**PROTHEO**is a research project of
**LORIA**(Research Laboratory in Computer Science and Control of Lorraine, UMR 7503), a laboratory shared by
**CNRS**(National Center for Scientific Research),
**INRIA**(National Institute for Research on Computer Science and Control),
**UHP**(University Henri Poincaré Nancy 1),
**Nancy2**(University Nancy 2) and
**INPL**(National Engineering Institute of Lorraine).

The PROTHEO project aims at designing and implementing tools for program specification, proof of properties and safe and efficient execution.

We are working on environments for prototyping such tools, on theorem provers specialized in proofs by induction and equational first-order proofs, on proof techniques involving constraints and rewrite rules. The project has three strongly connected research domains:

Constraint solving,

Mechanized deduction with rewrite rules and strategies,

Theorem proving based on deduction modulo.

The team develops and maintains several software packages detailed later in this document. They allow us to test our ideas and results as well as to make them available to the community.

Dissemination of
*Tom*is successful not only among researchers and academics, but also among industrial actors involved in the development of complex software. Two testimonies:
*Tom*adopted by Business Object. Among the INRIA software developped on Gforge,
*Tom*had the greatest numbers of downloads during several months (see Section
).

TPA+CoLoR+Rainbow won the first international competition on certified automated termination provers (see Section ).

We defined a linear translation of second-order arithmetic into first-order arithmetic
*modulo*, i.e. the length of proofs remains the same, bringing a completely new point of view on the role of computation in Parikh's result, conjectured by Gödel: proofs in
second-order arithmetic can be unboundedly shorter than in first-order (see Section
).

Rewriting techniques have been developed since the 1970s and have been applied in particular to the prototyping of formal algebraic specifications and to the automated deduction of properties often related to program verification .

Rewriting techniques have been also used for describing inductive theorem provers, for verifying the completeness and coherence proofs for equational or conditional specifications, for defining first-order theorem provers, for solving equations in equational or conditional theories. Rewriting has been also applied to specific domains like, for example, the automatic demonstration of geometric properties or the verification of electronic circuits. This rewriting approach has proved extremely useful for simplifying search spaces, or for including decision procedures in general provers.

A common feature of (the evaluation of) functional languages and of theorem provers (including proof assistants) is the study of strategies. These strategies allow one, for instance, to guide computations and deductions by specifying which rule should be applied to which position in the term, or to restrict the search space by selecting only certain branches. In functional programming, we can also mention lazy evaluation and call-by-need strategy. In theorem proving, it is interesting to clearly separate inference rules and control strategies, since the correctness and completeness proofs are easier to obtain when using such an approach. Moreover, it is necessary to have a sufficiently expressive strategy language in order to express iteration, case reasoning, deterministic and nondeterministic choices. We have been studying strategies from the point of view of their specifications and their properties. We use them to formalize proofs in the demonstration and verification tools we develop.

Last but not least, rewriting is a fundamental paradigm for the description of transformations, either functional or not. Starting from our previous works on rewriting and strategies, we have introduced a new formalism generalizing -calculus and rewriting that we called rewriting calculus ( -calculus, for short) . The notion of -reduction of the rewriting calculus generalises -reduction by considering matching on patterns which can be more elaborated than simple variables. We have been studying the expressiveness of this general formalism and the properties of its various instances.

The notion of constraint has proved to be of main interest in the modeling of various problems taken from a large variety of domains like mechanics, logic and management of human activities. The properties to satisfy are specified as a set of constraints for which it is important to determine if it admits a solution, or to compute a description of all solutions.

In the context of automated deduction, dealing with symbolic constraints on abstract domains like terms is of the greatest interest. For instance, syntactic unification is solving equational constraints over terms, and it is a fundamental notion for logic programming languages and automated theorem provers. The unification problem extends to the case of equational theories, where function symbols may admit some equational properties like the associativity and commutativity . Other symbolic constraint systems may use predicates distinct from equality, like ordering constraints or membership constraints.

We are interested in the problem of combining symbolic constraint solvers for abstract (term-based) domains. We focus on the matching problem, which is the constraint solving process used when applying rewrite rules. The interest in matching is explained by its crucial role in the -calculus, and more generally in rewrite engines.

Developing methods and tools for verifying software is one of our main goals. To achieve it, we develop techniques and automated deduction systems based on rewriting and constraint solving.

Verifying specifications on recursive data structures often relies on inductive reasoning or equation handling, and uses operator properties like associativity or commutativity.

Rewriting, which enables us to simplify expressions and formulas, is now an essential tool for making the automated proof systems efficient. Moreover, a well founded rewriting relation can be used in a natural way to implement inductive reasoning. So we study termination of rewriting, as well as to guarantee termination of programs, in the scope of our study of rule-based programming languages, and to allow reasoning in automated deduction. A special effort is made to develop specific termination proof tools for rewriting strategies. We now also work on correctness proofs of rule-based computations in the case where key properties like termination are not verified.

Constraints allow us to postpone complex symbolic problem solving, so that they can be solved in an efficient way. They also allow us to increase expressiveness of specification languages and to refine proof strategies.

Dealing with unification or orienting constraints with interpreted operators (like associative-commutative ones) gives the hope of obtaining much simpler automated proofs. Implementing these ideas has indeed allowed W. McCune , to solve an open mathematical problem. Combining constraints and rewriting based simplifications induces complex problems, either theoretical as for example strategies completeness, or practical as for instance efficient implementation. We explore these techniques from these two point of views.

Our research applies to modeling, prototyping and verification of software components. To model these systems, we use rule-based languages with constraints and strategies that allow one to quickly prototype applications.

The matching capabilities of such languages offer ease of expressivity for program transformation and optimisation, or for the (safe) transformation of XML entities.

The combination of rewrite based transformations, strategies and typing provides an expressive framework and background for several application domains: we apply these techniques to the specification and verification of protocols and access control policies, and to the study biochemical applications.

