

INSTITUT NATIONAL DE RECHERCHE EN INFORMATIQUE ET EN AUTOMATIQUE

# Project-Team VerTeCs

# Verification models and techniques applied to the Testing and Control of reactive Systems

Rennes



# **Table of contents**

|    | Team                                                                                                  |         |  |  |  |
|----|-------------------------------------------------------------------------------------------------------|---------|--|--|--|
| 2. | 2. Overall Objectives                                                                                 |         |  |  |  |
|    | 2.1. Overall Objectives                                                                               | 1       |  |  |  |
| 3. | Scientific Foundations                                                                                | . 2     |  |  |  |
|    | 3.1. Underlying Models.                                                                               | 2       |  |  |  |
|    | 3.2. Verification                                                                                     | 3       |  |  |  |
|    | 3.2.1. Abstract interpretation and Data Handling                                                      | 3       |  |  |  |
|    | 3.2.2. Theorem Proving                                                                                | 4       |  |  |  |
|    | 3.3. Automatic Test Generation                                                                        | 4       |  |  |  |
|    | 3.4. Controller Synthesis                                                                             | 6       |  |  |  |
| 4. | Application Domains                                                                                   |         |  |  |  |
|    | 4.1. Panorama                                                                                         | 7       |  |  |  |
|    | 4.2. Telecommunication Systems                                                                        | 8       |  |  |  |
|    | 4.3. Software Embedded Systems                                                                        | 8       |  |  |  |
|    | 4.4. Smart-card Applications                                                                          | 8       |  |  |  |
| _  | 4.5. Control-command Systems                                                                          | 8       |  |  |  |
| 5. | Software                                                                                              |         |  |  |  |
|    | 5.1. TGV                                                                                              | 9       |  |  |  |
|    | 5.2. NBAC<br>5.3. STG                                                                                 | 9<br>10 |  |  |  |
|    | 5.5. SIG<br>5.4. SIGALI                                                                               | 10      |  |  |  |
|    | 5.5. Ctrl-S                                                                                           | 10      |  |  |  |
| 6  | New Results                                                                                           |         |  |  |  |
| υ. | 6.1. Controller Synthesis                                                                             | 10      |  |  |  |
|    | 6.1.1. Modular and Decentralized Supervisory Control of Concurrent Discrete Event Systems             | 10      |  |  |  |
|    | Using Reduced System Models                                                                           | 11      |  |  |  |
|    | 6.1.2. A constructive approach to decentralized supervisory Control problems                          | 11      |  |  |  |
|    | 6.1.3. Supervisory Control of Symbolic and Hybrid Transition systems                                  | 11      |  |  |  |
|    | 6.2. Test Generation on Enumerative and Symbolic Models                                               | 11      |  |  |  |
|    | 6.2.1. Symbolic Test Generation and Selection                                                         | 11      |  |  |  |
|    | 6.2.2. From Safety Verification to Safety Testing                                                     | 12      |  |  |  |
|    | 6.3. Verification and Abstract Interpretation                                                         | 12      |  |  |  |
|    | 6.3.1. Verification of Communication Protocols using Abstract Interpretation of FIFO queues           | 12      |  |  |  |
|    | 6.4. Transversal Results                                                                              | 12      |  |  |  |
|    | 6.4.1. Determinisation of Symbolic Automata                                                           | 12      |  |  |  |
|    | 6.4.2. Supervision Patterns for the Diagnosis of Discrete Event Systems                               | 12      |  |  |  |
|    | 6.4.3. Verifying an ATM Protocol Using a Combination of Formal Techniques                             | 13      |  |  |  |
|    | 6.4.4. Defining and reasoning about recursive functions: a practical tool for the Coq proof assistant | 13      |  |  |  |
| 7. | Contracts and Grants with Industry                                                                    |         |  |  |  |
|    | 7.1. France Telecom R&D                                                                               | 13      |  |  |  |
| 8. | Other Grants and Activities                                                                           | .14     |  |  |  |
|    | 8.1. National Grants & Contracts                                                                      | 14      |  |  |  |
|    | 8.1.1. CNRS ACI Sécurité Potestat: Security Policies: Test Directed Analysis of Open Network          |         |  |  |  |
|    | Systems                                                                                               | 14      |  |  |  |
|    | 8.1.2. CNRS ACI Sécurité APRON: Analysis of Numerical Programs                                        | 15      |  |  |  |
|    | 8.1.3. CNRS ACI Sécurité V3F: Validation and Verification of Programs with Floating Point             |         |  |  |  |
|    | Numbers                                                                                               | 15      |  |  |  |
|    | 8.1.4. RNRT POLITESS: Security Policies for Network Information Systems: Modeling, Deploy-            |         |  |  |  |
|    | ment, Testing and Supervision                                                                         | 16      |  |  |  |

|                     | 8.2. Eu  | ropean and International Grants                          | 16 |
|---------------------|----------|----------------------------------------------------------|----|
|                     | 8.2.1.   | ARTIST2 Network of Excellence                            | 16 |
|                     | 8.2.2.   | UIUC/CNRS/INRIA Collaboration                            | 17 |
|                     | 8.2.3.   | Bilateral CNRS/CONICET Collaboration                     | 17 |
| 8.3. Collaborations |          |                                                          | 17 |
|                     | 8.3.1.   | Collaborations with other INRIA Project-teams            | 17 |
|                     | 8.3.2.   | Collaborations with French Research Groups outside INRIA | 17 |
|                     | 8.3.3.   | International Collaborations                             | 18 |
| 9.                  | Dissemir | nation                                                   |    |
|                     | 9.1. Un  | iversity courses                                         | 18 |
|                     | 9.2. Ph  | D Thesis and Trainees                                    | 18 |
|                     | 9.3. Sc  | ientific animation                                       | 19 |
| 10.                 | Bibliog  | raphy                                                    | 19 |

# 1. Team

Head of project-team

Thierry Jéron [ Research Director (DR) Inria, HdR ]

#### Administrative assistants

Lydie Mabil [ TR INRIA, (80%) ]

#### **Research Fellows (Inria)**

Bertrand Jeannet [ Research Associate (CR) Inria, until March 2006 ] Hervé Marchand [ Research Associate (CR) Inria ] Vlad Rusu [ Research Associate (CR) Inria, on sabbatical from January to September 2006, HdR ] Florimond Ployette [ Technical staff, IR (50% with ASCII) ]

#### Ph. D. Students

Camille Constant [ INRIA ] Jéremy Dubreil [ INRIA ] Hatem Hamdi [ in collaboration with UNIVERSITY OF SFAX, since October 2005 ] Tristan Le Gall [ MENRT ]

# 2. Overall Objectives

# 2.1. Overall Objectives

The VERTECS team is focused on the reliability of reactive software using formal methods. By reactive software we mean software that continuously reacts with its environment. The environment can be a human user for a complete reactive system, or another software using the reactive software as a component. Among these, critical systems are of primary importance, as errors occurring during their execution may have dramatic economical or human consequences. Thus, it is essential to establish their correctness before they are deployed in a real environment. Correctness is also essential for less critical applications, in particular for COTS components whose behavior should be trusted before integration in software systems.

For this, the VERTECS team promotes the use of formal methods, i.e. formal specification and mathematically founded analysis methods. During the analysis and design phases, correctness of specifications with respect to requirements or higher level specifications can be established by formal *verification*. Alternatively, *control* consists in forcing specifications to stay within desired behaviours by coupling them with a supervisor. During validation, *testing* can be used to check the conformance of implementations with respect to their specifications. *Test generation* is the process of automatically generating test cases from specifications.

More precisely, the aim of the VERTECS project is to improve the reliability of reactive systems by providing software engineers with methods and tools for automating the **verification**, the **test generation** and **controller synthesis** from formal specifications. We adapt or develop formal models for the description of testing and control artifacts, e.g. specifications, implementations, test cases, supervisors. We formally describe correctness relations (e.g. conformance or satisfaction). We also formally describe interaction semantics between testing artifacts. From these models, relations and interaction semantics, we develop algorithms for automatic test and controller synthesis that ensure desirable properties. We try to be as generic as possible in terms of models and techniques in order to cope with a wide range of specification languages and application domains. We implement prototype tools for distribution in the academic world, or for transfer to industry.

Our research is based on formal models and our basic tools are **verification** techniques such as model checking, theorem proving, abstract interpretation, the control theory of discrete event systems, and their underlying models and logics. The close connection between testing, control and verification produces a synergy between these research topics and allows us to share theories, models, algorithms and tools.

# 3. Scientific Foundations

# 3.1. Underlying Models.

**Keywords:** controllable/uncontrollable events, implicit transition relation, input/output events, labeled transition systems, symbolic.

The formal models we use are mainly automata-like structures such as labelled transition systems (LTS) and some of their extensions: an LTS is a tuple  $M = (Q, \Lambda, \rightarrow, q_o)$  where Q is a non-empty set of states;  $q_o \in Q$ is the initial state; A is the alphabet of actions,  $\rightarrow \subseteq Q \times \Lambda \times Q$  is the transition relation. These models are adapted to testing and controller synthesis.

To model reactive systems in the testing context, we use Input/Output labeled transition systems (IOLTS for short). In this setting, the interactions between the system and its environment (where the tester lies) must be partitioned into inputs (controlled by the environment), outputs (observed by the environment), and internal (non observable) events modeling the internal behavior of the system. The alphabet  $\Lambda$  is then partitioned into  $\Lambda_! \cup \Lambda_? \cup \mathcal{T}$  where  $\Lambda_!$  is the alphabet of outputs,  $\Lambda_?$  the alphabet of inputs, and  $\mathcal{T}$  the alphabet of internal actions.

