The Toccata team (http://
The general objective of the Toccata project is to promote formal specification and computer-assisted proof in the development of software that requires a high assurance of its safety and its correctness with respect to its intended behavior.
The importance of software in critical systems increased a lot in the past decades. Critical software appears in various application domains such as transportation (e.g. airplanes, railway), communication (e.g. smart phones) or banking. The set of available features is quickly increasing, together with the number of lines of codes involved. Given the need of high assurance of safety in the functional behavior of such applications, the need for automated (i.e. computer-assisted) methods and techniques to bring guarantee of safety became a major challenge. In the past, the main process to check safety of a software was to apply heavy test campaigns, which take a large part of the costs of software development.
This is why static analysis techniques were invented to complement tests. The general aim is to analyze a program code without executing it, to get as much guarantees as possible on all possible executions at once. The main classes of static analysis techniques are:
Abstract Interpretation: it approximates program execution by abstracting program states into well-chosen abstraction domains. The reachable abstract states are then analyzed in order to detect possible mistakes, corresponding to abstract states that should not occur. The efficiency of this approach relies on the quality of the approximation: if it is too coarse, false positives will appear, which the user needs to analyze manually to determine if the error is real or not. A major success of this kind of approach is the verification of absence of run-time errors in the control-command software of the Airbus A380 by the tool Astrée .
Model-checking: it denotes a class of approaches that got a great success in industry, e.g. the quality of device drivers of Microsoft's Windows operating system increased a lot by systematic application of such an approach . A program is abstracted into a finite graph representing an approximation of its execution. Functional properties expected for the execution can be expressed using formal logic (typically temporal logic) that can be checked valid by an exploration of the graph. The major issue of model-checking is that the size of the graph can get very large. Moreover, to get less coarse approximations, one may be interested in abstracting a program into an infinite graph. In that case, extensions of model-checking are proposed: bounded model-checking, symbolic model-checking, etc. Predicate Abstraction is also a rather successful kind of model-checking approach because of its ability of getting iteratively refined to suppress false positives .
Deductive verification: it differs from the other approaches in that it does not approximate program execution. It originates from the well-known Hoare logic approach. Programs are formally specified using expressive logic languages, and mathematical methods are applied to formally prove that a program meets its specification.
The Toccata project is mainly interested in exploring the deductive verification approach, although we believe that the above classes of approaches are compatible. We indeed have studied some way to combine these approaches in the past , , .
In the past decade, significant progresses have been made in the domain of deductive program verification. They are emphasized by some successful application of these techniques on industrial-scale software, e.g. the Atelier B system was used to develop part of the embedded software of the Paris metro line 14 and other railroad-related systems, a formally proved C compiler was developed using the Coq proof assistant , Microsoft's hypervisor for highly secure virtualization was verified using VCC and the Z3 prover , the L4-verified project developed a formally verified micro-kernel with high security guarantees, using analysis tools on top of the Isabelle/HOL proof assistant . Another sign of recent progress is the emergence of deductive verification competitions.
In the deductive verification context, there are two main families of approaches. Methods in the first family build on top of mathematical proof assistants (e.g. Coq, Isabelle) in which both the models and the programs are encoded, and the proofs that a program meets its specification is typically conducted in an interactive way using the underlying proof construction engine. Methods from the second family proceed by the design of standalone tools taking as input a program in a particular programming language (e.g. C, Java) specified with a dedicated annotation language (e.g. ACSL , JML ) and automatically producing a set of mathematical formulas (the verification conditions) which are typically proved using automatic provers (e.g. Z3 , Alt-Ergo , CVC3 ). The first family of approaches usually offers a higher level of assurance than the second, but also demands more work to establish the proofs (because of their interactive nature) and makes them less easy to adopt by industry. Moreover they do not allow to directly analyze a program written in a mainstream programming language like Java or C. The second kind of approaches has benefited in the past years from the tremendous progresses made in SAT and SMT solving techniques, allowing more impact on industrial practices, but suffers from a lower level of trust: in all parts of the proof chain (the model of the input programming language, the VC generator, the back-end automatic prover) potential errors may appear, compromising the guarantee offered. They can be applied to mainstream languages, but usually only a subset of them is supported. Finally, recent trends in the industrial practice for development of critical software is to require more and more guarantees of safety, e.g. the DO-178C standard for developing avionics software adds to the former DO-178B the use of formal models and formal methods. It also emphasizes the need for certification of the analysis tools involved in the process.
To illustrate our past contributions in the domain of deductive verification, we provide below a set of reference publications of our former scientific results, published in the past 5 years.
Concerning Automated Deduction, our references publications are: a TACAS'2011 paper on an SMT decision procedure for associativity and commutativity, an IJCAR'2012 paper about an original contribution to decision procedures for arithmetic, a CAV'2012 paper presenting an SMT-based model checker, a FroCos'2011 paper presenting an new approach for encoding polymorphic theories into monomorphic ones.
Regarding deductive program verification in general, a first reference
publication is the habilitation thesis of
Filliâtre which provides a very good survey of
our contributions until 2011. A shorter version appeared in the STTT
journal .
The ABZ'2012 paper is a
representative publication presenting an application of our Why3
system to solving proof obligations coming from Atelier B. The
VSTTE'2012 paper is a reference case study
publication: proof of a program solving the
In industrial applications, numerical calculations are very common (e.g. control software in transportation). Typically they involve floating-point numbers. Concerning the analysis of numerical programs, our representative publications are: a paper in the MCS journal in 2011 presenting on various examples our approach of proving behavioral properties of numerical C programs using Frama-C/Jessie, a paper in the TC journal in 2010 presenting the use of the Gappa solver for proving numerical algorithms, a paper in the ISSE journal in 2011 together with a paper at the CPP'2011 conference presenting how we can take architectures and compilers into account when dealing with floating-point programs. We also contributed to the Handbook of Floating-Point Arithmetic in 2009 . A representative case study is the analysis and the proof of both the method error and the rounding error of a numerical analysis program solving the one-dimension acoustic wave equation, presented in part at ITP'2010 and in another part at ICALP'2009 and fully in a paper in the JAR journal .
Finally, about the theme of certification of analysis tools, the reference papers are: a PEPM'2010 and a RTA'2011 paper on certified proofs of termination and other related properties of rewriting systems, and a VSTTE'2012 paper presenting a certified VC generator.
The diagram of Figure details how our tools interact with each other and with other tools. The tools in pink boxes are designed by us, while those in blue boxes are designed by partners. The central tool is Why3 , , which includes both a Verification Condition Generator and a set of encoders and printers. The VC generator reads source programs in a dedicated input language that includes both specifications and code. It produces verification conditions that are encoded and printed into various formats and syntax so that a large set of interactive and automatic provers can be used to discharge the verification conditions.
