2023Activity reportProjectTeamVERIDIS
RNSR: 201020692C Research center Inria Centre at Université de Lorraine
 In partnership with:CNRS, Université de Lorraine, MaxPlanckInstitut für Informatik Saarbrücken
 Team name: Modeling and Verification of Distributed Algorithms and Systems
 In collaboration with:Laboratoire lorrain de recherche en informatique et ses applications (LORIA)
 Domain:Algorithmics, Programming, Software and Architecture
 Theme:Proofs and Verification
Keywords
Computer Science and Digital Science
 A2.1.1. Semantics of programming languages
 A2.1.4. Functional programming
 A2.1.7. Distributed programming
 A2.1.11. Proof languages
 A2.2. Compilation
 A2.4. Formal method for verification, reliability, certification
 A2.4.1. Analysis
 A2.4.2. Modelchecking
 A2.4.3. Proofs
 A2.5. Software engineering
 A4.5. Formal methods for security
 A7.2. Logic in Computer Science
 A8.4. Computer Algebra
Other Research Topics and Application Domains
 B6.1. Software industry
 B6.1.1. Software engineering
 B6.3.2. Network protocols
 B6.6. Embedded systems
1 Team members, visitors, external collaborators
Research Scientists
 Stephan Merz [Team leader, INRIA, Senior Researcher, HDR]
 Engel Lefaucheux [INRIA, ISFP]
 Thomas Sturm [CNRS, Senior Researcher, HDR]
 Sophie Tourret [INRIA, Researcher]
 Uwe Waldmann [MAX PLANCK SOCIETY, Senior Researcher]
 Christoph Weidenbach [MAX PLANCK SOCIETY, Senior Researcher, HDR]
Faculty Members
 Horatiu Cirstea [UL, Professor, HDR]
 Marie DuflotKremer [UL, Associate Professor]
 Sergueï Lenglet [UL, Associate Professor, until Aug 2023]
 PierreÉtienne Moreau [UL, Professor, HDR]
 Dominique Méry [UL, Professor, HDR]
 Victor Roussanaly [UL]
 Sorin Stratulat [UL, Associate Professor, HDR]
PostDoctoral Fellows
 Martin Bromberger [Max Planck Society]
 Sibylle Möhle [Max Planck Society]
PhD Students
 Thomas Bagrel [Tweag, CIFRE]
 Ghilain Bergeron [INRIA, from Oct 2023]
 Alessio Coltellacci [INRIA]
 Rosalie Defourne [UL, ATER, until Aug 2023]
 Martin Desharnais [Max Planck Society]
 Hendrik Leidinger [Max Planck Society]
 Lorenz Leutgeb [Max Planck Society]
 Dylan Marinho [UL, until Oct 2023]
 Mohamed Amine Snoussi [Westinghouse, CIFRE, from May 2023]
 Vincent Trelat [INRIA, from Oct 2023]
Technical Staff
 Benjamin Loillier [INRIA, Engineer, from Feb 2023 until Sep 2023]
 Benjamin Loillier [UL, Engineer, until Jan 2023]
Interns and Apprentices
 Ghilain Bergeron [UL, Intern, from Mar 2023 until Sep 2023]
 Anton Danilkin [INRIA, Intern, from Jun 2023 until Aug 2023]
 Romain Nicolas [UL, Intern, from Apr 2023 until Jun 2023]
 Isaline Plaid [ENS DE LYON, Intern, from Jun 2023 until Jul 2023]
 Juliette Schilling [UL, Intern, from Apr 2023 until Jun 2023]
Administrative Assistants
 Juline Brevillet [UL, from Apr 2023]
 Sophie Drouot [INRIA, until Jun 2023]
 Sylvie Hilbert [CNRS, until Mar 2023]
 Jennifer Müller [Max Planck Society]
 Cecilia Olivier [INRIA, from Jul 2023]
External Collaborator
 Pascal Fontaine [Univ. Liège, HDR]
2 Overall objectives
The VeriDis project team includes members of the Formal Methods department at LORIA, the computer science laboratory in Nancy, and members of the research group Automation of Logic at Max Planck Institut für Informatik in Saarbrücken. It is headed by Stephan Merz and Christoph Weidenbach. VeriDis was created in 2010 as a local research group of Inria Nancy – Grand Est and has been an Inria project team since July 2012.
The objectives of VeriDis are to contribute to advances in verification techniques, including automated and interactive theorem proving, and to make them available for the development and analysis of concurrent and distributed algorithms and systems, based on mathematically precise and practically applicable development methods. The techniques that we develop are intended to assist designers of algorithms and systems in carrying out formally verified developments, where proofs of relevant properties, as well as bugs, can be found with a high degree of automation.
Within this context, we work on techniques for automated theorem proving for expressive languages based on firstorder logic, with support for theories (including fragments of arithmetic or of set theory) that are relevant for specifying algorithms and systems. Ideally, systems and their properties would be specified using highlevel, expressive languages, errors in specifications would be discovered automatically, and finally, full verification could also be performed completely automatically. Due to the fundamental undecidability of the problem, this cannot be achieved in general. Nevertheless, we have observed important advances in automated deduction in recent years, to which we have contributed. These advances suggest that a substantially higher degree of automation can be achieved over what is available in today's tools supporting deductive verification. Our techniques are developed within SMT (satisfiability modulo theories) solving and firstorder logic reasoning based on superposition, the two main frameworks of contemporary automated reasoning that have complementary strengths and weaknesses, and we are interested in making them converge when appropriate. Techniques developed within the symbolic computation domain, such as algorithms for quantifier elimination for appropriate theories, are also relevant, and we are working on integrating them into our portfolio of techniques. In order to handle expressive input languages, we are working on techniques that encompass tractable fragments of higherorder logic, for example for specifying inductive or coinductive data types, for automating proofs by induction, or for handling collections defined through a characteristic predicate.
Since full automatic verification remains elusive, another line of our research targets interactive proof platforms. We intend these platforms to benefit from our work on automated deduction by incorporating powerful automated backends and thus raise the degree of automation beyond what current proof assistants can offer. Since most conjectures stated by users are initially wrong (due to type errors, omitted hypotheses or overlooked border cases), it is also important that proof assistants be able to detect and explain such errors rather than letting users waste considerable time in futile proof attempts. Moreover, increased automation must not come at the expense of trustworthiness: skeptical proof assistants expect to be given an explanation of the proof found by the backend prover that they can certify.
Model checking is also an established and highly successful technique for verifying systems and for finding errors. Our contributions in this area more specifically target quantitative, in particular timed or probabilistic systems. A specificity of VeriDis is notably to consider partially specified systems, using parameters, in which case the verification problem becomes the synthesis of suitable parameter valuations.
Our methodological and foundational research is accompanied by the development of efficient software tools, several of which go beyond pure research prototypes: they have been used by others, have been integrated in verification platforms developed by other groups, and participate in international competitions. We also validate our work on verification techniques by applying them to the formal development of algorithms and systems. We mainly target highlevel descriptions of concurrent and distributed algorithms and systems. This class of algorithms is by now ubiquitous, ranging from multi and manycore algorithms to large networks and cloud computing, and their formal verification is notoriously difficult. Targeting high levels of abstraction allows the designs of such systems to be verified before an actual implementation has been developed, contributing to reducing the costs of formal verification. The potential of distributed systems for increased resilience to component failures makes them attractive in many contexts, but also makes formal verification even more important and challenging. Our work in this area aims at identifying classes of algorithms and systems for which we can provide guidelines and identify patterns of formal development that makes verification less an art and more an engineering discipline. We mainly target components of operating systems, distributed and cloud services, and networks of computers or mobile devices.
Beyond formal system verification, we pursue applications of some of the symbolic techniques that we develop in other domains. We have observed encouraging success in using techniques of symbolic computation for the qualitative analysis of biological and chemical networks described by systems of ordinary differential equations that were previously only accessible to largescale simulation. Such networks include biological reaction networks as they occur with models for diseases such as diabetes or cancer. They furthermore include epidemic models such as variants and generalizations of SEIR1 models, which are typically used for Influenza A or Covid19. This work is being pursued within a largescale interdisciplinary collaboration. It aims for our work grounded in verification to have an impact on the sciences, beyond engineering, which will feed back into our core formal methods community.
3 Research program
3.1 Automated and Interactive Theorem Proving
The VeriDis team gathers experts in techniques and tools for automatic deduction and interactive theorem proving, and specialists in methods and formalisms designed for the development of trustworthy concurrent and distributed systems and algorithms. Our common objective is twofold: first, we wish to advance the state of the art in automated and interactive theorem proving, and their combinations. Second, we work on making the resulting technology available for the computeraided verification of distributed systems and protocols. In particular, our techniques and tools are intended to support sound methods for the development of trustworthy distributed systems that scale to algorithms relevant for practical applications.
VeriDis members from Saarbrücken are developing the Spass 10workbench. It currently consists of one of the leading automated theorem provers for firstorder logic based on the superposition calculus 56, a theory solver for linear arithmetic 2, a CDCL2 based satisfiability solver and a propositional converter to clausal normal form. Recently we have extended it to a Datalog hammer solving universal and existential queries with respect to a Horn BernaysSchoenfinkel theory modulo linear arithmetic 61, 60.
In a complementary approach to automated deduction, VeriDis members from Nancy work on techniques for integrating reasoners for specific theories. They develop veriT1, an SMT 3 solver that combines decision procedures for different fragments of firstorder logic. The veriT solver is designed to produce detailed proofs; this makes it particularly suitable as a component of a robust cooperation of deduction tools.
Finally, VeriDis members design effective quantifier elimination methods and decision procedures for algebraic theories, supported by their efficient implementation in the Redlog system 5.
An important objective of this line of work is the integration of theories in automated deduction. Typical theories of interest, including fragments of arithmetic, are difficult or impossible to express in firstorder logic. We therefore explore efficient, modular techniques for integrating semantic and syntactic reasoning methods, develop novel combination results and techniques for quantifier instantiation. These problems are addressed from both sides, i.e. by embedding decision procedures into the superposition framework or by allowing an SMT solver to accept axiomatizations for plugin theories. We also develop specific decision procedures for theories such as nonlinear real arithmetic that are important when reasoning about certain classes of (e.g., realtime) systems but that also have interesting applications beyond verification.
