EN FR
EN FR

2024Activity reportProject-TeamANTIQUE

RNSR: 201421111R
  • Research center Inria Paris Centre
  • In partnership with:CNRS, Ecole normale supérieure de Paris
  • Team name: Static Analysis by Abstract Interpretation
  • In collaboration with:Département d'Informatique de l'Ecole Normale Supérieure
  • Domain:Algorithmics, Programming, Software and Architecture
  • Theme:Proofs and Verification

Keywords

Computer Science and Digital Science

  • A2. Software
  • A2.1. Programming Languages
  • A2.1.1. Semantics of programming languages
  • A2.1.6. Concurrent programming
  • A2.1.7. Distributed programming
  • A2.1.12. Dynamic languages
  • A2.2.1. Static analysis
  • A2.3. Embedded and cyber-physical systems
  • A2.3.1. Embedded systems
  • A2.3.2. Cyber-physical systems
  • A2.3.3. Real-time systems
  • A2.4. Formal method for verification, reliability, certification
  • A2.4.1. Analysis
  • A2.4.2. Model-checking
  • A2.4.3. Proofs
  • A2.6.1. Operating systems
  • A4.4. Security of equipment and software
  • A4.5. Formal methods for security

Other Research Topics and Application Domains

  • B1.1. Biology
  • B1.1.8. Mathematical biology
  • B1.1.10. Systems and synthetic biology
  • B5.2. Design and manufacturing
  • B5.2.1. Road vehicles
  • B5.2.2. Railway
  • B5.2.3. Aviation
  • B5.2.4. Aerospace
  • B6.1. Software industry
  • B6.1.1. Software engineering
  • B6.1.2. Software evolution, maintenance
  • B6.6. Embedded systems

1 Team members, visitors, external collaborators

Research Scientists

  • Xavier Rival [Team leader, INRIA, Senior Researcher]
  • Bernadette Charron-Bost [CNRS, Senior Researcher]
  • Vincent Danos [CNRS, Senior Researcher]
  • Jérôme Feret [INRIA, Researcher]
  • Hugo Paquet [INRIA, Researcher, from Oct 2024]
  • Caterina Urban [INRIA, Researcher]

Post-Doctoral Fellows

  • Marco Campion [INRIA, Post-Doctoral Fellow]
  • Alessandro De Palma [INRIA, Post-Doctoral Fellow]
  • Guannan Wei [INRIA, Post-Doctoral Fellow, from Sep 2024]

PhD Students

  • Valentin Barbazo [ENS PARIS]
  • Jerome Boillot [ENS PARIS]
  • Charles De Haro [ENS PARIS, from Sep 2024]
  • Serge Durand [INRIA, from Nov 2024]
  • Serge Durand [CEA, until Nov 2024]
  • Josselin Giet [INRIA, until Aug 2024]
  • Denis Mazzucato [INRIA, until Sep 2024]
  • Naim Moussaoui Remil [INRIA]
  • Patricia Roxo [ENS, from Sep 2024]
  • Ignacio Tiraboschi [INRIA, until Aug 2024]

Technical Staff

  • Yoan Bouniard [INRIA, Engineer, from Nov 2024]
  • Rebecca Ghidini [ENS, Engineer, from Dec 2024]
  • Josselin Giet [INRIA, Engineer, from Sep 2024 until Sep 2024]
  • Antoine Pouille [INRIA, Engineer]
  • Ignacio Tiraboschi [INRIA, Engineer, from Sep 2024 until Sep 2024]

Interns and Apprentices

  • Charles De Haro [ENS RENNES, Intern, from Feb 2024 until Aug 2024]

Administrative Assistants

  • Meriem Guemair [INRIA]
  • Diana Marino Duarte [INRIA]

2 Overall objectives

Our group focuses on developing automated techniques to compute semantic properties of programs and other systems with a computational semantics in general. Such properties include (but are not limited to) important classes of correctness properties.

Verifying safety critical systems (such as avionics systems) is an important motivation to compute such properties. Indeed, a fault in an avionics system, such as a runtime error in the fly-by-wire command software, may cause an accident, with loss of life. As these systems are also very complex and are developed by large teams and maintained over long periods, their verification has become a crucial challenge. Safety critical systems are not limited to avionics: software runtime errors in cruise control management systems were recently blamed for causing unintended acceleration in certain Toyota models (the case was settled with a 1.2 billion dollars fine in March 2014, after years of investigation and several trials). Similarly, other transportation systems (railway), energy production systems (nuclear power plants, power grid management), medical systems (pacemakers, surgery and patient monitoring systems), and value transfers in decentralized systems (smart contracts), rely on complex software, which should be verified.

Beyond the field of embedded systems, other pieces of software may cause very significant harm in the case of bugs, as demonstrated by the Heartbleed security hole: due to a wrong protocol implementation, many websites could leak private information, over years.

An important example of semantic properties is the class of safety properties. A safety property typically specifies that some (undesirable) event will never occur, whatever the execution of the program that is considered. For instance, the absence of runtime error is a very important safety property. Other important classes of semantic properties include liveness properties (i.e., properties that specify that some desirable event will eventually occur) such as termination and security properties, such as the absence of information flows from private to public channels.

All these software semantic properties are not decidable, as can be shown by reduction to the halting problem. Therefore, there is no chance to develop any fully automatic technique able to decide, for any system, whether or not it satisfies some given semantic property.

The classic development techniques used in industry involve testing, which is not sound, as it only gives information about a usually limited test sample: even after successful test-based validation, situations that were untested may generate a problem. Furthermore, testing is costly in the long term, as it should be re-done whenever the system to verify is modified. Machine-assisted verification is another approach which verifies human specified properties. However, this approach also presents a very significant cost, as the annotations required to verify large industrial applications would be huge.

By contrast, the antique group focuses on the design of semantic analysis techniques that should be sound (i.e., compute semantic properties that are satisfied by all executions) and automatic (i.e., with no human interaction), although generally incomplete (i.e., not able to compute the best —in the sense of: most precise— semantic property). As a consequence of incompleteness, we may fail to verify a system that is actually correct. For instance, in the case of verification of absence of runtime error, the analysis may fail to validate a program, which is safe, and emit false alarms (that is reports that possibly dangerous operations were not proved safe), which need to be discharged manually. Even in this case, the analysis provides information about the alarm context, which may help disprove it manually or refine the analysis.

The methods developed by the antique group are not limited to the analysis of software. We also consider complex biological systems (such as models of signaling pathways, i.e. cascades of protein interactions, which enable signal communication among and within cells), described in higher level languages, and use abstraction techniques to reduce their combinatorial complexity and capture key properties so as to get a better insight in the underlying mechanisms of these systems.

3 Research program

3.1 Semantics

Semantics plays a central role in verification since it always serves as a basis to express the properties of interest, that need to be verified, but also additional properties, required to prove the properties of interest, or which may make the design of static analysis easier.

For instance, if we aim for a static analysis that should prove the absence of runtime error in some class of programs, the concrete semantics should define properly what error states and non error states are, and how program executions step from a state to the next one. In the case of a language like C, this includes the behavior of floating point operations as defined in the IEEE 754 standard. When considering parallel programs, this includes a model of the scheduler, and a formalization of the memory model.

Additionally, it is sometimes desirable for the semantics to describe program behavior with more precision than is strictly necessary for the property of interest. For instance, to establish a state property (such as the absence of runtime errors) we need a state invariant, but the analysis is sometimes significantly easier using a trace invariant, which also tracks the order in which states are visited, and allows for case-splitting on possible execution paths. This is only possible if the semantic model describes not just program states but also program traces.

Thus, for a given programming language there may be a number of useful semantics, tracking different aspects of program execution. One challenge is to understand how different semantics relate to each other, so that benefits can be compared or combined. On the theoretical side, we can organise the spectrum of possible semantics using category theory. This gives very general methods that are applicable to all kinds of programming languages.

In summary, program semantics is the first step in any program analysis. Our group works to extend the reach of semantic methods to new or non-standard kinds of programming languages, understand the theoretical foundations of these methods, and connect this theory with the practice of static analysis.

3.2 Abstract interpretation and static analysis

Once a reference semantics has been fixed and a property of interest has been formalized, the definition of a static analysis requires the choice of an abstraction. The abstraction ties a set of abstract predicates to the concrete ones, which they denote. This relation is often expressed with a concretization function that maps each abstract element to the concrete property it stands for. Obviously, a well chosen abstraction should allow one to express the property of interest, as well as all the intermediate properties that are required in order to prove it (otherwise, the analysis would have no chance to achieve a successful verification). It should also lend itself to an efficient implementation, with efficient data-structures and algorithms for the representation and the manipulation of abstract predicates. A great number of abstractions have been proposed for all kinds of concrete data types, yet the search for new abstractions is a very important topic in static analysis, so as to target novel kinds of properties, to design more efficient or more precise static analyses.

Once an abstraction is chosen, a set of sound abstract transformers can be derived from the concrete semantics and that account for individual program steps, in the abstract level and without forgetting any concrete behavior. A static analysis follows as a result of this step by step approximation of the concrete semantics, when the abstract transformers are all computable. This process defines an abstract interpretation  29. The case of loops requires a bit more work as the concrete semantics typically relies on a fixpoint that may not be computable in finitely many iterations. To achieve a terminating analysis we then use widening operators  29, which over-approximate the concrete union and ensure termination.

A static analysis defined that way always terminates and produces sound over-approximations of the programs behaviors. Yet, these results may not be precise enough for verification. This is where the art of static analysis design comes into play through, among others:

  • the use of more precise, yet still efficient enough abstract domains;
  • the combination of application-specific abstract domains;
  • the careful choice of abstract transformers and widening operators.

3.3 Applications of the notion of abstraction in semantics

In the previous subsections, we sketched the steps in the design of a static analyzer to infer some family of properties, which should be implementable, and efficient enough to succeed in verifying non trivial systems.