Among automated provers, our own tool Alt-Ergo is an SMT solver that is able to deal with quantifiers, arithmetic in integers or real numbers, and a few other theories. Gappa is a prover designed to support arithmetic on real numbers and floating-point rounding. As front-ends, our tool Krakatoa reads annotated Java source code and produces Why3 code. The tool Jessie , is a plug-in for the Frama-C environment (which we designed in collaboration with CEA-List); it does the same for annotated C code. The GnatProve tool is a prototype developed by Adacore company; it reads annotated Ada code and also produces Why3 code. Spark is an ancestor of GnatProve developed by Altran-Praxis company; it has a dedicated prover but it was recently modified so as to produce verification conditions in a suitable format for Alt-Ergo.
Last but not least, the modeling of programs semantics and the specification of their expected behaviors is based on some libraries of mathematical theories that we develop, either in the logic language of Why3 or in Coq. These are the yellow boxes of the diagram. For example, we developed in Coq the Flocq library for the formalization of floating-point computations .
In the former ProVal project, we have been working on the design of methods and tools for deductive verification of programs. One of our originalities is our ability to conduct proofs by using automatic provers and proof assistants at the same time, depending on the difficulty of the program, and specifically the difficulty of each particular verification condition. We thus believe that we are in a good position to propose a bridge between the two families of approaches of deductive verification presented above. This is a new goal of the team: we want to provide methods and tools for deductive program verification that can offer both a high amount of proof automation and a high guarantee of validity. Toward this objective, we propose a new axis of research: to develop certified tools, i.e. analysis tools that are themselves formally proved correct.
As mentioned above, some of the members of the team have an internationally-recognized expertise on deductive program verification involving floating-point computation , including both interactive proving and automated solving . Indeed we noticed that the verification of numerical programs is a representative case that can benefit a lot from combining automatic and interactive theorem proving , . This motivated our research on the formal verification of numerical programs.
Moreover, we continue the fundamental studies we conducted in the past concerning deductive program verification in general. This is why our detailed scientific programme is structured into three themes:
Formally Verified Programs,
Certified Tools,
Numerical Programs.
Formal program verification is a research theme that builds upon our expertise in the development of methods and tools for proving programs, from source codes annotated with specifications to proofs. In the past, we tackled programs written in mainstream programming languages, with the system Why3 and the front-ends Krakatoa for Java source code, and Frama-C/Jessie for C code. However, Java and C programming languages were designed a long time ago, and certainly not with the objective of formal verification in mind. This raises a lot of difficulties when designing specification languages on top of them, and verification condition generators to analyze them. On the other hand, we designed and/or used the Coq and Why3 languages and tools for performing deductive verification, but those were not designed as programming languages that can be compiled into executable programs.
Thus, a new axis of research we propose is the design of an environment that is aimed to both programming and proving, hence that will allow to develop correct-by-construction programs. To achieve this goal, there are two major axes of theoretical research that needs to be conducted, concerning, on the one hand, methods required to support genericity and reusability of verified components, and, on the other hand, the automation of the proof of the verification conditions that will be generated.
A central ingredient for the success of deductive approaches in program verification is the ability to reuse components that are already proved. This is the only way to scale the deductive approach up to programs of larger size. As for programming languages, a key aspect that allow reusability is genericity. In programming languages, genericity typically means parametricity with respect to data types, e.g. polymorphic types in functional languages like ML, or generic classes in object-oriented languages. Such genericity features are essential for the design of standard libraries of data structures such as search trees, hash tables, etc. or libraries of standard algorithms such as for searching, sorting.
In the context of deductive program verification, designing reusable libraries also requires designing of generic specifications which typically involve parametricity not only with respect to data types but also with respect to other program components. For example, a generic component for sorting an array needs to be parametrized by the type of data in the array but also by the comparison function that will be used. This comparison function is thus another program component that is a parameter of the sorting component. For this parametric component, one needs to specify some requirements, at the logical level (such as being a total ordering relation), but also at the program execution level (like being side-effect free, i.e. comparing of data should not modify the data). Typically such a specification may require higher-order logic.
Another central feature that is needed to design libraries of data structures is the notion of data invariants. For example, for a component providing generic search trees of reasonable efficiency, one would require the trees to remain well-balanced, over all the life time of a program.
This is why the design of reusable verified components requires advanced features, such as higher-order specifications and programs, effect polymorphism and specification of data invariants. Combining such features is considered as an important challenge in the current state of the art (see e.g. ). The well-known proposals for solving it include Separation logic , implicit dynamic frames , and considerate reasoning . Part of our recent research activities were aimed at solving this challenge: first at the level of specifications, e.g. we proposed generic specification constructs upon Java or a system of theory cloning in our system Why3 ; second at the level of programs, which mainly aims at controlling side-effects to avoid unexpected breaking of data invariants, thanks to advanced type checking: approaches based on memory regions, linearity and capability-based type systems , , .
A concrete challenge that should be solved in the future is: what additional constructions should we provide in a specification language like ACSL for C, in order to support modular development of reusable software components? In particular, what would be an adequate notion of module, that would provide a good notion of abstraction, both at the level of program components and at the level of specification components?
Verifying that a program meets formal specifications typically amounts to generating verification conditions e.g. using a weakest precondition calculus. These verification conditions are purely logical formulas—typically in first-order logic and involving arithmetic in integers or real numbers—that should be checked to be true. This can be done using either automatic provers or interactive proof assistants. Automatic provers do not need user interaction, but may run forever or give no conclusive answer.
There are several important issues to tackle. Of course, the main general objective is to improve automation as much as possible. We continue our efforts around our own automatic prover Alt-Ergo towards more expressivity, efficiency, and usability, in the context of program verification. More expressivity means that the prover should better support the various theories that we use for modeling. Toward this direction, we aim at designing specialized proof search strategies in Alt-Ergo, directed by rewriting rules, in the spirit of what we did for the theory of associativity and commutativity .
A key challenge also lies in the handling of quantifiers. SMT solvers, including Alt-Ergo, deal with quantifiers with a somewhat ad-hoc mechanism of heuristic instantiation of quantified hypotheses using the so-called triggers that can be given by hand , . This is completely different from resolution-based provers of the TPTP category (E-prover, Vampire, etc.) which use unification to apply quantified premises. A challenge is thus to find the best way to combine these two different approaches of quantifiers. Another challenge is to add some support for higher-order functions and predicates in this SMT context, since as said above, reusable verified components will require higher-order specifications. A few solutions have been proposed, essentially based on encoding of higher-order goals into first-order goals .
