2025Activity reportProject-Team​​​‌DEVINE

Efficient model checking algorithms​

As in many applications​‌ of formal methods, formal​​ verification suffers from state-space​​ explosion, which limits the​​​‌ scalability of algorithms unless‌ proper state-space reduction techniques‌​‌ are applied. In timed​​ automata, state-space explosion can​​​‌ be caused by two‌ factors: 1) a large‌​‌ discrete state space, e.g.​​ if the system is​​​‌ composed of many subsystems,‌ or contains several discrete‌​‌ variables; 2) a large​​ number of clocks or​​​‌ complex timing constraints. While‌ the first factor already‌​‌ appears in finite-state model​​ checking, in timed automata,​​​‌ the state space can‌ grow exponentially in the‌​‌ number of clocks requiring​​ a particular care. State-of-the-art​​​‌ algorithms can efficiently deal‌ with complex time constraints‌​‌ 54, 62,​​ 65 but fail at​​​‌ analyzing models with both‌ large discrete state spaces‌​‌ (for instance real-time distributed​​ systems) and real-time constraints.​​​‌ This is however crucial‌ to demonstrate the benefits‌​‌ of formal methods for​​ real-time systems on realistic​​​‌ applications.

We will build‌ novel tools based on‌​‌ compositional reasoning and predicate​​ abstraction to achieve formal​​​‌ verification performance comparable with‌ that of finite-state systems‌​‌ without explicit time constraints.​​ In fact, although clock​​​‌ constraints do cause state-space‌ explosion, they are often‌​‌ not the only source​​ of complexity; so smart​​​‌ ways of handling them‌ must be developed to‌​‌ handle large models. Ideally,​​ one should be able​​​‌ to handle clock variables‌ like any other variable‌​‌ in a program under​​ verification. In this context,​​​‌ predicate abstraction 53,‌ 69 is a promising‌​‌ direction since when used​​ properly, clock variables can​​​‌ be treated as any‌ other system variable; so‌​‌ several techniques from software​​ model checking or finite-state​​​‌ automata can be applied.‌ Compositionality is a well-known‌​‌ approach to handle larger​​ models 41; we​​​‌ will develop techniques to‌ specifically handle the timing‌​‌ aspects in such approaches,​​ and target the development​​​‌ of both fully automatized‌ and interactive compositional model‌​‌ checkers. Last, some performance​​ achievements might appear by​​​‌ targeting specific applications and‌ developing tailored algorithms, rather‌​‌ than relying on one​​ generic algorithm. Our collaborations​​​‌ with industrial partners will‌ guide us in this‌​‌ direction since these are​​ opportunities to consider specific​​​‌ practical problems. In all‌ these works, we will‌​‌ use and contribute to​​ the open-source timed automata​​​‌ model checker TChecker 58‌.

Testing and runtime‌​‌ verification

To extend the​​ applicability of models like​​​‌ timed automata to verify‌ industrial-size real-time systems, one‌​‌ can relax the exhaustiveness​​ guarantee provided by model​​​‌ checking. Model-based test synthesis‌ is one such technique‌​‌ (see, e.g. 73):​​ it consists in synthesizing,​​​‌ from a system model,‌ sequences of actions to‌​‌ be performed on the​​ implementation, in order to​​​‌ check that it behaves‌ as specified. We will‌​‌ generate such test cases​​ from real-time requirements, leveraging​​​‌ techniques recently developed by‌ team members based on‌​‌ both test synthesis from​​ game theory 57 and​​​‌ consistency checking 61;‌ this will complement the‌​‌ tool suite we developed​​ in our collaboration with​​​‌ MERCE for checking consistency‌ of real-time requirements, to‌​‌ obtain test cases for​​ checking those requirements on​​​‌ real implementations.

Runtime monitoring‌ 30 is another verification‌​‌ technique for assessing the​​​‌ validity of properties at​ runtime: it consists in​‌ observing the system as​​ it executes and deciding​​​‌ as soon as possible​ whether the properties are​‌ satisfied or violated. In​​ many contexts, the system​​​‌ is only partially observable,​ i.e. some internal actions​‌ are hidden to the​​ monitor. Runtime monitoring is​​​‌ however limited to real-time​ systems that are not​‌ distributed. Our objective is​​ to develop a framework​​​‌ for distributed runtime monitoring​ of real-time systems, in​‌ which several monitors observe​​ components of the system,​​​‌ and exchange information so​ as to decide as​‌ early as possible on​​ the validity of the​​​‌ property. Efficient solutions should​ limit the amount of​‌ communication as well as​​ the computation time. Timed​​​‌ markings, a formalism we​ introduced and recently used​‌ to efficiently compute and​​ manipulate sets of configurations​​​‌ 37, are a​ natural candidate tool to​‌ use. In the distributed​​ setting, however, timed markings​​​‌ need to be reshaped​ to store sufficient information,​‌ and also to enable​​ efficient updates with the​​​‌ observation and information stream.​

Timing imprecisions

The model​‌ of timed automata for​​ real-time systems assumes arbitrary​​​‌ precision in time measurements.​ This artifact which is​‌ theoretically convenient has the​​ drawback of missing behaviours​​​‌ if delays are slightly​ shifted. Since time drifts​‌ are inevitable in distributed​​ systems, we will pursue​​​‌ the development of models,​ semantics and algorithms to​‌ take timing imprecisions into​​ account for real-time systems.​​​‌ For instance, the efficiency​ of our recent algorithm​‌ for synthesizing permissive strategies​​ 44 can be improved​​​‌ by relaxing its precision​ while keeping track of​‌ the amount of approximation​​ in the computation.

Timing​​​‌ imprecisions are also very​ relevant in online techniques,​‌ such as monitoring, testing​​ and learning, since those​​​‌ techniques involve interactions with​ physical implementations. Because of​‌ those imprecisions, the observation​​ of the system may​​​‌ be inexact, and the​ actions performed on the​‌ system may be slightly​​ shifted, so that a​​​‌ given sequence of inputs​ may result in different​‌ outputs. This does not​​ fit with our current​​​‌ techniques 56, 57​, and we will​‌ have to develop specific​​ approaches to take such​​​‌ imprecisions into account.

Real-time​ security properties

Most often​‌ in formal methods properties​​ are defined at the​​​‌ level of individual behaviours:​ for instance, an execution​‌ of a program is​​ terminating, or it isn't.​​​‌ However, in order to​ express security properties such​‌ as non-interference, one needs​​ to reason on pairs​​​‌ of executions (for instance​ to guarantee that observing​‌ the control flow of​​ a program does not​​​‌ leak information on a​ private key), or more​‌ generally sets of executions.​​ So-called hyperproperties, introduced​​​‌ a decade ago 43​, 42, allow​‌ one to compare executions​​ of untimed models. Dealing​​​‌ with real-time in that​ context is a great​‌ challenge since one needs​​ to compare dates of​​​‌ event occurrences. So far​ it only has been​‌ considered in a discrete-time​​ setting 36. We​​​‌ will provide verification algorithms​ in the continuous-time case,​‌ with the objective of​​ addressing security properties related​​ to timing issues, such​​​‌ as covert communication induced‌ by timing channels.