The same principles can be applied successfully to other goals. In particular, the abstract interpretation framework should be viewed as a very general tool to compare different semantics, not necessarily with the goal of deriving a static analyzer. Such comparisons may be used in order to prove two semantics equivalent (i.e., one is an abstraction of the other and vice versa), or that a first semantics is strictly more expressive than another one (i.e., the latter can be viewed an abstraction of the former, where the abstraction actually makes some information redundant, which cannot be recovered). A classical example of such comparison is the classification of semantics of transition systems  28, which provides a better understanding of program semantics in general. For instance, this approach can be applied to get a better understanding of the semantics of a programming language, but also to select which concrete semantics should be used as a foundation for a static analysis, or to prove the correctness of a program transformation, compilation or optimization.

3.4 From properties to explanations

In many application domains, we can go beyond the proof that a program satisfies its specification. Abstractions can also offer new perspectives to understand how complex behaviors of programs emerge from simpler computation steps. Abstractions can be used to find compact and readable representations of sets of traces, causal relations, and even proofs. For instance, abstractions may decipher how the collective behaviors of agents emerge from the orchestration of their individual ones in distributed systems (such as consensus protocols, models of signaling pathways). Another application is the assistance for the diagnostic of alarms of a static analyzer.

Often times, complex systems and software have intricate behaviors, leading to executions that are hard to understand for programmers and also difficult to reason about with static analyzers. An additional challenge arises in the distributed setting with the combinatorial explosion of the number of possible executions inherent to the non-determinism of the system (interleaving of actions performed by different processes and link or process failures). In 2009, Charron-Bost and Schiper 5 proposed a new computing model, namely the Heard-Of model, in which computations evolve in synchronous rounds that are communication-closed layers. At each round r, information transmissions are represented by the communication graph, and each execution corresponds to a sequence of communication graphs, i.e., a dynamic graph. The features of a specific system are thus captured as a whole, just by the collection of possible dynamic graphs. This model handles various asynchrony degree and benign failures, be they static or dynamic, permanent or transient, in a unified framework: synchrony assumptions and failure model in a static network are translated into a certain class of dynamic graphs. Due to its high abstraction level and its expressiveness, the Heard-Of model has gained a considerable attention of the verification community, in particular for the consensus algorithms. Subsequently, this model was successfully used to study other fundamental problems in distributed computing such as synchronization and leader election.

Process crashes play a key role in the behavior of distributed systems. In Erlang, for instance, process crashes involve cascades of signals which aims at recovering state consistency. Yet, the order of signal handling is a potential source of bugs, the precise origin of which can be difficult to understand. Adressing this issue requires a low-level semantics describing precisely signal handling (as the one we proposed in 30) and causal analysis to understand why a system deviate from the behaviors in its specification (as the one that is implanted in CESAn, e.g. see Sect. 7.1.3).

In models of signaling pathways, collective behavior emerges from competition for common resources, separation of scales (time/concentration), non linear feedback loops, which are all consequences of mechanistic interactions between individual bio-molecules (e.g., proteins). While more and more details about mechanistic interactions are available in the literature, understanding the behavior of these models at the system level is far from easy. Causal analysis helps explaining how specific events of interest may occur. Model reduction techniques combine methods from different domains such as the analysis of information flow used in communication protocols, and tropicalization methods that comes from physics. The result is lower dimension systems that preserve the behavior of the initial system while focusing of the elements from which emerges the collective behavior of the system.

The abstraction of causal traces offer nice representation of scenarios that lead to expected or unexpected events. This is useful to understand the necessary steps in potential scenarios in signaling pathways; this is useful as well to understand the different steps of an intrusion in a protocol. Lastly, traces of computation of a static analyzer can themselves be abstracted, which provides assistance to classify true and false alarms. Abstracted traces are symbolic and compact representations of sets of counter-examples to the specification of a system which help one to either understand the origin of bugs, or to find that some information has been lost in the abstraction leading to false alarms.

4 Application domains

4.1 Verification of safety critical embedded software

The verification of safety critical embedded software is a very important application domain for our group. First, this field requires a high confidence in software, as a bug may cause disastrous events. Thus, it offers an obvious opportunity for a strong impact. Second, such software usually have better specifications and a better design than many other families of software, hence are an easier target for developing new static analysis techniques (which can later be extended for more general, harder to cope with families of programs). This includes avionics, automotive and other transportation systems, medical systems ...

For instance, the verification of avionics systems represent a very high percentage of the cost of an airplane (about 30 % of the overall airplane design cost). The state of the art development processes mainly resort to testing in order to improve the quality of software. Depending on the level of criticality of a software (at the highest levels, any software failure would endanger the flight) a set of software requirements are checked with test suites. This approach is both costly (due to the sheer amount of testing that needs to be performed) and unsound (as errors may go unnoticed, if they do not arise on the test suite).

By contrast, static analysis can ensure higher software quality at a lower cost. Indeed, a static analyzer will catch all bugs of a certain kind. Moreover, a static analysis run typically lasts a few hours, and can be integrated in the development cycle in a seamless manner. For instance, Astrée successfully verified the absence of runtime error in several families of safety critical fly-by-wire avionic software, in at most a day of computation, on standard hardware. Other kinds of synchronous embedded software have also been analyzed with good results.

In the future, we plan to greatly extend this work so as to verify other families of embedded software (such as communication, navigation and monitoring software) and other families of properties (such as security and liveness properties).

Embedded software in charge of communication, navigation, and monitoring typically relies on a parallel structure, where several threads are executed concurrently, and manage different features (input, output, user interface, internal computation, logging ...). This structure is also often found in automotive software. An even more complex case is that of distributed systems, where several separate computers are run in parallel and take care of several sub-tasks of a same feature, such as braking. Such a logical structure is not only more complex than the synchronous one, but it also introduces new risks and new families of errors (deadlocks, data-races...). Moreover, such less well designed, and more complex embedded software often utilizes more complex data-structures than synchronous programs (which typically only use arrays to store previous states) and may use dynamic memory allocation, or build dynamic structures inside static memory regions, which are actually even harder to verify than conventional dynamically allocated data structures. Complex data-structures also introduce new kinds of risks (the failure to maintain structural invariants may lead to runtime errors, non termination, or other software failures). To verify such programs, we will design additional abstract domains, and develop new static analysis techniques, in order to support the analysis of more complex programming language features such as parallel and concurrent programming with threads and manipulations of complex data structures. Due to their size and complexity, the verification of such families of embedded software is a major challenge for the research community.

Furthermore, embedded systems also give rise to novel security concerns. It is in particular the case for some aircraft-embedded computer systems, which communicate with the ground through untrusted communication media. Besides, the increasing demand for new capabilities, such as enhanced on-board connectivity, e.g. using mobile devices, together with the need for cost reduction, leads to more integrated and interconnected systems. For instance, modern aircrafts embed a large number of computer systems, from safety-critical cockpit avionics to passenger entertainment. Some systems meet both safety and security requirements. Despite thorough segregation of subsystems and networks, some shared communication resources raise the concern of possible intrusions. Because of the size of such systems, and considering that they are evolving entities, the only economically viable alternative is to perform automatic analyses. Such analyses of security and confidentiality properties have never been achieved on large-scale systems where security properties interact with other software properties, and even the mapping between high-level models of the systems and the large software base implementing them has never been done and represents a great challenge. Our goal is to prove empirically that the security of such large scale systems can be proved formally, thanks to the design of dedicated abstract interpreters.

The long term goal is to make static analysis more widely applicable to the verification of industrial software.

4.2 Static analysis of software components and libraries

An important goal of our work is to make static analysis techniques easier to apply to wider families of software. Then, in the longer term, we hope to be able to verify less critical, yet very commonly used pieces of software. Those are typically harder to analyze than critical software, as their development process tends to be less rigorous. In particular, we will target operating systems components and libraries. As of today, the verification of such programs is considered a major challenge to the static analysis community.

As an example, most programming languages offer Application Programming Interfaces (API) providing ready-to-use abstract data structures (e.g., sets, maps, stacks, queues, etc.). These APIs, are known under the name of containers or collections, and provide off-the-shelf libraries of high level operations, such as insertion, deletion and membership checks. These container libraries give software developers a way of abstracting from low-level implementation details related to memory management, such as dynamic allocation, deletion and pointer handling or concurrency aspects, such as thread synchronization. Libraries implementing data structures are important building bricks of a huge number of applications, therefore their verification is paramount. We are interested in developing static analysis techniques that will prove automatically the correctness of large audience libraries such as Glib and Threading Building Blocks.

4.3 Models of mechanistic interactions between proteins

Computer Science takes a more and more important role in the design and the understanding of biological systems such as signaling pathways, self assembly systems, DNA repair mechanisms. Biology has gathered large data-bases of facts about mechanistic interactions between proteins, but struggles to draw an overall picture of how these systems work as a whole. High level languages designed in Computer Science allow one to collect these interactions in integrative models, and provide formal definitions (i.e., semantics) for the behavior of these models. This way, modelers can encode their knowledge, following a bottom-up discipline, without simplifying a priori the models at the risk of damaging the key properties of the system. Yet, the systems that are obtained this way suffer from combinatorial explosion (in particular, in the number of different kinds of molecular components, which can arise at run-time), which prevents from a naive computation of their behavior.

We develop various analyses based on abstract interpretation, and tailored to different phases of the modeling process. We propose automatic static analyses in order to detect inconsistencies in the early phases of the modeling process. These analyses are similar to the analysis of classical safety properties of programs. They involve both forward and backward reachability analyses as well as causality analyses, and can be tuned at different levels of abstraction. We also develop automatic static analyses in order to identify key elements in the dynamics of these models. The results of these analyses are sent to another tool, which is used to automatically simplify models. The correctness of this simplification process is proved by the means of abstract interpretation: this ensures formally that the simplification preserves the quantitative properties that have been specified beforehand by the modeler. The whole pipeline is parameterized by a large choice of abstract domains which exploits different features of the high level description of models.

4.4 Application of distributed algorithms

We mainly worked on two different topics, namely synchronization in multi-agent networks and constrained consensus (or equivalently, function computation). We studied the two problems in the round-based Heard-Of model (cf. Section 3.4), where each computation is determined by a dynamic graph formed by the sequence of communication graphs at each round. As above explained, the features of the network (synchrony degree, failures, knowledge, ...) are captured by the class of possible dynamic graphs.

Synchronization in multi-agent networks.

