpen, Belgium), Lecture Notes in Computer Science, Springer Verlag, November 2006.
- [HWS06] M. Huisman, P. Worah, K. Sunesen, "A Temporal Logic Characterisation of Observational Determinism", in: Proceedings of the 19th IEEE Computer Security Foundations Workshop CSFW'06 (Venice, Italy), IEEE Computer Society Press, July 2006.
- [BHH<sup>+</sup>06] E. BÖDE, M. HERBSTRITT, H. HERMANNS, S. JOHR, T. PEIKENKAMP, R. PULUNGAN, R. WIMMER, B. BECKER, "Compositional Performability Evaluation for Statemate", in: Proceedings of the 3rd International Conference on the Quantitative Evaluation of Systems QUEST'06 (Riverside, California, USA), IEEE Computer Society Press, p. 167–178, September 2006.
- [BCMR06] T. BARROS, A. CANSADO, E. MADELAINE, M. RIVERA, "Model-Checking Distributed Compo-

Other research teams took advantage of the software components provided by CADP (e.g., the BCG and OPEN/CÆSAR environments) to build their own research software. We can mention the following developments:

- an environment for the verification of the VoDka video-on-demand system [Sán06],
- the Adaptor tool, developed at the Ibisc laboratory (Evry), which allows the automatic generation of adaptors between differing component interfaces,
- the Vesta tool  $^{[BJMO06,Oud06]}$ , developed at the Lift laboratory (Besançon), which allows the verification of divergence-sensitive and stability respecting  $\tau$ -simulation for component-based timed systems,
- the Annotator tool [dMGJM06], developed at the University of Málaga (Spain), for the static analysis of software,
- a framework for model checking socket-based concurrent C programs [dMGMS06], developed at the University of Málaga (Spain),
- the Vercors platform [BCMR06] for model checking distributed components, developed by the Oasis project team at Inria Sophia-Antipolis.

Finally, a textbook <sup>[BG06]</sup> was published, which uses CADP as a software support for teaching concurrency theory.

## 6 Contracts and Grants with Industry

#### 6.1 The FormalFame Plus Contract

Participants: David Champelovier, Hubert Garavel, Frédéric Lang, Radu Mateescu,

- nents: The Vercors Platform", in: Proceedings of the 3rd International Workshop on Formal Aspects of Component Software FACS'06 (Prague, Czech Republic), Electronic Notes in Theoretical Computer Science, Elsevier, September 2006.
- [Sán06] J. J. SÁNCHEZ PENAS, From Software Architecture to Formal Verification of a Distributed System, PdD Thesis, University of Coruña (Spain), November 2006.
- [BJMO06] F. Bellegarde, J. Julliand, H. Mountassir, E. Oudot, "The Tool VeSTA: Verification of Simulations for Timed Automata", *Technical Report number RT2006-01*, LIFC, Université de Franche-Comté, Besançon, France, July 2006.
- [Oud06] E. Oudot, Contributions à la vérification incrémentale des systèmes temporisés à composants, PdD Thesis, Université de Franche-Comté, December 2006.
- [dMGJM06] M. DEL MAR GALLARDO, C. JOUBERT, P. MERINO, "Implementing Influence Analysis using Parameterised Boolean Equation Systems", in: Proceedings of the 2nd International Symposium on Leveraging Applications of Formal Methods, Verification and Validation ISOLA'06 (Paphos, Cyprus), IEEE Computer Society Press, November 2006.
- [dMGMS06] M. DEL MAR GALLARDO, P. MERINO, D. SANÁN, "Towards Model Checking C Code with OPEN/CÆSAR", in: Proceedings of the 4th International Workshop on Modelling, Simulation, Verification, and Validation of Enterprise Information Systems MSVVEIS'06 (Paphos, Cyprus), J. Barjis, U. Ultes-Nitsche, J. C. Augusto (editors), INSTICC Press, p. 198–201, May 2006.
- [BG06] H. BOWMAN, R. GOMEZ, Concurrency Theory: Calculi and Automata for Modelling Untimed and Timed Concurrent Systems, Springer Verlag, 2006.

Wendelin Serwe.

There is a long-standing collaboration between VASY and BULL, which aims at demonstrating that the formal methods and tools developed at INRIA can be successfully applied to BULL's multiprocessor architectures. The objective is to develop a complete and integrated solution supporting formal specification, simulation, rapid prototyping, verification, and testing.

Between 1995 and 1998, two case studies were successfully tackled using CADP: the POWER-SCALE bus arbitration protocol <sup>[CGM+96]</sup> and the POLYKID multiprocessor architecture [9].