Constraint satisfiability, propagation and solving is of course in itself a main domain of application and has led to the creation of the Enginest Software company in 2000. Based on constraint solving, Plansuite, one of Enginest's products, is a global solution for transport and logistics planning. It allows users to anticipate, plan, manage and forecast the use of logistic resources.

In this section, we only describe software that are distributed. Other software are developed within contracts and grants but they are not distributed yet.

*CoLoR*and
*Rainbow*are distributed under CeCILL license on
http://

Mathematical structures: relations, semi-rings.

Data structures: lists, vectors, integer polynomials with multiple variables, finite multisets, matrices.

Term structures: strings, algebraic terms with symbols of fixed arity, algebraic terms with varyadic symbols, simply typed lambda-terms.

Transformation techniques: conversion from strings to algebraic terms, conversion from algebraic to varyadic terms, arguments filtering, rule elimination, dependency pairs.

Termination criteria: polynomial interpretations, multiset ordering, lexicographic ordering, first and higher order recursive path ordering, matrix interpretations, dependency graph decomposition.

This year, the
*CoLoR*library was extended with semi-rings and matrix interpretations
and dependency graph decomposition
.

*Rainbow*is a tool for automatically certifying termination proofs expressed in some termination proof grammar (TPG). Termination proofs are translated and checked in
*Coq*by using the
*CoLoR*library. The termination proof grammar is under development with various participants of the annual international competition on termination

In June, by using Adam Koprowski's automated termination prover TPA
*Rainbow*format, we could certify the termination of 463/1977 = 23.4% of the TRS termination problem data base (TPDB version 4.0) of the international competition on termination. In 2006,
the score was 167/864 = 19.3% (TPDB version 3.2). With Leo Ducas' last development on the dependency graph decomposition, we expect to reach at least 30%.

For the first time in 2007, the annual international competition on termination organized a competition for certified provers. There were three competitors: TPA+Rainbow+CoLoR, TTT2+Rainbow+CoLoR and CiME2.99+Coccinelle, and TPA+Rainbow+CoLoR won the competition. The results can be consulted on the web site of the competition.

*CoLoR*was also presented by Frédéric Blanqui in an invited talk at TYPES'07 (the slides of the talk are available on the CoLoR web site).

The
*ELAN*system provides an environment for specifying and prototyping deduction systems in a language based on rewrite rules controlled by strategies. It offers a natural and simple logical
framework for the combination of computation and deduction paradigms as it is backed up by the concepts of
-calculus and rewriting logic. It supports the design of theorem provers, logic programming languages, constraint solvers and decision procedures and offers a modular framework for
studying their combination.

*ELAN*was developed until 2003. It is still documented, maintained and available at
http://

*Moca*is distributed under QPL on
http://

*Moca*is a general construction functions generator for OCaml
data types with invariants.

*Moca*allows the high-level definition and automatic management of complex invariants for data types. In addition,
*Moca*provides the automatic generation of maximally shared values, independantly or in conjunction with the declared invariants.

A relational data type is a concrete data type that declares invariants or relations that are verified by its constructors. For each relational data type definition,
*Moca*compiles a set of construction functions that implements the declared relations.

*Moca*supports two kinds of relations:

algebraic relations (such as associativity or commutativity of a binary constructor),

general rewrite rules that map some pattern of constructors and variables to some arbitrary user's define expression.

Algebraic relations are primitive, so that
*Moca*ensures the correctness of their treatment. By contrast, the general rewrite rules are under the programmer's responsability, so that the desired properties must be verified by a
programmer's proof before compilation (including for completeness, termination, and confluence of the resulting term rewriting system).

Algebraic invariants are specified by using keywords denoting equational theories like commutativity and associativity.
*Moca*generates construction functions that allow each equivalence class to be uniquely represented by their canonical value.

See Section for some theoretical explanations.

Since 2002, we have developed a new system called
*Tom*
, presented in
,
. This system consists of a pattern matching compiler which is particularly well-suited for programming various
transformations on trees/terms and XML documents. Its design follows our experiences on the efficient compilation of rule-based systems
. The main originality of this system is to be language and data-structure independent. This means that the
*Tom*technology can be used in a C, C++ or Java environment. The tool can be seen as a Yacc-like compiler translating patterns into executable pattern matching automata. Similarly to Yacc,
when a match is found, the corresponding semantic action (a sequence of instructions written in the chosen underlying language) is triggered and executed.
*Tom*supports sophisticated matching theories such as associative matching with neutral element (also known as list-matching). This kind of matching theory is particularly well-suited to
perform list or XML based transformations for example. The main idea consists in encoding a DOM object into a term-based representation (a DOM NodeList becomes an associative list-operator),
and then perform matching and subterm retrieving using the
*Tom*pattern matching facilities. On the one hand, this approach is not comparable to XSLT. But, on the other side, the expressivity is very high since it is possible to combine powerful
pattern matching constructs with the expressive power of Java.

*Tom*is documented, maintained, and available at
http://

The rewriting calculus, studied in our team since 1996, is a foundational framework unifying rewriting and lambda-calculus. We have now a deep understanding of its agility and properties, culminating this year with the PhD thesis of Germain Faure and refinements on the graph versions of the calculus, the relationship between the calculus and higher-order rewritings, as well as the in depth study of its typed versions.

Different pattern calculi integrate the functional mechanisms from the -calculus and the matching capabilities from rewriting. Several approaches are used to obtain the confluence but in practice the proof methods share the same structure and each variation on the way pattern-abstractions are applied needs another proof of confluence.

We have proposed in , a generic confluence proof where the way pattern-abstractions are applied is axiomatized. Intuitively, the conditions guarantee that the matching is stable by substitution and by reduction.