We rely on interactive theorem provers for reasoning about specifications at a high level of abstraction when fully automatic verification is not (yet) feasible. An interactive proof platform should help verification engineers lay out the proof structure at a sufficiently high level of abstraction; powerful automatic plugins should then discharge the resulting proof steps. Members of VeriDis have ample experience in the specification and subsequent machineassisted, interactive verification of algorithms. In particular, we participate in a project at the joint Microsoft ResearchInria Centre on the development of methods and tools for the formal proof of specifications written in the TLA+65 language. Our prover relies on a declarative proof language, and calls upon several automatic backends 4. Trust in the correctness of the overall proof can be ensured when the backends provide justifications that can be checked by the trusted kernel of a proof assistant. During the development of a proof, most obligations that are passed to the prover actually fail – for example, because necessary information is not present in the context or because the invariant is too weak, and we are interested in explaining failed proof attempts to the user, in particular through the construction of countermodels.
Members of VeriDis formalize a framework in the proof assistant Isabelle/HOL for representing the correctness and completeness of automated theorem provers. This work encompasses proof calculi such as ordered resolution or superposition, as well as concrete prover architectures such as Otter or DISCOUNT loops. It also covers the most recent splitting techniques that bring proof calculi closer to SMT solvers.
3.2 Formal Methods for Developing and Analyzing Algorithms and Systems
Theorem provers are not used in isolation, but they support the application of sound methodologies for modeling and verifying systems. In this respect, members of VeriDis have gained expertise and recognition in making contributions to formal methods for concurrent and distributed algorithms and systems 3, 8, and in applying them to concrete use cases. In particular, the concept of refinement53, 57, 69 in statebased modeling formalisms is central to our approach because it allows us to present a rational (re)construction of system development. An important goal in designing such methods is to establish precise proof obligations, many of which can be discharged by automatic tools. This requires taking into account specific characteristics of certain classes of systems and tailoring the model to concrete computational models. Our research in this area is supported by carrying out case studies for academic and industrial developments. This activity benefits from and influences the development of our proof tools.
In this line of work, we investigate specific development and verification patterns for particular classes of algorithms, in order to reduce the work associated with their verification. We are also interested in applications of formal methods and their associated tools to the development of systems that underlie specific certification requirements in the sense of, e.g., Common Criteria. Finally, we are interested in the adaptation of model checking techniques for verifying actual distributed programs, rather than highlevel models.
Today, the formal verification of a new algorithm is typically the subject of a PhD thesis, if it is addressed at all. This situation is not sustainable given the move towards more and more parallelism in mainstream systems: algorithm developers and system designers must be able to productively use verification tools for validating their algorithms and implementations. On a high level, the goal of VeriDis is to make formal verification standard practice for the development of distributed algorithms and systems, just as symbolic model checking has become commonplace in the development of embedded systems and as security analysis for cryptographic protocols is becoming standard practice today. Although the fundamental problems in distributed programming are wellknown, they pose new challenges in the context of modern system paradigms, including adhoc and overlay networks or peertopeer systems, and they must be integrated for concrete applications.
Model checking
The paradigm of model checking is based on automatically verifying properties over a formal model of a system, using mathematical foundations. Model checking, while useful and highly successful in practice, can encounter the infamous state space explosion problem. One direction of VeriDis therefore addresses the efficiency of model checking, by proposing new algorithms or heuristics to speed up analysis. We notably focus on the quantitative setting (time, probabilities), and more specifically on the parametric paradigm where some quantitative constants are unknown, and the goal becomes to synthesize suitable valuations. A recent application of the VeriDis team is that of opacity (in the more general field of cybersecurity), addressed using model checking. The team considers a novel definition of opacity in timed automata, where an attacker has only access to the execution time; several recent works address this direction.
3.3 Verification and Analysis of Dynamic Properties of Biological Systems
The unprecedented accumulation of information in biology and medicine during the last 20 years led to a situation where any new progress in these fields is dependent on the capacity to model and make sense of large data. Until recently, foundational research was concerned with simple models of 2 to 5 ordinary differential equations. The analysis of even such simple models was sufficiently involved that it resulted in one or several scientific publications for a single model. Much larger models are built today to represent cell processes, explain and predict the origin and evolution of complex diseases or the differences between patients in precision and personalized medicine. For instance, the biomodels.net model repository 66 contains thousands of handbuilt models of up to several hundreds of variables. Numerical analysis of large models requires an exhaustive scan of the parameter space or the identification of the numerical parameters from data. Both are infeasible for large biological systems because parameters are largely unknown and because of the curse of dimensionality: data, even rich, become rapidly sparse when the dimensionality of the problem increases. On these grounds, VeriDis researchers aim at formal symbolic analysis instead of numerical simulation.
As an illustration of the approach, consider BIOMD0000000716 in the abovementioned BioModels database, which models the transmission dynamics of subtype H5N6 of the avian Influenza A virus in the Philippines in August 2017 67. This model describes four species (susceptible/infected bird or human) together with their dynamics. Using purely symbolic algorithms, we obtain a decomposition of the dynamics into three subsystems ${T}_{1}$, ${T}_{2}$, and ${T}_{3}$ with attractive manifolds ${\mathcal{M}}_{1}$, ${\mathcal{M}}_{2}$ and ${\mathcal{M}}_{3}$, and the constant factors appearing in the corresponding differential equations indicate that the system ${T}_{2}$ is 125 times slower than ${T}_{1}$, and that ${T}_{3}$ is another 125 times slower.
This multiple time scale reduction emphasizes a cascade of successive relaxations of model variables. Figure 1(a) shows the surface of ${\mathcal{M}}_{1}$ projected into 3D space, with the line and the dot representing the submanifolds ${\mathcal{M}}_{2}$ and ${\mathcal{M}}_{3}$. Figure 1(b) illustrates the direction field of ${T}_{1}$ projected into 2D space. The curve corresponds to ${\mathcal{M}}_{1}$, indicating that the population of susceptible birds relaxes and that these variables reach quasisteady state values. Figure 1(c) represents the direction field of ${T}_{2}$ on ${\mathcal{M}}_{1}$ projected into 2D space. The line corresponds to ${\mathcal{M}}_{2}$, showing the relaxation of the population of infected birds. Finally, figure 1(d) shows the direction field of ${T}_{3}$ on ${\mathcal{M}}_{2}$ projected into 2D space. The dot corresponds to ${\mathcal{M}}_{3}$, indicating the relaxation of the populations of susceptible and infected humans to a stable steady state.
The computation time is less than a second. The computation is based on massive SMT solving over various theories, including QF_LRA for tropicalizations, QF_NRA for testing Hurwitz conditions on eigenvalues, and QF_LIA for finding sufficient differentiability conditions for hyperbolic attractivity of critical manifolds. Gröbner reduction techniques are used for final algebraic simplification 64. Observe that numerical simulation would not be able to provide such a global analysis of the overall system, even in the absence of symbolic parameters, as is the case in our rather simple example.
4 Application domains
Distributed algorithms and protocols are found at all levels of computing infrastructure, from manycore processors and systems on chip to widearea networks. We are particularly interested in the verification of algorithms that are developed for supporting novel computing paradigms, including adhoc networks that underlie mobile and lowpower computing or overlay networks, peertopeer networks that provide services for telecommunication, or cloud computing services. Computing infrastructure must be highly available and is ideally invisible to the end user, therefore correctness is crucial. One should note that standard problems of distributed computing such as consensus, group membership or leader election have to be reformulated for the dynamic context of these modern systems. We are not ourselves experts in the design of distributed algorithms, but we work together with domain experts on designing formal models of these protocols, and on verifying their properties. These cooperations help us focus on concrete algorithms and ensure that our work is relevant to the distributed algorithm community.
Our work on symbolic procedures for solving polynomial constraints finds applications beyond verification. In particular, we have been working in interdisciplinary projects with researchers from mathematics, computer science, systems biology, and system medicine on the analysis of reaction networks and epidemic models in order to infer principal qualitative properties. Our techniques complement numerical analysis techniques and are validated against collections of models from computational biology.
The team uses extensions of timed automata (such as parametric timed automata 54) as an underlying formalism to solve practical questions. Our work on parametric timed automata is partly motivated by applications in cybersecurity, notably within the ANRNRF ProMiS project. Foundational decidability results and novel notions of noninterference and opacity for this class of automata allow us, for example, to determine the maximal frequency of attacker actions for the attack to succeed (i.e., so that these actions remain invisible to the external observer). Several software artefacts were implemented by the team in this domain 55.
5 Highlights of the year
Pascal Fontaine obtained an Amazon Research Award, and Stephan Merz received a research award from Oracle Corporation.
Jasmin Blanchette, Qi Qiu and Sophie Tourret received the best paper award at CADE29, the 29th International Conference on Automated Deduction, for their paper about verified given clause procedures 23.
An article on the use of interactive proof assistants for formalizing mathematical developments was published in Communications of the ACM 12.
6 New software, platforms, open data
6.1 New software
6.1.1 Redlog