We consider the fundamental problem of periodic clock synchronization in a synchronous multi-agent system: Each agent holds a clock with an arbitrary initial value, and clocks must eventually be congruent, modulo some positive integer P. Our main contribution has been to prove some lower bounds on synchronization time and memory size required at each agent to synchronize, and to propose a new synchronization algorithm, called SAP because it is based on a self-adaptative period) mechanism, which fits these lower bounds. Interestingly, our algorithm works under very weak connectivity assumptions, and do not require any global knowledge on the network. Its correctness has been established in the proof assistant Isabelle. Then we extended these results to probabilistic communication networks: we demonstrated that the SAP algorithm still works in any probabilistic communication network that is "connected with high probability". The proof of such a probabilistic hyperproperty is based on novel tools and relies on weak assumptions about the probabilistic communication network, making it applicable to a wide range of networks, including the classical rumor spreading models.

Constrained consensus.

The problem consists, for a networked system of autonomous agents, to collectively compute the value of a given function of some input values, each initially private to one agent in the network. In the “blind broadcast” model, where an agent merely casts out a unique message without any knowledge or control over its addressees, the computable functions are exactly those that only depend on the set of the input values. In contrast, we proved that, when either i) the agents know how many outneighbors they have; ii) all communications links in the network are bidirectional; or iii) the agents may address each of their outneighbors individually, the set of computable functions grows to contain all functions that depend on the relative frequencies of each value in the input such as the average. We first obtained all these exact characterizations of computable functions for static networks using the notion of graph fibration in homotopy graph theory. The same characterizations hold for dynamic networks. To show this, we developed a totally different method based on the stochastic analysis of consensus algorithms derived from statistical physics.

4.5 Static analysis of data science software

Nowadays, thanks to advances in machine learning and the availability of vast amounts of data, computer software plays an increasingly important role in assisting or even autonomously performing tasks in our daily lives. As data science software becomes more and more widespread, we become increasingly vulnerable to programming errors. In particular, programming errors that do not cause failures can have serious consequences since code that produces an erroneous but plausible result gives no indication that something went wrong. This issue becomes particularly worrying knowing that machine learning software, thanks to its ability to efficiently approximate or simulate more complex systems, is slowly creeping into mission critical scenarios. However, programming errors are not the only concern. Another important issue is the vulnerability of machine learning models to adversarial examples, that is, small input perturbations that cause the model to misbehave in unpredictable ways. More generally, a critical issue is the notorious difficulty to interpret and explain machine learning software. Finally, as we are witnessing widespread adoption of software with far-reaching societal impact — i.e., to automate decision-making in fields such as social welfare, criminal justice, and even health care — a number of recent cases have evidenced the importance of ensuring software fairness as well as data privacy. Going forward, data science software will be subject to more and more legal regulations (e.g., the European General Data Protection Regulation adopted in 2016) as well as administrative audits.

It is thus paramount to develop method and tools that can keep up with these developments and enhance our understanding of data science software and ensure it behaves correctly and reliably. In particular, we are interesting in developing new static analyses specifically tailored to the idiosyncrasies of data science software. This makes it a new and exciting area for static analysis, offering a wide variety of challenging problems with huge potential impact on various interdisciplinary application domains 31.

4.6 Probabilistic programming and statistical inference

Probabilistic programming is a method for Bayesian probabilistic modelling in which statistical models are encoded as programs. Compared with the traditional approach, in which models are written down in mathematical notation, the advantage of the programming environment is that complex models can be clearly structured, and users can easily experiment with different models. Additionally, a probabilistic programming language typically comes with various built-in tools for inference—the process of updating probability distributions in the model after observing part of the data. This is a notoriously difficult practical problem and the central goal of Bayesian statistics.

Our research is mainly concerned with ensuring that inference algorithms from traditional statistics can be correctly adapted to probabilistic programming, in the sense that, for any probabilistic program, the results of inference are mathematically consistent with statistical theory.

In some cases, standard results from probability theory can be leveraged for correctness, but for advanced inference algorithms this usually requires care. For example, variational inference methods are only correct under additional assumptions, and we develop static analyses to verify these assumptions automatically for probabilistic programs. Another example is the correctness of an optimized Metropolis-Hastings algorithm. This is a very generic inference algorithm, which works for all programs, but generally performs poorly unless the program's data dependencies are properly understood and exploited. We gave a formal semantic account of these dependencies to formally prove the optimization correct.

In addition to correctness results, we are interested in the expressive power of probabilistic programming for certain classes of infinite-dimensional models. Compositional semantics, including category-theoretic methods, provide a bridge between statistical models and probabilistic programs, which we develop in order to address these questions.

5 Social and environmental responsibility

5.1 Impact of research results

We are advising static analysis companies including AbsInt Angewandte Informatik (static analysis for the verification of embedded software) and MatrixLead (static analysis for spreadsheet applications).

We also helped in the design of the distributed component of the blockchain that has been produced by Archethic for the security system of the Olympic Games Paris 2024.

6 Highlights of the year

Note : Readers are advised that the Institute does not endorse the text in the “Highlights of the year” section, which is the sole responsibility of the team leader.

At the end of 2024, Inria's top management enacted a new “contrat d'objectifs, de moyens et de performance” (COMP), which defines Inria's objectives for the period 2024–2028. We are very unhappy and concerned about the content of this document and the way it was imposed.

  • Neither the staff nor their representative bodies were given the opportunity to participate in (or influence) the drafting of this document.
  • The document defines Inria's main mission as “contributing to the digital sovereignty of the Nation through research and innovation” and proposes to amend Inria's founding decree to reflect this new definition. We strongly believe that our primary mission is (and should remain) the advancement of human knowledge through research. Research is not a means to achieve “digital sovereignty”, whatever that may mean. Research should not be associated with any particular nation, whatever that nation may be.
  • The document announces the creation of a funding agency within Inria. France already has an independent funding agency, the ANR. The creation of a new funding agency within a research institute is unnecessary and a waste of resources. It is also likely to create confusion, opacity, and conflicts of interest.
  • Many aspects of the document reflect a desire to drive research in a top-down manner, for example through the selection of “strategic partner institutions” and “strategic themes”. This threatens the fundamental freedom of researchers to choose their research topics and collaborations.
  • The document indicates that all of Inria's research should have “dual nature”, that is, both civilian and military applications. While some of the institute's research may have military applications, the vast majority of it is independent of the military, and should remain so.
  • The document announces a desire to place all of Inria in a “restricted regime area” (ZRR), which means that the hiring of researchers and interns will be reviewed and possibly vetoed by the Fonctionnaire Sécurité Défense. This creates administrative delays, subjects hiring to opaque criteria, and discourages the hiring of foreign nationals, thus harming research and collaboration.
  • Staff opposition to these policies, which has been expressed in several votes and petitions, has been largely ignored.

7 New software, platforms, open data

7.1 New software

7.1.1 Astrée

  • Name:
    The AstréeA Static Analyzer of Asynchronous Software
  • Keywords:
    Static analysis, Static program analysis, Program verification, Software Verification, Abstraction
  • Scientific Description:

    Astrée analyzes structured C programs, with complex memory usages, but without dynamic memory allocation nor recursion. This encompasses many embedded programs as found in earth transportation, nuclear energy, medical instrumentation, and aerospace applications, in particular synchronous control/command. The whole analysis process is entirely automatic.

    Astrée discovers all runtime errors including:

    undefined behaviors in the terms of the ANSI C99 norm of the C language (such as division by 0 or out of bounds array indexing),

    any violation of the implementation-specific behavior as defined in the relevant Application Binary Interface (such as the size of integers and arithmetic overflows),

    any potentially harmful or incorrect use of C violating optional user-defined programming guidelines (such as no modular arithmetic for integers, even though this might be the hardware choice),

    failure of user-defined assertions.

  • Functional Description:

    Astrée analyzes structured C programs, with complex memory usages, but without dynamic memory allocation nor recursion. This encompasses many embedded programs as found in earth transportation, nuclear energy, medical instrumentation, and aerospace applications, in particular synchronous control/command. The whole analysis process is entirely automatic.

    Astrée discovers all runtime errors including: - undefined behaviors in the terms of the ANSI C99 norm of the C language (such as division by 0 or out of bounds array indexing), - any violation of the implementation-specific behavior as defined in the relevant Application Binary Interface (such as the size of integers and arithmetic overflows), - any potentially harmful or incorrect use of C violating optional user-defined programming guidelines (such as no modular arithmetic for integers, even though this might be the hardware choice), - failure of user-defined assertions.

    Astrée is a static analyzer for sequential programs based on abstract interpretation. The Astrée static analyzer aims at proving the absence of runtime errors in programs written in the C programming language.

  • URL:
  • Contact:
    Patrick Cousot
  • Participants:
    Antoine Mine, Jerome Feret, Laurent Mauborgne, Patrick Cousot, Radhia Cousot, Xavier Rival
  • Partners:
    CNRS, ENS Paris, AbsInt Angewandte Informatik GmbH

7.1.2 AstréeA

  • Name:
    The AstréeA Static Analyzer of Asynchronous Software
  • Keywords:
    Static analysis, Static program analysis
  • Scientific Description:
    AstréeA analyzes C programs composed of a fixed set of threads that communicate through a shared memory and synchronization primitives (mutexes, FIFOs, blackboards, etc.), but without recursion nor dynamic creation of memory, threads nor synchronization objects. AstréeA assumes a real-time scheduler, where thread scheduling strictly obeys the fixed priority of threads. Our model follows the ARINC 653 OS specification used in embedded industrial aeronautic software. Additionally, AstréeA employs a weakly-consistent memory semantics to model memory accesses not protected by a mutex, in order to take into account soundly hardware and compiler-level program transformations (such as optimizations). AstréeA checks for the same run-time errors as Astrée , with the addition of data-races.
  • Functional Description:
    AstréeA is a static analyzer prototype for parallel software based on abstract interpretation. The AstréeA prototype is a fork of the Astrée static analyzer that adds support for analyzing parallel embedded C software.
  • URL:
  • Contact:
    Patrick Cousot
  • Participants:
    Antoine Mine, Jerome Feret, Patrick Cousot, Radhia Cousot, Xavier Rival
  • Partners:
    CNRS, ENS Paris, AbsInt Angewandte Informatik GmbH

