2025Activity reportTeam​VERIDIS

Model checking.

The paradigm​​​‌ of model checking is‌ based on automatically verifying‌​‌ properties over a formal​​ model of a system,​​​‌ using mathematical foundations. Model‌ checking, while useful and‌​‌ highly successful in practice,​​ can encounter the infamous​​​‌ state space explosion problem.‌ One direction of VeriDis‌​‌ therefore addresses the efficiency​​ of model checking, by​​​‌ proposing new algorithms or‌ heuristics to speed up‌​‌ analysis. We notably focus​​ on the quantitative setting​​​‌ (time, probabilities), and more‌ specifically on the parametric‌​‌ paradigm where some quantitative​​ constants are unknown, and​​​‌ the goal becomes to‌ synthesize suitable valuations. A‌​‌ recent application of the​​ VeriDis team is that​​​‌ of opacity (in the‌ more general field of‌​‌ cybersecurity), addressed using model​​ checking. The team considers​​​‌ a novel definition of‌ opacity in timed automata,‌​‌ where an attacker only​​ has access to the​​​‌ execution time; several recent‌ works address this direction.‌​‌

Correctness by construction

Verification​​ methods are used for​​​‌ a wide variety of‌ algorithm classes. An alternative‌​‌ to these verification methods​​ involves design methods aimed​​​‌ at producing algorithms or‌ programs that are correct‌​‌ by construction. This approach​​ is based on the​​​‌ notion of refinement, and‌ we aim at identifying‌​‌ fairly general patterns that​​ guide the designer's steps.​​​‌ In 37, we‌ contrast three techniques for‌​‌ constructing correct algorithms by​​ construction.

6.1.1 SPASS Workbench‌​‌

• Name:
  SPASS Automated Reasoning​​ Workbench
• Keywords:
  Automated theorem​​​‌ proving, Linear arithmetic solver,‌ Decision procedure
• Functional Description:‌​‌
  The SPASS Workbench is​​ a collection of tools​​​‌ for various reasoning tasks‌ in logic. It currently‌​‌ comprises the first-order theorem​​ prover SPASS, a decision​​​‌ procedure for linear (mixed)‌ arithmetic SPASS-IQ, a satisfiability‌​‌ modulo theory (SMT) solver​​​‌ for linear (mixed) arithmetic​ SPASS-SATT, a propositional satisfiability​‌ (SAT) solver SPASS-SAT, a​​ propositional conjunctive normal form​​​‌ converter SPASS-CNF, and several​ prototypical implementations of SPASS-SCL.​‌ The systems SPASS, SPASS-SAT​​ and SPASS-CNF are accessible​​​‌ via a web interface.​
• News of the Year:​‌
  We finished a first​​ competition version of SPASS-SCL​​​‌ and won the prize​ for the best newcomer​‌ system at CASC-30. SPASS​​ Workbench is developed at​​​‌ the Max Planck Institute​ with contributions by Martin​‌ Bromberger who now works​​ in industry.
• URL:
  https://­www.­mpi-inf.­mpg.­de/­departments/­automation-of-logic/­software/­spass-workbench/​​​‌
• Publications:
  hal-03531893, hal-03531889​, hal-03531894
• Contact:
  Christoph​‌ Weidenbach
• Participants:
  Lorenz Leutgeb,​​ Martin Bromberger, Christoph Weidenbach​​​‌

6.1.2 Goeland

• Name:
  Goeland​
• Keywords:
  First-order logic, Automated​‌ deduction, Automated Reasoning, Proof,​​ Certification
• Functional Description:
  Goeland​​​‌ is an automated theorem​ prover for first-order logic.​‌ It relies on a​​ concurrent tableaux-based proof-search procedure​​​‌ that allows it to​ conduct a fair branch​‌ exploration. The prover can​​ perform deskolemization and produce​​​‌ machine-checkable proofs in Rocq,​ LambdaPi and SC-TPTP. It​‌ supports TPTP FOF and​​ TFF files.
• News of​​​‌ the Year:

  In 2025,​ the main new developments​‌ were as follows:

  • redesign​​ of type system,
  • support​​​‌ for Rocq output,
  • support​ for SC-TPTP output.

  Johann​‌ Rosain (ENS Lyon) contributes​​ to the development and​​​‌ maintenance of Goeland.

• URL:​
  https://­github.­com/­GoelandProver/­Goeland
• Publication:
  tel-04526940
• Contact:​‌
  Julie Cailler
• Participants:
  Julie​​ Cailler, Johann Rosain

6.1.3​​​‌ E-Cyclist

• Keyword:
  Cyclic proofs​
• Functional Description:
  Checking the​‌ soundness of cyclic induction​​ reasoning for first-order logic​​​‌ with inductive definitions (FOLID)​ is decidable but the​‌ standard checking method is​​ based on an exponential​​​‌ complement operation for Büchi​ automata. We devised a​‌ polynomial method “semi-deciding” this​​ problem in a paper​​​‌ presented at the CiSS2019​ conference (Circularity in Syntax​‌ and Semantics). E-Cyclist is​​ an extension of the​​​‌ Cyclist prover (http://www.cyclist-prover.org/) that​ integrates this method. It​‌ successfully checked all the​​ proofs included in the​​​‌ Cyclist distribution. The implementation​ details have been presented​‌ at SCSS 2021 (ID​​ HAL: hal-02464242).
• URL:
  https://­members.­loria.­fr/­SStratulat/­files/­e-cyclist.­zip​​​‌
• Contact:
  Sorin Stratulat
• Participant:​
  Sorin Stratulat

6.1.4 TLAPS​‌

• Name:
  TLA+ proof system​​
• Keyword:
  Proof assistant
• Functional​​​‌ Description:
  TLAPS is a​ platform for developing and​‌ mechanically verifying proofs about​​ specifications written in the​​​‌ TLA+ language. The TLA+​ proof language is hierarchical​‌ and explicit, allowing a​​ user to decompose the​​​‌ overall proof into proof​ steps that can be​‌ checked independently. TLAPS consists​​ of a proof manager​​​‌ that interprets the proof​ language and generates a​‌ collection of proof obligations​​ that are sent to​​​‌ backend verifiers. The current​ backends include the tableau-based​‌ prover Zenon for first-order​​ logic, Isabelle/TLA+, an encoding​​​‌ of TLA+ set theory​ as an object logic​‌ in the logical framework​​ Isabelle, an SMT backend​​​‌ designed for use with​ any SMT-lib compatible solver,​‌ and an interface to​​ a decision procedure for​​​‌ propositional temporal logic.
• News​ of the Year:
  In​‌ 2025, the main new​​ developments were:

  • The integration​​​‌ of TLAPS into the​ TLA+ Virtual Studio​‌ Code Extension was consolidated.​​
  • A solution for importing​​​‌ the abstract syntax tree​ from the standard SANY​‌ parser for TLA+​​ was explored, in view​​ of replacing the bespoke​​​‌ parser underlying TLAPS.
  • The‌ standard library, as well‌​‌ as the collection of​​ examples, were consolidated and​​​‌ extended.
  • Various bug fixes.‌
• URL:
  https://­tla.­msr-inria.­inria.­fr/­tlaps/­content/­Home.­html
• Contact:
  Stephan‌​‌ Merz
• Participants:
  Damien Doligez,​​ Stephan Merz
• Partner:
  Microsoft​​​‌

6.1.5 Logic1

• Keywords:
  First-order‌ logic, Quantifier Elimination, Computer‌​‌ algebra system (CAS)
• Scientific​​ Description:

  Logic1 offers a​​​‌ robust framework for working‌ with first-order formulas. Its‌​‌ implementations are designed to​​ be generic and parameterized​​​‌ by theories in the‌ sense of first-order logic,‌​‌ currently supporting the theory​​ of Sets and the​​​‌ theory of Real Closed‌ Fields. Included algorithms cover‌​‌ a range of tasks,​​ such as computing normal​​​‌ forms (CNF, DNF, NNF,‌ PNF), simplification, and quantifier‌​‌ elimination.

  Comprehensive documentation is​​ available at docs.logic1.eu and​​​‌ on GitHub.

• Functional Description:‌

  First-order logic recursively builds‌​‌ terms from variables and​​ a specified set of​​​‌ function symbols with specified‌ arities, which includes constant‌​‌ symbols with arity zero.​​ Next, atomic formulas are​​​‌ built from terms and‌ a specified set of‌​‌ relation symbols with specified​​ arities. Finally, first-order formulas​​​‌ are recursively built from‌ atomic formulas and a‌​‌ fixed set of logical​​ operators.

  Logic1 focuses on​​​‌ interpreted first-order logic, where‌ the above-mentioned function and‌​‌ relation symbols have implicit​​ semantics, which is not​​​‌ explicitly expressed via axioms‌ within the logical framework.‌​‌ Typical applications include algebraic​​ decision procedures and, more​​​‌ generally, quantifier elimination procedures,‌ e.g., over the real‌​‌ numbers.

• News of the​​ Year:

  Version 0.2.0 of​​​‌ Logic1 was released on‌ February 12, 2025, via‌​‌ Conda-Forge. This release introduces​​ a parallel implementation of​​​‌ real quantifier elimination by‌ virtual substitution up to‌​‌ degree two, based on​​ the framework of Kosta​​​‌ (2016). The framework permits‌ instantiation for higher degrees‌​‌ through appropriate virtual substitution​​ tables.