Between 1998 and 2004, the collaboration focused on Fame, the Cc-Numa multiprocessor architecture used in Bull's NovaScale series of high-performance servers based on Intel Itanium processors. The Cadp tools have been used to validate a crucial circuit of Fame – the Fss (Fame Scalability Switch) – that implements the cache coherency protocol.

In 2004, the collaboration was renewed by a followup contract named FORMALFAME PLUS, which, in 2005, was extended for two more years. FORMALFAME PLUS aims at enhancing the performance and usability of the CADP tools to address the FAME2 multiprocessor architecture under design at Bull for their future high-end servers.

In 2006, the contributions of VASY to FORMALFAME Plus were the following:

- We continued the development of our LNT2LOTOS tool suite (see § 5.2.2), which was used by Bull.
- We experimented various abstraction and verification techniques on a critical part of Bull's Fame2 multiprocessor architecture (see § 5.3).

The FORMALFAME PLUS contract will find its continuation in the MULTIVAL project (see § 6.2).

## 6.2 The Multival Project

**Participants**: David Champelovier, Hubert Garavel, Frédéric Lang, Radu Mateescu, Olivier Ponsini, Wendelin Serwe.

Multival (Validation of Multiprocessor Multithreaded Architectures) is a project of Minalogic, the French pôle de compétitivité dedicated to micro-nano technologies and embedded software for systems on chip (Emsoc cluster). Multival addresses verification and performance evaluation issues for three innovative asynchronous architectures developed by Bull, Cea/Leti, and ST Microelectronics.

[CGM<sup>+</sup>96] G. CHEHAIBAR, H. GARAVEL, L. MOUNIER, N. TAWBI, F. ZULIAN, "Specification and Verification of the PowerScale Bus Arbitration Protocol: An Industrial Experiment with LOTOS", in: Proceedings of the Joint International Conference on Formal Description Techniques for Distributed Systems and Communication Protocols, and Protocol Specification, Testing, and Verification FORTE/PSTV'96 (Kaiserslautern, Germany), R. Gotzhein, J. Bredereke (editors), IFIP, Chapman & Hall, p. 435–450, October 1996. Full version available as INRIA Research Report RR-2958, http://www.inria.fr/rrrt/rr-2958.html.

In 2006, Multival was approved for joint funding by the French government (Fonds de compétitivité des entreprises) and Conseil général de l'Isère. Multival started in December 2006 for three years.

## 6.3 The OpenEmbeDD Project

Participants: Hubert Garavel, Frédéric Lang, Radu Mateescu, Wendelin Serwe.

OPENEMBEDD is a French national project of RNTL (*Réseau National des Technologies Logicielles*). The goal of OPENEMBEDD is to develop an open-source, generic, standard software engineering platform for real-time embedded systems, such as those developed by AIRBUS, CS, FRANCE TELECOM, and THALES. Within an ECLIPSE framework, this platform will combine the principles of model-driven engineering with those of formal methods.

OPENEMBEDD started in May 2006 for three years. In 2006, our contributions focused on the identification of a model-based architecture for CADP and the definition of the FIACRE intermediate model for embedded systems (see § 5.2.3).

## 6.4 The Topcased Project

Participants: Hubert Garavel, Frédéric Lang, Nathalie Lépy, Jan Stoecker.

TOPCASED (Toolkit in OPen-source for Critical Application and SystEms Development) is a project of Aese, the French pôle de compétitivité dedicated to aeronautics, space, and embedded systems. This project gathers 23 partners, including companies developing safety-critical systems such as Airbus (leader), Astrium, Atos Origin, Cs, Siemens Vdo, and Thales Aerospace.

TOPCASED develops a modular, open-source, generic CASE environment providing methods and tools for embedded system development, ranging from system and architecture specifications to software and hardware implementation through equipment definition. VASY contributes in the combination of model-driven engineering and formal methods for asynchronous systems.

TOPCASED started in August 2006 for four years. In 2006, we worked along the following lines:

- We contributed actively to the AIRBUS proposal for adding a behavioral annex to AADL (Architecture Analysis & Design Language), the SAE (Society of Automotive Engineers) standard architecture description language for embedded real-time systems. The behavioral annex provides structured statements inspired from NTIF [4] that describe data computations using a "big steps" semantics, which avoids splitting these computations into many smaller, less efficient steps. The behavioral annex will be submitted for balloting in early 2007.
- We undertook the design of an integrated development environment for CADP based on ECLIPSE (see § 5.1.7).

 We started a study of time models so as to identify time models which are both equipped with effective verification algorithms and appropriate to describe asynchronous systems with data and time.

H. Garavel is the Inria representative at the TopCased executive committee, for which he served as the secretary during the elaboration phase of the TopCased proposal.

## 6.5 Forthcoming Projects

Participants: Hubert Garavel, Radu Mateescu.