In the controller synthesis theory, we also distinguish between controllable and uncontrollable events  $(\Lambda = \Lambda_c \cup \Lambda_{uc})$ , observable and unobservable events  $(\Lambda = \Lambda_O \cup \mathcal{T})$ .

In order to cope with more realistic models, closer to real specification languages, we also need higher level models that consider both control and data aspects. We defined (input-output) symbolic transition systems ((IO)STS), which are extensions of (IO)LTS that operate on data (i.e., program variables, communication parameters, symbolic constants) through message passing, guards, and assignments. Formally, an IOSTS is a tuple  $(V, \Theta, \Sigma, T)$ , where V is a set of variables (including a counter variable encoding the control structure),  $\Theta$  is the initial condition defined by a predicate on V,  $\Sigma$  is the finite alphabet of actions, where each action has a signature (just like in IOLTS,  $\Sigma$  can be partitioned as e.g.  $\Sigma_? \cup \Sigma_! \cup \Sigma_\tau$ ), T is a finite set of symbolic transitions of the form t = (a, p, G, A) where a is an action (possibly with a polarity reflecting its input/output/internal nature), p is a tuple of communication parameters, G is a guard defined by a predicate on p and V, and A is an assignment of variables. The semantics of IOSTS is defined in terms of (IO)LTS where states are vectors of values of variables, and transitions between them are labelled with instantiated actions (action with valued communication parameter). This (IO)LTS semantics allows us to perform syntactical transformations at the (IO)STS level while ensuring semantical properties at the (IO)LTS level. We also consider extensions of these models with added features such as recursion, fifo channels, etc. An alternative to IOSTS to specify systems with data variables is the model of synchronous dataflow equations.

Our research is based on well established theories: conformance testing, supervisory control, abstract interpretation, and theorem proving. Most of the algorithms that we employ take their origins in these theories:

- graph traversal algorithms (breadth first, depth first, strongly connected components, ...). We use these algorithms for verification as well as test generation and control synthesis.
- BDDs (Binary Decision Diagrams) algorithms, for manipulating Boolean formula, and their MTB-DDs (Multi-Terminal Decision Diagrams) extension for manipulating more general functions. We use these algorithms for verification and test generation.
- abstract interpretation algorithms, specifically in the abstract domain of convex polyhedra (for example, Chernikova's algorithm for the computation of dual forms). Such algorithms are used in verification and test generation.
- logical decision algorithms, such as satisfiability of formulas in Presburger arithmetics. We use these
  algorithms during generation and execution of symbolic test cases.

# 3.2. Verification

Most of our research, and in particular controller synthesis and conformance testing, relies on the ability to solve some verification problems. A large part of these problems reduces to reachability and coreachability problems on a formal model (a state *s* is *reachable from an initial state*  $s_i$  if an execution starting from  $s_i$  can lead to *s*; *s* is *coreachable from a final state*  $s_f$  if an execution starting from *s* can lead to  $s_f$ ). These are important cases of verification problems, as they correspond to the verification of safety properties.

Verification in its full generality consists in checking that a system, which is specified in a formal model, satisfies a required property. When the state space of the system is finite and not too large, verification can be carried out by graph algorithms (model-checking). For large or infinite state spaces, we can perform approximate computations, either by computing a finite abstraction and resort to graph algorithms, or preferably by using more sophisticated abstract interpretation techniques. Another way to cope with large or infinite state systems is deductive verification, which, either alone or in combination with compositional and abstraction techniques, can deal with complex systems that are beyond the scope of fully automatic methods.

#### 3.2.1. Abstract interpretation and Data Handling

The techniques described above, which are dedicated to the analysis of LTS, are already mature. It seems natural to extend them to IOSTS or data-flow applications that manipulate variables taking their values into possibly infinite data domains.

The techniques we develop for test generation or controller synthesis require to solve state reachability and state coreachability problems which can be solved by fixpoint computations (and also by deductive methods).

The big change induced by taking into account the data and not only the (finite) control of the systems under study is that the fixpoints become uncomputable. The undecidability is overcome by resorting to approximations, using the theoretical framework of Abstract Interpretation [34].

Abstract Interpretation is a theory of approximate solving of fixpoint equations applied to program analysis. Most program analysis problems, among others reachability analysis, come down to solving a fixpoint equation

$$x = F(x), x \in C$$

where C is a lattice. In the case of reachability analysis, if we denote by S the state space of the considered program, C is the lattice  $\wp(S)$  of sets of states, ordered by inclusion, and F is roughly the "successor states" function defined by the program.

The exact computation of such an equation is generally not possible for undecidability (or complexity) reasons. The fundamental principles of Abstract Interpretation are:

- 1. to substitute to the *concrete domain* C a simpler *abstract domain* A (static approximation) and to transpose the fixpoint equation into the abstract domain, so that one has to solve an equation  $y = G(y), y \in A$ ;
- 2. to use a *widening operator* (dynamic approximation) to make the iterative computation of the least fixpoint of *G* converge after a finite number of steps to some upper-approximation (more precisely, a post-fixpoint).

Approximations are conservative so that the obtained result is an upper-approximation of the exact result. Those two principles are well illustrated by the Interval Analysis [33], which consists in associating to each numerical variable of a program an interval representing an (upper) set of reachable values:

1. One substitutes to the concrete domain  $\wp(R^n)$  induced by the numerical variables the abstract domain  $(I_R)^n$ , where  $I_R$  denotes the set of intervals on real numbers; a set of values of a variable is then represented by the smallest interval containing it;

2. An iterative computation on this domain may not converge: it is indeed easy to generate an infinite sequence of intervals which is strictly growing. The "standard" widening operator extrapolates by  $+\infty$  the upper bound of an interval if the upper bound does not stabilize within a given number of steps (and similarly for the lower bound).

In this example, the state space  $\wp(R^n)$  that should be abstracted has a simple structure, but this may be more complicated when variables belong to different data types (Booleans, numerics, arrays) and when it is necessary to establish *relations* between the values of different types.

Programs performing dynamic allocation of objects in memory have an even more complex state space. Solutions have been devised to represent in an approximate way the memory heap and pointers between memory cells by graphs (*shape analysis* [43], [42]). Values contained in memory cells are however generally ignored.

In the same way, programs with recursive procedure calls, parameter passing and local variables are more delicate to analyse with precision. The difficulty is to abstract the execution stacks which may have a complex structure, particularly when parameters passing by reference are allowed, as it induces aliasing on the stack [30].

#### 3.2.2. Theorem Proving

For verification we also use theorem proving and more particularly the PVS [39] and COQ [40] proof assistants. These are two general-purpose systems based on two different versions of higher-order logic. A verification task in such a proof assistant consists in encoding the system under verification and its properties into the logic of the proof assistant, together with verification *rules* that allow to prove the properties. Using the rules usually requires input from the user; for example, proving that a state predicate holds in every reachable state of the system (i.e., it is an *invariant*) typically requires to provide a stronger, *inductive* invariant, which is preserved by every execution step of the system. Another type of verification problem is proving *simulation* between a concrete and an abstract semantics of a system. This too can be done by induction in a systematic manner, by showing that, in each reachable state of the system, each step of the concrete system is simulated by a corresponding step at the abstract level.

# **3.3.** Automatic Test Generation

In testing, we are mainly interested in conformance testing. Conformance testing consists in checking whether a black box implementation under test (the real system that is only known by its interface) behaves correctly with respect to its specification (the reference which specifies the intended behavior of the system). In the line of model-based testing, we use formal specifications and their underlying models to unambiguously define the intended behavior of the system, to formally define conformance and to design test case generation algorithms. The difficult problems are to generate test cases that correctly identify faults (the oracle problem) and, as exhaustiveness is impossible to reach in practice, to select an adequate subset of test cases that are likely to detect faults. Hereafter we detail some elements of the models, theories and algorithms we use.

**Models:** We use IOLTS (or IOSTS) as formal models for specifications, implementations, test purposes, and test cases. Most often, specifications are not directly given in such low-level models, but are written in higher-level specification languages (e.g. SDL, UML, Lotos). The tools associated with these languages often contain a simulation API that implements their semantics under the form of IOLTS. On the other hand, the IOSTS model is expressive enough to allow a direct representation of most constructs of the higher-level languages. **Conformance testing theory:** We adapt a well established theory of conformance testing [45], which formally defines conformance as a relation between formal models of specifications and implementations. This conformance relation, called **ioco** is defined in terms of visible behaviors (called *suspension traces*) of the implementation I (denoted by STraces(I)) and those of the specification S (denoted by STraces(S)). Suspension traces are sequence of inputs, outputs or quiescence (absence of action denoted by  $\delta$ ), thus abstract away internal behaviors that cannot be observed by testers. The conformance relation *ioco* was originally written in [45] as follows:

$$I ioco \ S \stackrel{\vartriangle}{=} \forall \sigma \in STraces(S), Out(I \ after \ \sigma) \subseteq Out(S \ after \ \sigma)$$

where  $M after \sigma$  is the set of states where M can stay after the observation of the suspension trace  $\sigma$ , and  $Out(M after \sigma)$  is the set of outputs and quiescence allowed by M in this set. Intuitively, I ioco S if, after a suspension trace of the specification, the implementation I can only show outputs and quiescences of the specification S. We re-formulated ioco as a partial inclusion of visible behaviors as follows

$$I \ ioco \ S \Leftrightarrow STraces(I) \cap [STraces(S).\Lambda^{\delta}_{!} \smallsetminus STraces(S)] = \varnothing$$

Intuitively, this says that suspension traces of I which are suspension traces of S prolongated by an output or quiescence, should still be suspension traces of S. Interestingly, this characterization presents conformance with respect to S as a safety property of suspension traces of I. In fact STraces(S). $\Lambda_1^{\delta} \ STraces(S)$  characterizes finite unexpected behaviours. Thus conformance with respect to S is clearly a safety property of I which negation can be specified by a "non conformance" observer  $A_{\neg ioco S}$  built from S and recognizing these unexpected behaviours. However, as I is a black box, one cannot check conformance exhaustively, but may only experiment I using test cases, expecting the detection of some non-conformances. In fact the non-conformance observer  $A_{\neg ioco S}$  can also be thought as the *canonical tester* of S for *ioco*, i.e. the most general testing process of S for *ioco*. It then serves also as a basis for test selection.