Name:
Reduce Logic System

Keywords:
Computer algebra system (CAS), Firstorder logic, Constraint solving, Quantifier Elimination

Functional Description:
Redlog is an integral part of the interactive computer algebra system Reduce. It supplements Reduce's comprehensive collection of powerful symbolic computation methods by supplying more than 100 functions on firstorder formulas.
Redlog generally works with interpreted firstorder logic in contrast to free firstorder logic. Each firstorder formula in Redlog must exclusively contain atoms from one particular Redlogsupported theory, which corresponds to a choice of admissible functions and relations with fixed semantics. Redlogsupported theories include Nonlinear Real Arithmetic (Real Closed Fields), Presburger Arithmetic, Parametric QSAT (quantified satisfiability solving), and many more.

News of the Year:
The year 2023 corresponds to a transition in the development of Redlog. Parts of the code are more than 25 years old, and that version 1 of the underlying computer algebra system Reduce has been published even more than 50 years ago. During the last five years, the code has been revised and simplified aiming at better longterm maintainability. The existing code base remains available and will continue to be supported. New developments, however, will focus on the successor system Logic1, which we will be announced during 2024, and several parts of the Redlog core have been rewritten in view of this new system.
 URL:

Contact:
Thomas Sturm

Participants:
Thomas Sturm, Andreas Dolzmann, Melanie Achatz, Marek Kosta, Aless Lasaruk, Herbert Melenk, Winfried Neun, Andreas Seidl, Christoph Zengler, Volker Weispfenning
6.1.2 SPASS Workbench

Name:
SPASS Automated Reasoning Workbench

Keywords:
Decision, Linear Systems Solver

Functional Description:
The SPASS Workbench is a collection of tools for various reasoning tasks in logic. It currently comprises the firstorder theorem prover SPASS, a decision procedure for linear (mixed) arithmetic SPASSIQ, a satisfiability modulo theory (SMT) solver for linear (mixed) arithmetic, a propositional satisfiability (SAT) solver SPASSSAT and a propositional conjunctive normal form converter SPASSCNF.

News of the Year:
In 2023, work focused on the development of a new solver SPASSSPL for a fragment we call SUPERLOG, which is the firstorder Bernays Schoenfinkel class extended with linear arithmetic. A particular application domain for this solver will be the verification of supervisors, i.e. electronic control units used in embedded systems.
 URL:
 Publications:

Contact:
Christoph Weidenbach

Participants:
Martin Bromberger, Christoph Weidenbach
6.1.3 ECyclist

Keyword:
Cyclic proofs

Functional Description:
Checking the soundness of cyclic induction reasoning for firstorder logic with inductive definitions (FOLID) is decidable but the standard checking method is based on an exponential complement operation for Büchi automata. We devised a polynomial method “semideciding” this problem in a paper presented at the CiSS2019 conference (Circularity in Syntax and Semantics). ECyclist is an extension of the Cyclist prover (http://www.cyclistprover.org/) that integrates this method. It successfully checked all the proofs included in the Cyclist distribution. The implementation details have been presented at SCSS 2021 (ID HAL: hal02464242).

News of the Year:
Functionality for the reconstruction of proofs found by ECyclist in the Coq proof assistant was significantly extended in 2023.
 URL:

Contact:
Sorin Stratulat
6.1.4 TLAPS

Name:
TLA+ proof system

Keyword:
Proof assistant

Functional Description:
TLAPS is a platform for developing and mechanically verifying proofs about specifications written in the TLA+ language. The TLA+ proof language is hierarchical and explicit, allowing a user to decompose the overall proof into proof steps that can be checked independently. TLAPS consists of a proof manager that interprets the proof language and generates a collection of proof obligations that are sent to backend verifiers. The current backends include the tableaubased prover Zenon for firstorder logic, Isabelle/TLA+, an encoding of TLA+ set theory as an object logic in the logical framework Isabelle, an SMT backend designed for use with any SMTlib compatible solver, and an interface to a decision procedure for propositional temporal logic.

News of the Year:
A new SMT backend was developed in 2023 based on the thesis of Rosalie Defourné and is currently being integrated in the main code base on TLAPS. A new release based on the Dune build system and integrating recent developments such as support for reasoning about the enabled operator or a new Isabelle backend is in preparation.
 URL:

Contact:
Stephan Merz

Participants:
Damien Doligez, Stephan Merz

Partner:
Microsoft
6.1.5 veriT

Keywords:
Automated deduction, Formula solving, Verification

Functional Description:
VeriT is an open, trustable and efficient SMT (Satisfiability Modulo Theories) solver. It comprises a propositional satisfiability (SAT) solver, an efficient decision procedure for uninterpreted symbols based on congruence closure, a simplexbased decision procedure for linear arithmetic, and instantiationbased quantifier reasoning.

News of the Year:
Like the previous recent years, efforts in 2023 have been focused on higherorder logic, and better proof production. We also initiated a profound code refactoring phase, to better accommodate the role of the solver as a platform for testing new ideas.
We target applications where validation of formulas is crucial, such as proof about specifications written in the B or TLA+ languages, and we work together with the developers of the respective verification platforms to make veriT even more useful in practice. The solver is available as a plugin for the Rodin platform, and it is integrated within Atelier B.
 URL:

Contact:
Pascal Fontaine

Participants:
Pascal Fontaine, Sophie Tourret

Partner:
Université de Lorraine
6.2 New platforms
6.2.1 ODEbase
Participants: Thomas Sturm.

Name:
Online Database of Biomodels Involving Ordinary Differential Equations

Keywords:
Automated reasoning, Dynamical systems, Interdisciplinary research, Qualitative analysis

Scientific Description:
Symbolic Computation and Automated Reasoning allow qualitative answers to biological questions. Qualitative methods analyze dynamical input systems as formal objects, in contrast to investigating only a subset of the state space, as is the case with numerical simulation. A common format used in mathematical modeling of biological processes is the Systems Biology Markup Language SBML. However, symbolic tools and libraries have a different set of requirements for their input data than their numerical counterparts. The use of SBML data in Symbolic Computation and Automated Reasoning requires significant preprocessing that combines automated translation steps with human interaction and expertise. ODEbase provides preprocessed input data derived from established existing biomodels.

Functional Description:
SBML, which is technically an XML instance, has been designed as a very liberal format, and contributors of models are primarily researchers with their key expertise in the natural sciences. This creates a situation where SBML features are used in unexpected ways in general. A sound presentation of corresponding models outside the SMBL framework then requires expertise in the life sciences as well as mathematical competence, primarily in algebra and in dynamical systems. Technically we use a set of Python tools, which we have developed for the semiautomatic conversion of SBML models. Since the conversion process is not fully automatic and our resources are limited, we focus on models that we identify as interesting for Symbolic Computation and Automated Reasoning approaches. Our principal source of models is the renowned online database biomodels.net.
 News of the Year:
 URL:
 Publications:

