The research in Moscova centers around the theory and practice of concurrent programming in the context of distributed and mobile systems. The ambitious long-term goal of this research is the programming of the web or, more generally, the programming of global computations on top of wide-area networks.
The scientific focus of the project-team is the design of programming languages and the analysis and conception of constructs for security. While there have been decades of work on concurrent programming, concurrent programming is still delicate. Moreover new problems arise from environments now present with the common use of the Internet, since distributed systems have become heavily extendible and reconfigurable.
The design of a good language for concurrency, distribution and mobility remains an open problem. On one hand, industrial languages such as Java and
C#allow downloading of programs, but do not permit migrations of active programs. On the other hand, several prototype languages (Facile
, Obliq, Nomadic Pict
, Jocaml, etc) have been designed; experimental implementations have also been derived from formal models
(Join-calculus, Ambients, Klaim, Acute, etc). None of these prototypes has yet the status of a real programming language.
A major obstacle to the wide deployment of these prototype languages is the security concerns raised by computing in open environments. The security research adressed in our project-team is targeted to programming languages. It is firstly concerned by type-safe marshalling for communicating data between different runtimes of programming languages; it is also related to the definition of dynamic linking and rebinding in runtimes; it deals with versioning of libraries in programming languages; it is finally connected to access control to libraries and the safe usage of functions in these libraries.
We are also interested by theoretical frameworks and the design of programming constructs for transaction-based systems, which are relevant in a distributed environment. A theory of reversible process calculus has been studied in that direction.
On the software side, we pursue the development of Jocaml with additional constructs for object-oriented programming. Although the development of Jocaml is rather slow, due to the departure of several implementers and to interests in other topics, Jocaml remains one of our main objective in the next years.
The Acute prototype, developped jointly at U. of Cambridge and at INRIA, demonstrates the feasibility of our ideas in type-safe marshalling, dynamic binding and versioning; it is based on Fresh Ocaml, and the integration of these ideas in/with Jocaml will be also studied in the next years.
In 2005, Ma Qin and Guillaume Chatelet defended their PhD. Andrew Appel (Princeton University) started his sabbatical year in project Moscova. Pierre-Malo Deniélou is a new PhD student. We also had Prashant Kumar (IIT Kanpur), intern with J. Krivine, and Sylvain Pradalier (ENS Cachan) who started a work on the probabilistic -calculus with F. Zappa Nardelli for applications to biology.
Milner started the theory of concurrency in 1980 at Edinburgh. He proposed the calculus of communicating systems (CCS) as an algebra modeling interaction . This theory was amongst the most important to present a compositional process language. Furthermore, it included a novel definition of operational equivalence, which has been the source of many articles, most of them quite subtle. In 1989, R. Milner, J. Parrow and D. Walker introduced a new calculus, the pi-calculus, capable of handling reconfigurable systems. This theory has been refined by D. Sangiorgi (Edinburgh/INRIA Sophia/Bologna) and others. Many variants of the pi-calculus have been developed since 1989.
We developed a variant, called the Join-calculus , , a variant easier to implement in a distributed environment. Its purpose is to avoid the use of atomic broadcast to implement fair scheduling of processes. The Join-calculus allows concurrent and distributed programming, and simple communication between remote processes. It was designed with locations of processes and channels. It leads smoothly to the design and implementation of high-level languages which take into account low-level features such as the locations of objects.
The Join-calculus has higher-order channels as in the pi-calculus; channels names can be passed as values. However there are several restrictions: a channel name passed as argument cannot become a receiver; a receiver is permanent and has a single location, which allows one to identify channel names with their receivers. The loss of expressivity induced by these restrictions is compensated by joined receivers. A guard may wait on several receivers before triggering a new action. This is the way to achieve rendez-vous between processes. In fact, the notation of the Join-calculus is very near the natural description of distributed algorithms.
The second important feature of the Join-calculus is the concept of location. A location is a set of channels co-residing at the same place. The unit of migration is the location. Locations are structured as trees. When a location migrates, all of its sublocations move too.
