“…Maybe this is going too far: there is no reason, for instance, why a BDD package should be verified using itself, whereas proof techniques for pointer manipulation algorithms are clearly more appropriate. However, we can mention, in the case of CADP, three examples that sustain Bernhard Steffen's intuition about "circular use" of formal tools: (i) The CAESAR.ADT compiler [12], which translates LOTOS abstract data types to C, is used to bootstrap itself and to build the XTL model checker [39], both tools being mostly written using LOTOS abstract data types; (ii) Similarly, the LNT language [19], as implemented by the TRAIAN compiler, serves as a basis for implementing the LNT2LOTOS translator for LNT, as well as a dozen of compilers/translators for other languages [16]; (iii) The DLC compiler [10], which translates LNT concurrent descriptions with multiway rendezvous [20] into distributed POSIX processes communicating using TCP sockets, enables formal validation, as its inputs and outputs, both expressed in LNT, can be compared against each other modulo safety equivalence.…”