  The simplifier extends​​​‌ the standard Redlog simplifier‌ (Dolzmann–Sturm, 1995) by allowing‌​‌ global substitution of implicit​​ identities of the form​​​‌ x = q and‌ x = q *‌​‌ y, where x and​​ y are variables and​​​‌ q is a rational‌ number. In addition, Logic1‌​‌ now supports rational polynomial​​ coefficients rather than being​​​‌ restricted to integer coefficients.‌

  Finally, a programmatic interface‌​‌ has been added to​​ provide convenient access to​​​‌ essential Redlog functionality via‌ process communication. This interface‌​‌ includes several variants of​​ real quantifier elimination and​​​‌ simplification. In 2025, Logic1‌ exceeded 1,000 downloads.

  Besides‌​‌ members of VeriDis, Nicolas​​ Faroß (Chalmers University) actively​​​‌ contributes to the development‌ of Logic1.

• URL:
  https://­github.­com/­logic1-eu/­logic1‌​‌
• Contact:
  Thomas Sturm
• Participants:​​
  Thomas Sturm, Nicolas Faroß,​​​‌ Lorenz Leutgeb

6.1.6 Redlog‌

• Name:
  Reduce Logic System‌​‌
• Keywords:
  Computer algebra system​​ (CAS), First-order logic, Constraint​​​‌ solving, Quantifier Elimination
• Functional‌ Description:

  Redlog is an‌​‌ integral part of the​​ interactive computer algebra system​​​‌ Reduce. It supplements Reduce's‌ comprehensive collection of powerful‌​‌ symbolic computation methods by​​ supplying more than 100​​​‌ functions on first-order formulas.‌

  Redlog generally works with‌​‌ interpreted first-order logic in​​ contrast to free first-order​​​‌ logic. Each first-order formula‌ in Redlog must exclusively‌​‌ contain atoms from one​​ particular Redlog-supported theory, which​​​‌ corresponds to a choice‌ of admissible functions and‌​‌ relations with fixed semantics.​​​‌ Redlog-supported theories include Nonlinear​ Real Arithmetic (Real Closed​‌ Fields), Presburger Arithmetic, Parametric​​ QSAT (quantified satisfiability solving),​​​‌ and many more.

• News​ of the Year:
  While​‌ development efforts have primarily​​ focused on the successor​​​‌ system Logic1, Redlog remains​ available and is committed​‌ to continued full support​​ in the long term.​​​‌ Historically, many authors from​ different institutions contributed to​‌ the development of Redlog,​​ the main maintainers have​​​‌ been Thomas Sturm and​ Andreas Dolzmann (Schloss Dagstuhl).​‌
• URL:
  https://­www.­redlog.­eu/
• Contact:
  Thomas​​ Sturm
• Participants:
  Thomas Sturm,​​​‌ Andreas Dolzmann, Melanie Achatz,​ Marek Kosta, Aless Lasaruk,​‌ Herbert Melenk, Winfried Neun,​​ Andreas Seidl, Christoph Zengler,​​​‌ Volker Weispfenning

6.2.1 ODEbase

Participants:​‌ Thomas Sturm.

• Name:​​
  Online Database of Biomodels​​​‌ Involving Ordinary Differential Equations​
• Keywords:
  Automated reasoning, Dynamical​‌ systems, Interdisciplinary research, Qualitative​​ analysis
• Scientific Description:
  Symbolic​​​‌ Computation and Automated Reasoning​ allow qualitative answers to​‌ biological questions. Qualitative methods​​ analyze dynamical input systems​​​‌ as formal objects, in​ contrast to investigating only​‌ a subset of the​​ state space, as is​​​‌ the case with numerical​ simulation. A common format​‌ used in mathematical modeling​​ of biological processes is​​​‌ the Systems Biology Markup​ Language SBML. However,​‌ symbolic tools and libraries​​ have a different set​​​‌ of requirements for their​ input data than their​‌ numerical counterparts. The use​​ of SBML data in​​​‌ Symbolic Computation and Automated​ Reasoning requires significant pre-processing​‌ that combines automated translation​​ steps with human interaction​​​‌ and expertise. ODEbase provides​ pre-processed input data derived​‌ from established existing biomodels.​​
• Functional Description:
  SBML, which​​​‌ is technically an XML​ instance, has been designed​‌ as a very liberal​​ format, and contributors of​​​‌ models are primarily researchers​ whose key expertise resides​‌ in natural sciences. This​​ creates a situation where​​​‌ SBML features may be​ used in unexpected ways.​‌ A sound presentation of​​ corresponding models outside the​​​‌ SMBL framework then requires​ expertise in the life​‌ sciences as well as​​ mathematical competence, primarily in​​​‌ algebra and in dynamical​ systems. Technically we use​‌ a set of Python​​ tools, which we have​​​‌ developed for the semi-automatic​ conversion of SBML models.​‌ Since the conversion process​​ is not fully automatic​​​‌ and our resources are​ limited, we focus on​‌ models that we identify​​ as interesting for Symbolic​​​‌ Computation and Automated Reasoning​ approaches. Our principal source​‌ of models is the​​ renowned online database biomodels.net​​​‌.
• News of the​ Year:
  ODEbase has gained​‌ further recognition and citations​​ during 2025.
• URL:
  odebase.org​​​‌
• Publications:
  hal-03651751
• Contact:
  Thomas​ Sturm
• Partners:
  Christoph Lüders​‌ (University of Bonn, Germany),​​ Ovidiu Radulescu (University of​​​‌ Montpellier, France).

Graph Superposition for​​ Quantum Circuits

Julie Cailler​​​‌ , Florent Krasnopol ,​ Sophie Tourret , joint​‌ work with Noé Delormes​​ and Simon Perdrix (project​​​‌ team Mocqua).

The circuits​​ can be naturally represented​​​‌ using hypergraphs. We are‌ adapting a technique for‌​‌ automated reasoning on graphs​​ that uses the superposition​​​‌ calculus to work on‌ circuits represented as a‌​‌ particular class of graphs.​​

Challenging Benchmarks for Circuit​​​‌ Equivalence Checks in SMT-LIB‌ and TPTP

Julie Cailler‌​‌ , Sophie Tourret ,​​ joint work with Noé​​​‌ Delormes (project team Mocqua).‌

GNN for Word Equations​​​‌ Solving

Julie Cailler joint‌ work with Parosh Aziz‌​‌ Abdulla, Mohamed Faouzi Atig,​​ Chencheng Liang (Univ. of​​​‌ Uppsala, Sweden), Philipp Rümmer‌ (Univ. of Uppsala, Sweden‌​‌ & Univ. of Regensburg,​​ Germany).

We developed a​​​‌ new algorithm that leverages‌ a Graph Neural Network‌​‌ (GNN)-guided approach for solving​​ word equations, building upon​​​‌ the well-known Nielsen transformation‌ for equation splitting. We‌​‌ extend this algorithm to​​ deal with conjunction of​​​‌ word equations. To handle‌ the variable number of‌​‌ conjuncts, three approaches to​​ adapt a multi-classification task​​​‌ to the problem of‌ ranking equations are proposed.‌​‌ The training of the​​ GNN is done with​​​‌ the help of minimum‌ unsatisfiable subsets (MUSes) of‌​‌ word equations.

The algorithm​​ is implemented in a​​​‌ solver named DragonLi. Experimental‌ results on both artificial‌​‌ and real-world benchmarks demonstrate​​ the efficiency of DragonLi​​​‌ in solving satisfiable problems.‌ A paper presenting this‌​‌ work was published at​​ FroCoS 2025 14.​​​‌

A Framework for Certifying‌ Tableaux Proofs in Rocq‌​‌

Julie Cailler joint work​​ with Johann Rosain (ENS​​​‌ de Lyon).

Non-Ground Congruence​​ Closure

Hendrik Leidinger ,​​​‌ Christoph Weidenbach .

We propose​‌ an algorithm that directly​​ computes a non-ground representation​​​‌ of ground congruence classes​ constructed from non-ground equations.​‌ Our approach is sound​​ and complete with respect​​​‌ to the corresponding ground​ congruence classes. Experimental results​‌ demonstrate that computing non-ground​​ congruence classes often outperforms​​​‌ the classical ground congruence​ closure algorithm in efficiency​‌ 25.

Decision procedures​​ for fragments with arithmetic.​​​‌

Pascal Fontaine , joint​ work with Bernard Boigelot,​‌ Thomas Braipson, Tom Clara,​​ and Baptiste Vergain (Univ.​​​‌ of Liège).

The​​​‌ SMT-LIB standard.

Pascal Fontaine​ , joint work with​‌ Clark Barrett (Stanford University),​​ Cesare Tinelli (University of​​​‌ Iowa).

Formalizing the Relationship​​ Between SCL(FOL) and Ground​​​‌ Ordered Resolution

Martin Bromberger​ , Martin Desharnais ,​‌ Christoph Weidenbach .

An Extension of the​​​‌ TPTP Derivation Format for‌ Sequent-Based Calculi.

Julie Cailler‌​‌ , joint work with​​ Simon Guilloud, Sankalp Gambhir,​​​‌ Auguste Poiroux, Yann Herklotz,‌ Thomas Bourgeat, and Viktor‌​‌ Kunčak (EPFL, Switzerland).

Integration of Abduction in‌ Isabelle/HOL.