Efficient bug​​​‌ finding for MPI program‌

HPC applications in the‌​‌ MPI (message passing interface)​​ programming model consist of​​​‌ distributed programs that communicate‌ asynchronously through FIFO (First‌​‌ In First Out) channels.​​ Finding bugs, or proving​​​‌ their absence, in such‌ programs is challenging because‌​‌ of the complexity due​​ to concurrency and communication.​​​‌ The goal of the‌ McSimGrid tool 66 is‌​‌ to automatically check properties​​ directly on the programs,​​​‌ considering all alternative executions‌ of the program for‌​‌ a fixed input. Rather​​ than proving correctness, it​​​‌ aims at finding concurrency‌ and communication bugs efficiently.‌​‌ As often in verification,​​ scaling to real programs​​​‌ requires techniques that avoid‌ the state-space explosion. One‌​‌ way to do so,​​ is to use dynamic​​​‌ partial order reduction (DPOR)‌ 52, 29,‌​‌ 68, which cleverly​​ exploits the independence of​​​‌ concurrent events to reduce‌ the state space to‌​‌ be explored. Beyond plain​​ DPOR algorithms, in order​​​‌ to go an order‌ of magnitude further in‌​‌ terms of program size,​​ we propose to combine​​​‌ DPOR with other efficient‌ bug-finding techniques, such as‌​‌ directed model checking 50​​. Directed model checking​​​‌ prioritizes the state-space exploration‌ using A${}^{*}$-like‌​‌ algorithms (that is optimal​​ pathfinding algorithms), relying on​​​‌ approximate distances to a‌ goal. In the context‌​‌ of MPI programs, the​​ definition of appropriate distances​​​‌ is crucial for balancing‌ the trade-off between precision‌​‌ and computation cost, that​​ impact the time to​​​‌ find an error in‌ two opposite ways. Alternatively,‌​‌ one can combine DPOR​​ with other bug-finding techniques,​​​‌ by bounding some values‌ 45 or progressively refining‌​‌ the independence relation. In​​ order to evaluate these​​​‌ heuristics for MPI programs,‌ the various approaches will‌​‌ be implemented in McSimGrid​​ and benchmarked against academic​​​‌ case studies.

Parameterized verification‌ of pseudo-codes

The correctness‌​‌ of distributed algorithms should​​ be established independently of​​​‌ actual setup, i.e. the‌ number of processes, the‌​‌ potential failures, and the​​ communication topology when relevant.​​​‌ Parameterized verification answers this‌ need by handling multiple‌​‌ model-checking queries at once;​​ it also often comes​​​‌ with cutoff results that‌ provide bounds on the‌​‌ parameters for which a​​ bug can happen, in​​​‌ case the correctness does‌ not hold. To overcome‌​‌ the general undecidability of​​ the verification of properties​​​‌ for distributed systems with‌ an unbounded number of‌​‌ processes 28, we​​ propose two natural approaches:​​​‌ on the one hand‌ exhibiting models for specific‌​‌ distributed algorithms with decidable​​​‌ parameterized verification, and on​ the other hand developing​‌ incomplete verification algorithms that​​ may not terminate or​​​‌ may be inconclusive on​ some instances. We illustrate​‌ these alternatives on the​​ two archetypal frameworks below,​​​‌ on which we will​ focus first.

Parameterized verification​‌ of models of MPI​​ programs. Complementary to the​​​‌ objective of efficiently finding​ bugs in MPI programs,​‌ one can come up​​ with models of MPI​​​‌ programs and study their​ parameterized verification problem. A​‌ relevant way to classify​​ MPI programs with respect​​​‌ to model checking is​ by the communication primitives​‌ they use and possibly​​ the communication topologies: mailboxes​​​‌ are typically represented as​ queues or bags, for​‌ instance. Our objective is​​ to define classes of​​​‌ models for MPI programs​ with decidable parameterized verification.​‌ Most likely these models​​ will approximate the actual​​​‌ behaviour of the programs.​ A prototype implementing parameterized​‌ verification for MPI programs​​ would be a major​​​‌ breakthrough compared to the​ fixed-instances existing tools such​‌ as CIVL 64.​​

Parameterized verification of randomized​​​‌ distributed algorithms. Randomization is​ an elegant tool to​‌ design efficient algorithms or​​ even to solve problems​​​‌ otherwise unsolvable, especially in​ distributed computing, where probabilities​‌ break symmetry between the​​ components. Till now, automated​​​‌ proofs of randomized distributed​ algorithms remain limited to​‌ restricted types of algorithms,​​ restricted classes of schedulers,​​​‌ and restricted properties 32​, 33, 34​‌. Leveraging parameterized verification​​ techniques to handle randomized​​​‌ distributed algorithms raises the​ challenge that performance typically​‌ depend on the number​​ of participants, whereas standard​​​‌ parameterized verification techniques abstract​ away this parameter. Counter-example​‌ guided abstraction refinement (CEGAR)​​ approaches have proven extremely​​​‌ efficient on non-randomized fault-tolerant​ distributed algorithms 35,​‌ 70. Building on​​ the latter, and on​​​‌ an existing CEGAR framework​ for finite-state probabilistic systems​‌ 59, 48,​​ we aim at targetting​​​‌ randomized distributed algorithms, which​ is non-trivial: appropriate predicates​‌ must be defined, and​​ counterexamples must be generic​​​‌ enough to account for​ sets of parameter values.​‌

Formalising optimality in​​​‌ quantitative games

Before even‌ computing optimal or quasi-optimal‌​‌ strategies for multi-agent systems,​​ one needs to formally​​​‌ define these. Strategy Logic‌ (SL  for short)‌​‌ is a temporal logic​​ for expressing complex properties​​​‌ of multiple-player games 40‌. It can be‌​‌ used to express, e.g.​​ the existence of equilibria,​​​‌ as well as properties‌ of the outcomes of‌​‌ those equilibria. However, this​​ logic is not suited​​​‌ to games with quantitative‌ aspects: it cannot handle‌​‌ quantitative (as opposed to​​ Boolean) payoffs for the​​​‌ players, which are needed‌ for fine-grained representation of‌​‌ their preferences. We will​​ continue the exploration of​​​‌ such quantitative features of‌ SL, building on‌​‌ our recent works 38​​ on fuzzy SL (which​​​‌ was, to our knowledge,‌ the first decidable quantitative‌​‌ extension of SL).​​ Due to the high​​​‌ complexity of model checking‌ for SL, we‌​‌ will also consider fragments​​ of the logic, targeting​​​‌ good trade-offs between expressiveness‌ and complexity.