Generally speaking, there are several theories, interesting for program verification, that we would like to add as built-in decision procedures in an SMT context. First, although there already exist decision procedures for variants of bit-vectors, they are not complete enough to support what is needed to reason on programs that manipulate data at the bit-level, in particular if conversions from bit-vectors to integers or floating-point numbers are involved . Regarding floating-point numbers, an important challenge is to integrate in an SMT context a decision procedure like the one implemented in our tool Gappa.
Another goal is to improve the feedback given by automatic provers: failed proof attempts should be turned into potential counterexamples, so as to help debugging programs or specifications. A pragmatic goal would be to allow cooperation with other verification techniques. For instance, testing could be performed on unproved goals. Regarding this cooperation objective, an important goal is a deeper integration of automated procedures in interactive proofs, like it already exists in Isabelle . We now have a Why3 tactic in Coq that we plan to improve.
As said before, a new axis of research we follow is the design of a language and an environment for both programming and proving. We believe that this will be a fruitful approach for designing highly trustable software. This is a similar goal as projects Plaid, Trellys, ATS, or Guru, mentioned above.
The basis of this research direction is the Why3 system, which is in fact a reimplementation from scratch of the former Why tool, that we started in January 2011. This new system supports our research at various levels. It is already used as an intermediate language for deductive verification.
The next step for us is to develop its use as a true programming language. Our objective is to propose a language where programs could be both executed (e.g. thanks to a compiler to, say, OCaml) and proved correct. The language would basically be purely applicative (i.e. without side-effects, e.g. close to ML) but incorporating specifications in its core. There are, however, some programs (e.g. some clever algorithms) where a bit of imperative programming is desirable. Thus, we want to allow some form of imperative features, but in a very controlled way: it should provide a strict form of imperative programming that is clearly more amenable to proof, in particular dealing with data invariants on complex data structures.
As already said before, reusability is a key issue. Our language should propose some form of modules with interfaces abstracting away implementation details. Our plan is to reuse the known ideas of data refinement that was the foundation of the success of the B method. But our language will be less constrained than what is usually the case in such a context, in particular regarding the possibility of sharing data, and the constraints on composition of modules, there will be a need for advanced type systems like those based on regions and permissions.
The development of such a language will be the basis of the new theme regarding the development of certified tools, that is detailed in Section 3.3 below.
Concerning formal verification of programs, there are a few extra exploratory topics that we plan to explore.
Concurrent Programming So far, we only investigated the verification of sequential programs. However, given the spreading of multi-core architectures nowadays, it becomes important to be able to verify concurrent programs. This is known to be a major challenge. We plan to investigate this direction, but in a very careful way. We believe that the verification of concurrent programs should be done only under restrictive conditions on the possible interleaving of processes. In particular, the access and modification of shared data should be constrained by the programming paradigm, to allow reasonable formal specifications. In this matter, the issues are close to the ones about sharing data between components in sequential programs, and there are already some successful approaches like separation logic, dynamic frames, regions, and permissions.
Resource Analysis The deductive verification approaches are not necessarily limited to functional behavior of programs. For example, a formal termination proof typically provides a bound on the time complexity of the execution. Thus, it is potentially possible to verify resources consumption in this way, e.g. we could prove WCET (Worst Case Execution Times) of programs. Nowadays, WCET analysis is typically performed by abstract interpretation, and is applied on programs with particular shape (e.g. no unbounded iteration, no recursion). Applying deductive verification techniques in this context could allow to establish good bounds on WCET for more general cases of programs.
Other Programming Paradigms
We are interested in the application of deductive methods in other
cases than imperative programming à la C, Java or Ada. Indeed, in the recent
years, we applied proof techniques to randomized
programs , to cryptographic
programs . We plan to use proof techniques
on applications related to databases. We also have plans to support
low-level programs such as assembly
code , and other unstructured
programming paradigm.
We are also investigating more and more applications of SMT solving,
e.g. in model-checking approach (for example in
Cubicle
One of our goals is to guarantee the soundness of the tools we develop. In fact, it goes beyond that; our goal is to promote our future Why3 environment so that others could develop certified tools. Tools like automated provers or program analyzers are good candidate case studies because they are mainly performing symbolic computations, and as such they are usually programmed in a mostly purely functional style.
We conducted several experiments of development of certified software in the past. First, we have a strong expertise in the development of libraries in Coq: the Coccinelle library formalizing term rewriting systems, the Alea library for the formalization of randomized algorithms, several libraries formalizing floating-point numbers (Floats , Gappalib , and now Flocq which unifies the formers). Second we conducted the development of a certified decision procedure that corresponds to a core part of Alt-Ergo. Third we developed, still in Coq, certified verification condition generators, in a first step for a language similar to Why, and in a second step for C annotated in ACSL , based on the operational semantics formalized in the CompCert certified compiler project .
To go further, we have several directions of research in mind.
Using the Why3 programming language instead of Coq allows for more freedom. For example, it should allow one to use a bit of side-effects when the underlying algorithm justifies it (e.g. hash-consing, destructive unification). On the other hand, we will lose some Coq features like dependent types that are usually useful when formalizing languages. Among the issues that should be studied, we believe that the question of the formalization of binders is both central and challenging (as exemplified by the POPLmark international challenge ).
The support of binders in Why3 should not be built-in, but should be under the form of a reusable Why3 library, that should already contain a lot of proved lemmas regarding substitution, alpha-equivalence and such. Of course we plan to build upon the former experiments done for the POPLmark challenge. Although, it is not clear yet that the support of binders only via a library will be satisfactory. We may consider addition of built-in constructs if this shows useful. This could be a form of (restricted) dependent types as in Coq, or subset types as in PVS.
As an environment for both programming and proving, Why3 should come with a standard library that includes both verified libraries of programs, but also libraries of specifications (e.g. theories of sets, maps, etc.).
The certification of those Why3 libraries of specifications should be addressed too. Why3 libraries for specifying models of programs are commonly expressed using first-order axiomatizations, which have the advantage of being understood by many different provers. However, such style of formalization does not offer strong guarantees of consistency. More generally, the fact that we are calling different kind of provers to discharge our verification conditions raises several challenges for certification: we typically apply various transformations to go from the Why3 language to those of the provers, and these transformations should be certified too.
A first attempt in considering such an issue was done in earlier work . It was proposed to certify the consistency of a library of specification using a so-called realization, which amounts to “implementing” the library in a proof assistant like Coq. This is an important topic of the ANR project BWare.
The goal is to develop certified provers, in the sense that they are proved to give a correct answer. This is an important challenge since there have been a significant amount of soundness bugs discovered in the past, in many tools of this kind.
The former work on the certified core of Alt-Ergo should be continued to support more features: more theories (full integer arithmetic, real arithmetic, arrays, etc.), quantifiers. Development of a certified prover that supports quantifiers should build upon the previous topic about binders.
