The project team is located at the *LSV*, a joint Inria-CNRS-ENSC lab at ENS Cachan.

In the increasingly networked world, reliability of applications becomes ever more critical as the number of users of, e.g., communication systems, web services, transportation etc., grows steadily. Management of networked systems, in a very general sense of the term, therefore is a crucial task, but also a difficult one.

*MExICo* strives to
take advantage of distribution by orchestrating cooperation between different agents that observe local subsystems,
and interact in a localized fashion.

The need for applying formal methods in the analysis and management of complex systems has long been recognized. It is with much less unanimity that the scientific community embraces methods based on asynchronous and distributed models. Centralized and sequential modeling still prevails.

However, we observe that crucial applications have increasing numbers of
users, that networks providing services grow fast both in the number of
participants and the physical size and degree of spatial distribution.
Moreover, traditional *isolated* and *proprietary* software
products for local systems are no longer typical for emerging applications.

In contrast to traditional centralized and sequential machinery for which purely functional specifications are efficient, we have to account for applications being provided from diverse and non-coordinated sources. Their distribution (e.g. over the Web) must change the way we verify and manage them. In particular, one cannot ignore the impact of quantitative features such as delays or failure likelihoods on the functionalities of composite services in distributed systems.

We thus identify three main characteristics of complex distributed systems that constitute research challenges:

*Concurrency* of behavior;

*Interaction* of diverse and semi-transparent components; and

management of *Quantitative* aspects of behavior.

The increasing size and the networked nature of communication systems,
controls, distributed services, etc. confront us with an ever higher degree
of parallelism between local processes. This field of application for
our work includes telecommunication systems and composite web
services. The challenge is to provide sound theoretical foundations and
efficient algorithms for management of such systems, ranging from
controller synthesis and fault diagnosis to integration and adaptation.
While these tasks have received considerable attention in the
*sequential* setting, managing *non-sequential* behavior requires
profound modifications for existing approaches, and often the development
of new approaches altogether. We see concurrency in distributed systems as
an opportunity rather than a nuisance. Our goal is to *exploit*
asynchronicity and distribution as an advantage. Clever use of adequate
models, in particular *partial order semantics* (ranging from
Mazurkiewicz traces to event structures to MSCs) actually helps in
practice. In fact, the partial order vision allows us to make causal
precedence relations explicit, and to perform diagnosis and test for the
dependency between events. This is a conceptual advantage that
interleaving-based approaches cannot match. The two key features of our
work will be *(i)* the exploitation of concurrency by using
asynchronous models with partial order semantics, and *(ii)*
distribution of the agents performing management tasks.

Systems and services exhibit non-trivial *interaction* between
specialized and heterogeneous components. A coordinated interplay of several
components is required; this is challenging since each of them has only a limited, partial view of the
system's configuration. We refer to this problem as *distributed
synthesis* or *distributed control*. An aggravating factor is that
the structure of a component might be semi-transparent, which requires a
form of *grey box management*.

Besides the logical functionalities of programs, the *quantitative*
aspects of component behavior and interaction play an increasingly
important role.

*Real-time* properties cannot be neglected even if time is not
an explicit functional issue, since transmission delays, parallelism,
etc, can lead to time-outs striking, and thus change even the logical
course of processes. Again, this phenomenon arises in telecommunications
and web services, but also in transport systems.

In the same contexts, *probabilities* need to be taken into
account, for many diverse reasons such as unpredictable functionalities,
or because the outcome of a computation may be governed by race
conditions.

Last but not least, constraints on *cost* cannot be ignored,
be it in terms of money or any other limited resource, such as memory
space or available CPU time.

Property of systems allowing some interacting processes to be executed in parallel.

The process of deducing from a
partial observation of a system aspects of the internal states or events of that system; in particular, *fault diagnosis* aims
at determining whether or not some non-observable fault event has
occurred.

Feeding dedicated input into an implemented system

It is well known that, whatever the intended form of analysis or control, a
*global* view of the system state leads to overwhelming numbers of
states and transitions, thus slowing down algorithms that need to explore
the state space. Worse yet, it often blurs the mechanics that are at work
rather than exhibiting them. Conversely, respecting concurrency relations
avoids exhaustive enumeration of interleavings. It allows us to focus on
`essential' properties of non-sequential processes, which are expressible
with causal precedence relations. These precedence relations are usually
called causal (partial) orders. Concurrency is the explicit absence of
such a precedence between actions that do not have to wait for one another.
Both causal orders and concurrency are in fact essential elements of a
specification. This is especially true when the specification is
constructed in a distributed and modular way. Making these ordering
relations explicit requires to leave the framework of state/interleaving
based semantics. Therefore, we need to develop new dedicated algorithms
for tasks such as conformance testing, fault diagnosis, or control for
distributed discrete systems. Existing solutions for these problems often
rely on centralized sequential models which do not scale up well.

*Fault Diagnosis* for discrete event systems is a crucial task in
automatic control. Our focus is on *event oriented* (as opposed to
*state oriented*) model-based diagnosis, asking e.g. the following
questions:

given a - potentially large - *alarm pattern*
formed of observations,

what are the possible *fault scenarios* in the system that
*explain* the pattern ?

Based on the observations, can we deduce whether or not a certain - invisible - fault has actually occurred ?

Model-based diagnosis starts from a discrete event model of the observed system - or rather, its relevant aspects, such as possible fault propagations, abstracting away other dimensions. From this model, an extraction or unfolding process, guided by the observation, produces recursively the explanation candidates.

In asynchronous partial-order based diagnosis with Petri nets
, , , one unfolds the
*labelled product* of a Petri net model *(configurations)* that explain *exactly*

Diagnosis algorithms have to operate in contexts with low observability,
i.e., in systems where many events are invisible to the supervisor.
Checking *observability* and *diagnosability* for the
supervised systems is therefore a crucial and non-trivial task in its own
right. Analysis of the relational structure of occurrence nets allows us
to check whether the system exhibits sufficient visibility to allow
diagnosis. Developing efficient methods for both verification of
*diagnosability checking* under concurrency, and the *diagnosis*
itself for distributed, composite and asynchronous systems, is an important
field for *MExICo*.

