The Proval project-team is a research team common to INRIA - Saclay Île-de-France, CNRS and Université Paris-Sud 11. Researchers are also members of the LRI (Laboratoire de Recherche en Informatique, UMR 8623).

Critical software applications in the domain of transportation, telecommunication or electronic transactions are put on the market within very short delays. In order to guarantee a dependable behavior, it is mandatory for a large part of the validation of the system to be done in a mechanical way.

The ProVal team addresses this question and consequently participates to the INRIA major scientific priorities:“Programming: Security and Reliability of Computing Systems”.

Our approach uses
*Type Theory*as a theoretical basis, a formalism which
gives a clear semantics for representing, on a computer, both
computation and deduction.

Type theory is a natural formalism for the specification
and proof of
*higher-order functional programs*, but we also use it
as the kernel for
*deductive verification of imperative programs*. It
serves as a support for modeling activities (e.g. pointer
programs, random computations, floating-point arithmetic,
semantics).

Verification conditions (VCs) generated from programs
annotated with specifications can often be expressed in
simple formalisms (fragments of first-order logic) and
consequently be solved using
*automated deduction*. Building specialized tools for
solving VCs, integrating different proof technologies, in
particular interactive and automated ones, are important
activities in our group.

When sophisticated tools are used for analyzing safety-critical code, their reliability is an important question: in an industrial setting, there is often a certification process. This certification is based on an informal satisfaction of development rules. We believe that decision procedures, compilers or verification condition generators (VCGs) should not act as black boxes but should be themselves specified and proved, or should produce evidence of the correctness of their output. This choice is influential in the design of our tools and is also a good challenge for them.

The project develops a generic environment (
*Why*) for proving programs.
*Why*generates sufficient conditions for a program to
meet its expected behavior, that can be solved using
interactive or automatic provers. On top of this tool, we
have built dedicated environments for proving C (
*Caduceus*) or Java (
*Krakatoa*) programs.

With the arrival of Sylvie Boldo in 2005 and Guillaume Melquiond in 2008 as junior researchers, the team is developing a strong expertise in the area of formal verification of floating-point arithmetic.

Marc Pouzet joined the team as a full professor in September 2005, opening a research activity on synchronous systems. The goal is to propose high-level languages for the development of critical embedded systems with high temporal constraints. He obtained in March a new position at ENS. Members of ProVal working in this area consequentely moved their activity at this new location. They are currenly in the process of creating a new project-team.

Our research activities are detailed further, following the four themes:

Higher-order functional languages,

Proof of imperative and object-oriented programs,

Automated deduction for program proof,

Synchronous Programming.

Development of tools and applications is an important transversal activity for these four themes.

As part of the FOST project, S. Boldo, F. Clément, J.-C. Filliâtre, M. Mayero, G. Melquiond and P. Weis studied a real-life program computing the discretization of the spread of acoustic waves on a rope. They developed a full formal proof of the method error of the simple three-point finite difference scheme for solving the 1D acoustic wave equation. An article describing this proof and the design choices for the operators (in particular the big O) has been published in the selective conference ITP (Interactive Theorem Proving 2010) . This is to be joined with the corresponding rounding error that was also formally proved .

Our SMT theorem prover Alt-Ergo received a growing
interest from critical software industry. Airbus France
expressed in 2009 the wish to integrate Alt-Ergo in its
process of certification of the critical softwares in their
next generation planes. We thus started the procedure of
*qualifying*Alt-Ergo in the sense of the DO-178B norm,
which fixes the contraints on software development to achieve
certification of an avionics software. This is done as part
of the
*Action de Developpement Technologique Alt-Ergo*.
Alt-Ergo is also distributed by Altran/Praxis as part the
last 2010 release of the SPARK/ADA verifier.

Higher-order strongly typed programming languages such as Objective Caml help improving the quality of software development. Static typing automatically detects possible execution errors. Higher-order functions, polymorphism, modules and functors are powerful tools for the development of generic reusable libraries. Our general goal is to enrich such a software environment with a language of annotations as well as libraries for datatypes, abstract notions and associated theorems which can express logical properties of programs and ease the possibility to automatically and interactively develop proofs of correctness of the programs.

In the past, we made contributions to the
*Coq*proof assistant by adding functionalities for
improving the development of formally proved functional
programs. A first contribution is a new method to extract
Ocaml modular code from
*Coq*proofs (P. Letouzey PhD thesis
,
). This extraction mechanism is
an original feature for the
*Coq*system, and has been used by several teams around
the world in order to get efficient certified code
. Another contribution (M. Sozeau
PhD thesis
,
) is an extension of the
*Coq*input language for building programs with strong
specifications by writing only the computational part and
generating separetely proof obligations (which are usually
solved by tactics) and also a mechanism generalizing Type
Classes à la Haskell which gives overloading in programs and
proofs and facilitates the development of generic
tactics..

We are using the capability of the
*Coq*system to model both computation and deduction in
order to explore different classes of applications. These
examples involve the development of large reusable
*Coq*libraries and suggest domain-specific specification
and proof strategies.

C. Paulin in collaboration with Ph. Audebaud from ENS
Lyon, proposed a method for modeling probabilistic programs
in
*Coq*
. The method is based on a
monadic interpretation of probabilistic programs as
probability measures. A large
*Coq*library has been developed and made publicly
available (see also Section
).

Many industrial programs (weather forecasts, plane trajectories, simulations...) use floating-point computations, typically double precision floating-point numbers . Even if each computation is as good as it can be (except for elementary functions like sine, or exponential), the final result may be very wrong with no warnings, or the program will produce unexpected behaviors (like division by zero). This is the reason why guarantees should be provided to the user. We mean to guarantee for example that, for all or part of the possible inputs, the result obtained is correct (or near enough) and that no exceptional behavior will occur .

A high level of guarantee is obtained by formal proofs
in
*Coq*. We maintain and develop large
*Coq*libraries for floating-point arithmetic: core
definitions, axiomatic and computational rounding
operations, high-level properties. It provides a framework
for developers to formally certify numerical applications.A
new such library is described in Section
.

Certifying the result of tools for analysing programs is
a good challenge in the domain of proofs of higher-order
functional programs. We obtained several results concerning
formal proofs in
*Coq*corresponding to automated deduction. These
results are described in Section
.

We have also an on-going project for the modeling and proof of the correctness of a compiler for the Lustre synchronous language. Our goal is to show the feasability of the certification using formal proofs of the compiler used in the new version of Scade developed by Esterel Technologies.

A PhD thesis started in Sep. 2009 has for main objective the development of a certified version the Frama-C/Jessie/Why verification chain.

A foundation step of the project is the PhD thesis of
Jean-Christophe Filliâtre
that proposes to establish
soundness of a program with imperative features (assignments,
while loops, but also exceptions and exception handlers) by
means of a translation into an equivalent purely functional
program with logical annotations. Such an annotated
functional program is very well-suited to be expressed in
*Coq*'s type theory, hence this approach allowed for the
first time to prove imperative programs with
*Coq*
.