Computing sub-optimal‌​‌ strategies with guarantees

In​​ non-critical contexts, sub-optimal strategies​​​‌ can be sufficient, and‌ their computation can be‌​‌ less costly than optimal​​ ones. In game theory,​​​‌ Simon 71 introduced the‌ portmanteau word satisficing that‌​‌ combines satisfying and sufficient​​, to describe situations​​​‌ in non-cooperative games, where‌ agents may opt for‌​‌ a non-optimal strategy if​​ they think their reward​​​‌ is good enough and‌ that the effort (be‌​‌ it time, energy, or​​ computational power) needed to​​​‌ get closer to the‌ optimal reward would be‌​‌ prohibitive. This notion has​​ been addressed in economy​​​‌ as an alternative to‌ optimality in standard reinforcement‌​‌ learning (RL) algorithms (see,​​ e.g. 72). Strategies​​​‌ in RL are built‌ to optimize quantitative goals‌​‌ but allow stopping construction​​ when side measures such​​​‌ as regrets or risk‌ exceed a fixed aspiration‌​‌ level. Building on our​​ expertise in various aspects​​​‌ of quantitative games 39‌, 55, we‌​‌ aim at computing good-enough​​ strategies by relating the​​​‌ improvement, e.g. measured as‌ a reward, that can‌​‌ be obtained by changing​​ a strategy and the​​​‌ extra effort needed to‌ play the new strategy.‌​‌

We will also address​​ the scalability issue in​​​‌ optimal control problems in‌ Markov decision processes by‌​‌ targeting distributed systems. This​​ direction will combine approaches​​​‌ both from the formal‌ verification world, such as‌​‌ abstraction techniques, and bounded​​ verification 49, and​​​‌ from the reinforcement learning‌ world, such as multi-agent‌​‌ reinforcement learning techniques and​​ approximate solution methods (e.g.​​​‌ deep learning). This rich‌ set of techniques will‌​‌ allow us to solve​​ applications such as train​​​‌ regulation problems.

Application to‌ traffic management in transports‌​‌

Urban rail transportation calls​​ for optimization techniques in​​​‌ order to improve the‌ users experience in terms‌​‌ of metro punctuality, regularity,​​ and time needed to​​​‌ resume to a nominal‌ behaviour after an incident,‌​‌ to name a few.​​ For a single metro​​​‌ line, efficient traffic management‌ techniques exist and mainly‌​‌ consist in adapting fleets​​ sizes, speeds of trains​​​‌ and dwell times 46‌. However, in large‌​‌ cities, the public transport​​​‌ demand is expected to​ grow tremendously (49% larger​‌ in 2050 than in​​ 2012) with huge economic​​​‌ and environmental impacts. Improving​ efficiency of public transports​‌ must include several transport​​ modes and several operators,​​​‌ making the state-of-the-art techniques​ unapplicable. Multi-modal transport raises​‌ the issue that operators,​​ clients, and decision-makers have​​​‌ their own objective. Optimizing​ traffic management in this​‌ context is a challenging​​ task: it amounts to​​​‌ solving a huge multi-player​ game with multiple objectives.​‌ Our aim is to​​ compute good-enough strategies for​​​‌ each actor in these​ games. Despite the large​‌ size of transport networks,​​ recently developed tools for​​​‌ concurrent hybrid models enable​ numerical methods, and can​‌ be used to learn​​ regulation mechanisms 51.​​​‌ Symbolic representations of sets​ of states and distributions​‌ 60 is also promising​​ to speed up simulation,​​​‌ discover appropriate abstractions and​ therefore enable efficient traffic​‌ management.

7.1.1​​ ParaGraphs

• Name:
  ParaGraphs
• Keywords:​​​‌
  Game theory, Symbolic verification‌
• Functional Description:
  ParaGraphs implements‌​‌ two new algorithms based​​ on antichains, and the​​​‌ original PSPACE algorithm for‌ solving parameterized concurrent games‌​‌ with reachability objectives. It​​ is an open-source C++20​​​‌ tool. It currently supports‌ constraints given as finite‌​‌ unions of intervals, but​​ is designed in a​​​‌ modular way and permits‌ to easily define new‌​‌ types (for instance semi-linear​​ sets), as well as​​​‌ specific implementations of the‌ algorithms for these types.‌​‌
• Release Contributions:
  First version​​ of the software.
• URL:​​​‌
  https://­gitlab.­inria.­fr/­gstaquet/­paragraphs
• Contact:
  Nathalie Bertrand‌
• Participants:
  Gaetan Staquet, Nathalie‌​‌ Bertrand

7.1.2 SimGrid

• Keywords:​​
  Large-scale Emulators, Grid Computing,​​​‌ Distributed Applications
• Scientific Description:‌

  SimGrid is a toolkit‌​‌ that provides core functionalities​​ for the simulation of​​​‌ distributed applications in heterogeneous‌ distributed environments. The simulation‌​‌ engine uses algorithmic and​​ implementation techniques toward the​​​‌ fast simulation of large‌ systems on a single‌​‌ machine. The models are​​ theoretically grounded and experimentally​​​‌ validated. The results are‌ reproducible, enabling better scientific‌​‌ practices.

  Its models of​​ networks, cpus and disks​​​‌ are adapted to (Data)Grids,‌ P2P, Clouds, Fogs, Clusters‌​‌ and HPC, allowing multi-domain​​​‌ studies. It can be​ used either to simulate​‌ algorithms and prototypes of​​ applications, or to emulate​​​‌ real MPI applications through​ the virtualization of their​‌ communication, or to formally​​ assess algorithms and applications​​​‌ that can run in​ the framework.

  The formal​‌ verification module explores all​​ possible message interleavings in​​​‌ the application, searching for​ states violating the provided​‌ properties. This tool can​​ be used to assess​​​‌ safety properties over arbitrary​ and legacy codes, thanks​‌ to a system-level introspection​​ tool that provides a​​​‌ finely detailed view of​ the running application to​‌ the model checker. This​​ can for example be​​​‌ leveraged to verify arbitrary​ MPI code written in​‌ C/C++/Fortran.

• Functional Description:
  SimGrid​​ is a simulation toolkit​​​‌ that provides core functionalities​ for the simulation of​‌ distributed applications in large​​ scale heterogeneous distributed environments.​​​‌
• Release Contributions:

  Breaking the​ seal: v4.0 was not​‌ the final release.