Our approach directly applies to different pattern calculi, namely the lambda calculus with patterns, the pure pattern calculus and the rewriting calculus. We also characterized a class of matching algorithms and consequently of pattern-calculi that are not confluent.

Term collections are fundamental in the context of the rewriting calculus but also in logic programming and in web query languages. Typically, matching constraints that are involved in the
rewriting calculus may have more than one solution (this is also the case for example in programming language like
*Tom*, Maude, ASF+SDF or
*ELAN*) and thus generates a collection of results.

As a first step in the study of the rewriting calculus with non-unitary matching theories, we studied the lambda-calculus with term collections .

In the spirit of normalized rewriting
, the proposed approach manages term collections at the meta-level by considering only
*canonical sets*, i.e. sets that are normalized for some rules (sometimes refereed as "administrative simplifications"). The result is a confluent calculus where the computational
mechanism becomes easier to understand since only the
-rule is an explicit evaluation step. While the work of Boudol
mainly insisted on models, we provide an operational point of view on the parallel lambda-calculus.

Following the works on explicit substitutions for -calculus, we proposed, studied and exemplified a -calculus that handles explicitly the resolution of the matching constraints and the application of the obtained substitutions. We have also shown that the approach is modular and we have introduced a calculus handling explicitly only the substitution application and another one where the matching constraints are solved at the object level while the resulting substitutions are applied at the meta-level , . All these calculi can be extended to arbitrary matching theories.

The explicit substitution application initially studied is not optimal since the possible complexity of term traversals is not taken into account. We have thus composed and improved the previous explicit versions and we have introduced a calculus that offers support for the composition of substitutions . We proved the confluence of the calculus and the termination of the explicit constraint handling part.

Moreover, in this approach the matching constraints with no solution can be eliminated earlier in the reduction process leading to a more efficient evaluation. This can be achieved by integrating in the explicit calculus the approach already used for the plain calculus .

Since -calculus and rewriting have complementary features, their combination has been studied in different contexts. We have already shown that -calculus and rewriting are generalized by the -calculus, in the sense that the syntax and the inference rules of the -calculus can be restricted to obtain the other two formalisms.

In the prolongation of our works on the expressive power of the -calculus we have analyzed with Clara Bertolissi from the University Aix-Marseille 1, the relation between -calculus and higher order rewriting. We had showed how the semantics of Combinatory Reduction Systems can be expressed in terms of the rewriting calculus. The converse issue has been addressed lately: rewriting calculus derivations are simulated by Combinatory Reduction Systems derivations. As a consequence of this result, important properties, like standardisation, are deduced for the rewriting calculus .

Starting from the classical untyped
-calculus and in collaboration with Paolo Baldan from the University of Venice and Clara Bertolissi from the University Aix-Marseille 1, we have proposed an extension of the calculus,
called
*graph rewriting calculus*, handling structures containing sharing and cycles, rather than simple terms
.

The classical -calculus is naturally generalized by considering lists of constraints containing unification constraints in addition to the standard matching constraints. This leads to a term-graph representation in an equational style where terms consist of unordered lists of constraints. As for the classical -calculus, the transformations are performed by explicit application of rewrite rules as first class entities.

The evaluation rules are adapted to the new syntax leading to an enhanced expressive power for the calculus. In this new formalism we can represent and manipulate elaborated objects like, for example, regular infinite entities.

Several aspects of the calculus have been investigated so far, like its properties (we have also shown that the calculus is confluent over equivalence classes of terms, under some linearity restrictions on patterns) and its relationship with other existing frameworks.

General term rewriting systems and classical guiding strategies have been encoded in the original rewriting calculus by adding an additional operator that intuitively selects one of the elements from a set of results. We have shown that an equivalent operator can be encoded in the current version of the calculus but the encoding is limited in this case to convergent term rewriting systems .

In collaboration with Benjamin Wack, we have shown that the previously proposed encoding can be extended to the general case, i.e. to arbitrary term rewrite systems . For this, a new evaluation rule that enriches the semantics of the structure operator is added and an evaluation strategy is enforced by imposing a certain discipline on the application of the evaluation rules. This strategy is defined syntactically using an appropriate notion of value and is used in order to recover the confluence of the calculus that is lost in the general case.

We used the -calculus as an intermediate language to compile functional languages with pattern-matching features, and adapt the evaluation strategies developed for the -calculus to the specific constraints arising from typed functional programs.

In
two alternative encodings of the
-calculus in interaction nets
are proposed (graph rewrite systems which have been used for the implementation of efficient reduction
strategies for the
-calculus). In collaboration with Maribel Fernandez (King's College), Ian Mackie (CNRS and King's college) and François-Régis Sinot (University of Porto), we showed in
that a combination of these interaction net encodings provides an implementation for
*typed*functional languages with pattern-matching where pattern-matching and `traditional'
-reduction can proceed in parallel, without additional overheads. The compilation of functional programs in the
-calculus, and the subsequent interaction net encoding, uncover a new strategy of evaluation which naturally exploits the implicit parallelism of the different rules of the calculus.
This methodology gives thus rise to new, efficient strategies of evaluation for functional languages.

In strong collaboration with Benjamin Wack (now professeur agrégé de mathématiques), we have proved in
strong normalization of the simply-typed and dependently-typed
* P^{2}TS*. The proof relies on a faithful translation from simply-typed

In the untyped framework, we encoded pattern matching in the
-calculus in a quite efficient way, ensuring that every
-reduction is translated into (at least) one
-reduction. Introducing types in the translation proved an interesting challenge. One difficulty comes from the pattern matching occurring in the
* P^{2}TS*types, which calls for accurate adjustments in the translation. Another remarkable point is that the typing mechanisms of even the simply-typed

We are studying the design and the implementation of rule-based programming languages. We modularize our technologies in order to make them available as separate elementary tools.