Test cases are processes executed against implementations in order to detect non-conformance. They are also formalized by IOLTS (or IOSTS) with special states indicating *verdicts*. The execution of test cases against implementations is formalized by a parallel composition with synchronization on common actions. Usually a *Fail* verdict means that the IUT is rejected and should correspond to non-conformance, a *Pass* verdict means that the IUT exhibited a correct behavior and some specific targeted behaviour has been observed, while an *Inconclusive* verdict is given to a correct behavior that is not targeted. Based on these models, the execution semantics, and the conformance relation, one can then define required properties of test cases and test suites (sets of test cases). Typical properties are soundness (only non conformant implementations should be rejected by a test case) and exhaustiveness (every non conformant implementation may be rejected by a test case). Soundness is not difficult to obtain, but exhaustiveness is not possible in practice and one has to select test cases.

**Test selection:** in the literature, in particular in white box testing, test selection is often based on coverage of some criteria (state coverage, transition coverage, etc). But in practice, test cases are often associated with *test purposes* describing some particular behaviors targeted by a test case. We have developed test selection algorithms based on the formalization of these *test purposes*. In our framework, test purposes are specified as IOLTS (or IOSTS) associated with marked states or dedicated variables, giving them the status of automata or observers accepting runs (or sequences of actions or suspension traces). We note ASTraces(S, TP)the suspension traces of these accepted runs. Now selection of test cases amounts at selecting these traces ASTraces(S, TP), and then complement them with unspecified outputs leading to *Fail*. Alternatively, this can be seen as the computation of a sub-automaton of the canonical tester  $A_{\neg ioco} S$  whose accepting traces are ASTraces(S, TP) and failed traces are a subset of  $[STraces(S).\Lambda_1^A \ STraces(S)]$ . The resulting test case is then both an observer of the negation of a safety property (non-conformance wrt. S), and an observer of a reachability property (acceptance by the test purpose).

Test selection algorithms are based on the computation of the visible behaviors of the specification STraces(S), involving the identification of quiescence ( $\delta$  actions) followed by determinisation, the construction of a product between the specification and test purpose which accepted behavior is ASTraces(TP), and finally the selection of these accepted behaviors. Selection can be seen reduced to a model-checking problem where one wants to identify states (and transitions between them) which are both reachable from the initial state and co-reachable from the accepting states. We have proved that these algorithms ensure soundness. Moreover the (infinite) set of all possibly generated test cases is also exhaustive. Apart from these theoretical results, our algorithms are designed to be as efficient as possible in order to be able to scale up to real applications.

Our first test generation algorithms are based on enumerative techniques, thus adapted to IOLTS models, and optimized to fight the state-space explosion problem. We have developed on-the-fly algorithms, which consist in performing a lazy exploration of the set of states that are reachable in both the specification and the test purpose [4]. This technique is implemented in the TGV tool (see 5.1). However, this enumerative technique suffers from some limitations when specification models contain data.

More recently, we have explored symbolic test generation techniques for IOSTS specifications [8]. This is a promising technique whose main objective is to avoid the state space explosion problem induced by the enumeration of values of variables and communication parameters. The idea consists in computing a test case under the form of an *IOSTS*, i.e., a reactive program in which the operations on data is kept in a symbolic form. Test selection is still based on test purposes (also described as IOSTS) and involves syntactical transformations of IOSTS models that should ensure properties of their IOLTS semantics. However, most of the operations involved in test generation (determinisation, reachability, and coreachability) become undecidable. For determinisation we employ heuristics that allow us to solve the so-called bounded observable non-determinism (i.e., the result of an internal choice can be detected after finitely many observable actions). The product is defined syntactically. Finally test selection is performed as a syntactical transformation of transitions which is based on a semantical reachability and co-reachability analysis. As both problems are undecidable for IOSTS, syntactical transformations are guided by over-approximations using abstract interpretation techniques. Nevertheless, these over-approximations still ensure soundness of test cases [5]. These techniques are implemented in the STG tool (see 5.3), with an interface with NBAC used for abstract interpretation.

### 3.4. Controller Synthesis

**The Supervisory Control Problem** is concerned with ensuring (not only checking) that a computer-operated system works correctly. More precisely, given a specification model and a required property, the problem is to control the specification's behavior, by coupling it to a supervisor, such that the controlled specification satisfies the property [41]. The models used are LTSs, say G, and the associated languages, say  $\mathcal{L}(G)$ , which make a distinction between *controllable* and *non-controllable* actions and between *observable* and *non-observable* actions. Typically, the controlled system is constrained by the supervisor, which acts on the system's controllable actions and forces it to behave as specified by the property. The control synthesis problem can be seen as a constructive verification problem: building a supervisor that prevents the system from violating a property. Several kinds of properties can be ensured such as reachability, invariance (i.e. safety), attractivity, etc. Techniques adapted from model checking are then used to compute the supervisor w.r.t. the objectives. Optimality must be taken into account as one often wants to obtain a supervisor that constrains the system as few as possible.

**The Supervisory Control Theory overview**. Supervisory control theory deals with control of Discrete Event Systems [41]. In this theory, the behavior of the system S is assumed not to be fully satisfactory. Hence, it has to be reduced by means of a feedback control (named Supervisor or Controller) in order to achieve a given set of requirements [41]. Namely, if S denotes the specification of the system and  $\Phi$  is a safety property that has to be ensured on S (i.e.  $S \neg \models \Phi$ ), the problem consists in computing a supervisor C, such that

$$S \parallel \mathfrak{C} \models \Phi \tag{1}$$

where  $\parallel$  is the classical parallel composition between two LTSs. Given S, some events of S are said to be uncontrollable ( $\Sigma_{uc}$ ), i.e. the occurrence of these events cannot be prevented by a supervisor, while the others are controllable ( $\Sigma_c$ ). It means that all the supervisors satisfying (1) are not good candidates. In fact, the behavior of the controlled system must respect an additional condition that happens to be similar to the *ioco* conformance relation that we previously defined in 3.3. This condition is called the *controllability condition* and is defined as follows.

$$\mathcal{L}(S \parallel \mathfrak{C})\Sigma_{uc} \cap \mathcal{L}(S) \subseteq \mathcal{L}(S \parallel \mathfrak{C})$$
<sup>(2)</sup>

Namely, when acting on S, a supervisor is not allowed to disable uncontrollable events. Given a safety property  $\Phi$ , that can be modeled by an LTS  $A_{\Phi}$ , there actually exists many different supervisors satisyfing both (1) and (2). Among all the valid supervisors, we are interested in computing the supremal one, ie the one that restricts the system as few as possible. It has been shown in [41] that such a supervisor always exists and is unique. It gives access to a behavior of the controlled system that is called the supremal controllable sub-language of  $A_{\Phi}$  w.r.t. S and  $\Sigma_{uc}$ . In some situations, it may also be interesting to force the controlled system to be non-blocking (See [41] for details).

The underlying techniques are similar to the ones used for Automatic Test Generation. It consists in computing a product between the specification and  $A_{\Phi}$  and to remove the states of the obtained LTS that may lead to states that violate the property by triggering only uncontrollable events.

**Optimal Control.** We are also interested in the Optimal Control Problem. The purpose of optimal control is to study the behavioral properties of a system in order to generate a supervisor that constrains the system to a desired behavior according to quantitative and qualitative requirements. In this spirit, we have been working on the optimal scheduling of a system through a set of multiple goals that the system had to visit one by one [37]. We have also extended the results of [44] to the case of partial observation in order to handle more realistic applications [38].

**Control of Structured Discrete Event System.** In many applications and control problems, LTS are the starting point to model fragments of a large scale system, which usually consists of several composed and nested sub-systems. Knowing that the number of states of the global system grows exponentially with the number of parallel and nested sub-systems, we have been interested in designing algorithms that perform the controller synthesis phase by taking advantage of the structure of the plant without expanding the system. Given a concurrent system and a *safety property, modeled as a language*, also called specification that have to be ensured on this system, we have investigated in e.g. [2] the computation of the supremal controllable language contained in the expected language. To do so, we use a modular centralized approach and perform the control on some approximations of the plant derived from the behavior of each component. The behavior of these approximations is restricted so that they respect a new language property for discrete event systems called *partial controllability condition* that depends on the safety property. It is shown that, under some assumptions the intersection of these "controlled approximations" corresponds to the supremal controllable language contained in the specification with respect to the plant. This computation is performed without building the whole plant, hence avoiding the state space explosion induced by the concurrent nature of the plant.

Similarly, in order to take into account nested behaviors, some techniques based on model aggregation methods [46], [32] have been proposed to deal with hierarchical control problems. Another direction has been proposed in [31]. Brave and Heimann in [31] introduced Hierarchical State Machines which constitute a simplified version of the STATECHARTS. Compared to the classical state machines, they add concurrency and hierarchy features. Some other works dealing with control and hierarchy can be found in [35], [36]. This is the direction we have chosen in the VERTECS Team [3].