The Join-calculus, renamed Jocaml, has been fully integrated into Ocaml. Locations and channels are new features; they may be manipulated by or can handle any Ocaml values. Unfortunately the newer versions of Ocaml do not support them. We are still planning for both systems to converge.
Types
are used in the theory of programming languages to guarantee (usually static) integrity of computations. Types are
also used for static analysis of programs. The theory of types is used in Moscova to ensure safety properties about abstract values exchanged by two run-time environments; to define inheritance on concurrent objects in current extensions of Jocaml; to guarantee access control policies in
Java- or
C#-like libraries.
The theory of Church lambda-calculus is considered in our work about dynamic access control to library functions. More specifically, the theory of the confluent history-based calculus defines a labeled lambda-calculus which is used both for access control in libraries and for the reversible pi-calculus.
Distributed programming with mobility appears in the programming of the web and in autonomous mobile systems. It can be used for customization of user interfaces and for communications between several clients. Telecommunications is an other example application, with active networks, hot reconfigurations, and intelligent systems. For instance, France Telecom (Lannion) designs a system programmed in mobile Erlang.
Acute is a test implementation of our current work on high-level programming languages for distributed computation. For motivation and a description of the language, see section .
The main priority for the implementation is to be rather close to the semantics, to make it easy to change as the definition changed, and easy to have reasonable confidence that the two agree, while being efficient enough to run moderate examples. An automated testing framework helps ensure the two are in sync.
The runtime is essentially an interpreter over the abstract syntax, finding redexes and performing reduction steps as in the semantics. For efficiency it uses closures and represents terms as pairs of an explicit evaluation context and the enclosed term to avoid having to re-traverse the whole term when finding redexes. Marshalled values are represented simply by a pretty-print of their abstract syntax. Numeric hashes use a hash function applied to a pretty-print of their body; it is thus important for this pretty-print to be canonical, choosing bound identifiers appropriately. Acute threads are reduced in turn, round-robin. A pool of OS threads is maintained for making blocking system calls. A genlib tool makes it easy to import (restricted versions of) Ocaml libraries, taking Ocaml .mli interface files and generating embeddings and projections between the Ocaml and internal Acute representations.
On top of Acute, we have written libraries for TCP connection management and string messaging, local and distributed channels, remote function invocation, as well as two bigger libraries that implement the mobility models of two process languages, namely Nomadic Pict and Mobile Ambients. Our experience suggests that our lightweight extension to ML suffices to enable sophisticated distributed infrastructure to be programmed as simple libraries.
Our prototype consists of about 25 000 lines of code and is written in FreshOcaml, a variant of INRIA's Ocaml with support for automatic alpha conversion. Acute is distributed online in source form from http://www.cl.cam.ac.uk/users/pes20/acute/.
Luc Maranget continued his long-term effort of a new version of JoCaml, the implementation of the join-calculus integrated into Ocaml. A branch from the source tree of Ocaml now does exist. The branch includes all the necessary additions to the standard Ocaml compiler and to the runtime system.
Most of the compiler modifications had been completed in 2004, as well as a specific JoCaml library on top of the Ocaml threads. In the previous version of this prototype, the was no support for distributed computing, i.e. no synchronization between remote programs. Only concurrent threads in the same program were supported. In 2005, there was progress in the development of a more avanced prototype, with extended support for distributed programming.
The most significant addition is a specific serialization (or marshalling) library. This library is required to pass values between runtimes on different computers. Those routines are specific in the sense that they have to replace communication channels by forwarders and manage channel names on a global basis. Part of the JoCaml library is now written in the JoCaml language, including a specific channel servicelibrary that can be used by programs to publish channels on which they accept to provide a service.
The current implementation is now mature to be released as a beta version in 2006, this was not possible in 2005 by lack of time to write the proper documentation.
The work on warning messages for pattern matching in the Ocaml compiler (see the 2003-2004 reports) has been sent for journal publication in january 2005. This articles also covers pattern matching for lazy languages (Haskell) and or-patternsfor efficient disjunctive patterns. These warning diagnostics have been implemented by Luc Maranget in the current Ocaml releases. .