Distributed computation of unfoldings allows one to factor the unfolding of
the global system into smaller *local* unfoldings, by local
supervisors associated with sub-networks and communicating among each other.
In , , elements of a methodology for distributed computation of unfoldings between several supervisors, underwritten by algebraic
properties of the category of Petri nets have been developed. Generalizations, in particular
to Graph Grammars, are still do be done.

Computing diagnosis in a distributed way is only one aspect of a much
vaster topic, that of *distributed diagnosis* (see
, ). In fact, it involves a
more abstract and often indirect reasoning to conclude whether or not some
given invisible fault has occurred. Combination of local scenarios is in
general not sufficient: the global system may have behaviors that do not
reveal themselves as faulty (or, dually, non-faulty) on any local
supervisor's domain (compare , ). Rather, the local
diagnosers have to join all *information* that is available to them
locally, and then deduce collectively further information from the
combination of their views. In particular, even the *absence* of
fault evidence on all peers may allow to deduce fault occurrence jointly, see
, .
Automatizing such procedures for the supervision and management of
distributed and locally monitored asynchronous systems is a mid-term goal
of *MExICo*.

Assuring the correctness of concurrent systems is notoriously difficult due to the many unforeseeable ways in which the components may interact and the resulting state-space explosion. A well-established approach to alleviate this problem is to model concurrent systems as Petri nets and analyse their unfoldings, essentially an acyclic version of the Petri net whose simpler structure permits easier analysis .

However, Petri nets are inadequate to model concurrent read accesses to the same resource. Such situations arise naturally in many circumstances, for instance in concurrent databases or in asynchronous circuits. The encoding tricks typically used to model these cases in Petri nets make the unfolding technique inefficient.

Contextual nets, which explicitly do model concurrent read accesses, address this problem. Their accurate representation of concurrency makes contextual unfoldings up to exponentially smaller in certain situations, which promises to yield more efficient analysis procedures. In order to realize such procedures, we shall study contextual nets and their properties, in particular the efficient construction and analysis of their unfoldings, and their applications in verification, diagnosis, and planning.

In a DIGITEO PhD project, we will study logical specification formalisms for concurrent recursive programs. With the advent of multi-core processors, the analysis and synthesis of such programs is becoming more and more important. However, it cannot be achieved without more comprehensive formal mathematical models of concurrency and parallelization. Most existing approaches have in common that they restrict to the analysis of an over- or underapproximation of the actual program executions and do not focus on a behavioral semantics. In particular, temporal logics have not been considered. Their design and study will require the combination of prior works on logics for sequential recursive programs and concurrent finite-state programs.

The gap between specification and implementation
is at the heart of research on formal testing.
The general *conformance testing problem* can be defined
as follows:
Does an implementation *input streams* for

In this project, we focus on distributed or asynchronous versions of the
conformance testing problem. There are two main difficulties. First, due
to the distributed nature of the system, it may not be possible to have a
unique global observer for the outcome of a test. Hence, we may need to
use *local* observers which will record only *partial views* of
the execution. Due to this, it is difficult or even impossible to
reconstruct a coherent global execution. The second difficulty is the lack
of global synchronization in distributed asynchronous systems. Up to now,
models were described with I/O automata having a centralized control, hence
inducing global synchronizations.

Since 2006 and in particular during his sabbatical stay at the University of Ottawa, Stefan Haar has been working with Guy-Vincent Jourdan and Gregor v. Bochmann of UOttawa and Claude Jard of IRISA on asynchronous testing. In the synchronous (sequential) approach, the model is described by an I/O automaton with a centralized control and transitions labeled with individual input or output actions. This approach has known limitations when inputs and outputs are distributed over remote sites, a feature that is characteristic of , e.g., web computing. To account for concurrency in the system, they have developed in , asynchronous conformance testing for automata with transitions labeled with (finite) partial orders of I/O. Intuitively, this is a “big step” semantics where each step allows concurrency but the system is synchronized before the next big step. This is already an important improvement on the synchronous setting. The non-trivial challenge is now to cope with fully asynchronous specifications using models with decentralized control such as Petri nets.

Message-Sequence-Charts (MSCs) provide models of behaviors of distributed
systems with communicating processes. An important problem is to test whether
an implementation conforms to a specification given for instance by an
HMSC. In *local testing*, one proceeds by injecting messages to the
local processes and observing the responses: for each process

The first step that should be reached in the near future
is the completion of asynchronous testing in the setting without any big-step synchronization. In parallel, work on
the problems in local testing should progress sufficiently to allow, in a mid-term perspective, to understand the relations
and possible interconnections between local (i.e. distributed) and asynchronous (centralized) testing.
This is the objective of the *TECSTES* project (2011-2014), funded by a DIGITEO *DIM/LSC* grant,
and which involves Hernán Ponce de Léon and Stefan Haar of *MExICo*, and Delphine Longuet at LRI, University Paris-Sud/Orsay.
We have extended several well known conformance (ioco style) relations for sequential models to models that can handle concurrency (labeled event structures). Two semantics (interleaving and partial order) were presented for every relation. With the interleaving semantics, the relations we obtained boil down to the same relations defined for labeled transition systems, since they focus on sequences of actions. The only advantage of using labeled event structures as a specification formalism for testing remains in the conciseness of the concurrent model with respect to a sequential one. As far as testing is concerned, the benefit is low since every interleaving has to be tested. By contrast, under the partial order semantics, the relations we obtain allow to distinguish explicitly implementations where concurrent actions are implemented concurrently, from those where they are interleaved, i.e. implemented sequentially. Therefore, these relations will be of interest when designing distributed systems, since the natural concurrency between actions that are performed in parallel by different processes can be taken into account. In particular, the fact of being unable to control or observe the order between actions taking place on different processes will not be considered as an impediment for testing.

The mid-to long term goal (perhaps not yet to achieve in this four-year term) is the comprehensive formalization of testing and testability in asynchronous systems with distributed architecture and test protocols.