7.1.3 CESAn

  • Name:
    Core Erlang Semantics Analyzer
  • Keyword:
    Formal semantics
  • Functional Description:
    CESAn implements the semantics of a subset of Core Erlang. Given a Core Erlang program with finite semantics, it outputs its semantics in the form of a labeled transition system. The underlying small-step semantics faithfully represents message passing and signal handling in Erlang.
  • Publication:
  • Contact:
    Aurélie Kong Win Chang
  • Participants:
    Aurélie Kong Win Chang, Jerome Feret, Gregor Goessler

7.1.4 FuncTion

  • Scientific Description:
    FuncTion is based on an extension to liveness properties of the framework to analyze termination by abstract interpretation proposed by Patrick Cousot and Radhia Cousot. FuncTion infers ranking functions using piecewise-defined abstract domains. Several domains are available to partition the ranking function, including intervals, octagons, and polyhedra. Two domains are also available to represent the value of ranking functions: a domain of affine ranking functions, and a domain of ordinal-valued ranking functions (which allows handling programs with unbounded non-determinism).
  • Functional Description:
    FuncTion is a research prototype static analyzer to analyze the termination and functional liveness properties of programs. It accepts programs in a small non-deterministic imperative language. It is also parameterized by a property: either termination, or a recurrence or a guarantee property (according to the classification by Manna and Pnueli of program properties). It then performs a backward static analysis that automatically infers sufficient conditions at the beginning of the program so that all executions satisfying the conditions also satisfy the property.
  • URL:
  • Contact:
    Caterina Urban
  • Participants:
    Antoine Mine, Caterina Urban

7.1.5 MemCAD

  • Name:
    The MemCAD static analyzer
  • Keywords:
    Static analysis, Abstraction
  • Functional Description:
    MemCAD is a static analyzer that focuses on memory abstraction. It takes as input C programs, and computes invariants on the data structures manipulated by the programs. It can also verify memory safety. It comprises several memory abstract domains, including a flat representation, and two graph abstractions with summaries based on inductive definitions of data-structures, such as lists and trees and several combination operators for memory abstract domains (hierarchical abstraction, reduced product). The purpose of this construction is to offer a great flexibility in the memory abstraction, so as to either make very efficient static analyses of relatively simple programs, or still quite efficient static analyses of very involved pieces of code. The implementation consists of over 30 000 lines of ML code, and relies on the ClangML front-end. The current implementation comes with over 300 small size test cases that are used as regression tests.
  • URL:
  • Contact:
    Xavier Rival
  • Participants:
    Antoine Toubhans, Francois Berenger, Huisong Li, Xavier Rival

7.1.6 KAPPA

  • Name:
    A rule-based language for modeling interaction networks
  • Keywords:
    Systems Biology, Computational biology
  • Scientific Description:
    OpenKappa is a collection of tools to build, debug and run models of biological pathways. It contains a compiler for the Kappa Language, a static analyzer (for debugging models), a simulator, a compression tool for causal traces, and a model reduction tool.
  • Functional Description:
    Kappa is provided with the following tools: - a compiler - a stochastic simulator - a static analyzer - a trace compression algorithm - an ODE generator - a tool for parameter calibration
  • Release Contributions:
    On line UI, Simulation is based on a new data-structure (see ESOP 2017 ), New abstract domains are available in the static analyzer (see SASB 2016), Local traces (see TCBB 2018), Reasoning on polymers (see SASB 2018).
  • URL:
  • Contact:
    Jerome Feret
  • Participants:
    Jean Krivine, Jerome Feret, Kim-Quyen Ly, Pierre Boutillier, Russ Harmer, Vincent Danos, Walter Fontana, Antoine Pouille, Matthieu Bougueon

7.1.7 PYPPAI

  • Name:
    Pyro Probabilistic Program Analyzer
  • Keywords:
    Probability, Static analysis, Program verification, Abstraction
  • Functional Description:

    PYPPAI is a program analyzer to verify the correct semantic definition of probabilistic programs written in Pyro. At the moment, PYPPAI verifies consistency conditions between models and guides used in probabilistic inference programs.

    PYPPAI is written in OCaml and uses the pyml Python in OCaml library. It features a numerical abstract domain based on Apron, an abstract domain to represent zones in tensors, and dedicated abstract domains to describe distributions and states in probabilistic programs.

  • URL:
  • Contact:
    Xavier Rival

8 New results

8.1 Symbolic Numerical Domains

Mopsa-C: Improved Verification for C Programs, Simple Validation of Correctness Witnesses (Competition Contribution)

Participants: Raphaël Monat, Marco Milanese, Francesco Parolini, Jérôme Boillot, Abdelraouf Ouadjaout, Antoine Miné.

The paper 20, which has been accepted in TACAS 2024, presents the advances which have been brought to Mopsa for SV-Comp 2024, including the works by Jérôme Boillot on the symbolic simplification of integer expressions (with explicit and implicit type conversions), that had been published at SAS 2023 27 Mopsa won SV-Comp’s Software Systems category by a large margin, scoring 2.5 times more points than the silver medalist, Bubaak-SpLit.

Abstraction of Memory Block Manipulations by Symbolic Loop Folding

Participants: Jérôme Boillot, Jérôme Feret.

In the paper 13, which has been accepted to ESOP 2025, we introduce a new abstract domain for analyzing memory block manipulations, focusing on programs with dynamically allocated arrays. This domain computes properties universally quantified over the value of the loop counters, both for assignments and tests. These properties consist of equalities and comparison predicates involving abstract expressions, represented as affine forms in the loop counters and symbolic dereferences. A well-founded order on the assignments prevents explosion of the abstract memory state.

All these methods have been incorporated within the Astrée static analyzer that checks for the absence of run-time errors in embedded critical software. We also give insights on how to implement this abstract domain within any other C static analyzer.

8.2 Shape Analysis

Automatic Verification of Tasks Schedulers

Participant: Josselin Giet, Xavier Rival.

We have set up a static analysis for the verification of the functional correctness of the core part of an operating system, using the MemCAD static analyser that has been designed in the group for over a decade.

In 2024, this work letd to Josselin Giet's PhD thesis 24. This PhD thesis addresses the verification of task schedulers for operating systems through static analysis based on abstract interpretation. The task scheduler is responsible for determining, according to a predefined policy, which task can execute at what time. These components use unbounded dynamic data-structures to store the necessary elements for their operation. These data-structures allow elements to be easily moved between them. Verifying a task scheduler requires designing an analysis capable of accurately representing these data-structures and their contents.

The PhD thesis introduces a new relational abstract domain capable of reasoning about symbolic sequences. This domain expresses constraints on the contents of these sequences, such as their lengths, extreme values, and sorted characteristics. This domain is combined with an abstraction of sequences, which enhances the expressiveness of the analysis. It is now capable of proving the partial functional correctness of complex algorithms, such as sorting algorithms on lists or binary trees, as well as list libraries drawn from real applications.

This analysis is applied to an instance of the FreeRTOS task scheduler.

Advanced Memory and Shape Analyses

Participants: Hugo Illous, Matthieu Lemerre, Olivier Nicole, Xavier Rival.

Manual memory management, as done in C programs, is often considered a requirement for performance critical code. However, the downside of manual memory management is that designing and implementing data-structures require reasoning about complex custom memory invariants. Any mistake may lead to severe issues, including safety problems (memory errors) or security vulnerabilities (leaving the software open to attacks). Due to the difficulty to reason over manually designed data-structures and due to their very wide diversity, it does not seem possible for a unique memory abstract domain to cope with them all. Therefore, we addressed in 23 the design of several memory abstractions, which are respectively based on a form refinement types and on separation logic. Both help verify properties of C programs manipulating data structures in memory with minimal guidance from the user. The former is more targetted at lower level code whereas the latter more describes structural invariants in a tighter maner. Both were implemented as Frama-C plugins.

8.3 Security Properties

Automatic Detection of Vulnerable Variables for CTL Properties of Programs

Participants: Naïm Moussaoui Remil, Caterina Urban, Antoine Miné.

In the paper 21, we present our tool FuncTion-V for the automatic identification of the minimal sets of program variables that an attacker can control to ensure an undesirable program property. FuncTion-V supports program properties expressed in Computation Tree Logic (CTL), and builds upon an abstract interpretation-based static analysis for CTL properties that we extend with an abstraction refinement process. We showcase our tool on benchmarks collected from the literature and SV-COMP 2023.

Intertwining Symbolic Execution and Abstract Interpretation for the Analysis of Security Properties

Participant: Ignacio Tiraboschi, Tamara Rezk, Xavier Rival.

As part of the SPAI Inria Project Lab, we have designed novel techniques to reason about security properties. Tamara Rezk and Xavier Rival co-supervised the PhD thesis of Ignacio Tiraboschi, who defended in 2024.

Ignacio Tiraboschi's PhD thesis 26 focuses on the application of static analysis for the automatic verification or refutation of information flow properties. More specifically, this work focuses on two information flow properties: noninterference, and weak explicit secrecy. The thesis is split in two parts that share a common thread: we propose several combinations of abstract interpretation and symbolic execution. In the first part of the thesis we explore a symbolically driven static analysis that communicates with a dependences analysis for the verification of Noninterference. Our contribution is a reduced product domain between a symbolic domain and a dependences domain for the sound analysis of Noninterference in a simple imperative language. The second part consists on exploring the concept of a symbolic taint-tracker. By assuming the existence of a sound-but-imprecise taint-tracker, our contribution is the development of a partially-complete tainting analysis for Python through symbolic execution, that refines the sound taint-tracker output.

8.4 Quantitative Properties

 

Quantitative Input Usage Static Analysis

Participants: Denis Mazzucato, Marco Campion, Caterina Urban.

Programming errors in software applications may produce plausible yet erroneous results, without providing a clear indication of failure. This happens, for instance, when certain inputs have a disproportionate impact on the program result. To address this issue, in the paper 18, we propose a novel quantitative static analysis for determining the impact of inputs on the program computations, parametrized in the definition of impact. This static analysis employs an underlying abstract backward analyzer and computes a sound over-approximation of the impact of program inputs, providing valuable insights into how the analyzed program handles them. We implement a proof-of-concept static analyzer to demonstrate potential applications.