In a similar way, the Gappa prover, which is specialized to solving constraints on real numbers and floating-point numbers, should be certified too. However, for very complex decision procedures, developing a certified proof search might be too ambitious. Instead, the idea is to ask Gappa to produce Coq proofs on a per-goal basis, so as to check a posteriori the soundness of its result on the given instance. More generally, we can have Gappa produce traces of its execution that can later be processed by a certified trace checker. This approach was used in the past for certified proofs of termination of rewriting systems , and it was also used internally in CompCert for several passes of compilation .
The other kind of tools that we would like to certify are the VC generators. This is a continuation of the work on developing in Coq a certified VC generator for C code annotated in ACSL . We develop such a generator in Why3 instead of Coq . As before, this builds upon a formalization of binders. There are various kinds of VC generators that are interesting. A generator for a simple language in the style of those of Why3 is a first step. Other interesting cases are: a generator implementing the so-called fast weakest preconditions , and a generator for unstructured programs like assembly, that would operate on an arbitrary control-flow graph.
On a longer term, we wish to be able to certify advanced verification methods like those involving refinement, alias control, regions, permissions, etc.
An interesting question is how one could certify a VC generator that involves a highly expressive logic, like higher-order logic, as it is the case of the CFML method which allows one to use the whole Coq language to specify the expected behavior. One challenging aspect of such a certification is that a tool that produces Coq definitions, including inductive definitions and module definitions, cannot be directly proved correct in Coq, because inductive definitions and module definitions cannot be generated through the evaluation of Coq definitions. Therefore, it seems necessary to involve, in a way or another, a “deep embedding”, that is, a formalization of Coq in Coq, possibly by reusing the deep embedding developed by B. Barras .
In recent years, we demonstrated our capability towards specifying
and proving properties of floating-point programs, properties which
are both complex and precise about the behavior of those programs:
see the
publications , , , , , , ,
as well as the web galleries of certified programs at
our Web
page
The directions of research concerning floating-point programs that we pursue are the following.
A first goal is to ease the formal verification of floating-point programs: the primary objective is still to improve the scope and efficiency of our methods, so as to ease further the verification of numerical programs. The on-going development of the Flocq library continues towards the formalization of bit-level manipulations and also of exceptional values (e.g. infinities). We believe that good candidates for applications of our techniques are advanced algorithms to compute efficiently with floats, which operate at the bit-level. The formalization of real numbers is being revamped too: higher-level numerical algorithms are usually built on some mathematical properties (e.g. computable approximations of ideal approximations), which then have to be proved during the formal verification of these algorithms.
Easing the verification of numerical programs also implies more automation. SMT solvers are generic provers well-suited for automatically discharging verification conditions, but they appear to loose their effectiveness when floating-point arithmetic is involved . Our goal is to improve the arithmetic theories of Alt-Ergo, so that they support floating-point arithmetic along their other theories, if possible by reusing the heuristics developed for Gappa.
Our goal is to handle floating-point programs that are related to continuous quantities. This includes numerical analysis programs we have already worked on , , . But our work is only a beginning: we were able to solve the difficulties to prove one particular scheme for one particular partial differential equation. We need to be able to easily prove other programs of this kind. This requires new results that handle generic schemes and many partial differential equations. The idea is to design a toolbox to prove these programs with as much automation as possible. We wish this could be used by numerical analysts that are not or hardly familiar with formal methods, but are nevertheless interested in the formal correctness of their schemes and their programs.
Another very interesting kind of programs (especially for industrial developers) are those based on hybrid systems, that is where both discrete and continuous quantities are involved. This is a longer-term goal, but we may try to go towards this direction. A first problem is to be able to specify hybrid systems: what are they exactly expected to do? Correctness usually means not going into a forbidden state but we may want additional behavioral properties. A second problem is the interface with continuous systems, such as sensors. How can we describe their behavior? Can we be sure that the formal specification fits? We may think about Ariane V where one piece of code was shamelessly reused from Ariane IV. Ensuring that such a reuse is allowed requires to correctly specify the input ranges and bandwidths of physical sensors.
Studying hybrid systems is among the goals of the new ANR project Cafein.
In coordination with our second theme, another objective is to port the kernel of Gappa into either Coq or Why3, and then extract a certified executable. Rather than verifying the results of the tool a posteriori with a proof checker, they would then be certified a priori. This would simplify the inner workings of Gappa, help to support new features (e.g. linear arithmetic, elementary functions), and make it scale better to larger formulas, since the tool would no longer need to carry certificates along its computations. Overall the tool would then be able to tackle a wider range of verification conditions.
An ultimate goal would be to develop the decision procedure for floating-point computations, for SMT context, that is mentioned in Section , directly as a certified program in Coq or Why3.
The application domains we target involve safety-critical software, that is where a high-level guarantee of soundness of functional execution of the software is wanted. The domains of application include the following. For each of them we refer to our past or current actions, in particular in relations with projects, contracts and industrial partners. Currently our industrial collaborations mainly belong to the first of these domains, transportation.
Transportation including aeronautics, railroad, space flight, automotive.
These domains were considered in the context of the ANR U3CAT project, led by CEA, in partnership with Airbus France, Dassault Aviation, Sagem Défense et Sécurité. It included proof of C programs via Frama-C/Jessie/Why, proof of floating-point programs, the use of the Alt-Ergo prover via CAVEAT tool (CEA) or Frama-C/WP. This action is continued in the new project Soprano.
Aeronautics is the main target of the Verasco project, leaded by Verimag, on the development of certified static analyzers, in partnership with Airbus.
The former FUI project Hi-Lite, led by Adacore company, uses Why3 and Alt-Ergo as back-end to SPARK2014, an environment for verification of Ada programs. This is applied to the domain of aerospace (Thales, EADS Astrium). This action is continued in the new joint laboratory ProofInUse. A recent paper provides an extensive list of applications of SPARK, a major one being the British air control management.
In the current ANR project BWare, we investigate the use of
Why3 and Alt-Ergo as an alternative back-end for checking proof
obligations generated by Atelier B, whose main applications are
railroad-related software
(http://
Energy is naturally an application in particular with our long-term partner CEA, in the context of U3CAT and Soprano projects.
Communications and Data in particular in contexts with a particular need for security or confidentiality: smart phones, Web applications, health records, electronic voting, etc.
Part of the applications of SPARK include verification of security-related properties, including cryptographic algorithms.
Our new AJACS project addresses issues related to security and privacy in web applications written in Javascript, also including correctness properties.