Systems and services exhibit non-trivial *interaction* between
specialized and heterogeneous components. This interplay is challenging
for several reasons. On one hand, a coordinated interplay of several
components is required, though each has only a limited, partial view of the
system's configuration. We refer to this problem as *distributed
synthesis* or *distributed control*. An aggravating factor is that
the structure of a component might be semi-transparent, which requires a
form of *grey box management*.

Interaction, one of the main characteristics of systems under
consideration, often involves an environment that is not under the control
of cooperating services. To achieve a common goal, the services need to
agree upon a strategy that allows them to react appropriately regardless of
the interactions with the environment. Clearly, the notions of opponents
and strategies fall within *game theory*, which is naturally one of
our main tools in exploring interaction. We will apply to our problems
techniques and results developed in the domains of distributed games and of games with partial information. We will consider also new problems on games that arise from our
applications.

Program synthesis, as introduced by Church aims at deriving directly an implementation from a specification, allowing the implementation to be correct by design. When the implementation is already at hand but choices remain to be resolved at run time then the problem becomes controller synthesis. Both program and controller synthesis have been extensively studied for sequential systems. In a distributed setting, we need to synthesize a distributed program or distributed controllers that interact locally with the system components. The main difficulty comes from the fact that the local controllers/programs have only a partial view of the entire system. This is also an old problem largely considered undecidable in most settings , , , , .

Actually, the main undecidability sources come from the fact that this problem was addressed in a synchronous setting using global runs viewed as sequences. In a truly distributed system where interactions are asynchronous we have recently obtained encouraging decidability results ,. This is a clear witness where concurrency may be exploited to obtain positive results. It is essential to specify expected properties directly in terms of causality revealed by partial order models of executions (MSCs or Mazurkiewicz traces). We intend to develop this line of research with the ambitious aim to obtain decidability for all natural systems and specifications. More precisely, we will identify natural hypotheses both on the architecture of our distributed system and on the specifications under which the distributed program/controller synthesis problem is decidable. This should open the way to important applications, e.g., for distributed control of embedded systems.

Contrary to mainframe systems or monolithic applications of the past, we
are experiencing and using an increasing number of services that are
performed not by one provider but rather by the interaction and cooperation
of many specialized components. As these components come from different
providers, one can no longer assume all of their internal technologies to
be known (as it is the case with proprietary technology). Thus, in order
to compose e.g. orchestrated services over the web, to determine violations
of specifications or contracts, to adapt existing services to new
situations etc, one needs to analyze the interaction behavior of
*boxes* that are known only through their public interfaces. For
their semi-transparent-semi-opaque nature, we shall refer to them as
**grey boxes**. While the concrete nature of these boxes can range
from vehicles in a highway section to hotel reservation systems, the tasks
of *grey box management* have universal features allowing for
generalized approaches with formal methods. Two central issues emerge:

Abstraction: From the designer point of view, there is a need for a trade-off between transparency (no abstraction) in order to integrate the box in different contexts and opacity (full abstraction) for security reasons.

Adaptation: Since a grey box gives a partial view about the behavior of the component, even if it is not immediately useable in some context, the design of an adaptator is possible. Thus the goal is the synthesis of such an adaptator from a formal specification of the component and the environment.

Besides the logical functionalities of programs, the *quantitative*
aspects of component behavior and interaction play an increasingly
important role.

*Real-time* properties cannot be neglected even if time is not
an explicit functional issue, since transmission delays, parallelism,
etc, can lead to time-outs striking, and thus change even the logical
course of processes. Again, this phenomenon arises in telecommunications
and web services, but also in transport systems.

In the same contexts, *probabilities* need to be taken into
account, for many diverse reasons such as unpredictable functionalities,
or because the outcome of a computation may be governed by race
conditions.

Last but not least, constraints on *cost* cannot be ignored,
be it in terms of money or any other limited resource, such as memory
space or available CPU time.

Traditional mainframe systems were proprietary and (essentially) localized;
therefore, impact of delays, unforeseen failures, etc. could be considered
under the control of the system manager. It was therefore natural, in
verification and control of systems, to focus on *functional*
behavior entirely.

With the increase in size of computing system and the growing degree of compositionality and distribution, quantitative factors enter the stage:

calling remote services and transmitting data over the web creates *delays*;

remote or non-proprietary components are not “deterministic”, in the sense that their behavior is uncertain.

*Time* and *probability* are thus parameters
that management of distributed systems must
be able to handle; along with both, the *cost* of operations is often subject to restrictions,
or its minimization is at least desired.
The mathematical treatment of these features in
distributed systems is an important challenge,
which *MExICo* is addressing; the following describes our activities concerning probabilistic and
timed systems. Note that cost optimization is not a current activity but enters the picture in several intended activities.

Practical fault diagnosis requires to select explanations
of *maximal likelihood*; this leads therefore to the question what the
probability of a given partially ordered execution is.
In Benveniste et al. , , we presented a model of stochastic processes, whose trajectories are partially ordered, based on local branching in Petri net unfoldings;
an alternative and complementary model based on
Markov fields is developed in ,
which takes a different view on the semantics
and overcomes the first model's restrictions on applicability.

Both approaches
abstract away from real time progress and randomize choices in *logical* time. On the other hand, the relative speed - and thus, indirectly, the real-time behavior of the system's local processes - are crucial factors determining the outcome of probabilistic choices, even if
non-determinism is absent from the system.

Recently, we started a new line of research with Anne Bouillard, Sidney Rosario, and Albert Benveniste in the DistribCom team at Inria Rennes, studying the likelihood of occurrence of non-sequential runs under random durations in a stochastic Petri net setting.

Once the properties of the probability measures thus obtained are
understood, it will be interesting to relate them with the two above models
in logical time, and understand their differences. Another mid-term goal,
in parallel, is the transfer to *diagnosis*.

Distributed systems featuring non-deterministic and probabilistic aspects are usually hard to analyze and, more specifically, to optimize. Furthermore, high complexity theoretical lower bounds have been established for models like partially observed Markovian decision processes and distributed partially observed Markovian decision processes. We believe that these negative results are consequences of the choice of the models rather than the intrinsic complexity of problems to be solved. Thus we plan to introduce new models in which the associated optimization problems can be solved in a more efficient way. More precisely, we start by studying connection protocols weighted by costs and we look for online and offline strategies for optimizing the mean cost to achieve the protocol. We cooperate on this subject with Eric Fabre in the DistribCom team at Inria Rennes, in the context of the DISC project.