Tiago Campos Ferreira‌​‌ , Sophie Tourret ,​​ joint work with Haniel​​​‌ Barbosa (Universidade Federal de‌ Minas Gerais, Brazil).

Formalization of Modal​​​‌ Model Theory in Isabelle/HOL‌

Sophie Tourret , joint‌​‌ work with Jasmin Blanchette​​ and Yiming Xu (LMU​​​‌ Munich, Germany).

Lean to DHOL Translation​​​‌

Sophie Tourret , joint​ work with Jasmin Blanchette,​‌ Alexander Bentkamp and Luca​​ Maio (LMU Munich, Germany).​​​‌

Certification of Rewriting​‌ on Circuits

Julie Cailler​​ , Sophie Tourret ,​​​‌ joint work with Noé​ Delormes and Simon Perdrix​‌ (project team Mocqua).

Reconstruction​ of SMT Proofs in​‌ Lambdapi.

Alessio Coltellacci ,​​ Stephan Merz , joint​​​‌ work with Bruno Andreotti​ and Haniel Barbosa (Universidade​‌ Federal de Minas Gerais,​​ Brazil) and with Frédéric​​​‌ Blanqui (project team Deducteam).​

A first‌ paper covering the pure‌​‌ logic fragment of SMT-LIB​​ was accepted for publication​​​‌ in the journal Acta‌ Informatica (to appear in‌​‌ 2026), a second paper​​ focusing on the reconstruction​​​‌ of proofs in linear‌ arithmetic was presented at‌​‌ FroCoS 2025 20.​​ A comprehensive description of​​​‌ the approach appears in‌ the PhD thesis of‌​‌ Alessio Coltellacci, to be​​ defended in January 2026.​​​‌

An Isabelle/HOL framework to‌ Add Splitting on Top‌​‌ of Saturation Calculi

Ghilain​​ Bergeron , Florent Krasnopol​​​‌ , Sophie Tourret .‌

Towards the Verification of​​ ProVerif in Isabelle/HOL

Qi​​​‌ Qiu , Sophie Tourret‌ , joint work with‌​‌ Steve Kremer (project team​​ Pesto).

Analysing the​​​‌ Divergence of Induction-based Proofs.‌

Sorin Stratulat .

A Verified Encoding​​​‌ of Proof Obligations.

Vincent​ Trélat , Ghilain Bergeron​‌ , Stephan Merz ,​​ Sophie Tourret .

An encoding in SMT-LIB,​‌ the input language of​​ SMT solvers, of proof​​​‌ obligations based on these​ ideas has been implemented​‌ in the Lean proof​​ assistant, and an evaluation​​​‌ on the fragment of​ the benchmark mentioned above​‌ that is covered by​​ the encoding indicates that​​​‌ this translation is a​ useful complement to the​‌ existing first-order encoding: the​​ solvers succeed in proving​​​‌ a high number of​ obligations that they failed​‌ to prove for the​​ previous encoding. A paper​​​‌ describing this work 26​ was presented at ABZ​‌ 2025 and received the​​ best paper award.

By​​​‌ developing the encoding in​ Lean, it becomes possible​‌ to establish its correctness​​ within that proof assistant.​​​‌ To this end, the​ semantics of B and​‌ SMT formulas have been​​ formalized in Lean, and​​​‌ work is in progress​ in order to formally​‌ prove the correctness of​​ the translation.

Moreover, a​​​‌ tool has been developed​ for representing proof obligations​‌ corresponding to formal developments​​ in B directly in​​​‌ Lean, with a particular​ emphasis on identifying well-definedness​‌ conditions arising from possibly​​ undefined expressions, such as​​​‌ the minimum value of​ a set or the​‌ application of a partial​​ function. A paper describing​​​‌ this work is in​ preparation for submission to​‌ an international conference.

Formalization and Implementation​‌ of Safe Destination Passing​​ in Pure Functional Programming​​​‌ Settings.

Thomas Bagrel ,​ Horatiu Cirstea , joint​‌ work with Arnaud Spiwack​​ (Tweag & Modus Create).​​​‌

We developed a core‌​‌ $\lambda$-calculus with destinations​​ 15. This new​​​‌ calculus is more expressive‌ than similar existing systems,‌​‌ with destination passing designed​​ to be as flexible​​​‌ as possible. This is‌ achieved through a modal‌​‌ type system combining linear​​ types with a system​​​‌ of ages to manage‌ scopes, in order to‌​‌ make destination-passing safe. Type​​ safety of our core​​​‌ calculus was proved formally‌ with the Rocq proof‌​‌ assistant.

Then, we see​​ how this core calculus​​​‌ can be adapted to‌ an existing pure functional‌​‌ language, Haskell, whose type​​ system is less powerful​​​‌ than our custom theoretical‌ one 32. Retaining‌​‌ safety comes at the​​ cost of removing some​​​‌ flexibility in the handling‌ of destinations. We later‌​‌ refine the implementation to​​ recover much of this​​​‌ flexibility, at the cost‌ of increased user complexity.‌​‌ The prototype implementation in​​ Haskell shows encouraging results​​​‌ for adopting destination-passing style‌ programming when traversing or‌​‌ mapping over large data​​ structures such as lists​​​‌ or data trees. A‌ comprehensive presentation of these‌​‌ results appears in Thomas​​ Bagrel's PhD thesis 32​​​‌.

Verified Code Generation‌ from PlusCal Programs.

Ghilain‌​‌ Bergeron , Horatiu Cirstea​​ , Stephan Merz .​​​‌

A translator from‌ a suitable fragment of‌​‌ Distributed PlusCal to the​​ Go language has been​​​‌ implemented in Lean based‌ on this approach, and‌​‌ the correctness of the​​ first two phases of​​​‌ the translation has been‌ proved. This work was‌​‌ presented at WPTE 2025​​ 27, and we​​​‌ have been invited to‌ prepare an extended paper‌​‌ for an international journal.​​ Work on formal proofs​​​‌ of the correctness of‌ the translation in the‌​‌ Lean proof assistant is​​ ongoing.

Gröbner Bases for​​​‌ Boolean Function Minimization.

Simon‌ Schwarz , joint work‌​‌ with Nikolas Faroß (Chalmers​​​‌ University).

Formalization and verification of​​ a train scheduler in​​​‌ TLA+.

Martin​ Vassor , Lucas Villaume​‌ , joint work with​​ Guillaume Bonfante (Carbone Team​​​‌ of LORIA).

In order to prevent​​ crashes (two trains colliding)​​​‌ or deadlocks (two trains​ being locked, e.g. facing​‌ each other), one has​​ to ensure that the​​​‌ scheduler never allows such​ situations to occur. Therefore,​‌ we formalized the traffic​​ rules in TLA+​​​‌, allowing to model​ check the correctness of​‌ a schedule. In a​​ second step, we show​​​‌ how schedules can be​ composed while remaining correct,​‌ allowing one to manage​​ large train networks.

Reversibility​​​‌ for Fault Tolerance in​ Typed Sessions.

Martin Vassor​‌ , joint work with​​ Adam Barwell (University of​​​‌ St. Andrews, Scotland), Ping​ Hou (University of Oxford,​‌ England), and Nobuko Yoshida​​ (University of Oxford, England).​​​‌

In​​​‌ this project, we aim‌ to implement MPST on‌​‌ top of a reversible​​ variant of the higher-order​​​‌ $\pi$-calculus. In such‌ a setting, upon the‌​‌ failure of a process,​​ we expect the system​​​‌ to transparently revert to‌ a previous state, thus‌​‌ recovering from the failure.​​ Contrary to existing approaches​​​‌ based on reversibility, we‌ do not modify the‌​‌ syntax or the semantics​​ of MPST, allowing users​​​‌ to transparently switch from‌ standard MPST to fault-tolerant‌​‌ MPST.

A paper describing​​ this work was published​​​‌ at the International Conference‌ on Reversible Computing 16‌​‌.

Bounded Reversibility in​​ HO$\pi$

Martin Vassor​​​‌ , joint work with‌ Ivan Lanese (University of‌​‌ Bologna and Inria -​​ Université Côte d'Azur, Italy),​​​‌ and Claudio A. Mezzina‌ (University of Urbino, Italy).‌​‌

While those two‌ key properties are desirable,‌​‌ as they lead to​​ nice theoretical frameworks, they​​​‌ are not suitable for‌ practical use. Indeed, completeness‌​‌ entails that enough information​​ has to be kept​​​‌ during execution to reach‌ the initial state. Causal‌​‌ consistency entails that reverting​​ part of the system​​​‌ possibly spreads to all‌ components. Those two consequences‌​‌ are problematic in practice:​​ the first one due​​​‌ to the amount of‌ information that has to‌​‌ be kept forever, even​​ if it is not​​​‌ used in the end.‌ In the second one,‌​‌ the spread of rollback​​ disallows standard software architectures​​​‌ such as client-server, in‌ which one would not‌​‌ allow the rollback of​​ a client to spread​​​‌ to the server, and‌ then to other clients.‌​‌

29 contains preliminary work​​ addressing those issues. We​​​‌ drafted a reversible higher-order‌ $\pi$ calculus with additional‌​‌ primitives for committing messages,​​ preventing them to be​​​‌ rolled back in the‌ rest of the computation‌​‌ (thus breaking completeness, but​​ allowing the garbage-collection of​​​‌ rollback information). We also‌ introduce non-causally-consistent uses of‌​‌ communication channels, in which​​ case the rollback spread​​​‌ is not propagated through‌ such uses (thus breaking‌​‌ causal consistency, but allowing​​ some spatial control of​​​‌ rollbacks).