Quantitative Static Timing Analysis

Participants: Denis Mazzucato, Marco Campion, Caterina Urban.

Programming errors in software applications can often be difficult to detect, as they may appear without clear indications of failure. One such example is when certain input variables have an unexpected impact on the program's behavior. As an indicator of the program's runtime behavior, this work studies the impact of input variables on the number of loop iterations in a program. Such information is valuable for debugging, optimizing performance, and analyzing security vulnerabilities, such as in side-channel attacks where execution times can be exploited. In the paper 19, we address this issue by proposing a sound static analysis based on abstract interpretation to quantify the impact of each input variable on the global number of iterations. Our approach combines a dependency analysis with a global loop bound analysis to derive an over-approximation of the impact quantity. We demonstrate our prototype tool in the S2N-Bignum library for cryptographic systems to certify the absence of timing side-channels.

Static Analysis by Abstract Interpretation of Quantitative Program Properties

Participant: Denis Mazzucato.

Denis Mazzucato's PhD thesis 25 develops efficient, mathematically sound methods to enhance software reliability through abstract interpretation. It introduces a quantitative framework for measuring the influence of input variables on program behavior, offering flexibility with customizable impact measures and ensuring sound results as over- or under-approximations. The framework addresses both extensional properties (input-output behavior) and intensional properties (computational details like loop iterations). It has been implemented in three tools: IMPATTO (general software reliability), LIBRA (neural network fairness), and TIMESEC (side-channel vulnerability detection). Extensive experimental evaluations, including bias detection in neural networks and vulnerability analysis in cryptographic libraries, validate the tools' effectiveness. This work advances the understanding of input data usage in software, providing both theoretical insights and practical tools to improve system reliability and security.

8.5 Hyperproperties

Monotonicity and the Precision of Program Analysis

Participants: Marco Campion, Mila Dalla Preda, Roberto Giacobazzi, Caterina Urban.

It is widely known that the precision of a program analyzer is closely related to intensional program properties, namely, properties concerning how the program is written. Less is known about a possible relation between what the program extensionally computes, namely, its input-output relation, and the precision of a program analyzer. In our paper 11, 4, we explore this potential connection in an effort to isolate program fragments that can be precisely analyzed by abstract interpretation, namely, programs for which there exists a complete abstract interpretation. In the field of static inference of numeric invariants, this happens for programs, or parts of programs, that manifest a monotone (either non-decreasing or non-increasing) behavior. In the paper, we first formalize the notion of program monotonicity with respect to a given input and a set of numerical variables of interest. A sound proof system is then introduced with judgments specifying whether a program is monotone relatively to a set of variables and a set of inputs. The interest in monotonicity is justified because we prove that the family of monotone programs admits a complete abstract interpretation over a specific class of non-trivial numerical abstractions and inputs. This class includes all non-relational abstract domains that refine interval analysis (i.e., at least as precise as the intervals abstraction) and that satisfy a topological convexity hypothesis.

8.6 Static Analysis of Probabilistic Programming Languages and Optimization Algorithms

Optimisation of inference engines based on stochastic variational inference

Participants: Hyougjin Im, Wonyeol Lee, Sangho Lim, Xavier Rival, Hongseok Yang.

In the past years, we have studied correctness properties for inference engines used in probabilistic programming languages. We studied properties that are required to ensure that inference will return non-biased estimates of posterior probabilistic distributions. As a continuation of this study, we initiated the formalisation of several components of Pyro, a well-known probabilistic programming language based on Python. This formalisation effort includes both the control structures and the data-structures used in inference, which led us to identify some possible sources for inefficiency in inference, and to propose an optimisation for these issues.

8.7 Data Science and Machine Learning

An Abstract Interpretation-Based Data Leakage Static Analysis

Participants: Filip Drobnjaković, Pavle Subotić, Caterina Urban.

Data leakage is a well-known problem in machine learning. Data leakage occurs when information from outside the training dataset is used to create a model. This phenomenon renders a model excessively optimistic or even useless in the real world since the model tends to leverage greatly on the unfairly acquired information. To date, detection of data leakages occurs post-mortem using run-time methods. However, due to the insidious nature of data leakage, it may not be apparent to a data scientist that a data leakage has occurred in the first place. For this reason, it is advantageous to detect data leakages as early as possible in the development life cycle. In 17, we propose a novel static analysis to detect several instances of data leakages during development time. We define our analysis using the framework of abstract interpretation: we define a concrete semantics that is sound and complete, from which we derive a sound and computable abstract semantics. We implement our static analysis inside the open-source NBLyzer static analysis framework and demonstrate its utility by evaluating its performance and precision on over 2000 Kaggle competition notebooks.

Towards a High Level Linter for Data Science

Participants: Greta Dolcetti, Agostino Cortesi, Caterina Urban, Enea Zaffanella.

Due to its interdisciplinary nature, the development of data science code is subject to a wide range of potential mistakes that can easily compromise the final results. Several tools have been proposed that can help the data scientist in identifying the most common, low level programming issues. We discuss the steps needed to implement a tool that is rather meant to focus on higher level errors that are specific of the data science pipeline. To this end, in the paper 16, we propose a static analysis assigning ad hoc abstract datatypes to the program variables, which are then checked for consistency when calling functions defined in data science libraries. By adopting a descriptive (rather than prescriptive) abstract type system, we obtain a linter tool reporting data science related code smells. While being still work in progress, the current prototype is able to identify and report the code smells contained in several examples of questionable data science code.

Verification of Geometric Robustness of Neural Networks via Piecewise Linear Approximation and Lipschitz Optimisation

Participants: Ben Batten, Yang Zheng, Alessandro De Palma, Panagiotis Kouvaros, Alessio Lomuscio.

In the paper 12, we address the problem of verifying neural networks against geometric transformations of the input image, including rotation, scaling, shearing, and translation. The proposed method computes provably sound piecewise linear constraints for the pixel values by using sampling and linear approximations in combination with branch-and-bound Lipschitz optimisation. The method obtains provably tighter over-approximations of the perturbation region than the present state-of-the-art. We report results from experiments on a comprehensive set of verification benchmarks on MNIST and CIFAR10. We show that our proposed implementation resolves up to 32% more verification cases than present approaches.

Expressive Losses for Verified Robustness via Convex Combinations

Participants: Alessandro De Palma, Rudy Bunel, Krishnamurthy Dvijotham, M Pawan Kumar, Robert Stanforth, Alessio Lomuscio.

In order to train networks for verified adversarial robustness, it is common to over-approximate the worst-case loss over perturbation regions, resulting in networks that attain verifiability at the expense of standard performance. As shown in recent work, better trade-offs between accuracy and robustness can be obtained by carefully coupling adversarial training with over-approximations. In the paper 15, we hypothesize that the expressivity of a loss function, which we formalize as the ability to span a range of trade-offs between lower and upper bounds to the worst-case loss through a single parameter (the over-approximation coefficient), is key to attaining state-of-the-art performance. To support our hypothesis, we show that trivial expressive losses, obtained via convex combinations between adversarial attacks and IBP bounds, yield state-of-the-art results across a variety of settings in spite of their conceptual simplicity. We provide a detailed analysis of the relationship between the over-approximation coefficient and performance profiles across different expressive losses, showing that, while expressivity is essential, better approximations of the worst-case loss are not necessarily linked to superior robustness-accuracy trade-offs.

Abstract Interpretation-Based Feature Importance for SVMs

Participants: Abhinandan Pal, Francesco Ranzato, Caterina Urban, Marco Zanella.

In 22, we propose a symbolic representation for support vector machines (SVMs) by means of abstract interpretation, a well-known and successful technique for designing and implementing static program analyses. We leverage this abstraction in two ways: (1) to enhance the interpretability of SVMs by deriving a novel feature importance measure, called abstract feature importance (AFI), that does not depend in any way on a given dataset of the accuracy of the SVM and is very fast to compute, and (2) for verifying stability, notably individual fairness, of SVMs and producing concrete counterexamples when the verification fails. We implemented our approach and we empirically demonstrated its effectiveness on SVMs based on linear and nonlinear (polynomial and radial basis function) kernels. Our experimental results show that, independently of the accuracy of the SVM, our AFI measure correlates much more strongly with the stability of the SVM to feature perturbations than feature importance measures widely available in machine learning software such as permutation feature importance. It thus gives better insight into the trustworthiness of SVMs.

 

8.8 Distributed Algorithms

Know Your Audience: Communication Model and Computability in Anonymous Networks

Participants: Bernadette Charron-Bost, Patrick Lambein-Monette.

In distributed computing, questions of computability are exquisitely sensitive to minute details of the model assumptions, and there is no universally agreed upon model of network computing. In the paper 14 which has been accepted to PODC 2024, we study which functions are computable by deterministic and anonymous agents in either static or dynamic networks. We consider various communication assumptions common in the literature, and in each case we strive to characterize the set of computable functions, organizing existing results as well as offering new ones, alongside new proofs which bring new understanding of this computability landscape.

8.9 Application to Computational Systems Biology

A Kappa model for hepatic stellate cells activation by TGFB1

Participants: Matthieu Bougéon, Pierre Boutillier, Jérôme Feret, Octave Hazard, Nathalie Théret.

In this 10, we model as a realistic case study, a population of hepatic stellate cells under the effect of the TGFB1 protein. In this case study, the components will be occurrences of hepatic stellate cells in different states, and occurrences of the protein TGFB1. The protein TGFB1 induces different behaviors of hepatic stellate cells thereby contributing either to tissue repair or to fibrosis. Better understanding the overall behavior of the mechanisms that are involved in these processes is a key issue to identify markers and therapeutic targets likely to promote the resolution of fibrosis at the expense of its progression.

9 Partnerships and cooperations

Participants: Bernadette Charron-Bost, Jérôme Feret, Hugo Paquet, Xavier Rival, Caterina Urban.