Hevea, first released in 1997, is a fast translator from
Hevea consists of 20000 lines of Ocaml and 5000 lines of package sources written in ``almost
In the context of hevea, style-sheets allow users more control over the final appearance of their documents, they also provide Hevea with additional expressivity.
Using Unicode characters specifications makes Hevea output more compliant with published standards. Notice that it was necessary to wait for mainstream browsers to implement those standards, before Hevea was able to follow standards.
dvixis a new implementation of ActiveDVI, a programmable viewer for DVI files developed by the Cristalproject-team at INRIA Rocquencourt. It improves the original one by (among other things) providing faster rendering of postscript specials, and by being compatible with Windows and MacOs. A pre-alpha version is being tested (about 48000 lines of Ocaml and C code), and the software should be completed and distributed in the next few months.
When describing new programming languages or calculi, it is common to advance on two fronts in parallel. A written description of the language is always needed, both to be reasoned upon and for presentation. An implementation of the theory is useful for experimentation as well as proof of feasability. Maintaining consistency between the two approaches can be painful. Gilles Peskine is working on a tool that can produce both a readable description of operational semantics and a working interpreter (in Objective Caml). This is work in progress.
This work addresses the design of distributed languages. Our focus is on the higher-order, typed, call-by-value programming of the ML tradition: we concentrate on what must be added to ML-like languages to support typed distributed programming. We explore the design space and define and implement a programming language, Acute (see section ).
This builds on previous work done by James J. Leifer, Gilles Peskine (INRIA), Peter Sewell, Keith Wansbrough (U. of Cambridge), published in ICFP 2003. The present work extends the theory to contend with the challenge of integrating with an ML like programming language. This requires a synthesis of novel and existing features.
Type-safe marshalling demands a notion of type identity that makes sense across multiple versions of differing programs. For concrete types this is conceptually straightforward, but with abstract types more care is necessary. We generate globally-meaningful type names either by hashing module definitions, taking their dependencies into account; freshly at compile-time; or freshly at run-time. The first two enable different builds or different programs to share abstract type names, by sharing their module source code or object code respectively; the last is needed to protect the invariants of modules with effect-full initialisation.
Dynamic linking and rebinding to local resources in the setting of a language with an ML-like second-class module system raises many questions: of how to specify which resources should be shipped with a marshalled value and which dynamically rebound; what evaluation strategy to use; when rebinding takes effect; and what to rebind to. For Acute we make interim choices, reasonably simple and sufficient to bring out the typing and versioning issues involved in rebinding, which here is at the granularity of module identifiers. A running Acute program consists roughly of a sequence of module definitions (of ML structures), imports of modules with specified signatures, which may or may not be linked, and marks which indicate where rebinding can take effect; together with running processes and a shared store.
Globally-meaningful expression-level names are needed for type-safe interaction, e.g. for communication channel names or RPC handles. They can also be constructed as hashes or created fresh at compile time or run time; we show how these support several important idioms. The polytypic support and swap operations of Shinwell, Pitts and Gabbay's FreshOcaml are included to support renaming of local names occuring inside of values during communication.
In a single-program development process one ensures the executable is built from a coherent set of versions of its modules by controlling static linking often by building from a single source tree. With dynamic linking and rebinding more support is required: we add versions and version constraints to modules and imports respectively. Allowing these to refer to module names gives flexibility over whether code consumers or producers have control.
Local concurrency is important for distributed programming. Acute provides a minimal level of support, with threads, mutexes and condition variables. Local messaging libraries can be coded up using these, though in a production implementation they might be built-in for performance. We also provide thunkification, allowing a collection of threads (and mutexes and condition variables) to be captured as a thunk that can then be marshalled and communicated (or stored); this enables various constructs for mobility to be coded up.
We deal with the interplay among these features and the core, in particular with the subtle interplay between versions, modules, imports, and type identity, requiring additional structure in modules and imports. We develop a semantic definition that tracks abstraction boundaries, global names, and hashes throughout compilation and execution, but which still admits an efficient implementation strategy.
