Efficient model checking algorithms

As in many applications of formal methods, formal verification suffers from state-space explosion, which limits the scalability of algorithms unless proper state-space reduction techniques are applied. In timed automata, state-space explosion can be caused by two factors: 1) a large discrete state space, e.g. if the system is composed of many subsystems, or contains several discrete variables; 2) a large number of clocks or complex timing constraints. While the first factor already appears in finite-state model checking, in timed automata, the state space can grow exponentially in the number of clocks requiring a particular care. State-of-the-art algorithms can efficiently deal with complex time constraints 47, 55, 58 but fail at analyzing models with both large discrete state spaces (for instance real-time distributed systems) and real-time constraints. This is however crucial to demonstrate the benefits of formal methods for real-time systems on realistic applications.

We will build novel tools based on compositional reasoning and predicate abstraction to achieve formal verification performance comparable with that of finite-state systems without explicit time constraints. In fact, although clock constraints do cause state-space explosion, they are often not the only source of complexity; so smart ways of handling them must be developed to handle large models. Ideally, one should be able to handle clock variables like any other variable in a program under verification. In this context, predicate abstraction 46, 62 is a promising direction since when used properly, clock variables can be treated as any other system variable; so several techniques from software model checking or finite-state automata can be applied. Compositionality is a well-known approach to handle larger models 35; we will develop techniques to specifically handle the timing aspects in such approaches, and target the development of both fully automatized and interactive compositional model checkers. Last, some performance achievements might appear by targeting specific applications and developing tailored algorithms, rather than relying on one generic algorithm. Our collaborations with industrial partners will guide us in this direction since these are opportunities to consider specific practical problems. In all these works, we will use and contribute to the open-source timed automata model checker TChecker 51.

Testing and runtime verification

To extend the applicability of models like timed automata to verify industrial-size real-time systems, one can relax the exhaustiveness guarantee provided by model checking. Model-based test synthesis is one such technique (see, e.g. 66): it consists in synthesizing, from a system model, sequences of actions to be performed on the implementation, in order to check that it behaves as specified. We will generate such test cases from real-time requirements, leveraging techniques recently developed by team members based on both test synthesis from game theory 50 and consistency checking 54; this will complement the tool suite we developed in our collaboration with MERCE for checking consistency of real-time requirements, to obtain test cases for checking those requirements on real implementations.

Runtime monitoring 24 is another verification technique for assessing the validity of properties at runtime: it consists in observing the system as it executes and deciding as soon as possible whether the properties are satisfied or violated. In many contexts, the system is only partially observable, i.e. some internal actions are hidden to the monitor. Runtime monitoring is however limited to real-time systems that are not distributed. Our objective is to develop a framework for distributed runtime monitoring of real-time systems, in which several monitors observe components of the system, and exchange information so as to decide as early as possible on the validity of the property. Efficient solutions should limit the amount of communication as well as the computation time. Timed markings, a formalism we introduced and recently used to efficiently compute and manipulate sets of configurations 31, are a natural candidate tool to use. In the distributed setting, however, timed markings need to be reshaped to store sufficient information, and also to enable efficient updates with the observation and information stream.

Timing imprecisions

The model of timed automata for real-time systems assumes arbitrary precision in time measurements. This artifact which is theoretically convenient has the drawback of missing behaviours if delays are slightly shifted. Since time drifts are inevitable in distributed systems, we will pursue the development of models, semantics and algorithms to take timing imprecisions into account for real-time systems. For instance, the efficiency of our recent algorithm for synthesizing permissive strategies 38 can be improved by relaxing its precision while keeping track of the amount of approximation in the computation.

Timing imprecisions are also very relevant in online techniques, such as monitoring, testing and learning, since those techniques involve interactions with physical implementations. Because of those imprecisions, the observation of the system may be inexact, and the actions performed on the system may be slightly shifted, so that a given sequence of inputs may result in different outputs. This does not fit with our current techniques 49, 50, and we will have to develop specific approaches to take such imprecisions into account.

Real-time security properties

Most often in formal methods properties are defined at the level of individual behaviours: for instance, an execution of a program is terminating, or it isn't. However, in order to express security properties such as non-interference, one needs to reason on pairs of executions (for instance to guarantee that observing the control flow of a program does not leak information on a private key), or more generally sets of executions. So-called hyperproperties, introduced a decade ago 37, 36, allow one to compare executions of untimed models. Dealing with real-time in that context is a great challenge since one needs to compare dates of event occurrences. So far it only has been considered in a discrete-time setting 30. We will provide verification algorithms in the continuous-time case, with the objective of addressing security properties related to timing issues, such as covert communication induced by timing channels.