An inductive invariant‌ for a high-level Raft‌​‌ specification

Volkan Burakcin ,​​ Stephan Merz .

Degradation​‌ of stochastic systems

Baptiste​​ Diedler , Marie Duflot-Kremer​​​‌ , Engel Lefaucheux ,​ Bastien Pichet .

During the internships of​ Baptiste Diedler and Bastien​‌ Pichet, we extended this​​ classical framework by introducing​​​‌ the notion of degradation.​ Degradation generalizes diagnosis by​‌ aiming not only to​​ detect whether a fault​​​‌ has occurred, but also​ to quantify the amount​‌ of damage suffered by​​ the system. In this​​​‌ setting, failures may accumulate​ over time, and the​‌ objective becomes to detect​​ when the accumulated degradation​​​‌ exceeds a given threshold.​ This work is ongoing,​‌ with the goal of​​ submitting a paper next​​​‌ year.

Multi-agent transfer systems​

Engel Lefaucheux , joint​‌ work with Nathalie Bertrand,​​ Loïc Helouet and Luca​​​‌ Paparazzo (project team Devine).​

We​​​‌ investigated the computational complexity​ of the resulting global​‌ reachability problem. For asynchronous​​ and strongly synchronous semantics,​​​‌ we established decidability and​ derived complexity bounds ranging​‌ from NP to EXPSPACE,​​ relying on monotonicity and​​​‌ bounded witness arguments. In​ contrast, we showed that​‌ reachability becomes undecidable under​​ weakly synchronous semantics due​​ to the loss of​​​‌ monotonicity.

On‌​‌ the number of real​​ types of univariate polynomials.​​​‌

Thomas Sturm , joint‌ work with Thomas Faroß‌​‌ (Chalmers University).

We are specifically‌​‌ interested in the number​​ of possible real types​​​‌ of families of $\mathrm{n‌}$ polynomials subject to a‌​‌ degree bound $d$.​​ Košta 53 has given​​​‌ a formula for the‌ number $R_d$ of‌​‌ possible real types of​​ a single polynomial of​​​‌ degree $d$ in terms‌ of summations of certain‌​‌ binomial coefficients, and conjectured​​ that this number could​​​‌ not be expressed in‌ a closed form. We‌​‌ are not aware of​​ any former results for​​​‌ $n>1$.‌

Considering finite families ${\mathrm{f‌‌}}_1$, ..., ${\mathrm{f}}_n$ of polynomials of​​​‌ degrees $d_1$,‌ ..., $d_n$,‌​‌ and denoting by $\mathrm{m}$ the finite cardinality of​​​‌ the union of their‌ real roots, we have‌​‌ derived the following results:​​

1. In the special case​​​‌ $n=1$,‌ we simplify Košta's result‌​‌ mentioned above to a​​ simple case distinction based​​​‌ on Fibonacci numbers, which‌ can be expressed in‌​‌ closed form, in contrast​​ to sums of binomial​​​‌ coefficients.
2. On these grounds,‌ we derived another closed‌​‌ form for the number​​ ${\widehat{R}}_d$ of​​​‌ all real types realized‌ by a single polynomial‌​‌ up to degree $\mathrm{d}$. It follows that​​​‌ both $R_d$,‌ ${\widehat{R}}_d\in ‌‌\Theta \left({\phi }^{\mathrm{d}}\right)$, where $\mathrm{\phi ‌}$ is the golden ratio,‌ and $\Theta$ is the‌​‌ Bachmann–Landau symbol for asymptotic​​ growth of the same​​​‌ order.
3. For the general‌ case $n\ge \mathrm{1‌‌}$, we derive a​​ formula for the number​​​‌ $R_{d_1,‌\cdots ,d_{\mathrm{n‌‌}}}^{\left(m\right)}$ of​​ all real types realized​​​‌ by polynomials with degrees‌ $d_i$ and $\mathrm{m‌‌}$ distinct real roots. Summation​​ over $m$ yields an​​​‌ explicit form for the‌ number $R_{d_{\mathrm{1‌‌}},\cdots ,{\mathrm{d}}_n}$ of all real​​​‌ types realized by polynomials‌ with degrees $d_{\mathrm{i‌‌}}$ and any number of​​ roots, which generalizes Košta's​​​‌ original result.
4. For the‌ number of all real‌​‌ types realized by polynomials​​​‌ with any choice of​ $d_1$, ...,​‌ $d_n$ and $\mathrm{m}$ distinct real roots, we​​​‌ can reduce or formula​ for $R_{d_{\mathrm{1‌}},\cdots ,{\mathrm{d}}_n}$ to the closed​​​‌ form $S_n^{(m)}={\mathrm{2‌}}^n·{({\mathrm{3}}^n-1)‌}^m$, which generalizes​ the obvious $S_{\mathrm{1‌}}^{\left(m\right)}=2^{m+\mathrm{1‌}}$. In particular, this​ imposes an upper bound​‌ on $R_{d_{\mathrm{1}},\cdots ,{\mathrm{d‌}}_n}^{(m)}$.

Real types for​‌ $n>1$ play​​ a key role in​​​‌ a number of decision​ and quantifier elimination procedures​‌ for real closed fields.​​ Our results were published​​​‌ at ISSAC 23.​

Type​‌ systems for the memory​​ safety of functional programs​​​‌

• Duration:
  April 2022 –​ March 2025
• Industrial Partner:​‌
  Tweag
• Team participants:
  Thomas​​ Bagrel , Horatiu Cirstea​​​‌
• Summary:
  In his PhD​ thesis 32 supported by​‌ a CIFRE contract, Thomas​​ Bagrel studies type systems​​​‌ and corresponding constructions in​ a pure functional calculus​‌ with destinations at its​​ core for guaranteeing programs​​​‌ that are memory safe​ and can be compiled​‌ to efficient machine code.​​

Reengineering protocols for industrial​​​‌ controllers

• Duration:
  May 2023​ – April 2026
• Industrial​‌ Partner:
  Westinghouse France
• Team​​ participants:
  Mohamed Amine Snoussi​​​‌ , Marie Duflot-Kremer ,​ Engel Lefaucheux , Stephan​‌ Merz
• Summary:
  In his​​ PhD work supported by​​​‌ a CIFRE contract, Amine​ Snoussi aims at constructing​‌ formal models and simulations​​ of protocols that are​​​‌ used for industrial controllers,​ in particular for the​‌ diagnosis and control of​​ electronic components in nuclear​​​‌ power plants. He has​ modeled the main protocol​‌ for the interaction between​​ a controller and a​​​‌ component as a system​ of timed automata and​‌ verified a number of​​ properties using the UppAal​​​‌ model checker. He also​ developed a simulator of​‌ the protocol that can​​ interact with an actual​​​‌ controller.

Event-B modeling for​ Human-Machine Interaction

• Duration:
  June​‌ 2024 – June 2025​​
• Industrial Partner:
  SAS H-AUGENPLUS​​​‌
• Team participants:
  Dominique Méry​
• Summary:
  The objective of​‌ this work is to​​ assist in the development​​​‌ of Event-B models for​ HMI systems.

9.1.1 Associate Teams​​​‌ in the framework of​ an Inria International Lab​‌ or in the framework​​ of an Inria International​​​‌ Program

• Title:
  CAtalyzing progRess​ in smt solving and​‌ proof assistants via Modularity,​​ proof trAnslation, and proof​​​‌ reconstruction (CARMA)
• Duration:
  2024​ - 2026
• Coordinators:
  Sophie​‌ Tourret and Haniel Barbosa​​ (UFMG)
• Partners:
  Universidad Federal​​​‌ de Minas Gerais, Belo​ Horizonte (Brazil)
• Inria contact:​‌
  Sophie Tourret
• Team participants:​​
  Tiago Campos Ferreira ,​​​‌ Alessio Coltellacci , Stephan​ Merz , Sophie Tourret​‌ , Vincent Trélat
• Summary:​​

  The Carma associate team​​​‌ aims at improving the​ state of the art​‌ in SMT solving on​​ three fronts. Our first​​ objective is to design​​​‌ a new SMT solver‌ as a research vessel‌​‌ that emphasizes modularity over​​ utmost performance. Our goal​​​‌ is that all components‌ can simply be plugged‌​‌ in and out to​​ make it easy to​​​‌ upgrade and serve as‌ a platform for comparison‌​‌ between different techniques. The​​ tentative name of this​​​‌ new solver is ModulariT.‌ Our second objective concerns‌​‌ higher-order SMT and the​​ missing components to make​​​‌ it competitive. We plan‌ to provide an efficient‌​‌ conflict-based instantiation technique for​​ higher-order logic for ModulariT.​​​‌ Our third objective concerns‌ the coexistence of various‌​‌ proof formats for SMT​​ solving. We aim at​​​‌ more interoperability so that‌ the various formats do‌​‌ not create a divide​​ in the community. Specifically,​​​‌ our aim will be‌ to provide a translation‌​‌ of Alethe proofs generated​​ by SMT solvers to​​​‌ Dedukti, a logical framework‌ based on the $\mathrm{\lambda ‌‌}\Pi$-calculus modulo, that​​ has become the lingua​​​‌ franca of proof translation.‌ In 2024, we added‌​‌ a fourth objective to​​ the team, that of​​​‌ studying the integration of‌ SMT-based abduction in a‌​‌ proof assistant.