The Cubicle model checker
modulo theories based on the Alt-Ergo
SMT prover, in collaboration with Intel Strategic Cad Labs (Hillsboro,
OR, USA) is particularly targeted to the verification of concurrent programs and
protocols (http://
Medicine, including diagnostic devices, computer-assisted surgery
Such applications involve techniques for control and command close to what is done in transportation. Moreover, in this context, there is a need for modeling using differential equations, finite elements, hybrid systems, which are considered in other projects of us: FastRelax, ELFIC, Cafein.
Financial applications, banking
We add projects in the past about safety and security of smart cards, in collaboration with Gemalto (European project VerifiCard, two CIFRE theses). Banking is naturally a domain of application of techniques dealing with security and confidentiality already mentioned above.
Criteria for Software Self-Assessment: A-3-up, SO-4, SM-4, EM-4,
SDL-5, OC-4.
Why3 is the next generation of Why. Why3 clearly separates the purely logical specification part from generation of verification conditions for programs. It features a rich library of proof task transformations that can be chained to produce a suitable input for a large set of theorem provers, including SMT solvers, TPTP provers, as well as interactive proof assistants.
It is distributed as open source, under GPL license, at
http://
Why3 is used as back-end of our own tools Krakatoa and
Jessie, but also as back-end of the GNATprove tool (Adacore
company), and of the WP plugin of Frama-C. Why3
has been used to develop and prove a significant part of the
programs of our team gallery
http://
Why3 is used by other academic research groups, e.g. within the
CertiCrypt/EasyCrypt project
(http://
Two versions were released in 2014: 0.83 released in March and 0.84 in September, plus a few days later a bugfix version 0.85.
Criteria for Software Self-Assessment: A-3-up, SO-4, SM-4-up, EM-4, SDL-5, OC-4.
Alt-Ergo is an automated proof engine, dedicated to program verification, whose development started in 2006. It is fully integrated in the program verification tool chain developed in our team. It solves goals that are directly written ina Why's annotation language; this means that Alt-Ergo fully supports first order polymorphic logic with quantifiers. Alt-Ergo also supports the standard defined by the SMT-lib initiative.
It is currently used in our team to prove correctness of C and Java programs as part of the Why platform and the new Why3 system. It is used as back-end prover in the environments Frama-C and CAVEAT for static analysis of C developed at CEA. In this context, Alt-Ergo has been qualified by Airbus and is integrated in the next generation of Airbus development process. Alt-Ergo is usable as a back-end prover in the SPARK verifier for ADA programs, since Oct 2010, and is also the main back-end prover of the new SPARK2014.
Alt-Ergo is integrated in several other tools and platforms: the
Bware platform for discharging VCs generated by Atelier B, the
EasyCrypt environment for verifying cryptographic protocols, the
Pangolin programming
language http://
Last but not least, Alt-Ergo is the solver used by the Cubicle model checker described below.
Alt-Ergo is distributed as open source, under the CeCILL-C license, at
URL http://
Partners: A. Goel, S. Krstić (Intel Strategic Cad Labs in Hillsboro, OR, USA), F. Zaïdi (LRI, Université Paris-sud)
Cubicle is an open source model checker for verifying safety properties of array-based systems, which corresponds to a syntactically restricted class of parametrized transition systems with states represented as arrays indexed by an arbitrary number of processes. Cache coherence protocols and mutual exclusion algorithms are typical examples of such systems.
Cubicle model-checks by a symbolic backward-reachability analysis on
infinite sets of states represented by specific simple formulas,
called cubes. Cubicle is based on ideas introduced by MCMT
(http://
Cubicle is distributed as open source, under the Apache license, at
URL http://
Criteria for Software Self-Assessment: A-2, SO-3, SM-3, EM-3, SDL-5, OC-4.
The Flocq library for the Coq proof assistant is a comprehensive formalization of floating-point arithmetic: core definitions, axiomatic and computational rounding operations, high-level properties . It provides a framework for developers to formally certify numerical applications.
Flocq is currently used by the CompCert certified compiler for its support of floating-point computations.
It is distributed as open source, under a LGPL license, at
http://
Criteria for Software Self-Assessment: A-3, SO-4, SM-4, EM-3, SDL-5, OC-4.
Given a logical property involving interval enclosures of mathematical expressions, Gappa tries to verify this property and generates a formal proof of its validity. This formal proof can be machine-checked by an independent tool like the Coq proof-checker, so as to reach a high level of confidence in the certification , .
Since these mathematical expressions can contain rounding operators in addition to usual arithmetic operators, Gappa is especially well suited to prove properties that arise when certifying a numerical application, be it floating-point or fixed-point. Gappa makes it easy to compute ranges of variables and bounds on absolute or relative roundoff errors.
Gappa is being used to certify parts of the mathematical libraries of
several projects, including CRlibm, FLIP, and CGAL.
It is distributed as open source, under a Cecill-B / GPL dual-license,
at http://
Part of the work on this tool was done while in the Arénaire team (Inria Rhône-Alpes), until 2008.
Criteria for Software Self-Assessment: A-3, SO-4, SM-3, EM-3, SDL-4, OC-4.
The Interval package provides several tactics for helping a Coq user to prove theorems on enclosures of real-valued expressions. The proofs are performed by an interval kernel which relies on a computable formalization of floating-point arithmetic in Coq.
Versions 1.0 and 2.0 were released in 2014. Version 2.0 integrates the CoqApprox library for computing Taylor models, so as to greatly improve performances when bounding univariate expressions .
It is distributed as open source, under a CeCILL-C license, at
http://
Part of the work on this library was done while in the Mathematical Components team (Microsoft Research–Inria Joint Research Center).
Criteria for Software Self-Assessment: A-3, SO-4, SM-2, EM-3, SDL-4, OC-4.
The Coquelicot library is designed with three principles in mind. The first is the user-friendliness, achieved by implementing methods of automation, but also by avoiding dependent types in order to ease the stating and readability of theorems. This latter part was achieved by defining total function for basic operators, such as limits or integrals. The second principle is the comprehensiveness of the library. By experimenting on several applications, we ensured that the available theorems are enough to cover most cases. We also wanted to be able to extend our library towards more generic settings, such as complex analysis or Euclidean spaces. The third principle is for the Coquelicot library to be a conservative extension of the Coq standard library, so that it can be easily combined with existing developments based on the standard library. Moreover, we achieved this compatibility without adding any additional axiom.
The result is the Coquelicot library available at
http://
Criteria for Software Self-Assessment: A-2, SO-4, SM-2, EM-3, SDL-1, OC-4.
The CFML tool supports the verification of OCaml programs through interactive Coq proofs. CFML proofs establish the full functional correctness of the code with respect to a specification. They may also be used to formally establish bounds on the asymptotic complexity of the code. The tool is made of two parts: on the one hand, a characteristic formula generator implemented as an OCaml program that parses OCaml code and produces Coq formulae; and, on the other hand, a Coq library that provides notation and tactics for manipulating characteristic formulae interactively in Coq.