Efficient bug finding for MPI program

HPC applications in the MPI (message passing interface) programming model consist of distributed programs that communicate asynchronously through FIFO channels. Finding bugs, or proving their absence, in such programs is challenging because of the complexity due to concurrency and communication. The goal of the McSimGrid tool 59 is to automatically check properties directly on the programs, considering all alternative executions of the program for a fixed input. Rather than proving correctness, it aims at finding concurrency and communication bugs efficiently. As often in verification, scaling to real programs requires techniques that avoid the state-space explosion. One way to do so, is to use dynamic partial order reduction (DPOR) 45, 23, 61, which cleverly exploits the independence of concurrent events to reduce the state space to be explored. Beyond plain DPOR algorithms, in order to go an order of magnitude further in terms of program size, we propose to combine DPOR with other efficient bug-finding techniques, such as directed model checking 43. Directed model checking prioritizes the state-space exploration using A${}^{*}$-like algorithms, relying on approximate distances to a goal. In the context of MPI programs, the definition of appropriate distances is crucial for balancing the trade-off between precision and computation cost, that impact the time to find an error in two opposite ways. Alternatively, one can combine DPOR with other bug-finding techniques, by bounding some values 39 or progressively refining the independence relation. In order to evaluate these heuristics for MPI programs, the various approaches will be implemented in McSimGrid and benchmarked against academic case studies.

Parameterized verification of pseudo-codes

The correctness of distributed algorithms should be established independently of actual setup, i.e. the number of processes, the potential failures, and the communication topology when relevant. Parameterized verification answers this need by handling multiple model-checking queries at once; it also often comes with cutoff results that provide bounds on the parameters for which a bug can happen, in case the correctness does not hold. To overcome the general undecidability of the verification of properties for distributed systems with an unbounded number of processes 22, we propose two natural approaches: on the one hand exhibiting models for specific distributed algorithms with decidable parameterized verification, and on the other hand developing incomplete verification algorithms that may not terminate or may be inconclusive on some instances. We illustrate these alternatives on the two archetypal frameworks below, on which we will focus first.

Parameterized verification of models of MPI programs. Complementary to the objective of efficiently finding bugs in MPI programs, one can come up with models of MPI programs and study their parameterized verification problem. A relevant way to classify MPI programs with respect to model checking is by the communication primitives they use and possibly the communication topologies: mailboxes are typically represented as queues or bags, for instance. Our objective is to define classes of models for MPI programs with decidable parameterized verification. Most likely these models will approximate the actual behaviour of the programs. A prototype implementing parameterized verification for MPI programs would be a major breakthrough compared to the fixed-instances existing tools such as CIVL 57.

Parameterized verification of randomized distributed algorithms. Randomization is an elegant tool to design efficient algorithms or even to solve problems otherwise unsolvable, especially in distributed computing, where probabilities break symmetry between the components. Till now, automated proofs of randomized distributed algorithms remain limited to restricted types of algorithms, restricted classes of schedulers, and restricted properties 26, 27, 28. Leveraging parameterized verification techniques to handle randomized distributed algorithms raises the challenge that performance typically depend on the number of participants, whereas standard parameterized verification techniques abstract away this parameter. Counter-example guided abstraction refinement (CEGAR) approaches have proven extremely efficient on non-randomized fault-tolerant distributed algorithms 29, 63. Building on the latter, and on an existing CEGAR framework for finite-state probabilistic systems 52, 41, we aim at targetting randomized distributed algorithms, which is non-trivial: appropriate predicates must be defined, and counterexamples must be generic enough to account for sets of parameter values.

Formalising optimality in quantitative games

Before even computing optimal or quasi-optimal strategies for multi-agent systems, one needs to formally define these. Strategy Logic (SL  for short) is a temporal logic for expressing complex properties of multiple-player games 34. It can be used to express, e.g. the existence of equilibria, as well as properties of the outcomes of those equilibria. However, this logic is not suited to games with quantitative aspects: it cannot handle quantitative (as opposed to Boolean) payoffs for the players, which are needed for fine-grained representation of their preferences. We will continue the exploration of such quantitative features of SL, building on our recent works 32 on fuzzy SL (which was, to our knowledge, the first decidable quantitative extension of SL). Due to the high complexity of model checking for SL, we will also consider fragments of the logic, targeting good trade-offs between expressiveness and complexity.