Following this thesis, a new tool called
*Why*was developed. It takes as input an imperative
program and a specification that this program is expected to
fulfil. It produces on one hand a set of
*verification conditions*(VCs): logical formulas which
have to be proved in the
*Coq*system ; and on the other hand a
*Coq*-term which contains a functional translation of
the imperative program and a proof of correctness of this
program based on the VCs. It was early remarked that this
tool was independent of
*Coq*, because the VCs can be validated in other
interactive tools or with automatic provers. This
multi-prover architecture is a powerful feature of
*Why*: it spreads this technology well beyond the
*Coq*community.

Since 2002, we tackle programs written in mainstream
programming languages. We first considered Java source code
annotated with JML (Java Modeling Language). This method
was implemented in a new tool called
*Krakatoa*
. The approach is based on a
translation from annotated Java programs into the specific
language of
*Why*, we then can reuse
*Why*'s VCG mechanism and choose between different
provers for establishing these VCs. From 2003, we followed
the same approach for programs written in ANSI C
.

The combination of the
*Why*VC generator and the front-ends dealing with C or
Java form a tool box for program verification, called the
*Why*platform. Its overall architecture is shown on
Figure
. Nowadays, the front-end for C
is in fact integrated in the Frama-C environment for static
analysis of C programs (
http://

The central issue for the design of our platform is the
modeling of memory heap for Java and C programs, handling
possible aliasing (two different pointer or object
expressions representing the same memory location): the
*Why*VC generator does not handle aliasing by itself,
indeed it does not support any form of complex data
structures like objects, structures, pointers. On the other
hand, it supports declaration of a kind of algebraic
specifications: abstract data types specified by
first-order functions, predicates and axioms. As a
consequence, there is a general approach for using
*Why*as a target language for
*programming the semantics*of higher-level programming
languages
. The
*Krakatoa*and the Jessie memory models are inspired by
the `component-as-array' representation due to Bornat,
following an old idea from Burstall, and commonly used to
verify pointers programs
. Each field declaration
fin a Java class or a C structure introduces a
*Why*variable
M_{f}in the model, which is a map (or an array) indexed
by addresses. We extended this idea to handle Java arrays
and JML annotations
and pointer arithmetic in
C
.

An important difficulty with programs handling pointers
is to specify side-effects of a function or a method. The
annotation languages offer the
*assigns*clauses in specifications in order to
delimitate the part of memory which is modified by a
function or a method. We proposed an original modeling for
such clauses
.

This kind of memory model does not scale up well for large programs. We designed an improved modeling of memory heap incorporating ideas from static analysis of memory separation, and from Reynolds' separation logic. Experiments on a C code proposed by Dassault Aviation were succesful ,

The use of
*Why*as intermediate language opens interesting new
approaches for reasoning on programs. We studied the
specification of global properties, by reuse of the
validation term of
*Why*in order to define a model of each function, and
then express and prove properties of functions composition.
Such an approach was investigated by J. Andronick in
the framework of proofs of security properties on smart
cards
,
. We also proposed a way to
handle the Java Card transaction mechanism (a specificity
of Java Card memory with both persistent and volatile
parts), by indeed generating a
*Why*model
*on-the-fly*for each Java Card applet
, thanks again to the
flexibility of the approach using
*Why*as an intermediate language.

The techniques we are developing can be naturally applied in domains which require to develop critical software for which there is a high need of certification.

The
*Krakatoa*tool was successfully used for the formal
verification of a commercial smart card applet
proposed by Gemalto. This case
study have been conducted in collaboration with LOOP and
Jive groups. Banking applications are concerned with
security problems that can be the confidentiality and
protection of datas, authentication, etc. The translation
of such specifications into assertions in the source code
of the program is an essential problem. We have been
working on a Java Card applet for an electronic purse
Demoney
developed by the company
Trusted Logic for experimental purpose. Other Java Card
case studies have been conducted in collaboration with
Gemalto by J. Andronick and N. Rousset, in
particular on global properties and Java Card
transactions
,
.

To illustrate the effectiveness of the approach on C
programs, T. Hubert and C. Marché performed a
full verification of a C implementation of the Schorr-Waite
algorithm
, using
*Coq*for the proofs. This is an allocation-free
graph-marking algorithm used in garbage collectors, which
is considered as a benchmark for verification tools. Other
industrial case studies have been investigated by
T. Hubert (with Dassault Aviation)
and by Y. Moy (with France
Telecom)
,
.

Our group has a long tradition of research on automated
reasoning, in particular on equational logic, rewriting, and
constraint solving. The main topics that have been under
study in recent years are termination proofs techniques, the
issue of combination of decision procedures, and generation
of proof traces. Our theoretical results are mainly
materialized inside our two automated provers CiME and
*Alt-Ergo*.

On the termination topic, we have studied new techniques
which can be automated. A fundamental result of ours is a
criterion for checking termination
*modularly*and
*incrementally*
, and further
generalizations
. These criteria and methods
have been implemented into the CiME2 rewrite toolbox
. Around 2002, several projects
of development of termination tools arose in the world. We
believe we have been pioneer in this growth, and indeed we
organized in 2004 the first competition of such tools.

A direction of research on termination techniques was
also to apply our new approaches (for rewriting) to other
computing formalisms, first to Prolog programs
and then to membership
equational programs
, a paradigm used in the
*Maude*system
.

Our research related to combination of decision procedures was initiated by a result obtained in collaboration with Shankar's group at SRI-international who develops the PVS environment, showing how decision procedures for disjoint theories can be combined as soon as each of them provides a so-called “canonizer” and a “solver”. Existing combination methods in the literature are generally not very well understood, and S. Conchon had a major contribution, in collaboration with Sava Krstić from OGI School of Science and Engineering (Oregon Health and Science University, USA), which is a uniform description of combination of decision procedures, by means of a system of inference rules, clearly distinguished from their strategy of application, allowing much clearer proofs of soundness and completeness , .

In the specific domain of program verification, the
goals to be proved are given as formulae in a polymorphic
multi-sorted first-order logic. Some of the sorts, such
as integers and arrays, are built-in as they come from
the usual data-types of programming languages.
Polymorphism is used as a convenience for defining the
memory models of C and Java programs and is handled at
the level of the
*Why*tool.

In order to be able to use all the available automated theorem provers (Simplify, SMT provers), including those which handle only untyped formulae (Simplify), one has to provide a way to get rid of polymorphism.

S. Conchon and É. Contejean have proposed an encoding of polymorphic multi-sorted logic (PSL) into unsorted logic based on term transformation, rather than addition of sort predicates which was used till then .

It would be more convenient to deal with polymorphism
directly in the theorem prover. There was no such prover
available at the beginning of 2006, that is why
S. Conchon and É. Contejean decided to develop
a new tool called
*Alt-Ergo*which is dedicated to the resolution of
polymorphic and multi-sorted proof obligations and takes
as input the
*Why*syntax. In 2009,
*Alt-Ergo*is still the only existing prover dealing
with parametric polymorphism.

*Alt-Ergo*is based on
CC(
X), a generic congruence
closure algorithm developed in the team, for deciding
ground formulas in the combination of the theory of
equality with uninterpreted symbols and an arbitrary
built-in solvable theory
X. Currently,
CC(
X)can be instantiated by the
empty equational theory, by the linear arithmetics and
the theory of constructors.

