Robert de Simone

Symbolic Bisimulation Minimisation

We describe a set of algorithmic methods, based on symbolic representation of state space, for minimisation of networks of parallel processes according to bisimulation equivalence. We compute this with the Coarsest Partition Refinement algorithm, using the Binary Decision Diagram structures. The method applies to labelled synchronised vectors of finite automata as the description of systems. We report performances on a couple of examples of a tool being implemented.

Esterel: a formal method applied to avionic software development

Dassault Aviation is a French aircraft manufacturer building civil business jets (the Falcon family) and military jet fighters (the Mirage and Rafale families). It has been concerned with formal methods inside the development process of avionic software since 1989. In this paper, we give a comprehensive account of three industrial-size studies carried out at Dassault Aviation using the reactive synchronous language ESTEREL and its toolset, in collaboration with the public research team that develops ESTEREL at Ecole des Mines de Paris and INRIA Sophia-Antipolis. We deal with software engineering issues related to compilation, optimization and verification of safety-critical embedded software. The goal is to ensure production of efficient and reliable code.

Auto/Autograph

We describe the Auto and Autograph tools for verification and analysis of concurrent systems in their more recent developments. Auto is dedicated to a philosophy of verification by reduction, based on automata morphisms and quotients. Autograph provides a graphical layout on which to display both terms and informations on terms, back and forth to Auto. We stress the openness aspects of both systems and their interface formats to the outside world. We see this as a contribution to the ever growing collaborative trends between similar tools, mostly under the pressure of national or European Esprit projects.

The clock constraint specification language for building timed causality models

The uml Profile for Modeling and Analysis of Real-Time and Embedded (RTE) systems has recently been adopted by the OMG. Its Time Model extends the informal and simplistic Simple Time package proposed by Unified Modeling Language (UML2) and offers a broad range of capabilities required to model RTE systems including discrete/dense and chronometric/logical time. The Marte specification introduces a Time Structure inspired from several time models of the concurrency theory and proposes a new clock constraint specification language (ccsl) to specify, within the context of the uml, logical and chronometric time constraints. A semantic model in ccsl is attached to a (uml) model to give its timed causality semantics. In that sense, ccsl is comparable to the Ptolemy environment, in which directors give the semantics to models according to predefined models of computation and communication. This paper focuses on one historical model of computation of Ptolemy [Synchronous Data Flow (SDF)] and shows how to build SDF graphs by combining uml models and ccsl.

Instantaneous termination in pure Esterel

Esterel is a design language for the representation of embedded systems. Based on the synchronous reactive paradigm, its execution relies on a clear distinction of instants of computation. As a consequence, deciding whether a piece of a program may or may not run instantaneously is central to any compilation scheme, both for correctness and efficiency. In general, this information can be obtained by an exhaustive exploration of all possible execution paths, which is expensive. Most compilers approximate it through algorithmic methods amenable to static analysis. In our contribution, we first formalize the analysis involved in detecting statements that may run instantaneously. Then, we identify statements that may terminate and be instantaneously reentered. This allows us to model precisely these compilers front-end activities with a clear mathematical specification and led us to uncover inefficiencies in the Esterel v5 academic compiler from Ecole des Mines and INRIA.

Formal methods for scheduling of latency-insensitive designs

Latency-insensitive design (LID) theory was invented to deal with SoC timing closure issues, by allowing arbitrary fixed integer latencies on long global wires. Latencies are coped with using a resynchronization protocol that performs dynamic scheduling of data transportation. Functional behavior is preserved. This dynamic scheduling is implemented using specific synchronous hardware elements: relay-stations (RS) and shell-wrappers (SW). Our first goal is to provide a formal modeling of RS and SW, that can be then formally verified. As turns out, resulting behavior is k-periodic, thus amenable to static scheduling. Our second goal is to provide formal hardware modeling here also. It initially performs throughput equalization, adding integer latencies wherever possible; residual cases require introduction of fractional registers (FRs) at specific locations. Benchmark results are presented, run on our Kpassa tool implementation.

Petri nets and algebraic calculi of processes

We show that, as transition systems, Petri nets may be expressed by terms of a calculus of processes which is a variant of Milners SCCS. We then prove that the class of labelled nets forms a subcalculus, thus an algebra, with juxtaposition, adding condition and labelling as primitive operations. Finally we introduce rational machines which express explicit synchronizations on nets.

Compositional Semantics of ESTEREL and Verification by Compositional Reductions

We present a compositional semantics of the Esterel synchronous reactive language, in the process algebraic style of Structured Operational Semantics. We then study its interplay with various reductional transformations on the underlying automata model, focusing on compositionality and congruence properties. These properties allow early nested reductions to take place at intermediate stages during the construction of a (reduced) model, a key point in cutting down the combinatorial explosion which plagues verification of parallel programs.

The Time Model of Logical Clocks Available in the OMG MARTE Profile

Multiform logical time, introduced and made popular through its central role in Synchronous Language theory, is already present in many formalisms pertaining to embedded system design, although usually in a hidden fashion. Logical time considers time bases that can be generated from any sort of sequences of events, not necessarily equally spaced in physical time. Our main goal here is to capture some of the essence of multiform logical time, and encapsulate it into a dedicated syntax (CCSL, Clock Constraint Specification Language, part of the UML profile for MARTE). CCSL provides ways to express loose or strict constraints between distinct logical clocks. Solving such clock constraints amounts to relating clocks to a common reference one, which then can be thought of as closer to physical. We motivate the role of MARTE Time Model and CCSL by using them to explain and formally characterize important semantic features of East-ADL/AUTOSAR, AADL, and Ptolemy’s SDC models.

Another Glance at Relay Stations in Latency-Insensitive Design

We revisit the formal modeling of relay stations, which are specific connection elements used in the theory of Latency-Insensitive Design of Globally-Asynchronous/Locally-Synchronous systems. Relay stations are in charge of taking into account the physical mandatory latencies, while handling the regulation of signal/data traffic so as to avoid starvation, deadlock and congestion of local IP synchronous computation blocks. Since proposed by Carloni et al, the structure and behaviors of these relay stations have been amply characterized and analyzed. But previous works did not provide a fully formal and cycle-accurate description of these mechanisms, amenable to formal verification for instance (instead, mainly simulation models were developed). Due to the needed precision of the whole scheme we feel such a formal description might be needed. We describe such an attempt here.