## Section: Scientific Foundations

### Verification

Verification in its full generality consists in checking that a
system, which is specified by a formal model, satisfies a required
property. Verification takes place in our research in two ways: on
the one hand, a large part of our work, and in particular controller
synthesis and conformance testing, relies on the ability to solve
some verification problems. Many of these problems reduce to
reachability and coreachability questions on a formal model (a state
$s$ is *reachable from an initial state ${s}_{i}$* if an execution
starting from ${s}_{i}$ can lead to $s$; $s$ is *coreachable from a
final state ${s}_{f}$* if an execution starting from $s$ can lead to
${s}_{f}$). These are important cases of verification problems, as they
correspond to the verification of safety properties.

On the other hand we investigate verification on its own in the context of complex systems. For expressivity purposes, it is necessary to be able to describe faithfully and to deal with complex systems. Some particular aspects require the use of infinite state models. For example asynchronous communications with unknown transfer delay (and thus arbitrary large number of messages in transit) are correctly modeled by unbounded FIFO queues, and real time systems require the use of continuous variables which evolve with time. Apart from these aspects requiring infinite state data structure, systems often include uncertain or random behaviours (such as failures, actions from the environment), which it make sense to model through probabilities. To encompass these aspects, we are interested in the verification of systems equipped with infinite data structures and/or probabilistic features.

When the state space of the system is infinite, or when we try to evaluate performances, standard model-checking techniques (essentially graph algorithms) are not sufficient. For large or infinite state spaces, symbolic model-checking or approximation techniques are used. Symbolic verification is based on efficient representations of sets of states and permits exact model-checking of some well-formed infinite-state systems. However, for feasibility reasons, it is often mandatory to use approximate computations, either by computing a finite abstraction and resort to graph algorithms, or preferably by using more sophisticated abstract interpretation techniques. For systems with stochastic aspects, a quantitative analysis has to be performed, in order to evaluate the performances. Here again, either symbolic techniques (e.g. by grouping states with similar behaviour) or approximation techniques should be used.

We detail below verification topics we are interested in: abstract interpretation, quantitative model-checking and analysis of systems defined by graph grammars.

#### Abstract interpretation and data handling

Most problems in test generation or controller synthesis reduce to
state reachability and state coreachability problems which can be
solved by fixpoint computations of the form $x=F\left(x\right),x\in C$ where
$C$ is a lattice. In the case of reachability analysis, if we denote
by $S$ the state space of the considered program, $C$ is the lattice
$\wp \left(S\right)$ of sets of states, ordered by inclusion, and $F$ is roughly
the “*successor states*” function defined by the program.

The big change induced by taking into account the data and not only the (finite) control of the systems under study is that the fixpoints become uncomputable. The undecidability is overcome by resorting to approximations, using the theoretical framework of Abstract Interpretation [24] . The fundamental principles of Abstract Interpretation are:

to substitute to the

*concrete domain*$C$ a simpler*abstract domain*$A$ (static approximation) and to transpose the fixpoint equation into the abstract domain, so that one has to solve an equation $y=G\left(y\right),y\in A$;to use a

*widening operator*(dynamic approximation) to make the iterative computation of the least fixpoint of $G$ converge after a finite number of steps to some upper-approximation (more precisely, a post-fixpoint).

Approximations are conservative so that the obtained result is an
upper-approximation of the exact result.
In simple cases the state space that should be
abstracted has a simple structure, but this may be more complicated
when variables belong to different data types (Booleans, numerics,
arrays) and when it is necessary to establish *relations* between
the values of different types.

#### Model-checking quantitative systems

Model-checking techniques for finite-state systems are now quite developed, and a current challenge is to adapt them as much as possible to infinite-state systems. We detail below two types of models we are interested in: timed automata and infinite-state probabilistic systems.

**Model-checking timed automata** The model of timed automata,
introduced by Alur and Dill in the 90's [22] is commonly
used to represent real-time systems. Timed automata consist of an
extension of finite automata with continuous variables, called clocks,
that evolve synchronously with time, and can be tested and reset along
an execution. Despite their uncountable state space, checking
reachability, and more generally $\omega $-regular properties, is
decidable *via* the construction of a finite abstraction, the
so-called region automaton. The recent developments in model-checking
timed automata have aimed at modelling and verifying quantitative
aspects encompassing timing constraints, for example costs,
probabilities, frequencies. These quantitative questions demand
advanced techniques that go far beyond the classical methods.

**Model-checking infinite state probabilistic systems**
Model-checking techniques for finite state probabilistic systems are
now quite developed. Given a finite state Markov chain, for example,
one can check whether some property holds almost surely (i.e. the set
of executions violating the property is negligible), and one can even
compute (or at leat approximate as close as wanted) the probability
that some property holds. In general, these techniques cannot be
adapted to infinite state probabilistic systems, just as
model-checking algorithms for finite state systems do not carry over
to infinite state systems. For systems exhibiting complex data
structures (such as unbounded queues, continuous clocks) and
uncertainty modeled by probabilities, it can thus be hard to design
model-checking algorithms. However, in some cases, especially when
considering qualitative verification, symbolic methods can lead to
exact results. Qualitative questions aim neither at computing nore at
approximating a probability, but are only concerned with almost-sure
or non neglectible behaviours (that is events of probability either
one or non zero). In some cases, qualitative model-checking can be
derived from a combination of techniques for infinite state systems
(such as abstractions) with methods for finite state probabilistic
systems. However, when one is interested in computing (or rather
approximating) precise probability values (neither 0 nor 1), exact
methods are scarce. To deal with these questions, we either try to
restrict to classes of systems where exact computations can be made,
or look for approximation algorithms.

#### Analysis of infinite state systems defined by graph grammars

Currently, many techniques (reachability, model checking, ...) from finite state systems have been generalised to pushdown systems, that can be modeled by graph grammars. Several such extensions heavily depend on the actual definition of the pushdown automata, for example, how many top stack symbols may be read, or whether the existence of $\epsilon $-transitions (silent transitions) is allowed. Many of these restrictions do not affect the actual structure of the graph, and interesting properties like reachability or satisfiability (of a formula) only depend on the structure of a graph.

Deterministic graph grammars enable us to focus on structural properties of systems. The connection with finite graph algorithms is often straightforward: for example reachability is obtained by iterating the finite graph algorithm iterated on the right hand sides of the rules. On the other hand, extending these grammars with time or probabilities is not straightforward: qualitative values associated to different copies (in the graph) of the same vertex (in the grammar) may differ, introducing complex equations. Furthermore, the fact that the left-hand sides of rules are single hyperarcs is a strong restriction. But removing this restriction would lead to non-recursive graphs. Identifying decidable families of graphs defined by contextual graph grammars is also very challenging.