*Alt-Ergo*contains also a Fourier-Motzkin decision
procedure for linear arithmetics inequalities, a
home-made SAT-solver and an instantiation mechanism.

*Alt-Ergo*is safe and its architecture is modular:
each part is described by a small set of inference rules
and is implemented as an Ocaml functor. Moreover, the
code is short (6500 lines).

A common issue to both termination techniques and
decision procedures is that automatic provers use complex
algorithms for checking validity of formula or termination
of a computation, but when they answer that the problem is
solved, they do not give any more useful information. It is
highly desirable that they give a
*proof trace*, that is some kind of certificate that
could be double-checked by a third party, such as an
interactive proof assistant like
*Coq*. Indeed
*Coq*is based on a relatively small and stable kernel,
so that when it checks that a proof is valid, it can be
trusted. Morevoer, a subpart of Coq has been proven correct
in Coq
.

In addition to efficient termination techniques, CiME
implements in particular a semi-decision procedure for
the equality modulo a set of axioms, based on ordered
completion. In 2005, the former human readable proof
traces have been replaced by
*Coq*certificates, based on reified proof objects
for a FOL logic modelled inside
*Coq*
.

É. Contejean, A. Paskevich, X. Urbain and the
Cédric participants of the A3PAT project, Pierre
Courtieu, Olivier Pons (CNAM), and Julien Forest,
(ENSIIE) develop the new version of the CiME tool, CiME
3, associated with a
*Coq*library called Coccinelle developed by É.
Contejean. A trace generator outputs a trace for
*Coq*in the unified framework provided by the
Coccinelle library
. Coccinelle contains the
corresponding modelling of terms algebras and rewriting
statements, and also some generic theorems which are
needed for establishing a rewriting property from a
trace. For example, in order to produce a certificate of
termination for a rewriting system, one may provide as a
trace an ordering that contains the rewrite system, but
it is also needed to have a proof that this ordering is
well-founded. Such a proof (for RPO for instance) is part
of Coccinelle as a generic property. Coccinelle also
contains as generic theorems some powerful criteria of
termination: dependency pairs
, the main modularity theorem
for termination presented in the thesis of Urbain
as well as innermost
termination, dependency pairs for it and its equivalence
with standard termination in some specific cases
.

The main improvement over the previous approach
is that the
*Coq*development is parameterized with respect to
the equality predicate (instead of using the
*Coq*native equality). This allows to deal uniformly
with equality modulo a set of axioms, with termination of
a set of rewrite rules, and with rewriting modulo a set
of equations, such as associativity-commutativity.

Certifying termination proofs gained interest in the term rewriting community. Groups are either developing their own certifier, or producing traces for other's, thanks to a shared XML format. Since 2007, the termination competition has a category for certified termination proofs.

The goal is to propose high-level languages for the development of critical embedded systems with both high temporal requirements and safety , , , . Our research activities concern the extension of synchronous languages with richer abstraction mechanisms (e.g., higher-order, functionality, dedicated type systems such as the clock calculus), the ability to describe heterogeneous systems (e.g., data-flow and control-flow, discrete and continous) or to account for resources through dedicated type-systems.

These research activities are experimented inside two programming languages, Lucid Synchrone and ReactiveML.

Lucid Synchrone is a data-flow language based on a Lustre semantics and is dedicated to real-time embedded software. It extends Lustre with features usually found in ML-languages such as typing and higher-order functions. It provides original features such as the arbitrary mix of data-flow and hierarchical automata , various type-based static analysis , and modular compilation into sequential code , .

In collaboration with Albert Cohen and Christine Eisenbeis (INRIA Alchemy), Marc Duranton (Philips Natlabs, Eindhoven), we have introduced in 2005 a new programming model for the design of video intensive applications. This model, called the n-synchronous model, is based on an extension of the synchronous model allowing to combine non strictly synchronous streams provided that they can be synchronized through the use of bounded buffers. This is obtained by introducing particular clocks as infinite binary periodic words . Thanks to the periodic nature of these clocks, we are able to verify properties like the absence of buffer overflows and deadlocks during the execution. Clock verification is expressed as a type-inference problem with a sub-typing rule. The core of the model has been settled in and . We introduced a notion of abstractions for these clocks as a mean to reason about sets of (non necessarily periodic) clocks . We defined the programming language Lucy-n to program with the n-synchronous model , .

Hybrid systems modelers have become the corner stone of
embedded system development, with Simulink a de facto
standard and Modelica a new player. They allow both
*discrete*controllers and their
*continuous*environments to be expressed
*in a single language*. Despite the availability of
such tools, there remain a number of issues related to the
lack of reproducibility of simulations and to the
separation of the continuous part, which has to be
exercised by a numerical solver, from the discrete part,
which must be guaranteed not to evolve during a step. Such
tools still raise a number of issues that, we believe,
require more fundamental understanding.

Many systems in telecommunication, banking or transportation involve sophisticated software for controlling critical operations. One major problem is to get a high-level of confidence in the algorithms or protocols that have been developed inside the companies or by partners.

Many smartcards in mobile phones are based on a (small) Java virtual machine. The card is supposed to execute applets that are loaded dynamically. The operating system itself is written in C, it implements security functions in order to preserve the integrity of data on the card or to offer authentication mechanisms. Applets are developed in Java, compiled, and then the byte-code is loaded and executed on the card. Applets or the operating systems are relatively small programs but they need to behave correctly and to be certified by an independent entity.

If the user expresses the expected behavior of the program as a formal specification, it is possible for a tool to check whether the program actually behaves according to the requirements. We have a collaboration with Gemalto in this area.

Avionics or more generally transportation systems are another area were there are critical algorithms involved, for instance in Air Traffic control. We have collaborations in this domain with Dassault-Aviation and National Institute of Aerospace (NIA, Hampton, USA).

CiME is a rewriting toolbox. Distributed since 1996 as
open source, at URL
http://
*Coq*. CiME3 is also developed by the participants of
the A3PAT project at the CNAM, and is distributed under the
Cecill-C licence.

The
*Why*platform is a set of tools for deductive
verification of Java and C source code. In both cases, the
requirements are specified as annotations in the source, in a
special style of comments. For Java (and Java Card), these
specifications are given in JML and are interpreted by the
*Krakatoa*tool. For C, we designed our own specification
language, largely inspired from JML. Those are interpreted by
the
*Caduceus*tool.

The platform is distributed as open source, under GPL
Licence, at
http://

A back-end tool also called
*Why*serves as the VCG. It differs from other systems in
that it outputs conditions for several existing provers:
interactive ones (
*Coq*, Isabelle/HOL, PVS, HOL-light, Mizar) and
automatic ones (Simplify,
*Alt-Ergo*, Gappa, and SMT provers Yices, CVC3, Z3,
haRVey, etc.). The
*Why*VCG alone has been used by external researchers in
published verifications of non-trivial algorithms (Efficient
square root used in GMP
, Knuth's algorithm for prime
numbers
).

*Krakatoa*is used internally at Gemalto company for
security analyses.
*Krakatoa*is also used for teaching (University of Evry,
Ecole Polytechnique).