# 4. Application Domains

### 4.1. Panorama

**Keywords:** Telecommunication, control-command Systems, smart-cards, software embedded systems, transportation systems. The methods and tools developed by the VERTECS project-team for test generation and control synthesis of reactive systems are intended to be as generic as possible. This allows us to apply them in many application domains where the presence of software is predominant and its correctness is essential. In particular, we apply our research in the context of telecommunication systems, for embedded systems, for smart-cards application, and control-command systems.

## 4.2. Telecommunication Systems

Our research on test generation was initially proposed for conformance testing of telecommunication protocols. In this domain, testing is a normalized process [29], and formal specification languages are widely used (SDL in particular). Our test generation techniques have already proved useful in this context, going up to industrial transfer. New standardized component-based design methodologies such as UML and OMG's MDE increase the need for formal techniques in order to ensure the composionality of components, by verification and testing. Our techniques, by their genericity and adaptativity, have also proved useful at different levels of these methodologies, from component testing to system testing. The telecommunication industry now also tries to provide more and more services to the users. These services also have to be validated. We are involved with France Telecom R & D in a project on the validation of vocal services (see 7.1). Very recently, we also started to study the impact of our test generation techniques in the domain of network security. More specifically, we believe that testing that a network or information systems meets its security policy is a major concern, and complements other design and verification techniques.

## 4.3. Software Embedded Systems

In the context of transport, software embedded systems are increasingly predominant. This is particularly important in automotive systems, where software replaces electronics for power train, chassis (e.g. engine control, steering, brakes) and cabin (e.g. wiper, windows, air conditioning) or new services to passengers are increasing (e.g. telematics, entertainment). Car manufacturers have to integrate software components provided by many different suppliers, according to specifications. One of the problems is that testing is done late in the life cycle, when the complete system is available. Faced with these problems, but also complexity of systems, compositionality of components, distribution, etc, car manufacturers now try to promote standardized interfaces and component-based design methodologies. They also develop virtual platforms which allow for testing components before the system is complete. It is clear that software quality and trust are one of the problems that have to be tackled in this context. This is why we believe that our techniques (testing and control) can be useful in such a context.

### 4.4. Smart-card Applications

We have also applied our test generation techniques in the context of smart-card applications. Such applications are typically reactive as they describe interactions between a user, a terminal and a card. The number and complexity of such applications is increasing, with more and more services offered to users. The security of such applications is of primary interest for both users and providers and testing is one of the means to improve it.

# 4.5. Control-command Systems

The main application domain for controller synthesis is control-command systems. In general, such systems control costly machines (see e.g. robotic systems, flexible manufacturing systems), that are connected to an environment (e.g. a human operator). Such systems are often critical systems and errors occurring during their execution may have dramatic economical or human consequences. In this field, the controller synthesis methodology (CSM) is useful to ensure by construction the interaction between 1) the different components, and 2) the environment and the system itself. For the first point, the CSM is often used as a safe scheduler, whereas for the second one, the supervisor can be interpreted as a safe discrete tele-operation system.

8

# 5. Software

## 5.1. TGV

Keywords: Conformance Testing, IF, Lotos, SDL, TGV, TTCN, UML. Participants: Thierry Jéron [contact], Valéry Tschaen.

TGV (Test Generation with Verification technology) is a tool for test generation of conformance test suites from specifications of reactive systems [4]. It is based on the IOLTS model, a well defined theory of testing, and on-the-fly test generation algorithms coming from verification technology. Originally, TGV allows test generation focused on well defined behaviors formalized by test purposes. The main operations of TGV are (1) a synchronous product which identifies sequences of the specification accepted by a test purpose, (2) abstraction and determinisation for the computation of next visible actions, (3) selection of test cases by the computation of reachable states from the initial states and co-reachable states from accepting states. TGV has been developed in collaboration with Vérimag Grenoble and uses libraries of the CADP toolbox (VERIMAG and VASY). TGV can be seen as a library that can be linked to different simulation tools through well defined APIs. An academic version of TGV is distributed in the CADP toolbox and allows test generation from Lotos specifications by a connection to its simulator API. The same API is used for a connection with the UMLAUT validation framework of UML models. This version has been transfered in the SDL ObjectGéode toolset as part of the TestComposer tool. A new version of TGV has been adapted to a new API of the IF simulator (VERIMAG) allowing test generation from IF and UML models (via a compilation from UML to IF). This new version TGV-IF extends the previous one with new functionalities for coverage based test generation combined with test purposes based test generation. This year some CADP libraries used in TGV-IF have been replaced with STL libraries in order to gain some independency with respect to CADP and allow easier porting. The first version of TGV is protected by APP (Agence de Protection des Programmes) Number IDDN.FR.001.310012.00.R.P.1997.000.2090. TGV-IF is currently being deposit at APP.

#### **5.2. NBAC**

**Keywords:** *Abstract Interpretration, Reactive Systems, boolean and numerical types, polyhedra.* **Participant:** Bertrand Jeannet [contact].

NBAC is a verification/slicing tool developed in collaboration with Vérimag. This tool analyses synchronous and deterministic reactive systems containing combination of Boolean and numerical variables and continuously interacting with an external environment. Its input format is directly inspired by the low-level semantics of the LUSTRE dataflow synchronous language. Asynchronous and/or non-deterministic systems can be compiled in this model. The kind of analyses performed by NBAC are: reachability analysis from a set of initial states, which allows to compute invariants satisfied by the system; coreachability analysis from a set of final states, which allows to compute sets of states that may lead to a final state; and combination of the above. The result of an analysis is either a set of states together with a necessary condition on states and inputs to stay in this set during an execution, either a verdict of a verification problem. The tool is founded on the theory of abstract interpretation: sets of states are approximated by abstract values belonging to an abstract domain, on which fix-point computations are performed. The originality of NBAC resides in

- the use of a very general notion of control structure in order to very precisely tune the trade-off between precision and efficiency;
- the ability to dynamically refine the control structure, and to guide this refinement by the needs of the analysis;
- sophisticated methods for computing postconditions and preconditions of abstract values.

More recently, NBAC has been extended with auxiliary translation tools AUTO2NBAC and NBAC2AUTO. This allows to specify systems to be analyzed as a product of hybrid automata with constant differential inclusion (*e.g.*,  $1 \le \dot{x} + 2\dot{y} \le 3$ ) and to get the result of the analysis on the product automaton.

# 5.3. STG

Keywords: *Conformance Testing*, *Symbolic Testing*, *Symbolic Verification*. Participants: Vlad Rusu [contact], Florimond Ployette, Bertrand Jeannet, Thierry Jéron.

STG (Symbolic Test Generation) is a prototype tool for the generation and execution of test cases using symbolic techniques. It takes as input a specification and a test purpose described as IOSTS, and generates a test case program also in the form of IOSTS. Test generation in STG is based on a syntactic product of the specification and test purpose IOSTS, an extraction of the subgraph corresponding to the test purpose, elimination of internal actions, determinisation, and simplification. The simplification phase now relies on NBAC, which approximates reachable and coreachable states using abstract interpretation. It is used to eliminate unreachable states, and to strengthen the guards of system inputs in order to eliminate some Inconclusive verdicts. After a translation into C++ or Java, test cases can be executed on an implementation in the corresponding language. Constraints on system input parameters are solved on-the-fly during execution using a constraint solver. The first version of STG was developed in C++, using Omega as constraint solver during execution. This version has been deposit at APP (IDDN.FR.001.510006.000.S.P.2004.000.10600).

A new version in OCaml is still under development. This version is more generic and will serve as a library for symbolic operations on IOSTS. Most functionalities of the C++ version have been re-implemented. Also a new translation of abstract test cases into Java executable tests has been developed, in which the constraint solver is LUCKYDRAW (VERIMAG).

# 5.4. SIGALI

Keywords: Controller Synthesis, symbolic techniques, verification.

Participant: Hervé Marchand [contact].

SIGALI is a model-checking tool that operates on ILTS (Implicit Labeled Transition Systems, an equational representation of an automaton), an intermediate model for discrete event systems. It offers functionalities for verification of reactive systems and discrete controller synthesis. It is developed jointly by the ESPRESSO and VERTECS teams. The techniques used consist in manipulating the system of equations instead of the set of solutions, which avoids the enumeration of the state space. Each set of states is uniquely characterized by a predicate and the operations on sets can be equivalently performed on the associated predicates. Therefore, a wide spectrum of properties, such as liveness, invariance, reachability and attractivity can be checked. Algorithms for the computation of predicates on states are also available [7], [27]. SIGALI is connected with the Polychrony environment (ESPRESSO project-team) as well as the Matou environment (VERIMAG), thus allowing the modeling of reactive systems by means of Signal Specification or Mode Automata and the visualization of the synthesized controller by an interactive simulation of the controlled system. SIGALI is protected by APP (Agence de Protection des Programmes).

# 5.5. Ctrl-S

**Keywords:** *Controller Synthesis, structured systems.* **Participant:** Hervé Marchand [contact].

CTRL-S is a tool dedicated to the control and simulation of structured discrete event systems. CTRL-S is a graphical tool connected with Oris for the simulation aspect as well as Umdes for the controller synthesis computations. It now encompasses the former tool Syntool that was developed in our team during the past years. This tool is currently under testing.

# 6. New Results

# **6.1.** Controller Synthesis

Keywords: Hierarchical models, controller synthesis methodology, symbolic methods.

## 6.1.1. Modular and Decentralized Supervisory Control of Concurrent Discrete Event Systems Using Reduced System Models

Participant: Hervé Marchand.

This year we investigated the supervisor synthesis for concurrent systems based on reduced system models with the intention of complexity reduction. It is assumed that the expected behavior (specification) is given on a subset of the system alphabet, and the system behavior is reduced to this alphabet. Supervisors are computed for each reduced subsystem employing a modular decentralized approach. Depending on the chosen architecture, we provide sufficient conditions for the consistent implementation of the reduced supervisors for the original system [23]. This work has been done in cooperation with Klaus Schmidt and Benoit Gaudin.