  In 2025,​​ there were again several​​​‌ exchanges between Belo Horizonte‌ and Nancy, despite cancellations‌​‌ of trips in the​​ spring related to the​​​‌ late vote of the‌ budget in France. A‌​‌ master student from Belo​​ Horizonte, Tiago Campos Ferreira​​​‌ is visiting us for‌ a 4 months master‌​‌ internship funded by Orion,​​ a program within the​​​‌ excellence initiative of Lorraine‌ University. He is working‌​‌ on our fourth objective​​ with Sophie Tourret and​​​‌ Haniel Barbosa. A PhD‌ student from our team‌​‌ (Alessio Coltellacci )​​ and a postdoc from​​​‌ Deducteam (part of the‌ associate team) visited Belo‌​‌ Horizonte for 3 weeks​​ to work on our​​​‌ first objective. Some more‌ trips have been anticipated‌​‌ for early 2026 to​​ counteract the previously mentioned​​​‌ delays.

9.1.2 Participation in‌ other International Programs

• Title:‌​‌
  Artificial Intelligence based Robotics​​ (AiRobo)
• Partner Institution(s):
  • University​​​‌ of Macedonia, Greece
  • RWTH,‌ Germany
  • Eszterhazy Karoly Catholic‌​‌ University, Hungary
  • West University​​ of Timisoara, Romania
• Date/Duration:​​​‌
  December 2023 - November‌ 2026
• Team participant:
  Sorin‌​‌ Stratulat
• Summary:
  AiRobo 51​​ is an ERASMUS+ project​​​‌ that aims to increase‌ the quality and the‌​‌ attractivity of related departments​​ at the partner universities,​​​‌ by a significant raise‌ of the level of‌​‌ competence and skills of​​ the relevant academic staff​​​‌ in the field of‌ Artificial Intelligence based Robotics.‌​‌ The correct functioning of​​ such safety-critical systems is​​​‌ ensured by formal verifications‌ using theorem provers such‌​‌ as Theorema and Coq,​​ as well as SAT​​​‌ and SMT solvers such‌ as SMT-RAT.

ANR Project BiSoUS​​

• Title:
  Better Synthesis for​​​‌ Underspecified Quantitative Systems
• Duration:‌
  March 2023 – February‌​‌ 2027
• Coordinator:
  Didier Lime,​​ École Centrale de Nantes​​​‌ & LS2N
• Partner Institutions:‌
  • IRISA, Rennes
  • LIPN, University‌​‌ Sorbonne Paris Nord (Paris​​ 13)
  • LS2N École Centrale​​​‌ de Nantes (coordinator)
  • LMF,‌ University Paris-Saclay
• Team participants:‌​‌
  Marie Duflot-Kremer , Engel​​ Lefaucheux
• Summary:
  Computer systems​​​‌ are ubiquitous and identifying‌ their possible defects is‌​‌ crucial already at the​​​‌ earliest stages of their​ development, when many aspects,​‌ including the environments or​​ the execution platforms, have​​​‌ not been fixed. Verification​ must then be performed​‌ on underspecified models and​​ should give understandable answers.​​​‌ In this project, we​ aim at developing verification​‌ techniques for underspecified models​​ that take this explainability​​​‌ constraint into account, by​ optimizing resources, such as​‌ energy or memory, and​​ synthesizing more precise requirements​​​‌ on the underspecified aspects​ of the models under​‌ which the system behaves​​ correctly. We depart from​​​‌ classical formalisms and consider​ their combined extensions with​‌ three complementary ingredients: costs/rewards​​ for resource consumption; parameters​​​‌ for unknown quantitative characteristics;​ and games for representing​‌ all the behaviours of​​ the underspecified system.
• Keywords:​​​‌
  Verification, Model checking, parametrised​ systems, games with guarantees​‌
• More information:
  BiSoUS Web​​ site

ANR Project BLaSST​​​‌

• Title:
  Enhancing B Language​ Reasoners Using SAT and​‌ SMT Techniques
• Duration:
  March​​ 2022 – February 2027​​​‌
• Coordinator:
  Stephan Merz
• Partner​ Institutions:
  • Inria Nancy (coordinator)​‌
  • University of Artois &​​ CRIL, Lens
  • CLEARSY, Aix-en-Provence​​​‌
  • University of Liège, Belgium​
• Team participants:
  Pascal Fontaine​‌ , Stephan Merz ,​​ Vincent Trélat , Sophie​​​‌ Tourret
• Summary:
  The BLaSST​ project targets bridging combinatorial​‌ and symbolic techniques in​​ automatic theorem proving, in​​​‌ particular for proof obligations​ generated from B models.​‌ It focuses on advancing​​ the state of the​​​‌ art in automated reasoning,​ in particular SAT and​‌ SMT techniques, and on​​ making these techniques available​​​‌ to software verification. More​ specifically, encoding techniques, optimized​‌ resolution techniques, model generation,​​ and lemma suggestion will​​​‌ be investigated. The expected​ scientific impact is a​‌ substantially higher degree of​​ automation of solvers for​​​‌ expressive input languages by​ leveraging higher-order reasoning and​‌ enumerative instantiations over finite​​ domains, as well as​​​‌ useful feedback for verification​ conditions that cannot be​‌ proved. The effectiveness of​​ the techniques developed in​​​‌ the project will be​ quantified by applying them​‌ to benchmark sets provided​​ by the industrial partner.​​​‌ The industrial impact of​ BLaSST will be a​‌ higher productivity of proof​​ engineers. The collections of​​​‌ benchmarks and the reasoning​ engines will be made​‌ openly available under permissive​​ open-source licenses.
• Keywords:
  B​​​‌ method, deductive verification, SAT,​ SMT, higher-order logic
• More​‌ information:
  BLaSST Web site​​

ANR Project EBRP

• Title:​​​‌
  Enhancing EventB and RODIN:​ EventB-Rodin-Plus
• Duration:
  January 2020​‌ – December 2026
• Coordinator:​​
  Dominique Méry
• Partner Institutions:​​​‌
  • INPT-ENSEEIHT & IRIT, Toulouse​
  • CentraleSupelec & LRI
  • University​‌ of Lorraine & LORIA​​
  • University Paris-Est Créteil &​​​‌ LACL
  • University of Düsseldorf,​ Germany
  • University of Southampton,​‌ School of Electronics and​​ Computer Science, United Kingdom​​​‌
• Team participants:
  Dominique Méry​
• Keywords:
  formal IDE, theory,​‌ proof management, cyber-physical systems,​​ discrete models, continuous models,​​​‌ refinement, verification, tools
• Summary:​
  The purpose of EBRP​‌ is to enhance Event-B​​ and the corresponding Rodin​​​‌ toolset. This will be​ done by engaging in​‌ some basic research dealing​​ with various mathematical theories​​​‌ that are not currently​ available in Event-B and​‌ Rodin. The development of​​ complex systems usually involves​​​‌ different scientific disciplines and​ skills. For instance, modeling​‌ behaviors and interactions of​​ autonomous systems may require​​ concepts from control theory​​​‌ such as differential equations,‌ communication protocols, resource allocation,‌​‌ access control rules, etc.​​ EBRP targets the definition​​​‌ of extension mechanisms for‌ Event-B rather than defining‌​‌ domain-specific modeling languages, and​​ implementing those mechanisms within​​​‌ Rodin.
• More information:
  EBRP‌ Web site

ANR Project‌​‌ ICSPA

• Title:
  Interoperable and​​ Confident Set-based Proof Assistants​​​‌
• Duration:
  January 2022 –‌ December 2026
• Coordinator:
  Catherine‌​‌ Dubois, ENSIIE & Samovar​​
• Partner Institutions:
  • ENSIIE &​​​‌ Samovar, Évry
  • Inria (Nancy‌ and Saclay research centers)‌​‌
  • University Paul Sabatier &​​ IRIT, Toulouse
  • University of​​​‌ Montpellier & LIRMM, Montpellier‌
  • CLEARSY, Aix-en-Provence
• Team participants:‌​‌
  Alessio Coltellacci , Dominique​​ Méry , Stephan Merz​​​‌
• Summary:
  The B, Event-B,‌ and TLA+ formal‌​‌ methods are based on​​ different flavors of set​​​‌ theory. The ICSPA project‌ aims at formally relating‌​‌ these different theories for​​ allowing users (i) to​​​‌ independently certify proofs carried‌ out using the automatic‌​‌ proof tools developed for​​ these formal methods and​​​‌ (ii) to transfer developments,‌ including their proofs, carried‌​‌ out in one of​​ these languages to another​​​‌ one. The objectives are‌ to reinforce confidence in‌​‌ developments carried out using​​ these methods and to​​​‌ enable interoperability between them.‌ The foundation for achieving‌​‌ these goals lies in​​ the encoding of the​​​‌ set theories in the‌ Dedukti logical framework developed‌​‌ at Inria Saclay, which​​ implements the $\lambda \mathrm{\Pi ‌}$-calculus modulo.
• Keywords:
  B‌ method, TLA+,‌​‌ set theory, logical framework​​
• More information:
  ICSPA Web​​​‌ site