Computing sub-optimal strategies with guarantees

In non-critical contexts, sub-optimal strategies can be sufficient, and their computation can be less costly than optimal ones. In game theory, Simon 64 introduced the portmanteau word satisficing that combines satisfying and sufficient, to describe situations in non-cooperative games, where agents may opt for a non-optimal strategy if they think their reward is good enough and that the effort (be it time, energy, or computational power) needed to get closer to the optimal reward would be prohibitive. This notion has been addressed in economy as an alternative to optimality in standard reinforcement learning (RL) algorithms (see, e.g. 65). Strategies in RL are built to optimize quantitative goals but allow stopping construction when side measures such as regrets or risk exceed a fixed aspiration level. Building on our expertise in various aspects of quantitative games 33, 48, we aim at computing good-enough strategies by relating the improvement, e.g. measured as a reward, that can be obtained by changing a strategy and the extra effort needed to play the new strategy.

We will also address the scalability issue in optimal control problems in Markov decision processes by targeting distributed systems. This direction will combine approaches both from the formal verification world, such as abstraction techniques, and bounded verification 42, and from the reinforcement learning world, such as multi-agent reinforcement learning techniques and approximate solution methods (e.g. deep learning). This rich set of techniques will allow us to solve applications such as train regulation problems.

Application to traffic management in transports

Urban rail transportation calls for optimization techniques in order to improve the users experience in terms of metro punctuality, regularity, and time needed to resume to a nominal behaviour after an incident, to name a few. For a single metro line, efficient traffic management techniques exist and mainly consist in adapting fleets sizes, speeds of trains and dwell times 40. However, in large cities, the public transport demand is expected to grow tremendously (49% larger in 2050 than in 2012) with huge economic and environmental impacts. Improving efficiency of public transports must include several transport modes and several operators, making the state-of-the-art techniques unapplicable. Multi-modal transport raises the issue that operators, clients, and decision-makers have their own objective. Optimizing traffic management in this context is a challenging task: it amounts to solving a huge multi-player game with multiple objectives. Our aim is to compute good-enough strategies for each actor in these games. Despite the large size of transport networks, recently developed tools for concurrent hybrid models enable numerical methods, and can be used to learn regulation mechanisms 44. Symbolic representations of sets of states and distributions 53 is also promising to speed up simulation, discover appropriate abstractions and therefore enable efficient traffic management.

7.1.1 MOCHY

• Name:
  MOdels for Concurrent and HYbrid systems
• Keywords:
  Public transport, Hybrid models, Simulation, Performance analysis
• Functional Description:
  Allows for the modeling of hybrid systems, schedule and regulation algorithms to optimize Key Performance Indicators. Mochy addresses mainly models of transport networks, their timetables and traffic management techniques. The tool allows for the fast simulation of these regulated models, to measure performance indicators. Since version 2.0, MOCHY proposes a novel traffic management algorithm with neural networks.
• Release Contributions:
  Co-simulation of time Petri nets and timetables (model for regulated urban train systems with a hold-on policy). Performance analysis for simple Key Performance Indicators. Traffic management with neural networks.
• URL:
  https://­adt-mochy.­gitlabpages.­inria.­fr/­mochy/
• Contact:
  Loic Helouet

7.1.2 PyLTA

• Keywords:
  Model Checking, Distributed computing
• Functional Description:
  PyLTA is written in Python. It uses an ad hoc input format to represent distributed algorithms and their specification. The verification process builds on the counter-example guided abstraction refinement (CEGAR) principle.
• URL:
  https://­gitlab.­com/­BastienT/­pylta
• Publication:
  hal-03996060
• Contact:
  Nathalie Bertrand
• Participants:
  Bastien Thomas, Ocan Sankur, Nathalie Bertrand

Timed extensions of Petri nets

 In 13 we have considered verification of timed models handling additional quantities progressing linearly such as distance of moving objects to a target. We introduced a variant of Petri nets called trajectory nets where some places are standard control places containing tokens, and other places contain a trajectory of an object. We give a semantics for this model, and propose an abstraction of sets of equivalent trajectories into symbolic domains. These domains cannot be represented by Difference Bound Matrices, but one can compute in polynomial time a symbolic representation of successor configurations. Furthermore domains are closed under this successor relation, and the set of domains of a trajectory net is finite. A consequence is that, when the control part of a trajectory net is bounded, reachability, coverability and verification of safety properties involving distances are PSPACE-Complete.

In 7, we have extended results on a model called Waiting nets. In time Petri nets (TPNs), time and control are tightly connected: time measurement for a transition starts only when all resources needed to fire it are available. Further, upper bounds on duration of enabledness can force transitions to fire (this is called urgency). For many systems, one wants to decouple control and time, i.e. start measuring time as soon as a part of the preset of a transition is filled, and fire it after some delay and when all needed resources are available. Waiting nets are an extension of TPN that dissociates time measurement and control. Their semantics allows time measurement to start with incomplete presets, and can ignore urgency when upper bounds of intervals are reached but all resources needed to fire are not yet available. Firing of a transition is then allowed as soon as missing resources are available. It is known that extending bounded TPNs with stopwatches leads to undecidability. Our extension is weaker, and we show in this work how to compute a finite state class graph for bounded waiting nets, yielding decidability of reachability and coverability. Last, we have compared expressiveness of waiting nets with that of other models w.r.t. timed language equivalence, and show that waiting nets are strictly more expressive than TPNs.

