The VeriDis project team includes members of the MOSEL group at LORIA, the
computer science laboratory in Nancy, and members of the research group
Automation of Logic at Max-Planck-Institut für Informatik in
Saarbrücken. It is headed by Stephan Merz and Christoph Weidenbach. VeriDis
was created in 2010 as a local research group of Inria Nancy – Grand Est and
has been an Inria project team since July 2012.

The objectives of VeriDis are to contribute to advances in verification techniques, including automated and interactive theorem proving, and to make them available for the development and analysis of concurrent and distributed algorithms and systems, based on mathematically precise and practically applicable development methods. The techniques that we develop are intended to assist designers of algorithms and systems in carrying out formally verified developments, where proofs of relevant properties, as well as bugs, can be found with a high degree of automation.

Within this context, we work on techniques for automated theorem
proving for expressive languages based on first-order logic, with support
for theories (fragments of arithmetic, set theory etc.) that are relevant for
specifying algorithms and systems. Ideally, systems and their properties would
be specified using high-level, expressive languages, errors in specifications
would be discovered automatically, and finally, full verification could also
be performed completely automatically. Due to the fundamental undecidability
of the problem, this cannot be achieved in general. Nevertheless, we have
observed important advances in automated deduction in recent years, to which
we have contributed. These advances suggest that a substantially higher degree
of automation can be achieved over what is available in today's tools
supporting deductive verification. Our techniques are developed within SMT
(satisfiability modulo theories) solving and first-order logic reasoning, the two
main frameworks of contemporary automated reasoning that have complementary
strengths and weaknesses, and we are interested in making them converge when
appropriate. Techniques developed within the symbolic computation domain, such
as algorithms for quantifier elimination for appropriate theories, are also
relevant, and we are working on integrating them into our portfolio of
techniques. In order to handle expressive input languages, we are working on
techniques that encompass tractable fragments of higher-order logic, for
example for specifying inductive or co-inductive data types, for automating
proofs by induction, or for handling collections defined through a
characteristic predicate.

Since full automatic verification remains elusive, another line of our
research targets interactive proof platforms. We intend these platforms
to benefit from our work on automated deduction by incorporating powerful
automated backends and thus raise the degree of automation beyond what current
proof assistants can offer. Since most conjectures stated by users are
initially wrong (due to type errors, omitted hypotheses or overlooked border
cases), it is also important that proof assistants be able to detect and
explain such errors rather than letting users waste considerable time in
futile proof attempts. Moreover, increased automation must not come at the
expense of trustworthiness: skeptical proof assistants expect to be given an
explanation of the proof found by the backend prover that they can certify.

Model checking is also an established and highly successful technique
for verifying systems and for finding errors. Our contributions in this area
more specifically target quantitative, in particular timed or probabilistic
systems. A specificity of VeriDis is to consider partially specified systems
containing parameters; the verification problem then becomes the synthesis of
suitable parameter valuations.

Our methodological and foundational research is accompanied by the development
of efficient software tools, several of which go beyond pure research
prototypes: they have been used by others, have been integrated in
verification platforms developed by other groups, and participate in
international competitions. We also validate our work on verification
techniques by applying them to the formal development of algorithms and
systems. We mainly target high-level descriptions of concurrent and
distributed algorithms and systems. This class of algorithms is by now
ubiquitous, ranging from multi- and many-core algorithms to large networks and
cloud computing, and their formal verification is notoriously difficult.
Targeting high levels of abstraction allows the designs of such systems to be
verified before an actual implementation has been developed, contributing to
reducing the costs of formal verification. The potential of distributed
systems for increased resilience to component failures makes them attractive
in many contexts, but also makes formal verification even more important and
challenging. Our work in this area aims at identifying classes of algorithms
and systems for which we can provide guidelines and identify patterns of
formal development that make verification less an art and more an engineering
discipline. We mainly target components of operating systems, distributed and
cloud services, and networks of computers or mobile devices.

Beyond formal system verification, we pursue applications of some of the symbolic techniques that we develop in other domains. We have observed encouraging success in using techniques of symbolic computation for the qualitative analysis of biological and chemical networks described by systems of ordinary differential equations that were previously only accessible to large-scale simulation. Such networks include biological reaction networks as they occur in models for diseases such as diabetes or cancer. They furthermore include epidemic models such as variants and generalizations of SEIR models, which are typically used for Influenza A or Covid-19. This work is being pursued within a large-scale interdisciplinary collaboration. It aims for our work grounded in verification to have an impact on the sciences beyond engineering, which will in turn feed back into our core formal methods community.
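To make the class of models concrete: the dynamics behind an SEIR model are just four coupled ordinary differential equations. The sketch below integrates them with forward Euler; all parameter values are illustrative assumptions of ours, not fitted to Influenza A or Covid-19 data.

```python
# Minimal SEIR epidemic model integrated with forward Euler.
# beta: transmission rate, sigma: incubation rate, gamma: recovery rate.
# All numeric values are illustrative, not fitted to any dataset.

def seir_step(s, e, i, r, beta, sigma, gamma, dt):
    """One Euler step of the classic SEIR ordinary differential equations."""
    n = s + e + i + r
    ds = -beta * s * i / n
    de = beta * s * i / n - sigma * e
    di = sigma * e - gamma * i
    dr = gamma * i
    return s + dt * ds, e + dt * de, i + dt * di, r + dt * dr

def simulate(days=160, dt=0.1, beta=0.5, sigma=0.2, gamma=0.1):
    """Run the model from a small seeded outbreak; fractions sum to 1."""
    s, e, i, r = 0.99, 0.01, 0.0, 0.0
    for _ in range(int(days / dt)):
        s, e, i, r = seir_step(s, e, i, r, beta, sigma, gamma, dt)
    return s, e, i, r
```

Numerical integration like this fixes all parameters to concrete values; the symbolic methods discussed above instead analyze such systems with the parameters left indeterminate.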

The VeriDis team gathers experts in techniques and tools for automatic deduction and interactive theorem proving, and specialists in methods and formalisms designed for the development of trustworthy concurrent and distributed systems and algorithms. Our common objective is twofold: first, we wish to advance the state of the art in automated and interactive theorem proving, and their combinations. Second, we work on making the resulting technology available for the computer-aided verification of distributed systems and protocols. In particular, our techniques and tools are intended to support sound methods for the development of trustworthy distributed systems that scale to algorithms relevant for practical applications.

VeriDis members from Saarbrücken are developing the Spass workbench 10.
It currently consists of one of the leading automated theorem provers for
first-order logic based on the superposition calculus
66, a theory solver for linear arithmetic
2, a CDCL-based satisfiability solver, and a converter of propositional formulas to clausal normal form.
Recently we have extended it to a Datalog
hammer solving universal and existential queries with respect to a Horn
Bernays-Schoenfinkel theory modulo linear
arithmetic 72, 71.
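The target language of such a Datalog hammer rests on bottom-up fixpoint evaluation of Horn rules. The toy evaluator below sketches only that core idea (all names are ours; it has no connection to the Spass implementation): it saturates a fact base under the rules until nothing new can be derived.

```python
# Naive bottom-up Datalog evaluation: repeatedly apply Horn rules to a
# fact base until a fixpoint is reached. Toy sketch, not the Spass code.

def eval_datalog(facts, rules):
    """Saturate `facts` under `rules`. Atoms are tuples like
    ('edge', 'a', 'b'); variables are strings starting with '?'."""
    db = set(facts)
    changed = True
    while changed:
        changed = False
        for head, body in rules:
            derived = [tuple(s.get(t, t) for t in head)
                       for s in match_body(body, db, {})]
            for atom in derived:
                if atom not in db:
                    db.add(atom)
                    changed = True
    return db

def match_body(body, db, subst):
    """Enumerate substitutions matching all body atoms against db."""
    if not body:
        yield subst
        return
    for fact in db:
        s = unify(body[0], fact, subst)
        if s is not None:
            yield from match_body(body[1:], db, s)

def unify(atom, fact, subst):
    """Match one atom with variables against a ground fact."""
    if len(atom) != len(fact):
        return None
    s = dict(subst)
    for t, v in zip(atom, fact):
        if isinstance(t, str) and t.startswith('?'):
            if s.setdefault(t, v) != v:
                return None
        elif t != v:
            return None
    return s
```

For instance, a two-rule program computing the transitive closure of an edge relation saturates in a few passes.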

In a complementary approach to automated deduction, VeriDis members from Nancy work on techniques for integrating reasoners for specific theories. They develop veriT, an SMT solver that combines decision procedures for different fragments of first-order logic. The veriT solver is designed to produce detailed proofs; this makes it particularly suitable as a component of a robust cooperation of deduction tools.

Finally, VeriDis members design effective quantifier elimination methods and decision procedures for algebraic theories, supported by their efficient implementation in the Redlog system 5.
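A textbook instance gives the flavor of what real quantifier elimination computes symbolically: over the reals, the formula ∃x. x² + bx + c = 0 is equivalent to the quantifier-free condition b² − 4c ≥ 0. The sketch below is not Redlog code; it merely cross-checks this equivalence numerically on sample inputs.

```python
# Toy illustration of real quantifier elimination: over the reals,
#   (exists x. x^2 + b*x + c = 0)  iff  b^2 - 4*c >= 0.
# Redlog derives such equivalences symbolically; here we only compare
# the eliminated form against a direct numerical witness check.

import random

def exists_real_root(b, c):
    """Quantifier-free equivalent after elimination: the discriminant test."""
    return b * b - 4 * c >= 0

def has_root_numerically(b, c):
    """Direct witness check: solve the quadratic when the discriminant allows."""
    disc = b * b - 4 * c
    if disc < 0:
        return False
    x = (-b + disc ** 0.5) / 2
    return abs(x * x + b * x + c) < 1e-6
```

The point of quantifier elimination is precisely that the left-hand side, which mentions x, is replaced by a condition on the parameters b and c alone.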

An important objective of this line of work is the integration of theories in automated deduction. Typical theories of interest, including fragments of arithmetic, are difficult or impossible to express in first-order logic. We therefore explore efficient, modular techniques for integrating semantic and syntactic reasoning methods, develop novel combination results and techniques for quantifier instantiation. These problems are addressed from both sides, i.e. by embedding decision procedures into the superposition framework or by allowing an SMT solver to accept axiomatizations for plug-in theories. We also develop specific decision procedures for theories such as non-linear real arithmetic that are important when reasoning about certain classes of (e.g., real-time) systems but that also have interesting applications beyond verification.

We rely on interactive theorem provers for reasoning about specifications at a
high level of abstraction when fully automatic verification is not (yet)
feasible. An interactive proof platform should help verification engineers lay
out the proof structure at a sufficiently high level of abstraction; powerful
automatic plug-ins should then discharge the resulting proof steps. Members of
VeriDis have ample experience in the specification and subsequent
machine-assisted, interactive verification of algorithms. In particular, we
participate in a project at the joint Microsoft Research-Inria Centre on the
development of methods and tools for the formal proof of specifications
written in the TLA+ language 81. Our prover
relies on a declarative proof language, and calls upon several automatic
backends 4. Trust in the correctness of the
overall proof can be ensured when the backends provide justifications that can
be checked by the trusted kernel of a proof assistant. During the development
of a proof, most obligations that are passed to the prover actually fail –
for example, because necessary information is not present in the context or
because the invariant is too weak, and we are interested in explaining failed
proof attempts to the user, in particular through the construction of
counter-models.

Members of VeriDis formalize a framework in the proof assistant Isabelle/HOL for representing the correctness and completeness of automated theorem provers. This work encompasses proof calculi such as ordered resolution or superposition, as well as concrete prover architectures such as Otter or DISCOUNT loops. It also covers the most recent splitting techniques that bring proof calculi closer to SMT solvers.

Theorem provers are not used in isolation, but they support the
application of sound methodologies for modeling and verifying systems. In this
respect, members of VeriDis have gained expertise and recognition in making
contributions to formal methods for concurrent and distributed algorithms and
systems 3, 8, and in applying them to
concrete use cases. In particular, the concept of refinement 63, 67, 84 in state-based
modeling formalisms is central to our approach because it allows us to present
a rational (re)construction of system development. An important goal in
designing such methods is to establish precise proof obligations, many of which
can be discharged by automatic tools. This requires taking into account
specific characteristics of certain classes of systems and tailoring the model
to concrete computational models. Our research in this area is supported by
carrying out case studies for academic and industrial developments. This
activity benefits from and influences the development of our proof tools.

In this line of work, we investigate specific development and verification patterns for particular classes of algorithms, in order to reduce the work associated with their verification. We are also interested in applications of formal methods and their associated tools to the development of systems that are subject to specific certification requirements in the sense of, e.g., the Common Criteria. Finally, we are interested in the adaptation of model checking techniques for verifying actual distributed programs, rather than high-level models.

Today, the formal verification of a new algorithm is typically the subject of a PhD thesis, if it is addressed at all. This situation is not sustainable given the move towards more and more parallelism in mainstream systems: algorithm developers and system designers must be able to productively use verification tools for validating their algorithms and implementations. On a high level, the goal of VeriDis is to make formal verification standard practice for the development of distributed algorithms and systems, just as symbolic model checking has become commonplace in the development of embedded systems and as security analysis for cryptographic protocols is becoming standard practice today. Although the fundamental problems in distributed programming are well-known, they pose new challenges in the context of modern system paradigms, including ad-hoc and overlay networks or peer-to-peer systems, and they must be integrated for concrete applications.

The paradigm of model checking is based on automatically verifying properties
over a formal model of a system, using mathematical foundations.
Model checking, while useful and highly successful in practice, can encounter
the infamous state space explosion problem.
One direction of VeriDis therefore addresses the efficiency of model checking,
by proposing new algorithms or heuristics to speed up analysis.
We notably focus on the quantitative setting (time, probabilities), and more
specifically on the parametric paradigm where some quantitative constants are
unknown, and the goal becomes to synthesize suitable valuations.
A recent application area of VeriDis is opacity, a notion from the field of cybersecurity, which we address using model checking.
The team considers a novel definition of opacity in timed automata in which an attacker only has access to the execution time; several recent works address this direction.
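The shape of the parameter synthesis problem can be conveyed by a discrete miniature. The model and all names below are hypothetical toys of ours; actual parametric timed-automaton tools work symbolically over dense time rather than by the brute-force enumeration shown here.

```python
# Toy parameter synthesis: for which integer values of a delay bound p
# is the 'error' state unreachable? Brute-force discrete sketch only.

def reachable(p):
    """Explore states (location, clock) of a toy system: a response
    arrives at clock == 3; if the clock exceeds the bound p first,
    the system enters 'error'."""
    frontier, seen = [('wait', 0)], set()
    while frontier:
        loc, t = frontier.pop()
        if (loc, t) in seen:
            continue
        seen.add((loc, t))
        if loc == 'wait':
            if t > p:
                frontier.append(('error', t))      # deadline exceeded
            elif t == 3:
                frontier.append(('done', t))       # response received
            else:
                frontier.append(('wait', t + 1))   # let time elapse
    return {loc for loc, _ in seen}

def synthesize(pmax=10):
    """Return all parameter values in [0, pmax] keeping 'error' unreachable."""
    return [p for p in range(pmax + 1) if 'error' not in reachable(p)]
```

Instead of a yes/no verdict for one fixed bound, the synthesis question asks for the set of all safe valuations, here every p at least 3.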

The unprecedented accumulation of information in biology and medicine over the last 20 years has led to a situation where any further progress in these fields depends on the capacity to model and make sense of large amounts of data. Until recently, foundational research was concerned with simple models of 2 to 5 ordinary differential equations. The analysis of even such simple models was sufficiently involved that it resulted in one or several scientific publications for a single model. Much larger models are built today to represent cell processes, explain and predict the origin and evolution of complex diseases, or capture the differences between patients in precision and personalized medicine. For instance, the biomodels.net model repository 82 contains thousands of hand-built models of up to several hundred variables. Numerical analysis of large models requires an exhaustive scan of the parameter space or the identification of the numerical parameters from data. Both are infeasible for large biological systems because parameters are largely unknown and because of the curse of dimensionality: even rich data rapidly become sparse as the dimensionality of the problem increases. On these grounds, VeriDis researchers aim at formal symbolic analysis instead of numerical simulation.

As an illustration of the approach, consider BIOMD0000000716 in the
above-mentioned BioModels database, which models the transmission dynamics of
subtype H5N6 of the avian Influenza A virus in the Philippines in August 2017
83. This model describes four species (susceptible/infected
bird or human) together with their dynamics. Using purely symbolic algorithms,
we obtain a decomposition of the dynamics into three subsystems.

This multiple time scale reduction emphasizes a cascade of successive
relaxations of model variables. Figure 1(a) shows the corresponding surface.

The computation time is less than a second. The computation is based on
massive SMT solving over various theories, including QF_LRA for
tropicalizations, QF_NRA for testing Hurwitz conditions on
eigenvalues, and QF_LIA for finding sufficient differentiability
conditions for hyperbolic attractivity of critical manifolds. Gröbner
reduction techniques are used for final algebraic simplification
80. Observe that numerical simulation would not be able
to provide such a global analysis of the overall system, even in the absence
of symbolic parameters, as is the case in our rather simple example.

Distributed algorithms and protocols are found at all levels of computing infrastructure, from many-core processors and systems on chip to wide-area networks. We are particularly interested in the verification of algorithms that are developed for supporting novel computing paradigms, including ad-hoc networks that underlie mobile and low-power computing, overlay and peer-to-peer networks that provide services for telecommunication, and cloud computing services. Computing infrastructure must be highly available and is ideally invisible to the end user; correctness is therefore crucial. One should note that standard problems of distributed computing, such as consensus, group membership or leader election, have to be reformulated for the dynamic context of these modern systems. We are not ourselves experts in the design of distributed algorithms, but we work together with domain experts on designing formal models of these protocols and on verifying their properties. These cooperations help us focus on concrete algorithms and ensure that our work is relevant to the distributed algorithms community.

Our work on symbolic procedures for solving polynomial constraints finds applications beyond verification. In particular, we have been working in interdisciplinary projects with researchers from mathematics, computer science, systems biology, and system medicine on the analysis of reaction networks and epidemic models in order to infer principal qualitative properties. Our techniques complement numerical analysis techniques and are validated against collections of models from computational biology.

The team uses extensions of timed automata (such as parametric timed automata 64) as an underlying formalism to solve practical questions. Our work on parametric timed automata is partly motivated by applications in cybersecurity, notably within the ANR-NRF ProMiS project (cf. section 9.1). Foundational decidability results 11, 28 and novel notions of non-interference and opacity for this class of automata allow us, for example, to determine the maximal frequency of attacker actions for the attack to succeed (i.e., so that these actions remain invisible to the external observer). Several software artefacts were implemented by the team in this domain 65.

Alexander Bentkamp, a former PhD student at VU Amsterdam co-supervised by Jasmin Blanchette and Uwe Waldmann, received the Ackermann award of the European Association for Computer Science Logic, the Beth Award of the Association for Logic, Language and Information, the McCune award at CADE, and the dissertation award of the Institute for Programming Research and Algorithmics (IPA) for his PhD thesis 69.

Fajar Haifani received the DL 2022 Best Student Paper Award for the paper “Connection-minimal Abduction in EL via translation to FOL” 42.

Sophie Tourret has been recognized as a distinguished PC member of IJCAI-ECAI 2022, for the quality of her reviews (ranked in the top 3%).

Redlog is an integral part of the interactive computer algebra system Reduce. It supplements Reduce's comprehensive collection of powerful methods from symbolic computation by supplying more than 100 functions on first-order formulas.

Redlog generally works with interpreted first-order logic in contrast to free first-order logic. Each first-order formula in Redlog must exclusively contain atoms from one particular Redlog-supported theory, which corresponds to a choice of admissible functions and relations with fixed semantics. Redlog-supported theories include Nonlinear Real Arithmetic (Real Closed Fields), Presburger Arithmetic, Parametric QSAT (quantified satisfiability solving), and many more.

Parts of the Redlog code are now more than 25 years old. Version 1 of the underlying computer algebra system Reduce was published more than 50 years ago. In 2018 we therefore started major revisions and improvements of Redlog's software architecture, which are still under way.

Our principal design goal is more simplicity for the sake of better long-term maintainability. Technically, we now favor keeping state in explicit mutable data structures rather than on the recursion stack. Although the underlying Lisp system does not directly support them, we use object-oriented ideas and approaches to the extent possible.

F5 is a package for the computation of Gröbner Bases using Faugère's F5 algorithm. It uses multivariate rational functions as the coefficient field. The package is compatible with existing REDUCE term orderings, as used with the GROEBNER package and the CGB package.

From an Automated Reasoning viewpoint this offers a decision procedure for algebraically closed fields (including the complex numbers). The code has been designed with possible future generalization to the formal treatment of the coefficients as parameters and comprehensive Gröbner Bases in mind, which, in combination with other components of REDUCE, namely Redlog, would yield quantifier elimination and decision procedures for algebraically closed fields (including the complex numbers) as well as for real closed fields (including the real numbers).
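The connection between Gröbner bases and decision procedures can be illustrated in the simplest possible setting: in one variable over the rationals, a Gröbner basis of an ideal collapses to the GCD of its generators, so ideal membership reduces to polynomial divisibility. The sketch below covers only this univariate special case; the F5 package addresses the much harder multivariate situation.

```python
# Univariate special case of Groebner-basis theory over Q[x]:
# the basis of <g1, ..., gk> is gcd(g1, ..., gk), and f lies in the
# ideal iff the gcd divides f. Polynomials are coefficient lists,
# lowest degree first, with exact rational arithmetic.

from fractions import Fraction

def trim(p):
    """Coerce coefficients to Fraction and strip leading zeros."""
    p = [Fraction(c) for c in p]
    while p and p[-1] == 0:
        p.pop()
    return p

def polydivmod(num, den):
    """Polynomial division with remainder over the rationals."""
    rem, den = trim(num), trim(den)
    quot = [Fraction(0)] * max(len(rem) - len(den) + 1, 1)
    while rem and len(rem) >= len(den):
        shift = len(rem) - len(den)
        factor = rem[-1] / den[-1]
        quot[shift] = factor
        for i, c in enumerate(den):
            rem[shift + i] -= factor * c
        while rem and rem[-1] == 0:
            rem.pop()
    return quot, rem

def polygcd(a, b):
    """Euclidean algorithm; the result is normalized to be monic."""
    a, b = trim(a), trim(b)
    while b:
        a, b = b, polydivmod(a, b)[1]
    return [c / a[-1] for c in a] if a else []

def in_ideal(f, generators):
    """f is in <g1, ..., gk> over Q[x] iff gcd(g1, ..., gk) divides f."""
    g = trim(generators[0])
    for h in generators[1:]:
        g = polygcd(g, h)
    return polydivmod(f, g)[1] == []
```

In several variables no single GCD exists, which is exactly why Buchberger-style completion (and its refinement F5) is needed.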

Efforts in 2022 focused on higher-order logic and better proof production. The achievements of 2022 essentially concern proof production, which makes veriT particularly suitable for integration within skeptical proof assistants. Code refactoring is envisioned for the future, to better accommodate the role of the solver as a platform for testing new ideas. Although the veriT solver participated in the SMT competition http://www.smtcomp.org as in previous years, the improvements to this incarnation of the solver have been minimal, and its performance has not improved compared to 2021.

We target applications where the validation of formulas is crucial, such as proofs about specifications written in the B or TLA+ languages, and we work together with the developers of the respective verification platforms to make veriT even more useful in practice. The solver is available as a plugin for the Rodin platform, and it is integrated within Atelier B.

veriT is also a prototype platform for ideas developed within the Matryoshka project, aiming at greater availability of automated reasoning for proof assistants.

SMT solvers have throughout the years been able to cope with increasingly expressive logics, from ground formulas to full first-order logic (FOL). In the past, we proposed a pragmatic extension for SMT solvers to support higher-order logic reasoning natively without compromising performance on FOL reasoning, thus leveraging the extensive research and implementation efforts dedicated to efficient SMT solving. However, the higher-order SMT solvers resulting from this work are not as effective as we would expect given their performance on first-order problems. We believe this comes from the fact that only the core of the SMT solver has been extended, ignoring in particular the modules for quantifier instantiation.

This motivated us to start working in 2020 on an extension of the main quantifier-instantiation approach (congruence closure with free variables, CCFV) to higher-order logic. This work is still ongoing. We are working on an encoding of the CCFV higher-order problem into a set of SAT constraints. In 2020, we concentrated our efforts mainly on the theory, proving the soundness and completeness of our approach. In 2021, as a first step towards an implementation, we designed precise pseudo-code for all elements of the CCFV computation. In 2022, these algorithms were implemented in a C++ library and tested on benchmarks from the SMT-LIB collection. Future work involves thorough testing of the library, improvements, and a release under a permissive open-source license.
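CCFV builds on ground congruence closure, the procedure at the heart of SMT reasoning about equality. The naive sketch below (quadratic re-checking, class and method names of our own, no relation to the veriT code base) shows only the ground core that CCFV lifts to terms containing free variables.

```python
# Naive ground congruence closure with union-find. Terms are constants
# (strings) or function applications written as tuples ('f', arg1, ...).
# Production solvers use indexed data structures; this is a toy sketch.

class CongruenceClosure:
    def __init__(self):
        self.parent = {}

    def find(self, t):
        """Union-find representative with path halving."""
        self.parent.setdefault(t, t)
        while self.parent[t] != t:
            self.parent[t] = self.parent[self.parent[t]]
            t = self.parent[t]
        return t

    def _add(self, t):
        self.find(t)
        if isinstance(t, tuple):
            for arg in t[1:]:
                self._add(arg)

    def _propagate(self):
        """Congruence rule: merge f(a...) and f(b...) when args are equal."""
        changed = True
        while changed:
            changed = False
            terms = [u for u in self.parent if isinstance(u, tuple)]
            for u in terms:
                for v in terms:
                    if (u[0] == v[0] and len(u) == len(v)
                            and self.find(u) != self.find(v)
                            and all(self.find(a) == self.find(b)
                                    for a, b in zip(u[1:], v[1:]))):
                        self.parent[self.find(u)] = self.find(v)
                        changed = True

    def merge(self, s, t):
        """Assert the equality s = t and close under congruence."""
        self._add(s)
        self._add(t)
        self.parent[self.find(s)] = self.find(t)
        self._propagate()

    def equal(self, s, t):
        """Does s = t follow from the asserted equalities?"""
        self._add(s)
        self._add(t)
        self._propagate()
        return self.find(s) == self.find(t)
```

For instance, from a = b the procedure derives f(a) = f(b); the CCFV problem is the harder one of instantiating free variables so that such derivations become possible.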

We previously developed a framework for processing formulas in automatic theorem provers, with generation of detailed proofs that can be checked by external tools, including skeptical proof assistants. The main components are a generic contextual recursion algorithm and an extensible set of inference rules. Clausification, Skolemization, theory-specific simplifications, and expansion of `let' expressions are instances of this framework. With suitable data structures, proof generation adds only a linear-time overhead, and proofs can be checked in linear time. We implemented the approach in the SMT solver veriT. This allowed us to dramatically simplify the code base while increasing the number of problems for which detailed proofs can be produced. Our publication at CADE 2021 88 demonstrates the excellent results of our approach, building on our previous work on proof formats for SMT and on proof reconstruction within the proof assistant Isabelle/HOL (e.g., 76). Our proof format was moreover the basis for the standard Alethe format 87, which is now getting adopted by the community. In 2022, the format was further polished, also to accommodate the needs of other SMT solvers adopting the format.

This is one of the main contributions, besides techniques for quantifier instantiation and strategy learning, of Hans-Jörg Schurr's PhD thesis 52, defended in October 2022. During his post-doctoral research in the cvc5 team (Iowa and Stanford), Hans-Jörg Schurr will continue to work notably on proofs for SMT.

We are part of a group developing a framework for formal refutational completeness proofs of abstract provers that implement automated reasoning calculi, especially calculi based on saturation such as ordered resolution and superposition. In previous work, we published a framework that fully captures the dynamic aspects of proof search with a saturation calculus. This framework covers clause splitting as supported by modern superposition provers with the help of a SAT solver. In particular, our formalization revealed some completeness issues with the theorem prover Vampire.

This year, we extended the Isabelle formalization by representations of the main loops of saturation-based theorem provers and their fairness conditions. In the process, we found and repaired several issues with the (in fact, our own) description of the Zipperposition loop, a novel loop that handles inferences producing an infinite stream of conclusions. In parallel, Martin Desharnais, for his PhD thesis, is working on an instantiation of this framework for the superposition calculus as formalized by Nicolas Peltier in the Archive of Formal Proofs, a repository of Isabelle/HOL mechanizations 85. We also made progress on the Isabelle/HOL mechanization of the framework with clause splitting. Florent Krasnopol, a student of ENS Saclay, contributed to this endeavor during his first-year internship. The last two pieces of work are still ongoing, while the first one was completed in 2022 and a conference submission on it is being prepared.

In previous work, we designed a superposition calculus for higher-order logic
and implemented it in a prototype called Zipperposition. Now, we designed and
developed an extension of the high-performance first-order prover E
86 with this higher-order calculus. When extending E, we used
the extensive experience with Zipperposition to choose a set of effective
rules that could easily be retrofitted into an originally first-order prover.
A key challenge was gracefulness: we made sure that our changes do not impact the strong first-order performance of E.

E helped us win the first-place trophy at the CADE ATP System Competition (CASC), ahead of Zipperposition, in the Sledgehammer division of the 2022 edition of the competition. This confirms that an optimized implementation inside a competitive prover such as E, SPASS, or Vampire can outperform existing higher-order automated provers. A publication on this research has just been accepted and will be presented at the TACAS 2023 conference.

A clause is relevant for a refutation with respect to an unsatisfiable clause
set if it occurs in all refutation proofs. It is semi-relevant if it occurs in
at least one refutation proof.
We have shown that the
question whether a clause

We previously showed that the SCL (Clause Learning from Simple Models) calculus can be successfully applied through a Datalog hammer to first-order logic modulo theories 34. It was an open question whether SCL can be effectively extended to first-order logic with equality. This requires an interpretation of the simple ground model assumption with respect to equality. We could show that all syntactic operations on the simple ground model assumption can be lifted modulo equality and eventually be incorporated in a sound, complete, and effective SCL calculus for full first-order logic with equality 46. In parallel, a mechanization effort for SCL without equality in Isabelle/HOL has been started by Martin Desharnais, as part of his PhD.

Cyclic induction is a powerful reasoning technique that consists in
discharging certain subgoals that were already encountered during the proof
process. In the setting of first-order logic with inductive definitions and
equality, cyclic proofs can be produced automatically, for instance by the
Cyclist prover, but the implementations are error-prone and the human
validation of cyclic proofs may be tedious.

We developed techniques for checking, using Coq, the cyclic proofs produced by E-Cyclist (cf. section 6.1), an extension of the Cyclist theorem prover, relying on the general Noetherian induction principle that is available in Coq. In this way, cyclic proofs of first-order formulas with inductive definitions and equality can be certified. We validated the approach on proofs produced by E-Cyclist, as well as on the 2-Hydra problem. The datasets generated and/or analyzed during this study, in particular the full Coq specifications and proof scripts, are archived and made available on the Web.

Abduction is the process of explaining new observations using background knowledge. It is central to knowledge discovery and knowledge processing and has been intensely studied in various domains such as artificial intelligence, philosophy and logic. In the description logic literature, abduction has received little attention, despite being recognised as important for ontology repair, query update and matchmaking.

As part of his PhD, Fajar Haifani finalized in 2022 a technique for abduction
in the lightweight description logic EL.
In a joint work with P. Koopmann (TU Dresden), W. Del-Pinto and R. Schmidt (Univ. Manchester), we are also
working on an extended version of an earlier work on abduction in an
expressive description logic.
In her PhD work, Rosalie Defourné investigates encodings of the non-temporal
theory of TLA+ in the input languages of automated theorem provers for
first-order and higher-order logic, including SMT solvers and Zipperposition.
The current SMT backend of the TLA+ Proof System TLAPS heavily relies on
simplification techniques such as rewriting and term abstraction in order to
transform TLA+ proof obligations into the input language of SMT solvers.
Although these techniques are quite powerful, they destroy the structure of
the original formulas, and the inherent danger of unsoundness or loss of
termination makes it hard to maintain them. The approach proposed in this work
consists in axiomatizing TLA+ set theory in the SMT language and in
adding suitable triggers that guide the instantiation of quantifiers. It has
been validated over an extensive corpus of existing TLA+ proofs,
demonstrating that it is at least as effective as the existing backend and
sometimes outperforms it significantly. Moreover, the
addition of trigger annotations cannot invalidate the soundness of the
axiomatization, which should help in longer-term maintenance of the proof
backend. A paper describing this work has been submitted for publication, and
the code is intended to replace the existing SMT backend of TLAPS.
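The idea can be illustrated by a hypothetical SMT-LIB fragment (the symbol names are illustrative and not those actually used by TLAPS): set-theoretic operators are declared as uninterpreted functions over a sort of TLA+ values, and each axiom carries a :pattern annotation so that the solver instantiates it only when a matching term occurs in the proof obligation.

```smt
; Uninterpreted sort of TLA+ values, with membership and union
(declare-sort U 0)
(declare-fun mem (U U) Bool)
(declare-fun union (U U) U)

; Axiom for set union; the :pattern trigger restricts instantiation
; to membership queries about union terms actually present in the goal
(assert (forall ((x U) (S U) (T U))
  (! (= (mem x (union S T))
        (or (mem x S) (mem x T)))
     :pattern ((mem x (union S T))))))
```

Because triggers only restrict when an axiom is instantiated, adding or tuning them cannot make a sound axiomatization unsound.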

A key problem in proving refinement between two specifications of a system at
different levels of abstraction is to assign suitable values to internal
values of the high-level specification, given an execution of the low-level
specification. It is well known that the standard technique of refinement
mappings is incomplete; in their classic paper “The Existence of
Refinement Mappings” 62, Abadi and Lamport
introduced the concept of auxiliary variables and proved the technique to be
complete under certain conditions. In joint work with Leslie Lamport
(Microsoft Research), we introduce simpler rules for prophecy variables that
predict a certain event, as well as rules for combining auxiliary variables.
We demonstrate how our rules can be used in a linearizability proof, and prove
unrestricted (relative) completeness of our technique. Our paper was published
in ACM Transactions on Programming Languages and Systems
17.

System engineering advocates a thorough understanding of the engineering domain or certification standards (aeronautics, railway, medical, etc.) associated with the system under design. In this context, engineering domain knowledge plays a predominant role in system design and/or certification, and this knowledge should be made explicit in the corresponding formal design models. Using external theories, we introduce a formal method based on Event-B for describing and setting up domain-specific behavioral analyses 49, 19. We obtain a formal verification technique for dynamic properties entailed by engineering domain knowledge, where Event-B formal models are annotated and analyzed in a non-intrusive way, i.e. without destructive alteration. The method is based on formalizing analyses of behavioral properties that rely on domain knowledge, given as an ontology on the one hand and a meta-theory for Event-B on the other. The proposed method is illustrated on a critical interactive system.

F3FLUID (Formal Framework For FLUID) 19 is a unified formal framework for the development of safety-critical interactive systems; it was developed in the ANR project FORMEDICIS. The framework is based on FLUID (Formal Language of User Interface Design), a pivot modeling language defined in the FORMEDICIS project and targeted at expressing high-level system requirements for interactive systems. This modeling language is specifically designed for handling concepts of safety-critical interactive systems, including domain knowledge. A FLUID model is used as a source model for the generation of several target models in different modeling languages that support formal verification methods such as theorem proving and model checking. We use the Event-B modeling language for checking functional behaviors, user interactions, safety properties, and domain properties. A FLUID model is transformed into an Event-B model, and the Rodin tool is then used to check its internal consistency with respect to the given safety properties. We describe the operational semantics of the FLUID language and the transformation strategy of FLUID models into Event-B models, including the tool development. We use the ProB model checker to analyse temporal properties and to animate the formal specification. In addition, an Interactive Cooperative Objects (ICO) model is derived from the Event-B model for animation, visualization and validation of dynamic behaviors, visual properties and task analysis. Finally, an industrial case study complying with the ARINC 661 standard, Multi-Purpose Interactive Applications (MPIA), is used to illustrate the effectiveness of our F3FLUID framework for the development of safety-critical interactive systems.

Whenever continuous dynamics and discrete control interact, hybrid systems arise. As hybrid systems become ubiquitous and more and more complex, analysis and synthesis techniques are in high demand to design safe hybrid systems. This is however challenging due to the nature of hybrid systems and their designs, and the question of how to formulate and reason about their safety problems. Previous work has demonstrated how to extend the discrete modeling language Event-B with support for continuous domains to integrate traditional refinement in hybrid system design. We now propose a strategy that can coherently refine an abstract hybrid system design with safety constraints down to a concrete one, integrated with implementable discrete control, that can behave safely. We demonstrate our proposal on a smart heating system that regulates room temperature between two references.

Any given programming language may come with several semantics definitions, such as big-step, small-step, or even abstract machines, which can be seen as implementations of a language. They all describe the same program behaviors, but each may be better suited for some purpose: for instance, small-step semantics are better adapted for proving subject reduction.

To have access to all kinds of semantics at once, we develop transformations between semantics to be able to generate one from the other at no extra cost for the language designer. We propose a transformation from big-step to small-step semantics and certify its correctness using Coq certificates: for a given input language in big-step, we generate the small-step semantics and a Coq proof script that shows the correspondence between the two semantics 27. We also develop a certified transformation from big-step to abstract machines 26. Finally, we generate abstract machines in a generic and complete way for non-deterministic languages such as process calculi 33, for which only ad hoc and partial implementations existed so far.
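The correspondence between the two styles can be illustrated on a toy arithmetic language (a simplified Python sketch; the actual transformation operates on full semantics definitions and emits Coq certificates):

```python
# Toy arithmetic language: terms are ("num", n) or ("add", t1, t2).

def big_step(t):
    """Big-step: evaluate a term to its final value in one judgment."""
    if t[0] == "num":
        return t[1]
    return big_step(t[1]) + big_step(t[2])

def small_step(t):
    """Small-step: perform exactly one reduction; values do not reduce."""
    if t[0] == "num":
        return None
    _, l, r = t
    if l[0] != "num":                 # reduce the left operand first
        return ("add", small_step(l), r)
    if r[0] != "num":                 # then the right operand
        return ("add", l, small_step(r))
    return ("num", l[1] + r[1])      # both operands are values: add them

def run(t):
    """Iterate small steps to a normal form."""
    while t[0] != "num":
        t = small_step(t)
    return t[1]
```

For any term, `big_step(t)` and `run(t)` agree; the certified transformation produces, for a given big-step input, both the small-step rules and a Coq proof of exactly this kind of correspondence.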

From compilation to many approaches of code analysis and formal verification, program transformations are both ubiquitous and critical to properly functioning programs and information systems. In the context of formal verification, it is often necessary to characterize the shape of the result of these transformations. In a typed context, the underlying type system provides syntactic guarantees on the form of these terms by exhibiting, among others, the constructor symbols that they can contain. On the other hand, when performing (program) transformations we often want to eliminate some symbols and, more generally, to ensure that some patterns are absent from the result of the transformation. We have proposed 51 a formalism, based on the notions of pattern matching and rewriting, to express such properties. The proposed approach relies on annotations on function symbols to express a set of specifications describing the expected behavior of the associated functions. Using a rewrite system to encode the considered transformation, we introduced a static analysis method to verify that the rewrite system is indeed consistent with the respective annotations, in order to conclude that the transformation actually satisfies the given specifications.
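As a toy illustration of pattern absence (a hypothetical Python sketch, not the formalism of 51): the transformation to negation normal form eliminates negations above connectives, and a check confirms that the pattern is absent from the transformed term (the actual method verifies this statically on the rewrite system itself):

```python
# Formulas as tuples: ("lit", name), ("neg", t), ("and", l, r), ("or", l, r).
# The transformation pushes "neg" down to the leaves; the property to
# guarantee is that no "neg" remains above an "and" or "or".

def to_nnf(t):
    op = t[0]
    if op == "neg":
        s = t[1]
        if s[0] == "and":   # de Morgan: neg(and) -> or of negations
            return ("or", to_nnf(("neg", s[1])), to_nnf(("neg", s[2])))
        if s[0] == "or":    # de Morgan: neg(or) -> and of negations
            return ("and", to_nnf(("neg", s[1])), to_nnf(("neg", s[2])))
        if s[0] == "neg":   # double negation elimination
            return to_nnf(s[1])
        return t            # negation on a literal is allowed to stay
    if op in ("and", "or"):
        return (op, to_nnf(t[1]), to_nnf(t[2]))
    return t

def pattern_absent(t):
    """Check the specification: no Neg applied to And/Or anywhere."""
    if t[0] == "neg" and t[1][0] in ("and", "or"):
        return False
    return all(pattern_absent(s) for s in t[1:] if isinstance(s, tuple))
```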

Computing strongly connected components (SCCs) in a graph is a fundamental algorithmic problem that also underlies algorithms for automated system verification by model checking. State-of-the-art algorithms are based on depth-first search, and they are therefore difficult to parallelize. In his PhD thesis 70, Bloemen introduces a novel variant of Dijkstra's SCC algorithm, together with clever data structures suitable for implementations on multi-core architectures. We contributed to ongoing efforts for the formal verification of this algorithm.

During a research project at École des Mines, we formulated a sequential version of the algorithm as two mutually recursive functions in the proof assistant Isabelle/HOL, and we stated suitable pre- and postconditions that allowed us to prove the partial correctness of the algorithm. We also proved that the algorithm terminates for finite graphs. The formal proofs have been published in the Archive of Formal Proofs.
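For reference, the sequential algorithm can be sketched as follows (a compact Python rendering of the classical path-based SCC scheme on which Dijkstra's algorithm builds; the verified Isabelle/HOL development is considerably more detailed):

```python
# Path-based strongly connected components: one DFS, two stacks.

def path_based_scc(graph):
    """graph: dict mapping each vertex to a list of successors."""
    preorder = {}      # DFS discovery numbers
    stack = []         # visited vertices not yet assigned to an SCC
    boundary = []      # roots of candidate components on the current path
    assigned = set()
    sccs = []

    def dfs(v):
        preorder[v] = len(preorder)
        stack.append(v)
        boundary.append(v)
        for w in graph.get(v, []):
            if w not in preorder:
                dfs(w)
            elif w not in assigned:
                # a back edge merges candidate components on the path
                while preorder[boundary[-1]] > preorder[w]:
                    boundary.pop()
        if boundary[-1] == v:          # v is the root of a complete SCC
            boundary.pop()
            component = set()
            while True:
                u = stack.pop()
                component.add(u)
                assigned.add(u)
                if u == v:
                    break
            sccs.append(component)

    for v in graph:
        if v not in preorder:
            dfs(v)
    return sccs
```

The two mutually recursive functions of the Isabelle formalization correspond to the outer loop over successors and the recursive visit in this sketch.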

In joint work with Jaco van de Pol (University of Aarhus), we also worked
on the verification of parallel versions of the algorithm. We represented the
algorithm in TLA+ at two different abstraction levels, corresponding to
different grains of atomicity, and verified a number of invariants using model
checking and the TLAPS proof assistant.

The specification language TLA+ is supported by three main verification
tools: the explicit-state model checker TLC, the symbolic SMT-based model
checker Apalache, and the interactive proof assistant TLAPS. In joint work
with Igor Konnov (Informal Systems) and Markus Kuppe (Microsoft Research), we
explore the complementary strengths and weaknesses of these tools, using two
specifications of an algorithm for distributed termination detection due to
Safra, expressed at two levels of abstraction. Whereas TLC is very easy to use
and can verify properties of small instances of specifications, it suffers
from state-space explosion. Apalache performs
bounded model checking and becomes quite slow when exploring prefixes of
executions beyond a handful of transitions due to the growth of the size of
SMT constraints. However, it is very useful for checking candidates for
inductive invariants where only one transition needs to be considered, and can
in that case handle instances with up to 100 active nodes. Finally, TLAPS is
not limited by the size of the considered instances, but requires the user to
write a proof whose correctness is then checked by the system. The properties
of interest include both safety and liveness properties, making good use of
the recently added functionality in TLAPS for handling fairness and liveness
conditions. Our experience allows us to suggest a methodology for applying the
different tools to different aspects of system verification. A paper
describing our findings was published at ISOLA 45, and
our specifications and proofs are available on
GitHub.

In joint work with the groups of Markus Kroetzsch and Christof Fetzer
(Technical University of Dresden), we continued our work on automated
reasoning for the so-called SUPERLOG (Supervisor Logic) fragment, which is
meant to provide a basis for formalizing abstract control algorithms found in
ECUs (Electronic Control Units). The language comes with support for fully
automated verification and also for execution 74.
Technically, SUPERLOG is an extension of the (Horn) first-order
Bernays-Schoenfinkel fragment with arithmetic constraints. It extends the
well-known SMT fragment with universally quantified variables. In addition to the
already developed sound and complete calculus for the SUPERLOG language and a
previously developed Datalog hammer
73, 71 reducing
universally as well as existentially quantified queries to plain Datalog, we
now refined our hammer with a soft typing discipline. It still outperforms any
available state-of-the-art technique and improves our previous results by
several orders of magnitude. We successfully applied the hammer not only to
the ECU scenario but also to a lane change assistant of a car
34. The SUPERLOG language can also be executed by
a hierarchic superposition-based interpreter. We improved the performance of
the interpreter by several orders of magnitude as well, by providing fast
redundancy tests 35.
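To give a flavor of the target language of such a reduction, here is a minimal naive bottom-up Datalog evaluator in Python (a didactic sketch; the actual hammer and its encoding of arithmetic constraints are far more sophisticated):

```python
# Naive bottom-up Datalog: apply all rules to the database until fixpoint.
# Facts are tuples like ("edge", "a", "b"); a rule is (head, [body atoms]),
# where variables are strings starting with an uppercase letter.

def is_var(t):
    return isinstance(t, str) and t[:1].isupper()

def match(atom, fact, subst):
    """Extend subst so that atom matches fact, or return None."""
    if atom[0] != fact[0] or len(atom) != len(fact):
        return None
    s = dict(subst)
    for a, f in zip(atom[1:], fact[1:]):
        if is_var(a):
            if a in s and s[a] != f:
                return None
            s[a] = f
        elif a != f:
            return None
    return s

def evaluate(facts, rules):
    db = set(facts)
    while True:
        new = set()
        for head, body in rules:
            substs = [{}]
            for atom in body:          # join the body atoms left to right
                substs = [s2 for s in substs for f in db
                          for s2 in [match(atom, f, s)] if s2 is not None]
            for s in substs:
                derived = (head[0],) + tuple(s.get(t, t) for t in head[1:])
                if derived not in db:
                    new.add(derived)
        if not new:                    # fixpoint reached
            return db
        db |= new
```

A universally quantified query is answered by checking which instances of the query predicate end up in the fixpoint.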

In 15, we considered timed games with costs on both transitions and states. Existing work mostly focused on systems where the costs are restricted to non-negative values, thus failing to represent, for instance, both energy consumption and production. We showed how to solve these games under some usual restrictions over clocks and resets.

In 12, we considered theoretical problems related to reachability and liveness in (subclasses of) parametric timed automata, exhibiting the frontier between decidability and undecidability.

In 29, 31, we proposed new algorithms using convex merging and zone extrapolations to synthesize parameter valuations in parametric timed automata much more efficiently than in the past. Our algorithms were implemented and demonstrated on a library of benchmarks.

We developed a tool 28 based on IMITATOR that detects when one can ensure, through a simple form of control, that a given timed automaton is timed opaque (a security property) and which, in the positive case, builds this control.

In 40, we proposed new monitoring algorithms to monitor the (offline or online) behavior of cyber-physical systems treated as black boxes, with no knowledge of their internals. We do however add the very rough knowledge of a “bounding model” to eliminate spurious violation detections. Several approaches were proposed, with different domains of application.

In 30, we exemplify a specification, given in the form of a quantitative extension of automata involving real-valued signals, by exhibiting concrete sample runs.

Loops are a fundamental staple of any programming language, and the study of
loops plays a pivotal role in many subfields of computer science, including
automated verification, abstract interpretation, program analysis, semantics,
etc. Modeling loops as simple linear dynamical systems, we studied in
44 which kinds of properties formulated in Monadic
Second-Order Logic can be checked over the evolution of a loop. In
32, we parameterized our model, allowing for instance
a more accurate representation of the unknown variables that could affect the
behavior of a loop. This work aimed at synthesizing the values of the
parameters for which a loop satisfies a given property.

Proving the termination of a loop is one of the main properties that one may want to check. In 47 we considered loops (once again modeled as linear dynamical systems) that were already guaranteed to terminate. Despite this guarantee, one could remain within these loops for a very long time. Our result provides a tight bound on the number of iterations within the loop before which the system escapes. We required this bound to be independent of the initial values of the variables (at least when such a bound exists).
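The flavor of such escape bounds can be shown on a toy loop (an illustrative sketch, unrelated to the actual proof techniques of 47): for the rotation x, y := -y, x with guard x ≥ 0, every nonzero initial state escapes within three iterations, a bound independent of the initial values.

```python
def escape_steps(x, y, max_iter=10):
    """Iterate (x, y) -> (-y, x), a rotation by 90 degrees, while x >= 0.
    Returns the number of iterations performed before the guard fails.
    The zero vector never escapes, hence the max_iter safety cap."""
    steps = 0
    while x >= 0 and steps < max_iter:
        x, y = -y, x
        steps += 1
    return steps
```

Since each iteration rotates the state by 90 degrees and the guard describes a closed half-plane (a 180-degree sector), no nonzero point can satisfy the guard four times in a row: the bound 3 holds uniformly over all nonzero initial states.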

Abstracting the complex behavior of a system is one of the causes leading to non-deterministic modeling. In 36 we consider the evolution of non-deterministic linear dynamical systems in the form of weighted automata. We establish when and how we can detect whether such systems diverge or converge to 0.

In the course of our research line on Biological Systems we are applying automated reasoning to problems such as sustained oscillations and Hopf bifurcations, multi-stationarity, multi-scale model reduction, dynamical invariants, and structural properties of steady state varieties. Compared to numerical analysis and simulation, our approach provides not only quantitative but also qualitative results about network dynamics, to some extent in parametric settings. Our focus has been on reaction networks in the sense of chemical reaction network theory 75. Such networks are usually stored and exchanged in the Systems Biology Markup Language (SBML), a free, open and standardized XML-based format 78. However, on the one hand, formal methods do not utilize the full information contained in SBML models. For instance, SBML was designed with a focus on network simulation and supports corresponding concepts like events and initial assignments, which are not natural from our point of view. On the other hand, our automated reasoning is based on symbolic computation, which operates on formal objects like polynomials, exact rational numbers, and ordinary differential equations (ODEs), which are not readily available in SBML. For instance, ODEs describing differential network kinetics can be modeled as pieces of code to be used with numerical solvers instead of mathematical expressions accessible for formal methods.

The rigorous construction of suitable formal models requires joint competence and combined efforts from computer science, mathematics, and biology. Not only resolving but even recognizing issues is a challenge with every single model considered. Software tool chains must be integrated with human interaction. Emerging from combined efforts within the SYMBIONT project (9.1.1), we have picked up the challenge and launched the web service ODEbase (6.2.1), which provides reliable input data for formal methods to the research community and brings several benefits.

At the time of writing, ODEbase comprises 660 models, mostly from the renowned biomodels.net online database 82. For further details on the project see 18.

In Section 3.3 we have seen an example of the reduction of the
kinetics of a chemical reaction network to multiple timescales
80. Although general in its implementation, this
reduction method can fail in a number of cases. A major cause of failure is
the degeneracy of the quasi-steady state, when the fast dynamics has a
continuous variety of steady states. Typically, this happens when the fast
truncated ODEs have first integrals, i.e. quantities that are conserved on
any trajectory and that have to be fixed at arbitrary values depending on
the initial conditions. The quasi-steady states are then no longer
hyperbolic, because the Jacobian matrix of the fast part of the dynamics
becomes singular. To address this issue, we have now proposed a concept of
approximate conservation laws, which allows additional reductions.

Technically, this framework requires parametric versions of various established algorithms from symbolic computation. One simple example is the computation of the rank of a matrix with real parameters, which produces a formal finite case distinction in which possible ranks are paired with necessary and sufficient conditions expressed as Tarski formulas. This allows us to identify critical cases with respect to the above-mentioned singularity of the Jacobian. Another example is the use of comprehensive Gröbner bases in the course of the parametric computation of certain syzygy modules. From a practical point of view, a central issue with all such algorithms is the combinatorial explosion of the number of cases.
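As a minimal illustration of such a parametric case distinction (a toy example, not part of the actual tool chain): for M(p) = [[1, p], [p, 1]] the determinant is 1 - p², so the case distinction is rank 2 iff p ∉ {-1, 1}, and rank 1 otherwise. The sketch below confirms the split on sample rational values.

```python
from fractions import Fraction

def rank_2x2(m):
    """Rank of a 2x2 matrix over the rationals, using exact arithmetic."""
    (a, b), (c, d) = m
    if a * d - b * c != 0:           # nonzero determinant: full rank
        return 2
    if any(x != 0 for x in (a, b, c, d)):
        return 1
    return 0

def rank_cases(sample_values):
    """Evaluate the rank of M(p) = [[1, p], [p, 1]] at sample parameters.
    The symbolic tool chain would instead return the Tarski-formula case
    split {p^2 != 1 -> rank 2, p^2 = 1 -> rank 1} directly."""
    return {p: rank_2x2([[Fraction(1), p], [p, Fraction(1)]])
            for p in sample_values}
```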

We use SMT solving as well as real quantifier elimination methods to detect inconsistent cases and prune the tree of case distinctions early. The decision procedures used are typically double exponential and can easily turn into a bottleneck preventing termination within reasonable time altogether, in particular when the degrees of polynomial terms get larger. Since the results remain correct also without the elimination of some redundant cases, we combine various methods and use suitable timeouts. This work in progress has led to two preprints so far 54, 55.

The Max Planck Institute for Informatics (MPI-INF) and Logic 4 Business GmbH (L4B) have signed a cooperation contract. Its subject is the application of automated reasoning methods to product complexity management, in particular in the car industry. MPI-INF is providing software and know-how, L4B is providing real-world challenges. The agreement involves Martin Bromberger and Christoph Weidenbach. The company L4B was successfully sold in 2021 to an industrial partner.

Matryoshka project on cordis.europa.eu

The PhD thesis of Rosalie Defourné is partly funded by Région Grand Est.

Dominique Méry was co-chair of the conferences MEMOCODE and ABZ.

Sophie Tourret was workshop co-chair of the conference IJCAR (International Joint Conference on Automated Reasoning).

Jasmin Blanchette was co-chair of the program committee of the conference IJCAR (International Joint Conference on Automated Reasoning).