
THESIS
Submitted for the degree of DOCTOR OF THE UNIVERSITY OF GRENOBLE
Speciality: Computer Science
Ministerial decree: 25 May 2016

Presented by Fatma Jebali
Thesis supervised by Frédéric Lang and co-supervised by Radu Mateescu
Prepared at Inria Grenoble Rhône-Alpes, the Laboratoire d'Informatique de Grenoble, and the École Doctorale Mathématiques, Sciences et Technologies de l'Information, Informatique

Formal Framework for Modelling and Verifying Globally Asynchronous Locally Synchronous Systems

Thesis publicly defended on 12/09/2016 before the jury composed of:
Mr Nicolas Halbwachs, Vérimag, President
Mr Alessandro Fantechi, University of Florence, Reviewer
Ms Virginie Wiels, ONERA, Reviewer
Mr Jean-Pierre Talpin, Inria Rennes, Examiner
Mr Éric Jenn, IRT Saint-Exupéry, Examiner
Mr Frédéric Lang, Inria Grenoble, Thesis supervisor
Mr Radu Mateescu, Inria Grenoble, Thesis supervisor

Acknowledgements

I am deeply grateful to my first supervisor, Frédéric Lang, for his invaluable help and guidance during my PhD, shaping the way I do research while giving me the freedom to pursue my own ideas, and for being a constant source of self-transcendence. I am also heartily thankful to my second supervisor, Radu Mateescu, for his kindness and his wise and enthusiastic counsel through the thought-provoking discussions we had. From Frédéric and Radu, I have gained an incredible amount of life and research knowledge; for that, I cannot thank them enough.

I am also grateful to my examiners, Nicolas Halbwachs, Alessandro Fantechi, Virginie Wiels, Jean-Pierre Talpin, and Éric Jenn, for their thorough reading of my thesis and their constructive comments. Special thanks go to Éric for providing me with the AutoFlight Control System as a case study and for his insightful encouragement from an industry perspective.

Many thanks are due to the rest of the Convecs team, Hubert Garavel, Wendeline Serwe, and Gwen Salaün, for providing such a stimulating and cheerful research environment. I owe much to Hubert for his enthusiasm, wisdom, and support, providing me with much-needed advice along the way. I warmly thank Jingyan Jourdan-Lu and Eric Léo, my office mates, for being such pleasant company and for making the Bluesky project a wonderful experience. Thanks also to my fellows: Raquel Oliveira for graciously hosting me in her office during many Sundays; Gianluca Barbon and Lina Marsso, who appeared at critical times, for their soft presence and support; Abderahman Kriouile for inspiring me to apply my work to avionics systems; as well as Rim Abid, Lakhdar Akroun, Hugues Evrard, Lina Ye, José Ignacio Requeno, Kaoutar Hafdi, Imad-Seddick Arrada, Ajay Muroor-Nadumane, Mohammad-Ali Tabikh, Sai Srikar Kasi, and Zhen Zhang. I am grateful to Myriam Etienne, the Convecs team assistant, for her kindness and her ability to find solutions in tedious administrative situations.

I also thank the people with whom I collaborated through the Bluesky project: Ioannis Parissis, Christophe Deleuze, and Mouna Tka from the LCIS lab; Jean-Baptiste Gnuing, Guillaume Marie, Jackie Launay, and Vincent List from Crouzet Automatismes (now InnoVista Sensors).

I met many nice friends during my PhD. Particular thanks are due to Ferdaouss, my first friend in Grenoble; Hassan and Fatma, for being a second family to me; Alia, for being a source of happiness; Kaoutar, for her contagious serenity; as well as Nashwa, Imen, Wided, Jamel, Sonia, and Rihab.

My family gave me endless love, patience, and support in every step of my life. I am eternally grateful to my mum, from whom I learned to find my strength in difficult times; my dad, from whom I learned to seek perfection in everything I do; as well as Mohamed and Rihab, for all the moments of fun we had together.