Efficient evaluation of policies in Markov decision processes

 In 10 we have revisited the value iteration question for Markov Decision Processes. Value and policy iteration are classical algorithms to maximize the average discounted reward of an MDP. They rely on a breadth-first exploration strategy in the future of each state to update its value and possibly change the action policy at this state. This work revisits this paradigm and examines a depth-first search strategy. It reformulates the average reward computation as an integral over (future) paths that is better expressed in the formalism of weighted automata. Policy evaluation can then be solved by a Floyd-Warshall algorithm, which gathers at once the rewards along possibly infinite runs. This reformulation opens the way to new approximation schemes for the value function. The same formalism also gives access to other quantities of interest, such as the gradient of the average reward with respect to model or policy parameters, or the variance of the reward. The behaviors and performance of this value estimation scheme are illustrated on several benchmarks.

Runtime monitoring of timed properties

 In formal verification, runtime monitoring consists in observing the execution of a system in order to decide as quickly as possible whether or not it satisfies a given property. We consider monitoring in a distributed setting, for properties given as reachability timed automata. In such a setting, the system is made of several components, each equipped with its own local clock and monitor. The monitors observe events occurring on their associated component, and receive timestamped events from other monitors through FIFO channels. Since clocks are local, they cannot be perfectly synchronized, resulting in imprecise timestamps. Consequently, they must be seen as intervals, leading monitors to consider possible reorderings of events. In this context, each monitor aims to provide, as early as possible, a verdict on the property it is monitoring, based on its potentially incomplete and imprecise knowledge of the current execution. In 14, we propose an online monitoring algorithm for timed properties, robust to time imprecision and partial information from distant components. We first identify the date at which a monitor can safely compute a verdict based on received events. We then propose a monitoring algorithm that updates this date when new information arrives, maintains the current set of states in which the property can reside, and updates its verdict accordingly.

Test synthesis from requirements using Monte-Carlo tree search

 In 19 we consider the automatic online synthesis of black-box test cases from functional requirements specified as automata for reactive implementations. The goal of the tester is to reach some given state, so as to satisfy a coverage criterion, while monitoring the violation of the requirements. We develop an approach based on Monte Carlo Tree Search, which is a classical technique in reinforcement learning for efficiently selecting promising inputs. Seeing the automata requirements as a game between the implementation and the tester, we develop a heuristic by biasing the search towards inputs that are promising in this game. We experimentally show that our heuristic accelerates the convergence of the Monte Carlo Tree Search algorithm, thus improving the performance of testing.

Model-checking models for distributed algorithms

 This year, we pursued our effort in establishing the decidability and complexity of model-checking problems for models of distributed systems. On the one hand, we studied the verification of population protocols with unordered data; on the other hand, we considered the extension of the well-known model of broadcast networks with registers.

Population protocols are a well-studied model of distributed computation in which a group of anonymous finite-state agents communicates via pairwise interactions. Together they decide whether their initial configuration, i. e., the initial distribution of agents in the states, satisfies a property. As an extension in order to express properties of multisets over an infinite data domain, Blondin and Ladouceur (ICALP'23) introduced population protocols with unordered data (PPUD). In PPUD, each agent carries a fixed data value, and the interactions between agents depend on whether their data are equal or not. Blondin and Ladouceur also identified the interesting subclass of immediate observation PPUD (IOPPUD), where in every transition one of the two agents remains passive and does not move, and they characterised its expressive power. We study the decidability and complexity of formally verifying these protocols. The main verification problem for population protocols is well-specification, that is, checking whether the given PPUD computes some function. We show that well-specification is undecidable in general. By contrast, for IOPPUD, we exhibit a large yet natural class of problems, which includes well-specification among other classic problems, and establish that these problems are in ExpSpace. We also provide a lower complexity bound, namely coNExpTime-hardness. 8

In 12, we consider the parameterized verification of arbitrarily large networks of agents which communicate by broadcasting and receiving messages. In our model, the broadcast topology is reconfigurable so that a sent message can be received by any set of agents. In addition, agents have local registers which are initially distinct and may therefore be thought of as identifiers. When an agent broadcasts a message, it appends to the message the value stored in one of its registers. Upon reception, an agent can store the received value or test this value for equality with one of its own registers. We consider the coverability problem, where one asks whether a given state of the system may be reached by at least one agent. We establish that this problem is decidable; however, it is as hard as coverability in lossy channel systems, which is non-primitive recursive. This model lies at the frontier of decidability as other classical problems on this model are undecidable; this is in particular true for the target problem where all processes must synchronize on a given state. By contrast, we show that the coverability problem is NP-complete when each agent has only one register.