In 2006, VASY contributed to the submission of the EC-MOAN (Scalable modeling and analysis techniques to study emergent cell behavior: Understanding the E. coli stress response) proposal, which was accepted for funding within the NEST PATHFINDER European program. EC-MOAN aims at the development of new, scalable methods for modeling and analyzing integrated genetic, metabolic, and signaling networks, and the application of these methods for a better understanding of a bacterial model system. EC-MOAN will start in February 2007 for three years.

## 7 Other Grants and Activities

#### 7.1 National Collaborations

The VASY project team plays an active role in the joint research center launched in 2004 between Inria Rhône-Alpes and the Leti laboratory of Cea-Grenoble. In co-operation with Leti scientists (Edith Beigné, François Bertrand, Fabien Clermidy, Yvain Thonnart, and Pascal Vivet), VASY develops software tools for the design of asynchronous circuits and architectures such as Gals (Globally Asynchronous Locally Synchronous), Nocs (Networks on Chip), and Socs (Systems on Chip). In 2006, our work focused on the Chp2Lotos translator (see § 5.2.3) and its application to the Faust architecture (see § 5.3).

Together with the Oasis project team of Inria Sophia-Antipolis (Antonio Cansado and Eric Madelaine), the LTCI team of Enst-Paris (Irfan Hamid, Elie Najm, and Sylvie Vignes), the SVF team of the Laas-Cnrs laboratory (Bernard Berthomieu, Florent Peres, and François Vernadat), and the MVR team of Irit (Mamoun Filali), Vasy participates to the national action Fiacre (Aci Sécurité Informatique) started in 2004 (see http://www-sop.inria.fr/oasis/fiacre). In 2006, we implemented new interconnections (see § 5.1.5) between Cadp, the Tina toolbox developed by SVF, and the Vercors platform developed by Oasis. We also undertook the definition of the Fiacre intermediate model (see § 5.2.3).

Additionally, we collaborated in 2006 with several INRIA project teams:

- Helix (Rhône-Alpes): applications of model checking to biological systems (Estelle Dumas, Hidde de Jong, Pedro Monteiro, Michel Page, and Adrien Richard);
- Oasis (Sophia-Antipolis): collaboration in the framework of the Fiacre national action (Antonio Cansado and Eric Madelaine);

• POPART (Rhône-Alpes): combination of the CADP and PROMETHEUS compositional verification tools (Gregor Goessler).

Beyond Inria, we had sustained scientific relations with the following teams:

- LAAS-CNRS laboratory (Toulouse): collaboration in the framework of the FIACRE, OPENEMBEDD, and TOPCASED projects (Bernard Berthomieu and François Vernadat);
- LIP laboratory (Lyon): until November 2006, R. Mateescu had a part-time (20%) collaboration with the Plume team;
- Le21 laboratory (Dijon): since December 2006, R. Mateescu is hosted by the computer science team of Le21.

#### 7.2 International Collaborations

The VASY project team of INRIA and the SEN2 team of CWI collaborate in SENVA, a joint research team on safety-critical systems (see http://www.inrialpes.fr/vasy/senva). Launched in 2004, the SENVA team is supported by INRIA's European and International Affairs Department and by CWI. The first three years of SENVA have been favorably evaluated by a panel of international experts in November 2006.

The VASY project team is member of the FMICS (Formal Methods for Industrial Critical Systems) working group of ERCIM (see http://www.inrialpes.fr/vasy/fmics). From July 1999 to July 2001, H. Garavel chaired this working group. Since July 2002, he is member of the FMICS Board, in charge of dissemination actions. Within FMICS, R. Mateescu contributes to the preparation of a "Formal Methods Handbook".

- H. Garavel is a member of IFIP (*International Federation for Information Processing*) Technical Committee 1 (*Foundations of Computer Science*) Working Group 1.8 on Concurrency Theory, launched in 2005 and chaired by Luca Aceto.
- H. Garavel is a member of the technical committee (ETItorial Board) of the ETI (Electronic Tool Integration) software development platform (see http://eti.cs.uni-dortmund.de).

In addition to our partners in aforementioned contractual collaborations, we had scientific relations in 2006 with several international universities and research centers, including:

- Imperial College (Jeff Kramer and Jeff Magee),
- University of Málaga (Carlos Canal and Pedro Merino) [25, 30], and
- University "La Sapienza" of Rome (Antonella Chirichiello and Benjamin Habegger) [26].

#### 7.3 Visits and Invitations

In 2006, we had the following scientific exchanges:

• Jaco van de Pol (CWI, Amsterdam, The Netherlands) visited us on January 26, 2006.