#### 6.1.2. A constructive approach to decentralized supervisory Control problems Participant: Hervé Marchand.

We plunge decentralized control problems into modular ones to benefit from the know-how of modular control theory: any decentralized control problem is associated to a natural modular control problem, which over-approximates it. Then, we discuss how a solution of the latter problem delivers a solution of the former [21]. This work has been done in cooperation with Jan Komenda and Sophie Pinchinat.

#### 6.1.3. Supervisory Control of Symbolic and Hybrid Transition systems

Participants: Tristan Le Gall, Bertrand Jeannet, Hervé Marchand.

We here tackled the safety controller synthesis problem for various models (from finite transition systems to hybrid systems). Within this framework, we are mainly interested in the synthesis problem for an intermediate model: the symbolic transition system. Modelization needs lead us to redefine the concept of controllability by associating it to guards of transitions instead of events. We then define synthesis algorithms based on abstract interpretation techniques so that we can ensure finiteness of the computations. We finally generalize our methodology to the control of hybrid systems, which gives an unified framework to the supervisory control problem for several classes of models [12].

## 6.2. Test Generation on Enumerative and Symbolic Models

Keywords: symbolic transition systems, test generation, testing, transition systems.

#### 6.2.1. Symbolic Test Generation and Selection

Participants: Jérémy Dubreil, Camille Constant, Hatem Hamdi, Bertrand Jeannet, Thierry Jéron, Vlad Rusu.

For several years we address the generation of symbolic test cases for testing the conformance of a blackbox implementation with respect to a specification. More specifically, the problem we consider is the offline selection of test cases according to a test purpose, which is here a set of scenarii of interest that one wants to observe during test execution. In [5] and [17], we extend them in the context of infinite-state symbolic models (IOSTS), by showing how approximate fixpoint computations can be used in a conservative way. The same kind of technique is also adapted for test selection with respect to safety properties and its combination with verification (see 6.2.2). When dealing with non-deterministic IOSTS specifications, offline test selection involves a determinisation phase, which is not always feasible for IOSTS. However a determinisation procedure which terminates for a sub-class of IOSTS has been identified (see 6.4.1).

Instead of considering the extension of the finite-state IOLTS model with variables, one can also consider the extension of the IOLTS model with recursion, which corresponds to a pushdown system. A preliminary study was done in 2004 with the master thesis of Liva Randriamanohisoa. One of the problems still to be solved is the determinisation of a pushdown system which may be necessary when testing under partial observation. When pushdown automata are deterministic however, test selection techniques with test purposes can be used with some adaptations. This is the object of Camille Constant's PhD.

This year, we also started some work on testing the conformance of open networks with their security properties. This is part of Jeremy Dubreil and Hatem Hamdi's PhDs.

#### 6.2.2. From Safety Verification to Safety Testing

Participants: Camille Constant, Thierry Jéron, Hervé Marchand, Vlad Rusu.

In this work we describe a methodology integrating verification and conformance testing for the formal validation of reactive systems. A specification of a system - an extended input-output automaton, which may be infinite-state - and a set of safety properties ("nothing bad ever happens") and possibility properties ("something good may happen") are assumed. The properties are first tentatively verified on the specification using automatic techniques based on approximated state-space exploration, which are sound, but, as a price to pay for automation, are not complete for the given class of properties. Because of this incompleteness and of state-space explosion, the verification may not succeed in proving or disproving the properties. However, even if verification did not succeed, the testing phase can proceed and provide useful information about the implementation. Test cases are automatically and symbolically generated from the specification may detect violations of conformance between implementation and specification; in addition, it may detect violation/satisfaction of the properties by the implementation and by the specification. In this sense, testing completes verification. The approach is illustrated on simple examples and on a Bounded Retransmission Protocol [1].

### 6.3. Verification and Abstract Interpretation

**Keywords:** Abstract Interpretation, Acceleration, Communicating Finite State Machines, Exact Widening, FIFO channels, Reachability Analysis, Shape Analysis.

### 6.3.1. Verification of Communication Protocols using Abstract Interpretation of FIFO queues Participants: Bertrand Jeannet, Thierry Jéron, Tristan Le Gall.

The PhD thesis of Tristan Le Gall is concerned by the verification of asynchronous systems communicating through FIFO channels and its applications. This year, we addressed the verification of communication protocols or distributed systems that can be modeled by Communicating Finite State Machines (CFSMs), i.e. a set of sequential machines communicating via unbounded FIFO channels. Unlike recent related works based on acceleration techniques, we propose to apply the Abstract Interpretation approach to such systems, which consists in using approximated representations of sets of configurations. We show that the use of regular languages together with an extrapolation operator provides a simple and elegant method for the analysis of CFSMs, which is moreover often as accurate as acceleration techniques, and in some cases more expressive. Last, when the system has several queues, our method can be implemented either as an attribute-independent analysis or as a more precise (but also more costly) attribute-dependent analysis [22].

### **6.4. Transversal Results**

**Keywords:** Data Flow Analysis, Determinisation, Diagnosis, Fault Model, Logic, Proof, Symbolic Transition Systems, Type Theory.

#### 6.4.1. Determinisation of Symbolic Automata

Participants: Thierry Jéron, Hervé Marchand, Vlad Rusu.

We define a symbolic determinisation procedure for a class of infinite-state systems, which consists of automata extended with symbolic variables that may be infinite-state. The subclass of extended automata for which the procedure terminates is characterised as bounded lookahead extended automata. It corresponds to automata for which, in any location, the observation of a bounded-length trace is enough to infer the first transition actually taken. We discuss applications of the algorithm to the verification, testing, and diagnosis of infinite-state systems [26], [20].

#### 6.4.2. Supervision Patterns for the Diagnosis of Discrete Event Systems

Participants: Thierry Jéron, Hervé Marchand.

In this work, we are interested in the diagnosis of discrete event systems modeled by finite transition systems. We propose a model of supervision patterns general enough to capture past occurrences of particular trajectories of the system. Modeling the diagnosis objective by supervision patterns allows us to generalize the properties to be diagnosed and to render them independent of the description of the system. We first formally define the diagnosis problem in this context. We then derive techniques for the construction of a diagnoser and for the verification of the diagnosability based on standard operations on transition systems. We show that these techniques are general enough to express and solve in a unified way a broad class of diagnosis problems found in the literature, e.g. diagnosing permanent faults, multiple faults, fault sequences and some problems of intermittent faults [18], [25], [19]. This work has been done in cooperation with Marie-Odile Cordier (Dream project-team) and Sophie Pinchinat (S4 project-team).

Our aim is now to extend these results to infinite state systems as well as to non permanent patterns, and to apply these techniques to the automatic generation of passive testers (intruder detection systems) in order to test on-line whether an implementation respects a given security policy.

### 6.4.3. Verifying an ATM Protocol Using a Combination of Formal Techniques Participant: Vlad Rusu.

In this work, we describe a methodology and a case study in formal verification. The case study is the SSCOP protocol, a member of the ATM adaptation layer whose main role is to perform a reliable data transfer over an unreliable communication medium. The methodology involves: (1) simulation for initial debugging; (2) partial-order abstraction that preserves the properties of interest; and (3) compositional verification of the properties at the abstract level using the PVS theorem prover. Steps (2) and (3) guarantee that the properties still hold on the whole (composed, concrete) system. The value of the approach lies in adapting and integrating several existing formal techniques into a new verification methodology that is able to deal with real case studies [9].

# 6.4.4. Defining and reasoning about recursive functions: a practical tool for the Coq proof assistant

#### Participant: Vlad Rusu.

We present a practical tool for defining and proving properties of recursive functions in the Coq proof assistant. The tool proceeds by generating from pseudo-code (Coq functions that need not be total nor terminating) the graph of the intended function as an inductive relation, and then proves that the relation actually represents a function, which is by construction the function that we are trying to define. Then, we generate induction and inversion principles, and a fixpoint equation for proving other properties of the function. Our tool builds upon state-of-the-art techniques for defining recursive functions, and can also be used to generate executable functions from inductive descriptions of their graph. We illustrate the benefits of our tool on two case studies [15].

# 7. Contracts and Grants with Industry

# 7.1. France Telecom R&D

**Keywords:** *test generation, testing, vocal phone services.* **Participants:** Camille Constant, Thierry Jéron, Vlad Rusu. The goal of this 3-year project (starting October 2004) is to build a platform for the formal validation of France Telecom's vocal phone services. Vocal services are based on speech recognition and synthesis algorithms, and they include automatic connection to the callee's phone number by pronouncing her name, or automatic pronounciation of the callee's name whose phone number was dialed in by the user. Here, we are not interested in validating the voice recognition/synthesis algorithms, but on the logic surrounding them. For example, the system may allow itself a certain number of attempts for recognizing a name, after which it switches to normal number-dialing mode, during which the user may choose to go back to voice-recognition mode by pronouncing a certain keyword. This logic may become quite intricate, and this complexity is multiplied by the number of clients that may be using the service at any given time. Its correctness has been identified by France Telecom as a key factor in the success of the deployment of voice-based systems. To validate them we are planning to apply a combination of formal verification and conformance testing techniques (cf. Section 6.2.2). In the context of Camille Constant's PhD, we also study test generation from models of programs with recursion (pushdown automata and extensions).

# 8. Other Grants and Activities

# 8.1. National Grants & Contracts

### 8.1.1. CNRS ACI Sécurité Potestat: Security Policies: Test Directed Analysis of Open Network Systems

Participants: Jérémy Dubreil, Thierry Jéron, Hervé Marchand, Vlad Rusu.