Foundations of parameterized verification

 Since parameterized verification questions are often related to counter systems, we studied invariants for one-counter automata with disequality tests in 9. A disequality test is a guard that prohibits a specified counter value. This reachability problem has been known to be NP-hard and in PSPACE, and characterising its computational complexity has been left as a challenging open question by Almagor, Cohen, Pérez, Shirmohammadi, and Worrell (2020). We reduce the complexity gap, placing the problem into the second level of the polynomial hierarchy, namely into the class $coN{P}^{NP}$. In the presence of both equality and disequality tests, our upper bound is at the third level, $P^{{NP}^{NP}}$. To prove this result, we show that non-reachability can be witnessed by a pair of invariants (forward and backward). These invariants are almost inductive. They aim to over-approximate only a "core" of the reachability set instead of the entire set. The invariants are also leaky: it is possible to escape the set. We complement this with separate checks as the leaks can only occur in a controlled way.

Formal verification of blockchains

 On a more practical side, we aim at designing verification techniques for actual code or low-level models of distributed algorithms. Towards this goal, we propose a generic approach to the formal verification of consensus protocols within blockchains. DAG-based consensus protocols are being adopted by blockchain companies to decrease energy footprints and improve security. A DAG-based consensus protocol collaboratively constructs a partial order of blocks of transactions and produces linearly ordered blocks. The ubiquity and strategic importance of blockchains call for formal proofs of correctness of key components, namely, consensus protocols. The preprint Reusable Formal Verification of DAG-based Consensus Protocols presents a safety-proven formal specification of two DAG-based protocols. Our specification highlights several dissemination, DAG construction, and ordering variations that can be combined to express the two protocols. The formalization requires a refinement approach for modeling the consensus. In an abstract model, we first show the safety of DAG-based consensus on leader blocks and then further refine the specification to encompass all blocks for all processes. The TLA+ specification for a given protocol consists of 492-732 lines, and the proof system TLAPS verifies 2025-2294 obligations in 6-8 minutes.

Quantitative evaluation and optimization of metro regulation policies

 Members of DEVINE have a long-standing bilateral collaboration with Alstom on urban train systems regulation.

In 15 we consider simulation models for Metro systems to measure useful information that guides optimization of traffic management strategies w.r.t. goals such as satisfaction of passenger demands, adherence to schedules or energy saving. Many network models are too precise for the analysis needs, and do not exploit concurrency. This results in an explosion in the size of models, and long simulation times. The model proposed in this work is an extension of Petri nets that handles trajectories of trains, passenger flows, and scenarios for passenger arrivals. We then define a fast event-based simulation scheme. We have tested our model on a real case study, the Metro of Montreal, and shown that full days of train operations with passengers can be simulated in a few seconds, allowing analysis of quantitative properties.

In 20 we have proposed algorithms for online adaptation of Metro timetables. Metro networks are usually operated with timetables, i.e. schedules with fixed dates for departure and arrival events. However, when a delay occurs, timetables have to be adapted to mitigate the effect of this time gap. We have proposed several algorithms to propagate the effects of primary delays in a timetable. The principle of delay propagation is to compute the minimal modification to the original timetable induced by this delay. We define timetables as weighted acyclic graphs depicting events, causal dependencies, and timing constraints, and show that the minimal modification is achieved by rescheduling events as soon as possible in this graph. We have proposed five algorithms to compute efficiently new consistent dates after a delay, with the minimal modification w.r.t. the original timetable. The first algorithm uses properties of critical paths in the timetable, the second algorithm builds a topological ordering on events before a linear rescheduling of events dates. The third algorithm is a recursive scheme that may explore the whole timetable in the worst case, but stops on events that need no rescheduling. The next algorithms are still recursive schemes, but use heuristics to choose an ordering for events updates. Recursive schemes have a bad theoretical worst case complexity. However, tests on two real case studies show that they are efficient in practice, and reschedule timetables in a fraction of a second. This work has been submitted to a journal dedicated to transportation.

Planification in multi-agent systems

 In 11 we present a new algorithm for solving the connected multi-agent path finding problem (connected MAPF) which consists in finding paths for a set of agents that avoid collisions but also ensure connectivity between agents during the mission. Our algorithm is based on heuristic search and combines ODrM*, a well-known algorithm without connectivity constraints, and an efficient but incomplete solver for the connected MAPF from the literature. We present a formal analysis of the termination and completeness of our algorithm, and present an experimental evaluation, showing a significant improvement over the state of the art.

