ALEXANDRE CORTIER

26 years old (1981-03-02)
Ph.D. Student in Computer Science
Master's Degree in Information Systems
Engineer's degree in Mechanics and Aeronautics

41 Rue Louis Marc Demouilles, 31400 Toulouse
06.64.21.82.94
[email protected]
http://alexandre.cortier.free.fr

EDUCATION

2004-... Ph.D Student in Computer Science. Information Processing and Modeling Department, ONERA (French Aerospace Research Center) in Toulouse, France. Ph.D defense planned for early 2008.

2003-2004 Master's Degree in Information Systems. Information Processing, Image and Automation. University of Poitiers, France. Graduated with honors.

2001-2004 Engineer Degree in Mechanics and Aeronautics. 3rd year specialization in Computer Science. ENSMA Engineer school in Poitiers, France.

2002-2003 Master of Science in Mechanics. Mechanical properties of solids, fluid mechanics. University of Poitiers, France. Graduated with honors.

1999-2001 Preparatory classes for high schools. Mathematics, Physics. MPSI: Lycée Hoche, Versailles, France. PSI*: Lycée J.B Say, Paris, France.

1998 Scientific Baccalaureat. Graduated with honors.

WORK EXPERIENCE

2004-2007 ONERA - Information Processing and Modeling Department (Toulouse, France). Ph.D. works: Formal validation of interactive systems.
- Static analysis of Java/Swing source code, formal model extraction and validation.
- Validation using theorem proving (Event B) and model-checking (NuSMV).
- Development of a prototype tool in Java (Eclipse) using JavaCC and JJTree.

2004-2007 Teaching Assistant (Toulouse, France). Courses given to engineering and postgraduate students (INSA, SUPAERO) in:
- Real-time systems: use of C programming on the VxWorks operating system.
- Formal Methods: introduction to theorem-proving and model-checking.
- Synchronous data flow language Lustre.

2004 (6 months) LISI - Scientific and Industrial Informatics Laboratory (Poitiers, France). Master / 3rd year engineering course internship:
- (Meta-)Modeling of a component-based architecture for avionic systems.
- Approach based on category theory for multi-view development.
- Use of the EXPRESS formal data modelling language.

2003 (4 months) CSTB - Scientific and Technical Building Center (Marnes-la-Vallée, France). Engineering course internship.
- Physical modelling of the behavior of tensile and shear pins for concrete.
- Statistical analysis of data.

COMPUTER SKILLS

General Knowledge
- Very good knowledge of Formal Methods.
- Good knowledge of Mathematics and Physics.
- Good knowledge of Object modelling and programming.
- Good knowledge of Static Analysis: regular expressions, production rules, abstract syntax trees, control flow graphs.
- Good knowledge of Real-Time Systems: synchronous languages, scheduling, multi-task architectures.
- Notions of databases and web programming (SQL, HTML, PHP, CSS).
- OS: Windows, Linux, Solaris.

Programming and Modelling Languages
- Java, Ada, Fortran, C, LabView.
- Real-Time: C (VxWorks), Ada Real-Time, Lustre, Esterel.
- Object Modelling: EXPRESS, UML (OCL), CTT.
- Formal Methods:
  - Theorem Proving: B and Event-B methods (Tools: B4free and Click'n'Prove, AtelierB, Rodin).
  - Model Checking: NuSMV, Promela (Tools: NuSMV, Spin, Bandera).

Static Analysis
- Good knowledge of JavaCC and JJTree (parser generator and AST manipulation).
- Notions of Lex, Yacc.

Development Tools
- Eclipse, Tornado, Emacs, Dreamweaver, AtelierB, Rodin.

Miscellaneous
- Transition networks, temporal logic (LTL, CTL), Petri Nets.

OTHER SKILLS

Languages
- French (native language).
- English (fluent).
- German (undergraduate knowledge).

Miscellaneous
- Driving licence.
- Many sports such as mountaineering, climbing, running, gymnastics (gymnastics monitor from 1995 to 1998)...
- Music: I play guitar and didgeridoo.

RESEARCH PUBLICATIONS

All publications, workshop papers, master's reports and teaching courses are available at http://alexandre.cortier.free.fr/.

International Conferences
- A. Cortier, B. d'Ausbourg, Y. Aït-Ameur, “Formal Validation of Java/Swing User Interfaces with the Event-B Method”, 12th International Conference on Human-Computer Interaction (HCI'07), J. Jacko editor, volume 1, Springer, Beijing (China), July 2007.
- Y. Aït-Ameur, A. Cortier, R. Delmas, V. Wiels, “Formal modelling of avionics systems. An approach based on category theory and the EXPRESS modelling language”, Proceedings of IEEE International Symposium on Leveraging Formal Methods Applications (ISOLA 2006), Paphos (Cyprus), pages 27-35.

National Conferences
- Y. Aït-Ameur, A. Cortier, R. Delmas, V. Wiels, “Modélisation Formelle de Composants Avioniques. Utilisation du Langage de Modélisation EXPRESS”, Actes des Journées Objets, Composants et Modèles (OCM 2005), Grenoble, May 2005.
- A. Cortier, B. d'Ausbourg, Y. Aït-Ameur, “Contribution à la Validation Formelle des Systèmes Interactifs”, Approches Formelles dans l'Assistance au Développement de Logiciels (AFADL 2007), Namur, June 2007, pages 21-38.

Reports
- Master / 3rd year engineering report, “Méta-Modélisation EXPRESS de l'architecture à base de composants”, LISI-ENSMA, 2004.

PH.D. WORKS: DETAILS

Context. Human Computer Interfaces are becoming more and more complex and now assist critical activities. So, the industrial HCI development world faces a real need for a validation methodology in order to ensure correctness, security and usability of the developed interactive systems, and tests are the only validation technique applied to the end products. Many studies suggested the use of formal methods in the development process to ensure the required properties and to reduce the number of tests. In fact, these methods are not easily applicable to a whole industrial interactive systems development process. So, we suggest using formal methods in the validation steps of the development process only. In such a context, the source code of the application is the first material we use as input. The idea is to extract a formal execution model of the application from this source code. This model describes the interface behavior and is used to validate usability and dialog interaction scenarios (use cases) by theorem proving. In our work, we consider that this validation is performed with respect to a task model, which is the second material we use as input and which can be considered as an application specification.

Java-Swing programs. We focused on Java-Swing implementations. A Java-Swing program makes use of widgets. Listeners are predefined objects that listen to events fired by user actions on widgets. The required method of a listener is invoked in accordance with the type of the emitted event. The execution of listener methods modifies the internal state of the system. So the behavior of a Java interactive system can be viewed as an ordered set of sequential processes running the listener methods. The execution order depends on the sequence order of user actions on widgets.

Formal model extraction. We chose the Event B language to express the formal model. This choice is motivated by the fact that the Event B method is supported by existing tools and is well adapted to the description of interactive systems as well as sequential systems. The basic element in the Event B method is the model. A B model is defined by a set of variables declared in a VARIABLES clause. These variables evolve due to the action of events that are defined in an EVENTS clause. Each event is characterized by a guard, a first order logic expression involving variables. An event is fired when its guard evaluates to true. The formal execution model describes the interface behavior and namely its reactions to user actions. This behaviour is encoded by widget definitions and listener methods inside the source code. So the Event B model is made up of variables and functions which describe widgets, listeners and the relations between them. Inside the model, a listener method is denoted by a set of events that change control and rendering variables. These events are scheduled by variants. In order to extract this event-B behavioural model we use abstraction and static analysis principles. First, Java-Swing elementary components (widgets) and classes of the functional core are abstracted by preserving only the relevant attributes (visibility, enabling, ...). Second, all classes of the interactive part of the application are parsed in order to obtain an abstract syntax tree representation of the application. This AST is analysed in order to produce an intermediate representation as a Java System Dependence Graph (Control Flow Graph). Third, we analyse the main() method of the application to derive a structural representation of the application (widget tree organisation, widget/widget links, widget/listener links). This structural representation allows us to define the SETS, PROPERTIES, VARIABLES and INVARIANT clauses of the event-B model. Finally, listener methods are analysed in order to construct a behavioural representation of the system. This behavioural representation allows us to define the EVENTS clause of the event-B model.

Validation process. The objective is to compare the application behaviour, encoded in the source code, with a specified behaviour described by a task model. The idea is to compare the extracted B model of execution with a formalized task model. The task models we use are expressed in CTT (Concurrent Task Tree). CTT describes task expressions combining CTT temporal operators and atomic tasks (atomic events). A CTT task model is based on a hierarchical structure of tasks represented by a tree-like structure. Leaves represent concrete user actions and interface reactions. We translate a CTT model to an Event B model by using the refinement principle. B events refine the user actions of the CTT model. Moreover, variables and new events are added; these new events reflect calls to the listener methods that handle these user actions inside the application program. B tools permit proving (in particular by generating proof obligations) that the extracted B model of execution is a correct implementation of the B model of tasks. Moreover it is possible, by adding some invariants or some assertions, to prove other HCI properties such as deadlock freeness or insistence properties.
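To illustrate the shape of the extracted execution model and the checks run on it, here is an added Python example (written for this page, not the thesis prototype nor its Event B output): a constructed Swing "enter your name" dialog abstracted to widgets carrying only visibility and enabling, listener methods turned into guarded events, a breadth-first exploration of the abstract states to find those with no enabled event, and a replay of a CTT-like user action sequence to check that the model can realize it. All widget and listener names, and the dialog's behaviour, are assumptions of the example.

```python
from collections import deque

# Constructed abstraction of a small Java/Swing "enter your name" dialog (sample input
# made up for this example, not output of the thesis prototype). Each widget keeps
# only the attributes the abstraction step preserves: (visible, enabled).
INIT = {"dialog": (True, True), "name_field": (True, True),
        "ok_button": (True, False),   # disabled until a name has been typed
        "cancel_button": (True, True)}

def enabled(state, widget):
    # Guard shared by all events: dialog shown, widget visible and enabled.
    return state["dialog"][0] and state[widget][0] and state[widget][1]

# Listener methods abstracted as Event B style events: (guarding widget, action on the
# state); both closing listeners hide the dialog and reset the OK button.
close = lambda s: {**s, "dialog": (False, False), "ok_button": (True, False)}
EVENTS = {
    "name_field.keyTyped": ("name_field", lambda s: {**s, "ok_button": (True, True)}),
    "ok_button.actionPerformed": ("ok_button", close),
    "cancel_button.actionPerformed": ("cancel_button", close),
}

def enabled_events(state):
    # Events whose guard holds in this state, in a stable order.
    return sorted(n for n, (widget, _) in EVENTS.items() if enabled(state, widget))

def reachable_states(init=INIT):
    # Breadth-first exploration of the abstract execution model: {state: enabled events}.
    key = lambda s: tuple(sorted(s.items()))
    seen, queue = {}, deque([init])
    while queue:
        s = queue.popleft()
        if key(s) in seen:
            continue
        seen[key(s)] = enabled_events(s)
        queue.extend(EVENTS[n][1](s) for n in seen[key(s)])
    return seen

def deadlock_states(init=INIT):
    # Reachable states with no enabled event (expected: only the closed dialog).
    return [dict(k) for k, evs in reachable_states(init).items() if not evs]

def scenario_feasible(user_actions, init=INIT):
    # Replay a CTT-like user action sequence; each action must be enabled when it occurs.
    s = init
    for action in user_actions:
        if action not in enabled_events(s):
            return False
        s = EVENTS[action][1](s)
    return True
```

The only state without an enabled event is the closed dialog, the intended final state, so the check distinguishes a genuine deadlock from normal termination; the sequence "click OK" before typing a name is correctly rejected by the OK button's guard.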