Several improvements have been designed in pattern matching with anti-patterns, structure sharing via graph rewriting, and through powerful strategies. Also, we continue our study on applications of rule-based languages. In particular, we study their applications to XML transformations, biochemichal systems simulation, as well as the analysis and the certification of program transformations and of access control policies.

Finally, the algebraic structure of polygraph has been used as a description of graphical rule-based computations, equipped with complexity analysis tools.

One interest of term rewriting is its ability to describe elementary transformations. When combined with a strategy language it becomes very expressive to describe complex transformations.
Starting from the
*ELAN*experience, we have provided a powerful strategy language, that can be easily integrated in a Java environment. This language, which is part of the
*Tom*system is presented in
. In
we present the essential feature we have considered when designing this new language based on rules and
strategies. Relying on the implementation of
*Tom*, we explain how these ingredients can be implemented and integrated in a Java environment.

Pattern matching is a concept widely spread both in computer science community and in everyday life. Whenever we search for something, we build a structured object, a pattern, that specifies the features we are interested in. But we are often in the case where we want to exclude certain characteristics: typically we would like to specify that we search for white cars that are not station wagons, or to words that do not contain the letter “a”.

A natural question that then raises is to deal with anti-pattern when some of the symbols have some equational properties. To answer this question, we generalized in
the syntactic anti-pattern matching to anti-pattern matching
*modulo*an arbitrary equational theory
E, and we study the specific and practically very useful case of associativity, possibly with a unity (
). To this end, based on the
*syntacticness*of associativity, we present a rule-based associative matching algorithm, and we extend it to
. This algorithm is then used to solve
anti-pattern matching problems. This allows us to be generic enough so that for instance, the
*AllDiff*standard predicate of constraint programming becomes simply expressible in this framework.
anti-patterns are implemented in the
*Tom*language and we show some examples of their usage. An extended version of this work is available as a research report
.

There exist several libraries for manipulating Java bytecode, among them BCEL and ASM are the most well-known. Although they are powerful, a deep knowledge of the API may be needed to use them effectively.

We introduce an abstraction level, based on term-rewriting, to make the definition of high-level transformations and analysis easier. Using the notion of algebraic view, we have extended the ASM library in such a way that a bytecode program can be seen as a term . This gives us the possibility to directly express transformation rules without knowing the API, and thus to reduce the gap between the user's wishes and the language expressiveness. This approach can be considered similar to a domain specific language (DSL) for bytecode transformations.

Program transformation and graph rewriting are strongly related. Indeed, although the structure of a program may be represented by a tree, informations about its execution like data
dependencies or control flow are naturally expressed by data-structures inherently using graphs. To manage such structures, we have generalized the notion of term positions with
*term paths*
,
. By extending a signature with paths we obtained a new kind of rewriting called
*addressed term rewriting*where terms can contain pointers.

Based on the formalization of paths and a notion of rewriting for addressed terms, we establish a simulation of term-graph rewriting by addressed terms. The main advantage of such an
approach is to offer an efficient way to implement in any rule-based language term-graph rewriting features. In fact, since the simulation is completely based on standard first-order terms,
this extension is non-intrusive. The integration in the
*Tom*language provides a solid platform to experiment graph transformations in a concise and expressive way.

Providing a formal description for the structure and functioning of biochemical systems, as well as formal tools for reasoning about their behavior is yet a scientific challenge. Frequently, the description of molecular complexes or chemical reactants relies on specific classes of graphs, and the interactions between the reactants involve rules applied on these classes of graphs and controlled by numerical data or specific filters. In this context of biochemical systems, typical considered problems are the exhaustive generation of all possible states of the system, the detection of specific states, or the prediction of producing specific states. In , we have proposed a rewriting framework for modeling molecular complexes, biochemical reaction rules, and generation of biochemical networks based on the representation of molecular complexes as a particular type of multigraphs with ports called molecular graphs. The advantage of this approach is to obtain a rewriting calculus which allows defining at the same level transformation rules and strategies for modeling rule selection and application, in order to prototype network generation.

In the biochemical model we consider, the behaviour of a protein is given by its functional domains that determine which other protein it can bind to or interact with. These domains are
usually abstracted as sites that can be bound or free, visible or hidden. A protein is characterized by the collection of interaction sites on its surface. Proteins can bind to each other
forming molecular complexes. Membranes can also form complexes, called tissues, due to the binding proteins on their surfaces. The structure of a complex is naturally described as an extended
version of multigraphs with ports
, and multigraph rewriting models the interactions between them. We encoded the molecular graphs as terms, the
reaction patterns as rewrite rules, and the transformation on molecular graphs as a rewriting relation. We defined a rewriting calculus for molecular graphs, the
_{bio}-calculus, obtained from the rewrite calculus for labeled multigraphs with ports, the
_{mg}-calculus introduced in
, by adding state information on ports and imposing some conditions on edges. Strategic rewriting allows
modeling the control mechanism in biochemical systems and the generation of biochemical networks. This is illustrated on a fragment of the epidermal growth factor receptor (EGFR) signaling
cascade and currently implemented in
*Tom*.

Security policies, in particular access control, are fundamental elements of computer security. In collaboration with Dan Dougherty (Worcester Polytechnic Institute, USA) we have addressed the problem of authoring and analyzing policies in a modular way using techniques developed in the field of term rewriting, focusing especially on the use of rewriting strategies. Term rewriting supports a formalization of access control with a clear declarative semantics based on equational logic and an operational semantics guided by strategies. Well-established term rewriting techniques allow us to check properties of policies such as the absence of conflicts and the property of always returning a decision. A rich language for expressing rewriting strategies is used to define a theory of modular construction of policies, in which we can better understand the preservation of properties of policies under composition.

This framework is presented in where the robustness of the approach is illustrated on the composition operators of xacml.