Foundations of games

 Games are a well-studied mathematical model to represent the interactions of agents in multi-agent systems. The games considered in the verification community often are games played on graphs. They form a prominent model in two related fields: the first being automata theory and logic, and the second verification and synthesis, both of which have been very active for decades. Members of the DEVINE team contributed to a textbook 16 presenting the state of the art on games on graphs from automata and logic. Specifically, we wrote the chapters on stochastic games, on timed games and on multi-player games.

Logics and automata

 In the preprint Arbitrary-arity Tree Automata and QCTL we introduce a new class of automata (which we coin EU-automata) running on infinite trees of arbitrary (finite) arity. We develop and study several algorithms to perform classical operations (union, intersection, complement, projection, alternation removal) for those automata, and precisely characterise their complexities. We also develop algorithms for solving membership and emptiness for the languages of trees accepted by EU-automata. We then use EU-automata to obtain several algorithmic and expressiveness results for the temporal logic QCTL (which extends CTL with quantification over atomic propositions) and for MSO. On the one hand, we obtain decision procedures with optimal complexity for QCTL satisfiability and model checking; on the other hand, we obtain an algorithm for translating any QCTL formula with k quantifier alternations to formulas with at most one quantifier alternation, at the expense of a (k+1)-exponential blow-up in the size of the formulas. Using the same techniques, we prove that any MSO formula can be translated into a formula with at most four quantifier alternations (and only two second-order-quantifier alternations), again with a (k+1)-exponential blow-up in the size of the formula.

10.1.1 Inria associate team not involved in an IIL or an international program

DST/INRIA Associate Team SINCRET: Scalable and INCREmental security monitoring and enforcement for Timed systems

Participants: Loïc Germerie-Guizouarn, Thierry Jéron, Ocan Sankur.

• Website:
  https://devine.inria.fr/SINCRET/
• Partner Institution:
  IIT Bhubaneswar, India
• Led by
  Thierry Jéron and Srinivas Pinisetty
• Objectives:
  The objective of this project is to study the enforcement of timed properties for cyber physical systems (CPS) in a synchronous context, and study their incremental composition. We first consider an enforcement monitor synthesis framework for reactive CPS focused on discrete timed properties. We currently propose a serial composition scheme, delineate the sub-class of properties that are enforceable, and develop a serial composition scheme. A prototype is developped by our partner and experimented on a case study of a swarm of drones. A common publication will soon be submitted.

10.1.2 Participation in other International Programs

We are participating in the activities of the CNRS UMI ReLaX Research Lab in Computer Science, an Indo-French joint research unit dedicated to research in theoretical computer science, its applications and its interactions with mathematics. Within this setting, we are frequently hosting undergraduate students as interns from Indian universities such as Chennai Mathematical Institute, and IIT Bombay.

10.3.1 ANR projects

ANR MAVeriQ: Methods of Analysis for Verification of Quantitative properties (2021-2025)

Participants: Aymeric Côme, Loïc Hélouët, Nathalie Bertrand.

• Website:
  https://www.irif.fr/users/maveriq/index
• Led by
  Aldric Degorre (IRIF); Local coordinator Éric Fabre.
• Partners:
  IRIF, LMF, Inria Rennes/IRISA, LACL, Verimag.
• Objectives:
  The objective of this project is to develop unified frameworks for quantitative verification of timed, hybrid, and stochastic systems. We believe such a unification is possible because common patterns are used in many cases. The project targets in particular: • systematization of quantitative properties and their use cases • substantial progress in the algorithms of quantitative verification; • practical methodology for stating and verifying quantitative properties of systems. The aim of MAVeriQ is to progress towards this unification, by gathering skills on timed and stochastic systems and on quantitative verification under a common roof, to jointly address open challenges in quantitative model-checking and quantitative validation. One such challenge we will address is robustness of quantitative models, that is, resilience to small perturbations, which is crucial for implementability. Unified methods developed in the project (such as robustness analysis and simulation techniques) will be showcased in different case studies in the domain of CPS (in particular automotive control), showing that such a system can be verified in different ways without leaving this framework.

ANR BisoUS: Better Synthesis for Underspecified Quantitative Systems (2023-2027)

Participants: Nathalie Bertrand, Loïc Hélouët, Nicolas Markey, Julie Parreaux, Ocan Sankur.