The Potestat project (http://www-lsr.imag.fr/POTESTAT/) [2004-2007] involves Lsr-IMAG Grenoble, VER-IMAG Grenoble and Lande and VERTECS project teams in Irisa.

In the framework of open service implementations, based on the interconnection of heterogeneous systems, the security managers lack of well-formalized analysis techniques. The security of such systems is therefore organized from pragmatic elements, based on well-known vulnerabilities and their associated solutions. It then remains to verify if such security policies are correctly and effectively implemented in the actual system. This is usually carried out by auditing the administrative procedures and the system configuration. Tests are then performed, for instance by probing, to check the presence of some particular vulnerabilities. Although some tools are already available for specific tests (like password crackers), there is no solution to analyse the whole system conformance with respect to a security policy. This lack may be explained by several factors. First, there is currently no complete study about the formal modeling of a security policy, even if some particular aspects have been more thoroughly studied. Furthermore, verification based researches about security usually concern more precise elements, like cryptographic protocols or code analysis. Finally, most of these works are dedicated to an *a priori* verification of the coherency of security policies before their implementation. We are concerned here by the conformance of a system configuration with respect to a given policy. In the framework of the POTESTAT project we plan to tackle this problem according to the following items:

- Formal modeling of security policies, allowing a test directed analysis.
- Definition of a conformance notion between a system configuration and some security policies elements. The goal is to obtain a test theory similar to the one existing in the protocol testing area (like the Z.500 norm).
- Definition of methods to test this conformance notion, including the testability problems, the environment of execution, code analysis and test selection.

A long-term objective of this project is to offer some tools allowing security managers to model information flow, network elements (protocols, node types and their associated security policy, etc) to better describe the security policy for conformance testing and to provide some practical tools to perform coherency verification and vulnerabilities detection.

# 8.1.2. CNRS ACI Sécurité APRON: Analysis of Numerical Programs

Participant: Bertrand Jeannet.

The APRON (Analyse de PROgrammes Numériques) project (http://www.cri.ensmp.fr/apron/) [2004-2007] involves ENSMP, LIENS-ENS, LIX-Polytechnique, VERIMAG and VERTECS-Irisa.

The goal is to develop methods and tools to analyse statically embedded software with high-level of criticity for which the detection of errors at run-time is unacceptable for safety or security reasons. Such safety and security software is found in the context of transportation, automotive, avionics, space, industrial process control and supervision, etc. One characteristics of such software is that it is based on physical models whence involve a lot of numerical computations. Moreover, *counters* play an important role in the control of reactive programs (e.g., delay counting in synchronous programming). Critical properties depending on these counters are generally outside the scope of model-checking approaches, while being simple enough to be accurately analysed by more sophisticated numerical analyses.

The goal of the project is the static analysis of large specifications (e.g. à la LUSTRE) and corresponding programs (e.g. of 100 to 500 000 LOCs of C), made of thousands of procedures, involving a lot of numerical floating-point computations, as well as boolean and counter-based control in order to verify critical properties (including the detection of possible runtime errors), and to help in automatically locating the origin of critical property potential violation.

An example of such critical properties, as found in control/command programs, is of the form "under a condition holding on boolean and numerical variables for some time, the program must imperatively establish a given boolean and/or numerical property, in a given bounded delay".

VERTECs contributes to the following topics within the APRON project:

- The design and implementation of a common interface to several abstraction libraries (intervals, linear equalities, octagons, polyhedra, ...and their combination).
- The study of adaptative techniques for adjusting the trade-off between the efficiency and the precision of analyses, among other dynamic partitioning techniques [6]. Results have already been obtained in the intraprocedural case, but to a less extend in the interprocedural case.

VERTECS focuses mainly on LUSTRE specifications and provides with the NBAC tool one of the main experimental platforms of the project for the verification of critical properties on such specifications.

In 2006, most of the effort of VERTECS was spent on the design and implementation of the common interface.

### 8.1.3. CNRS ACI Sécurité V3F: Validation and Verification of Programs with Floating Point Numbers

Participants: Bertrand Jeannet, Thierry Jéron.

V3F (http://lifc.univ-fcomte.fr/~v3f/)[2003-2006] is a project involving LIFC Besançon, Inria-I3S Nice, LIST-CEA Saclay and project teams Lande and VERTECs in Irisa. The goal of this project is to provide tools to support the verification and validation process of programs with floating-point numbers. More precisely, project V3F investigates techniques to check that a program satisfies the calculations hypothesis on the real numbers that have been done during the modeling step. The underlying technology will be based on constraint programming. Constraints solving techniques have been successfully used during the last years for automatic test data generation, model-checking and static analysis. However in all these applications, the domains of the constraints were restricted either to finite subsets of the integers, rational numbers or intervals of real numbers. Hence, the investigation of solving techniques for constraint systems over floating-point numbers is an essential issue for handling problems over the floats. The results obtained in the course of the project V3F are a clean design of constraint solving techniques over floating-point number, and a study of the capabilities of these techniques in the software validation and verification process. An open and generic prototype of a constraint solver over the floats was developped. We also paid attention on the integration of floats into various formal notations (e.g., B, Lustre, UML/OCL) to allow an effective use of the constraint solver in formal model verification, automatic test data generation (functional and structural) and static analysis.

Our contribution to this project is to precisely formalize a conformance testing theory for programs with floating point with respect to their specifications, and second, to describe test generation algorithms in this framework. We consider the IOSTS model for the specification and the test purpose. An important point is to obtain a computable conformance relation. The solution that we propose takes into account the inaccuracy of floating points computations w.r.t. real semantics by allowing a limited skew of floating points values in conformant traces. In order to be able to recognize conformant traces/execution during test execution, and to check that the allowed skew does not diverge, we use a projection technique that allows the tester to use safely the values emitted by the implementation for its own execution. A nice point of our approach is that we can fully reuse the test generation and selection techniques implemented in our STG tool, the only change being in the implementation of the test driver. This result has been presented in the last meeting but has not yet been published.

This project ended this year with a final report presenting the main results of the project [28] and the organization by V3F project members of the workshop CSTVA'06 (Workshop on Constraints in Software Testing) in Nantes in September 2006, where the results of V3F were presented [16].

#### 8.1.4. RNRT POLITESS: Security Policies for Network Information Systems: Modeling, Deployment, Testing and Supervision

Participants: Jérémy Dubreil, Thierry Jéron, Hervé Marchand, Vlad Rusu.

The POLITESS project (http://www.rnrt-politess.info/) [2006-2008] involves GET (INT Evry and ENST Rennes), INPG-IMAG (LSR and VERIMAG laboratories), France Telecom R&D Caen, Leyrios Technologies, SAP Research, AQL Silicomp Rennes and Irisa. In a sense, this project is an extension of the Potestat project. The objective of the project is to study and provide methodological guidelines and software solutions for a formal approach to security of networks. This encompasses the specification of high level security policies with clear semantics, their deployment on the network in terms of security artifacts and the analysis of this deployment, testing and monitoring of security based on models of security policies and abstract models of networks. Our team is involved in several activities, in particular in modelling (defining adequate models for both the system and security policies), testing (modelling security testing, test generation/selection), supervision (intrusion detection, diagnosis) and case studies.

### 8.2. European and International Grants

#### 8.2.1. ARTIST2 Network of Excellence

Participants: Thierry Jéron, Hervé Marchand, Vlad Rusu.

We are partners of the ARTIST2 Network of Excellence on Embedded Systems (http://www.artistembedded.org/), involved in the Testing and Verification cluster with Brics in Aalborg (DK), University of Twente (NL), University of Liège (B), Uppsala (SE), VERIMAG Grenoble, ENS Cachan, LIAFA Paris, EPFL Lausanne (S). The aim of the cluster is to develop a theoretical foundation for real-time testing, real-time monitoring and optimal control, to design data structures and algorithms for quantitative analysis, and to apply testing and verification tools in industrial settings. For security, we plan to create a common semantic framework for describing security protocols including notion of "trust" and to develop tools and methods for the verification of security protocols. Test and verification tools developed by partners will be made available via a web-portal and with dedicated verification servers.

In Artist2, the main role of VERTECS is to integrate our research on testing and test generation based on symbolic transition systems with other works based on timed models.

This year we participated in a cluster meeting that took place at the Embedded Systems Institute in Eindhoven (The Netherlands) in April 2006. We also participated to the second review meeting of Artist2 in Paris in November 2006. A three weeks visit of Thierry Massart (ULB) was funded by Artist2.

#### 8.2.2. UIUC/CNRS/INRIA Collaboration

Participants: Vlad Rusu, Thierry Jéron.

This grant involving three groups, IRISA/INRIA, VERIMAG, and University of Illinois at Urbana-Champaign (Grigore Roşu), is concerned with various aspects of runtime analysis of software systems, and aims both at advancing theoretical foundations and at developing and improving supporting tools and prototypes.

#### 8.2.3. Bilateral CNRS/CONICET Collaboration

#### Participant: Bertrand Jeannet.

This bilateral collaboration grant, between France and Argentina, involves 4 teams: the team MOVE of LIF (Laboratoire d'Informatique Fondamentale) of Marseille (Peter Niebert) and the VERTECS project, on the French side, the university of Cordoba (Pedro d'Argenio) and the La Empesa University of Buenos Aires (Alfredo Olivero), on the Argentinian side.

The aim of this collaboration (august 2005- august 2007) is to make progress in the verification of probabilistic timed concurrent systems. The VERTECs project brings its expertise in algorithms and abstraction techniques implemented in the RAPTURE tool for Markov Decision Processes.