10.1.1 Scientific events:‌​‌ organization

10.1.2 Scientific​ events: selection

10.1.3 Journals

10.1.4 Invited​ talks

• Julie Cailler :​‌
  • Deskolemization: From Tableaux to​​ Proof Certificates, CHoCoLa Meeting,​​​‌ Lyon, France
  • Goéland: A​ Concurrent Tableau-Based ATP that​‌ Produces Machine-Checkable Proofs, EuroProofNet​​ School on Natural Formal​​​‌ Mathematics, University of Bonn,​ Germany
• Stephan Merz :​‌ The TLA+ Framework​​ – From High-Level Specifications​​​‌ to Distributed Programs, 20th​ Intl. Conf. Integrated Formal​‌ Methods, Paris, France.​​
• Christoph Weidenbach : Cars,​​​‌ Wine, Logic & more.​ Weidenbach60, Stuttgart, Germany.​‌

10.1.5 Leadership within the​​ scientific community

• Julie Cailler​​​‌ :
  • Co-chairperson of the​ LVP (Langages et​‌ Vérification de Programmes)​​ group of GDR GPL.​​​‌
• Stephan Merz :
  • chair​ of the TLA+​‌ Specification Language Committee,
  • member​​ of the Governing Board​​​‌ of the TLA+​ Foundation,
  • member of IFIP​‌ WG 2.2 (Formal Specification​​ of Programming Concepts).
• Thomas​​​‌ Sturm :
  • advisory positions​ in the EPRSC Projects​‌ EP/T015748/1 and EP/T015713/1, UK,​​
  • SC-Square steering committee member,​​​‌ invited in 2023.
• Sophie​ Tourret :
  • CADE trustee,​‌ elected in 2022, reelected​​ in 2025,
  • PAAR workshop​​​‌ steering committee member, invited​ in 2020,
  • Ex-officio SMT​‌ trustee for 2025,
  • SAT/SMT/AR​​ coordination committee member, invited​​​‌ in 2024.
• Uwe Waldmann​ :
  • CADE trustee, ex-officio​‌ in 2024, elected in​​ 2025,
  • co-speaker of GI​​​‌ FG Deduktionssysteme.
• Christoph Weidenbach​ :
  • president of AAR,​‌
  • FroCos steering committee member.​​

10.1.6 Scientific expertise

• Stephan​​​‌ Merz : assessment of​ a promotion request at​‌ the University of Delaware,​​ U.S.A.
• Sophie Tourret :​​​‌ reviewer for a project​ submitted to the Israel​‌ Science Foundation.

10.1.7 Research​​ administration

• Horatiu Cirstea :​​​‌
  • member of the hiring​ committee for an associate​‌ professor position at Toulouse​​ INP - ENSEEIHT /​​​‌ IRIT.
• Stephan Merz :​
  • coach for ERC project​‌ applications at Inria,
  • scientific​​ referent for European affairs​​​‌ (project REIL) at University​ of Lorraine,
  • member of​‌ the bureau du comité​​ des projets at Inria​​ Nancy,
  • chairman of the​​​‌ hiring committee for an‌ associate professor position at‌​‌ IDMC, University of Lorraine.​​
• Sophie Tourret :
  • EuroProofNet​​​‌ European COST action core‌ member, deputy leader of‌​‌ working group 2 on​​ automated theorem provers,
  • member​​​‌ of the doctoral commission‌ of Inria centre at‌​‌ University of Lorraine,
  • member​​ of the hiring committee​​​‌ for an associate professor‌ position at Polytech Paris-Saclay,‌​‌
  • member of the Bill​​ McCune PhD Award committee.​​​‌
• Uwe Waldmann :
  • member‌ of MPG CIS W2‌​‌ tenure track selection committees​​ 2024/2025 and 2025/2026,
  • ombudsperson​​​‌ of MPI-INF.

10.2.1 Teaching

The​​​‌ university employees of VeriDis‌ have a statutory teaching‌​‌ obligation of 192 hours​​ per year. We only​​​‌ list the teaching activities‌ at the master level.‌​‌

• Master: Julie Cailler ,​​ Software engineering, 20 HETD,​​​‌ 2A (M1), ENSEM, France.‌
• Master: Horatiu Cirstea ,‌​‌ Programming paradigms, 32 HETD,​​ M2 Informatique, Université de​​​‌ Lorraine, France.
• Master: Horatiu‌ Cirstea , Software analysis‌​‌ and design, 80 HETD,​​ M1 informatique, Université de​​​‌ Lorraine, France.
• Master: Horatiu‌ Cirstea , Software engineering,‌​‌ 50 HETD, 2A (M1),​​ ENSEM, Université de Lorraine,​​​‌ France.
• Master: Marie Duflot-Kremer‌ , Using unplugged activities‌​‌ to pass on computer​​ science concepts to students,​​​‌ 35 HETD, master for‌ future teachers, Université de‌​‌ Lorraine, France
• Master: Marie​​ Duflot-Kremer , Elements of​​​‌ model checking, 16 HETD,‌ M2 Informatique, Université de‌​‌ Lorraine, France.
• Master: Marie​​ Duflot-Kremer , Distributed algorithms,​​​‌ 15 HETD, M1 Informatique,‌ Université de Lorraine, France.‌​‌
• Master: Marie Duflot-Kremer and​​ Engel Lefaucheux, supervision of​​​‌ 3 students in a‌ short initiation à la‌​‌ recherche internship, M1, Université​​ de Lorraine
• Master: Dominique​​​‌ Méry , Formal Modeling‌ for Software-based Systems 40‌​‌ HETD, M2 Informatique, Université​​ de Lorraine, France.
• Master:​​​‌ Dominique Méry , Models‌ and algorithms, M1 Telecom‌​‌ Nancy, 48 HETD, Université​​ de Lorraine, France.
• Master:​​​‌ Dominique Méry , Formal‌ Modeling for Software-based Systems,‌​‌ M2 Telecom Nancy, 24​​ HETD, Université de Lorraine,​​​‌ France.
• Master: Stephan Merz‌ , Elements of model‌​‌ checking, 16 HETD, M2​​ Informatique, Université de Lorraine,​​​‌ France.
• Master: Stephan Merz‌ , Distributed algorithms, 15‌​‌ HETD, M1 Informatique, Université​​ de Lorraine, France.
• Master:​​​‌ Stephan Merz , Secure‌ Coding, M1 Mines Nancy,‌​‌ 13 HETD, Université de​​ Lorraine, France.
• Master: Thomas​​​‌ Sturm , Decision Procedures‌ for Specific Theories (Seminar),‌​‌ Universität des Saarlandes, Germany.​​
• Master: Sophie Tourret ,​​​‌ Secure Coding, M1 Mines‌ Nancy, 13 HETD, Université‌​‌ de Lorraine, France.
• Master:​​ Martin Vassor , Distributed​​​‌ Algorithms, 16HETD, 4th years,‌ Polytech Nancy, Université de‌​‌ Lorraine, France.
• Master: Martin​​ Vassor , Foundation of​​​‌ Cybersecurity, 24.5HETD, 2A, Mines‌ Nancy, Université de Lorraine,‌​‌ France.
• Master: Martin Vassor​​ , Python for engineers,​​​‌ 40.5 HETD, 2A and‌ 3A, Mines Nancy, Université‌​‌ de Lorraine, France.
• Master:​​ Uwe Waldmann , Automated​​​‌ Reasoning, 60 HETD, Universität‌ des Saarlandes, Germany.
• Master:‌​‌ Christoph Weidenbach , Competitive​​ Programming, 60 HETD, Universität​​​‌ des Saarlandes, Germany.
• Master:‌ Christoph Weidenbach , Automated‌​‌ Reasoning, 60 HETD, Universität​​ des Saarlandes, Germany.
• Master:​​​‌ Christoph Weidenbach , Decision‌ Procedures for Specific Theories‌​‌ (Seminar), Universität des Saarlandes,​​​‌ Germany.

