Section: Scientific Foundations
Verification
Verification in its full generality consists in checking that a system, which is specified by a formal model, satisfies a required property. Verification takes place in our research in two ways: on the one hand, a large part of our work, and in particular controller synthesis and conformance testing, relies on the ability to solve some verification problems. Many of these problems reduce to reachability and coreachability questions on a formal model (a state s is reachable from an initial state s_{i} if an execution starting from s_{i} can lead to s ; s is coreachable from a final state s_{f} if an execution starting from s can lead to s_{f} ). These are important cases of verification problems, as they correspond to the verification of safety properties.
On the other hand we investigate verification on its own in the context of complex systems. For expressivity purposes, it is necessary to be able to describe faithfully and to deal with complex systems. Some particular aspects require the use of infinite state models. For example asynchronous communications with unknown transfer delay (and thus arbitrary large number of messages in transit) are correctly modeled by unbounded FIFO queues, and real time systems require the use of continuous variables which evolve with time. Apart from these aspects requiring infinite state data structure, systems often include uncertain or random behaviours (such as failures, actions from the environment), which it make sense to model through probabilities. To encompass these aspects, we are interested in the verification of systems equipped with infinite data structures and/or probabilistic features.
When the state space of the system is infinite, or when we try to evaluate performances, standard modelchecking techniques (essentially graph algorithms) are not sufficient. For large or infinite state spaces, symbolic modelchecking or approximation techniques are used. Symbolic verification is based on efficient representations of set of states and permits exact modelchecking of some wellformed infinitestate systems. However, for feasibility reasons, it is often mandatory to make the use of approximate computations, either by computing a finite abstraction and resort to graph algorithms, or preferably by using more sophisticated abstract interpretation techniques. Another way to cope with large or infinite state systems is deductive verification, which, either alone or in combination with compositional and abstraction techniques, can deal with complex systems that are beyond the scope of fully automatic methods. For systems with stochastic aspects, a quantitative analysis has to be performed, in order to evaluate the performances. Here again, either symbolic techniques (e.g. by grouping states with similar behaviour) or approximation techniques should be used.
We detail below four verification topics we are interested in: abstract interpretation, theorem proving, modelchecking of infinite state and probabilistic systems and analysis of systems defined by graph grammars.
Abstract interpretation and Data Handling
Most problems in test generation or controller synthesis reduce to state reachability and state coreachability problems which can be solved by fixpoint computations of the form x = F(x), xC where C is a lattice. In the case of reachability analysis, if we denote by S the state space of the considered program, C is the lattice (S) of sets of states, ordered by inclusion, and F is roughly the “successor states ” function defined by the program.
The big change induced by taking into account the data and not only the (finite) control of the systems under study is that the fixpoints become uncomputable. The undecidability is overcome by resorting to approximations, using the theoretical framework of Abstract Interpretation [39] . The fundamental principles of Abstract Interpretation are:

to substitute to the concrete domain C a simpler abstract domain A (static approximation) and to transpose the fixpoint equation into the abstract domain, so that one has to solve an equation y = G(y), yA ;

to use a widening operator (dynamic approximation) to make the iterative computation of the least fixpoint of G converge after a finite number of steps to some upperapproximation (more precisely, a postfixpoint).
Approximations are conservative so that the obtained result is an upperapproximation of the exact result. In simple cases the state space that should be abstracted has a simple structure, but this may be more complicated when variables belong to different data types (Booleans, numerics, arrays) and when it is necessary to establish relations between the values of different types.
Theorem Proving
For verification we also use theorem proving and more particularly the pvs [43] and Coq [44] proof assistants. These are two generalpurpose systems based on two different versions of higherorder logic. A verification task in such a proof assistant consists in encoding the system under verification and its properties into the logic of the proof assistant, together with verification rules that allow to prove the properties. Using the rules usually requires input from the user; for example, proving that a state predicate holds in every reachable state of the system (i.e., it is an invariant ) typically requires to provide a stronger, inductive invariant, which is preserved by every execution step of the system. Another type of verification problem is proving simulation between a concrete and an abstract semantics of a system. This can also be done by induction in a systematic manner, by showing that, in each reachable state of the system, each step of the concrete system is simulated by a corresponding step at the abstract level.
Modelchecking of infinite state and probabilistic systems
Modelchecking techniques for finite state probabilistic systems are now quite developed. Given a finite state Markov chain, for example, one can check whether some property holds almost surely (i.e. the set of executions violating the property is negligible), and one can even compute (or at leat approximate as close as wanted) the probability that some property holds. In general, these techniques cannot be adapted to infinite state probabilistic systems, just as modelchecking algorithms for finite state systems do not carry over to infinite state systems. For systems exhibiting complex data structures (such as unbounded queues, continuous clocks) and uncertainty modeled by probabilities, it can thus be hard to design modelchecking algorithms. However, in some cases, especially when considering qualitative verification, symbolic methods can lead to exact results. Qualitative questions do not aim at computing neither approximating a probability, but are only concerned with almostsure or non negligible behaviours (that is events either of probability one, or non zero). In some cases, qualitative modelchecking can be derived from a combination of techniques for infinite state systems (such as abstractions) with methods for finite state probabilistic systems. However, when one is interested in computing (or rather approximating) precise probability values (neither 0 nor 1), exact methods are scarce. To deal with these questions, we either try to restrict to classes of systems where exact computations can be made, or look for approximation algorithms.
Analysis of infinite state systems defined by graph grammars
Currently, many techniques (reachability, model checking, ...) from finite state systems have been generalised to pushdown systems, that can be modeled by graph grammars. Several such extensions heavily depend on the actual definition of the pushdown automata, for example, how many top stack symbols may be read, or whether the existence of transitions (silent transitions) is allowed. Many of these restrictions do not affect the actual structure of the graph, and interesting properties like reachability or satisfiability (of a formula) only depend on the structure of a graph.
Deterministic graph grammars enable to focus on structural properties of systems. The connexion with finite graph algorithms is often straightforward: for example reachability is simply the finite graph algorithm iterated on the right hand sides. On the other hand, extending these grammars with time or probabilities is not straightforward: qualitative values associated to each copy (in the graph) of the same vertex (in the grammar) is different, introducing more complex equations. Furthermore, the fact that the lefthand sides are single hyperarcs is a very strong restriction. But removing this restriction leads to nonrecursive graphs. Identifying decidable families of graphs defined by contextual graph grammars is also very challenging.