  *​​ Allow one to unseal​​​‌ netzones to modify the​ platform even after the​‌ simulation start. * The​​ model-checker can now report​​​‌ memory race conditions (see​ tutorial). * Pip builds​‌ should now work out​​ of the box. *​​​‌ (+ the usual bug​ fixes overall, and improvements​‌ to the Java/Python bindings).​​

• News of the Year:​​​‌

  Most of the scientific​ work in SimGrid in​‌ 2025 occurred in the​​ embedded model checker. Our​​​‌ work could profit of​ the 2 major releases​‌ of SimGrid in 2025​​ (v4.0 in March and​​​‌ Release v4.1 in November).​ We first worked on​‌ improving the performance of​​ the verification process, and​​​‌ fixed some bugs. Our​ preferred algorithm (ODPOR reduction​‌ + Best-first exploration to​​ enable random walk) is​​​‌ now much faster and​ consumes much less memory,​‌ being 5x faster on​​ small scenarios. But since​​​‌ performance is now linear​ with the number of​‌ states, while it used​​ to be polynomial, 5x​​​‌ faster is the lowest​ performance boost you can​‌ expect from the new​​ version. The number of​​​‌ states to explore for​ a given scenario is​‌ still the same (ODPOR​​ was not improved), but​​​‌ we now can explore​ these states much faster.​‌

  In addition, we added​​ the ability to check​​​‌ for race conditions in​ the user code. This​‌ feature relies on a​​ specific pass to the​​​‌ clang LLVM compiler, to​ instrument the memory accesses.​‌ We use this feature​​ for teaching purposes at​​​‌ our institutions.

  We are​ working on a parallel​‌ explorer leveraging all cores​​ to accelerate the exploration,​​​‌ but unfortunately, we did​ not manage to find​‌ all the bugs in​​ our parallel explorer yet.​​​‌ We are working on​ verifying SimGrid with itself​‌ to hammer this bug​​ out.

• URL:
  https://­simgrid.­org/
• Publication:​​​‌
  hal-04909441
• Contact:
  Martin Quinson​
• Participants:
  Mathieu Laurent, Anne-Cécile​‌ Orgerie, Arnaud Legrand, Augustin​​ Degomme, Arnaud Giersch, Frédéric​​​‌ Suter, Martin Quinson, Samuel​ Thibault
• Partners:
  CNRS, ENS​‌ Rennes

7.1.3 Ticynet

• Name:​​
  Time Cyclic Networks Tool​​​‌
• Keywords:
  Simulator, Public transport,​ Transport model
• Functional Description:​‌

  Ticynet is a tool​​ for the analysis of​​​‌ quantitative properties of urban​ transport networks and for​‌ the optimization of these​​ properties through control techniques.​​

  Specifically, Ticynet allows users​​​‌ to design a metro‌ network and analyze the‌​‌ energy savings achieved through​​ an appropriate fleet management​​​‌ strategy.

  In its current‌ version, Ticynet allows to:‌​‌

  - model an urban​​ transport line (tracks and​​​‌ vehicle fleet) - model‌ the regenerative braking phenomenon‌​‌ - integrate a controller​​ managing vehicle departures, arrivals,​​​‌ and speeds - simulate‌ the complete system to‌​‌ quantify the energy saved​​ ratio.

• Release Contributions:
  Initial​​​‌ version, demonstrator for the‌ ANR Project BisoUS.
• Contact:‌​‌
  Loic Helouet

Runtime enforcement

In the‌ paper 14, we‌​‌ deal with the problem​​ of runtime enforcement (RE)​​​‌ in the context of‌ reactive systems, which consists‌​‌ in modifying the outputs​​ of a system minimally​​​‌ to ensure its correctness.‌ In contrast to enforcers‌​‌ that can postpone events​​ via buffering, enforcers for​​​‌ reactive systems must operate‌ within the same reactive‌​‌ cycle, always yielding a​​ (possibly modied) output. For​​​‌ safety properties, an enforcer‌ makes sure to satisfy‌​‌ the property at each​​ step. However, for general​​​‌ regular properties, one can‌ only expect to satisfy‌​‌ the property eventually. There​​ is then a risk​​​‌ that even under enforcement‌ the satisfaction is indefinitely‌​‌ delayed, and the property​​ is never actually satisfied.​​​‌ Forcing the satisfaction of‌ regular or $\omega$-regular‌​‌ properties has been considered​​ using bounded fairness and​​​‌ prompt eventuality. In this‌ paper, we propose a‌​‌ new runtime enforcement framework​​ for regular properties with​​​‌ prompt eventualities. Given an‌ automaton specifying a property‌​‌ $\phi$ and a bound​​ $k$, the enforcer​​​‌ should never falsify $\mathrm{\phi ‌}$ more than $k$ consecutive‌​‌ steps. We formally define​​ this RE problem, characterize​​​‌ $k$-enforceability of automata,‌ and exhibit the construction‌​‌ of the enforcer. Rather​​ than fixing $k$,​​​‌ we also study whether‌ $k$ can be computed‌​‌ to ensure $k$-enforceability​​ or some maximal coverage​​​‌ of $\phi$. We‌ implement the $k$-prompt‌​‌ enforcement framework, and demonstrate​​ its behaviour with varying​​​‌ $k$.

Learning models‌ for real-time systems

In‌​‌ 22 we present a​​ state-merging algorithm for learning​​​‌ timed languages definable by‌ Event-Recording Automata (ERA) using‌​‌ positive and negative samples​​ in the form of​​​‌ symbolic timed words. Our‌ algorithm, (Learning Event-recording Automata‌​‌ Passively), constructs a possibly​​ nondeterministic ERA from such​​​‌ samples based on merging‌ techniques. We prove that‌​‌ determining whether two ERA​​ states can be merged​​​‌ while preserving sample consistency‌ is an NP-complete problem,‌​‌ and address this with​​ a practical SMT-based solution.​​​‌ Our implementation demonstrates the‌ algorithm’s effectiveness through examples.‌​‌ We also show that​​ every ERA-definable language can​​​‌ be inferred using our‌ algorithm with a suitable‌​‌ sample.

In 18 we​​​‌ present the first algorithm​ for query learning Mealy​‌ machines with timers in​​ a black-box context. Our​​​‌ algorithm is an extension​ of the $L^{♯‌}$ algorithm of Vaandrager et​​ al. to a timed​​​‌ setting. We rely on​ symbolic queries which empower​‌ us to reason on​​ untimed executions while learning.​​​‌ Similarly to the algorithm​ for learning timed automata​‌ of Waga, these symbolic​​ queries can be realized​​​‌ using finitely many concrete​ queries. Experiments with a​‌ prototype implementation show that​​ our algorithm is able​​​‌ to efficiently learn realistic​ benchmarks.