Our ambition is to progress in the following directions:

- 1. Apply the abstraction techniques implemented in the RAPTURE tool and the probabilistic partial order reduction techniques to *timed* probabilistic automata, instead of untimed systems only;
- 2. Extend the same techniques to the verification of untimed and timed temporal logical formula (expressed in the (timed) LTL logic);
- 3. Explore the applicability of program slicing and abstract interpretation techniques to quantitative model checking;
- 4. Explore the possibility to use these techniques for performance analysis;
- 5. Implement the fundamental results;
- 6. Analyse case studies in order to better understand the performances of the tools.

### 8.3. Collaborations

#### 8.3.1. Collaborations with other INRIA Project-teams

We collaborate with several Inria project-teams. We collaborate with the LANDE project-team in two ACI-Sécurité grants (V3F and POTESTAT). With ESPRESSO project-team for the development of the SIGALI tool inside the Polychrony environment. With the DART project-team on the use of the controller synthesis methodology for the control of control-command systems (e.g. robotic systems). With DISTRIBCOM on security testing in the context of Potestat and Politess grants. With the S4 project-team on the use of control, game theory and diagnosis for test generation. With the DREAM project-team on the diagnosis of discrete event systems. With the VASY project-team on the use of CADP libraries in TGV and the distribution of TGV in the CADP toolbox.

#### 8.3.2. Collaborations with French Research Groups outside INRIA

Our main collaborations in France are with Vérimag. Beyond formalized collaborations, (ACI Potestat and APRON, RNRT Politess, Rex Artist2), we also collaborate on the connection of NBAC with Lurette for the analysis of Lustre programs, as well as the connection of SIGALI and Matou. We are also involved in several collaborations with LSR Imag (ACI Potestat and RNRT Politess).

#### 8.3.3. International Collaborations

- University of Twente and Nijmegen in The Netherlands (E. Brinksma, J. Tretmans) on test generation (symbolic in particular) following the Van Gogh bilateral cooperation (1999-2001). This year, Vlad Rusu was a sabbatical visitor at the University of Nijmegen (NL) from February to September 2006, in the Informatics for Technical Applications (ITA) led by Prof. Frits Vandraager. He worked in a joint project between the ITA and Security of Systems (SoS) groups on the formal validation of the new Dutch electronic passport by means of a combination of formal verification, black-box testing, and learning techniques [24].
- ENIS Sfax in Tunisia (M. Tahar Bhiri) on security testing. Thierry Jéron is co-supervisor of a PhD student Hatem Hamdi working on robustness and security testing.
- University Libre Bruxelles in Belgium (Thierry Massart) on testing. Thierry Massart visited us for three weeks in April 2006, funded by Artist2. We collaborate with him on testing from pushdown automata models.
- University Ottawa in Quebec (Guy-Vincent Jourdan) on security testing. G.-V. Jourdan visited IRISA during summer 2006.
- Institute of Mathematics, Czech Academy of Sciences (Jan Komenda) on supervisory control of concurrent systems. Hervé Marchand published a paper [21] with Jan Komenda.
- University of Erlangen in Germany (with Klaus Schmidt). Hervé Marchand published a paper [23] with Klaus Schmidt (other are in preparation).
- University of Michigan in USA (Prof. Stéphane Lafortune) on control an diagnosis of discrete event systems. Hervé Marchand visited this university this year (1 week).

# 9. Dissemination

#### **9.1.** University courses

- C. Constant is teaching in INSA of Rennes (32h in 2005-2006), on compilation.
- J. Dubreil is teaching in INSA of Rennes (26h in 2006), on the Scheme programming language
- **T. Le Gall** is teaching in License in the University of Rennes 1 and in "Magistère Informatique-Télécom" in ENS Cachan-Bretagne (64h/year)

# 9.2. PhD Thesis and Trainees

#### **Current PhD. theses:**

Camille Constant: "Verification and symbolic test generation for reactive systems", 2nd year,

Tristan Le Gall: "Abstract lattice of fifo channels for verification and control synthesis", 2nd year,

Hatem Hamdi: "Testing of network security", In collaboration with University of Sfax, 1st year,

Jérémy Dubreil: "Formal methods for testing and monitoring security of open networks", 1st year.

#### Trainees 2005-2006:

- Zahi Karam: "A tool for the simulation of controlled discrete-Event systems", Internship-ESIB (Liban) (2 months).
- Jérémy Dubreil: "Diagnosis for intrusion detection", Master student, university of Uppsala and Enst Brest, (5 months).

# 9.3. Scientific animation

- Thierry Jéron was PC member of Testcom 2006 (New-York, May 2006), PC member and Tool Chair of Tacas'06 (Vienna, March 06), PC member of Rosatea'06 (Portland, Maine, USA, July 2007). He is SC of the Movep summer school (Bordeaux, June 2006). He is PC member of the forthcoming Testcom/Fates'07 (Tallinn, Estonia, June 2007) and Rosatea'07 (Boston, July 2007). Thierry Jéron gave a keynote speech on *Model-based test selection for infinite state reactive systems* at the 5th International Symposium on Formal Methods for Components and Objects (FMCO'06, Amsterdam, November 2006) and was invited to give a seminar in Labri Bordeaux (June 2006) on *Test selection with approximate analysis*. He was reviewer of the PhD defense of Assia Touil (University Evry, December 2006). He is member of the new IFIP Working Group 10.2 on Embedded Systems (http://jerry.c-lab.de/ifip-wg-102/).
- Hervé Marchand is PC member of the forthcoming MSR'07 conference on modeling of reactive systems. He was PC member of WODES'2006 and is member of the IFAC Technical Committees (TC 1.3 on Discrete Event and Hybrid Systems) for the 2005-2008 triennium. He gave two seminars on "Control of Concurrent Discrete Event System" and "Diagnosis of Discrete-Event Systems" at the university of Michigan. He was also invited to give a seminar on the same last topic in LABRI (Bordeaux). He is member of the "Commissions de Spécialistes 27e section" at the University of Rennes 1.
- Vlad Rusu Vlad Rusu gave invited talks to at the Centrum voor Wiskunde en Informatica (CWI), Amsterdam, NL (may 2006) on *Combining verification and testing for reactive systems* and at IPA Dutch spring school in Computer Science, Vught, NL (april 2006) on the same topic.
- **Tristan Le Gall** was invited to give seminars on *Verification of communicating protocols / Abstract interpretation of regula languages* in VERIMAG Grenoble (June 2006) and Liafa Paris (October 2006).
- Camille Constant is member of the Ifsic Council as PhD representative.

# **10. Bibliography**

#### Major publications by the team in recent years

- [1] C. CONSTANT, T. JÉRON, H. MARCHAND, V. RUSU. Combinaison entre vérification et test pour la validation de systèmes réactifs, Traité I2C. Systèmes Temps Réel: Techniques de Description et de Vérification - Théorie et Outils, vol. 1, chap. 2, Hermès Science, 2006, p. 59-88.
- [2] B. GAUDIN, H. MARCHAND. Modular Supervisory Control of a class of Concurrent Discrete Event Systems, in "Workshop on Discrete Event Systems, WODES'04", September 2004, p. 181-186, http://www.irisa.fr/vertecs/Publis/Ps/2004-WODES-Language.pdf.
- [3] B. GAUDIN, H. MARCHAND. Supervisory Control of Product and Hierarchical Discrete Event Systems, in "European Journal of Control", vol. 10, n<sup>O</sup> 2, 2004.
- [4] C. JARD, T. JÉRON. TGV: theory, principles and algorithms, A tool for the automatic synthesis of conformance test cases for non-deterministic reactive systems, in "Software Tools for Technology Transfer (STTT)", vol. 6, October 2004.
- [5] B. JEANNET, T. JÉRON, V. RUSU, E. ZINOVIEVA. Symbolic Test Selection based on Approximate Analysis, in "11th Int. Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS'05), Volume 3440 of LNCS, Edinburgh (Scottland)", April 2005, p. 349-364, http://www.irisa.fr/vertecs/Publis/Ps/tacas05.pdf.

- [6] B. JEANNET. Dynamic Partitioning In Linear Relation Analysis. Application To The Verification Of Reactive Systems, in "Formal Methods in System Design", vol. 23, n<sup>o</sup> 1, July 2003, p. 5–37.
- [7] H. MARCHAND, P. BOURNAI, M. LE BORGNE, P. LE GUERNIC. Synthesis of Discrete-Event Controllers based on the Signal Environment, in "Discrete Event Dynamic System : Theory and Applications", vol. 10, n<sup>o</sup> 4, Octobre 2000, p. 347-368, http://www.irisa.fr/vertecs/Publis/Ps/J-DEDS.ps.gz.
- [8] V. RUSU, L. DU BOUSQUET, T. JÉRON. An approach to symbolic test generation, in "International Conference on Integrating Formal Methods (IFM'00), Volume 1945 of LNCS", Springer Verlag, 2000, p. 338-357.
- [9] V. RUSU. Verifying an ATM Protocol Using a Combination of Formal Techniques, in "Computer Journal", 2006.

### **Year Publications**

#### **Doctoral dissertations and Habilitation theses**

[10] V. RUSU. Formal verification and conformance testing for reactive systems, Habilitation à diriger des Recherches, Unviversité de Rennes 1, Dec. 2006.