The definition is too large to make proofs of the properties feasible with the available resources and tools. To increase confidence in both semantics and implementation, therefore, our implementation can optionally type-check the entire configuration after each reduction step. Our strategy has been to synchronise the development of the formal specification of the Acute language with that of its implementation [...crossreflogicielsacute..]. As a result we have been able to quickly discovered and fixed errors in the type-system and in the run-time semantics.
The specification of Acute, together with a discussion of the design rationale, is avaliable as an INRIA Research Report . A paper describing our design principles decisions was published in the International Conference on Functional Programming.
Ensuring the coherency that the global state of a concurrent system is often difficult: locking mechanisms are commonly used to prevent interference, but they are no panacea and their use require a constant attention. In distributed systems this task is even more complicated: failures of machines and of network connections, the impossibility of relying on distributed locks, and the complex mechanisms to modify the local state of a remote machine require the implementation of complex protocols to update the remote states and, in some cases, to backtrack these updates.
Several researchers proposed software transactional memory footcitetrans-memory: groups of memory operations can then be performed atomically without explicitly requiring locking mechanisms. However their works are limited to the model of threads interacting through memory, and do not consider the questions of external interaction through storage systems or databases or, more generally, other machines.
Our investigation aims at designing, implementing, and proving correct, an infrastructure that offers distributed software transactional memory. The API exports operations to modify the local store, an rpc layer to interact with remote machines, and a keyword atomicthat ensures that all the memory accesses (both on the local and on the remote stores) are realised in a all-or-none fashion. The abortkeyword has the effect of interrupting the execution of the current atomic, undoing all the changes done both on the local and on the remote store. Atomic section can be nested, thus offering an expressive language for distributed transactions.
Our methodology consists in developing both a formal high-level operational semantics and a reference implementation. The high-level semantics is fundamental to identify and to reason about our design choices, and, since it abstracts from the implementation details, is useful to analyse some complex behaviours that may result from subtle interactions between nodes. The reference implementation (currently an Ocaml library) is used as a test-bed to ensure that the high-level semantics can be implemented safely and efficiently. The interaction between these two levels is a fruitful source of hints on how to proceed. A formal proof of the soundness of the reference implementation with respect to the high-level semantics will complete our research.
This ongoing research project is done in collaboration with Peter Sewell (U. of Cambridge).
In an effort to extend the former work presented in (the core calculus which developed into Acute), we worked on the addition of subtyping in order to study the future integration of objects or version handling in a full programming language. Our aim was to construct a type safe and abstraction safe core language including simple modules, some marshalling primitives, and a type system with subtyping (with structural subtyping resulting from records). To achieve this goal we used the the "colored brackets" of HAT to achieve a type preserving semantics that syntactically tracks a term's abstraction boundaries. Our goal was to remain as abstract as possible in treating record subtyping so that the semantic techniques developed should be easily generalizable.
Our resulting language is an extended lambda-calculus with tuples and records, a simple module system (with signatures to declare some types as abstract) and primitives for distributed computation such as marshalling. From the interaction between subtyping and abstract types, we included some richer features. First is the possibility to define partially abstracttypes, which are abstract types for which a supertype is known outside the module. We also allow abstract types to be declared explicitly as subtypes of each other through the extendsand restrictskeywords. This feature can be useful to declare some libraries as compatible with older versions for example. In these cases, we stated the minimal requirements that were necessary to guarantee the type safety and abstraction safety of the whole system.
These addition had consequences on the semantics of the language. For example, the complexity of the subtyping relation forced us to render all subtyping explicitly in the operational semantics. The semantic interactions between this explicit subtyping annotation and the color brackets was also the cause of a semantical change of the colour brackets: in our system as opposed as in Acute, they are additive, ie they do not denote a strict frontier of knowledge but only a privacy boundary that prevents the environment from illegitimately accessing the abstract data of a subexpression.
We have proved preservation, progress, and determinism for this system and we plan to extend this work with full polymorphism. We also would like to see part of this work implemented in Acute or another distributed language.
Gilles Peskine followed up on technical aspects of type safety for separately compiled programs in the presence of abstract types. The earlier work dealt with simple abstract types with obvious dependency chains. Subsequent work expanded on the core idea of using hashes to represent abstract types in a larger language incorporating common module features such as nesting, partial sealing, and both generative and applicative functors.