Despite the existence of a vast literature on access control, it is still very hard to assure the compliance of a large system to a given dynamic access control policy. Based on the formal
islands approach, we provided in
a systematic methodology to weave dynamic, formally specified policies on existing applications using
aspect-oriented programming. To that end, access control policies are formalized using term rewriting systems, allowing us to have an agile, modular, and precise way to specify and to ensure
their formal properties. These high-level descriptions are then weaved into the existing code, such that the resulting program implements a safe reference monitor for the specified policy.
For developers, this provides a systematic process to enforce dynamic policies in a modular and flexible way. The level of reuse is improved because policies are independently specified and
checked, to be later weaved into various different applications. We implemented the approach using
*Tom*, and
*AspectJ*. Test cases gave quite encouraging results.

Another contribution in this domain, in collaboration with Charles Morisset (LIP6), has been to address the verification of information leakage. Although this important property is assumed in several access control models and is well-understood formally, it is hard to verify in actual implementations of a given security policy. In , we proposed a general algorithm that allows one to automatically identify information leakage by model-checking rewrite-based access control policies. This approach is illustrated on the well-known model of Bell and LaPadula for multi-level policies, and we showed that its generalization, as proposed by McLean, does not respect the property.

This work was done in collaboration with Thérèse Hardin (LIP6) and Pierre Weis (INRIA Paris - Rocquencourt).

Many algorithms use concrete data types with some additional invariants. The set of values satisfying the invariants is often a set of representatives for the equivalence classes of some equational theory. For instance, a sorted list is a particular representative wrt commutativity. Theories like associativity, neutral element, idempotence, etc. are also very common. Now, when one wants to combine various invariants, it may be difficult to find the suitable representatives and to efficiently implement the invariants. The preservation of invariants throughout the whole program is even more difficult and error prone. Classically, the programmer solves this problem using a combination of two techniques: the definition of appropriate construction functions for the representatives and the consistent usage of these functions ensured via compiler verifications. The common way of ensuring consistency is to use an abstract data type for the representatives; unfortunately, pattern matching on representatives is lost. A more appealing alternative is to define a concrete data type with private constructors so that both compiler verification and pattern matching on representatives are granted. In , we detailed the notion of private data type and studied the existence of construction functions. We also described a prototype, called Moca (see Section ), that addresses the entire problem of defining concrete data types with invariants: it generates efficient construction functions for the combination of common invariants and builds representatives that belong to a concrete data type with private constructors.

Polygraphs provide an algebraic structure to graphical computations. Introduced by Albert Burroni as a
n-categorical formalization of equational theories
, they also describe in a uniform way several kinds of objects, coming from different fields of science:
abstract, word and term rewriting systems
,
; Petri nets
; propositional classical and linear logics
; abstract algebraic structures
; braids, knots and tangle diagrams with Reidemeister moves
; Feynman and Penrose diagrams
.

With Guillaume Bonfante (Carte, LORIA and INRIA), we have defined polygraphic programs as a generalisation of first-order functional programs. Inspired by polynomial interpretations of
terms
, we have built complexity analysis tools, called polygraphic interpretations, relying on the structure of
n-category. These tools allowed us to give a new, polygraphic characterization of the complexity class of functions that are computable in polynomial time
,
. Moreover, polygraphic interpretations can prove termination of existing first-order functional programs
.

To explore theoretical aspects, we work with François Lamarche (Calligramme, LORIA and INRIA) on foundations and with Philippe Malbos (Institut Camille Jordan, Lyon) on homological tools
for polygraph analysis. On the practical side, we have started the development of Cat, an environment for certified polygraphic programming: as a first step, a compiler of polygraphic
programs in the
*Tom*language is currently developped.

On one hand, we have obtained new or refined results for proving properties of probabilistic, rule-based and functional programs, in particular termination, using both the inductive and
size-based approaches. We also began to develop a
*Coq*library for certifying termination proofs.

On the other hand, we have further studied deduction modulo, identified an intrinsic complexity measure of a proof and a notion of “good proofs” in automated deduction, and explored the new concept of superdeduction.

Florent Garnier has defended his PhD thesis "Terminaison en temps moyen fini de système de règles probabilistes", supervised by Claude Kirchner and Olivier Bournez (Carte team at LORIA),
in September 2007
. It includes earlier results published in 2005 and 2006 in the RTA conference, as well as unpublished ones.
They deal with a refined way to study the termination in a finite mean time under strategies. This work also introduced a formalism to synchronize timed automaton that share a common
communication medium, in order to simulate a pool of computers exchanging messages through a common radio channel. The latter formalism is used to model a pool of computers communicating
using the CSMA/CA protocol and to prove that this protocol can terminate within a finite mean time when all stations start simultaneously. Finally, probabilistic rewrite systems are encoded
in the
*Tom*language.

In collaboration with Isabelle Gnaedig (Carte team at LORIA), we described in an inductive proof method for properties of reduction relations, inspired from our previous work on proving, by explicit induction, termination of rewriting under strategies . The reduction trees are simulated with proof trees generated by narrowing and an abstraction mechanism. While narrowing simulates reduction, abstraction relies on the induction principle to replace subterms by variables representing specific reduced forms that trivially satisfy the property to be proved. The induction ordering is not given a priori, but defined with ordering constraints, incrementally set during the proof. Abstraction constraints are used to control the narrowing mechanism, well-known to easily diverge. The proof method is briefly illustrated on various examples of properties: (weak-)termination under a strategy, definition completeness and existence of constructor forms, (weak-)reducibility of requests to specific answers, termination of probabilistic rewriting, termination of a transition system.

First, we have given a necessary and sufficient condition for the closure condition of Girard's reducibility candidates to be stable by union . Our condition is that Girard's candidates are exactly the non-empty sets of strongly normalizing terms that are downward closed for a weak observational preorder. Moreover, we have shown that this condition is met for the pure -calculus as well as for the -calculus enriched with product, co-product and recursive types.