Addressing large-scale probabilistic systems requires to face state explosion, due to both the discrete part and the probabilistic part of the model. In order to deal with such systems, different approaches have been proposed:

Restricting the synchronization between the components as in queuing networks allows to express the steady-state distribution of the model by an analytical formula called a product-form .

Some methods that tackle with the combinatory explosion for discrete-event systems can be generalized to stochastic systems using an appropriate theory. For instance symmetry based methods have been generalized to stochastic systems with the help of aggregation theory .

At last simulation, which works as soon as a stochastic operational semantic is defined, has been adapted to perform statistical model checking. Roughly speaking, it consists to produce a confidence interval for the probability that a random path fulfills a formula of some temporal logic .

We want to contribute to these three axes: (1) we are looking for product-forms related to systems where synchronization are more involved (like in Petri nets), (2) we want to adapt methods for discrete-event systems that require some theoretical developments in the stochastic framework and, (3) we plane to address some important limitations of statistical model checking like the expressiveness of the associated logic and the handling of rare events.

Nowadays, software systems largely depend on complex timing constraints and usually consist of many interacting local components. Among them, railway crossings, traffic control units, mobile phones, computer servers, and many more safety-critical systems are subject to particular quality standards. It is therefore becoming increasingly important to look at networks of timed systems, which allow real-time systems to operate in a distributed manner.

Timed automata are a well-studied formalism to describe reactive systems that come with timing constraints. For modeling distributed real-time systems, networks of timed automata have been considered, where the local clocks of the processes usually evolve at the same rate . It is, however, not always adequate to assume that distributed components of a system obey a global time. Actually, there is generally no reason to assume that different timed systems in the networks refer to the same time or evolve at the same rate. Any component is rather determined by local influences such as temperature and workload.

A first step towards formal models of distributed timed systems with
independently evolving clocks was done in . As
the precise evolution of local clock rates is often too complex or even
unknown, the authors study different semantics of a given system: The
*existential semantics* exhibits all those behaviors that are possible
under *some* time evolution. The *universal semantics* captures
only those behaviors that are possible under *all* time evolutions.
While emptiness and universality of the universal semantics are in general
undecidable, the existential semantics is always regular and offers a way
to check a given system against safety properties. A decidable
under-approximation of the universal semantics, called *reactive
semantics*, is introduced to check a system for liveness properties. It
assumes the existence of a *global* controller that allows the system
to react upon local time evolutions.
A short term goal is to investigate a *distributed* reactive
semantics where controllers are located at processes and only have
local views of the system behaviors.

Several questions, however, have not yet been tackled in this previous work or
remain open. In particular, we plan to exploit the power of synchronization
via local clocks and to investigate the *synthesis problem*: For which
(global) specifications

If, on the other hand, a system is already given and complemented with a
specification, then one is usually interested in controlling the system in
such a way that it meets its specification. The interaction between the actual
*system* and the *environment* (i.e., the local time evolution) can
now be understood as a 2-player game: the system's goal is to guarantee a
behavior that conforms with the specification, while the environment aims at
violating the specification. Thus, building a controller of a system actually
amounts to computing winning strategies in imperfect-information games with
infinitely many states where the unknown or unpredictable evolution of time
reflects an imperfect information of the environment. Only few efforts have
been made to tackle those kinds of games. One reason might be that, in the
presence of imperfect information and infinitely many states, one is quickly
confronted with undecidability of basic decision problems.

This is one of the tasks of the ANR ImpRo.

The objective is to provide formal guarantees on the implementation of real-time distributed systems, despite the semantic differences between the model and the code. We consider two kinds of timed models: time Petri nets and networks of timed automata .

Time Petri Nets allow the designer to explicit concurrent parts of the system, but without having decided yet to localize the different actions on the different components. In that sense, TPNs are more abstract than networks of timed automata, which can be seen as possible (ideal) distributed implementations. This raises the question of semantical comparison of these two models in the light of preserving the maximum of concurrency.

In order to implement our models on distributed architectures, we need a way to evaluate how much the implementation preserves the concurrency that is described in the model. For this we must be able to identify concurrency in the behavior of the models. This is done by equipping the models with a concurrent semantics (unfoldings), allowing us to consider the behaviors as partial orders.

For instance, we would like to be able to transform a time Petri net into a network of timed automata, which is closer to the implementation since the processes are well identified. But we require that this transformation preserves concurrency. Yet the first works about formal comparisons of the expressivity of these models , , , , do not consider preservation of concurrency.

In contrast, we aim at formalizing and automating translations that preserve
both the timed semantics and the concurrent semantics. This effort is crucial
for extending concurrency-oriented methods for logical time, in particular for
exploiting partial order properties. In fact, validation and management - in a
broad sense - of distributed systems is not realistic *in general* without
understanding and control of their real-time dependent features; the link
between real-time and logical-time behaviors is thus crucial for many aspects of
*MExICo*'s work.

Time and probability are only two facets of quantitative phenomena. A generic concept of adding weights to qualitative systems is provided by the theory of weighted automata . They allow one to treat probabilistic or also reward models in a unified framework. Unlike finite automata, which are based on the Boolean semiring, weighted automata build on more general structures such as the natural or real numbers (equipped with the usual addition and multiplication) or the probabilistic semiring. Hence, a weighted automaton associates with any possible behavior a weight beyond the usual Boolean classification of “acceptance” or “non-acceptance”. Automata with weights have produced a well-established theory and come, e.g., with a characterization in terms of rational expressions, which generalizes the famous theorem of Kleene in the unweighted setting. Equipped with a solid theoretical basis, weighted automata finally found their way into numerous application areas such as natural language processing and speech recognition, or digital image compression.