- Christian Attiogbé (University of Nantes) visited us on March 6, 2006 and gave a talk entitled "Composants logiciels: spécification, composition et vérification avec Kmelia".
- Pascal Poizat (University of Evry Val d'Essonne) visited us on May 15–19, 2006. He gave a talk entitled "Adaptation logicielle une approche automatisée basée sur des expressions régulières de vecteurs de synchronisation".
- The annual Senva seminar was held in Venosc on June 12–14, 2006. In addition to the Vasy project team, Manuel Baclet (Enseeiht), Jens Calamé, Natalia Ioustinova, Jaco van de Pol, Michael Weber, and Anton Wijs (Cwi, Amsterdam), Wan Fokking (Free University of Amsterdam), Rodolfo S. Gomez and Li Su (University of Kent), and Sylvain Peyronnet (Epita) attended this seminar. The list of talks is available from http://www.inrialpes.fr/vasy/senva/workshop2006.
- Sylvie Lesmanne, Jacques Abily, and Azedine Abdelli (Bull) visited us on June 29–30, 2006.

## 8 Dissemination

## 8.1 Software Dissemination and Internet Visibility

The VASY project team distributes two main software tools: the CADP toolbox (see  $\S 4.1$ ) and the Traian compiler (see  $\S 4.2$ ). In 2006, the main facts are the following:

- We prepared and distributed 15 successive beta-versions (2004-h, ..., 2004-k, 2005-a, ..., 2005-k) of CADP, leading to a stable version named CADP 2006 "Edinburgh", released on December 12, 2006.
- The number of license contracts signed for CADP increased from 345 to 366.
- We were requested to grant CADP licenses for 822 different computers in the world.
- The Traian compiler was downloaded by 59 different sites.

The VASY WEB site (see http://www.inrialpes.fr/vasy) was regularly updated with scientific contents, announcements, publications, etc.

## 8.2 Program Committees

In 2006, the members of VASY assumed the following responsibilities:

- H. Garavel was, together with John Hatcliff (Kansas State University), responsible for a special issue [19] of the Sttt (Software Tools for Technology Transfer) journal, which gathers the best software-oriented papers of Tacas'2003.
- H. Garavel was, together with John Hatcliff (Kansas State University), responsible for a special issue [18] of the Tcs (*Theoretical Computer Science*) journal, which gathers the best theory-oriented papers of Tacas'2003.

- H. Garavel was a steering committee member of the PDMC (Parallel and Distributed Methods in Verification) series of international workshops.
- H. Garavel was a program committee member of Tacas'2006 (12th International Conference on Tools and Algorithms for the Construction and Analysis of Systems, Vienna, Austria, March 25 April 2, 2006).
- R. Mateescu was a program committee member of Msvveis'2006 (4th International Workshop on Modeling, Simulation, Verification, and Validation of Enterprise Information Systems, Paphos, Cyprus, May 23–24, 2006).
- R. Mateescu was a program committee member of ICCGI'2006 (International Conference on Computing in the Global Information Technology, Bucharest, Romania, August 1–3, 2006).
- R. Mateescu was a program committee member of FMICS'2006 (11th International Workshop on Formal Methods for Industrial Critical Systems, Bonn, Germany, August 26–27, 2006).
- H. Garavel was a program committee member of PDMC'2006 (5th International Workshop on Parallel and Distributed Methods in Verification, Bonn, Germany, August 31, 2006).
- R. Mateescu was a program committee member of Ewsa'2006 (3rd European Workshop on Software Architectures, Nantes, France, September 4–5, 2006).
- R. Mateescu was a program committee member of Cal'2006 (1ère Conférence Francophone sur les Architectures Logicielles, Nantes, France, September 6–8, 2006).
- H. Garavel was a program committee member of FORTE'2006 (26th IFIP WG 6.1 International Conference on Formal Techniques for Networked and Distributed Systems, Paris, France, September 26–29, 2006).
- R. Mateescu was a program committee member of ICSEA'2006 (*International Conference on Software Engineering Advances*, Tahiti, French Polynesia, October 29 November 1st, 2006).

#### 8.3 Lectures and Invited Conferences

In 2006, we gave talks in several international conferences and workshops (see bibliography below). Additionally:

- R. Mateescu gave a talk entitled "Vérification à la volée basée sur les systèmes d'équations booléennes" at the Lifc laboratory (Besançon, France) on January 19, 2006.
- R. Mateescu gave a talk entitled "Modélisation et analyse des systèmes parallèles asynchrones" at the LE2I laboratory (Dijon, France) on February 8, 2006.
- G. Salaün visited the research group of professors Jeff Kramer and Jeff Magee, Imperial College (London, UK) between January 19 and February 17, 2006.