*Caduceus*was experimented at Gemalto company, at
Dassault Aviation company, and at CEA (Saclay). It was also
used for teaching at Ecole Polytechnique (2006/2007, 1st year
master ISIC,
*projet de verification*) and at University of Evry
(2005-2006 and 2006-2007, proofs using
*Coq*). It is now subsumed by the Jessie plugin of
*Frama-C*. The latter is under use by several groups in
the world, e.g at Fraunhofer Institute in Berlin
, and at Universidade do Minho in
Portugal
.

*Alt-Ergo*is an automatic, little engine of proof
dedicated to program verification, whose development started
in 2006. It is fully integrated in the program verification
tool chain developed in our team. It solves goals that are
directly written in the
*Why*'s annotation language; this means that
*Alt-Ergo*fully supports first order polymorphic logic
with quantifiers.
*Alt-Ergo*also supports the standard
defined by the SMT-lib
initiative.

It is currently used in our team to prove correctness of C
and Java programs as part of the
*Why*platform.
*Alt-Ergo*is also called as an external prover by the
Pangolin tool developed by Y. Regis Gianas, INRIA
project-team Gallium
http://

*Alt-Ergo*is distributed as open source, under the
CeCILL-C licence, at URL
http://

Lucid Synchrone is an experimental language for the implementation of reactive systems. It is based on the synchronous model of time as provided by Lustre combined with features from ML languages. It provides powerful extensions such as type and clock inference, type-based causality and initialization analysis and allows to arbitrarily mix data-flow systems and hierarchical automata or flows and valued signals.

It is distributed under binary form, at URL
http://

The language has served as a laboratory to experiment various extensions of the language Lustre. Several programming constructs (e.g. merge, last) and type-based program analysis (e.g., typing, clock calculus) originaly introduced in Lucid Synchrone are integrated in the new SCADE 6 compiler developped at Esterel-Technologies.

ReactiveML is a programming language dedicated to the implementation of interactive systems as found in graphical user interfaces, video games or simulation problems. ReactiveML is based on the synchronous reactive model due to Boussinot, embedded in an ML language (Objective Caml).

The Synchronous reactive model provides synchronous parallel composition and dynamic features like the dynamic creation of processes. In ReactiveML, the reactive model is integrated at the language level (not as a library) which leads to a safer and a more natural programming paradigm.

ReactiveML is distributed at URL
http://

The language is mainly used for the simulation of mobile ad hoc networks at the University Paris 6 and for the simulation of sensor networks at France Telecom and Verimag (CNRS, Grenoble).

Bibtex2html is a generator of HTML pages of bibliographic
references. Distributed as open source since 1997, under the
GPL licence, at
http://

Bibtex2html is also distributed as a package in most Linux distributions. Package popularity contests show that it is among the 20% most often installed packages.

Ocamlgraph is a graph library for Objective Caml. It
features many graph data structures, together with many graph
algorithms. Data structures and algorithms are provided
independently of each other, thanks to Ocaml module system.
Ocamlgraph is distributed as open source, under the LGPL
licence, at
http://

Mlpost is a tool to draw scientific figures to be
integrated in

The Flocq library for the
*Coq*proof assistant is a comprehensive formalization of
floating-point arithmetic: core definitions, axiomatic and
computational rounding operations, high-level properties. It
provides a framework for developers to formally certify
numerical applications.

It is distributed as open source, under a LGPL license, at
http://

Given a logical property involving interval enclosures of
mathematical expressions, Gappa tries to verify this property
and generates a formal proof of its validity. This formal
proof can be machine-checked by an independent tool like the
*Coq*proof-checker, so as to reach a high level of
confidence in the certification
,
.

Since these mathematical expressions can contain rounding operators in addition to usual arithmetic operators, Gappa is especially well suited to prove properties that arise when certifying a numerical application, be it floating-point or fixed-point. Gappa makes it easy to compute ranges of variables and bounds on absolute or relative roundoff errors.

Gappa is being used to certify parts of the mathematical
libraries of several projects, including CRlibm, FLIP, and
CGAL. It is distributed as open source, under a Cecill-B /
GPL dual-license, at
http://

The Interval package provides several tactics for helping
a
*Coq*user to prove theorems on enclosures of real-valued
expressions. The proofs are performed by an interval kernel
which relies on a computable formalization of floating-point
arithmetic in
*Coq*.

It is distributed as open source, under a LGPL license, at
http://

In 2010, the Flocq library was used to straighten and fill the floating-point proofs of the Interval package.

The ALEA library is a
*Coq*development for modeling randomized functional
programs as distributions using a monadic transformation. It
contains an axiomatisation of the real interval
[0, 1], a definition of
distributions and general rules for approximating the
probability that a program satisfies a given property.

It is distributed as open source, at
http://

Coccinelle is a Coq library for term rewriting. Besides
the usual definitions and theorems of term algebras, term
rewriting and term ordering, it also models some of the
algorithms implemented in the CiME toolbox, such a matching,
matching modulo associativity-commutativity, computation of
the one-step reducts of a term, RPO comparison between two
terms, etc. The RPO algorithm can effectively be run inside
Coq, and is used in the Color developpement (
http://

Coccinelle is developped by Évelyne Contejean, available
at (
http://

S. Boldo and J.-M. Muller (CNRS, Arénaire, LIP, ÉNS Lyon) have worked on new floating-point algorithms for computing the exact and approximated errors of the FMA (fused multiply-and-add). This article is accepted in IEEE Transactions on Computers .

S. Boldo and T. Nguyen have worked on how to prove numerical programs on multiple architectures . T. Nguyen presented her poster at the Digiteo Forum on October 12th 2010.

S. Boldo, F. Clément, J.-C. Filliâtre, M. Mayero, G. Melquiond and P. Weis have worked on the formal proof of the method error of a numerical scheme . This is to be joined with the corresponding rounding error that was also formally proved .

S. Boldo, as invited speaker at the NSV workshop, published an article about the formal verification of numerical programs in Coq .

G. Melquiond participated to a handbook on floating-point arithmetic (IEEE-754r standard, hardware and software implementations, programming languages, and so on) coordinated by J.-M. Muller .

G. Melquiond, in collaboration with F. de Dinechin (Arénaire, LIP, ÉNS Lyon) and C. Lauter (Intel Hillsboro), improved the methodology for formally proving floating-point mathematical functions when their correctness depends on relative errors .

Collaboration between the Gappa,
*Coq*, and Frama-C/Jessie tools was improved by
making the Gappa support library depend on the Flocq
library for the core formalization of floating-point
arithmetic.

A new major version of the
*Why*platform started in 2010. The main developers
are A. Paskevich, J.-C. Filliâtre and
F. Bobot. The language of
*Why*, both programming and annotation parts, was
significantly extended
: algebraic types, records,
pattern matching, recursive logical definitions are now
supported. These logical declarations are structured in
modules (a.k.a. theories). The module language comes with
an original mechanism for reusing theories in specialized
contexts using partial instantiations.

The main efforts are put into creation of a
well-designed modular programming interface, allowing to
extend
*Why*easily with new modules (parsers, proof task
transformations, prover interfaces) as well as to embed
*Why*into third-party tools. A large effort was also
invested into the design of proof task transformations
and encodings used to send goals to external provers. In
particular, S. Cruanes has implemented a new
type-elimination encoding and a pretty-printer targeted
at the provers of the TPTP family. A first release of the
new version of
*Why*is planned for December 2010.