What is still missing in the theory of weighted automata are satisfactory connections with verification-related issues such as (temporal) logic and bisimulation that could lead to a general approach to corresponding satisfiability and model-checking problems. A first step towards a more satisfactory theory of weighted systems was done in . That paper, however does not give final solutions to all the aforementioned problems. It identifies directions for future research that we will be tackling.

telecommunications, multimedia, transportation systems, web services

*MExICo*'s research is motivated by problems on system management in several domains:

In the domain of service oriented computing,
it is often necessary to insert some Web service
into an existing orchestrated business process, e.g. to replace another component after failures.
This requires to ensure, often actively, conformance to
the interaction protocol. One therefore needs to synthesize *adaptators* for every
component in order to steer its interaction with the
surrounding processes.

Still in the domain of telecommunications, the supervision of a network tends to move from out-of-band technology, with a fixed dedicated supervision infrastructure, to in-band supervision where the supervision process uses the supervised network itself. This new setting requires to revisit the existing supervision techniques using control and diagnosis tools.

This list is likely to grow over the next years as we continue our research.

In the context of traditional hard-wired communication networks, supervision structures for managing faults, configuration, provisioning etc could be developed with a fixed infrastructure, and perform the communication between sensors, supervisors, policy enforcement points etc over a separate network using separate hardware. This rigid, **out-of-band** technology does not survive passing to today's and tomorrow's services and networks. In fact, the dynamic mobility of services combined across sites and domains cannot be captured unless the network used for supervision evolves in the same way and simultaneously, which rules out static solutions; but providing out-of-band infrastructure that grows with the networks to be supervised would be prohibitively expensive, if at all technically feasible. *Heterogeneity* is
the other feature of modern networks that forces a change, since different domains are not likely to agree on a pervasive third-party supervision. Rather, the providers will keep control over the internal state and evolution of their domain, and accept only exchange through standardized outward interfaces.

Supervision has thus to be re-invented on an *in-band*, *autonomous* base: monitoring probes deployed on the web, dysfunctions on one peer node diagnosed by another peer in a network with changing configuration, enhanced supervisor and actor capacities of services, etc.
*MExICo* will work on improving the interoperability of service components through continued
application of e.g. distributed techniques for
control and diagnosis.

Specific applications targeted by *MExICo* include the problem of adaptation in Service-Oriented Computing (SOC). The challenge is here twofold, stemming both from the distributed nature of services (scattered over the entire web) and their heterogeneous origins.

Web services have become the most frequently used model of design and programming based on components for business applications. Web service languages like BPEL have useful constructors that manage for instance exceptions, (timed guarded) waiting of messages, parallel execution of processes, distant service invocations, etc. Interoperability of components is based on interaction protocols associated with them and often published on public or private registers. In the framework of Web services, these protocols are called abstract processes by contrast with business processes (i.e. services). Composition of components must be analyzed for several reasons and at least to avoid deadlocks during execution. This has led to numerous works that focus on compositional verification, substitution of a component by another one, synthesis of adaptators, etc., and triggered a push towards a unifying theoretical framework (see e.g. , )

Interoperability requires that when a user or a program wants to interact with the component, the knowledge of the interaction protocol is enough. Our previous works have shown that the interaction protocols can be inherently ambiguous: no client can conduct a correct interaction with the component in every scenario. This problem is even more complex when the protocol can evolve during execution due to adaptation requirements. The composition of components also raises interesting problems. When composing optimal components (w.r.t. the number of states for instance) the global component can be non optimal. So one aims at reducing a posteriori or better on the fly the global component. At last, the dynamical insertion of a component in a business process requires to check whether this insertion is behaviorally consistent ,

We do not intend to check global properties based on a modular verification technique. Rather, given an interaction protocol per component and a global property to ensure, we want to synthesize an adaptator per component such that this property is fulfilled or to detect that there cannot exist such adaptators . In another research direction, one can introduce the concept of utility of a service and then optimize a system i.e. keeping the same utility value while reducing the resources (states, transitions, clocks, etc.).

`libalf` is a comprehensive, open-source library for learning
finite-state automata covering various well-known learning techniques (such
as, Angluin s L

Details on `libalf` can be found at
`http://libalf.informatik.rwth-aachen.de/`

Mole computes, given a safe Petri net, a finite prefix of its
unfolding. It is designed to be compatible with other tools, such as
PEP and the Model-Checking Kit, which are using the resulting unfolding
for reachability checking and other analyses. The tool Mole arose
out of earlier work on Petri nets. Details on Mole can be found at
http://

In the context of MExICo, we have created a new tool called Cunf,
which is able to handle contextual nets, i.e. Petri nets with read
arcs ,. While in principle every contextual net can
be transformed into an equivalent Petri net and then unfolded using Mole,
Cunf can take advantage of their special features to do the job faster
and produce a smaller unfolding. Cunf has recently been extended with
a verification component that takes advantage of these features .
More details can be found at
http://

COSMOS is a statistical model checker for the Hybrid Automata Stochastic Logic (HASL). HASL employs Linear Hybrid Automata (LHA), a generalization of Deterministic Timed Automata (DTA), to describe accepting execution paths of a Discrete Event Stochastic Process (DESP), a class of stochastic models which includes, but is not limited to, Markov chains. As a result HASL verification turns out to be a unifying framework where sophisticated temporal reasoning is naturally blended with elaborate reward-based analysis. COSMOS takes as input a DESP (described in terms of a Generalized Stochastic Petri Net), an LHA and an expression Z representing the quantity to be estimated. It returns a confidence interval estimation of Z; recently, it has been equipped with functionalities for rare event analysis. COSMOS is written in C++ and is freely available to the research community.

Details on COSMOS can be found at
`http://www.lsv.ens-cachan.fr/ barbot/cosmos/`

CosyVerif is a software environment whose goal is the formal specification and verification of dynamic systems.

It has been designed in order to:

- support different formalisms with the ability to easily create new ones, - provide a graphical interface for every formalism, - include verification tools called via the interface as a web service, - offer the possibility for a developer to integrate his/her own tool, also allowing it to interact with the other tools.

This environment consists of two software tools: Coloane, the graphical interface, and Alligator, an integration framework based web services. It is enlarged with the existing verification tools developed in our laboratories (founding members or partners). Why ?

The development of Cosyverif has been decided and it is supported by three partners of the Parisian verification group, MeFoSyLoMa. This group is composed of seven teams. and the founding members of are LIP6, LIPN and LSV. First, these members aim at sharing their tools, comparing and supporting industrial case studies and finally making them long-lasting. Second, they also want to promote the practice of formal verification in industry and thus they intend to ease the task of integration of new formalisms and tools.