9.1 International initiatives

9.1.1 Inria associate team not involved in an IIL or an international program

AISAPPL
  • Title:
    Abstract Interpretation-based Static Analysis for Probabilistic Programming Languages
  • Duration:
    2023 ->
  • Coordinator:
    Hongseok Yang (hongseok00@gmail.com)
  • Partners:
    • Korea Advanced Institute of Science and Technology Daejeon (Corée du Sud)
  • Inria contact:
    Xavier Rival
  • Summary:

    Probabilistic programming languages describe computations over probability distributions and are increasingly used in various modeling applications as well as machine learning applications. However their complex semantics makes correctness of programs difficult to guarantee for developers, and their computation complexity remains high. To address these issues, we propose to develop techniques based on abstract interpretation static analysis, so as to guarantee in a static manner correctness properties and to optimise probabilistic inference

    In 2024, the AISAPPL was strongly involved in the organisation of the KAIST-INRIA workshop.

9.2 International research visitors

9.2.1 Visits to international teams

Research stays abroad
Jerome Feret
  • Visited institution:
    Harvard Medical School
  • Country:
    USA
  • Dates:
    from 22/10/2024 to 31/10/2024
  • Context of the visit:
    collaboration with Walter Fontana on Kappa
  • Mobility program/type of mobility:
    research stay
Hugo Paquet
  • Visited institution:
    Korean Advanced Institute of Science and Technology (KAIST)
  • Country:
    South Korea
  • Dates:
    from 25/11/2024 to 5/12/2024
  • Context of the visit:
    Inria–KAIST workshop (26/11/2024), and collaboration with Hongseok Yang and his research group as part of the AISAPPL INRIA Associate Team.
  • Mobility program/type of mobility:
    research stay
Xavier Rival
  • Visited institution:
    National Institute for Informatics (NII)
  • Country:
    Japan
  • Dates:
    from 06/03/2024 to 15/03/2024
  • Context of the visit:
    Scientific collaboration with Shin-ya Katsumata.
  • Mobility program/type of mobility:
    research stay.
Xavier Rival
  • Visited institution:
    Korean Advanced Institute of Science and Technology (KAIST)
  • Country:
    South Korea
  • Dates:
    from 25/11/2024 to 11/12/2024
  • Context of the visit:
    Inria–KAIST workshop (26/11/2024), and collaboration with Hongseok Yang and his research group as part of the AISAPPL INRIA Associate Team.
  • Mobility program/type of mobility:
    research stay
Xavier Rival
  • Visited institution:
    Seoul National University (SNU)
  • Country:
    South Korea
  • Dates:
    from 16/11/2024 to 24/11/2024
  • Context of the visit:
    Scientific collaboration with Kwangkeun Yi.
  • Mobility program/type of mobility:
    research stay.

9.3 National initiatives

9.3.1 ANR VeriAMOS

  • Title: Verification of Abstract Machines for Operating Systems
  • Type: ANR générique 2018
  • Defi: Société de l'information et de la communication
  • Instrument: ANR grant
  • Duration: January 2019 - July 2024
  • Coordinator: INRIA Paris (France)
  • Others partners: LIP6 (France), IRISA (France), UGA (France)
  • Inria contact: Xavier Rival
  • Abstract: Operating System (OS) programming is notoriously difficult and error prone. Moreover, OS bugs can have a serious impact on the functioning of computer systems. Yet, the verification of OSes is still mostly an open problem, and has only been done using user-assisted approaches that require a huge amount of human intervention. The VeriAMOS proposal relies on a novel approach to automatically and fully verifying OS services, that combines Domain Specific Languages (DSLs) and automatic static analysis. In this approach, DSLs provide language abstraction and let users express complex policies in high-level simple code. This code is later compiled into low level C code, to be executed on an abstract machine. Last, the automatic static analysis verifies structural and robustness properties on the abstract machine and generated code. We will apply this approach to the automatic, full verification of input/output schedulers for modern supports like SSDs.

9.3.2 ANR EMASS

  • Title: Analyse Mémoire Efficace de Logiciel Système
  • Type: ANR appel 2022
  • Defi: CE39 - Sécurité globale, résilience et gestion de crise, cybersécurité
  • Instrument: ANR grant
  • Duration: 2023 - 2027
  • Coordinator: CEA Saclay
  • Others partners: INRIA (France), Thalés (France)
  • Inria contact: Xavier Rival
  • Abstract: The goal of this project is to develop and integrate static analysis techniques that target memory properties for low level code (such as operating system code), in order both to establish safety and security properties. As part of this project, antique is carrying out research on the analysis of programs using complex data-structures.

9.3.3 ANR ForML

  • Title: Formally Certified Reasoning in Machine Learning
  • Type: ANR appel 2023
  • Defi: CE25 - Software sciences and engineering - Multi-purpose communication networks, high-performance infrastructures
  • Instrument: ANR grant
  • Duration: 2023 - 2027
  • Coordinator: Université Toulouse 3 - Paul Sabatier
  • Others partners: Inria (France), Institut National Polytechnique Toulouse (France), Sorbonne Université (France)
  • Inria contact: Caterina Urban
  • Abstract: The ongoing advances in machine learning (ML) foretell an ever-increasing range of practical uses of ML models. However, in domains deemed high-risk at the EU level, but also in safety-critical domains, the deployment of complex ML models should be underpinned by reasoning tools that are rigorous and efficient, and which are thus capable of identifying possible limitations of such ML models. Concrete examples include whether the ML model is adequately robust, whether it does not exhibit bias, but also whether its actions can be explained so as to be understood by a human decision maker or automatically validated. The ForML project proposes to make fundamental inroads in advancing the state of the art in rigorous approaches for reasoning about ML models. The ForML project proposes to exploit well-known hallmarks from software analysis, including abstract interpretation and counterexample-guided abstraction refinement, to promote a new generation of tools for rigorous ML reasoning, in explainability, fairness and robustness, which are both automated and efficient. Furthermore, the ForML project will also pioneer the certification of such tools by exploiting proof assistants.

9.3.4 PEPR SecurEval

  • Title: SecurEval, Improving Digital Systems Security Evaluation
  • Type: PEPR
  • Defi: PEPR Cybersécurité
  • Instrument: PEPR
  • Duration: 2022 - 2028
  • Coordinator: CEA Saclay
  • partners: CNRS, INRIA, CEA, INP Grenoble, Supelec, UGA, Université Paris Saclay, Université Sorbonne nouvelle
  • Inria contact: Xavier Rival and Jérôme Feret
  • Abstract: This project targets methods to improve the security of software, using programming languages techniques (static analysis, testing, programming languages). It gathers a large number of academic partners (CNRS, INRIA, CEA, INP Grenoble, Supelec, UGA, Université Paris Saclay, Université Sorbonne nouvelle). As part of this project, antique is investigating static analysis techniques for the verification of safety and security proeprties.

9.3.5 PEPR SAIF

  • Title: PEPR SAIF
  • Type: PEPR
  • Defi: PEPR IA
  • Instrument: PEPR
  • Duration: 2022 - 2028
  • Coordinator: CEA Saclay
  • partners: INRIA Paris (project team antique), INRIA Saclay (project team TAU), and INRIA Rennes (project team SuMo), Université Paris-Saclay (Formal Methods Laboratory, LMF), École Polytechnique (Computer Science Laboratory, LIX), CEA-List (Software Safety &Security Lab, LSL), and Université de Bordeaux (Bordeaux Computer Science Laboratory)
  • Inria contact: Caterina Urban
  • Abstract: SAIF is a project led by Caterina Urban within the PEPR IA. The consortium includes INRIA Paris (project team antique), INRIA Saclay (project team TAU), and INRIA Rennes (project team SuMo), as well as Université Paris-Saclay (Formal Methods Laboratory, LMF), École Polytechnique (Computer Science Laboratory, LIX), CEA-List (Software Safety &Security Lab, LSL), and Université de Bordeaux (Bordeaux Computer Science Laboratory).

    The overall goal of SAIF is to use the vast knowledge accumulated over decades in formal methods to rethink them and address the novel safety concerns raised by machine learning-based systems.

10 Dissemination

Participants: Bernadette Charron-Bost, Jérôme Feret, Hugo Paquet, Xavier Rival, Caterina Urban.

10.1 Promoting scientific activities

10.1.1 Scientific events: organisation

General chair, scientific chair
  • Caterina Urban is general chair of the 20th Conference on Integrated Formal Methods (iFM 2025)
Member of the steering committee
  • Caterina Urban is a Member of the Steering Committee of Static Analysis Symposium (SAS).
  • Caterina Urban is a Member of the Steering Committee of State Of the Art in Program Analysis (SOAP).
  • Caterina Urban is a member of the Steering Committee of the series of Summer Schools on Foundations of Programming and Software Systems (FoPSS).
  • Caterina Urban is a member of the ETAPS Executive Board.
Member of the organizing committees
  • Jérôme Feret, Xavier Rival, and Caterina Urban were members of the organizing committee of the N40AI Workshop at POPL 2024.
  • Xavier Rival was a member of the organizing committee of the INRIA-KAIST Worshop (November 2024). In addition to the scientific and local organisation, he attended the workshop and chaired two sessions.
  • Caterina Urban is a member of the organizing committee of the Dagstuhl Seminar 25421 “Sound Static Program Analysis in Modern Software Engineering”.
  • Caterina Urban is the publicity chair of the Federated Logic Conference 2026 (FLoC 2026).