A. Tafat and C. Marché, together with S. Boulmé from VERIMAG, Grenoble, proposed a new approach based on data refinement techniques for building certified object-oriented program in a modular way. A first version appeared as an INRIA research report . An improved version was presented at the international conference FoVeOOS, and appeared in its proceedings .

Specification of functional behavior of generic Java programs, typically those of the Standard Java API, are difficult to design in a reusable way. C. Marché, together with E. Tushkanova, A. Giorgetti and O. Kouchnarenko from LIFC, Besançon, proposed extensions of the standard behavioral specification languages (like JML or ACSL) to support generic types but also a kind of higher-order setting via instantiation of interfaces parameterized by theories. This was presented at the LDTA workshop , satellite of the joint ETAPS conferences.

Proving that pointer programs preserve
data invariants, in a modular way, is known to be a
challenge. R. Bardou and C. Marché are
designing a new approach based on advanced static typing
systems (based on memory regions and permissions) to
control memory updates and ownership of data. A
preliminary description of the resulting language is
described in an INRIA research report
. A prototype implementation
is built, called Capucine. An initial version has been
available for download at
http://

Another challenge is the treatment of
imperative features in the context of higher-order
programming languages. J. Kanig has developed a new
approach, based on a Hoare logic for higher-order systems
and a higher-order effect system, that deals with these
features in a modular way. A prototype called Who has
been developed and is available for download at
http://

Barbará Vieira (Ph.D. student at Universidade do Minho, Braga, Portugal), visited ProVal from March to May 2009. In collaboration with J.-C. Filliâtre, she developed a tool for the verification of CAO programs. CAO is a domain-specific language for cryptographic protocols. This work was presented at OpenCert 2010 .

Wendi Urribarrí as part of her PhD
thesis developed a module calculus for the
*Why*programming language. She designed a refinement
calculus which allows to implement a module interface
possibly changing the representation of private data. For
instance a module implementing finite sets will be
specified using an mathematical notion of sets that will
be made available to possible clients of the module and
implemented using efficient data structures like arrays
or balanced trees. She obtained a logical criteria under
which two modules working on shared data can be
simultaneously loaded without breaking the local
invariants. A prototype implementation has been developed
and will be used for experimenting with significant
examples.

A long article presenting the work of Y. Moy and C. Marché on the automatic generation of program annotations using abstract interpretation appeared in the Journal of Symbolic Computation .

K. Krishnamani presented a work
on predicate abstraction integrating binary decision
diagrams and SMT solvers, at the DATE conference
for verification of hybrid
systems. This approach is implemented in the tool NuSMT,
available at
http://

P. Herms formalized in Coq a verification condition generator for a core language close to Why. It is formally proved that the validity of VCs guaranttes that the program respects its specifications. A certified OCaml program can be produced using the Coq extraction mechanism. An early version of this work was presented at the Coq Workshop , satellite of the joint Floc 2010 conference. Writing a complete article is under progress.

S. Lescuyer has formalized in Coq the algorithms at the heart of the Alt-Ergo SMT solver. This formalization represents a propositional SAT solver combined with an decision procedure for equality modulo linear arithmetic over integers. Using the technique of reflection, the development has been turned into a tactic which can be used in Coq to automatically discharge goals in this logical fragment.

A version of CiME 3 is released. The new certification and proof engines include the new termination criterion we developed, and that was presented at the PEPM symposium in January together with new formalization techniques for graphs in Coq. CiME 3 is to date the only tool able to prove and certify confluence as well as termination of term rewriting systems.

In collaboration with F. Le
Fessant (INRIA Saclay-Île-de-France), S. Conchon and
J.-C. Filliâtre supervised in 2009 the summer
project of G. Von Tokarski and J. Robert
(graduate students from Université Paris-Sud), funded by
Jane Street Capital (NYC, USA). Together they designed
and implemented Ocamlviz, a tool for real-time monitoring
of Objective Caml programs. Ocamlviz is available at
http://

J.-C. Filliâtre and
K. Krishnamani designed a distributed computing
library for Objective Caml which facilitates distributed
execution of parallelizable computations in a seamless
fashion. It is re-usable thanks to its polymorphic API,
and incorporates a robust fault-tolerant mechanism. This
is published at the JFLA conference
and available at
http://

F. Plateau defended her PhD.
thesis in january 2010 on the
*n*-synchronous model.

The paper
*Modular Static Scheduling of Synchronous Data-flow
Programs*by M. Pouzet and P. Raymond
(VERIMAG Grenoble) has been selected among the two best
papers at EMSOFT 2009. An extended version is published
in a special issue of the
*Journal of Design Automation for Embedded Systems*,
in 2010.

M. Pouzet will present a work done
with Albert Benveniste and Benoit Caillaud (INRIA Rennes)
at the
*49th Conference on Design and Control (CDC)*on the
use of non-standard analysis as a semantics basis for
hybrid system modelers
*a la Simulink*.

The n-synchronous model introduced a way to compose
streams which have
*almost the same clock*and can be synchronized through
the use of a finite buffer. We have designed the language
Lucy-n to program in this model of computation
,
. This language is similar to
the first order synchronous data-flow language Lustre in
which a buffer operator is added. A dedicated type system
allows to check that programs can be executed in bounded
memory and to compute the buffers sizes needed. Technically
it is done through the introduction of a subtyping
constraint at each bufferization point. To solve the
subtyping constraints we have defined an algorithm that
uses an improved version of the abstraction introduced
in
. We have proved the
correctness properties of this new abstraction in Coq.

We also worked on new typing algorithms that do not use clock abstraction and thus allows to model Latency Insensitive Designin Lucy-n .

In collaboration with Albert Benveniste and Benoit
Caillaud (INRIA Rennes), M. Pouzet have proposed using
non standard analysis as a semantic domain for hybrid
systems. Non standard analysis is an extension of classical
analysis in which infinitesimals can be manipulated as
first class citizens. This allows us to provide a
denotational semantics and a constructive semantics for
hybrid systems, thus establishing simulation engines on a
firm mathematical basis. In passing, we cleanly separate
the job of the numerical analyst (solving differential
equations) from that of the computer scientist (generating
execution schemes). This work will appear in the proceeding
of the
*49th Conference on Design and Control*in 2010
.

The other part of this work concern static typing and compilation. Starting from a minimal, yet full-featured, Lustre-like synchronous language, we have proposed a conservative extension where data-flow equations can be mixed with ordinary differential equations (ODEs) with possible reset. A type system is proposed to statically distinguish discrete computations from continuous ones and to ensure that signals are used in their proper domains.

The extended data-flow language is realized through a source-to-source transformation into a synchronous subset, which can then be compiled using existing tools into routines that are both efficient and bounded in their use of memory. These routines are orchestrated with a single off-the-shelf numerical solver using a simple but precise algorithm which treats causally-related cascades of zero-crossings. We have validated the viability of the approach through experiments with the Syndials library.

We have continued the development of ReactiveML, an extension of Objective Caml with reactive constructs . A lecture presenting the language has been done during the JFLA 2010 conference.