Contact:
Thomas Sturm

Partners:
Christoph Lüders, University of Bonn, Germany, Ovidiu Radulescu, University of Montpellier, France.
7 New results
7.1 Automated and Interactive Theorem Proving
Participants: Martin Bromberger, Alessio Coltellacci, Rosalie Defourné, Martin Desharnais, Pascal Fontaine, Hendrik Leidinger, Lorenz Leutgeb, Stephan Merz, Sibylle Möhle, HansJörg Schurr, Simon Schwarz, Sorin Stratulat, Vincent Trélat, Sophie Tourret, Marco Voigt, Uwe Waldmann, Christoph Weidenbach.
7.1.1 Contributions to SMT Techniques
Quantifier Handling in HigherOrder SMT.
Joint work with Haniel Barbosa (Univ. Federal de Miras Gerais, Brazil).
SMT solvers have throughout the years been able to cope with increasingly expressive logics, from ground formulas to full firstorder logic (FOL). In the past, we proposed a pragmatic extension for SMT solvers to support higherorder logic reasoning natively without compromising performance on FOL reasoning, thus leveraging the extensive research and implementation efforts dedicated to efficient SMT solving. However, the higherorder SMT solvers resulting from this work are not as effective as we would expect given their performances in firstorder logic. We believe this comes from the fact that only the core of the SMT solver has been extended, ignoring in particular the modules for quantifier instantiation.
This motivated us to start working on an extension of the main quantifierinstantiation approach (congruence closure with free variables, CCFV) to higherorder logic in 2020. We are working on an encoding of the CCFV higherorder problem into a set of SAT constraints. In previous years, we concentrated our efforts on the theory, to prove the soundness and completeness of our approach, and developed pseudocode for all elements of CCFV computation. In 2022 and 2023, these algorithms were implemented in a C++ library, and they were tested on benchmarks from the SMTlib collection. We started to integrate this library within a new SMT framework. The library will eventually be released under an opensource permissive license.
7.1.2 Automated reasoning techniques beyond SMT
Extensions of a formal framework for automated reasoning.
We are part of a group developing a framework for formal refutational completeness proofs of abstract provers that implement automated reasoning calculi, especially calculi based on saturation such as ordered resolution and superposition. In previous work, we published a framework that fully captures the dynamic aspects of proof search with a saturation calculus. This framework covers clause splitting as supported by modern superposition provers with the help of a SAT solver. In particular, our formalization revealed some completeness issues with the theorem prover Vampire.
This year, we extended the Isabelle formalization by representations of the main loops of saturationbased theorem provers and their fairness conditions. In the process, we found and repaired several issues with the (in fact, our own) description of the Zipperposition loop, a novel loop that handles inferences producing an infinite stream of conclusions. In parallel, Martin Desharnais, for his PhD thesis, completed an instantiation of this framework for the superposition calculus. We also made progress on the Isabelle/HOL mechanization of the framework with clause splitting. Ghilain Bergeron contributed to this endeavor for his master thesis. This last piece of work is still ongoing, while the first one has been completed in 2022 and led to a paper presented at CADE in 2023 23.
Effective Symbolic Model Construction.
When automatic reasoning techniques are applied in order to prove a specific property of some system, a proof is a certificate of success and we have worked on explaining the gist of it 63. If a proof attempt fails, automatic reasoning techniques may still terminate and implicitly provide a representation of a (counter) model to the property of interest. We have worked on effective representations for such counter models providing insights into why the desired property does not hold. This way, either the system, the formalization of it or the property can be debugged 47, 27.
Certification of FOL${}_{\text{ID}}$ cyclic proofs.
Cyclic induction is a powerful reasoning technique that consists in blocking the proof development of certain subgoals already encountered during the proof process. In the setting of firstorder logic with inductive definitions and equality (FOL${}_{\text{ID}}$), cyclic proofs can be built automatically by the Cyclist prover, but their implementations are errorprone and the human validation may be tedious. On the other hand, cyclic induction is not yet integrated into certifying proof environments that support firstorder logic and inductive definitions, such as Isabelle and Coq.
We have proposed in 20 a general procedure for certifying formulabased Noetherian induction reasoning in order to check FOL${}_{\text{ID}}$ cyclic proofs using Coq. The output is a Coq script proving several theorems and lemmas for which the deductive part translates the ECyclist proof steps without using proof reconstruction techniques. This approach also allows for finding errors in cyclic proofs in a very precise way, at the level of proof steps. We established a bridge between formulabased Noetherian induction and FOL${}_{\text{ID}}$ cyclic induction, by identifying a class of preproofs certifiable by Coq when some ordering and derivability constraints are satisfied, such as those produced by the ECyclist prover. The advantages of our approach are threefold:
 The certification of cyclic FOL${}_{\text{ID}}$ proofs is mechanical. Coq can validate every single step from the ECyclist proofs, as well as the induction arguments; also, it helps to identify errors in a very precise way.
 There is a great potential for automation. The methodology has already been used to automatically convert to Coq scripts implicit induction proofs 70.
 Cyclic induction can be directly performed in Coq. A library of Coq functions is provided and can be reused to manage the induction part.
Proofs for TLA+.
In her PhD work, Rosalie Defourné defined improved encodings of the nontemporal theory of TLA+ in the input languages of automated theorem provers for firstorder and higherorder logic, including SMT solvers and Zipperposition. The SMT encoding relies on an axiomatization for the operators of TLA+ set theory, annotated by triggers for finding relevant instances of these axioms. The previously existing encoding heavily relied on rewriting input formulas in order to simplify them before submitting them to the backend solver. Verifying its soundness required to not only inspect the axioms given to the solver, but also understanding the preprocessing techniques that were applied to the input formulas. Besides, optimizing the set of rewrite rules was delicate because properties such as confluence and termination had to be maintained. In contrast, the soundness of the new encoding can be determined directly by verifying the background axioms. Adding triggers does not endanger soundness, and benchmarking the new backend over an extensive corpus of existing TLA+ proofs showed that it performs comparably or better than the old encoding. This work was presented in a conference publication 30 and in Rosalie Defourné's PhD thesis 45, which was defended in November.
7.2 Formal Methods for Developing and Analyzing Algorithms and Systems
Participants: Thomas Bagrel, Ghilain Bergeron, Martin Bromberger, Horatiu Cirstea, Marie DuflotKremer, Engel Lefaucheux, Serguei Lenglet, Benjamin Loillier, Dylan Marinho, Dominique Méry, Stephan Merz, PierreEtienne Moreau, Victor Roussanaly, Amine Snoussi, Christoph Weidenbach.
7.2.1 Contributions to Formal Methods of System Design
Formal framework for developing safetycritical interactive systems
F3FLUID is a unified formal framework for the development of safetycritical interactive systems. This framework is based on the Formal Language of User Interface Design (FLUID) defined in the FORMEDICIS ANR project (2017–2022) for expressing highlevel system requirements for interactive systems. FLUID is specifically designed for handling concepts of safetycritical interactive systems, including domain knowledge. A FLUID model is used as a source model for the generation of several target models in different modeling languages to support the formal verification methods, such as theorem proving and model checking.
The EventB modeling language is used for checking functional behaviors, user interactions, safety properties, and domain properties. A FLUID model is transformed into an EventB model, and then, the Rodin tool is used to check the internal consistency with respect to the given safety properties. In addition, an interactive cooperative objects (ICOs) model is derived from the EventB model for animation, visualization and validation of dynamic behaviors, visual properties, and task analysis, using the ProB model checker. Finally, an industrial case study, complying with the ARINC 661 standard, MultiPurpose Interactive Applications (MPIA), is used to illustrate the effectiveness of our F3FLUID framework for the development of safetycritical interactive systems. Moreover, we show 18 how formal ontologies can be used to model domainspecific knowledge, as well as how system models may refer to these ontologies through annotations. It relies on the EventB refinement and proof statebased method, and the associated theories, to define a framework in which domainspecific knowledge ontologies are formalized as EventB theories defining data types used to type EventB system design models. Finally, this framework is deployed for the specific case of interactive critical systems. To illustrate the proposed approach, a case study of the Traffic Collision Avoidance System (TCAS) is developed.
A Secure LowLatency Protocol for Mitigating High Computation Overhead in WIFI Networks
The increase in popularity of wireless networks in industrial, embedded, medical and public sectors has made them an appealing attack surface for attackers who exploit the vulnerabilities in network protocols to launch attacks such as Evil Twin, Maninthemiddle, sniffing, etc., which may result in economic and noneconomic losses. To protect wireless networks against such attacks, IEEE 802.11 keep updating the protocol standards with new and more secure versions. There has always been a direct correlation between attacks and the improvement of protocol standards. As the sophistication of attacks increases, protocol standards tend to move towards higher security, resulting in a significant increase in both latency and computational overhead, and severe degradation in the performance of lowlatency applications such as Industrial Internet of Things (IIoT), automotive, robotics, etc. The paper 16 highlights the importance of both latency and security in wireless networks from the implementation and performance perspectives. We review existing IEEE 802.11 protocols in terms of security offered and overhead incurred to substantiate the fact that there is a need for a protocol which in addition to providing optimum security against attacks also maintains the latency and overhead. We also propose a secure and lowlatency protocol known as Secure Authentication Protocol (SAP) which operates in two phases, where the first phase is a onetime process implemented using asymmetric cryptography and the second phase is implemented using symmetric cryptography. The protocol is structured in a way that it maintains the original structure of IEEE 802.11 protocols and performs both phases using fewer messages than existing protocols. By simulating the protocol using the wellestablished OMNeT++ simulator, we demonstrated that the proposed protocol incurs a low computation overhead, making it ideal for lowlatency applications. We extensively verified the security properties of the proposed protocol using formal verification through the widelyaccepted Scyther tool. Finally, we perform a comparative analysis of SAP with existing IEEE 802.11 wireless network protocols to highlight the improvement.
Modeling hybrid systems by refinement.
Whenever continuous dynamics and discrete control interact, hybrid systems arise. As hybrid systems become ubiquitous and more and more complex, analysis and synthesis techniques are in high demand to design safe hybrid systems. This is however challenging due to the nature of hybrid systems and their designs, and the question arises of how to formulate and reason about their safety problems. Previous work has demonstrated how to extend the discrete modeling language EventB with support for continuous domains to integrate traditional refinement in hybrid system design. We have extended our strategy 50 that can coherently refine an abstract hybrid system design with safety constraints down to a concrete one, integrated with implementable discrete control, that can behave safely. We demonstrate our proposal on a smart heating system that regulates room temperature between two reference values. The main innovation lies in the fact that we combine the EventB modelling language (events) and the B modelling language (operations). The transformation of events into operation is proved correct using a proof assistant. We also explore the frequency model approach of control theory using the EventB modelling language. The frequency modelling style is not so usual and we provided a Python artefact for assisting with the use of the approach.
Semantics transformations.
Any given programming language may come with several semantics definitions, such as bigstep, smallstep, or even abstract machines, which can be seen as an implementation of a language. They all describe identical behaviors of programs, but each may be better adapted for some purpose: for instance, smallstep semantics are better suited to prove subject reduction.
To have access to all kinds of semantics at once, we develop transformations between semantics to be able to generate one from the other at no extra cost for the language designer. In a previous work 59, we developed a semantics format called zipper semantics, a smallstep semantics from which we can automatically derive sound and complete abstract machines for nondeterministic languages such as process calculi. We build on this work in two ways: first, we propose a new format of zipper semantics, called leaffirst, in which we can express lazy scope extrusion or join patterns. Next, we make the nondeterministic abstract machines more efficient by reusing some design principles of abstract machines for the lambdacalculus, like environments and refocusing.
7.2.2 Automated Reasoning Techniques for Verification
Synthesis of inductive invariants for distributed algorithms.
In joint work with Aman Goel (Amazon) and Karem Sakallah (University of Michigan), we investigated the use of symbolic model checking techniques for automatically computing inductive invariants for parameterized distributed algorithms. Specifically, the IC3PO model checker applies the wellknown IC3 model checking algorithm to finite instances of the algorithm and, in case of success, retrieves inductive invariants for those instances. It then inspects these invariants for symmetries with respect to space (processes) and time (e.g., ballot numbers used during the algorithm) and expresses those symmetries by introducing quantifiers. The resulting formulas are then checked for larger input sizes until no new invariants are inferred. We applied the technique to two versions of the wellknown Bakery algorithm that ensures mutual exclusion among $N$ processes communicating via shared variables. For both versions, IC3PO generated invariants that were remarkably similar to, but more permissive than, humanwritten invariants used in a previous interactive proof of the algorithm. This work, presented at FORTE 2023 34, suggests that automated invariant inference is becoming a viable alternative to laborintensive humanwritten proofs. In ongoing work, we are investigating invariant synthesis for the significantly more complex Raft consensus algorithm. One of the main problems there is how to represent the sequential log maintained by the nodes in a firstorder logic of limited expressiveness.
New primitives in PlusCal for modeling distributed algorithms.
We designed an extension of the PlusCal algorithmic language for modeling distributed algorithms. Rather than introducing many new features that could break the design objectives of PlusCal being a lightweight frontend to writing TLA+specifications, we added only a few orthogonal concepts inspired from those found in distributed programming languages while both remaining compatible with the existing language and keeping simple the generation of humanreadable TLA+ specifications. Compared to the original PlusCal language, Distributed PlusCal allows processes to consist of multiple threads that communicate via processlocal variables, and it introduces communication channels that can be declared as preserving FIFO order or not. We illustrated Distributed PlusCal using two wellknown algorithms and our preliminary findings indicate that the extensions provided help us express distributed algorithms in a natural way. Moreover, any overhead incurred in verification with respect to a specification written in TLA+ is not different from that of ordinary PlusCal. This work was presented in a conference paper 29.
Validating traces of distributed systems.
Programming distributed systems is errorprone, and while formal methods such as TLA+ can help design such systems, the translation from the verified specification towards the final implementation is rarely certified. Nevertheless, we believe that we can still gain confidence in the fact that an implementation behaves according to a highlevel specification by collecting traces of executions and checking that they are allowed by the specification. We have developed a framework for the instrumentation of Java programs allowing one to record events and variable updates that are meaningful at the level of the TLA+ specification, and we use the TLA+ model checker to verify that the recorded trace of an execution indeed corresponds to a possible execution of the highlevel specification4. Although this cannot formally establish the correctness of an implementation, preliminary experience with this approach indicates that it can be surprisingly effective at discovering discrepancies between the TLA+ specification and the implementation.
7.2.3 Model checking for timed and linear systems
Opacity of timed automata.
Opacity of a system is a property describing the impossibility for an external attacker to deduce some private information by observing an execution of the system. In two publications 22, 11 we considered the opacity of systems modeled by timed automata where an attacker has access to the duration of the executions only. Our goal was to determine whether a system was opaque, and in some cases, under which conditions it could be made opaque. More precisely, the models we considered allowed for parameters representing unknown delays within the system, and we wished to identify for which parameter values opacity was achieved. Throughout this line of research we have considered many different variants of the notion of opacity, for instance by allowing the secret behaviour to expire, meaning that some private behaviour could stop being deemed private if the private information was not detected by the observer quickly enough. The paper 11 serves as a survey of the current state of this line of research.
Mathematical tools for the analysis of system.
For the analysis of timed automata, including the analysis of opacity mentioned above, the notion of semilinear sets (i.e. sets that can be defined by Presburger arithmetics) appears regularly. For instance, the durations of runs in a timed automata can be described as such a set. Presburger arithmetics however fails once parameters are included within the automata: the presence of parameters often leads to multiplications between integer variables, which cannot be represented in Presburger arithmetic. Peano arithmetic could of course represent those sets, but this arithmetic is well known to be undecidable and thus not a real option. Much previous research has studied the gap between Presburger and Peano arithmetic. To our knowledge, none of the existing work was able to handle the formulas that we generate in the analysis of parametric timed automata. In 51, we developed a parametric extension to Presburger arithmetic tailored for our needs. It shows how to handle some formulas beyond Presburger which we plan to use in future work.
Model checking of rounded linear loops.
Loops are a fundamental staple of any programming language, and the study of loops plays a pivotal role in many subfields of computer science, including automated verification, abstract interpretation, program analysis, semantics, etc. A lot of work has been done in the linear dynamical systems community to represent program loops as simple linear systems, and to analyze which kind of properties formulated in Monadic Second Order Logic could be checked over the evolution of a loop. In 35, we modify the usual linear models used to account for the fact that computers rely on floating points. This change leads to a completely different approach to the problem, as the usual tools to tackle linear dynamical systems fail to apply. An interesting result is that, while termination of simple linear loops is a longstanding open problem in the usual setting, it becomes undecidable with floating points. Moreover, if we add some very simple restriction on the system, which changes nothing in the original setting, termination in our setting becomes decidable.
7.3 Verification and Analysis of Dynamic Properties of Biological Systems
Participants: Thomas Sturm.
7.3.1 Approximate Conservation Laws
Section 3.3 showed an example for the analysis of the kinetics of a chemical reaction network at multiple timescales 64. Although general in its implementation, this reduction method can fail in a number of cases. A major cause of failure is the degeneracy of the quasisteady state, when the fast dynamics has a continuous variety of steady states. Typically, this happens when the fast truncated ODEs have first integrals, i.e. quantities that are conserved on any trajectory and that have to be fixed at arbitrary values depending on the initial conditions. The quasisteady states are then no longer hyperbolic, because the Jacobian matrix of the fast part of the dynamics becomes singular. To address this issue, we have now proposed a concept of approximate conservation laws, which allows additional reductions.
Technically, this framework requires parametric versions of various established algorithms from Symbolic Computation. One simple example is the computation of the rank of a matrix with real parameters, which produces a formal finite case distinction where possible ranks are paired with necessary and sufficient conditions as Tarski formulas. This allows to identify critical cases with respect to the abovementioned singularity of the Jacobian. Another example is the use of comprehensive Gröbner bases in the course of parametric computation of certain syzygy modules. From a practical point of view, a central issue with all such algorithms is the combinatorial explosion of the number of cases.
We use SMT solving as well as real quantifier elimination methods to detect inconsistent cases and prune the tree of case distinctions early. The decision procedures used are typically double exponential and can easily turn into a bottleneck preventing termination within reasonable time altogether, in particular when the degrees of polynomial terms get larger. Since the results remain correct also without the elimination of some redundant cases, we combine various methods and use suitable timeouts. This work has resulted in two articles, which have been accepted for publication in the SIAM Journal on Applied Dynamical Systems
8 Bilateral contracts and grants with industry
8.1 Bilateral contracts with industry
TLA+Trace Validation