This work was done in collaboration with Jean-Pierre Jouannaud and Pierre-Yves Strub (LIX, Ecole Polytechnique).

It is commonly agreed that the success of future proof assistants will rely on their ability to incorporate computations within deductions in order to mimic the mathematician when replacing the proof of a proposition P by the proof of an equivalent proposition P' obtained from P thanks to possibly complex calculations.

Our main result shows that this extension of the calculus of constructions does not compromise its main properties: confluence, strong normalization and decidability of proof-checking are all preserved. We also showed in detail how a goal to be proved in the calculus of constructions is actually transformed into a goal in a decidable first-order theory. Based on this transformation, we are currently developing a new version of Coq implementing this calculus, taking linear arithmetic and the theory of lists as targets combined via Shostak's algorithm.

This work was done in collaboration with Jean-Pierre Jouannaud (LIX, Ecole Polytechnique) and Albert Rubio (Technical University of Catalonia).

Solving goals, like deciding word problems or resolving constraints, is much easier in some theory presentations than in others. We have designed a general proof-theoretic framework centered around well-founded orderings of proofs and within which completion-like processes can be modeled around notions of saturation and redundancy .

In
,
, using this framework, we designed a new completion procedure which permits to regain the cut admissibility in
deduction modulo
, which does not hold in general if propositions can be rewritten
. We first proved that this property is in fact undecidable. Then, we proved that deduction modulo fits in the
general framework, in such a way that the better presentations admit cuts. The framework gives therefore a completion procedure that permits to recover the cut admissibility. Based on a
tableau method for deduction modulo, it is actually implemented in
*Tom*.

We also focused on the length of proofs in deduction modulo. Parikh proved a speed-up theorem stated by Gödel: proofs in second-order arithmetic can be unboundedly shorter than in first
order
. In
we defined a translation of second-order arithmetic into first-order arithmetic
*modulo*which is linear, i.e. the length of proofs remains the same. The speed-up lies therefore in first-order arithmetic, depending whether we work modulo or not. This result allowed
us to prove that the speed-up can be expressed as simple computation, therefore justifying the use of deduction modulo as an efficient first-order setting simulating higher order.

Following the seminal work of Benjamin Wack on extended natural deduction
, we introduced superdeduction
which is a new systematic way of extending deduction systems with rules derived from an axiomatic theory. Since
it explicitly deals with
*deduction*, we presented it as a complementary approach to
*deduction modulo*
which deals with
*computation*. The superdeduction extension proposes to infer new deduction rules from part of the theory in a sound, systematic and complete way. First, we presented its application to
classical sequent calculus and we proved its soundness and completeness. After exhibiting a proof-term language associated with the corresponding deduction system, we proved its strong
normalisation under non-trivial hypothesis, therefore ensuring the consistency of instances of the system, as well as of a large class of theories.

The proof of strong normalization can be found in , as well as significant examples including higher-order logic, induction and equality explaining why superdeduction could be a grounding framework for a new generation of interactive proof environments.

Finally, we pointed out the benefits of superdeduction in the frame of interactive proof building by developing an implementation of superdeduction modulo using the
*Tom*language. This prototype called
*Lemuridæ*can be downloaded from
*Tom*'s CVS. The theoretical foundations of such a framework have been studied in
, which relates the strong normalization property of superdeduction to the one of deduction modulo.

In the line of previous work on a proof theoretic framework to perform rewrite based inductive reasonning, Fabrice Nahon's PhD thesis
proposed an original narrowing-based proof search method for inductive theorems. It has the specificity to be
grounded on deduction modulo and to rely on narrowing to provide both induction variables and instantiation schemes. It also yields a direct translation from a successful proof search
derivation to a proof in the sequent calculus. The method is shown to be sound and refutationally correct in a proof theoretical way. The first approach presented in
,
has been extended to equational rewrite theories given by a rewrite system
and a set
Eof equalities
.

Whenever the equational rewrite system
has good properties of termination, sufficient completeness, and whenever
Eis constructor preserving, narrowing at defined-innermost positions is performed with unifiers which are constructor substitutions. This is especially interesting for associative and
associative-commutative theories for which the general proof search system is refined.

National Agency for Research

ANR Fundamental Research Action

ARA on Security, embedded Systems and Ambient Intelligence

FNS Concerted and Incentive Action

ACI on Computer and Software Security

Comité interministériel pour la sécurité des systèmes d'information

ESPRIT network on Computational Logic

Conseil Scientifique de la Défense

Planning Contract between the Government and the Region

European Research Consortium for Informatics and Mathematics

Information Technologies Program of the European Union

National Fund for Science

CNRS Research Group

GDR on Algorithmics, Languages and Programming

Integrated Action Programme

CPER Pole of Scientific and Technological Research

PRST devoted to Software Intelligence

PRST-IL project on Quality and Safety of Software

National Network on software Technology

We participate in the “Logic and Complexity” part of the GDR–IM (CNRS Research Group on Mathematical Computer Science), in the projects “Logic, Algebra and Computation” (mixing algebraic and logical systems) and “Geometry of Computation” (using geometrical and topological methods in computer science).

This project gathers people from INRIA Nancy - Grand Est (Frédéric Blanqui, Richard Bonichon, Laura Lowenthal), INRIA Paris - Rocquencourt (Pierre Weis and Damien Doligez), Université Paris 6 (Thérèse Hardin, Renaud Rioboo) and CNAM (David Delahaye, Catherine Dubois). Its aim is to study and certify the use of non-free concrete data types in functional programming (see Section ), and develop an extension of OCaml providing such types (see Section ).