We are working on the interactive definition of reactive systems as a kind of extreme dynamic aspect. It allows to write a program and add it to an application which is already running. The ReactiveML toplevel add these features to the ReactiveML language. A journal article about the toplevel has been submitted. In addition, we are working on a new scripting language based on the synchronous reactive model in collaboration with Frédéric Boussinot, Pejman Attar (INRIA Sophia) and Jean-Fredy Susini (CNAM).

The Hi-Lite project (
http://

Hi-Lite is a project aiming at popularizing formal methods for the development of high-integrity software. It targets ease of adoption through a loose integration of formal proofs with testing and static analysis, that allows combining techniques around a common expression of specifications. Its technical focus is on modularity, that allows a divide-and-conquer approach to large software systems, as well as an early adoption by all programmers in the software life cycle.

Our involvements in that project include the use of the Alt-Ergo prover as back-end to already existing tools for SPARK/ADA, and the design of a verification chain for an extended SPARK/ADA language to verification conditions, via the Why VC generator.

This project is funded by the french ministry of industry (FUI), the Île-de-France region and the Essonne general council for 36 months from September 2010.

In conjunction with the INRIA funding of ADT Alt-Ergo, a specific support contract has started in Sep 09, between INRIA, CEA Saclay and Airbus France at Toulouse. This is to support our efforts for the maintainance and to feature updates of Alt-Ergo, for its use at Airbus software development and certification of avionics critical code.

This support contract has started in Sep 10, between INRIA and Airbus France at Toulouse. This is to support our efforts for the DO-178B qualification of Alt-Ergo.

Hisseo is a 3 years Digiteo project that started in
September 2008.
http://

The Hisseo project focuses on the problems related to the treatment of floating-point computations in the compilation process, especially in the case of the compilation of critical C code.

Partners: CEA List (Saclay), INRIA Paris-Rocquencourt (Team Gallium).

Pactole is a 3 year Digiteo project which started in October 2009.

The Pactole project focuses on automation and formal verification for ubiquitous, large scale environments. Tasks include proof automation techniques for distributed systems, verification conditions for fault tolerant distributed systems, specification and design of fundamental services for mobile sensor networks. The principal investigator of Pactole is Xavier Urbain.

Partners: CÉDRIC (CNAM/ENSIIE), LIP6 (UPMC).

U3CAT (Unification of Critical C Code Analysis Techniques) is a project funded by ANR within its programme “Systèmes Embarqués et Grandes Infrastructures - ARPEGE”. It aims at verification techniques of C programs, and is partly a follow-up of the former CAT project. It started in January 2009 and will end in 2012.

The main goal of the project is to integrate various analysis techniques in a single framework, and make them cooperate in a sound way. We address the following general issues:

Verification techniques for floating-point programs;

Specification and verification of dynamic or temporal properties;

Combination of static analysis techniques;

Management of verification sessions and activities;

Certification of the tools chains for compilation and for verification.

Partners: CEA-List (Saclay, project leader), Lande team (INRIA Rennes), Gallium team (INRIA Rocquencourt), Dassault Aviation (Saint-Cloud), Airbus France (Toulouse), ATOS Origin (Toulouse), CNAM Cedric laboratory (Evry), CS Communication & Systems (Toulouse), Hispano-Suiza/Safran (Moissy-Cramayel).

The
*ADT*(Action de Développement Technologique) Alt-Ergo
is a 2-years project funded by INRIA, started in September
2009.

The goal is the maturation of the Alt-Ergo prover towards its use in an industrial context in particular for avionics. The expected outcomes of this ADT are the following:

improving the efficiency of Alt-Ergo;

fine tuning of Alt-Ergo for the SMT competition;

generation of counter-examples;

the qualification of Alt-Ergo for the norm DO-178B.

External Collaborators: Airbus France (Toulouse), Dassault Aviation (Saint-Cloud), team Typical (INRIA, École Polytechnique).

FOST (Formal prOofs of Scientific compuTation programs)
is a 3 years ANR “Blanc” project started in January 2009.
S. Boldo is the principal investigator of this
project.
http://

The FOST project follows CerPAN's footprints as it aims at developing new methods to bound the global error of a numerical program. These methods will be very generic in order to prove a large range of numerical analysis programs. Moreover, FOST aims at providing reusable methods that are understandable by non-specialists of formal methods.

Partners: University Paris 13, INRIA Paris - Rocquencourt (Estime).

SIESTA is a 4 year project funded by ANR RNTL. The
coordinator is Y. Parissis (LIG, Grenoble).
http://

This project addresses the automated testing of embedded systems implemented in SCADE or Simulink. M Pouzet is involved on the architecture of the SCADE 6 compiler to integrate verification techniques. The challenge is to take new programming constructs (e.g., hierarchical automata, reset and general forms of clocks) into account to improve verification techniques and modularity.

Partners: AIRBUS, Turbomea, Hispano-Suiza, Onera, CEA List, Esterel-Technologies, EADS, LRI, LIG.

This project is funded by DGE for two years. The coordinator is Thales. The project started in sept. 2008 (delayed by one year).

The GENCOD project aims at defining methods to certify the Esterel compiler for hardware (Norm. DO 254, the hardware version of DO 178 B used for critical software).

Partners: Dassault-Aviation, Thales, Esterel-Technologies, TNI, Airbus, LRI.

This project is funded by INRIA for 4 years and started
in Jan. 2008. The coordinators are A. Girault (INRIA
Rhône Alpes) and M. Pouzet.
http://

The goal of the project is to propose new languages for
the development of embedded systems allowing
*from a unique source*to both simulate the system with
its environment and generate code. It capitalizes on recent
extensions of data-flow synchronous languages (Lucid
Synchrone, ReactiveML), a relaxed form of synchrony, and
means to mix discrete and continous systems inside the
synchronous model of time.

The project focuses on language extensions to increase modularity, dedicated type systems to ensure safety properties, efficient compilation and the mix of discrete and continuous time.

Partners: INRIA Rhône Alpes (Gwenaël Delaval, Alain Girault, Bertrand Jeannet), IRISA (Benoit Caillaud), VERIMAG (Erwan Jahier, Pascal Raymond), INRIA Saclay (Albert Cohen, Marc Pouzet, Louis Mandel)

This project is funded by ANR (program SESUR).
http://

It started on january 2008 for 4 years; the coordinator is Yassine Lakhnech from VERIMAG.

Partners: Verimag, INRIA Sophia-Antipolis(Everest then Marelle team), ENS Lyon, LRI, CNAM.

The SCALP project (Security of Cryptographic Algorithms with Probabilities) aims at developping automated tools for the verification of cryptographic systems.

This project is funded by ANR (program DEFIS).
http://

It started on january 2009 for 4 years; the coordinator is Frédéric Boussinot from INRIA Mimosa.

Partners: INRIA Mimosa, CNAM, LRI.

The goal of the project PARTOUT is, from a programming language point of view, to study the impact on programming of the globalization of parallelism which now covers all the spectrum of informatics, ranging from multicore architectures and distributed systems, up to applications deployed on the Web.

DECERT (DEduction and CERTification) is an ANR “Domaines Emergents” project. It started on January 2009 for 3 years; the coordinator is Thomas Jensen from the Lande team of IRISA/INRIA Rennes.