#### Articles in refereed journals and book chapters

- [11] C. CONSTANT, T. JÉRON, H. MARCHAND, V. RUSU. Combinaison entre vérification et test pour la validation de systèmes réactifs, Traité 12C. Systèmes Temps Réel: Techniques de Description et de Vérification - Théorie et Outils, vol. 1, chap. 2, Hermès Science, 2006, p. 59-88.
- [12] T. LE GALL, B. JEANNET, H. MARCHAND. Contrôle de systèmes symboliques, discrets ou hybrides, in "Technique et Science Informatiques (TSI)", vol. 25, 2006, p. 293-319.
- [13] S. PICKIN, C. JARD, T. JÉRON, J.-M. JÉZÉQUEL, Y. LE TRAON. *Test Synthesis from UML Models of Distributed Software*, in "IEEE Transactions on Software Engineering", to appear, 2006.
- [14] V. RUSU. Verifying an ATM Protocol Using a Combination of Formal Techniques, in "Computer Journal", 2006.

#### **Publications in Conferences and Workshops**

- [15] G. BARTHE, J. FOREST, D. PICHARDIE, V. RUSU. *Defining and reasoning about recursive functions: a practical tool for the Coq proof assistant*, in "Functional and LOgic Programming Systems (FLOPS'06), Fuji Susono, Japan", April 2006, http://www.irisa.fr/vertecs/Publis/Ps/2006-FLOPS.pdf.
- [16] B. BLANC, F. BOUQUET, A. GOTLIEB, B. JEANNET, T. JÉRON, B. LEGEARD, B. MARRE, C. MICHEL, M. RUEHER. *The V3F Project*, in "Workshop on Constraints in Software Testing, Verification and Analysis (CSTVA06), Nantes", B. BLANC, A. GOTLIEB, C. MICHEL (editors). , 2006, http://www.irisa.fr/manifestations/2006/CSTVA06/images/proceedings-cstva.pdf.
- [17] T. JÉRON. Model-based test selection for infinite state reactive systems, in "5th IFIP Working Conference on Distributed and Parallel Embedded Systems, DIPES'06, Braga, Portugal", Invited paper, Springer SBM, October 2006.

- [18] T. JÉRON, H. MARCHAND, M.-O. CORDIER. Motifs de surveillance pour le diagnostics de systèmes à événements discrets finis, in "15e congrès francophone AFRIF-AFIA Reconnaissance des Formes et Intelligence Artificielle, Tours, France", January 2006, http://www.irisa.fr/vertecs/Publis/Ps/2006-RFIA-Diag.pdf.
- [19] T. JÉRON, H. MARCHAND, S. PINCHINAT, M.-O. CORDIER. Supervision Patterns in Discrete Event Systems Diagnosis, in "Workshop on Discrete Event Systems, WODES'06, Ann-Arbor (MI, USA)", Also published in 17th International Workshop on Principles of Diagnosis, DX'06, Penaranda de Duero (Burgos, Spain), July 2006, http://www.irisa.fr/vertecs/Publis/Ps/PI-1784.pdf.
- [20] T. JÉRON, H. MARCHAND, V. RUSU. Symbolic Determinisation of Extended Automata, in "4th IFIP International Conference on Theoretical Computer Science, Stantiago, Chile", IFIP book series, Springer Science and Business Media, August 2006, http://www.irisa.fr/vertecs/Publis/Ps/PI-1776.pdf.
- [21] J. KOMENDA, H. MARCHAND, S. PINCHINAT. A constructive approach to decentralized supervisory Control problems, in "3rd IFAC Workshop on Discrete-Event System Design", 2006, http://www.irisa.fr/vertecs/Publis/Ps/2006-C-DESDes.pdf.
- [22] T. LE GALL, B. JEANNET, T. JÉRON. Verification of Communication Protocols using Abstract Interpretation of FIFO queues, in "11th International Conference on Algebraic Methodology and Software Technology, AMAST '06, Kuressaare, Estonia", M. JOHNSON, V. VENE (editors). , LNCS, vol. 4019, Springer-Verlag, July 2006.
- [23] K. SCHMIDT, H. MARCHAND, B. GAUDIN. Modular and Decentralized Supervisory Control of Concurrent Discrete Event Systems Using Reduced System Models, in "Workshop on Discrete Event Systems, WODES'06, Ann-Arbor (MI, USA)", July 2006, http://www.irisa.fr/vertecs/Publis/Ps/2006-Wodes\_modular.pdf.

#### **Internal Reports**

- [24] C.-B. BREUNESSE, E. HUBBERS, P. KOOPMAN, W. MOSTOWSKI, M. OOSTDIJK, V. RUSU, R. DE VRIES, A. VAN WEELDEN, R. W. SCHREUR, T. WILLEMSE. *Testing the Dutch e-passport*, Technical report, Radboud University, Nijmegen, The Netherlands, 2006.
- [25] T. JÉRON, H. MARCHAND, S. PINCHINAT, M.-O. CORDIER. Supervision Patterns in Discrete Event Systems Diagnosis, Extended version of papers in Wodes'06 and DX'06, Technical report, n<sup>o</sup> 1784, IRISA, February 2006, http://www.irisa.fr/vertecs/Publis/Ps/PI-1784.pdf.
- [26] T. JÉRON, H. MARCHAND, V. RUSU. Symbolic Determinisation of Extended Automata, Extended version of paper in TCS 2006, Technical report, n<sup>o</sup> 1176, IRISA, February 2006, http://www.irisa.fr/vertecs/Publis/Ps/PI-1776.pdf.

#### Miscellaneous

- [27] L. BESNARD, H. MARCHAND, E. RUTTEN. *The Sigali Tool Box Environment*, July 2006, http://www.irisa.fr/vertecs/Publis/Ps/2006-Tool-Wodes-Sigali.pdf, Workshop on Discrete Event Systems, WODES'06.
- [28] B. LEGEARD, M. RUEHER, T. JÉRON, B. MARRE. V3F: Validation et Vérification en présence de calculs A Virgule Flottante, October 2006, Rapport final de l'Action Concertée Incitative, Sécurité Informatique.

# **References in notes**

- [29] I. 9646. Information Technology Open Systems Interconnection Conformance Testing Methodology and Framework - Part 1 : General Concept - Part 2 : Abstract Test Suite Specification - Part 3 : The Tree and Tabular Combined Notation (TTCN), in "International Standard ISO/IEC 9646-1/2/3", 1992.
- [30] F. BOURDONCLE. Sémantique des langages impératifs d'ordre supérieur et interprétation abstraite, Ph. D. Thesis, Ecole Polytechnique, Paris, 1992.
- [31] Y. BRAVE, M. HEIMANN. Control of Discrete Event Systems Modeled as hierarchical State Machines, in "IEEE Transacations on Automatic Control", vol. 38, n<sup>o</sup> 12, December 1993, p. 1803–1819.
- [32] P. CAINES, V. GUPTA, G. SHEN. *The hierarchical control of ST-finite-state machines*, in "Systems and Control Letters", vol. 32, 1997, p. 185-192.
- [33] P. COUSOT, R. COUSOT. Static determination of dynamic properties of programs, in "2nd Int. Symp. on Programming", Dunod, Paris, 1976.
- [34] P. COUSOT, R. COUSOT. Abstract intrepretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints, in "Conference Record of the 4th ACM Symposium on Principles of Programming Languages, Los Angeles (CA, USA)", January 1977, p. 238-252.
- [35] P. GOHARI-MOGHADAM, W.M. WONHAM. A linguistic Framework for controller hierarchical DES, in "4th International Workshop on Discrete Event Systems, Cagliari(Italy)", August 1998, p. 207-212.
- [36] R.J. LEDUC. *Hierarchical Interface Based Supervisory Control*, Ph. D. Thesis, Dept. of Elec. & Comp. Engrg., Univ. of Toronto, 2002.
- [37] H. MARCHAND, O. BOIVINEAU, S. LAFORTUNE. On the Synthesis of Optimal Schedulers in Discrete Event Control Problems with Multiple Goals, in "SIAM Journal on Control and Optimization", vol. 39, n<sup>o</sup> 2, 2000, p. 512-532.
- [38] H. MARCHAND, O. BOIVINEAU, S. LAFORTUNE. On Optimal Control of a class of partially-Observed Discrete Event Systems, in "Automatica", vol. 38, n<sup>0</sup> 11, October 2002, p. 1935-1943.
- [39] S. OWRE, J. RUSHBY, N. SHANKAR, F. VON HENKE. Formal Verification for Fault-Tolerant Architectures: Prolegomena to the Design of PVS, in "IEEE Transactions on Software Engineering", vol. 21, n<sup>o</sup> 2, feb 1995, p. 107-125.
- [40] C. PAULIN-MOHRING. Le système Coq (Habilitation Thesis, in French), Technical report, ENS Lyon, 1997.
- [41] P. J. RAMADGE, W. M. WONHAM. The Control of Discrete Event Systems, in "Proceedings of the IEEE; Special issue on Dynamics of Discrete Event Systems", vol. 77, n<sup>o</sup> 1, 1989, p. 81-98.
- [42] M. SAGIV, T. REPS, R. WILHELM. Parametric shape analysis via 3-valued logic, in "ACM Transactions on Programming Languages and Systems", vol. 24, n<sup>o</sup> 3, 2002.

- [43] M. SAGIV, T. REPS, R. WILHELM. Solving shape-analysis problems in languages with destructive updating, in "ACM Transactions on Programming Languages and Systems", vol. 20, n<sup>o</sup> 1, 1998.
- [44] R. SENGUPTA, S. LAFORTUNE. An Optimal Control Theory for Discrete Event Systems, in "SIAM Journal on Control and Optimization", vol. 36, n<sup>o</sup> 2, march 1998.
- [45] J. TRETMANS. *Test Generation with Inputs, Outputs and Repetitive Quiescence.*, in "Software Concepts and Tools", vol. 17, n<sup>o</sup> 3, 1996, p. 103-120.
- [46] K. C. WONG, W. M. WONHAM. *Hierarchical Control of Discrete-Event Systems*, in "Discrete Event Dynamic Systems", vol. 6, 1996, p. 241-273.