CFML is distributed under the LGPL license, and is available
at http://
Criteria for Software Self-Assessment: A-2, SO-3, SM-2, EM-3, SDL-4, OC-4.
The ALEA library is a Coq development for modeling randomized
functional programs as distributions using a monadic transformation.
It contains an axiomatisation of the real interval
ALEA is used as a basis of the Certicrypt environment (MSR-Inria joint research center, Imdea Madrid, Inria Sophia-Antipolis) for formal proofs for computational cryptography . It is also experimented in LABRI as a basis to study formal proofs of probabilistic distributed algorithms.
ALEA is distributed as open source, at
http://
Criteria for Software Self-Assessment: A-5, SO-3, SM-3, EM-3, SDL-5, OC-4.
Bibtex2html is a generator of HTML pages of bibliographic
references. Distributed as open source since 1997, under the GPL
license, at http://
We estimate that between 10000 and 100000 web pages have been generated using Bibtex2html.
Criteria for Software Self-Assessment: A-2, SO-3, SM-2, EM-2, SLD-2, OC-4.
Coccinelle is a Coq library for term rewriting. Besides the usual
definitions and theorems of term algebras, term rewriting and term
ordering, it also models a number of algorithms implemented in the
CiME toolbox, such as matching, matching modulo
associativity-commutativity, computation of the one-step reducts
of a term, recursive path ordering (RPO) comparison between two terms, etc.
The RPO algorithm can effectively be run inside Coq, and is used
in the Color developement (http://
Coccinelle is available at
http://
OCamlgraph is a graph library for OCaml. It features many graph
data structures, together with many graph algorithms. Data
structures and algorithms are provided independently of each other,
thanks to OCaml module system. OCamlgraph is distributed as open
source, under the LGPL license, at
http://
Mlpost is a tool to draw scientific figures to be integrated in
Mlpost is available as an OPAM package
http://
Functory is a distributed computing library for OCaml. The main features of this library include (1) a polymorphic API, (2) several implementations to adapt to different deployment scenarios such as sequential, multi-core or network, and (3) a reliable fault-tolerance mechanism. Functory was presented at JFLA 2011 and at TFP 2011 .
Functory is distributed as open source, under the LGPL license, at
http://
Criteria for Software Self-Assessment: A-3, SO-4, SM-3, EM-2, SDL-5-down, OC-4.
The Why platform is a set of tools for deductive verification of Java and C source code. In both cases, the requirements are specified as annotations in the source, in a special style of comments. For Java (and Java Card), these specifications are given in JML and are interpreted by the Krakatoa tool. Analysis of C code must be done using the external Frama-C environment, and its Jessie plugin which is distributed in Why.
The platform is distributed as open source, under GPL license, at
http://
It also distributed as part of major Linux
distributions and in the OPAM packaging system
http://
The internal VC generator and the translators to external provers
are no longer under active development, as superseded by the Why3system
described above. The Krakatoa and Jessie front-ends
are still maintained, although using now by default the Why3 VC
generator. These front-ends are described in a specific web page
http://
The ACM Software System Award 2013 was given,
during a ceremony in June 2014 in San Francisco,
to the Coq proof assistant
(http://
The Concours Castor informatique
(http://
J.-C. Filliâtre, L. Gondelman, and A. Paskevich have formalized the notion of ghost code implemented in Why3, in a paper The Spirit of Ghost Code presented at CAV 2014. This is an outcome of L. Gondelman's M2 internship (spring/summer 2013).
M. Clochard published at the POPL conference a paper presenting a work done during an internship at Rice University (Houston, TX, USA) with S. Chaudhuri and A. Solar-Lezama . It is a new technique for parameter synthesis under boolean and quantitative objectives. The input to the technique is a “sketch”—a program with missing numerical parameters—and a probabilistic assumption about the program's inputs. The goal is to automatically synthesize values for the parameters such that the resulting program satisfies: (1) a boolean specification, which states that the program must meet certain assertions, and (2) a quantitative specification, which assigns a real valued rating to every program and which the synthesizer is expected to optimize.
J.-C. Filliâtre, C. Marché, and A. Paskevich,
together with F. Bobot (CEA LIST),
took part in the VerifyThis program verification competition,
held at the 18th FM symposium in August 2012. They used Why3
to solve three challenges (which can be found at
http://
M. Clochard developed, using Why3, verified implementations of
several data structures, including random-access lists and ordered
maps. These are derived from a common parametric implementation of
self-balancing binary trees in the style of Adelson-Velskii and
Landis trees (so-called AVLs). This work appeared at the VSTTE
conference . Its originality relies on
the genericity of the specifications and the code, and the very
high level of proof automation. Such a case study is aimed at
illustrating the capabilities of Why3 for designing certified
libraries. Development is available from our gallery at
http://
S. Conchon and A. Mebsout have extended the core algorithm of the Cubicle model checker with a mechanism for inferring invariants. This new algorithm, called BRAB, is able to automatically infer invariants strong enough to prove industrial cache coherence protocols. BRAB computes over-approximations of backward reachable states that are checked to be unreachable in a finite instance of the system. These approximations (candidate invariants) are then model-checked together with the original safety properties. Completeness of the approach is ensured by a mechanism for backtracking on spurious traces introduced by too coarse approximations. Details can be found in A. Mebsout's PhD thesis .
A. Charguéraud extended his tool CFML to support, in addition to the verification of the full functional correctness of a piece of code, the verification of the asymptotic complexity of the code. Even though it had been previously established that, in theory, amortized analysis can be explained as the manipulation of time credits, and that time credits can be encoded as resources in Separation Logic, CFML is the first practical tool to support the formal verification of amortized analyses for arbitrarily-complex pieces of code. The time-credit extension to CFML was put to practice to verify dynamic arrays (Julien Grangier's internship), and to verify a chunked sequence data structure , particularly challenging due to its use of Tarjan's data structural bootstrapping technique. The latter piece of work was presented in July at the workshop Semantics of proofs and certified mathematics, which took place at the Institut Henri Pointcaré. A paper describing the time-credit extension to CFML is under preparation.