It is managed by a steering committee consisting of researchers and engineers. It decides strategic orientations as well as technical choices. Current Tools

Two formalisms are supported: automata and Petri nets, both with extensions. Most of the tools are related to Petri nets. Some of them perform structural analyses like invariant computations. while other tools perform behavioural analyses: symbolic reachability graph building, unfolding, stochastic simulations, etc. Finally some of them transform high-level nets into low-level ones. All the developed software are open source and free software tools. Alligator is published under the GNU Affero General Public License (AGPL) version 3 ; Coloane is published under the Eclipse Public License (EPL) version 1 .

Three engineers have worked or are currently working on COSYVERIF:

Francis Hulin-Hubard, part-time (CNRS) in 2012;

Clément Desmoulins , full-time ( ANR), 6 months; and

Alban Linard, full-time Inria engineer, for 2 years.

Networks of timed automata (NTA) are widely used to model distributed real-time systems. Quite often in the literature, the automata are allowed to share clocks, i.e. the transitions of one automaton may be guarded by a condition on the value of clocks reset by another automaton. This is a problem when one considers implementing such model in a distributed architecture, since reading clocks a priori requires communications which are not explicitly described in the model.

We discuss a formalization of the problem and give a criterion using the
notion of contextual timed transition system, which represents the behavior of

Here, we consider the dual approach of restricting the domain of data words instead of pruning the logic. This allows us to tackle the model-checking problem with respect to monadic second-order (MSO) properties. As model checking is undecidable for nearly all known automata models (including the model presented in the first part of the talk), we introduce data pushdown automata (DPA). DPA come with multiple pushdown stacks (where the access to stacks is bounded by a number of phase switches) and are enriched with parameters that can be instantiated with data values. DPA can model interesting protocols like a leader election protocol with an unknown number of processes. While satisfiability for MSO logic is undecidable (even for weaker fragments such as first-order logic), we show that one can decide if all words generated by a DPA satisfy a given formula from the full MSO logic.

A classical result by Hanf from the 60s states that first-order formulas over structures of bounded degree are equivalent to boolean combinations of statements of the form: “pattern P occurs at least n times”. Hanf's theorem has many model-theoretic applications, in particular in automata theory and database query answering.

However, until recently, no elementary construction was known. In , we present the first algorithm that computes a Hanf normal in elementary time. More precisely, our algorithm is triply exponential, which we also show to be optimal.

Multi-threaded programs with recursion are naturally modeled as multi-pushdown systems. The behaviors are represented as multiply nested words (MNWs), which are words enriched with additional binary relations for each stack matching a push operation with the corresponding pop operation. Any MNW can be decomposed by two basic and natural operations: shuffle of two sequences of factors and merge of consecutive factors of a sequence. We say that the split-width of an MNW is

Contextual nets (c-nets) are an extension of Petri nets that – unlike ordinary Petri nets – faithfully models concurrent read accesses to shared resources. This is not only interesting from a semantic but also from an algorithmic point of view, as the analysis of such nets can better exploit the fact that concurrent reads are independent and concurrent. In particular, the unfolding of a contextual net may be up to exponentially smaller in certain situations.

In previous work carried out in the Mexico project, we established theoretical foundations and efficient algorithms for constructing c-net unfoldings . More recently, we have investigated verification techniques based on c-nets. These exploit the advantages mentioned above to obtain results more efficiently. The results have been published in the Concur 2012 conference . In parallel, the development of the Cunf tool has continued, see . We are currently exploring how the technique can be combined with that of merged processes for further speed-ups, and its applications in diagnosis.

In , we show how to reliably compute fast-growing functions with timed-arc Petri nets and data nets. This construction provides ordinal-recursive lower bounds on the complexity of the main decidable properties (safety, termination, regular simulation, etc.) of these models. Since these new lower bounds match the upper bounds that one can derive from wqo theory, they precisely characterise the computational power of these so-called "enriched" nets. In , we characterize the importance of resources (like counters, channels, or alphabets) when measuring the expressiveness of Well-Structured Transition Systems (WSTS). We establish, for usual classes of well partial orders, the equivalence between the existence of order reflections (non-monotonic order embeddings) and the simulations with respect to coverability languages. We show that the non-existence of order reflections can be proved by the computation of order types. This allows us to extend the current classification of WSTS, in particular solving some open problems, and to unify the existing proofs.

Model checking real time properties on probabilistic systems requires computing transient probabilities on continuous time Markov chains. Beyond numerical analysis ability, a probabilistic framing can only be obtained using simulation. This statistical approach fails when directly applied to the estimation of very small probabilities. In , combining the uniformization technique and extending our previous results, we design a method which applies to continuous time Markov chains and formulas of a timed temporal logic. The corresponding algorithm has been implemented in our tool cosmos. We present experimentations on a relevant system, with drastic time reductions with respect to standard statistical model checking.

Statistical model-checking is an alternative verification technique applied on stochastic systems whose size is beyond numerical analysis ability. Given a model (most often a Markov chain) and a formula, it provides a confidence interval for the probability that the model satisfies the formula. One of the main limitations of the statistical approach is the computation time explosion triggered by the evaluation of very small probabilities. In order to solve this problem, we develop in a new approach based on importance sampling and coupling. The corresponding algorithms have been implemented in our tool cosmos. We present experimentation on several relevant systems, with estimated time reductions reaching a factor of

A complete testing framework for concurrent systems has been developped. We studied what kind of systems are testable in such a framework and we have proposed sufficient conditions for obtaining a complete test suite. Finally, an algorithm to construct a test suite with such properties was proposed. These result are summarized in a paper that is being prepared for a journal submission.

The research involving the PhD thesis of Aiswarya Cyriac on temporal logics for concurrent recursive programs is supported by the DIGITEO project LOCOREP, 2010-2013. Hernán Ponce de León's research on conformance testing for concurrent systems through event structures is supported by the DIGITEO project TECSTES, 2011-2014.