• Website:
  https://anr-bisous.ls2n.fr
• Led by
  Didier Lime (LS2N); Local coordinator Nicolas Markey until August 2024, then Nathalie Bertrand .
• Partners:
  LS2N, Inria Rennes/IRISA, LIPN, LMF.
• Objectives:
  When designing complex and critical systems (planes, autonomous vehicles, etc.), it is crucial to be able to give guarantees that the system works as intended, which is often done through comprehensive testing. The goal of project BisoUS is to provide stronger guarantees, based on mathematics, and to detect problems as early as possible: solving them is then easier and cheaper. Unfortunately this is a hard problem because some design choices may not have been done yet, and some key features (e.g. speed of a CPU) are then not known precisely enough. In project BisoUS we develop formal methods, based on model-checking and synthesis to work with expressive modelling formalisms encompassing parameters, cost/rewards, and games on graphs to meet those challenges.

ANR PaVeDyS: Parametric Verification of Dynamic Distributed Systems (2024-2027)

Participants: Nathalie Bertrand, Loïc Germerie-Guizouarn, Thierry Jéron, Ocan Sankur.

• Website:
  https://raduiosif.github.io/PAVEDYS/
• Led by
  Radu Iosif (Verimag); Local coordinator Nathalie Bertrand .
• Partners:
  Verimag, Inria Rennes, IRIF, LaBRI.
• Objectives:
  Applications of distributed systems are omnipresent. They allow sharing resources and data. They are used to coordinate activities across multiple nodes, as in geographically distributed systems. Furthermore, they increase the resilience of systems through fault tolerance, availability, and recovery mechanisms. Designing, understanding, and validating distributed systems is challenging because of the huge number of interactions between components, some potentially leading to unpredictable scenarios. Early detection of design errors is not only crucial for financial reasons, but it is often the only feasible way to find critical errors. The methods for ensuring the correctness of distributed systems are not yet mature. This is particularly the case for the mechanized reasoning methods that we propose to develop in this project.

10.3.2 National Informal Collaborations

The team collaborates with the following researchers:

• Patricia Bouyer (LMF, ENS Paris-Saclay) on quantitative aspects of verification and game models for parameterized systems;
• Luc Dartois (LACL, Université Paris-Est Créteil) and Paul Gastin (LMF, Université Paris Saclay) on transducer models and verification of transformations;
• Victor Roussalany (Université de Lorraine) and Léo Henry (University College London, UK) on distributed monitoring of timed properties.
• François Laroussinie (IRIF, Univ. Paris-Cité) on arbitrary-arity tree automata for temporal logics.

11.1.1 Scientific events: organisation

Nicolas Markey , Nathalie Bertrand –for the scientific part– together with Laurence Dinh , Aymeric Côme , Nicolas Waldburger and Mathieu Laurent for the organisation part, hosted the MOVEP 2024 summer school in May. It gathered 40 PhD and postdocs from Europe to follow courses on the topic of verification.

11.1.2 Scientific events: selection

11.1.3 Journal

11.1.4 Invited talks

Nathalie Bertrand was a panelist in the roundtable during the Women in Computer Science Workshop Cameroon in december 2024.

11.1.5 Leadership within the scientific community

Nathalie Bertrand is the co-head of the French working group on verification of GDR-IFM: GT Vérif.

11.1.6 Research administration

• Nicolas Markey has been the head of Department "Language and Software Engineering" of IRISA until August 2024.
• Loïc Hélouët was member of the "commission Personnel" (Temporary staff committee) responsible for evaluation of PhD hirings for Inria Rennes until September 2024. Since September 2024, he is the president of the commitee.

11.2.1 Teaching

Almost all members of DEVINE do teach, even the ones who have no teaching duties.

• Master: Nathalie Bertrand , Algorithms, and Symbolic AI, 18h, Agrégation, ENS Rennes, France;
• Master: Loïc Hélouët , Algorithms and proofs, 16h, Agrégation, ENS Rennes;
• Master: Nicolas Markey , Algorithms, 18h, Agrégation, ENS Rennes, France;
• Master: Nicolas Markey , Computability and Complexity, 18h, Agrégation, ENS Rennes, France;
• Licence: Loïc Hélouët , Algorithms and Java, 40h, INSA Rennes, France;
• BUT: Loïc Germerie Guizouarn , Networks Principles and Architecture, 20h, IUT Saint-Malo, France;
• Licence: Julie Parreaux , Formals Tools for Computer scientists, 52h, ISTIC, Université de Rennes, France;
• Licence: Julie Parreaux , Algorithms and Complexity, 47h, ISTIC, Université de Rennes, France;

11.2.2 Supervision

11.2.3 Juries

International journals

• 7 articleL.Loïc Hélouët and P.Pranay Agrawal. Waiting Nets: State Classes and Taxonomy.Fundamenta Informaticae1902-4January 2024, 63-107HALDOIback to text