C. Marché published in the Science of Computer
Programming journal a detailed
description of an industrial research initially conducted in the
context of the U3CAT project (ended in 2012) on static analysis of
critical C code. The code involves floating-point computations on
quaternions that should be of norm 1. Because of the round-off
errors, a drift of this norm is observed over time. In this work a
bound on this drift is determined and formally proved correct,
using Frama-C, Jessie and Why3. Proofs are done using automated
provers and in a few complex cases the Coq proof assistant. The
published version is up to date with the recent versions of those
tools, and the development is available on our gallery at
http://
S. Boldo, C. Lelay, and G. Melquiond worked on the Coquelicot library, designed to be a user-friendly Coq library about real analysis. An easier way of writing formulas and theorem statements is achieved by relying on total functions in place of dependent types for limits, derivatives, integrals, power series, and so on. To help with the proof process, the library comes with a comprehensive set of theorems and some automation. We have exercised the library on several use cases: in an exam at university entry level, for the definitions and properties of Bessel functions, and for the solution of the one-dimensional wave equation. These results are published in the journal Mathematics in Computer Science .
S. Boldo and G. Melquiond, with J.-H. Jourdan and X. Leroy (Gallium team, Inria Paris - Rocquencourt) extended the CompCert compiler to get the first formally verified C compiler that provably preserves the semantics of floating-point programs This work, published in the Journal of Automated Reasoning , also covers the formalization of numerous algorithms of conversion between integers and floating-point numbers.
S. Boldo, C. Lelay, and G. Melquiond, have conducted a survey on the formalization of real arithmetic and real analysis in various proof systems. This work, published in the journal Mathematical Structures in Computer Science , details the axioms, definitions, theorems, and methods of automation, available in these systems.
É. Martin-Dorel and G. Melquiond worked on integrating the CoqInterval and CoqApprox libraries into a single package. The CoqApprox library is dedicated to computing verified Taylor models of univariate functions so as to compute approximation errors. The CoqInterval library reuses this work to automatically prove bounds on real-valued expressions. A large formalization effort took place during this work, so as to get rid of all the holes remaining in the formal proofs of CoqInterval. It was also the chance to perform a comparison between numerous decision procedures dedicated to proving nonlinear inequalities involving elementary functions. A report is available .
S. Boldo, J.-C. Filliâtre, and G. Melquiond, with F. Clément and P. Weis (POMDAPI team, Inria Paris - Rocquencourt), and M. Mayero (LIPN), completed the formal proof of a numerical analysis program: the second-order centered finite-difference scheme for the one-dimensional acoustic wave. This proof was published with a focus towards numerical analysts, in the journal Computers and Mathematics with Applications .
P. Roux formalized the influence of double rounding on the accuracy of floating-point arithmetic operators. In particular, this includes all the corner cases that were ignored from Figueroa's original pen-and-paper proof. Results appeared in the Journal of Formalized Reasoning .
P. Roux formalized a theory of numerical analysis for bounding the round-off errors of a floating-point algorithm. This approach was applied to the formal verification of a program for checking that a matrix is semi-definite positive. The challenge here is that testing semi-definiteness involves algebraic number computations, yet it needs to be implemented using only approximate floating-point operations. A report is available .
In the context of the BWare project, aiming at using Why3 and Alt-Ergo for discharging proof obligations generated by Atelier B, we made progress into several directions. New drivers have been designed for Why3, in order to use new back-end provers Zenon modulo and iProver modulo. A notion of rewrite rule was introduced into Why3, and a transformation for simplifying goals before sending them to back-end provers was designed. Intermediate results obtained so far in the project were presented both at the French conference AFADL and at the international conference on Abstract State Machines, Alloy, B, VDM, and Z .
On the side of Alt-Ergo, recent developments have been made to efficiently discharge proof obligations generated by Atelier B. This includes a new plugin architecture to facilitate experiments with different SAT engines, new heuristics to handle quantified formulas, and important modifications in its internal data structures to boost performances of core decision procedures. Benchmarks realized on more than 10,000 proof obligations generated from industrial B projects show significant improvements .
C. Dross defended her PhD thesis in April 2014 , on the topic of automated reasoning modulo theories, and in particular the handling of quantifiers in the SMT approach. The main results of the thesis are: (1) a formal semantics of the notion of triggers typically used to control quantifier instantiation in SMT solvers, (2) a general setting to show how a first-order axiomatization with triggers can be proved correct, complete, and terminating, and (3) an extended DPLL(T) algorithm to integrate a first-order axiomatization with triggers as a decision procedure for the theory it defines. Significant case studies were conducted on examples coming from SPARK programs, and on the benchmarks on B set theory constructed within the BWare project.
M. Clochard, C. Marché, and A. Paskevich developed a general setting for developing programs involving binders, using Why3. This approach was successfully validated on two case studies: a verified implementation of untyped lambda-calculus and a verified tableaux-based theorem prover. This work was presented at the PLPV conference in January 2014 .
M. Clochard, J.-C. Filliâtre, C. Marché, and A. Paskevich developed a case study on the formalization of semantics of programming languages using Why3. This case study aimed at illustrating recent improvements of Why3 regarding the support for higher-order logic features in the input logic of Why3, and how these are encoded into first-order logic, so that goals can be discharged by automated provers. This case study also illustrates how reasoning by induction can be done without need for interactive proofs, via the use of lemma functions. This works was presented at the VSTTE conference .
M. Clochard and L. Gondelman developed a formalization of a simple compiler in Why3. It compiles a simple imperative language into assembler instructions for a stack machine. This case study was inspired by a similar example developed using Coq and interactive theorem proving. The aim is to improve significantly the degree of automation in the proofs. This is achieved by the formalization of a Hoare logic and a Weakest Precondition Calculus on assembly programs, so that the correctness of compilation is seen as a formal specification of the assembly instructions generated. This work conducted in 2014 will be presented at the JFLA conference in January 2015 .
S. Dumbrava and É. Contejean, with V. Benzaken (VALS team, at LRI) proposed a Coq formalization of the relational data model which underlies relational database systems. More precisely, they have presented and formalized the data definition part of the model including integrity constraints. They have modelled two different query language formalisms: relational algebra and conjunctive queries. They also present logical query optimization and prove the main “database theorems”: algebraic equivalences, the homomorphism theorem and conjunctive query minimization. This work has been published at ESOP 2014 .
A. Charguéraud, together with the other members of the
JsCert team have developed this year the first complete
formalization of the semantics of the JavaScript programming
language. This project is joint work with Philippa Gardner,
Sergio Maffeis, Gareth Smith, Daniele Filaretti and Daiva
Naudziuniene from Imperial College, and Alan Schmitt and Martin
Bodin from Inria Rennes (see
http://
A. Charguéraud worked together with Umut Acar and Mike Rainey, as part of the ERC project DeepSea, on the developement of efficient data structures and algorithms targeting modern, shared memory multicore architectures. Two major results were obtained this year.