The goal of the project DECERT is to design and implement new efficient cooperating decision procedures (in particular for fragments of arithmetics), to standardize output interfaces based on certificates proof objects and to integrate SMT provers with skeptical proof assistants and larger verification contexts such as the Rodin tool for B and the Frama-C/Jessie tool chain for verifying C programs.

The partners are: CEA List, LORIA/INRIA Nancy - Grand Est, IRISA/INRIA Rennes - Bretagne Atlantique, INRIA Sophia Antipolis - Méditerranée, Systerel

FVOOS (Formal Verification of Object-Oriented Programs,
http://

It involves 40 academic groups among 18 countries in Belgium, Denmark, Estonia, France, Germany, Ireland, Israel, Italy, The Netherlands, New Zealand, Norway, Poland, Portugal, Romania, Spain, Sweden, Switzerland and United Kingdom.

The aim of this action is to develop verification technology with the reach and power to assure dependability of object-oriented programs on industrial scale.

M. Pouzet visited TheMathworks (Natick, USA) in July 2010 and gave a talk on VeLus, a formally certified Lustre compiler.

Thierry Coquand (University of
Gothenburg, Sweden) visited our team in January as part
of the Digiteo invitation program. He worked with C.
Paulin and other researchers from Typical and MSR-INRIA
research center on the use of the
*Coq*proof assistant for the development of formal
mathematics.

Simão Melo de Sousa (Universidade da Beira Interior, Portugal) visited ProVal from September to November 2010. He worked with J.-C. Filliâtre on the deductive verification of ARM7 assembly programs, with application to the WCET problem.

Since 2007, Marc Pouzet is a junior member of the IUF (
*“Institut Universitaire de France”*), that
distinguishes each year a few French university professors
for the high quality of their research activities.

S. Boldo, elected representative of the researchers at the “comité de centre” of the INRIA Saclay - Île-de-France (2008–2010).

S. Boldo, member of the CLHS,
*comité local hygiène et sécurité*and member of
the CLFP,
*comité local de formation permanente*.

S. Boldo, member of hiring committee of a communication engineer (IR-COM1) for the INRIA.

C. Paulin,
*déléguée scientifique*of the centre INRIA Saclay
- Île-de-France and a member of the national evaluation
board of INRIA until November.

C. Paulin, member of hiring committee of DR2 national positions and CR2 positions at INRIA Nancy-Lorraine.

C. Paulin, director of the
Graduate school in Computer Science at University Paris
Sud
http://

G. Melquiond, elected officer of the IEEE-1788 standardization committee on interval arithmetic since 2008.

C. Marché, French National Coordinator for the COST action “Formal Verification of Object-Oriented Programs” (2008-2011).

C. Marché (since April 2007) and C.
Paulin (since Sep. 2010) , members of the program
committee of Digiteo Labs, the world-class research
park in
*Île-de-France*region dedicated to information and
communication science and technology,
http://

C. Marché, member of the selection
committee of the “DIM Logiciels et Systèmes Complexes”,
providing grants to research projects, funded by
*Île-de-France*regional council and Digiteo
cluster,
http://

E. Contejean and C. Marché,
nominated members of the
*“conseil du laboratoire”*of LRI since April
2010.

C. Marché, hiring committee of one assistant professor position at IUT Orsay.

C. Marché, M. Pouzet and X. Urbain: hiring committee for one assistant professor position at ENSIIE, in Evry (spring 2010).

M. Pouzet, hiring committee for a full professor position at Ecole Supérieure d'Informatique et Applications de Lorraine (ESIAL) in Nancy (spring 2010).

G. Melquiond, C. Paulin,
members of the
*“commission consultative de spécialistes de
l'université”*, Section 27, University Paris-Sud 11
since April 2010.

C. Paulin, hiring committees of two assistant professor positions: University Paris-Sud (chaire INRIA), and University Paris 7.

C. Paulin, representative of Univ. Paris-Sud 11 for the education part of the EIT KIC ICT Labs.

X. Urbain, hiring committee for two assistant professor positions at UPB/ENSEIRB-MATMECA, Bordeaux (Spring 2010).

J.-C. Filliâtre is
*correcteur au concours d'entrée à l'École
Polytechnique*(computer science examiner for the
entrance exam at École Polytechnique) since 2008.

S. Conchon was
*correcteur au concours d'entrée á l'École
Polytechnique*(computer science examiner for the
entrance exam at École Polytechnique) in 2010.

É. Contejean is a member of the
*“jury de l'agrégation externe de
mathématiques”*as an expert in computer science
since 2007.

X. Urbain is an elected member
of the board (
*“conseil d'administration”*) of École Nationale
Supérieure d'Informatique pour l'Industrie et
l'Entreprise (ENSIIE).

C. Marché co-organized (with
B. Beckert, Karlsruhe Institute of Technology,
Germany) the International Conference on Formal
Verification of Object-Oriented Software (Paris,
France, June 28-30, 2010).
http://

J.-C. Filliâtre co-organized
(with Cormac Flanagan, University of California, Santa
Cruz, CA, USA) the PLPV'10 workshop (January 2010,
Madrid, Spain).
http://

S. Boldo is member of the
editorial committee of the popular science web site
)i(:
http://

C. Paulin edited a special issue of Science of Computer Programming devoted to selected papers of the conference MPC'08 .

Marc Pouzet is associate editor of
the EURASIP Journal on Embedded systems (
http://

C. Marché, program co-chair of the International Conference on Formal Verification of Object-Oriented Software (FoVeOOS 2010).

S. Conchon, co-chair of the JFLA 2010 and program chair of JFLA 2011.

S. Boldo is a member of the program committee of JFLA 2011.

É. Contejean is a member of the program committee of PEPM 2011.

C. Paulin is a member of the program committees of the 10th International Conference on Mathematics of Program Construction (MPC 2010), the second conference on Interactive Theorem Proving (ITP 2011), and the Fifth ACM SIGPLAN Workshop on Programming Languages meets Program Verification (PLPV 2011), affiliated to POPL.

M. Pouzet is a member of the program committee of the following conferences in 2010: 31st IEEE Real-Time Systems Symposium conference (RTSS); Formal Methods in Computer Aided Design (FMCAD); Design, Automation & Test in Europe (DATE); Approches Formelles dans l'Assistance au Développement de Logiciels (AFADL); Conference on Real-Time and Network Systems (RTNS) and the workshop of Design Correct Circuits (DCC), affiliated to ETAPS.

J.-C. Filliâtre was a member of the program committees of AFM 2010, IWS 2010, Inforum 2010 and PLPV 2010.

S. Boldo, invited speaker at
the Third International Workshop on Numerical Software
Verification (NVS-3) on July 15th 2010:
*Formal verification of numerical programs: from C
annotated programs to Coq proofs*.