Timed Games

Weighted​‌ Timed Games (WTG for​​ short) are the most​​​‌ widely used model to​ describe controller synthesis problems​‌ involving real-time issues. We​​ consider optimal reachability objectives,​​​‌ in which one of​ the players, that we​‌ call Min, wants to​​ reach a target location​​​‌ while minimising the cumulated​ weight. Unfortunately, WTGs are​‌ notoriously difficult, and undecidable​​ with two or more​​​‌ clocks. As a consequence,​ one-clock WTGs have attracted​‌ a lot of attention,​​ especially because they are​​​‌ known to be decidable​ when only non-negative weights​‌ are allowed. However, when​​ arbitrary weights are considered,​​​‌ despite several recent works,​ their decidability status was​‌ still unknown. In 9​​, we solve this​​​‌ problem positively and show​ that the value function​‌ can be computed in​​ exponential time (if weights​​​‌ are encoded in unary).​ Alternatively to restricting to​‌ a single clock, several​​ conditions, one of them​​​‌ being divergence, have been​ given to recover decidability.​‌ In such weighted timed​​ games (like in untimed​​​‌ weighted games in the​ presence of negative weights),​‌ Min may need finite​​ memory to play (close​​​‌ to) optimally. This is​ thus tempting to try​‌ to emulate this finite​​ memory with other strategic​​​‌ capabilities. In 10,​ we allow the players​‌ to use stochastic decisions,​​ both in the choice​​​‌ of transitions and of​ timing delays. We give​‌ a definition of the​​ expected value in weighted​​​‌ timed games. We then​ show that, in divergent​‌ weighted timed games as​​ well as in (untimed)​​​‌ weighted games (that we​ call shortest-path games in​‌ the following), the stochastic​​ value is indeed equal​​​‌ to the classical (deterministic)​ value, thus proving that​‌ Min can guarantee the​​ same value while only​​​‌ using stochastic choices, and​ no memory.

Compositionality of​‌ transducers

Deterministic two-way transducers​​ with pebbles (aka pebble​​​‌ transducers) capture the class​ of polyregular functions, which​‌ extend the string-to-string regular​​ functions allowing polynomial growth​​​‌ instead of linear growth.​ They are the object​‌ of 20. One​​ of the most fundamental​​​‌ operations on functions is​ composition, and (poly)regular functions​‌ can be realized as​​ a composition of several​​​‌ simpler functions. In general,​ composition of deterministic two-way​‌ transducers incur a doubly​​ exponential blow-up in the​​​‌ size of the inputs.​ A major improvement in​‌ this direction comes from​​ the fundamental result of​​​‌ Dartois et al. 47​ showing a polynomial construction​‌ for the composition of​​ reversible two-way transducers. A​​​‌ precise complexity analysis for​ existing composition techniques of​‌ pebble transducers is missing,​​ but they rely on​​ the classic composition of​​​‌ two-way transducers and inherit‌ the double exponential complexity.‌​‌ To overcome this problem,​​ we introduce in this​​​‌ paper reversible pebble transducers.‌ Our main results are‌​‌ efficient uniformization techniques for​​ non-deterministic pebble transducers to​​​‌ reversible ones and efficient‌ composition for reversible pebble‌​‌ transducers. Our objective is​​ now to lift these​​​‌ result to the timed‌ setting.

True concurrency models​​

In 13 we consider​​​‌ a new approach for‌ the concurrent semantics of‌​‌ Petri nets. Petri nets​​ and their variants are​​​‌ often considered through their‌ interleaved semantics, i.e. considering‌​‌ executions where, at each​​ step, a single transition​​​‌ fires. This is clearly‌ a miss, as Petri‌​‌ nets are a true​​ concurrency model. This paper​​​‌ revisits the semantics of‌ Petri nets as higher-dimensional‌​‌ automata (HDAs) as introduced​​ by van Glabbeek, which​​​‌ methodically take concurrency into‌ account. We extend the‌​‌ translation to include some​​ common features. We consider​​​‌ nets with inhibitor arcs,‌ under both concurrent semantics‌​‌ used in the literature,​​ and generalized self-modifying nets.​​​‌ Finally, we present a‌ tool that implements our‌​‌ translations.

Dynamic Partial Order​​ Reduction

Assessing the correctness​​​‌ of distributed and parallel‌ applications is notoriously difficult‌​‌ due to the complexity​​ of the concurrent behaviors​​​‌ and the difficulty to‌ reproduce bugs. In this‌​‌ context, Dynamic Partial Order​​ Reduction (DPOR) techniques have​​​‌ proved successful in exploiting‌ concurrency to verify applications‌​‌ without exploring all their​​ behaviors. However, they may​​​‌ lack of efficiency when‌ tracking non-systematic bugs of‌​‌ real size applications. In​​ this work 21,​​​‌ we suggest two adaptations‌ of the Optimal Dynamic‌​‌ Partial Order Reduction (ODPOR)​​ algorithm with a particular​​​‌ focus on bug finding‌ and explanation. The first‌​‌ adaptation is an out-of-order​​ version called RFS ODPOR​​​‌ which avoids being stuck‌ in uninteresting large parts‌​‌ of the state space.​​ Once a bug is​​​‌ found, the second adaptation‌ takes advantage of ODPOR‌​‌ principles to efficiently find​​ the origins of the​​​‌ bug.

Verification of blockchain‌ protocols

Blockchains use consensus‌​‌ protocols to reach agreement,​​ e.g., on the ordering​​​‌ of transactions. DAG-based consensus‌ protocols are increasingly adopted‌​‌ by blockchain companies to​​ reduce energy consumption and​​​‌ enhance security. These protocols‌ collaboratively construct a partial‌​‌ order of blocks (DAG​​ construction) and produce a​​​‌ linear sequence of blocks‌ (DAG ordering). Given the‌​‌ strategic significance of blockchains,​​ formal proofs of the​​​‌ correctness of key components‌ such as consensus protocols‌​‌ are essential. The contribution​​ 16 presents safety-verified specifications​​​‌ for five DAG-based consensus‌ protocols. Four of these‌​‌ protocols—DAG-Rider, Cordial Miners, Hashgraph,​​ and Eventual Synchronous BullShark—are​​​‌ well-established in the literature.‌ The fifth protocol is‌​‌ a minor variation of​​ Aleph, another well-established protocol.​​​‌ Our framework enables proof‌ reuse, reducing proof efforts‌​‌ by almost half. It​​​‌ achieves this by providing​ various independent, formally verified,​‌ specifications of DAG construction​​ and ordering variations, which​​​‌ can be combined to​ express all five protocols.​‌ We employ TLA+ for​​ specifying the protocols and​​​‌ writing their proofs, and​ the TLAPS proof system​‌ to automatically check the​​ proofs. Each TLA+ specification​​​‌ is relatively compact, and​ TLAPS efficiently verifies hundreds​‌ to thousands of obligations​​ within minutes. The significance​​​‌ of our work is​ two-fold: first, it supports​‌ the adoption of DAG-based​​ systems by providing robust​​​‌ safety assurances; second, it​ illustrates that DAG-based consensus​‌ protocols are amenable to​​ practical, reusable, and compositional​​​‌ formal methods.