- F. Lang gave a talk entitled "Propositions d'extensions temporisées pour NTIF" at ENST (Paris, France) on February 13–14, 2006.
- G. Salaün gave a talk entitled "How Process Algebra Can Contribute to the Formal Development of Web Services" at the University of Málaga (Spain) on March 16, 2006.
- H. Garavel and R. Mateescu visited CWI (Amsterdam, The Netherlands) on April 2–4, 2006. R. Mateescu gave a talk entitled "Sequential and Distributed Test Generation using Boolean Equation Systems". H. Garavel gave a talk entitled "State Space Reduction for Process Algebra Specifications" and a position statement on future projects.
- H. Garavel gave a talk entitled "Validation d'architectures multiprocesseurs à l'aide des outils CADP" at the Labri laboratory (Bordeaux, France) on April 27, 2006.
- H. Garavel gave a talk entitled "Validation d'architectures multi-processeurs : 10 ans de collaboration Bull-Inria" at Cea/Dam (Bordeaux, France) on April 28, 2006.
- F. Lang gave two talks entitled "An Overview of CADP 2006" and "Translating the LOTOS NT Data Part into LOTOS Abstract Data Types" at INRIA Sophia-Antipolis (France) on July 6–7, 2006.
- W. Serwe gave a talk entitled "An Overview of CADP 2006" at the Dagstuhl seminar Nr. 06351 on August 27–September 1st, 2006.
- G. Salaün gave a talk entitled "Translating Chp into Lotos for the Verification of Asynchronous Hardware Designs with Cadp" at Microsoft Research (Cambridge, United Kingdom) on November 2, 2006.
- H. Garavel and R. Mateescu visited CWI (Amsterdam, The Netherlands) on November 6–9, 2006. R. Mateescu gave a PAM (*Process Algebra Meeting*) talk entitled "Cæsar\_Solve: A Generic On-the-Fly Solver for Alternation-Free Boolean Equation Systems and its Applications to Verification" on November 8, 2006.
- H. Garavel gave a talk entitled "Practical applications of process calculi in industrial projects" at the Lix Colloquium on Emerging Trends in Concurrency Theory (Ecole Polytechnique, Palaiseau, France) on November 13–15, 2006.
- F. Lang gave a talk entitled "Refined Interfaces for Compositional Verification" at LAAS-CNRS laboratory (Toulouse, France) on November 20–21, 2006.
- G. Salaün gave a talk entitled "Software Adaptation: An Approach based on Synchronization Vectors and Regular Expressions" at the University of Málaga (Spain) on November 22, 2006.
- H. Garavel gave a talk entitled "CADP 2006 from a Model Driven Perspective" at INRIA Rennes (France) on November 22–23, 2006.

## 8.4 Teaching Activities

The VASY project team is a host team for the computer science master entitled "Mathématiques, Informatique, spécialité : Systèmes et Logiciels", common to Institut National Polytechnique de Grenoble and Université Joseph Fourier.

In 2006:

- F. Lang and W. Serwe gave the course on "Temps Réel" to the 3rd year students of Ensimag (18 hours).
- R. Mateescu was a jury member of Gavril Godza's PhD thesis entitled "Contribuţii la elaborarea sistemelor distribuite tolerante la defecte", defended at Polytechnic University of Bucharest (Romania) on February 27, 2006.
- F. Lang was a jury member of Ylies Falcone's MSc thesis (DEA) entitled "Un cadre formel pour le test de politiques de sécurité", defended at Université Joseph Fourier (Grenoble) on June 21, 2006.
- F. Lang supervised, jointly with Gregor Goessler (Popart project team), the MSc thesis of A. M. Khan entitled "Connection of Compositional Verification Tools for Embedded Systems", defended at Université Joseph Fourier (Grenoble) on June 21, 2006.
- R. Mateescu was a jury member of Rémi Brochenin's MSc thesis entitled "Techniques d'automates pour raisonner sur la mémoire", defended at Ecole Normale Supérieure de Lyon on June 26, 2006.
- R. Mateescu supervised the internship (mémoire d'ingénieur) of D. Thivolle entitled "Développement d'un évaluateur pour une logique temporelle étendue", defended at EPITA (Paris) on July 3, 2006.
- H. Garavel was a jury member of Marie Lalire's PhD thesis [15] entitled "Développement d'une notation algorithmique pour le calcul quantique", defended at Institut National Polytechnique de Grenoble on October 19, 2006.
- R. Mateescu was a jury member of Emilie Oudot's PhD thesis entitled "Contributions à la vérification incrémentale des systèmes temporisés à composants", defended at Université de Franche Comté (Besançon) on December 7, 2006.
- R. Mateescu was elected suppliant member of the "Commission de spécialistes" at Université de Bourgogne (section 27).
- H. Garavel was a jury member of Leila Kloul's habilitation thesis entitled "From Performance Analysis to Performance Engineering: Some Ideas and Experiments", defended at Université de Versailles-Saint-Quentin-en-Yvelines on December 8, 2006.
- H. Garavel supervised the internship (mémoire CNAM) of J. Fereyre entitled "Conception et amélioration d'outils logiciels pour la vérification distribuée", to be defended in 2007.
- F. Lang and H. Garavel supervised the internship (mémoire CNAM) of N. Lépy entitled "Environnement de développement intégré sous Eclipse pour la vérification des systèmes concurrents", to be defended in 2007.