To my parents

Abstract

A GALS (Globally Asynchronous, Locally Synchronous) system consists of several synchronous components that evolve concurrently, each with its own pace, and communicate altogether asynchronously. This thesis proposes a formal modelling and verification framework dedicated to GALS systems, with a focus on the asynchronous behaviour. As a cornerstone of our framework, we have designed a formal language, named GRL (GALS Representation Language). GRL enables the behavioural specification of synchronous components, asynchronous communication, and constraints involving both component paces and the data carried by component inputs. To analyse GRL specifications, we took advantage of the CADP software toolbox for the verification of asynchronous concurrent processes, using state space exploration techniques. For this purpose, we have defined a translation from GRL to the LNT specification language supported by CADP. The translation has been implemented by a tool named GRL2LNT, thus enabling state spaces to be automatically derived from GRL specifications. To enable the formal verification of GRL specifications, we have designed a property specification language, named muGRL, which is interpreted on GRL state spaces. The muGRL language is based on a set of patterns capturing properties of concurrent and GALS systems, which reduces the complexity of using full-fledged temporal logics. The semantics of muGRL are defined by a translation into the MCL temporal logic supported by CADP. Finally, we have illustrated how GRL, muGRL, and CADP can be applied to model and verify concrete GALS applications, including industrial case studies.

Résumé (French abstract)

A GALS (Globally Asynchronous, Locally Synchronous) system is a set of synchronous components that evolve concurrently, each at its own pace, and that communicate asynchronously. This thesis proposes a formal modelling and verification framework dedicated to GALS systems, focusing on the asynchronous behaviour. Our framework relies on a formal language that we have designed, called GRL (GALS Representation Language). GRL enables the behavioural specification of synchronous components, of asynchronous communication, and of constraints on the paces of the components as well as on the values taken by the component inputs. To analyse GRL specifications, we use CADP, a software toolbox for the verification of asynchronous concurrent processes by state space exploration techniques. To this end, we have defined a translation from GRL to LNT, a specification language supported by CADP. The translation is implemented in a tool called GRL2LNT, thus enabling the automatic generation of state spaces from GRL specifications. To enable the formal verification of GRL specifications, we have designed a property language, called muGRL, which is interpreted on GRL state spaces. The muGRL language is based on a set of patterns that capture the properties of concurrent systems and GALS systems, thereby reducing the complexity of using classical temporal logics. The semantics of muGRL is defined by translation into MCL, the temporal logic language provided by CADP. Finally, we illustrate the use of GRL, muGRL, and CADP to model and verify concrete GALS applications, including industrial case studies.

Contents

Acknowledgements  iii
Abstract (English/Français)  v
Contents  vii
1 Introduction  1
2 Background and State of the Art  8
2.1 Reactive systems  8
2.1.1 Formal models for reactive systems  9
2.1.2 Formal verification of reactive systems  11
2.2 The synchronous approach  13
2.2.1 Synchronous languages  13
2.2.2 Functional verification  15
2.3 The asynchronous approach  15
2.3.1 Communication models  16
2.3.2 Functional verification  17
2.4 The CADP toolbox for the verification of asynchronous systems  18
2.4.1 Labelled Transition Systems (LTS)  18
2.4.2 The LNT language  20
2.4.3 The MCL language  24
2.5 Globally Asynchronous Locally Synchronous (GALS) systems  25
2.5.1 GALS systems in synchronous languages and dedicated tools  25
2.5.2 GALS systems in asynchronous languages and dedicated tools  27
3 The GRL Language for GALS Behavioural Description  29
3.1 A GALS example  29
3.2 Overview of GRL  30
3.2.1 Modules  30
3.2.2 Synchronous blocks  32
3.2.3 Asynchronous composition of blocks  32
3.3 Basic GRL  34
3.3.1 Type definitions  34
3.3.2 Expressions  35
3.3.3 Statements  35
3.3.4 Global constant definitions  36
3.4 Blocks  37
3.4.1 Block definition  37
3.4.2 Subblock composition  40
3.4.3 Discussion and related work  42
3.5 Environments  44
3.5.1 Data constraints  44
3.5.2 Activation constraints  46
3.5.3 Combining data and activation constraints  47
3.6 Mediums  49
3.7 Systems  51
3.7.1 System definition