Modelling and optimizing​​​‌ transportation networks

With the​ application of optimization of​‌ urban transportation systems in​​ mind, we proposed several​​​‌ models for multi-agent systems​ and studied relevant verification​‌ questions.

In 23 we​​ consider a timed model​​​‌ tailored to study energy​ savings in transport networks.​‌ It focuses on regenerative​​ braking, a situation where​​​‌ the kinetic energy of​ a vehicle is transformed​‌ in electrical energy and​​ sent back in the​​​‌ electrical network. We first​ describe transport networks, and​‌ formalize their semantics as​​ timed runs of an​​​‌ equivalent network of timed​ automata (NTA). We then​‌ consider three problems. The​​ transfer existence problem checks​​​‌ whether a network has​ the ability to save​‌ energy. The ratio maximization​​ problem aims at computing​​​‌ the maximal ratio of​ energy saved by time​‌ unit in the long​​ run, and the threshold​​​‌ problem consists in verifying​ the existence of a​‌ strategy allowing the saving​​ of more energy than​​​‌ a fixed minima. We​ show that the transfer​‌ problem is a reachability​​ question in the region​​​‌ automaton of the NTA,​ which can be solved​‌ in PSPACE. The ratio​​ problem can be solved​​​‌ using Karp’s algorithm on​ a corner point abstraction​‌ for the NTA, yielding​​ an EXPTIME complexity. Finally,​​​‌ the threshold problem requires​ to address properties of​‌ elementary cycles and finite​​ paths of the corner-point​​​‌ automaton, yielding a PSPACE​ complexity.

In 17 we​‌ consider a new model​​ for multi-agent systems. This​​​‌ contribution introduces collaborative reachability​ games with energy constraints.​‌ In the considered arenas,​​ agents can spend or​​​‌ gain energy during moves,​ or share it with​‌ their peers if their​​ current position allows it.​​​‌ We study several variants​ of energy reachability games​‌ where agents move either​​ synchronously or asynchronously, and​​​‌ with/without constraints on energy​ transfers among peers. We​‌ show that these problems​​ have different complexities ranging​​​‌ from NP to EXPSPACE.​

Optimizating of probabilistic systems​‌

Markov chains and Markov​​ decision processes (MDPs) are​​​‌ well-established probabilistic models. We​ proposed two complementary contributions​‌ to the analysis of​​ MDPs: on the one​​​‌ hand an innovative depth-first​ search strategy, and on​‌ the other hand approximation​​ algorithms for large of​​ infinite-state models.

In the​​​‌ paper8 we consider‌ new algorithms to compute‌​‌ fixpoints in Markov Decison​​ Processes. Value and policy​​​‌ iteration are classical algorithms‌ to maximize the average‌​‌ discounted reward of an​​ MDP. They rely on​​​‌ a breadth-first exploration strategy‌ in the future of‌​‌ each state to update​​ its value and possibly​​​‌ change the action policy‌ at this state. This‌​‌ paper revisits this paradigm​​ and examines a depth-first​​​‌ search strategy. It reformulates‌ the average reward computation‌​‌ as an integral over​​ (future) paths that is​​​‌ better expressed in the‌ formalism of weighted automata.‌​‌ Policy evaluation can then​​ be solved by a​​​‌ Floyd-Warshall algorithm, which gathers‌ at once the rewards‌​‌ along possibly infinite runs.​​ This reformulation opens the​​​‌ way to new approximation‌ schemes for the value‌​‌ function. We show that​​ the same approach also​​​‌ gives access to other‌ quantities of interest, as‌​‌ the gradient of the​​ average reward with respect​​​‌ to model or policy‌ parameters, or the variance‌​‌ of the reward. The​​ behaviors and performances of​​​‌ this value estimation scheme‌ are illustrated on several‌​‌ benchmarks.

While finite Markov​​ models are well-understood, analyzing​​​‌ their infinite counterparts remains‌ a significant challenge. Decisiveness‌​‌ has proven to be​​ an elegant property for​​​‌ countable Markov chains: it‌ is general enough to‌​‌ be satisfied by several​​ natural classes of countable​​​‌ Markov chains, and it‌ is a sufficient condition‌​‌ for simple qualitative and​​ approximate quantitative model-checking algorithms​​​‌ to exist. In contrast,‌ existing works on the‌​‌ formal analysis of countable​​ MDPs usually rely on​​​‌ ad hoc techniques tailored‌ to specific classes. We‌​‌ provide in 25 a​​ general framework to analyze​​​‌ countable MDPs by extending‌ the notion of decisiveness.‌​‌ Compared to Markov chains,​​ MDPs exhibit extra non-determinism​​​‌ that can be resolved‌ in an adversarial or‌​‌ cooperative way, leading to​​ multiple natural notions of​​​‌ decisiveness. We show that‌ these notions enable the‌​‌ approximation of reachability and​​ safety probabilities in countable​​​‌ MDPs using simple model-checking‌ procedures. We then instantiate‌​‌ our generic approach to​​ two concrete classes of​​​‌ models inducing countable MDPs:‌ non-deterministic probabilistic lossy channel‌​‌ systems and partially observable​​ MDPs. This leads to​​​‌ an algorithm to approximately‌ compute safety probabilities in‌​‌ each of these classes.​​

Collaboration with Alstom Transport​​ - P22

Participants: Loïc​​​‌ Hélouët, Antoine Thébault‌.

DEVINE is involved‌​‌ in a long-term collaboration​​ with Alstom Transport on​​​‌ the topic of urbain‌ train systems regulation. Alstom‌​‌ and DEVINE jointly supervised​​ a CIFRE PhD on​​​‌ the topic of smart‌ traffic management (PhD of‌​‌ Antoine Thébault, ANRT grant​​ 2022-0444, 2022-2025). This PhD​​​‌ addressed the two following‌ objectives: optimize traffic management‌​‌ using concurrent models on​​ one hand, and learning​​​‌ techniques (neural networks training,‌ decision tree synthesis) on‌​‌ the other hand to​​ synthesize controllers.

10.1.1 Associate Teams‌​‌ in the framework of​​ an Inria International Lab​​​‌ or in the framework‌ of an Inria International‌​‌ Program

10.1.2 Participation in other​‌ International Programs

10.2.1 ANR​‌ projects

10.2.2 National Informal‌ Collaborations

The team collaborates‌​‌ with the following researchers:​​

• Patricia Bouyer (LMF, ENS​​​‌ Paris-Saclay) on quantitative aspects‌ of verification and game‌​‌ models for parameterized systems;​​​‌
• Luc Dartois (FEMTO-ST, Université​ de Besançon) and Paul​‌ Gastin (LMF, ENS Paris-Saclay)​​ on transducer models and​​​‌ verification of transformations;

11.1.1 Scientific events:​​ selection

11.1.2​​​‌ Journal

11.1.3 Leadership​ within the scientific community​‌

Nathalie Bertrand is the​​ co-head of the French​​​‌ working group on verification​ of GDR-IFM: GT Vérif​‌.