Duration:
January 2023 – December 2024

Industrial Partner:
Oracle Corporation

Team participants:
Horatiu Cirstea, Benjamin Loillier, Stephan Merz

Summary:
The objective of this work is to find discrepancies between traces of distributed programs collected during their execution and highlevel specifications, written in TLA+, of the algorithms that the programs are supposed to implement.
Type systems for the memory safety of functional programs

Duration:
April 2022 – March 2025

Industrial Partner:
Tweag

Team participants:
Thomas Bagrel, Horatiu Cirstea

Summary:
In his PhD work supported by a CIFRE contract, Thomas Bagrel studies type systems and corresponding constructions in functional programs, notably based on (anti)patterns, for guaranteeing programs that are memory safe and can be compiled to efficient machine code.
Reengineering of protocols for industrial controllers

Duration:
May 2023 – April 2026

Industrial Partner:
Westinghouse France

Team participants:
Amine Snoussi, Marie DuflotKremer, Engel Lefaucheux, Stephan Merz

Summary:
In his PhD work supported by a CIFRE contract, Amine Snoussi aims at constructing formal models and simulations of protocols that are used for industrial controllers, in particular for the diagnosis and control of electronic components in nuclear power plants.
9 Partnerships and cooperations
Participants: Alessio Coltellacci, Marie DuflotKremer, Pascal Fontaine, Engel Lefaucheux, Sergueï Lenglet, Dominique Méry, Stephan Merz, Sorin Stratulat, Sophie Tourret, Vincent Trélat.
9.1 International research visitors
9.1.1 Visits to international teams
Research stays abroad
Sergueï Lenglet

Visited institution:
University of Wrocław

Country:
Poland

Dates:
from 8 May 2023 to 12 May 2023, and from 4 Dec 23 to 8 Dec 2023.

Context of the visit:
Research collaboration on program semantics.

Mobility program/type of mobility:
Partenariat Hubert Curien.
9.2 European initiatives
9.2.1 Other European Programs
COST EuroProofNet.

Program:
COST

Title:
European Research Network on Formal Proofs (COST action CA20111)

Duration:
October 2021 – October 2025

Coordinator:
Inria

Inria contact:
Frédéric Blanqui, Stephan Merz

Team participants:
Pascal Fontaine (WG leader, management committee), Alessio Coltellacci, Stephan Merz, Sophie Tourret

Summary:
EuroProofNet is the European research network on digital proofs. EuroProofNet aims at boosting the interoperability and usability of proof systems. The action now gathers more than 400 researchers from 43 different countries; it is coordinated by a core group chaired by Frédéric Blanqui. EuroProofNet organizes meetings and schools, and provides grants to its members for shortterm scientific missions in another country.
AiRobo

Program:
Erasmus+

Title:
Artificial Intelligence based Robotics

Duration:
December 2023 – November 2026

Coordinator:
West University of Timisoara (Romania)

Partners:
University of Macedonia (Thessaloniki, Greece), RWTH (Aachen, Germany), Eszterházy Károly Catholic University (Eger, Hungary), Université de Lorraine.

Inria contact:
Sorin Stratulat

Summary:
AiRobo is an innovative project, focused on both research and teacher training in the fields of robotics, artificial intelligence and formal verification. Within the project, a comprehensive set of didactic support materials will be developed: the AiRobo book, seven robotic applications in different fields (three of them are addressed to people with disabilities and migrants), tools and video tutorials, as well as scientific publications at international conferences. These materials will be used as support in the process of teaching courses at partner universities and even in other universities around the world.
9.3 National initiatives
ANR Project BiSoUS

Title:
Better Synthesis for Underspecified Quantitative Systems

Duration:
March 2023 – February 2027

Coordinator:
Didier Lime, École Centrale de Nantes & LS2N

Partner Institutions:
 IRISA, Rennes
 LIPN, Université Sorbonne Paris Nord (Paris 13)
 LS2N École Centrale de Nantes (coordinator)
 LMF, Université ParisSaclay

Team participants:
Marie DuflotKremer, Engel Lefaucheux

Summary:
Computer systems are ubiquitous and identifying their possible defects is crucial already at the earliest stages of their development, when many aspects, including the environments or the execution platforms, have not been fixed. Verification must then be performed on underspecified models and should give answers as understandable as possible. In this project, we aim at developing verification techniques for underspecified models that take this explainability constraint into account, by optimizing resources, such as energy or memory, and synthesizing more precise requirements on the underspecified aspects of the models under which the system behaves correctly. We depart from classical formalisms and consider their combined extensions with three complementary ingredients: costs/rewards for resource consumption; parameters for unknown quantitative characteristics; and games for representing all the behaviours of the underspecified system.

Keywords:
Verification, Model checking, parametrised systems, games with guarantees
 More information:
ANR Project BLaSST

Title:
Enhancing B Language Reasoners Using SAT and SMT Techniques

Duration:
March 2022 – February 2026

Coordinator:
Stephan Merz

Partner Institutions:
 Inria Nancy (coordinator)
 University of Artois & CRIL, Lens
 CLEARSY, AixenProvence
 University of Liège, Belgium

Team participants:
Pascal Fontaine, Stephan Merz, Vincent Trélat, Sophie Tourret

Summary:
The BLaSST project targets bridging combinatorial and symbolic techniques in automatic theorem proving, in particular for proof obligations generated from B models. It focuses on advancing the state of the art in automated reasoning, in particular SAT and SMT techniques, and on making these techniques available to software verification. More specifically, encoding techniques, optimized resolution techniques, model generation, and lemma suggestion will be investigated. The expected scientific impact is a substantially higher degree of automation of solvers for expressive input languages by leveraging higherorder reasoning and enumerative instantiations over finite domains, as well as useful feedback for verification conditions that cannot be proved. The effectiveness of the techniques developed in the project will be quantified by applying them to benchmark sets provided by the industrial partner. The industrial impact of BLaSST will be a higher productivity of proof engineers. The collections of benchmarks and the reasoning engines will be made openly available under permissive opensource licenses.