The calculus described in has such common features. However, only a type system is provided, with no run-time semantics hence no formal notion of safety. Abstract types cause some difficulty in defining a type-preserving run-time semantics as the equality between the abstract type and its implementation is sometimes visible and sometimes hidden. Hashes (or nonces in the generative case) annotating colored brackets, introduced to model dynamic type checks in a distributed setting, also help in providing a formal way to limit the scope of type equalities. A type-preserving semantics has been defined and is being proved for a language which gives a precise account of abstract types with the varying degrees of generativity found in diverse module calculi.
The new semantics has been achieved by modifying, and often simplifying, the existing calculus in several ways. The coexistence of generative functors and applicative functors lets the programmer decide whether to create abstract types each time the functor is applied (a good thing if the functor's code manipulates an exclusive resource such as a memory location or a hardware device) or to reuse the same abstract type when given equivalent arguments (a good thing if the functor implements a parametric data structure). Where earlier systems either provide only one behavior or require a notion of static impurity whose correct treatment by reduction is unclear, Gilles Peskine's system achieves this distinction with a single, easily-understood sealing construct.
Hashes of simple modules serve as universally valid names for the abstract types that they define. In the generative case, nonces are used for the same effect. Hashes and nonces have a pendant in the type system, namely singleton signatures: the singleton signature of a module is the signature of that and computationally equivalent modules. Whereas Dreyer et al. restrict module equivalent to type components, Gilles Peskine's system includes arbitrary higher-order singleton signatures, making it possible to track all module equalities (in particular between functor arguments) throughout the reduction process.
The provided run-time semantics treats generativity as a primitive, meaning that each build of an abstract type is incompatible with any other build. This is unsatisfactory in a distributed system, where modules built on different machines must be compatible when they provide location-independent functionnality (e.g., data structure modules). However, when an abstract type is only created once at each site, it is possible to create it in the same manner on each site (obtaining the same type independently), making the system suitable for distributed environments. Thus the system can model marshalling between separate runtimes of an ML-like language.
Ma Qin's thesis (started in September 2001, supervised by Pierre-Louis Curien, team PPS, CNRS, and Luc Maranget) Curien) has been completed and defended in October 2005 . The summary of her work is following (quoted from her dissertation):
It is widely acknowledged that concurrent programs are extremely difficult to get right. This dissertation aims to improve the situation by providing better language support for concurrent programming.
In our view, an ideal language for concurrent programming would be a multiparadigm one: besides high-level concurrency, it would also feature important (and well established) programming styles such as functional and object-oriented. More importantly, the ideal language should possess firm semantical foundations in mathematical models that favor formal understanding and reasoning.
This dissertation explores ideas in the design, formalism, and implementation issues of such a language. Attention is particularly paid to the theoretical core of the target language — the next release of JoCaml. As a response to the two weak points which we found either absent or poorly supported in current ongoing research work, we mainly focus on two directions: the interaction between concurrency and inheritance, and the interplay between pattern matching and synchronization. More specifically, we introduce an object-oriented extension of the join calculus for the first, and we propose an extension of the join calculus with algebraic pattern matching for the second. Both extensions are implemented (prototyped) in the context of the current JoCaml system.
In 2005, a solution to the problem of visibility control during inheritance has been sent for publication. We study the issue both at the object level and the class level, in the context of an object-oriented extension of the join calculus. At the object level, we improve a privacy mechanism proposed in prior work by defining a simpler chemical semantics with privacy control during execution. At the class level, we design a new hiding operation on classes, aimed at preventing part of parent classes from being visible in client (inheriting) classes. The formal semantics of our new operation has been defined in terms of -renaming of hidden names into fresh names, and its typing in terms of eliminating hidden names from class types. We proved the soundness property of the type system, as well as specific properties concerning hiding. Our motivation stems from language design to produce a practical programming language. As an evidence of significance, we implemented our model in a prototype system.