The Project ANR **ImpRo** ANR-2010-BLAN-0317
involves *IRCCyN* (Nantes), *IRISA* (Rennes), *LIP6*(Paris),
*LSV* (Cachan), *LIAFA* (Paris) and *LIF* (Marseille).
It addresses issues related to the practical implementation of formal models
for the design of communication-enabled systems: such models abstract away from many complex features or limitations of the execution environment. The modeling of *time*,
in particular, is usually idealized, with infinitely precise clocks, instantaneous tests or mode
communications, etc. Our objective is thus to study to what extent the practical implementation of these models preserves their good properties. We aim at a generic mathematical framework to reason about and measure implementability, and then study the possibility to integrate implementability constraints in the models. A particular focus is on the combination of several sources of perturbation such as resource allocation, the distributed architecture of applications, etc. We also study implementability through control and diagnosis techniques, and apply the developed methods to a case study based on the AUTOSAR architecture, a standard in the automotive industry.

Title: Highly Complex and Networked Control Systems

Type: COOPERATION (ICT)

Defi: Engineering of Networked Monitoring and Control Systems

Instrument: Network of Excellence (NoE)

Duration: September 2010 - August 2014

Coordinator: CNRS (France)

Others partners: Inria (France), ETH Zurich (Switzerland), TU Berlin (Germany), TU Delft (Netherlands) and many others.

See also: http://

Abstract: Hycon 2 aims at stimulating and establishing a long-term integration in the strategic field of control of complex, large-scale, and networked dynamical systems. It focuses in particular on the domains of ground and aerospace transportation, electrical power networks, process industries, and biological and medical systems.

Title: Univerself

Type: COOPERATION (ICT)

Defi: The Network of the Future

Instrument: Integrated Project (IP)

Duration: September 2010 - August 2013

Coordinator: Alcatel Lucent (France)

Others partners: Universiteit Twente, Alcatel Lucent Ireland, Alcatel Lucent Deutschland, Valtion Teknillinen Tutkimuskeskus (Finland), University of Piraeus, France Telecom, Telecom Italia, National University of Athens, Fraunhofer-Gesellschaft zur Förderung der Angewandten Forschung, Interdisciplinary Institute for Broadband Technology, Telefonica Investigacion y Desarrollo,Thales Communications, Inria,Nec Europe, University of Surrey, University College London, IBBT (Belgium).

See also: http://

Abstract: UniverSelf unites 17 partners with the aim of overcoming the growing management complexity of future networking systems, and to reduce the barriers that complexity and ossification pose to further growth. Univerself has been launched in October 2010 and is scheduled for four years.

The CMI (Chennai Mathematical Institute) is a long-standing partner of our team. The project
*Île de France/Inde* in the *ARCUS* program from 2008 to 2011 has allowed several exchange visits between Cachan and Chennai, organizations of ACTS workshops with french and indian researchers in Chennai, internships in Cachan, and
two theses in *co-tutelle* (Akshay Sundararaman, defended in 2010) and Aiswarya Cyriac (thesis in progress).

Currently, Paul Gastin is co-head (with Madhavan Mukund) of the new International Associated Laboratory (LIA) INFORMEL (INdo-French FORmal Methods Lab). This LIA was created in January 2012 by an agreement between CNRS, ENS Cachan, University Bordeaux 1 on the french side and the Chennai Mathematical Institute, the Institute of Mathematical Sciences of Chennai, and the Indian Institute of Science of Bangalore on the Indian side.

Benedikt Bollig, Aiswarya Cyriac, and Benjamin Monmege are participating in LeMon, a joint Procope project with LIAFA, (Paris) and the University of Lübeck, supported by EGIDE/DAAD. The aim of the project is to develop techniques for the inference of systems that deal with infinite data domains.

Supported by the LIA INFORMEL,

K. Narayan Kumar from CMI visited our team from May 2nd to 27th, and

Madhavan Mukund from CMI visited our team from May 8th to June 3rd.

From April 10 to April 13, Victor Khomenko from Newcastle University (UK) visited the team.

Estibaliz Fraca, PhD student from Zaragossa, is visiting from november 2012 trough February 2013.

Umang Mathur (IIT Bombay, India) effected a two-month internship from May to July at ENS Cachan, co-financed by the Inria Internship program, which was jointly supervised by Rohit Chadha (of the Secsi team) and Stefan Schwoon. The co-operation is being continued remotely, with Rohit Chadha now at the University of Missouri.

Subject: Estimating the Information Leakage of a Recursive Probabilistic Program.

Institution: IIT Bombay, India

Gaurav MAHAJAN (from May 2012 until Jul 2012)

Subject: Probabilistic Unfolder for Petri Nets

Institution: IIT Delhi (India)

The team members made several *short* visits:

Supported by the LIA INFORMEL, Paul Gastin visited the Chennai Mathematical Institute (CMI) in India from January 9 to 21.

Benedikt Bollig and Aiswarya Cyriac were visiting Thomas Schwentick's group at TU Dortmund University (March 13 – 16).

Benjamin Monmege was visiting Martin Leucker's group at the University of Lübeck (July 9 – 14 and October 28 – November 2).

Stefan Schwoon visited Javier Esparza's group at TU Müchen and gave a talk in April 2012.

Serge Haddad visited Rolf Hennicker's group at LMU Munich in November 2012.

was the organizer and a PC member of the 4rd Young Researchers Workshop on Concurrency Theory (YR-CONCUR), which was co-located with CONCUR'12. He was a PC member of the International Workshop on Interactions, Games and Protocols (IWIGP'12). Moreover, he served as a reviewer for numerous international conferences and journals. He also was a member of the *commission scientifique* Inria Saclay.

was a member of the program committee of ACSD'12 (*International
Conference on Application of Concurrency to System Design*). He was a member
of a selection committee at CNAM Paris in 2012, and participated in the organization and presentation of
the one-day Petri net tutorial on unfoldings at the *international conference on the
application and theory of Petri nets* in Hamburg, June 2012.

is co-head (with Madhavan Mukund) of the new International Associated Laboratory (LIA) INFORMEL (INdo-French FORmal Methods Lab). This LIA was created in January 2012 by an agreement between CNRS, ENS Cachan, University Bordeaux 1 on the french side and the Chennai Mathematical Institute, the Institute of Mathematical Sciences of Chennai, and the Indian Institute of Science of Bangalore on the Indian side.