Keywords:
B method, deductive verification, SAT, SMT, higherorder logic
 More information:
ANR Project DISCONT

Title:
Correct integration of discrete and continuous models

Duration:
March 2018 – September 2023

Coordinator:
Dominique Méry

Partner Institutions:
 University of Lorraine (coordinator)
 ENSEEIHT & IRIT, Toulouse
 University Paris Est & LACL, Créteil
 CLEARSY, AixenProvence

Team participants:
Dominique Méry

Summary:
CyberPhysical Systems (CPSs) connect the real world to software systems through a network of sensors and actuators that interact in complex ways, depending on context and involving different spatial and temporal scales. Typically, a discrete software controller interacts with its physical environment in a closedloop schema where input from sensors is processed and output is generated and communicated to actuators. We are concerned with the verification of the correctness of such discrete controllers, which requires correct integration of discrete and continuous models. Correctness should arise from a design process based on sound abstractions and models of the relevant physical laws. The systems are generally characterized by differential equations with solutions in continuous domains; discretization steps are therefore of particular importance for assessing the correctness of CPSs. DISCONT aims at bridging the gap between the discrete and continuous worlds of formal methods and control theory. We will lift the level of abstraction above that found in current bridging techniques and provide associated methodologies and tools. Our concrete objectives are to develop a formal hybrid model, elaborate refinement steps for control requirements, propose a rational stepwise design method and support tools, and validate them based on use cases from a range of application domains.

Keywords:
cyberphysical systems, discrete models, continuous models, refinement, verification, tools
 More information:
ANR Project EBRP

Title:
Enhancing EventB and RODIN: EventBRodinPlus

Duration:
January 2020 – January 2024

Coordinator:
Dominique Méry

Partner Institutions:
 INPTENSEEIHT & IRIT, Toulouse
 CentraleSupelec & LRI
 University of Lorraine & LORIA
 University ParisEst Créteil & LACL
 University of Düsseldorf, Germany
 University of Southampton, School of Electronics and Computer Science, United Kingdom

Team participants:
Dominique Méry

Keywords:
formal IDE, theory, proof managementr, cyberphysical systems, discrete models, continuous models, refinement, verification, tools

Summary:
The purpose of EBRP is to enhance EventB and the corresponding Rodin toolset. This will be done by engaging in some basic research dealing with various mathematical theories that are not currently available in EventB and Rodin. The development of complex systems usually involves different scientific disciplines and skills. For instance, modeling behaviors and interactions of autonomous systems may require concepts from control theory such as differential equations, communication protocols, resource allocation, access control rules, etc. EBRP targets the definition of extension mechanisms for EventB rather than defining domainspecific modeling languages, and implementing those mechanisms within Rodin.
 More information:
ANR Project ICSPA

Title:
Interoperable and Confident Setbased Proof Assistants

Duration:
January 2022 – December 2025

Coordinator:
Catherine Dubois, ENSIIE & Samovar

Partner Institutions:
 ENSIIE & Samovar, Évry
 Inria (Nancy and Saclay research centers)
 University Paul Sabatier & IRIT, Toulouse
 University of Montpellier & LIRMM, Montpellier
 CLEARSY, AixenProvence

Team participants:
Alessio Coltellacci, Dominique Méry, Stephan Merz

Summary:
The B, EventB, and TLA+ formal methods are based on different flavors of set theory. The ICSPA project aims at formally relating these different theories for allowing users (i) to independently certify proofs carried out using the automatic proof tools developed for these formal methods and (ii) to transfer developments, including their proofs, carried out in one of these languages to another one. The objectives are to reinforce confidence in developments carried out using these methods and to enable interoperability between them. The foundation for achieving these goals lies in the encoding of the set theories in the Dedukti logical framework developed at Inria Saclay, which implements the $\lambda \Pi $calculus modulo theory.