This ANR project is a grouping of three teams through their common interest for a new approach to proof theory, called “deep inference”. The project aims at refining its potential and at
applying it to problems related to the foundations of logic and to more practical questions in the algorithmic of deductive systems, such as identity of proofs, Curry-Howard isomorphism,
complexity of proofs, formulation of “exotic” logical systems, links with other paradigms like deduction modulo, etc. For more information, see the Infer website at
*http://
www.
lix.
polytechnique.
fr/
~lutz/
orgs/
infer.
html*.

The ANR project "Invariants algébriques des systèmes informatiques" (Inval), headed by Éric Goubault (CEA Saclay), federates researchers in mathematics and theoretical computer science.
Its main objective is to favour the transfer of ideas and methods between both communities. The coordinator for the LORIA site is François Lamarche (Calligramme). An Inval meeting was held at
LORIA on September 7, 2007. For more information, see the Inval website at
*http://
www.
pps.
jussieu.
fr/
~inval/
index.
html*.

Ravaj (Réécriture et Approximation pour la Vérification d'Applications Java) is an ANR project coordinated by Thomas Genet (Irisa). The goal is to model Java bytecode programs using term rewriting and to use completion techniques to compute the set of reachable terms. Then, it is possible to check some properties related to reachability (in particular safety and security properties) on the modeled system using tree automata intersection algorithms.

“SSURF: Safety and Security under FOCAL” is an ANR project coordinated by Mathieu Jaume (LIP6). The SSURF project consists in characterizing and studying the required features that an Integrated Development Environment (IDE) must provide in order not only to obtain software systems in conformance with high Evaluation Assurance Levels (EAL-5, 6 and 7), but also to ease the evaluation process according to various standards (e.g. IEC61508, CC, ...). Moreover we aim at developing a formal generic framework describing various security properties, e.g. access control policies, together with their implementations using such an IDE.

We participate to REWERSE - “Reasoning on the Web”, a Network of Excellence (NoE) within the “6th Framework Programme” (FP6), Information Society Technologies (IST). The main objective of this project is the development of a coherent and complete, yet minimal, collection of inter-operable reasoning languages for advanced Web systems and applications. These languages will be tested on context-adaptive Web systems and Web-based decision support systems selected as test-beds for proof-of-concept purposes. Finally, we aim at bringing the proposed languages to the level of open pre-standards amenable to submissions to standardization bodies such as the W3C.

**Chili.**Since 2002, we have a French-Chilean cooperation with the Federico Santa Maria Technical University of Valparaiso. This project, called COCARS and supported by CONICYT and INRIA,
is about the use of rules and strategies for the design of constraint solvers.

**Brazil.**Project INRIA-CNPq (Brazil), DA CAPO - Automated deduction for the verification of specifications and programs. It is a project on the development of proof systems for the
verification of specifications and software components. The coordinators of this project are David Déharbe (UFRN Natal, Brazil) and Christophe Ringeissen (CASSIS). On the french side, DA CAPO
also involves the CASSIS project.

Anamaria Martins-Moreira, Brazil, two weeks, January–February 2007.

Andreas Abel, Munich, one week, February–March 2007.

Philippe Malbos, Lyon, one week, September 2007.

The program of the seminars is available at
http://

Quang-Huy Nguyen (Security Labs, Gemalto),
*Security evaluation and formal verification*.

Serge Autexier (Saarland University),
*Integrating the text-editor TeXmacs with the proof assistance system Omega using Plato*.

François-Régis Sinot (Univesidade do Porto),
*More laziness!*

Clara Bertolissi (Université Aix-Marseille 1),
*The rewriting calculus as a combinatory reduction system*.

Andreas Abel (Ludwig-Maximilians-Universität München),
*Normalization by evaluation and dependent types*.

Manuel Maarek (Heriot-Watt University Edimburgh),
*Restoring natural language as a computerised mathematics input method*.

Mathieu Jaume (Université Paris 6),
*Comparaison de politiques d'accès*.

Makoto Tatsuta (National Institute for Informatics Tokyo),
*Simple saturated sets for disjunction and second-order existential quantification*.

Arnaud Bailly (Oqube),
*Une étude de cas sur l'adaptation et le développement rapide d'applications de vente en ligne multicanaux*.

French chapter of EATCS

Asian Computing Science Conference

Comité Interministériel sur la Sécurité des Systèmes d'Information

Conference of the European Association for Computer Science Logic

Workshop on Developments in Computational Models

Summer School on Generative and Transformational Techniques in Software Engineering

International Embedded and Hybrid Systems Conference

International Federation for Information Processing

IFIP Working Group

French-speaking workshop on Applicative Languages

Language Descriptions, Tools and Applications

International Conference on Logics in Computer Science

International Conference on Logic for Programming Artificial Intelligence and Reasoning

International Conference on Principles and Practice of Declarative Programming

Online journal for peer-reviewed source code for deductive software components

International Conference on Rewriting Techniques and Applications

International Workshop on Rule-Based Programming

Symposium on Theoretical Aspects of Computer Science

Frédéric Blanqui:

Program committee of the 1st international workshop on type theory, proof theory, and rewriting (TPR'07), 29 June 2007, Paris, in conjonction with RDP'07. See
http://

Organizer of the 1st internation workshop on the certification of termination proofs, Nancy, 11-12 May 2007. See
http://

Horatiu Cirstea:

Program committees of RULE 2007, WRS 2007.

Yves Guiraud:

Organization committee of the 4th Inval meeting (Nancy, September 7).

Organization committee of the 86th Peripathetic Seminar on Sheaves and Logic (Nancy, September 8-9).

Claude Kirchner:

Since June, delegate director of the FUTURS INRIA research center, Bordeaux site.

Chair of the scientific committee for the national ACISI programs.

Chair of the evaluation committee of the ANR SESUR2007 program.

Chair until June of the LORIA building extension committee.

Co-coordinator of the Franco-Japanese 3 years cooperation program on security founded by CNRS and JST.

Editorial boards of
*Journal of Automated Reasoning*,
*Journal of Applied Logic*.