X. Urbain, Habilitation thesis, November 29th, 2010 .

F. Plateau, PhD thesis, January 6th, 2010 . She has been hired in the new company Prove & Run headed by D. Bolignano.

J. Kanig, PhD thesis, November
26th, 2010. He was supervised by Jean-Christophe
Filliâtre and Christine Paulin. In 2011, he will be
software engineer at the AdaCore Company, at the
European Office in Paris. (
http://

C. Marché: reviewer, PhD jury of Arthur Charguéraud (University Paris 7, December 16th, 2010).

C. Marché: member of Habilitation jury of Xavier Urbain (University Paris 11, November 29th, 2010).

C. Paulin: reviewer of the following PhD thesis: Benoït Robillard (CNAM, Nov 30th) and Santiago Zanella (Mines-Paristech, Dec 9th); member of Cédric Saule PhD thesis jury (Univ. Paris 11, Dec 17th, 2010).

C. Paulin: member of Habilitation jury of Iordanis Kerenidis (University Paris 11, Dec 3th, 2010).

M. Pouzet: reviewer of the following PhD thesis: Tayeb Bouhadiba (Université de Grenoble; dir: Florence Maraninchi; September 16th, 2010); Daniel Reynaud (INPL, Nancy; dir: Jean-Yves Marion; October 15th, 2010); Antony Coadou (Université de Nice; dir: Robert de Simone; December 3th, 2010).

M. Pouzet: president of the PhD jury of Tayeb Bouhadiba and of the Habilitation jury of David Delahaye (December 9th, 2010).

J.-C. Filliâtre: member of the PhD jury of Ioana Paşca (Université de Nice, November 23rd, 2010).

S. Boldo, C. Marché: Ph.D. thesis of T. Nguyen, started in February 2009, part of the Hisseo project (static analysis of the assembly code).

S. Conchon, É. Contejean: Ph.D. thesis of Stéphane Lescuyer, defence scheduled January 2011 (complete certification of an automated theorem prover dedicated to program verification).

S. Conchon, É. Contejean: Ph.D thesis of Mohamed Iguernelala, started September 2009 (forward and backward strategies in SMT solvers).

J.-C. Filliâtre: Ph.D. thesis of Johannes Kanig, defended on November 26th, 2010

J.-C. Filliâtre: Ph.D. thesis of François Bobot (started September 2008).

C. Marché: PhD thesis of Romain Bardou since Sep. 07 (modular reasoning on pointer programs)

C. Marché: PhD thesis of Asma Tafat since Sep. 09 (dynamic invariants)

C. Marché, jointly with Benjamin Monate (CEA): Paolo Herms, since Oct. 08 (certification of Frama-C/Jessie/Why tool-chain).

C. Paulin: Wendi Urribarrí (towards certified libraries) since Nov. 2006

M. Pouzet: PhD thesis of Léonard Gérard since Sept 2008 (a language for n-synchronous systems) and Cédric Auger, started in Sept 2008 (certified compilation of Lustre).

M. Pouzet was supervising the PhD of Florence Plateau (the theory of n-synchronous systems) which was defended January, 6th 2010.

X. Urbain is (co-)supervising the PhD theses of A. Compaore (with P. Le Gall, on rewriting techniques for (space and time) simulation of biological processes), and of Z. Bouzid (with S. Tixeuil and M. Gradinariu Potop-Butucaru, on models and algorithms for emerging systems).

C. Marché supervises the post-doc intern of K. Krishnamani since Sep 09 (predicate abstraction techniques for critical C programs).

C. Paulin supervises together with P. Courtieu (CNAM) the post-doc intern of D. Baelde on certification of security of watermarking algorithms.

J.-C. Filliâtre and A. Paskevich supervised the internship of S. Cruanes on integration of TPTP provers into the Why platform.

M. Pouzet supervised the master internship of C. Pasteur, on the optimisation of the handling of arrays in the Scade compiler.

Master Parisien de Recherche en
Informatique (MPRI)
http://

C. Paulin is responsible for the course “Proof assistants”. In 2010, she lectured (6h) in this course.

In 2010, G. Melquiond lectured (9h) in the course on “Proof assistants”.

In 2010-2011, X. Urbain lectured (12,5h) in the course on “Automated Deduction”.

In 2010-2011, É. Contejean lectured on advanced rewriting (12h) in the course on “Automated Deduction”.

L. Mandel, C. Paulin and M. Pouzet: complete professor duty (192h per year) at University Paris-Sud 11 and ENS.

S. Conchon is teaching as part of his duty (96h per year) at University Paris-Sud 11.

A. Paskevich: young associate professor (150h during academic year 2010/2011) at IUT d'Orsay, University Paris-Sud 11.

In fall 2010, J.-C. Filliâtre is lecturing (24h) at École Normale Supérieure on programming languages and compilers. In 2009–2010, J.-C. Filliâtre is teaching at École Polytechnique (70h per year).

C. Auger, R. Bardou, F. Bobot and L. Gérard: “moniteur” position (64h per year) at University Paris-Sud 11.

A. Tafat, M. Iguernelala: “moniteur” position (64h per year) at I.U.T Orsay.

T. Nguyen: “moniteur” position (64h per year) at IFIPS (since September 2009)

The tools Frama-C, Why and Alt-Ergo
were presented at the Imatch day on 23 november 2010, on
the themes of security and proof of programs
(C. Marché, S. Conchon, C. Paulin)
http://

Airbus France expressed in 2009 the
wish to integrate our tool Alt-Ergo in its process of
certification of the critical softwares in their next
generation planes. We thus started the procedure of
*qualifying*Alt-Ergo in the sense of the DO-178B
norm, which fixes the contraints on software development
to achieve certification of an avionics software. This is
done as part of the
*ADT Alt-Ergo*.

Journees INRIA-Industrie in Toulouse: Sylvain Conchon presented a demo of the Alt-Ergo theorem prover.

G. Melquiond participates in the meetings of the IEEE-1788 standardization committee on interval arithmetic. The “Technology Development” INRIA department is funding his travel expenses till late 2011.

The Frama-C environment has a growing
industrial impact, being currently under experimental use
and evaluation by U3CAT industrial partners but also
other european industrial users, e.g. Fraunhofer FIRST
institute (
http://

Since April 2008, S. Boldo is member of the editorial
committee of the popular science web site )i(:
http://

Since July 2009, S. Boldo is elected member of the board of the Animath association that promotes mathematics among young people.

S. Boldo was invited to talk at Intertice on May 10th 2010, a meeting for teachers about teaching and TICE. She talked about the seminar “Formation Informatique et Objets Numériques”, where she was speaker, which was organized in 2009 in order to prepare a computer science option in the secondary schools of the academy of Versailles.

S. Boldo gave a talk for mathematic secondary school teachers at the IUFM on June 3rd 2010.

S. Boldo wrote an article for the popular science web
site )i( about the fact that it is always the computer's
fault:
http://

S. Boldo was invited to a participate to the web-TV
of the Cité des Sciences et de l'Industrie for the show
*Qui veut gagner des neurones?*about computer science:
http://

R. Bardou, F. Bobot, M. Iguernelala:
*“Salon de la Culture et des Jeux Mathématiques”*,
Paris, May 27-30. Animation of a workshop introducing the
bases of programming, illustrated by the programmation of a
robot. Jointly with Y. Régis-Gianas, pi.r2 team, INRIA
Paris-Rocquencourt.

F. Bobot, M. Iguernelala, J. Kanig,
A. Tafat:
*“Fête de la science”*, Gif-sur-Yvette, October 22-24.
Introduction to computer programming based on an improved
presentation of the robot animation above.