Keywords:
B method, TLA+, set theory, logical framework
 More information:
10 Dissemination
Participants: Thomas Bagrel, Martin Bromberger, Horatiu Cirstea, Alessio Coltellacci, Marie DuflotKremer, Pascal Fontaine, Engel Lefaucheux, Sergueï Lenglet, Dominique Méry, Stephan Merz, Sibylle Möhle, Victor Roussanaly, Simon Schwarz, Sorin Stratulat, Thomas Sturm, Sophie Tourret, Vincent Trélat, Uwe Waldmann, Christoph Weidenbach.
10.1 Promoting scientific activities
10.1.1 Scientific events: organization
General chair, scientific chair
 Dominique Méry: 9th International Conference on Rigorous StateBased Methods (ABZ 2023) 44, 27th International Conference on Engineering of Complex Computer Systems (ICECCS 2023).
 Sorin Stratulat: 25th International Symposium on Symbolic and Numeric Algorithms for Scientific Computing (SYNASC 2023).
 Thomas Sturm: SCSquare (8th International Workshop on Satisfiability Checking and Symbolic Computation), including edition of the proceedings 42.
Member of organizing committees
 Engel Lefaucheux: 8th International Workshop on Synthesis of Complex Parameters (SynCoP 2023, Paris, France)
 Stephan Merz: ETAPS Mentoring Workshop (Paris, France), 10th Workshop Formal Reasoning in Distributed Algorithms (FRIDA, L'Aquila, Italy), TLA+ Community Meeting (Paris, France).
10.1.2 Scientific events: selection
Member of conference program committees
 Horatiu Cirstea: RuleML+RR (7th International Joint Conference on Rules and Reasoning), SLE (ACM SIGPLAN International Conference on Software Language Engineering).
 Pascal Fontaine: CADE (International Conference on Automated Deduction).
 Engel Lefaucheux: FORMATS (21st International Conference on Formal Modeling and Analysis of Timed Systems).
 Sergueï Lenglet: ICE (16th Interaction and Concurrency Experience).
 Dominique Méry: FMAS (Fifth Workshop on Formal Methods for Autonomous Systems), HEDA (3rd International Health Data Workshop), ICFEM (24rd International Conference on Formal Engineering Methods), MEDI (12th International Conference on Model and Data Engineering), TASE ( 17th Theoretical Aspects of Software Engineering Conference).
 Stephan Merz: ABZ (9th International Conference on Rigorous Statebased Methods), AFADL (22èmes Journées Approches Formelles dans l'Assistance au Développement Logiciel), ICFEM 2023 (24th International Conference on Formal Engineering Methods), SEFM2023 (Software Engineering and Formal Methods 2023), VMCAI 2023 (Verification, Model Checking and Abstract Interpretation).
 Sorin Stratulat: SYNASC (25th International Symposium on Symbolic and Numeric Algorithms for Scientific Computing), ICEUTE (14th International Conference on EUropean Transnational Educational), CISIS (16th International Conference on Computational Intelligence in Security for Information Systems).
 Thomas Sturm: CASC (25th International Workshop on Computer Algebra in Scientific Computing).
 Sophie Tourret: IJCAI (32st International Joint Conference on Artificial Intelligence) and CADE (29th International Conference on Automated Deduction).
10.1.3 Journal
Member of editorial boards
 Dominique Méry is a member of the editorial boards of the journals Formal Aspects of Computing and Science of Computer Programming.
 Thomas Sturm is an editor of the Journal of Symbolic Computation and of Mathematics in Computer Science.
 Christoph Weidenbach is an editor of the Journal of Automated Reasoning.
Special issues edited
 Thomas Sturm has edited a special issue of the Springer journal Mathematics in Computer Science on Computer Algebra in Scientific Computing 43.
10.1.4 Invited talks
 Horatiu Cirstea and Thomas Sturm were invited plenary speakers and Stephan Merz gave an invited tutorial at SYNASC 2023.
 Stephan Merz gave an invited talk at the 2023 meeting of the working group on verification of GDR IM.
 Sophie Tourret gave an invited talk at the Vampire workshop 2023.
10.1.5 Leadership within the scientific community
 Pascal Fontaine is an elected CADE Trustee. In the COST action EuroProofNet, he was workgroup viceleader until October 2023, and he is in the management committee as one Belgian representative. He was member of the committee for the William McCune PhD Award 2023.
 Dominique Méry is a member of the IFIP Working Group 1.3 on Foundations of System Specifications.
 Stephan Merz is a member of the IFIP Working Group 2.2 on Formal Description of Programming Concepts.
 Thomas Sturm has become a member of the steering committee of the workshop series SCSquare (Satisfiability Checking and Symbolic Computation)
 Sophie Tourret is an elected CADE Trustee. She is also a member of the Association for Automated Reasoning (AAR) board of trustees as the editor of the AAR newsletter.
10.1.6 Research administration
 Marie DuflotKremer is a member of the jury of CAPES NSI, the French hiring exam for becoming a computer science teacher in secondary schools.
 PierreÉtienne Moreau is the director of Télécom Nancy.
10.2 Teaching  Supervision  Juries
10.2.1 Teaching
 Master: Horatiu Cirstea, Advanced software engineering, 40 HETD, M2 Informatique, Université de Lorraine, France.
 Master: Horatiu Cirstea, Software engineering & Design patterns, 80 HETD, M1 informatique, Université de Lorraine, France.
 Master: Horatiu Cirstea, Software engineering, 40 HETD, 2A ENSEM, Université de Lorraine, France.
 Licence: Horatiu Cirstea, Algorithms and programming 3, 60 HETD, L2, Université de Lorraine, France.
 Licence: Marie DuflotKremer, Algorithms and programming 1, 80 HETD, L1, Université de Lorraine, France.
 Licence: Marie DuflotKremer, Individual support for algorithms and programming, 30 HETD, L1, Université de Lorraine, France.
 Master: Marie DuflotKremer, Using unplugged activities to pass on computer science concepts to students, master for future teachers.
 Licence : Marie DuflotKremer, data bases, 20 HETD, L2 and L3, Université de Lorraine
 Master: Marie DuflotKremer and Stephan Merz, Elements of model checking, 24 HETD, M2 Informatique, Université de Lorraine, France.
 Master: Marie DuflotKremer and Stephan Merz, Distributed algorithms, 30 HETD, M1 Informatique, Université de Lorraine, France.
 Classe préparatoire universitaire: Engel Lefaucheux, Algorithms and programming (2 and 3), 8 HETD, Université de Lorraine.
 Licence: Engel Lefaucheux, Algorithms and programming 2, 20 HETD, L2, Université de Lorraine.
 Classe préparatoire des INP: Engel Lefaucheux, Langages et Automates, 34.5 HETD, Université de Lorraine
 BUT 1: Sergueï Lenglet, Introduction to databases, 110 HETD, Université de Lorraine – IUT Charlemagne, France.
 BUT 1: Sergueï Lenglet, Exploitation of databases, 60 HETD, Université de Lorraine – IUT Charlemagne, France.
 BUT 2: Sergueï Lenglet, Functional programming, 24 HETD, Université de Lorraine – IUT Charlemagne, France.
 Master: Dominique Méry, Formal Modeling for Softwarebased Systems 40 HETD, M2 Informatique, Université de Lorraine, France.
 Master: Dominique Méry, Models and algorithms, M1 Telecom Nancy, 48 HETD, Université de Lorraine, France.
 Master: Dominique Méry, Formal Modeling for Softwarebased Systems, M2 Telecom Nancy, 24 HETD, Université de Lorraine, France.
 Master: Stephan Merz and Sophie Tourret, Secure Coding, M1 Mines Nancy, 26 HETD, Université de Lorraine, France
 Master: Sophie Tourret, Decision Procedures for Program Verification, M2 Informatique (academic year 20222023), Université de Lorraine, France.
 Master: Uwe Waldmann, Automated Reasoning, 60 HETD, Universität des Saarlandes, Germany.
 Master: Martin Bromberger, Sibylle Möhle, Simon Schwarz, Christoph Weidenbach, Automated Reasoning I, 60 HETD, Universität des Saarlandes, Germany.
 Master: Sorin Stratulat, Software design, 30 HETD, M2 Informatique, Université de Lorraine, France.
 Licence: Sorin Stratulat, Algorithms and programming, 105 HETD, L1 Informatique, Université de Lorraine, France.
 Licence: Sorin Stratulat, Logic for computer science, 26 HETD, L1 Informatique, Université de Lorraine, France.
 Licence: Victor Roussanaly, Data bases, L3 Polytech Nancy, 60 HETD, Université de Lorraine, France.
 Licence: Victor Roussanaly, Objectoriented programming, L3 Polytech Nancy, 42 HETD, Université de Lorraine, France.
 Master: Victor Roussanaly, Introduction to cryptography, M2 Polytech Nancy, 15 HETD, Université de Lorraine, France.
 Master: Thomas Sturm, Algorithmic Quantifier Elimination, 40 HETD, Universität des Saarlandes, Germany.
10.2.2 Supervision
 PhD: Rosalie Defourné, Encoding TLA+Set Theory for Automatic Proof, Université de Lorraine 45. Supervised by Jasmin Blanchette, Pascal Fontaine, and Stephan Merz, November 7, 2023.
 PhD: Dylan Marinho, Detecting timing attacks using formal methods, Université de Lorraine. Supervised by Étienne André, October 3, 2023.
 PhD: Fajar Haifani, On a Notion of Abduction and Relevance for FirstOrder Logic Clause Sets, MPI for Informatics, Saarland University, Sarrebruck, Allemagne. Supervised by Sophie Tourret and Christoph Weidenbach, March 9, 2023.
 PhD in progress: Thomas Bagrel, Type systems for memory safety in functional programming languages, Université de Lorraine (CIFRE with Tweag company). Supervised by Horatiu Cirstea, since April 2022.
 PhD in progress: Ghilain Bergeron, Generating distributed programs from formal specifications, INRIA. Supervised by Horatiu Cirstea and Stephan Merz, since October 2023.
 PhD in progress: Martin Desharnais, Verification in Isabelle/HOL of automated reasoning results, MPI for Informatics, Saarland University, Sarrebruck, Allemagne. Supervised by Jasmin Blanchette, Sophie Tourret and Christoph Weidenbach, since August 2021.
 PhD in progress: Hendrik Leidinger, SCL in FirstOrder Logic with Equality, Universität des Saarlandes. Supervised by Christoph Weidenbach, since August 2020.
 PhD in progress: Lorenz Leutgeb, Reasoning with SCL, Universität des Saarlandes. Supervised by Christoph Weidenbach, since October 2021.
 PhD in progress: Simon Schwarz, Automatic Reasoning for Security, Universität des Saarlandes. Supervised by Christoph Weidenbach, since October 2022.
 PhD in progress: Amine Snoussi, Formal Reengineering of Communication Protocols for Controllers. Université de Lorraine (CIFRE with Westinghouse France). Supervised by Marie DuflotKremer and Stephan Merz, since May 2023.
 PhD in progress: Vincent Trélat, HigherOrder SMT Solving for Proof Obligations in Set Theory. Université de Lorraine. Supervised by Stephan Merz and Sophie Tourret, since October 2023.
10.2.3 Juries
 Stephan Merz was a reviewer of the PhD theses of Samira Aït Bensaïd (Saclay), Jürgen König (Paderborn), Alexandrina Korneva (Saclay), and Gautier Raimondi (Rennes).
10.3 Popularization
10.3.1 Internal or external Inria responsibilities
 Marie DuflotKremer is the deputy vicepresident for outreach activities in the supervisory council of SIF (Société Informatique de France) and a member of the scientific committee of Fondation Blaise Pascal, which supports projects on popularization activities.
 Marie DuflotKremer is a member of the Interstices editorial board, a Web site launched by Inria that publishes popularization articles.
 Christoph Weidenbach is the head of the steering committee of the German Computer Science Competition for High School Students (BWINF) and a coorganizer and the president of the jury of the final round that took place in Karlsruhe in September 2023. Thomas Sturm was a member of that jury.
 Thomas Sturm collaborated in the scientific part of the German team for the International Olympiad in Informatics (IOI).
10.3.2 Education
 Marie DuflotKremer gave a half day training with Universcience for secondary school teachers on artificial intelligence in February in Paris
 Marie DuflotKremer gave a one day training on resenting computer science concepts to secondary school computer science teachers in April in Besançon
 Marie DuflotKremer gave a talk at a seminar on graphs for secondary school math teachers in Paris in June
10.3.3 Interventions
 Marie DuflotKremer coorganized a one week seminar "Les Cigognes" for girls in secondary school to help them discover research in mathematics and computer science in Ramonchamp in October 2023
 Marie DuflotKremer coorganized "Journée Sciences et Médias", a one day conference on links beetween sciences and journalism in Paris in May 2023
 Marie DuflotKremer organized a stand at the “Fête de la science” event (October 2023), to present unplugged computer science activities to the general public with the help of bachelor and master students. She also gave an invited talk for Fête de la Science in Saint Dié.
 Marie DuflotKremer set up a stand at different scientific events, like "Nocturnes de l'histoire" and "semaine des mathématiques" in March, "matinées filles maths et sciences" in April, "Salon de la culture et des Jeux Mathématiques" in May
 Marie DuflotKremer took part in several meetings with secondary school students to present computer science and research within the Chiche program.
11 Scientific production
11.1 Major publications
 1 inproceedingsveriT: an open, trustable and efficient SMTsolver.Proc. Conference on Automated Deduction (CADE)5663Lecture Notes in Computer ScienceMontreal, CanadaSpringer2009, 151156back to text
 2 articleA complete and terminating approach to linear integer solving.Journal of Symbolic Computation100September 2020, 102136HALDOIback to text
 3 incollectionThe EventB Modelling Method  Concepts and Case Studies.Logics of Specification LanguagesMonographs in Theoretical Computer ScienceSpringerFebruary 2008, 33140HALback to text
 4 inproceedingsTLA+ Proofs.18th International Symposium On Formal Methods  FM 20127436Lecture Notes in Computer ScienceParis, FranceSpringer2012, 147154back to text
 5 articleRedlog: Computer algebra meets computer logic.ACM SIGSAM Bull.3121997, 29back to text
 6 articleDetection of Hopf bifurcations in chemical reaction networks using convex coordinates.Journal of Computational Physics291March 2015, 279  302HALDOI
 7 articleSuperposition Decides the FirstOrder Logic Fragment Over Ground Theories.Mathematics in Computer Science642012, 427456
 8 incollectionThe Specification Language TLA+.Logics of specification languagesMonographs in Theoretical Computer ScienceSpringer2008, 401452HALback to text
 9 inproceedingsVerification and synthesis using real quantifier elimination.Proc. ISSAC 2011San Jose, United StatesACM PressJune 2011, 329HALDOI
 10 inproceedingsSPASS Version 3.5.22nd International Conference on Automated Deduction (CADE22)5663LNAIMontreal, CanadaSpringer2009, 140145back to text
11.2 Publications of the year
International journals
 11 articleConfiguring Timing Parameters to Ensure ExecutionTime Opacity in Timed Automata.Electronic Proceedings in Theoretical Computer Science392October 2023, 1  26HALDOIback to textback to text
 12 articleMechanical Mathematicians.Communications of the ACM664March 2023, 8090HALDOIback to text
 13 articleSuperposition for HigherOrder Logic.Journal of Automated Reasoning671January 2023, 10HALDOI
 14 articleSATInspired HigherOrder Eliminations.Logical Methods in Computer Science1922023HALDOI
 15 articleUnifying Splitting.Journal of Automated Reasoning672April 2023, 16HALDOI
 16 articleSAP: A Secure LowLatency Protocol for Mitigating High Computation Overhead in WIFI Networks.IEEE Access112023, 8462084635HALDOIback to text
 17 articleSCL(EQ): SCL for FirstOrder Logic with Equality.Journal of Automated Reasoning673June 2023, 22HALDOI
 18 articleFormal domaindriven system development in EventB: Application to interactive critical systems.Journal of Systems Architecture135February 2023, 102798HALDOIback to text
 19 articleSynchronization modulo P in dynamic networks.Theoretical Computer Science942January 2023, 200212HALDOI
 20 articleMechanical certification of FOLID cyclic proofs.Annals of Mathematics and Artificial Intelligence955February 2023, 651673HALDOIback to text
 21 articleSATInspired Eliminations for Superposition.ACM Transactions on Computational Logic241January 2023, 125HALDOI
International peerreviewed conferences
 22 inproceedingsExpiring opacity problems in parametric timed automata.2023 27th International Conference on Engineering of Complex Computer Systems (ICECCS)2023 27th International Conference on Engineering of Complex Computer Systems (ICECCS)Toulouse, FranceIEEE; IEEEJune 2023, 8998HALDOIback to text
 23 inproceedingsBest paperVerified Given Clause Procedures.Automated Deduction – CADE 29CADE2914132Lecture Notes in Computer ScienceRome, ItalySpringer Nature SwitzerlandSeptember 2023, 6177HALDOIback to textback to text
 24 inproceedingsKBO Constraint Solving Revisited.Frontiers of Combining Systems  14th International Symposium14279Lecture Notes in Computer SciencePrague (CZ), Czech RepublicSpringer Nature Switzerland2023, 81  98HALDOI
 25 inproceedingsAn Isabelle/HOL Formalization of the SCL(FOL) Calculus.Springer LNCSAutomated Deduction  {CADE} 29  29th International Conference on Automated Deduction14132Lecture Notes in Computer ScienceRome (IT), ItalySpringer Nature SwitzerlandSeptember 2023, 116133HALDOI
 26 inproceedingsSCL(FOL) Can Simulate NonRedundant Superposition Clause Learning.Automated Deduction  {CADE} 29  29th International Conference on Automated Deduction14132Lecture Notes in Computer ScienceRome (IT), ItalySpringer Nature Switzerland2023, 134  152HALDOI
 27 inproceedingsSymbolic Model Construction for Saturated Constrained Horn Clauses.Frontiers of Combining Systems  14th International Symposium, FroCoS 202314279Lecture Notes in Computer SciencePrague (CZ), Czech RepublicSpringer Nature Switzerland2023, 137  155HALDOIback to text
 28 inproceedingsExploring Partial Models with SCL.Proceedings of 24th International Conference on Logic for Programming, Artificial Intelligence and Reasoning94Manizales, ColombiaJune 2023, 4822HALDOI
 29 inproceedingsExtending PlusCal for Modeling Distributed Algorithms.Lecture Notes in Computer Science18th International Conference on Integrated Formal Methods (iFM 2023)14300Leiden, NetherlandsSpringerNovember 2023, 321340HALDOIback to text