#### 8.5 Miscellaneous Activities

- D. Champelovier participated to the design group for the new INRIA Rhône-Alpes WEB site.
- H. Garavel is a member of the computing facilities committee of INRIA Rhône-Alpes.
- H. Garavel is a member of the recruitment committees for "chargés de recherche 2ème classe" and "ingénieurs associés" at INRIA Rhône-Alpes.

Within the EMSOC/Atelier du Futur program of the MINALOGIC pôle de compétitivité, H. Garavel is a member of the working group (6 persons) in charge of making proposals for governance and project selection.

- F. Lang participates to the consultative organizational committee of Inria Rhône-Alpes.
- F. Lang leads the working group (5 persons) in charge of proposing a new distribution of offices among the research and administrative teams located in the INRIA building of Montbonnot.
- W. Serwe is a member of the continuous training committee of Inria Rhône-Alpes.

## 9 Bibliography

## Reference Publications by the Team

- [1] H. GARAVEL, H. HERMANNS, "On Combining Functional Verification and Performance Evaluation using CADP", in: Proceedings of the 11th International Symposium of Formal Methods Europe FME'2002 (Copenhagen, Denmark), L.-H. Eriksson, P. A. Lindsay (editors), Lecture Notes in Computer Science, 2391, Springer Verlag, p. 410–429, July 2002. Full version available as INRIA Research Report 4492, http://www.inria.fr/rrrt/rr-4492.html.
- [2] H. GARAVEL, F. LANG, R. MATEESCU, "Compiler Construction using LOTOS NT", in: Proceedings of the 11th International Conference on Compiler Construction CC 2002 (Grenoble, France), N. Horspool (editor), Lecture Notes in Computer Science, 2304, Springer Verlag, p. 9–13, April 2002.
- [3] H. GARAVEL, F. LANG, "SVL: a Scripting Language for Compositional Verification", in: Proceedings of the 21st IFIP WG 6.1 International Conference on Formal Techniques for Networked and Distributed Systems FORTE'2001 (Cheju Island, Korea), M. Kim, B. Chin, S. Kang, D. Lee (editors), IFIP, Kluwer Academic Publishers, p. 377–392, August 2001. Full version available as INRIA Research Report RR-4223, http://www.inria.fr/rrrt/rr-4223.html.
- [4] H. GARAVEL, F. LANG, "NTIF: A General Symbolic Model for Communicating Sequential Processes with Data", in: Proceedings of the 22nd IFIP WG 6.1 International Conference on Formal Techniques for Networked and Distributed Systems FORTE'2002 (Houston, Texas, USA), D. Peled, M. Vardi (editors), Lecture Notes in Computer Science, 2529, Springer Verlag, p. 276— 291, November 2002. Full version available as INRIA Research Report RR-4666, http://www. inria.fr/rrrt/rr-4666.html.
- [5] H. GARAVEL, R. MATEESCU, I. SMARANDACHE, "Parallel State Space Construction for Model-Checking", in: Proceedings of the 8th International SPIN Workshop on Model Checking of Software SPIN'2001 (Toronto, Canada), M. B. Dwyer (editor), Lecture Notes in Computer Science, 2057, Springer Verlag, p. 217–234, Berlin, May 2001. Full version available as INRIA Research Report RR-4341, http://www.inria.fr/rrrt/rr-4341.html.