11.1.4 Research administration​​

• Nathalie Bertrand is member​​​‌ of the Formation Spécialisée​ de Site at Inria​‌ center of the University​​ of Rennes.
• Nathalie Bertrand​​​‌ is co-head of IRISA​ and Inria Rennes gender​‌ equality committee, and member​​ of Inria's gender equality​​​‌ and equal opportunities committee.​
• Loïc Hélouët is the​‌ president of the Commission​​ Personnel (Temporary staff committee)​​​‌ at Inria Rennes, responsible​ for evaluation of hirings​‌ on non-permanent positions.
• Loïc​​ Hélouët is elected member​​​‌ of the "Formation Specialisée​ (Health and security committee)"​‌ of Inria and secretary​​ of this committee.
• Thierry​​​‌ Jéron is référent chercheur​ for Inria Rennes and​‌ IRISA.

11.2.1 Teaching

Almost​ all members of DEVINE​‌ do teach.

• Licence: Nathalie​​ Bertrand , Algorithms II,​​​‌ 18h, ENS Rennes;

• BUT:​ Loïc Germerie Guizouarn, network​‌ and cyber-security classes, 246h,​​ IUT Saint-Malo;

• Licence: Aline​​​‌ Goeminne, Algorithms I, 19.5h,​ ENS Rennes;
• Master: Aline​‌ Goeminne, Algorithms, 9h, Agrégation,​​ ENS Rennes;
• Master: Aline​​​‌ Goeminne, Computability and Complexity,​ 10.5h, Agrégation, ENS Rennes;​‌
• Master: Aline Goeminne, Formal​​ languages, 12h, Agrégation, ENS​​​‌ Rennes;

• Master: Aline Goeminne,​ Algorithms and data structures,​‌ 16h, Agrégation, ENS Rennes.​​

• Master: Loïc Hélouët ,​​​‌ Algorithms and proofs, 16h,​ Agrégation, ENS Rennes;

• Licence:​‌ Loïc Hélouët , Algorithms​​ and Java, 40h, INSA​​​‌ Rennes;

• Licence: Julie Parreaux​ , Algorithms 2, 21h,​‌ ENS Rennes;
• Licence: Julie​​ Parreaux , Formals Tools​​​‌ for Computer scientists, 52h,​ ISTIC, Université de Rennes;​‌
• Licence: Julie Parreaux ,​​ Algorithms and Complexity, 47h,​​​‌ ISTIC, Université de Rennes;​
• Licence: Julie Parreaux ,​‌ Programming 2, 24h, ISTIC,​​ Université de Rennes;
• Licence:​​​‌ Julie Parreaux , Logic,​ 16.5h, ISTIC, Université de​‌ Rennes;
• Master: Julie Parreaux​​ , Validation and Verification,​​ 16.5h, ISTIC, Université de​​​‌ Rennes.

11.2.2 Supervision

11.2.3 Juries

11.3.1 Participation in‌ Live events

• Loïc Hélouët‌​‌ contributed to the organization​​ of a seminar on​​​‌ Livestorm for PhD and‌ Postdocs at Inria Rennes‌​‌ (1h each, 40-50 participants),​​ dedicated to Work environment​​​‌ for PhD students.

11.3.2‌ Others science outreach relevant‌​‌ activities

• Loïc Hélouët contributed​​ to the CHICHE! program​​​‌ (15 classes visited).

International journals

• 7​​ articleA.Amazigh Amrane​​​‌, H.Hugo Bazille​, U.Uli Fahrenberg​‌ and K.Krzysztof Ziemiański​​. Closure and decision​​​‌ properties for higher-dimensional automata​.Theoretical Computer Science​‌10362025, 115156​​HALDOI
• 8 article​​​‌A.Aymeric Côme,​ E.Eric Fabre and​‌ L.Loïc Hélouët.​​ A Floyd-Warshall Approach to​​​‌ Value Computation in Markov​ Decision Processes (Extended Version)​‌.International Journal on​​ Software Tools for Technology​​​‌ Transfer2026. In​ press. HALback to​‌ text
• 9 articleB.​​Benjamin Monmege, J.​​​‌Julie Parreaux and P.-A.​Pierre-Alain Reynier. Decidability​‌ of One-Clock Weighted Timed​​ Games with Arbitrary Weights​​​‌.Logical Methods in​ Computer Science211​‌January 2025HALDOI​​back to text
• 10​​​‌ articleB.Benjamin Monmege​, J.Julie Parreaux​‌ and P.-A.Pierre-Alain Reynier​​. Playing Stochastically in​​​‌ Weighted Timed Games to​ Emulate Memory.Logical​‌ Methods in Computer Science​​211February 2025​​​‌HALDOIback to​ text
• 11 articleO.​‌Ocan Sankur. Automatic​​ Assume-Guarantee Reasoning for Safety​​​‌ and Liveness Using Passive​ Learning.Formal Methods​‌ in System Design66​​July 2025, 498–528​​​‌HALDOI
• 12 article​O.Ocan Sankur.​‌ Timed Automata Verification and​​ Synthesis Via Finite Automata​​​‌ Learning.Journal of​ Automated Reasoning692​‌June 2025, 15​​HALDOI