30
inproceedingsEncoding TLA
${}^{+}$ Proof Obligations Safely for SMT.9th International Conference on Rigorous StateBased Methods (ABZ 2023)14010Lecture Notes in Computer ScienceNancy, FranceSpringer Nature SwitzerlandMay 2023, 88106HALDOIback to text  31 inproceedingsClosure Properties of General Grammars – Formally Verified.14th International Conference on Interactive Theorem Proving (ITP 2023)ITP 2023Białystok, PolandSchloss Dagstuhl  LeibnizZentrum für Informatik2023HALDOI
 32 inproceedingsCombining representation formalisms for reasoning upon mathematical knowledge.KCAP '23: Proceedings of the 12th Knowledge Capture Conference 2023KCAP '23: Knowledge Capture Conference 2023Pensacola FL USA, United StatesACM2023, 180187HALDOI
 33 inproceedingsGröbner Bases for Boolean Function Minimization.Proceedings of the 8th SCSquare WorkshopTromsø, NorwayJuly 2024HAL
 34 inproceedingsTowards an Automatic Proof of the Bakery Algorithm.Formal Techniques for Distributed Objects, Components, and Systems. FORTE 2023.13910Lecture Notes in Computer ScienceLisbon, PortugalSpringer Nature SwitzerlandJune 2023, 2128HALDOIback to text
 35 inproceedingsModel Checking Linear Dynamical Systems under Floatingpoint Rounding.Tools and Algorithms for the Construction and Analysis of Systems (TACAS 2023)13993Lecture Notes in Computer ScienceParis, FranceSpringer Nature SwitzerlandApril 2023, 4765HALDOIback to text
 36 inproceedingsNonIntrusive AnnotationBased DomainSpecific Analysis to Certify EventB Models Behaviours.2022 29th AsiaPacific Software Engineering Conference (APSEC)2022 29th AsiaPacific Software Engineering Conference (APSEC)Japan, JapanIEEEFebruary 2023, 129138HALDOI
 37 inproceedingsAn Abstract CNFtodDNNF Compiler Based on Chronological CDCL.Frontiers of Combining Systems  14th International Symposium, FroCoS 202314279Lecture Notes in Computer SciencePrague, Czech RepublicSpringer Nature Switzerland2023, 195  213HALDOI
 38 inproceedingsRecurrenceDriven Summations in Automated Deduction.Frontiers of Combining Systems. FroCoS 2023FroCoS 202314279Lecture Notes in Computer SciencePrague, Czech RepublicSpringer Nature SwitzerlandSeptember 2023, 2340HALDOI
 39 inproceedingsEnumerative Level2 Solution Counting for Quantified Boolean Formulas.29th International Conference on Principles and Practice of Constraint Programming  CP 2023Toronto, CanadaSchloss Dagstuhl  LeibnizZentrum für Informatik2023HALDOI
 40 inproceedingsExtending a HighPerformance Prover to HigherOrder Logic.Tools and Algorithms for the Construction and Analysis of Systems. TACAS 2023TACAS 202313994Lecture Notes in Computer ScienceParis, FranceSpringer Nature SwitzerlandApril 2023, 111129HALDOI
National peerreviewed Conferences
 41 inproceedingsDestinationpassing style programming: a Haskell implementation.35es Journées Francophones des Langages Applicatifs (JFLA 2024)SaintJacutdelaMer, FranceJanuary 2024HAL
Edition (books, proceedings, special issue of a journal)
 42 proceedingsE.Erika ÁbrahámT.Thomas SturmSatisfiability Checking and Symbolic Computation 2023: Proceedings of the 8th SCSquare Workshop, colocated with the 48th International Symposium on Symbolic and Algebraic Computation (ISSAC 2023).3455CEURWS.orgAugust 2023HALback to text
 43 periodicalComputer Algebra in Scientific Computing 2022.Mathematics in Computer Science1734September 2023HALback to text
 44 proceedingsU.Uwe GlässerJ.Jose Creissac CamposD.Dominique MéryP.Philippe PalanqueRigorous StateBased Methods  9th International Conference, ABZ 2023, Nancy, France, May 30  June 2, 2023, Proceedings.14010Springer Nature Switzerland; Springer2023HALDOIback to text
Doctoral dissertations and habilitation theses
 45 thesisEncoding TLA+’s Set Theory for Automated Theorem Provers.Université de lorraineNovember 2023HALback to textback to text
Reports & preprints
 46 reportSCL(FOL) Can Simulate NonRedundant Superposition Clause Learning.MaxPlanckInstitut für Informatik, Saarbrücken, GermanyMay 2023HALDOI
 47 reportSymbolic Model Construction for Saturated Constrained Horn Clauses.MaxPlanckInstitut für Informatik, Saarbrücken, GermanyJuly 2023HALDOIback to text
 48 reportSCL(FOL) Revisited.MaxPlanckInstitut für Informatik, Saarbrücken, GermanyFebruary 2023HALDOI
 49 miscA Static Checker for Reference Tracking Systems via Laplace Transform and Transfer Functions.July 2023HAL
 50 miscFrom System Events to Software Operations for Refinementbased Modeling of Hybrid Systems *.August 2023HALback to text
 51 miscTesting equality of parametric semilinear sets.July 2023HALback to text
Other scientific publications
11.3 Cited publications
 53 bookModeling in EventB: System and Software Engineering.Cambridge University Press2010back to text
 54 inproceedingsParametric realtime reasoning.Proc. 25th Annual ACM Symp. Theory of ComputingSan Diego, CA, USAACM1993, 592601back to text
 55 inproceedingsIMITATOR 3: Synthesis of Timing Parameters Beyond Decidability.Proc. 33rd Intl. Conf. ComputerAided Verification (CAV 2021)2021, 552565back to text
 56 articleRewriteBased Equational Theorem Proving with Selection and Simplification.Journal of Logic and Computation431994, 217247back to text
 57 bookRefinement calculusA systematic introduction.Springer Verlag1998back to text
 58 incollectionSatisfiability Modulo Theories.Handbook of Satisfiability185Frontiers in Artificial Intelligence and ApplicationsIOS PressFebruary 2009, 26825885back to text
 59 inproceedingsNonDeterministic Abstract Machines.33rd International Conference on Concurrency Theory (CONCUR 2022)243Leibniz International Proceedings in Informatics (LIPIcs)Keywords: Abstract machines, nondeterminism, lambdacalculus, process calculiDagstuhl, GermanySchloss Dagstuhl  LeibnizZentrum für Informatik2022, 7:17:24URL: https://drops.dagstuhl.de/entities/document/10.4230/LIPIcs.CONCUR.2022.7DOIback to text
 60 inproceedingsA Datalog Hammer for Supervisor Verification Conditions Modulo Simple Linear Arithmetic.13th Intl. Symp. Frontiers of Combining Systems (FroCoS 2021)12941Lecture Notes in Computer ScienceSpringer2021, 324back to text
 61 inproceedingsDeciding the BernaysSchoenfinkel Fragment over Bounded Difference Constraints by Simple Clause Learning over Theories.22nd Intl. Conf. Verification, Model Checking, and Abstract Interpretation (VMCAI 2021)12597Lecture Notes in Computer ScienceSpringer2021, 511533back to text
 62 bookletDimension and Degeneracy of Solutions of Parametric Polynomial Systems Arising from Reaction Networks.arXiv 2304.023022023back to text
 63 inproceedingsGeneralized Completeness for SOS Resolution and its Application to a New Notion of Relevance.28th Intl. Conf. Automated Deduction (CADE 28)12699Lecture Notes in Computer ScienceSpringer2021, 327343back to text
 64 articleAlgorithmic Reduction of Biological Networks with Multiple Time Scales.Mathematics in Computer Science153September 2021, 499  534HALDOIback to textback to text
 65 bookSpecifying Systems.Boston, Mass.AddisonWesley2002back to text
 66 articleBioModels Database: A Free, Centralized Database of Curated, Published, Quantitative Kinetic Models of Biochemical and Cellular Systems.Nucleic acids res.34suppl_1January 2006, D689D691DOIback to text
 67 articleTransmission Dynamics and Control Strategies Assessment of Avian Influenza A (H5N6) in the Philippines.Infectious Disease Modelling32018, 3559DOIback to text
 68 bookletDAlgebraic Functions.arXiv 2301.025122023back to text
 69 bookProgramming from Specifications.2nd editionPrentice Hall1998back to text
 70 articleMechanically Certifying Formulabased Noetherian Induction Reasoning.Journal of Symbolic Computation80, Part I2017, 209249HALDOIback to text
 71 bookletDouble Normalizing Flows: Flexible Bayesian Gaussian Process ODEs Learning.arXiv:2309.092222023back to text