We have proposed a notion of distributed backtracking built on top of Milner's CCS . The backtracking mechanism was constructed as a distributed monitoring system meshing well with the specifics of the host calculus CCS. Backtrack needed not to involve any additional communication structure and we obtained a syntax, termed RCCS, for reversibleCCS, staying really close to ordinary CCS.
This reversible process algebra offers a clear-cut theoretical characterization of reversibility. In particular, given a process and a past, we showed that RCCS allows to backtrack along any causally equivalentpast. A similar notion of computation trace equivalence exists in -calculus which Lévy could characterize by a suitable labelling system . Thus, a pretty good summary of the theoretical status of this backtracking mechanism, is to say that RCCS is a Lévy labelling for CCS. Two reduction paths will be equivalent if and only if they lead to the same process in RCCS.
In its fully reversible setting, one cannot really use RCCS as a language for describing distributed consensus because there is no way of validating a decision. During the year 2005, we have studied and formalized the notion of transaction one obtains when integrating such irreversible action within RCCS . We also illustrated such formalism with a paradigmatic problem of distributed consensus .
More precisely, our work was to characterize, in Milner's sense, the visible behavior of a reversible process. It amounts to exhibit a labelled transition system (LTS) that is bisimilar to the RCCS term when we only observe irreversible actions. More precisely, given a CCS process
P, we defined its lift into RCCS semantics
K(
P), where the parameter
Kis a set of occurrences of irreversible actions. Our main contribution was to show that
K(
P)is bisimilar to the
K-causal LTSof
P. A
K-causal LTS is obtained by considering only minimal traces that may trigger actions in
K, i.e where every transition cannot commute with the final commit.
We showed that this theorem could be used for the design of transactional systems: the idea is to break down the distributed implementation of a given reference specification in two steps. First, one writes down a code which is only required to meet a weaker condition of correctness
relative to the specification (i.e whose
K-causal transition system is bisimilar to the specification). Second, the obtained code is lifted into RCCS and we can apply the theorem to reduce the correctness of the latter (partially) reversible code to the causal correctness of the former.
In many transactional examples, this structured programming method works well, and obtains codes which are smaller, and simpler to understand . It also seems interesting from a correctness perpective, since one never has to deal with the full state space, and it is enough to consider the much smaller state space of the forward code causal compression relative to observable actions. Thus it obtains codes which are also easier to prove correct. It is only natural then to ask whether and to which extent such indirect correctness proofs can be automated.
We have developped an Ocaml library that offers primitives to construct CCS processes and build their
K-causal transition system. Specifically we have implemented an algorithm, which, under certain rather mild assumptions about the system of interest, computes its causal compression relative to a choice of observables. To this aim we used Flow Event Structures
, which are suited to the handling of causal relationships between transitions, as an internal representation of
processes. By using event structures we could cumulate the compression effects from the non interleaved representation of processes (which is a classical verification technique), and the state space compression that is allowed by relaxing the full correctness condition to the correctness of
the
K-causal transition system.
In extensible virtual machines such as the JVM or the CLR, software components from various origins (applets, local libraries, ...) share the same local resources (CPU, files, ...) but not necessarily the same level of trust. We model access control in such semi-trusted environment in a minimal language based on the lambda-calculus. We aim at expressing in a unified framework a variety of known access control mechanisms.
The stack inspection is a dynamic access control mechanism that is used in the JVM and the CLR. Before accessing a sensitive resource, the call stack is inspected to check that every caller is allowed to access the resource. This mechanism is difficult to handle since it depends on the runtime stack, which is not statically known. Moreover, Fournet and Gordon showed that it is surprisingly hard to express what security property is guaranteed by stack inspection . With static analysis, one can garantee statically that such security defects will not occur .
Slight variants of stack inspection that guarantee a clearer security property were proposed by Fournet and Gordon . Abadi and Fournet also proposed another variant where a global history of executed calls replaces the stack .
Flow analysis provides another approach where secret data are not accessible to untrusted code . The Chinese Wall policy, described below, is another security policy which is inspired by interest conflicts , . Chinese Wall: initially, Alice may choose to communicate with Bob or Charlie; but once she communicated with Bob (resp. Charlie), she is not allowed anymore to communicate with Charlie (resp. Bob). This policy is inherently dynamic.