Program committee of LSFA'07, Brazilian Workshop on Logical and Semantic Frameworks, with Applications, Chair of the scientific committee of the second international school on Rewriting (ISR'2007).

Chair of the IFIP WG 1.6 working group on rewriting and applications.

Member of the advisory board of LICS.

Member of the working group on research and perspectives of the CISSI.

Co-organizer of the Symposium in Honor of Jean-Pierre Jouannaud's 60th birthday (Cachan, june 21-22, 2007)

Hélène Kirchner:

Director of LORIA and INRIA Lorraine until January 31, 2007. Then Deputy scientific director at INRIA.

Editorial boards of
*Annals of Mathematics and Artificial Intelligence*,
*Computing and Informatics*and
*Logical Methods in Computer Science*.

Editorial board of the QPQ forum on rewriting.

Program committees of RTA'07 and LPAR'07.

Co-organizer of the Symposium in Honor of Jean-Pierre Jouannaud's 60th birthday (Cachan, june 21-22, 2007)

Member of Scientific directorate of the Dagstuhl international conference center.

Member of the ANR selection committee of the programmes “Non thématique 2007” and “Jeunes chercheurs 2007” in “Sciences et Technologies de l'Information”.

Chair of the evaluation board of LINA (Laboratoire d'Informatique de Nantes).

Member of the Conseil de Surveillance du GIS (Groupement d'Intérêt Scientifique) S3GS (Surveillance, sûreté et sécurité des grands systèmes).

Pierre-Etienne Moreau:

Program committee of LSFA 2007 Brazilian Workshop on Logical and Semantic Frameworks, with Applications, and RULE 2007 International Workshop on Rule-Based Programming.

Chair with Sandrine Blazy of JFLA'07 Journées Francophones des Langages Applicatifs.

Steering committee of LDTA Workshop on Language Descriptions, Tools and Applications.

We do not mention the teaching activities of the various teaching assistants and lecturers of the project who work in various universities of the region.

Horatiu Cirstea:

Master course in Nancy on programming and proving with rule based languages, with Claude Kirchner and Pierre-Etienne Moreau.

Course on rewriting techniques and transformation at JFLA 2007 (Journées Francophones des Langages Applicatifs), with Antoine Reilles.

Claude Kirchner:

Master course in Nancy on programming and proving with rule based languages, with Horatiu Cirstea and Pierre-Etienne Moreau.

Pierre-Etienne Moreau:

Master course in Nancy on programming and proving with rule based languages, with Horatiu Cirstea and Claude Kirchner.

Lectures at ESIAL on fundamental data-structures.

Lecture at ISR (International School on Rewriting).

Frédéric Blanqui:

Invited talk on the “Automated certification of termination proofs” at TYPES'07, 2 May 2007, Cividale del Friuli (Udine), Italy.

Yves Guiraud:

Université Paris 7, “Polygraphic programs”, April 2, 2007.

Claude Kirchner:

Colloque en l'honneur de Jean-Pierre Jouannaud:
*Superdeduction at work*;

Dixième anniversaire du LSV:
*Security challenges for computer systems*;

Colloque final du projet Asphales:
*Les actions de recherche en sécurité*;

Canada-France meeting on security:
*Security Research in France*and
*Tools for specifying and verifying software*.

Pierre-Etienne Moreau:

“Implementing Program Transformation with Tom and Java”, GTTSE.

“Rules and Strategies in Java”, WRS.

Yves Guiraud:

One week at Institut Camille Jordan, Lyon, June 2007.

Hélène Kirchner:

In June 4-8, 2007, in Tokyo, visits of AIST (Research Center for Information Security), Hitachi (Systems Development Laboratory), Sony (Computer Science Laboratory), Keio University (Keio Research Institute for Digital Media and Content) and NII.

Frédéric Blanqui:

Substitute member of the Saint-Etienne University recruitment committee (section 27).

Member of the PhD committee of Colin Riba on “Définitions par réécriture dans le lambda-calcul: confluence, réductibilité et typage”.

Horatiu Cirstea:

Germain Faure “Structures et modèles de calculs de réécriture”, PhD (co-advisor)

Member of recruitment committee (section 27) of Nancy2.

Claude Kirchner:

Eric Filiol “Modèles Booléens en virologie et en cryptologie”, HDR (referee);

Yann Radenac “Programmation “chimique” d'ordre supérieur”, PhD (referee);

Thierry Sans “Beyond Access Control - Specifying and Deploying Security Policies in Information Systems”, PhD;

Germain Faure “Structures et modèles de calculs de réécriture”, PhD (co-advisor);

Luigi Liquori “Peter, the Language that does not Exist ... ”, HDR;

Florent Garnier “Terminaison en temps moyen fini de systèmes de règles probabilistes”, PhD (co-advisor);

Charles Morisset “Définition d'un cadre sémantique pour la spécification, l'implantation et la comparaison de modèles de contrôle d'accès”, PhD;

Loic Duflot “Contribution à la sécurité des systèmes d'exploitation et des microprocesseurs”, PhD (referee);

Fabrice Nahon “Preuve par récurrence dans le calcul des séquents modulo”, PhD (co-advisor);

Romain Péchoux “Analyse de la complexité des programmes par interprétation sémantique” PhD;

Colin Riba “Définitions par réécriture dans le lambda-calcul : confluence, réductibilité et typage” PhD (co-advisor).

Hélène Kirchner:

Duc Khan-Tran “Conception de procédures de décision par combinaison et saturation”, PhD (co-advisor)

Fabrice Nahon “Preuve par récurrence dans le calcul des séquents modulo”, PhD (co-advisor)

Member of recruitment committees (section 27) of UHP Nancy1, Nancy2, INPL.

Pierre-Etienne Moreau:

Member of the UHP recruitment committee (section 27).