10.2.2 Supervision

• PhD​ completed: Thomas Bagrel ,​‌ Formalization and Implementation of​​ Safe Destination Passing in​​​‌ Functional Programming Languages 32​. University of Lorraine.​‌ Supervised by Horatiu Cirstea​​ , since April 2022,​​​‌ defended in November 2025.​
• PhD completed: Martin Desharnais​‌ , Verification in Isabelle/HOL​​ of automated reasoning results​​​‌ 33, MPI for​ Informatics, Saarland University. Supervised​‌ by Jasmin Blanchette, Martin​​ Bromberger , Sophie Tourret​​​‌ and Christoph Weidenbach ,​ since August 2021, defended​‌ in January 2025.
• PhD​​ completed: Hendrik Leidinger ,​​​‌ SCL(EQ): Simple Clause Learning​ in First-Order Logic with​‌ Equality 34. Supervised​​ by Christoph Weidenbach ,​​​‌ defended in June 2025.​
• PhD in progress: Ghilain​‌ Bergeron , Generating distributed​​ programs from formal specifications.​​​‌ University of Lorraine. Supervised​ by Horatiu Cirstea and​‌ Stephan Merz , since​​ October 2023.
• PhD in​​​‌ progress: Yasmine Briefs ,​ A Unifiying Reasoning Framework​‌ for SAT, SMT and​​ First-Order Logic. Supervised by​​​‌ Christoph Weidenbach , since​ April 2025.
• PhD in​‌ progress: Alessio Coltellacci ,​​ Reconstructing SMT Proofs in​​​‌ Lambdapi. Supervised by Stephan​ Merz , since January​‌ 2023.
• PhD in progress:​​ Sarah Dépernet , Model-checking​​​‌ security properties on Timed​ automata. Supervised by Engel​‌ Lefaucheux and Stephan Merz​​ , since September 2024.​​​‌
• PhD in progress: Florent​ Krasnopol , Automated Theorem​‌ Proving over the Reals​​ for Reasoning on Quantum​​​‌ Circuits. Supervised by Julie​ Cailler , Sophie Tourret​‌ , and Stephan Merz​​ , since September 2025.​​​‌
• PhD in progress: Lorenz​ Leutgeb , Automated Reasoning​‌ about Constraint Horn Clauses.​​ Supervised by Christoph Weidenbach​​​‌ , since October 2022.​
• PhD in progress: Simon​‌ Schwarz , Automatic Reasoning​​ for Security. Supervised by​​​‌ Thomas Sturm and Christoph​ Weidenbach , since October​‌ 2022.
• PhD in progress:​​ Mohamed Amine Snoussi ,​​​‌ Reengineering of an Industrial​ Communication Protocol. Supervised by​‌ Marie Duflot-Kremer , Engel​​ Lefaucheux , and Stephan​​​‌ Merz , since May​ 2023.
• PhD in progress:​‌ Vincent Trélat , Higher-Order​​ SMT Solving for Proof​​​‌ Obligations in Set Theory.​ University of Lorraine. Supervised​‌ by Stephan Merz and​​ Sophie Tourret , since​​​‌ October 2023.
• Master completed:​ Yasmine Briefs , Formalizing​‌ CDCL(T). Supervised by Christoph​​ Weidenbach , March 2025.​​​‌
• Bachelor completed: Christian Michel​ , SCL(FOL) with Propositional​‌ Abstraction. Supervised by Christoph​​ Weidenbach , February 2025.​​​‌
• Master internship in progress:​ Tiago Campos Ferreira ,​‌ Integrating SMT-based abduction in​​ the proof assistant Isabelle/HOL,​​​‌ since October 2025. Supervised​ by Sophie Tourret .​‌
• Master internship: Lucas Villaume​​ , Formalisation and verification​​​‌ of a train scheduler​ in TLA+,​‌ Spring semester 2025. Supervised​​ by Martin Vassor .​​​‌
• Bachelor internship: Volkan Burakcin​ , Correctness proof of​‌ Raft, Spring semester 2025.​​ Supervised by Stephan Merz​​​‌ .
• Bachelor internship: Baptiste​ Diedler , Degradation of​‌ stochastic systems, Spring semester​​ 2025. Supervised by Marie​​​‌ Duflot-Kremer and Engel Lefaucheux​ .
• Bachelor internship: Bastien​‌ Pichet , Degradation of​​ stochastic systems, Spring semester​​​‌ 2025. Supervised by Marie​ Duflot-Kremer and Engel Lefaucheux​‌ .

10.2.3 Juries

• Julie​​ Cailler was a member​​​‌ of the jury for​ the French national high​‌ school teacher competitive exam​​ in computer science (CAPES​​ NSI).
• Marie Duflot-Kremer was​​​‌ a member of the‌ board (secrétaire générale) of‌​‌ the jury for the​​ French national high school​​​‌ teacher competitive exam in‌ computer science (CAPES NSI).‌​‌
• Stephan Merz was a​​ reviewer and member of​​​‌ the PhD committees of‌ theses at IPP Paris,‌​‌ University of Saclay, and​​ University of Strasbourg.

10.2.4​​​‌ Educational and pedagogical outreach‌

• Julie Cailler , Marie‌​‌ Duflot-Kremer , and Sophie​​ Tourret gave a talk​​​‌ and a lab session‌ on formal verification for‌​‌ a training program for​​ teachers in France (PNF),​​​‌ Nancy.
• Marie Duflot-Kremer gave‌
  • two talks and activities‌​‌ on unplugged computer science​​ for a training program​​​‌ for teachers in France‌ (PNF), online,
  • one workshop‌​‌ at a séminaire de​​ pédagogie universitaire on including​​​‌ unplugged activities in a‌ computer science curriculum, Université‌​‌ de Lorraine, Nancy.
  • a​​ talk about popularization activities​​​‌ at the annual day‌ of LIP6 lab, Paris.‌​‌
  • a talk about popularization​​ activities at the new​​​‌ staff Inria seminar, Strasbourg.‌
• Stephan Merz gave a‌​‌ lecture (6 hours) on​​ Specifying and Verifying Algorithms​​​‌ in TLA+ at‌ the VTSA summer school‌​‌ in Liège, Belgium.
• Sophie​​ Tourret gave
  • a lecture​​​‌ at the SAT/SMT/AR summer‌ school 2025 (St Andrews,‌​‌ Scotland), and
  • a talk​​ at the CP/SAT Doctoral​​​‌ Program 2025 (Glasgow, Scotland).‌

10.3.1 Specific‌​‌ official responsibilities in science​​ outreach structures

• Julie Cailler​​​‌ and Marie Duflot-Kremer co-organized‌ Le stage des cigognes‌​‌, a one week​​ experience of research in​​​‌ maths and computer science‌ for high school girls.‌​‌
• Marie Duflot-Kremer is the​​ deputy vice-president for outreach​​​‌ activities in the supervisory‌ council of SIF (‌​‌Société Informatique de France​​).
• Thomas Sturm was​​​‌ involved in the organization‌ of the scientific training‌​‌ of the German team​​ for the International Olympiad​​​‌ in Informatics (IOI).
• Christoph‌ Weidenbach is the head‌​‌ of the steering committee​​ of the German Computer​​​‌ Science Competition for High‌ School Students (BWINF) and‌​‌ a co-organizer and the​​ president of the jury​​​‌ of the final round,‌ which took place in‌​‌ Munich in September 2025.​​ Thomas Sturm was a​​​‌ member of that jury.‌

10.3.2 Participation in Live‌​‌ events

• Marie Duflot-Kremer :​​
  • Journée décodeuses du numérique​​​‌, unplugged activities workshop,‌ organized by CNRS, Paris,‌​‌
  • Journées filles et sciences​​, unplugged activities workshop​​​‌ for secondary school girls,‌ lycée Loritz, Nancy,
  • Mathematics‌​‌ week, presentation of outreach​​ unplugged activities for teachers,​​​‌ rectorat de Nancy,
  • one‌ day of training secondary‌​‌ school students and two​​ live shows of informagic​​​‌ for 300 and 400‌ students, lycée Vauban, Luxembourg,‌​‌
  • Journées du matrimoine,​​ explaining research in formal​​​‌ verification, Jarville,
  • a popularization‌ tour with 12 workshops‌​‌ ranging from kindergarden to​​ secondary school audience over​​​‌ 4 days, Montereau-Fault-Yonne,
  • a‌ talk for general audience‌​‌ on unplugged activities, Montereau-Fault-Yonne,​​
  • Journée d'initiative citoyenne en​​​‌ faveur de l'égalité femmes-hommes‌, a short talk‌​‌ on women in science,​​ Vandœuvre-lès-Nancy,
  • two days of​​​‌ fête de la science‌, training and supervising‌​‌ first year students realizing​​ unplugged computer science workshops​​​‌ for a general audience,‌ Université de Lorraine, Vandœuvre-lès-Nancy,‌​‌

10.3.3 Other activities related​​​‌ to science outreach

• Julie​ Cailler :
  • Chiche: 1​‌ scientifique, 1 classe
  • MATh.en.JEANS​​
• Marie Duflot-Kremer :
  • Chiche:​​​‌ 1 scientifique, 1 classe​, 4 talks to​‌ secondary school students, Fameck,​​
  • referent researcher of a​​​‌ group of secondary school​ kids doing research for​‌ the Math.en.JEANS program.

International journals

• 12​​ articleR.Rosalie Defourné​​. Encoding TLA+ proof​​​‌ obligations safely for SMT‌.Science of Computer‌​‌ Programming239103178January​​ 2025HALDOI
• 13​​​‌ articleN.Nicolas Faroß‌ and S.Simon Schwarz‌​‌. Gröbner Bases for​​ Boolean Function Minimization.​​​‌Mathematics in Computer Science‌1912025,‌​‌ 7HALDOIback​​ to text