All these security mechanisms rely crucially on history of past events. To trace this history in the lambda-calculus, we use Lévy's labels: the labels of redexes keep track of the past interactions that created it . This causality history is expressive enough to code a variant of stack inspection , information flow or the Chinese Wall policy. More specifically, we formalise security properties in terms of causality, in a modal logic similar to the logic that Jensen, Le Métayer and Thorne used to statically analyse stack inspection by model-checking .
Contrary to static information flow analyses, the building of Lévy's labels is dynamic. We intend to (1) extend the labeled lambda-calculus with a dynamic test of labels and (2) provide a type system that approximates runtime labels. Such a type system could statically guarantee that a term verifies a security property.
Although the syntactic properties of the weak lambda-calculus did not receive great attention in the past decades, this theory is more relevant for the implementation of programming languages than the usual theory of the strong lambda-calculus. Contrary to the latter and similarly to lazy functional languages, the weak lambda-calculus does not validate the -rule i.e. the reduction under a lambda-abstraction. Without this rule, the weak lambda-calculus is not confluent. We based our labeled language on a variant of the weak lambda-calculus by the Çağman and Hindley for Combinatory Logic. In this variant, a new -rule is valid: it allows reductions under lambda-abstraction in subterms that do not contain a bound variable. This variant enjoys confluence.
We proposed a labeling of this language that expresses a confluent theory of reductions with sharing, independant of the reduction strategy. If the subterms of a term are initially labeled with distinct letters, then, after some steps of reduction, two subterms that have the same label are equal. This formal setting corresponds to the shared evaluation strategy by Wadsworth defined with dags in 1971. This work was published on the occasion of Jan Willem Klop's 60th birthday .
Properties and invariants of concurrent algorithms are most often described informally, using natural language. The application of formal methods, in particular those issued by semantics and concurrency theory, to the proof of properties of concurrent algorithms is a today necessary task, yet little efforts have been carried out in this direction.
In November Andrew Appel and Francesco Zappa Nardelli started a working group common to the Moscova and Cristal project-teams. Their long-term goal is to investigate how to use a theorem prover (namely Coq) to implement and prove the correctness of a simple (but subtle) algorithm for lock-free synchronisation . Several sub-tasks emerged and revealed interesting in their own. Among them, we point out the formalisation in Coq of a relaxed memory model and the use of separation logic as a tool to reason about programs with pointers.
There are about 20 different proof assistant systems for mechanized proofs. But several are better than others for safety proofs and soundness proofs of tools such as compilers. For instance Coq, Twelf and Isabelle/HOL seem more adequate. To make these systems usable by specialists of programming languages, it is useful that an expert in programming languages try these proofs in the different systems. With X. Leroy ( Cristal), we developed a small benchmark to compare these proof assistant systems for proof of correctness of compilers. We have two solutions based on Coq and Twelf and wrote a short article on this.
Another work by A. Appel is on the semantics of types with P.-A. Melliès (PPS), J. Vouillon (PPS) and Chris Richard (Princeton). This new semantics for types in programming languages for von Neumann machines will preserve better properties than previous works by Melliès, Vouillon and Appel et al.
J.-J. Lévy is co-supervisor, with Pierre Crégut (France Télécom, Lannion), of the doctoral work of Guillaume Chatelet, who is working on extensions of Erlang with primitives for mobility. This PhD is defended on January 20, 2006, at Ecole polytechnique.
In 2005, we started investigations to be member of the new laboratory between INRIA and Microsoft. With Cédric Fournet (MSR Cambridge), Gilles Barthe and Benjamin Grégoire (INRIA Sophia-Antipolis), we defined some research project about Provable Secure Distributed Computing. This project will start in 2006.
J.-J. Lévy co-organised, with K. Gopinath (IISc), a CIMPA-Unesco school on Security of Computer Systems and Networks, was held on January 25-February 5, 2005, in Bangalore (India).
