## About

176 publications, 11,982 reads


2,287 citations (since 2017)


## Publications

Publications (176)

Parametric timed automata are a powerful formalism for reasoning on concurrent real-time systems with unknown or uncertain timing constants. Reducing their state space is a significant way to reduce the inherently large analysis times. We present here different merging reduction techniques based on convex union of constraints (parametric zones), al...

Model checking timed systems may be negatively impacted by the presence of Zeno runs as counterexamples. Such runs contain an infinite number of discrete actions occurring in a finite time, which is unrealistic; therefore, these runs must be pruned during model checking. Given a model of a timed system and a property, parametric model checking aims...

Networks of automata that synchronise over shared actions are organised according to a graph synchronisation topology. In this topology two automata are connected if they can jointly execute some action. We present a very effective reduction for networks with tree-like synchronisation topologies such that all automata after synchronising with their...


At large scale, failures are statistically frequent and need to be taken into account. Tolerating failures has arisen as a major challenge in parallel computing: as the size of the systems grows, failures become more common and some computation units are expected to fail during the execution of a program. Algorithms used in these programs must be sca...

A dynamic partial order reduction (DPOR) algorithm is optimal when it always explores at most one representative per Mazurkiewicz trace. Existing literature suggests that the reduction obtained by the non-optimal, state-of-the-art Source-DPOR (SDPOR) algorithm is comparable to optimal DPOR. We show the first program with $\mathop{\mathcal{O}}(n)$ M...
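The abstract above contrasts the number of interleavings a program has with the (often much smaller) number of Mazurkiewicz traces that an optimal DPOR explores. The following added example, written for this page and not taken from the paper (it implements neither SDPOR nor optimal DPOR), makes that gap concrete: it enumerates every interleaving of a constructed multi-threaded program, maps each to its Cartier-Foata normal form under the usual dependency relation (same thread, or same variable with at least one write), and counts the distinct traces. The `thread` helper and the sample programs are constructed for the example.

```python
"""Counting Mazurkiewicz traces versus interleavings of a tiny concurrent program.

Added illustration, not code from the paper above (it does not implement
SDPOR or optimal DPOR). Two events are dependent when they belong to the same
thread or touch the same variable with at least one write; equivalent
interleavings are identified by their Foata normal form. Programs are constructed.
"""
from __future__ import annotations

from typing import FrozenSet, Iterator, List, NamedTuple, Sequence, Tuple


class Event(NamedTuple):
    thread: int
    index: int     # position in the thread, so every event is a distinct letter
    op: str        # "r" or "w"
    var: str


def thread(tid: int, *accesses: Tuple[str, str]) -> List[Event]:
    """Build the events of one thread from (op, var) pairs in program order."""
    return [Event(tid, i, op, var) for i, (op, var) in enumerate(accesses)]


def dependent(e: Event, f: Event) -> bool:
    return e.thread == f.thread or (e.var == f.var and "w" in (e.op, f.op))


def foata(word: Sequence[Event]) -> Tuple[FrozenSet[Event], ...]:
    """Cartier-Foata normal form: each letter goes into the step right after the
    last step holding a letter it depends on. Two words are trace-equivalent
    iff their normal forms coincide, so this is a canonical trace representative."""
    steps: List[set] = []
    for e in word:
        last = -1
        for i, step in enumerate(steps):
            if any(dependent(e, f) for f in step):
                last = i
        if last + 1 == len(steps):
            steps.append(set())
        steps[last + 1].add(e)
    return tuple(frozenset(s) for s in steps)


def interleavings(threads: Sequence[Sequence[Event]],
                  prefix: Tuple[Event, ...] = ()) -> Iterator[Tuple[Event, ...]]:
    """Every total order of the events that respects each thread's program order."""
    if not any(threads):
        yield prefix
        return
    for i, t in enumerate(threads):
        if t:
            rest = list(threads)
            rest[i] = t[1:]
            yield from interleavings(rest, prefix + (t[0],))


def count_traces(threads: Sequence[Sequence[Event]]) -> Tuple[int, int]:
    """(number of interleavings, number of Mazurkiewicz traces). An optimal DPOR
    explores exactly the second number of executions."""
    words = list(interleavings(threads))
    return len(words), len({foata(w) for w in words})


if __name__ == "__main__":
    # Constructed program: T1 writes x then reads y, T2 writes y, T3 writes z.
    prog = [thread(1, ("w", "x"), ("r", "y")), thread(2, ("w", "y")), thread(3, ("w", "z"))]
    print("interleavings, traces:", count_traces(prog))       # (12, 2)
    # Three writers of the same variable: every interleaving is its own trace.
    print(count_traces([thread(i, ("w", "x")) for i in range(3)]))  # (6, 6)
```

The counting is exhaustive and only meant for programs of a handful of events; the point is the ratio, which here drops twelve interleavings to two traces because only the order of T1's read of `y` relative to T2's write of `y` matters.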

Expressing attack-defence trees (ADTrees) in a multi-agent setting allows for studying a new aspect of security scenarios, namely how the number of agents and their task assignment impact the performance of attacking and defending strategies executed by agent coalitions. Our tool ADT2AMAS allows for transforming ADTrees into extended asynchronous m...

We discuss what kind of completeness guarantees can be provided by semi-algorithms for the synthesis of the set of parameters under which a parametric timed automata meets some liveness property.

We study semi-algorithms to synthesise the constraints under which a Parametric Timed Automaton satisfies some liveness requirement. The algorithms traverse a possibly infinite parametric zone graph, searching for accepting cycles. We provide new search and pruning algorithms, leading to successful termination for many examples. We demonstrate the...

Expressing attack-defence trees in a multi-agent setting allows for studying a new aspect of security scenarios, namely how the number of agents and their task assignment impact the performance, e.g. attack time, of strategies executed by opposing coalitions. Optimal scheduling of agents' actions, a non-trivial problem, is thus vital. We discuss as...

Attack-Defence Trees (ADTrees) are a well-suited formalism to assess possible attacks to systems and the efficiency of counter-measures. This paper extends the available ADTree constructs with reactive patterns that cover further security scenarios, and equips all constructs with attributes such as time and cost to allow for quantitative analyses....

We investigate networks of automata that synchronise over common action labels. A graph synchronisation topology between the automata is defined in such a way that two automata are connected iff they can synchronise over an action. We show a very effective reduction of networks of automata with tree-like synchronisation topologies. The reduction pr...

This paper constitutes a short introduction to parametric verification of concurrent systems. It originates from two 1-day tutorial sessions held at the Petri nets conferences in Toruń (2016) and Zaragoza (2017). A video of the presentation is available at https://www.youtube.com/playlist?list=PL9SOLKoGjbeqNcdQVqFpUz7HYqD1fbFIg, consisting of 14 sh...

In this paper we investigate the Timed Alternating-Time Temporal Logic (TATL), a discrete-time extension of ATL. In particular, we propose, systematize, and further study semantic variants of TATL, based on different notions of a strategy. The notions are derived from different assumptions about the agents’ memory and observational capabilities, an...

This paper constitutes a short introduction to parametric verification of concurrent systems. It originates from two 1-day tutorial sessions held at the Petri nets conferences in Toruń (2016) and Zaragoza (2017). The paper presents not only the basic formal concepts tackled in the video version, but also an extensive literature to provide the rea...

Attack-Defence Trees (ADTs) are well-suited to assess possible attacks to systems and the efficiency of counter-measures. In this paper, we first enrich the available constructs with reactive patterns that cover further security scenarios, and equip all constructs with attributes such as time and cost to allow quantitative analyses. Then, ADTs are...
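The two ADTree abstracts above (the TPNC/ToPNoC paper and this one) describe equipping attack and defence constructs with time and cost attributes for quantitative analysis. The following added example, written for this page and not taken from either paper or from the ADT2AMAS tool, evaluates a small attack-defence tree under those attributes: attacker OR picks the cheapest surviving branch, attacker AND sums cost and (sequential) time, and a countermeasure edge makes its attack subtree infeasible once the defender has paid to activate the named defence. It then searches for the defence set within a budget that maximises the attacker's cheapest remaining cost. The node classes, the scenario and every number are constructed for the example; the papers' reactive patterns are not modelled.

```python
"""Quantitative attack-defence tree (ADTree) evaluation with cost and time.

Added illustration, not code from the papers listed above. Supported
constructs: attacker leaves with (cost, time), attacker OR/AND, and a
countermeasure edge that disables an attack subtree once the defender has
activated the named defence. The scenario and all numbers are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from itertools import combinations
from typing import Dict, FrozenSet, Optional, Tuple, Union

Attr = Tuple[float, float]          # (cost, time) of the cheapest surviving attack
INF = float("inf")


@dataclass(frozen=True)
class Leaf:                          # basic attack step
    name: str
    cost: float
    time: float


@dataclass(frozen=True)
class Or:                            # any child suffices
    children: Tuple["Node", ...]


@dataclass(frozen=True)
class And:                           # all children needed, performed one after another
    children: Tuple["Node", ...]


@dataclass(frozen=True)
class Countered:                     # attack subtree neutralised when `defence` is active
    attack: "Node"
    defence: str
    defence_cost: float


Node = Union[Leaf, Or, And, Countered]


def cheapest(node: Node, active: FrozenSet[str]) -> Optional[Attr]:
    """Cheapest feasible attack under the active defences; None if none survives.
    OR takes the minimum by cost, then by time; AND sums cost and sequential time."""
    if isinstance(node, Leaf):
        return (node.cost, node.time)
    if isinstance(node, Countered):
        return None if node.defence in active else cheapest(node.attack, active)
    if isinstance(node, Or):
        options = [r for r in (cheapest(c, active) for c in node.children) if r is not None]
        return min(options) if options else None
    cost = time = 0.0
    for child in node.children:
        r = cheapest(child, active)
        if r is None:
            return None
        cost, time = cost + r[0], time + r[1]
    return (cost, time)


def defences(node: Node, acc: Optional[Dict[str, float]] = None) -> Dict[str, float]:
    """Collect every defence reachable in the tree with its activation cost."""
    acc = {} if acc is None else acc
    if isinstance(node, Countered):
        acc[node.defence] = node.defence_cost
        defences(node.attack, acc)
    elif isinstance(node, (Or, And)):
        for child in node.children:
            defences(child, acc)
    return acc


def best_defence(tree: Node, budget: float) -> Tuple[FrozenSet[str], Optional[Attr]]:
    """Exhaustively pick the defence set within budget that maximises the attacker's
    cheapest remaining cost (ties broken by spending less). Exponential in the
    number of defences, which is fine for trees of this size."""
    costs = defences(tree)
    names = sorted(costs)
    best: Tuple[FrozenSet[str], Optional[Attr], float] = (frozenset(), cheapest(tree, frozenset()), 0.0)
    for k in range(1, len(names) + 1):
        for combo in combinations(names, k):
            spend = sum(costs[n] for n in combo)
            if spend > budget:
                continue
            attr = cheapest(tree, frozenset(combo))
            new_cost = INF if attr is None else attr[0]
            cur_cost = INF if best[1] is None else best[1][0]
            if new_cost > cur_cost or (new_cost == cur_cost and spend < best[2]):
                best = (frozenset(combo), attr, spend)
    return best[0], best[1]


# Constructed scenario: root goal "steal the customer database".
TREE: Node = Or((
    And((Leaf("phish admin credentials", 200, 2),
         Countered(Leaf("dump database", 50, 1), "db_encryption", 400))),
    Countered(Leaf("exploit web app RCE", 800, 5), "patch_management", 300),
    And((Leaf("bribe insider", 5000, 10), Leaf("exfiltrate", 100, 1))),
))

if __name__ == "__main__":
    print("no defence:", cheapest(TREE, frozenset()))          # (250, 3)
    for budget in (300, 500, 700):
        print(f"budget {budget}:", best_defence(TREE, budget))
```

With a budget of 300 the only affordable defence (patch management) does not raise the attacker's cheapest path at all, so the optimiser spends nothing; at 500 encrypting the database forces the attacker onto the 800-cost exploit, and at 700 both defences leave only the insider route.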

Parametric timed automata (PTA) extend timed automata by allowing parameters in clock constraints. Such a formalism is for instance useful when reasoning about unknown delays in a timed system. Using existing techniques, a user can synthesize the parameter constraints that allow the system to reach a specified goal location, regardless of how much...


This is the author version of the manuscript of the same name published in the Transactions on Petri Nets and Other Models of Concurrency (ToPNoC). This work is partially supported by the ANR national research program PACS (ANR-14-CE28-0002)


This paper considers the consistency problem for Parametric Interval Markov Chains. In particular, we introduce a co-inductive definition of consistency, which improves and simplifies previous inductive definitions considerably. The equivalence of the inductive and co-inductive definitions has been formally proved in the interactive theorem prover...

Model checking is a fully automated, formal method for demonstrating absence of bugs in reactive systems. Here, bugs are violations of properties in Linear-time Temporal Logic (LTL). A fundamental challenge to its application is the exponential explosion in the number of system states. The current chapter discusses the use of parallelism in order t...

Real-time systems often involve hard timing constraints and concurrency, and are notoriously hard to design or verify. Given a model of a real-time system and a property, parametric model-checking aims at synthesizing timing valuations such that the model satisfies the property. However, the counter-example returned by such a procedure may be Zeno...

Wireless Sensor Networks (WSNs) are used for many monitoring applications in risky areas such as volcanoes, earthquake zones and deep jungle regions. Such network topologies are randomly deployed by dropping large sets of sensors from helicopters. Thus, one cannot ensure that the actual post-deployment topology of sensors is reliable, i.e. wheth...

This paper presents the benefits of formal modelling and verification techniques for self-stabilising distributed algorithms. An algorithm is studied, that takes a set of processes connected by a tree topology and converts it to a ring configuration. The Coloured Petri net model not only facilitates the proof that the algorithm is correct and self-...

The paper presents the WSN-PN tool, which aims at modelling and verifying Wireless Sensor Networks (WSN) using Petri nets (PN). Especially, WSN-PN allows for congestion detection on a WSN setting. Moreover, WSN-PN supports users to abstract components, which can be either sensors or channels, on the verified PN. This abstraction is possible due to...

This paper proposes a new approach for modelling a Congestion Detection mechanism on Wireless Sensor Networks (WSN) using the Petri Net (PN) language. Even though PNs are powerful for modelling concurrent systems, they suffer from a high computational cost when verifying properties on the modelled system. We suggest a component-based abstraction to...

Interval Markov Chains (IMCs) are the base of a classic probabilistic specification theory introduced by Larsen and Jonsson in 1991. They are also a popular abstraction for probabilistic systems. In this paper we study parameter synthesis for a parametric extension of Interval Markov Chains in which the endpoints of intervals may be replaced with p...

This paper introduces PeCAn, a tool supporting compositional verification of Petri nets. Beyond classical features (such as on-the-fly analysis and synchronisation between multiple Petri nets), PeCAn generates Symbolic Observation Graphs (SOG), and uses their composition to support modular abstractions of multiple Petri nets for more efficient veri...

This volume contains the proceedings of the 2nd French Singaporean Workshop on Formal Methods and Applications (FSFMA'14). The workshop was held in Singapore on May 13th, 2014, as a satellite event of the 19th International Symposium on Formal Methods (FM'14). FSFMA aims at sharing research interests and launching collaborations in the area of form...

Nowadays, students increasingly demand practical coursework, which is a challenge when teaching formal approaches to software engineering. The solution is to provide environments for such hands-on sessions and homework, but this raises numerous difficulties. The environment must be: (i) multi-platform (Mac OS, Linux, Windows) so as to e...

This article introduces a parallel state space exploration algorithm for shared memory multi-core architectures using state compression and state reconstruction to reduce memory consumption. The algorithm proceeds in rounds each consisting of three phases: concurrent expansion of open states, concurrent reduction of potentially new states, and conc...

Over the past two decades, numerous verification tools have been successfully used for verifying complex concurrent systems, modelled using various formalisms. However, it is still hard to coordinate these tools since they rely on such a large number of formalisms. Having a proper syntactical mechanism to interrelate them through variability would...

This paper deals with verification of reachability properties on time Petri nets (TPN). TPNs allow the specification of real-time systems involving timing constraints explicitly. The main challenge of the analysis of such systems is to construct a finite abstraction of the corresponding (infinite) state graph preserving timed properties. Thus, we p...

Time Petri nets (TPN model) allow the specification of real-time systems involving explicit timing constraints. The main challenge of the analysis of such systems is to construct, with few resources (time and space), a coarse abstraction preserving timed properties. In this paper, we propose a new finite graph, called Timed Aggregate Graph (TAG), a...

Quantifying the robustness of a real-time system consists in measuring the maximum extension of the timing delays such that the system still satisfies its specification. In this work, we introduce a more precise notion of robustness, measuring the allowed variability of the timing delays in their neighbourhood. We consider here the formalism of tim...

CosyVerif aims at gathering within a common framework various existing tools for specification and verification. It has been designed in order to 1) support different formalisms with the ability to easily create new ones, 2) provide a graphical user interface for every formalism, 3) include verification tools called via the graphical interface or v...

Lifelong learning allows for workers' career evolution, and can be achieved either through dedicated adult education courses, or via professional experience. In this paper, we report on a project started four years ago with Orange-France Telecom (a major telecoms operator in France) which aims at delivering national diplomas on the basis of knowledge and profi...


This paper presents a method for designing a coloured Petri net model of a system starting from its high-level object oriented source code. The entire process is divided into two parts: grounding and code analysis. For each part detailed step-by-step guidelines are given. The approach is illustrated with an industrial application case study, the NE...

This paper presents Cndfs, a tight integration of two earlier multi-core nested depth-first search (Ndfs) algorithms for LTL model checking. Cndfs combines the different strengths and avoids some weaknesses of its predecessors. We compare Cndfs to an earlier ad-hoc combination of those two algorithms and show several benefits: It has shorter and si...

Model checking is a powerful and widespread technique for the verification of finite state concurrent systems. However, the main hindrance for wider application of this technique is the well-known state explosion problem. In [16], we proposed an incremental and compositional verification approach where the system model is partitioned according to t...

In this paper, we propose a distributed algorithm for CTL model-checking and a counterexample search whenever the CTL formula is not satisfied. The distributed approach is used in order to cope with the state space explosion problem. A cluster of workstations performs collaborative verification over a partitioned state space. Thus, every process in...

The Petri net standard ISO/IEC 15909 comprises 3 parts. The first one defines the most used net types, the second an interchange format for these – both are published. The third part deals with Petri net extensions, in particular structuring mechanisms and the introduction of additional, more elaborate net types within the standard. This paper pres...

In order to manage very large distributed databases such as those used for banking and e-government applications, and thus to handle sensitive data, an original peer-to-peer transaction protocol, called NEO, was proposed. To ensure its effective operation, it is necessary to check a set of critical properties. The most important ones are related t...

Even though the well-known nested-depth first search algorithm for LTL model checking provides good performance, it cannot benefit from the recent advent of multi-core computers. This paper proposes a new version of this algorithm, adapted to multi-core architectures with a shared memory. It can exhibit good speed-ups as supported by a series of ex...

Nowadays, distributed systems are increasingly present, for public software applications as well as critical systems. This title and Distributed Systems: Design and Algorithms, from the same editors, introduce the underlying concepts, the associated design techniques and the related security issu...

The Petri net standard ISO/IEC 15909 comprises 3 parts. The first one defines the most used net types, the second an interchange format for these — both are published. The third part deals with Petri net extensions, in particular structuring mechanisms and the introduction of additional, more elaborate net types within the standard. This paper foc...

In data modelling, one of the most important abstraction concepts is specialisation, with generalisation being the converse. Although there are already some approaches to define generalisation for process modelling as well, there is no generally accepted notion of generalisation for processes. In this paper, we introduce a general definition of p...

In today's digital environment, distributed systems are increasingly present in a wide variety of environments, ranging from public software applications to critical systems. Distributed Systems introduces the underlying concepts, the associated design techniques and the related security issues. Distributed Systems: Design and Algorithms, is dedica...

In this work, we address the issue of the formal proof (using the proof assistant Coq) of refinement correctness for symmetric nets, a subclass of coloured Petri nets. We provide a formalisation of the net models, and of their type refinement in Coq. Then the Coq proof assistant is used to prove the refinement correctness lemma. An example adapted...

This paper presents the modelling process and first analysis results carried out within the NEOPPOD project. A protocol, NEO, has been designed in order to manage very large distributed databases such as those used for banking and e-government applications, and thus to handle sensitive data. Security of data is therefore a critical issue that must...

Verification of complex systems specification often encounters the so-called state space explosion problem, which prevents exhaustive model-checking in many practical cases. Many techniques have been developed to counter this problem by reducing the state space, either by retaining a smaller number of relevant states, or by using a smart represe...

The International Standard on Petri nets, ISO/IEC 15909, provides a formal semantics and syntax to enable model interchange and industrial dissemination. Part 2 defines a concrete interchange format as an XML-based language: PNML. This language is bound to evolve together with future developments of the standard. This paper presents PNML Framework,...

In 2000, a workshop [1] intended to foster the definition of a standard transfer format for Petri nets was held as a satellite event of the annual ‘Petri Net Conference’ in Aarhus. As a result of this first workshop, after many other discussions and meetings, the Petri Net Markup Language (PNML) is about to be finally adopted as ISO/IEC 15909-2. O...

The use of high-level nets, such as coloured Petri nets, is very convenient for modelling complex controllable systems in order to have a compact, readable and structured specification. However, when coming to the analysis phase, using too elaborate types becomes a burden. A good trade-off between expressiveness and analysis capabilities is then to...


When designing complex systems, mechanisms for structuring, composing, and reusing system components are crucial. Today, there are many approaches for equipping Petri nets with such mechanisms. In the context of defining a standard interchange format for Petri nets, modular PNML was defined as a mechanism for modules in Petri nets that is independe...

The use of distributed or parallel processing gained interest in the recent years to fight the state space explosion problem. Many industrial systems are described with large models, and the state space being even larger, it does not fit completely into the memory of a single computer. To avoid the high space requirement, several reduction techniq...

Fast acceleration of symbolic transition systems (Fast) is a tool for the analysis of systems manipulating unbounded integer variables. We check safety properties by computing the reachability set of the system under study. Even if this reachability set is not necessarily recursive, we use innovative techniques, namely symbolic representation, acce...

Model checking for Linear Time Logic (LTL) is usually based on converting the (negation of a) property into a Büchi automaton, composing the automaton and the model, and finally checking for emptiness of the language of the composed system. The last step is the crucial stage of the verification process because of the state explosion problem. In thi...
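The abstract above, together with the two multi-core nested-DFS abstracts earlier on this page (the Cndfs paper and the shared-memory Ndfs paper), all start from the same sequential emptiness check. The following added example, written for this page and not taken from any of those papers or their tools, implements that baseline: the classic two-colour nested depth-first search of Courcoubetis et al. run on the product of a constructed request/serve model with a Büchi automaton for the negation of the liveness property G F p ("every request is eventually served"). A busy-wait self-loop in the model produces an accepting cycle, i.e. a starvation counterexample; removing it makes the product language empty. The model, its labelling, `buchi_step` and the helper names are constructed for the example.

```python
"""Nested depth-first search (NDFS) for Büchi emptiness on a model x property product.

Added illustration, not code from the papers listed above; this is the
sequential algorithm those papers parallelise. The model, the labelling and
the Büchi automaton for the negated property are constructed for the example.
"""
from __future__ import annotations

from typing import Callable, Dict, FrozenSet, Iterable, List, Optional, Set, Tuple

State = Tuple[str, str]                  # (model state, Büchi state)
Lasso = Tuple[List[State], List[State]]  # (prefix ending at the seed, cycle starting at the seed)


def ndfs(inits: Iterable[State], succ: Callable[[State], List[State]],
         accepting: Callable[[State], bool]) -> Optional[Lasso]:
    """Classic two-colour NDFS (Courcoubetis et al.): the blue search visits states
    in DFS post-order; at each accepting state it launches a red search that reports
    a cycle as soon as it gets back to the seed. Red states stay marked across
    red searches, which is what keeps the whole check linear in the product size."""
    blue: Set[State] = set()
    red: Set[State] = set()
    path: List[State] = []        # current blue DFS stack
    cycle: List[State] = []       # current red DFS stack

    def dfs_red(s: State, seed: State) -> bool:
        red.add(s)
        cycle.append(s)
        for t in succ(s):
            if t == seed or (t not in red and dfs_red(t, seed)):
                return True
        cycle.pop()
        return False

    def dfs_blue(s: State) -> bool:
        blue.add(s)
        path.append(s)
        for t in succ(s):
            if t not in blue and dfs_blue(t):
                return True
        if accepting(s) and dfs_red(s, s):
            return True
        path.pop()
        return False

    for s0 in inits:
        if s0 not in blue and dfs_blue(s0):
            return list(path), list(cycle)
    return None


# Constructed model: a request/serve loop; atomic proposition p holds when served.
def make_model(busy_wait: bool) -> Tuple[str, Dict[str, List[str]], Dict[str, FrozenSet[str]]]:
    trans = {"idle": ["req"],
             "req": (["req"] if busy_wait else []) + ["served"],
             "served": ["idle"]}
    labels = {"idle": frozenset(), "req": frozenset(), "served": frozenset({"p"})}
    return "idle", trans, labels


# Büchi automaton for the negation of G F p, i.e. F G not p: q0 loops on anything and
# may guess the point from which p never holds again by moving to the accepting q1.
def buchi_step(q: str, label: FrozenSet[str]) -> List[str]:
    if q == "q0":
        return ["q0"] + ([] if "p" in label else ["q1"])
    return [] if "p" in label else ["q1"]


def find_counterexample(busy_wait: bool) -> Optional[Lasso]:
    """Model-check G F p; a returned lasso is a run on which p stops holding forever."""
    init, trans, labels = make_model(busy_wait)

    def succ(s: State) -> List[State]:
        m, q = s
        return [(m2, q2) for m2 in trans[m] for q2 in buchi_step(q, labels[m2])]

    inits = [(init, q) for q in buchi_step("q0", labels[init])]
    return ndfs(inits, succ, lambda s: s[1] == "q1")


if __name__ == "__main__":
    print("busy-wait model:", find_counterexample(True))   # lasso: the request starves
    print("fixed model    :", find_counterexample(False))  # None: G F p holds
```

The returned lasso is a concrete counterexample in the sense of the abstract: the prefix leads from the initial product state to the accepting seed, and the cycle (here the single self-loop on `req` while the automaton sits in `q1`) is the infinite suffix on which the request is never served.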