- [6] H. GARAVEL, J. SIFAKIS, "Compilation and Verification of LOTOS Specifications", in: Proceedings of the 10th International Symposium on Protocol Specification, Testing and Verification (Ottawa, Canada), L. Logrippo, R. L. Probert, H. Ural (editors), IFIP, North-Holland, p. 379–394, June 1990.
- [7] H. GARAVEL, M. SIGHIREANU, "Towards a Second Generation of Formal Description Techniques Rationale for the Design of E-LOTOS", in: Proceedings of the 3rd International Workshop on Formal Methods for Industrial Critical Systems FMICS'98 (Amsterdam, The Netherlands), J.-F. Groote, B. Luttik, J. van Wamel (editors), CWI, p. 187–230, Amsterdam, May 1998. Invited talk.
- [8] H. GARAVEL, M. SIGHIREANU, "A Graphical Parallel Composition Operator for Process Algebras", in: Proceedings of the Joint International Conference on Formal Description Techniques for Distributed Systems and Communication Protocols, and Protocol Specification, Testing, and Verification FORTE/PSTV'99 (Beijing, China), J. Wu, Q. Gao, S. T. Chanson (editors), IFIP, Kluwer Academic Publishers, p. 185–202, October 1999.
- [9] H. GARAVEL, C. VIHO, M. ZENDRI, "System Design of a CC-NUMA Multiprocessor Architecture using Formal Specification, Model-Checking, Co-Simulation, and Test Generation", Springer International Journal on Software Tools for Technology Transfer (STTT) 3, 3, July 2001, p. 314– 331, Full version available as INRIA Research Report RR-4041, http://www.inria.fr/rrrt/ rr-4041.html.
- [10] H. GARAVEL, "Compilation of LOTOS Abstract Data Types", in: Proceedings of the 2nd International Conference on Formal Description Techniques FORTE'89 (Vancouver B.C., Canada),
  S. T. Vuong (editor), North-Holland, p. 147–162, December 1989.
- [11] H. GARAVEL, "OPEN/CÆSAR: An Open Software Architecture for Verification, Simulation, and Testing", in: Proceedings of the First International Conference on Tools and Algorithms for the Construction and Analysis of Systems TACAS'98 (Lisbon, Portugal), B. Steffen (editor), Lecture Notes in Computer Science, 1384, Springer Verlag, p. 68–84, Berlin, March 1998. Full version available as Inria Research Report RR-3352, http://www.inria.fr/rrrt/rr-3352.html.
- [12] H. GARAVEL, "Défense et illustration des algèbres de processus", in: Actes de l'Ecole d'été Temps Réel ETR 2003 (Toulouse, France), Z. Mammeri (editor), Institut de Recherche en Informatique de Toulouse, September 2003.
- [13] R. MATEESCU, M. SIGHIREANU, "Efficient On-the-Fly Model-Checking for Regular Alternation-Free Mu-Calculus", *Science of Computer Programming* 46, 3, March 2003, p. 255–281.
- [14] G. Salaün, W. Serwe, "Translating Hardware Process Algebras into Standard Process Algebras Illustration with CHP and LOTOS", in: Proceedings of the 5th International Conference on Integrated Formal Methods IFM'2005 (Eindhoven, The Netherlands), J. van de Pol, J. Romijn, G. Smith (editors), Lecture Notes in Computer Science, 3771, Springer Verlag, p. 287–306, November 2005. Full version available as Inria Research Report RR-5666.

#### Doctoral Dissertations and "Habilitation" Theses

[15] M. Lalire, Développement d'une notation algorithmique pour le calcul quantique, Thèse de doctorat, Institut National Polytechnique de Grenoble, October 2006.

## Journal Articles and Book Chapters

[16] C. Attiogbé, P. Poizat, G. Salaün, "A Formal and Tool-Equipped Approach for the Integration of State Diagrams and Formal Datatypes", *IEEE Transactions on Software Engineering*, 2007, to appear.

- [17] A. CHIRICHIELLO, G. SALAÜN, "Encoding Process Algebraic Descriptions of Web Services into BPEL", International Journal on Web Intelligence and Agent Systems, 2007, to appear.
- [18] H. GARAVEL, J. HATCLIFF, "TACAS 2003 Special Issue Preface", Theoretical Computer Science 354, 2, March 2006, p. 169–172.
- [19] H. GARAVEL, J. HATCLIFF, "Why you should definitely read this special section", Springer International Journal on Software Tools for Technology Transfer (STTT) 8, 1, February 2006, p. 1–3.
- [20] H. GARAVEL, W. SERWE, "State Space Reduction for Process Algebra Specifications", Theoretical Computer Science 351, 2, February 2006, p. 131–145.
- [21] F. Lang, "Explaining the Lazy Krivine Machine Using Explicit Substitution and Addresses", Journal of Higher-Order and Symbolic Computation, special issue on Krivine's machine, 2007, to appear.
- [22] R. MATEESCU, "CAESAR\_SOLVE: A Generic Library for On-the-Fly Resolution of Alternation-Free Boolean Equation Systems", Springer International Journal on Software Tools for Technology Transfer (STTT) 8, 1, February 2006, p. 37–56, Full version available as INRIA Research Report RR-5948, July 2006, https://hal.inria.fr/inria-00084628.
- [23] R. MATEESCU, Modélisation et analyse de systèmes asynchrones avec CADP, Traité IC2, Lavoisier, 2006, ch. 5, p. 151–180, Full version available as INRIA Research Report RR 5953, https://hal.inria.fr/inria-00088076.
- [24] G. Salaün, L. Bordeaux, M. Schaerf, "Describing and Reasoning on Web Services using Process Algebra", International Journal of Business Process Integration and Management 1, 2, 2006, p. 116–128.