L. Maranget acted as external reviewer for Michael Levin's Phd, at U. of Pennsylvania.
Our project-team participates to the following courses:
``Informatique fondamentale'', 2nd year course at the Ecole polytechnique, 200 students (J.-J. Lévy is professor in charge of this course ; L. Maranget edited notes for the programming projects;
``Bases de la programmation et de l'algorithmique'', 1st year course at the Ecole polytechnique, 80 students (L. Maranget is the professor ``chargé de cours'', in charge of this course ;
Compilers, 3rd year course at the Ecole polytechnique, 20 students (L. Maranget, professor ``chargé de cours'' ; F. Pottier ( Cristal) assisted him in laboratory courses; available on the Web
Concurrency, ``Master Parisien de Recherche en informatique'' (MPRI), at U. of Paris 7, 35 students, (J. Leifer, J.-J. Lévy, F. Zappa Nardelli, C. Palamidessi from project-team Comète, E. Goubault from CEA).
Strong Static Typing and Advanced Functional Programming, Bertinoro International Spring School, March 14-18 (F. Zappa Nardelli – 20 graduate students, 15 hours of lecture plus final exam).
J.-J. Lévy authored 3 computer science problems (4h +2h +2h) of the entrance examination at the Ecole polytechnique in 2005. He is the coordinator of the Computer Science examinations for Ecole polytechnique.
L. Maranget acted as problem designer and judge in the Southwestern Europe Regional ACM Collegiate Programming Contest organized by the Ecole polytechnique, on November 2005.
Feb, 12-16, J. Leifer and F. Zappa Nardelli visited the Computer Laboratory of the University of Cambridge for collaboration with Peter Sewell.
Mar 2005, J. Leifer presented our work on Acute to the final PEPITO scientific meeting held in the Univ. of Cambridge, UK. (PEPITO is a 3-year project of EU, of which we were member)
Apr 2005, J. Leifer attended ETAPS 2005 (Edinburgh) and the final PEPITO review meeting during which the project was judged successfully completed.
Aug 22-28, J. Krivine and J.-J. Lévy attended to Concur 2005, San Francisco. J. Krivine presented a paper at Concur, J.-J. Lévy was invited at the DisCoVeri workshop.
Sep 1-2, J.-J. Lévy attented to a meeting at MSR Cambridge on the new INRIA/MS collaboration.
Sep 24-30, J. Leifer, J.-J. Lévy, F. Zappa Nardelli attended the ICFP conference, to the Erlang and Merlin workshops, Tallinn. A paper co-signed by Leifer and Zappa Nardelli was presented at ICFP.
Dec 22-23, J.-J. Lévy attended to the ACI workshop on Security, in Bordeaux.
Sep 3–6, L. Maranget visited Benjamin Pierce (UPenn). He gave a presentation of his work on warnings for ML pattern matching, and was ember of the jury of Michael Levin's Ph.D. thesis.
Oct, A. Appel visited Wolfganf Paul (Verisoft project, Sarrebrucken).
Dec 9, F. Zappa Nardelli gave a talk on the design of the Acute programming language at ENS-Lyon.
May 24-28 and July 14-30, C. Franco went to Louvain la Neuve (Belgium) for scientific collaboration with P. Van Roy.
Aug 14-21, G. Peskine participated to the AFP 2004 summer school on Advanced Functional Programming, Tartu, Estonia.
Sep 23-24, J. Krivine visited I. Castellani, project-team MIMOSA, at INRIA Sophia-Antipolis.
April 15, Juliusz Chroboczeck (PPS, U. of Paris 7) gave a talk on "Continuation passing for C".
May 26-29, Peter Sewell visited Rocquencourt for collaboration with J. Leifer and F. Zappa Nardelli.
Sep 5-7, J. Leifer hosted an intensive 12 hour mini-course by Robin Milner (Emeritus Professor, Univ. of Cambridge, UK) on bigraphs.
September 7-11, Peter Sewell visited Rocquencourt for collaboration with J. Leifer and F. Zappa Nardelli.
October 3-7, Massimo Merro (U. of Verona) visited Rocquencourt for collaboration with F. Zappa Nardelli. He gave a talk on the formalisation and proof of an algorithm solving consensus in presence of a particular class of failure detectors.