10.1.2 Scientific events: selection

Chair of conference program committees
  • Caterina Urban chaired the committee of the ETAPS Doctoral Dissertation Award 2024.
  • Caterina Urban is chairing the committee of the ETAPS Doctoral Dissertation Award 2025.
Member of the conference program committees
  • Bernadette Charron-Bost served a Member of the Program Committee of SAND 2024 (Symposium on Algorithmic Foundations of Dynamic Networks).
  • Bernadette Charron-Bost is serving as a Member of the Program Committee of SIROCCO 2025 (International Colloquium On Structural Information and Communications Complexity).
  • Jerome Feret served a Member of the Program Committee of CMSB 2024 (Computational Methods in Systems Biology).
  • Jerome Feret is serving as a Member of the Program Committee of PADS 2025 (Principles of Advanced Discrete Simulation). He is also organizing a special track on model reduction.
  • Hugo Paquet served a Member of the Program Committee of LAFI 2025 (Languages for Inference).
  • Xavier Rival served a Member of the Program Committee of PLDI 2024 (Symposium on Programming Languages Design and Implementation).
  • Xavier Rival served a Member of the Program Committee of SAS 2024 (Static Analysis Symposium).
  • Xavier Rival is serving as a Member of the Program Committee of POPL 2025 (Symposium on Principles Of Programming Languages).
  • Xavier Rival is serving as a Member of the Program Committee of VMCAI 2025 (Conference on Verification, Model Checking and Abstract Interpretation).
  • Xavier Rival is serving as a Member of the Program Committee of CSF 2025 (Conference on Security Foundations).
  • Xavier Rival is serving as a Member of the Program Committee of JFLA 2025 (Journées Françaises des Langages Applicatifs).
  • Caterina Urban is serving as a Member of the Program Committee of SAS 2025 (Static Analysis Symposium).
  • Caterina Urban is serving as a Member of the Program Committee of FOSSACS 2025 (Foundations of Software Science and Computation Structure).
  • Caterina Urban is serving as a Member of the Program Committee of POPL 2025 (Principles of Programming Languages).
  • Caterina Urban served a Member of the Program Committee of LPAR 2024 (Logic for Programming, Artificial Intelligence and Reasoning).
  • Caterina Urban served a Member of the Program Committee of CAV 2024 (Computer-Aided Verification).
  • Caterina Urban served a Member of the Program Committee of TACAS 2024 (Tools and Algorithms for the Construction and Analysis of Systems).
  • Hugo Paquet served a Member of the Program Committee of LAFI 2025 (Languages for Inference).

10.1.3 Journal

Member of the editorial boards
  • Jérôme Feret is serving as Associated Editor for TOMACS (Transactions on Modeling and Computer Simulation).
  • Caterina Urban is serving as Associated Editor for TOPLAS (Transactions on Programming Languages and Systems).
Reviewer - reviewing activities
  • Jérôme Feret served as a reviewer for IST (Information and Software Technology), PLOS ONE (Public Library Of Science ONE), TCS (Theoretical Computer Science).
  • Hugo Paquet served as a reviewer for MSCS (Mathematical Structures in Computer Science).
  • Hugo Paquet and Xavier Rival served as reviewers for TOPML (ACM Transactions on Probabilistic Machine Learning).

10.1.4 Invited talks

  • Xavier Rival was invited to the Shonan meeting 159 on Web Application Security and gave an invited talk.
  • Xavier Rival gave an invited talk at Seoul National University in November 2024.
  • Xavier Rival gave an invited talk at KAIST in November 2024.
  • Caterina Urban gave an invited talk at the 17th International Scientific Conference on Informatics (Informatics 2024).
  • Caterina Urban gave an invited talk at the 10th International Workshop on Numerical and Symbolic Abstract Domains (NSAD 2024)
  • Caterina Urban gave an invited tutorial at the 31st Static Analysis Symposium (SAS 2024)
  • Caterina Urban gave an invited talk at the 29th Journées Formalisation des Activités Concurrentes (FAC 2024).
  • Caterina Urban gave an invited talk at Quarkslab, Paris.

10.1.5 Leadership within the scientific community

  • Xavier Rival is a member of the IFIP Working Group 2.4 on Software Implementation Technologies.

10.1.6 Scientific expertise

  • Bernadette Charron-Bost is a member of the administration board ot the Laboratoire d’Excellence CIMI de l'Université de Toulouse.
  • Bernadette Charron-Bost is a member of the steering committee of the Blockchain X-CapGemini chair.
  • Jérôme Feret is a member of the Scientific and Pedagogical Advisory Board of the Interdisciplinary Center for Strategic Studies (CIENS) de l'École normale supérieure.
  • Caterina Urban is a member of the Scientific Advisory Board of the Laboratoire Méthodes Formelles (LMF) de l’Université Paris-Saclay.

10.1.7 Recruiting Juries

  • Bernadette Charron-Bost Membre du comité de recrutement pour le poste de MdC publié par l'ENS de Paris, pour la campagne 2024.
  • Jérôme Feret served in the “admissibility” jury for INRIA researcher positions (CRCN) for the center of “Paris-Saclay” in 2024.
  • Jérôme Feret is serving in the selection committee for an Associate Professor in Computer Science at Université de Marseille in 2025.
  • Caterina Urban served in the hiring committee for an Associate Professor in Computer Science at Université de la Réunion in 2024.
  • Caterina Urban served in the hiring committee for an Assistant Professor in Computer Science at École Polytechnique in 2024.
  • Caterina Urban is serving in the selection committee for an Associate Professor in Computer Science at Université de Lille in 2025.
  • Caterina Urban is serving in the "admissibility" jury for INRIA researcher positions (ISFP/CRCN) for the center "de l'Université de Lorraine" in 2025.

10.1.8 Research administration and other collective responsibilities

  • Bernadette Charron-Bost is the gender-equality referent of the DIENS for the CNRS (COREGAL network).
  • Jérôme Feret is a Member of the PhD Review Committee (CSD) of Inria Paris.
  • Jérôme Feret is head of study of the department of computer science of École normale supérieure.
  • Jérôme Feret is member of the laboratory board of the department of computer sciences of École normale supérieure.
  • Xavier Rival is the head of the department of computer sciences of École normale supérieure and of the UMR (Unité Mixte de Recherche) 8548 (DIENS) since June 2024.
  • Xavier Rival is a member of the laboratory board of the department of computer sciences of École normale supérieure.
  • Xavier Rival is a member of the Bureau du Comité des Projets of the INRIA Paris Research Center.

10.2 Teaching - Supervision - Juries

10.2.1 Teaching

  • Licence:
    • Jérôme Feret and Xavier Rival (lectures), and Charles de Haro (tutorials), “Semantics and Application to Verification”, 36h, L3, at École Normale Supérieure, France.
  • Master:
    • Bernadette Charron-Bost, ”Fundamentals in distributed computing”, 60h, M1 Ecole Polytechnique Master.
    • Bernadette Charron-Bost, ”Consensus problems”, 30h, M2 Ecole Polytechnique Master.
    • Jérôme Feret, Antoine Miné, Xavier Rival, and Caterina Urban, “Abstract Interpretation: application to verification and static analysis”, 72h, M2. Parisian Master of Research in Computer Science (MPRI), France.
    • Jérôme Feret and François Fages, “Biochemical Programming”, 24h, M2. Parisian Master of Research in Computer Science (MPRI), France.
    • Jérôme Feret, Jean Krivine, Sébastien Légaré, and Matthieu Bouguéon. "Rule-based Modelling", 24h, M1. Interdisciplinary Approaches to Life Science (AIV), Master Program, Université Paris-Descartes, France.
    • Xavier Rival gave a lecture on Formal Methods for Systems Security at the EXED.
  • Summer Schools:
    • Caterina Urban gave a lecture on “Formal Methods for Machine Learning Pipelines” at the École Jeunes Chercheuses et Jeunes Chercheurs en Programmation 2024 (EJCP 2024)
    • Caterina Urban gave a lecture on “Formal Methods for Machine Learning Pipelines” at the 16th Summer School on Verification Technology, Systems & Applications (VTSA 2024)
    • Caterina Urban gave a lecture on “Formal Methods for Machine Learning Pipelines” at the Summer School on Role and effects of ARTificial Intelligence in Secure ApplicatioNs 2024 (ARTISAN 2024)
    • Caterina Urban gave a lecture on “Formal Methods for Machine Learning Pipelines” at the Lipari Summer School on Abstract Interpretation 2024

10.2.2 Entrance competition juries

  • Bernadette Charron-Bost is the co-head of the university track of the École normale supérieure entrance competition for the Computer Science Department.

10.2.3 Supervision

  • Internship: Bernadette Charron-Bost and Jérôme Feret surpervised the research project of Sylvain Gay (4rd year student at ENS) and Vincent Peth (2nd year student at ENS). Fibration in graphs and application to modular proofs of distributed algorithms.
  • PhD in progress: Valentin Barbazo, , started in 2023 and supervised by Xavier Rival.
  • PhD in progress: Jérôme Boillot, Static Analysis of the setting of expanded memory in a dedicated operating system, started in 2022 and supervised by Jérôme Feret.
  • PhD in progress: Serge Durand, Formal Specification of Machine Learning Algorithms, started in 2021 and supervised by Zakaria Chihani (CEA/List) and Caterina Urban.
  • PhD in progress: Charles De Haro, , started in 2024 and supervised by Marc Pouzet (INRIA Paris - Project team Parkas) and Xavier Rival.
  • PhD in progress: Aurélie Kong Win Chang, Abstractions for causal analysis and explanations in concurrent programs, started in 2021 and supervised by Gregor Gössler (INRIA Grenoble - Rhône Alpes, Project team Spades) and Jérôme Feret.
  • PhD in progress: Naïm Moussaoui-Remil, Static Analyses for Robust (Un)reachability, started in 2023 and supervised by Caterina Urban.
  • PhD in progress: Patricia Roxo, Impact of qualitative variations on the dynamics of Boolean networks, started in 2024 and supervised by Claudine Chaouyia (I2M - Marseille) and Jérôme Feret.
  • PhD defended : Josselin Giet, Automatic verification of tasks schedulers, started in 2020 and supervised by Xavier Rival (defended the 26th September 2024).
  • PhD defended : Denis Mazzucato, Static Analysis by Abstract Interpretation of Quantitative Program Properties, started in 2020 and supervised by Caterina Urban (defended the 10th December 2024).
  • PhD defended : Ignacio Tiraboschi, Intertwining Symbolic Execution and Abstract Interpretation for the Analysis of Security Properties, started in 2020 and supervised by Xavier Rival (defended the 28th October 2024).

10.2.4 PhD Juries

  • Bernadette Charron-Bost served as a jury member of the defense of the PhD of Denis Mazzucato at École normale supérieure of Paris, (December 2024).
  • Jérôme Feret served as an examiner and as a jury member of the defense of the PhD of Fabricio Cravo at École normale supérieure of Paris-Saclay (December 2024).
  • Xavier Rival served as an examiner and as a jury member of the defense of the PhD of Son Ho at PSL University (December 2024).
  • Xavier Rival served as a president and as a jury member of the defense of the PhD of Paul Jeanmaire at ENS / PSL University (December 2024).
  • Caterina Urban served as examiner and as a jury member of the defense of the PhD of Olivier Martinot at Université Paris Cité (December 2024).
  • Caterina Urban is serving as reviewer of the PhD manuscript of Pankaj Kumar Kalita at the Indian Institute of Technology Kanpur, India (2025).
  • Caterina Urban is serving as examiner and as a jury member of the defense of the PhD of Linpeng Zhang at University College London, UK (2025).