## Publications in Conferences and Workshops

- [25] C. CANAL, P. POIZAT, G. SALAÜN, "Synchronizing Behavioural Mismatch in Software Composition", in: Proceedings of the 8th IFIP International Conference on Formal Methods for Open Object-based Distributed Systems FMOODS'2006 (Bologna, Italy), R. Gorrieri, H. Wehrheim (editors), Lecture Notes in Computer Science, 4037, Springer Verlag, p. 63–77, June 2006.
- [26] A. CHIRICHIELLO, G. SALAÜN, "Formal Development of Web Services", in: Proceedings of the 4th International Workshop on Artificial Intelligence for Service Composition AISC'06 (Trento, Italy), p. 36–43, August 2006.
- [27] H. GARAVEL, R. MATEESCU, D. BERGAMINI, A. CURIC, N. DESCOUBES, C. JOUBERT, I. SMARANDACHE-STURM, G. STRAGIER, "DISTRIBUTOR and BCG\_MERGE: Tools for Distributed Explicit State Space Generation", in: Proceedings of the 12th International Conference on Tools and Algorithms for the Construction and Analysis of Systems TACAS'2006 (Vienna, Austria), H. Hermanns, J. Palberg (editors), Lecture Notes in Computer Science, 3920, Springer Verlag, p. 445–449, March-April 2006.
- [28] C. JOUBERT, R. MATEESCU, "Distributed On-the-Fly Model Checking and Test Case Generation", in: Proceedings of the 13th International SPIN Workshop on Model Checking of Software SPIN'2006 (Vienna, Austria), A. Valmari (editor), Lecture Notes in Computer Science, 3925, Springer Verlag, p. 126–145, March–April 2006.

- [29] F. LANG, "Refined Interfaces for Compositional Verification", in: Proceedings of the 26th IFIP WG 6.1 International Conference on Formal Techniques for Networked and Distributed Systems FORTE'2006 (Paris, France), E. Najm, J.-F. Pradat-Peyre, V. Viguié Donzeau-Gouge (editors), Lecture Notes in Computer Science, 4229, Springer Verlag, p. 159–174, September 2006. Full version available as INRIA Research Report RR-5996.
- [30] P. Poizat, C. Canal, G. Salaün, "Adaptation logicielle: une approche basée sur des expressions régulières de vecteurs de synchronisation", in: Proceedings of 1ère Conférence franco-phone sur les Architectures Logicielles CAL'06 (Nantes, France), M. C. Oussalah, F. Oquendo, D. Tamzalit, T. Khammaci (editors), Hermes Science, p. 31–39, September 2006.
- [31] P. Poizat, J.-C. Royer, G. Salaün, "Bounded Analysis and Decomposition for Behavioural Descriptions of Components", in: Proceedings of the 8th IFIP International Conference on Formal Methods for Open Object-based Distributed Systems FMOODS'2006 (Bologna, Italy), R. Gorrieri, H. Wehrheim (editors), Lecture Notes in Computer Science, 4037, Springer Verlag, p. 33–47, June 2006.
- [32] P. Poizat, G. Salaün, M. Tivoli, "An Adaptation-based Approach to Incrementally Build Component Systems", in: Proceedings of the 3rd International Workshop on Formal Aspects of Component Software FACS'06 (Prague, Czech Republic), F. de Boer, V. Mencl (editors), Electronic Notes in Theoretical Computer Science, September 2006.
- [33] P. Poizat, G. Salaün, M. Tivoli, "On Dynamic Reconfiguration of Software Adaptations", in: Proceedings of the 3rd International Workshop on Coordination and Adaptation for Software Entities WCAT'06 (Nantes, France), July 2006.
- [34] G. Salaün, W. Serwe, Y. Thonnart, P. Vivet, "Formal Verification of CHP Specifications with CADP Illustration on an Asynchronous Network-on-Chip", in: Proceedings of the 13th IEEE International Symposium on Asynchronous Circuits and Systems ASYNC 2007 (Berkeley, California, USA), IEEE Computer Society Press, 2007. to appear.

#### Miscellaneous

- [35] D. CHAMPELOVIER, H. GARAVEL, "Reference Manual of the Lotos NT to Lotos Translator — Version 2E", INRIA/VASY, 47 pages, 2006.
- [36] A. M. Khan, Connection of Compositional Verification Tools for Embedded Systems, Mémoire master 2 recherche, Université Joseph Fourier, Grenoble, June 2006.