International peer-reviewed​​​‌ conferences

• 14 inproceedingsP.‌ A.Parosh Aziz Abdulla‌​‌, M. F.Mohamed​​ Faouzi Atig, J.​​​‌Julie Cailler, C.‌Chencheng Liang and P.‌​‌Philipp Rümmer. When​​ GNNs Met a Word​​​‌ Equations Solver: Learning to‌ Rank Equations.FroCoS‌​‌ 202515979Lecture Notes​​ in Computer ScienceReykavik,​​​‌ IcelandSpringer Nature Switzerland‌September 2025, 327-345‌​‌HALDOIback to​​ text
• 15 inproceedingsT.​​​‌Thomas Bagrel and A.‌Arnaud Spiwack. Destination‌​‌ Calculus: A Linear λ-Calculus​​ for Purely Functional Memory​​​‌ Writes.Proceedings of‌ the ACM on Programming‌​‌ Languages, Volume 9, Issue​​ OOPSLA1Article No.: 89, Pages​​​‌ 253 - 279OOPSLA‌ 2025 - ACM Conference‌​‌ on Object Oriented Programming​​ Systems Languages and Applications​​​‌9OOPSLA1Singapore, Singapore‌ACMApril 2025,‌​‌ 253-279HALDOIback​​ to text
• 16 inproceedings​​​‌A.Adam Barwell,‌ P.Ping Hou,‌​‌ M.Martin Vassor and​​ N.Nobuko Yoshida.​​​‌ Encoding Choice and Replication‌ in roll-π.International‌​‌ Conference on Reversible Computation​​International Conference on Reversible​​​‌ Computation15716Lecture Notes‌ in Computer ScienceOdense‌​‌ (Danemark), DenmarkJune 2025​​, 27-36HALDOI​​​‌back to text
• 17‌ inproceedingsG.Ghilain Bergeron‌​‌, F.Florent Krasnopol​​ and S.Sophie Tourret​​​‌. Formalizing Splitting in‌ Isabelle/HOL.ITP 2025‌​‌ - 16th International Conference​​ on Interactive Theorem Proving​​​‌Reykjavik, IcelandSchloss Dagstuhl‌ – Leibniz-Zentrum für Informatik‌​‌2025HALDOIback​​ to text
• 18 inproceedings​​​‌N.Nathalie Bertrand,‌ L.Loïc Hélouët,‌​‌ E.Engel Lefaucheux and​​ L.Luca Paparazzo.​​​‌ Reachability in multi-agent transfer‌ systems.VMCAI 2026‌​‌ - 27th International Conference​​ on Verification, Model Checking,​​​‌ and Abstract InterpretationLNCS‌Rennes, France2026HAL‌​‌
• 19 inproceedingsM.Martin​​ Bromberger, M.Martin​​​‌ Desharnais and C.Christoph‌ Weidenbach. A Stepwise‌​‌ Refinement Proof that SCL(FOL)​​ Simulates Ground Ordered Resolution​​​‌.Automated Deduction –‌ CADE 30: 30th International‌​‌ Conference on Automated Deduction,​​ Stuttgart, Germany, July 28-31,​​​‌ 2025, Proceedings15943Stuttgart,‌ GermanyJuly 2025HAL‌​‌back to text
• 20​​ inproceedingsA.Alessio Coltellacci​​​‌ and S.Stephan Merz‌. Checking Linear Integer‌​‌ Arithmetic Proofs in Lambdapi​​.FroCoS 2025 -​​​‌ 15th International Symposium Frontiers‌ of Combining Systems15979‌​‌Lecture Notes in Computer​​ ScienceReykjavik, IcelandSpringer​​​‌ Nature Switzerland2025,‌ 367-385HALDOIback‌​‌ to text
• 21 inproceedings​​I.I Dramnesc,​​​‌ E.E Abraham,‌ N.N Fachantidis,‌​‌ T.T Jebelean,​​ G.G Kusper and​​​‌ S.Sorin Stratulat.‌ AIROBO: A EUROPEAN PROJECT‌​‌ FOR SOFTWARE ENGINEERS.​​EDULEARN 2025 - 17th​​​‌ International Conference on Education‌ and New Learning Technologies‌​‌EDULEARN25 ProceedingsPalma De​​ Majorque, SpainJune 2025​​​‌, 1221-1228HALDOI‌
• 22 inproceedingsI.Isabela‌​‌ Dramnesc, E.Erika​​​‌ Abraham, N.Nikolaos​ Fachantidis, T.Tudor​‌ Jebelean, G.Gabor​​ Kusper and S.Sorin​​​‌ Stratulat. AiRobo: A​ EU Project on Artificial​‌ Intelligence and Robotics for​​ Higher Education.ED-MEDIA​​​‌ 2025 - EdMedia +​ Innovate LearningED-MEDIA 2025​‌ - EdMedia + Innovate​​ LearningBarcelona, SpainMay​​​‌ 2025, 1198-1203HAL​
• 23 inproceedingsN.Nicolas​‌ Faroß and T.Thomas​​ Sturm. On the​​​‌ Number of Real Types​ of Univariate Polynomials.​‌ISSAC '25: Proceedings of​​ the 2025 International Symposium​​​‌ on Symbolic and Algebraic​ ComputationISSAC 2025 -​‌ 50th International Symposium on​​ Symbolic and Algebraic Computation​​​‌Guanajuato, MexicoACMNovember​ 2025, 62-69HAL​‌DOIback to text​​
• 24 inproceedingsS.Simon​​​‌ Guilloud, J.Julie​ Cailler, A.Auguste​‌ Poiroux, Y.Yann​​ Herklotz, T.Thomas​​​‌ Bourgeat and V.Viktor​ Kunčak. Interoperability of​‌ Proof Systems with SC-TPTP​​.CADE 30 -​​​‌ 30th International Conference on​ Automated Deduction15943Lecture​‌ Notes in Computer Science​​Stuttgart, GermanySpringer Nature​​​‌ SwitzerlandJuly 2025,​ 325-340HALDOIback​‌ to text
• 25 inproceedings​​H.Hendrik Leidinger and​​​‌ C.Christoph Weidenbach.​ Computing Ground Congruence Classes​‌.Automated Deduction –​​ CADE 30: 30th International​​​‌ Conference on Automated Deduction,​ Stuttgart, Germany, July 28-31,​‌ 2025, Proceedings15943Stuttgart,​​ GermanyJuly 2025HAL​​​‌back to text
• 26​ inproceedingsBest paperV.​‌Vincent Trélat. Safely​​ Encoding B Proof Obligations​​​‌ in SMT-LIB.Lecture​ Notes in Computer Science​‌Rigorous State-Based Methods –​​ 11th International Conference, ABZ​​​‌ 202515728Düsseldorf, Germany​SpringerJune 2025,​‌ 52-69HALDOIback​​ to textback to​​​‌ text

Conferences without proceedings​

• 27 inproceedingsG.Ghilain​‌ Bergeron, H.Horatiu​​ Cirstea and S.Stephan​​​‌ Merz. Towards a​ verified compiler for Distributed​‌ PlusCal.11th International​​ Workshop on Rewriting Techniques​​​‌ for Program Transformations and​ EvaluationBirmingham, United Kingdom​‌July 2025HALback​​ to text
• 28 inproceedings​​​‌S.Stephan Merz.​ Invariant Synthesis: Decidable Fragments​‌ to the Rescue.​​First-Order Reasoning, Below and​​​‌ Beyond: Workshop in Honor​ of Christoph Weidenbach's 60th​‌ BirthdayStuttgart, GermanyAugust​​ 2025HAL

Scientific book​​​‌ chapters

• 29 inbookI.​Ivan Lanese, C.​‌ A.Claudio Antares Mezzina​​ and M.Martin Vassor​​​‌. Bounded Reversibility in​ HOπ.16065Components​‌ Operationally: Reversibility and System​​ Engineering. Essays Dedicated to​​​‌ Jean-Bernard Stefani on the​ Occasion of His 65th​‌ BirthdayLecture Notes in​​ Computer ScienceSpringer Nature​​​‌ SwitzerlandOctober 2025,​ 24-45HALDOIback​‌ to text

Edition (books,​​ proceedings, special issue of​​​‌ a journal)

• 30 proceedings​C.Clark Barrett and​‌ U.Uwe Waldmann,​​ eds. Automated Deduction –​​​‌ CADE 30.30th​ International Conference on Automated​‌ Deduction15943Lecture Notes​​ in Computer ScienceStuttgart,​​​‌ Germany, GermanySpringer Nature​ Switzerland; Springer2025HAL​‌DOI
• 31 proceedingsFrontiers​​ of Combining Systems. 15th​​​‌ International Symposium, FroCoS 2025,​ Reykjavik, Iceland, September 29​‌ – October 1, 2025,​​ Proceedings.15th International​​​‌ Symposium Frontiers of Combining​ Systems15979Lecture Notes​‌ in Computer ScienceReykjavik,​​ IcelandSpringer Nature Switzerland​​2026HALDOI

Doctoral​​​‌ dissertations and habilitation theses‌

• 32 thesisT.Thomas‌​‌ Bagrel. Formalization and​​ Implementation of Safe Destination​​​‌ Passing in Pure Functional‌ Programming Settings.LORIA‌​‌ (Université de Lorraine, CNRS,​​ INRIA)November 2025HAL​​​‌back to textback‌ to textback to‌​‌ textback to text​​
• 33 thesisM.Martin​​​‌ Desharnais. Formal verification‌ of logical calculi and‌​‌ simulations in Isabelle/HOL.​​MPI for InformaticsJanuary​​​‌ 2025HALback to‌ text
• 34 thesisH.‌​‌Hendrik Leidinger. SCL(EQ):​​ Simple clause learning in​​​‌ first-order logic with equality‌.MPI for Informatics‌​‌May 2025HALback​​ to text

Reports &​​​‌ preprints

• 35 miscN.‌Nathalie Bertrand, L.‌​‌Loïc Hélouët, E.​​Engel Lefaucheux and L.​​​‌Luca Paparazzo. Reachability‌ in multi-agent transfer systems‌​‌ (Extended Version).November​​ 2025HALback to​​​‌ text
• 36 miscN.‌Nicolas Faroß and T.‌​‌Thomas Sturm. On​​ the Number of Real​​​‌ Types of Univariate Polynomials‌.2025HALDOI‌​‌

Scientific popularization

• 37 misc​​D.Dominique Méry.​​​‌ Teaching formal techniques with‌ Event-B and Rodin ⋆‌​‌.May 2025HAL​​back to text