He is the head of the computer science department of ENS Cachan.

Paul Gastin is an associate editor of the Journal of Automata, Languages and Combinatorics.

He is on the Advisory Board of the EATCS-Springer book series

Monographs in Theoretical Computer Science,

Texts in Theoretical Computer Science.

He was a member of the program committees of LATA 2012 (Language and Automata Theory and Applications) and CONCUR 2012 (International Conference on Concurrency Theory).

He was an invited speaker at the 17th International Conference on Implementation and Application of Automata (CIAA'12).

He was a member of 3 selection committees (Cachan, Nancy and Orléans).

is an associate editor for the journal *Discrete Event Dynamic Systems: Theory and Application*, and was on the program committees of
*SAFEPROCESS 2012* and *PNSE 2012*. He participated in the organization and presentation of
the one-day Petri net tutorial on unfoldings at the *international conference on the
application and theory of Petri nets* in Hamburg, June 2012
Stefan is the correspondent for Inria's *DRI* (international relations service) for the Saclay center, and ipso facto member of the GTRI (working group on international relations) of Inria's COST.

has been a member of the steering committee of the *International Conference on Application and Theory of Petri Nets (ICATPN)* since 2001. He gave a tutorial on timed and stochastic Petri nets, and was co-president of the program committee of ICATPN 2012; he was also co-president for the tutorials at the 18th Int. Symp. on Formal Methods (FM) 2012, Paris, France, and member of the program committee of the Workshop on Research and Use of Multiformalism Modeling Methods of QEST, September 2012, London, UK.
He is a founding member of the research group *MeFoSyLoMa* and co-chair of the software project *COSYVERIF*. He was one of the evaluators in the Evaluation AERES of the *Cedric* Laboratory, and is
a member of the selection committees of the universities Paris VI and Nancy.

was a member of the program committee of GRAPHITE'12 (First Workshop on GRAPH Inspection and Traversal Engineering). and of the MOVEP 2012 winter school. He gave a tutorial on unfolding and partial-order techniques at CEA LIST in January.

Here we present the teaching activities of PhD students and *researchers*;
note that in addition to the classes here, four team members (Th. Chatain, P. Gastin,
S. Haddad and S. Schwoon) are full-time professors of ENS Cachan and fulfill their teaching obligations there.

Master : Sandie Balaguer, Programmation en C, 32, M1, U.F.R d'Informatique de Paris 7, France

Master : Benjamin Monmege, Probabilistic Aspects of Computer Science, 10h, M1, ENS de Cachan, France

Master : Benoît Barbot, Projet de programmation réseau, 30h, M1, ENS Cachan, France

Master : Benedikt Bollig, Modeling and verification of real-time distributed systems, 12, M2, MPRI, France

Ecole d'Ingénieur: Hernán Ponce de León, Algorithmique et Programmation, 32, 3e année (equivalent L3), Ecole Centrale Paris, France

Master : Stefan Haar, Verification (VSFR), 12, M2, UPMC, France

Master : Stefan Haar, Modelisation et optimisation (MOPS), 12, M2, Université d'Evry, France

Agrégation : Stefan Haar, Algorithmique , 42.5, Agrégation option informatique, ENS Cachan

Master : César Rodríguez, Projet de programmation réseau, 30h, M1, ENS Cachan, France

Agrégation : César Rodríguez, TP programmation, 24h, Préparation à l'agrégation, ENS Cachan, France

Licence : Aiswarya CYRIAC, Algorithmique avancée, 60, niveau L3, ENS de Cachan, France

Licence: Benoît Barbot , Mathématiques Discrètes, 22.5 , L3 , ENS Cachan, France

Licence : Benjamin Monmege, Machine learning, 60h, L3, ENS de Cachan, France

PhD & HdR :

*PhD*: Sandie Balaguer, Concurrency in Real-Time Distributed
Systems, ENS Cachan, December 13, 2012, supervised by Stefan Haar and Thomas
Chatain.

*PhD*: Hilal Djafri, Numerical and Statistical Approaches for Model Checking of Stochastic Processes, ENS Cachan, June 19, 2012, supervised by Serge Haddad.

PhD in progress: Hernán Ponce de Léon, Testing of concurrent systems using event structures, ENS Cachan, supervised by Stefan Haar and Delphine Longuet (Paris XI)

PhD in progress: César Rodríguez, *Contextual Petri Nets and Applications*, begun in September 2010,.
supervised by Stefan Schwoon

PhD in progress:
Aiswarya Cyriac, *Temporal logics for concurrent recursive programs*, begun in September 2010, supervised by Benedikt Bollig and Paul Gastin.

PhD in progress:
Benjamin Monmege, *Specification and verification of qualitative properties and applications to queries for XML documents*,
begun in September 2010, supervised by Benedikt Bollig and Paul Gastin.

PhD in progress:
Benoît Barbot, *Rare event handling in statistical model checking*, begun in September 2011, Serge Haddad and Claudine Picaronny (ENS Cachan).

participated , as examinator and co-supervisor, in the PhD committee of Sandie Balaguer (, December 13, 2012).

was president of the committee for the HDR of Daniele Varacca at *Université Paris Diderot*.

was president of the Ph D committees of Hilal Djafri at ENS Cachan (June 19, 2012)and Hoang-Thach Nguyen at Paris VII (April 18, 2012), and member (as the thesis supervisor) of the PhD committee of Sandie Balaguer (, December 13, 2012). He will be a reviewer for the thesis of Elisabeta Mangioni at University of Milan-Bicocca in Italy.

was examinator and thesis supervisor in the Ph D committee of Hilal Djafri at ENS Cachan (June 19, 2012). He also was a reviewer for the thesis of H. Schonenberg at Eindhoven University, mai 2012, and member of the PhD Committees of L. Jezequel (University of Rennes, november 2012, and M. Lauer at INP Toulouse, june 2012.

participated in the *jury de mi-parcours* of
Ala Eddine Ben Salem, PhD student at LIP6.