International peer-reviewed​​​‌ conferences

• 13 inproceedingsA.​Amazigh Amrane, H.​‌Hugo Bazille, U.​​Uli Fahrenberg, L.​​​‌Loïc Hélouët and P.​Philipp Schlehuber-Caissier. Petri​‌ Nets and Higher-Dimensional Automata​​.Lecture Notes in​​​‌ Computer SciencePetri Nets​ 2025 - 46th International​‌ Conference on Application and​​ Theory of Petri Nets​​ and Concurrency15714Aubervillers,​​​‌ FranceSpringer2025,‌ 18-40HALDOIback‌​‌ to text
• 14 inproceedings​​A.Ayush Anand,​​​‌ L.Loïc Germerie Guizouarn‌, T.Thierry Jéron‌​‌, S.Sayan Mukherjee​​, S.Srinivas Pinisetty​​​‌ and O.Ocan Sankur‌. Prompt Runtime Enforcement‌​‌.ATVA 2025 -​​ International Symposium on Automated​​​‌ Technology for Verification and‌ AnalysisBengalore, IndiaSpringer‌​‌2025, 1-22HAL​​back to textback​​​‌ to text
• 15 inproceedings‌É.Étienne André,‌​‌ S.Swen Jacobs,​​ S. L.Shyam Lal​​​‌ Karra and O.Ocan‌ Sankur. Parameterized Verification‌​‌ of Timed Networks with​​ Clock Invariants.FSTTCS​​​‌ 2025 - 45th IARCS‌ Annual Conference on Foundations‌​‌ of Software Technology and​​ Theoretical Computer Science45th​​​‌ IARCS Annual Conference on‌ Foundations of Software Technology‌​‌ and Theoretical Computer Science​​ (FSTTCS 2025)Goa, India​​​‌Schloss Dagstuhl – Leibniz-Zentrum‌ für InformatikDecember 2025‌​‌HALDOI
• 16 inproceedings​​N.Nathalie Bertrand,​​​‌ P.Pranav Ghorpade,‌ S.Sasha Rubin,‌​‌ B.Bernhard Scholz and​​ P.Pavle Subotić.​​​‌ Reusable Formal Verification of‌ DAG-based Consensus Protocols.‌​‌Proceedings of the 17th​​ Symposium on Nasa Formal​​​‌ MethodsNFM 2025 -‌ 17th NASA Formal Methods‌​‌ SymposiumLecture Notes in​​ Computer Science15682Williamsburg​​​‌ (Virginia), United StatesSpringer‌2025HALDOIback‌​‌ to text
• 17 inproceedings​​N.Nathalie Bertrand,​​​‌ L.Loïc Hélouët,‌ E.Engel Lefaucheux and‌​‌ L.Luca Paparazzo.​​ Reachability in multi-agent transfer​​​‌ systems.VMCAI 2026‌ - 27th International Conference‌​‌ on Verification, Model Checking,​​ and Abstract InterpretationLNCS​​​‌Rennes, France2026HAL‌back to text
• 18‌​‌ inproceedingsV.Véronique Bruyère​​, B.Bharat Garhewal​​​‌, G. A.Guillermo‌ A Pérez, G.‌​‌Gaëtan Staquet and F.​​ W.Frits W Vaandrager​​​‌. Active Learning of‌ Mealy Machines with Timers‌​‌.Quantitative Evaluation of​​ Systems and Formal Modeling​​​‌ and Analysis of Timed‌ Systems. QEST+FORMATS 2025. Lecture‌​‌ Notes in Computer Science.​​QEST+FORMATS 2025 - Quantitative​​​‌ Evaluation of Systems and‌ Formal Modeling and Analysis‌​‌ of Timed Systems16143​​Lecture Notes in Computer​​​‌ ScienceAarhus, DenmarkSpringer‌ Nature SwitzerlandOctober 2025‌​‌, 42-61HALDOI​​back to text
• 19​​​‌ inproceedingsK.Krishnendu Chatterjee‌, L.Laurent Doyen‌​‌, J.-F.Jean-François Raskin​​ and O.Ocan Sankur​​​‌. The Value Problem‌ for Multiple-Environment MDPs with‌​‌ Parity Objective.ICALP​​ 2025 - 52nd EATCS​​​‌ International Colloquium on Automata,‌ Languages, and Programming52nd‌​‌ International Colloquium on Automata,​​ Languages, and Programming (ICALP​​​‌ 2025)Aarhus, DenmarkSchloss‌ Dagstuhl – Leibniz-Zentrum für‌​‌ Informatik2025HALDOI​​
• 20 inproceedingsL.Luc​​​‌ Dartois, P.Paul‌ Gastin, L. G.‌​‌Loïc Germerie Guizouarn and​​ S.Shankaranarayanan Krishna.​​​‌ Reversible Pebble Transducers.‌Leibniz International Proceedings in‌​‌ Informatics (LIPIcs)CONCUR 2025​​ - 36th International Conference​​​‌ on Concurrency Theory36th‌ International Conference on Concurrency‌​‌ Theory (CONCUR 2025)348​​Aarhus, DenmarkSchloss Dagstuhl​​​‌ – Leibniz-Zentrum für Informatik‌August 2025, 14:1-14:22‌​‌HALDOIback to​​ text
• 21 inproceedingsM.​​​‌Mathieu Laurent, T.‌Thierry Jéron and M.‌​‌Martin Quinson. Towards​​​‌ Efficient Verification of Parallel​ Applications with Mc SimGrid​‌.DisCoTec 2025 -​​ 20th International Federated Conference​​​‌ on Distributed Computing Techniques​FORTE 2025 - 45th​‌ International Conference on Formal​​ Techniques for Distributed Objects,​​​‌ Components, and SystemsLecture​ Notes in Computer Science​‌Lille, FranceSpringer2025​​, 1-21HALback​​​‌ to text
• 22 inproceedings​A.Anirban Majumdar,​‌ S.Sayan Mukherjee and​​ J.-F.Jean-François Raskin.​​​‌ Learning Event-Recording Automata Passively​.ATVA 2025 -​‌ Automated Technology for Verification​​ and Analysis16145Lecture​​​‌ Notes in Computer Science​Bengaluru, IndiaSpringer Nature​‌ SwitzerlandOctober 2025,​​ 27-48HALDOIback​​​‌ to text
• 23 inproceedings​L.Luca Paparazzo,​‌ L.Loïc Hélouët and​​ N.Nicolas Markey.​​​‌ Energy Transfer in Timed​ Cyclic Networks.Lecture​‌ Notes in Computer Science​​Petri Nets 2025 -​​​‌ 46th International Conference on​ Applications and Theory of​‌ Petri Nets and Concurrency​​15714Lecture Notes in​​​‌ Computer ScienceParis, France​Springer Nature SwitzerlandJune​‌ 2025, 197-218HAL​​DOIback to text​​​‌

Conferences without proceedings

• 24​ inproceedingsL.Luc Passemard​‌, A.Amazigh Amrane​​ and U.Uli Fahrenberg​​​‌. Higher-Dimensional Automata: Extension​ to Infinite Tracks.​‌FSCD 2025 - 10th​​ International Conference on Formal​​​‌ Structures for Computation and​ DeductionBirmingham, United Kingdom​‌Schloss Dagstuhl – Leibniz-Zentrum​​ für Informatik2025HAL​​​‌DOI

Scientific book chapters​

• 25 inbookN.Nathalie​‌ Bertrand, P.Patricia​​ Bouyer, T.Thomas​​​‌ Brihaye, P.Paulin​ Fournier and P.Pierre​‌ Vandenhove. Decisiveness for​​ Countable MDPs and Insights​​​‌ for NPLCSs and POMDPs​.15760Principles of​‌ Formal Quantitative AnalysisLecture​​ Notes in Computer Science​​​‌Springer Nature SwitzerlandAugust​ 2026, 70-98HAL​‌DOIback to text​​

Edition (books, proceedings, special​​​‌ issue of a journal)​

• 26 proceedingsPrinciples of​‌ Formal Quantitative Analysis: Essays​​ Dedicated to Christel Baier​​​‌ on the Occasion of​ Her 60th Birthday.​‌Principles of Formal Quantitative​​ Analysis15760Lecture Notes​​​‌ in Computer ScienceAarhus​ (Danemark), DenmarkSpringer Nature​‌ Switzerland2025HALDOI​​