International peer-reviewed conferences

• 8 inproceedingsS.Steffen van Bergerem, R.Roland Guttenberg, S.Sandra Kiefer, C.Corto Mascle, N.Nicolas Waldburger and C.Chana Weil-Kennedy. Verification of Population Protocols with Unordered Data.ICALP 2024 - 51st EATCS International Colloquium on Automata, Languages and ProgrammingTallinn, EstoniaSchloss Dagstuhl – Leibniz-Zentrum für Informatik2024, 1-40HALDOIback to text
• 9 inproceedingsD.Dmitry Chistikov, J.Jérôme Leroux, H.Henry Sinclair-Banks and N.Nicolas Waldburger. Invariants for One-Counter Automata with Disequality Tests.Proceedings of the 35th International Conference on Concurrency TheoryCONCUR2024 - International Conference on Concurrency Theory311Calgary, CanadaSchloss Dagstuhl – Leibniz-Zentrum für Informatik2024, 1-34HALDOIback to text
• 10 inproceedingsA.Aymeric Côme, É.Éric Fabre and L.Loïc Hélouët. A Floyd-Warshall Approach to Value Computation in Markov Decision Processes.LNCSQEST-Formats 2024 - International Conference on Quantitative Evaluation of SysTems14996Lecture Notes in Computer ScienceCalgary, CanadaSpringer Nature Switzerland; Springer Nature SwitzerlandAugust 2024, 284-301HALDOIback to text
• 11 inproceedingsV.Victorien Desbois, O.Ocan Sankur and F.François Schwarzentruber. An Efficient Modular Algorithm for Connected Multi-Agent Path Finding.ECAI 2024 - 27th European Conference on Artificial IntelligenceSantiago de Compostela, Spain2024, 1-11HALback to text
• 12 inproceedingsL.Lucie Guillou, C.Corto Mascle and N.Nicolas Waldburger. Parameterized Broadcast Networks with Registers: from NP to the Frontiers of Decidability.Foundations of Software Science and Computation StructuresFoSSaCS 2024 - 27th International Conference on Foundations of Software Science and Computation Structures14575Lecture Notes in Computer ScienceLuxembourg, LuxembourgSpringer Nature Switzerland2024, 250-270HALDOIback to text
• 13 inproceedingsL.Loïc Hélouët and P.Prerak Contractor. Symbolic domains and reachability for nets with trajectories.LNCSPETRI NETS 2024 - 45th International Conference on Theory and Application of Petri Nets and Concurrency14628Lecture Notes in Computer ScienceGenève, SwitzerlandSprincer; Springer Nature SwitzerlandJune 2024, 244-265HALDOIback to text
• 14 inproceedingsL.Léo Henry, T.Thierry Jéron, N.Nicolas Markey and V.Victor Roussanaly. Distributed Monitoring of Timed Properties.LNCS24th International Conference, RV 2024, Istanbul, Turkey, October 15–17, 2024, ProceedingsRV 2024 - 24th International Conference on Runtime Verification15191Istanbul, TurkeySpringerNovember 2024, 260HALback to text
• 15 inproceedingsA.Antoine Thébault, L.Loïc Hélouët and K.Kenza Saiah. Modeling subway networks and passenger flows.OASIcsATMOS 2024 - 24th Symposium on Algorithmic Approaches for Transportation Modelling, Optimization, and Systems123Egham, United Kingdom2024, 1-20HALDOIback to text

Scientific books

• 16 bookN.Nathalie Bertrand, P.Patricia Bouyer, R.Romain Brenguier, A.Arnaud Carayol, J.John Fearnley, H.Hugo Gimbert, F.Florian Horn, R.Rasmus Ibsen-Jensen, N.Nicolas Markey, B.Benjamin Monmege, P.Petr Novotny, M.Mickael Randour, O.Ocan Sankur, S.Sylvain Schmitz, O.Olivier Serre and M.Mateusz Skomra. N.Nathanaël Fijalkow, eds. Games on Graphs: From Logic and Automata to Algorithms.2024, 1-491In press. HALDOIback to text

Doctoral dissertations and habilitation theses

• 17 thesisN.Nicolas Waldburger. Parameterized verification of distributed shared-memory systems.Université de RennesDecember 2024HAL

Reports & preprints

• 18 miscA.Aymeric Côme, É.Éric Fabre and L.Loïc Hélouët. A Floyd-Warshall Approach to Value Computation in Markov Decision Processes.January 2025HAL
• 19 miscO.Ocan Sankur, T.Thierry Jéron, N.Nicolas Markey, D.David Mentré and R.Reiya Noguchi. Online Test Synthesis From Requirements: Enhancing Reinforcement Learning with Game Theory.2024HALback to text
• 20 miscA.Antoine Thébault, L.Loïc Hélouët and K.Kenza Harkouken Saiah. Delay Propagation in Metro Timetables.2024HALback to text