10.3 Popularization

  • Jerome Feret hosted a group of eight high school students for three hours. These students has been invited by Inria to visit few research teams in the context of their observation internships.
  • Jerome Feret hosted a group of sixteen high school students for three hours. These students has been invited by Department of Mathematics of École normale supérieure, to visit few research teams in the context of their observation internships.

10.3.1 Participation in Live events

  • Caterina Urban participated in the Career Panel at the Programming Language Mentoring Workshop (PLMW) of SPLASH 2024

11 Scientific production

11.1 Major publications

  • 1 inproceedingsJ.Julien Bertrane, P.Patrick Cousot, R.Radhia Cousot, J.Jérôme Feret, L.Laurent Mauborgne, A.Antoine Miné and X.Xavier Rival. Static Analysis and Verification of Aerospace Software by Abstract Interpretation.Proceedings of the American Institute of Aeronautics and Astronautics (AIAA Infotech@Aerospace 2010)Atlanta, Georgia, USAAmerican Institute of Aeronautics and Astronautics2010
  • 2 inproceedingsB.Bruno Blanchet, P.Patrick Cousot, R.Radhia Cousot, J.Jérôme Feret, L.Laurent Mauborgne, A.Antoine Miné, D.David Monniaux and X.Xavier Rival. A Static Analyzer for Large Safety-Critical Software.Proceedings of the ACM SIGPLAN 2003 Conference on Programming Language Design and Implementation (PLDI'03)ACM PressJune 7--14 2003, 196--207HAL
  • 3 proceedingsElement-free probability distributions and random partitions.LICS '24: 39th Annual ACM/IEEE Symposium on Logic in Computer ScienceACMJuly 2024, 1-14HALDOI
  • 4 articleM.Marco Campion, M.Mila Dalla Preda, R.Roberto Giacobazzi and C.Caterina Urban. Monotonicity and the Precision of Program Analysis.Proceedings of the ACM on Programming Languages8POPLJanuary 2024, 1629-1662HALDOIback to text
  • 5 articleB.Bernadette Charron-Bost and A.André Schiper. The Heard-Of model: computing in distributed systems with benign faults.Distributed Computing221July 2009, 49-71HALDOIback to text
  • 6 articleJ.Jérôme Feret, V.Vincent Danos, J.Jean Krivine, R.Russ Harmer and W.Walter Fontana. Internal coarse-graining of molecular systems.Proceeding of the national academy of sciences10616Apr 2009
  • 7 inproceedingsL.Laurent Mauborgne and X.Xavier Rival. Trace Partitioning in Abstract Interpretation Based Static Analyzers.Proceedings of the 14th European Symposium on Programming (ESOP'05)3444Lecture Notes in Computer ScienceSpringer-Verlag2005, 5--20
  • 8 inproceedingsX.Xavier Rival. Symbolic Transfer Functions-based Approaches to Certified Compilation.Conference Record of the 31st Annual ACM SIGPLAN~-- SIGACT Symposium on Principles of Programming LanguagesACM Press, New York, United States2004, 1--13
  • 9 articleC.Caterina Urban, M.Maria Christakis, V.Valentin Wüstholz and F.Fuyuan Zhang. Perfectly Parallel Fairness Certification of Neural Networks.Proceedings of the ACM on Programming Languages4OOPSLANovember 2020, 1-30HALDOI

11.2 Publications of the year

International journals

International peer-reviewed conferences

  • 12 inproceedingsB.Ben Batten, Y.Yang Zheng, A.Alessandro De Palma, P.Panagiotis Kouvaros and A.Alessio Lomuscio. Verification of Geometric Robustness of Neural Networks via Piecewise Linear Approximation and Lipschitz Optimisation.ECAI 2024 - European Conference on Artificial IntelligenceSantiago de Compostela, SpainOctober 2024HALback to text
  • 13 inproceedingsJ.Jérôme Boillot and J.Jérôme Feret. Abstraction of memory block manipulations by symbolic loop folding.European Symposium on Programming 2025ESOP 2025 - 34th European Symposium on ProgrammingHamilton, CanadaSpringer2025HALback to text
  • 14 inproceedingsB.Bernadette Charron-Bost and P.Patrick Lambein-Monette. Brief Announcement: Know Your Audience.Proceedings of the 43rd {ACM} Symposium on Principles of Distributed ComputingPODC '24 - 43rd ACM Symposium on Principles of Distributed ComputingNantes, FranceACMJune 2024, 243-246HALDOIback to text
  • 15 inproceedingsA.Alessandro De Palma, R.Rudy Bunel, K.Krishnamurthy Dvijotham, M. P.M Pawan Kumar, R.Robert Stanforth and A.Alessio Lomuscio. Expressive Losses for Verified Robustness via Convex Combinations.ICLR 2024 - International Conference on Learning RepresentationsProceedings of the Twelfth International Conference on Learning Representations (ICLR 2024)Vienna, AustriaMay 2024HALback to text
  • 16 inproceedingsG.Greta Dolcetti, A.Agostino Cortesi, C.Caterina Urban and E.Enea Zaffanella. Towards a High Level Linter for Data Science.NSAD 2024 - 10th International Workshop on Numerical and Symbolic Abstract DomainsPasadena, United StatesOctober 2024HALDOIback to text
  • 17 inproceedingsF.Filip Drobnjaković, P.Pavle Subotic and C.Caterina Urban. An Abstract Interpretation-Based Data Leakage Static Analysis.18th International Symposium on Theoretical Aspects of Software EngineeringGuiyang, ChinaJuly 2024HALback to text
  • 18 inproceedingsD.Denis Mazzucato, M.Marco Campion and C.Caterina Urban. Quantitative Input Usage Static Analysis.Lecture Notes in Computer ScienceNASA Formal Methods 202414627Lecture Notes in Computer ScienceMoffett Field (CA), United StatesSpringer Nature SwitzerlandMay 2024, 79-98HALDOIback to text
  • 19 inproceedingsD.Denis Mazzucato, M.Marco Campion and C.Caterina Urban. Quantitative Static Timing Analysis.31st Static Analysis Symposium (SAS 2024)Pasadena, CA, United StatesOctober 2024HALback to text
  • 20 inproceedingsR.Raphaël Monat, M.Marco Milanese, F.Francesco Parolini, J.Jérôme Boillot, A.Abdelraouf Ouadjaout and A.Antoine Miné. Mopsa-C: Improved Verification for C Programs, Simple Validation of Correctness Witnesses (Competition Contribution).Tools and Algorithms for the Construction and Analysis of Systems. TACAS 202414572Lecture Notes in Computer ScienceLuxembourg City, LuxembourgSpringer Nature Switzerland2024, 387 - 392HALDOIback to text
  • 21 inproceedingsN.Naïm Moussaoui Remil, C.Caterina Urban and A.Antoine Miné. Automatic Detection of Vulnerable Variables for CTL Properties of Programs.25th Conference on Logic for Programming, Artificial Intelligence and Reasoning100EPiC Series in ComputingPort Louis, MauritiusEasyChairMay 2024, 116-126HALDOIback to text
  • 22 inproceedingsA.Abhinandan Pal, F.Francesco Ranzato, C.Caterina Urban and M.Marco Zanella. Abstract Interpretation-Based Feature Importance for Support Vector Machines.25th International Conference on Verification, Model Checking, and Abstract Interpretation (VMCAI 2024)14499Lecture Notes in Computer ScienceLondon, United KingdomSpringer Nature SwitzerlandDecember 2024, 27-49HALDOIback to text

Scientific book chapters

  • 23 inbookM.Matthieu Lemerre, X.Xavier Rival, O.Olivier Nicole and H.Hugo Illous. Advanced Memory and Shape Analyses.Guide to Software Verification with Frama-CComputer Science Foundations and Applied LogicSpringer International PublishingJuly 2024, 487-520HALDOIback to text

Doctoral dissertations and habilitation theses

  • 24 thesisJ.Josselin Giet. Automatic verification of tasks schedulers.École normale supérieure - PSLSeptember 2024HALback to text
  • 25 thesisD.Denis Mazzucato. Static Analysis by Abstract Interpretation of Quantitative Program Properties.École Normale SupérieureDecember 2024HALback to text
  • 26 thesisI.Ignacio Tiraboschi. Intertwining Symbolic Execution and Abstract Interpretation for the Analysis of Security Properties.ENS Paris - Ecole Normale Supérieure de ParisOctober 2024HALback to text

11.3 Cited publications

  • 27 inproceedingsJ.Jérôme Boillot and J.Jérôme Feret. Symbolic transformation of expressions in modular arithmetic.Static Analysis: 30th International Symposium, SAS 2023Static Analysis: 30th International Symposium, SAS 2023Static Analysis: 30th International Symposium, SAS 2023Cascais, PortugalOctober 2023HALback to text
  • 28 articleP.Patrick Cousot. Constructive design of a hierarchy of semantics of a transition system by abstract interpretation.Electr. Notes Theor. Comput. Sci.61997, 77--102URL: http://dx.doi.org/10.1016/S1571-0661(05)80168-9DOIback to text
  • 29 inproceedingsP.Patrick Cousot and R.Radhia Cousot. Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints.Conference Record of the Fourth Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming LanguagesACM Press, New York, United States1977, 238--252back to textback to text
  • 30 inproceedingsA.Aurélie Kong Win Chang, J.Jerome Feret and G.Gregor Gössler. A Semantics of Core Erlang with Handling of Signals.ACM Digital LibrarySeattle WA, United StatesACMSeptember 2023, 31-38HALDOIback to text
  • 31 inproceedingsC.Caterina Urban. Static Analysis of Data Science Software.SAS 2019 - 26th Static Analysis SymposiumPorto, PortugalSpringer10 2019, 17-23HALDOIback to text