The first result is a sequence data structure that provides amortized constant-time access at the two ends, and logarithmic time concatenation and splitting at arbitrary positions. These operations are essential for programming efficient computation in the fork-join model. Compared with prior work, this novel sequence data structure achieves excellent constant factors, allowing it to be used as a replacement for traditional, non-splittable sequence data structures. This data structure, called chunked sequence due to its use of chunks (fixed-capacity arrays), has been implemented both in C++ and in OCaml. It is described in a paper published at ESA .
Another result by A. Charguéraud and his co-authors is the development of fast and robust parallel graph traversal algorithms, more precisely for parallel BFS and parallel DFS. The new algorithms leverage the aforementioned sequence data structure for representing the set of edges remaining to be visited. In particular, it uses the split operation for balancing the edges among the several processors involved in the computation. Compared with prior work, these new algorithms are designed to be efficient not just for particular classes of graphs, but for all input graphs. This work has not yet been published, however it is described in details in a technical report . Note that these two graph algorithms, which involve nontrivial use of concurrent data structures, will be very interesting targets for formal verification.
ProofInUse is a joint project between the Toccata team and the
SME AdaCore. It was selected and funded by the ANR programme
“Laboratoires communs”, starting from April 2014, for 3 years
http://
The SME AdaCore is a software publisher specializing in providing software development tools for critical systems. A previous successful collaboration between Toccata and AdaCore enabled Why3 technology to be put into the heart of the AdaCore-developed SPARK technology.
The goal is now to promote and transfer the use of deduction-based verification tools to industry users, who develop critical software using the programming language Ada. The proof tools are aimed at replacing or complementing the existing test activities, whilst reducing costs.
Jointly with the thesis of C. Dross, supervised in collaboration with the AdaCore company, we established a 3-year bilateral collaboration contract, that ended in April 2014.
The aim was to strengthen the usability of the Alt-Ergo theorem prover in the context of the GnatProve environment for the verification of safety-critical Ada programs . A focus was made on programs involving Ada containers . C. Dross defended her PhD in April 1st 2014 .
S. Conchon has obtained an academic grant by Intel corporation on the development of the Cubicle model checker, for 2 years starting from Dec. 2012 The goal of this project is to develop a new version of Cubicle with significantly improved model-checking power. This required innovative algorithmic enhancements to be implemented and evaluated.
Partner: Intel Strategic Cad Labs in Hillsboro, OR, USA
Coquelicot is a 3-year Digiteo project that started in September
2011. http://
The Coquelicot project aims at creating a modern formalization of the real numbers in Coq, with a focus on practicality , , ,. This is sorely needed to ease the verification of numerical applications, especially those involving advanced mathematics.
Partners: team SpecFun from LIX (Palaiseau), University Paris 13
ELFIC is a working group of the Digicosme Labex. S. Boldo is the principal investigator.
Project ELFIC focuses on proving the correctness of the FELiScE (Finite Elements for Life Sciences and Engineering) C++ library which implements the finite element method for approximating solutions to partial differential equations. Finite elements are at the core of numerous simulation programs used in industry. The formal verification of this library will greatly increase confidence in all the programs that rely on it. Verification methods developed in this project will be a breakthrough for the finite element method, but more generally for the reliability of critical software relying on intricate numerical algorithms.
Partners: Inria team Pomdapi; Ecole Polytechnique, LIX; CEA LIST; Université Paris 13, LIPN; UTC, LMAC (Compiègne).
The AJACS research project is funded by the programme “Société de l'information et de la communication” of the ANR, for a period of 42 months, starting on October 1st, 2014.
The goal of the AJACS project is to provide strong security and privacy guarantees on the client side for web application scripts implemented in JavaScript, the most widely used language for the Web. The proposal is to prove correct analyses for JavaScript programs, in particular information flow analyses that guarantee no secret information is leaked to malicious parties. The definition of sub-languages of JavaScript, with certified compilation techniques targeting them, will allow deriving more precise analyses. Another aspect of the proposal is the design and certification of security and privacy enforcement mechanisms for web applications, including the APIs used to program real-world applications. On the Toccata side, the focus will be on the formalization of secure subsets of JavaScript, and on the mechanization of proofs of translations from high-level languages into JavaScript.
Partners: team Celtique (Inria Rennes - Bretagne Atlantique), team Prosecco (Inria Paris - Rocquencourt), team Indes (Inria Sophia Antipolis - Méditerranée), and Imperial College (London).
This is a research project funded by the programme “Ingénierie
Numérique & Sécurité” of the ANR. It is funded for a period of
48 months and it has started on October 1st,
2014. http://
Our aim is to develop computer-aided proofs of numerical values, with certified and reasonably tight error bounds, without sacrificing efficiency. Applications to zero-finding, numerical quadrature or global optimization can all benefit from using our results as building blocks. We expect our work to initiate a "fast and reliable" trend in the symbolic-numeric community. This will be achieved by developing interactions between our fields, designing and implementing prototype libraries and applying our results to concrete problems originating in optimal control theory.
Partners: team ARIC (Inria Grenoble Rhône-Alpes), team MARELLE (Inria Sophia Antipolis - Méditerranée), team SPECFUN (Inria Saclay - Île-de-France), Université Paris 6, and LAAS (Toulouse).
The Soprano research project is funded by the programme “Sciences et technologies logicielles” of the ANR, for a period of 42 months, starting on October 1st, 2014.
The SOPRANO project aims at preparing the next generation of verification-oriented solvers by gathering experts from academia and industry. We will design a new framework for the cooperation of solvers, focused on model generation and borrowing principles from SMT (current standard) and CP (well-known in optimization). Our main scientific and technical objectives are the following. The first objective is to design a new collaboration framework for solvers, centered around synthesis rather than satisfiability and allowing cooperation beyond that of Nelson-Oppen while still providing minimal interfaces with theoretical guarantees. The second objective is to design new decision procedures for industry-relevant and hard-to-solve theories. The third objective is to implement these results in a new open-source platform. The fourth objective is to ensure industrial-adequacy of the techniques and tools developed through periodical evaluations from the industrial partners.
Partners: team DIVERSE (Inria Rennes - Bretagne Atlantique), Adacore, CEA List, Université Paris-Sud, and OCamlPro.
The CAFEIN research project is funded by the programme “Ingénierie
Numérique & Sécurité” of the ANR, for a period
of 3 years, starting on February 1st, 2013.
https://
This project addresses the formal verification of functional properties at specification level, for safety critical reactive systems. In particular, we focus on command and control systems interacting with a physical environment, specified using the synchronous language Lustre.
A first goal of the project is to improve the level of automation of formal verification, by adapting and combining existing verification techniques such as SMT-based temporal induction, and abstract interpretation for invariant discovery. A second goal is to study how knowledge of the mathematical theory of hybrid command and control systems can help the analysis at the controller's specification level. Third, the project addresses the issue of implementing real valued specifications in Lustre using floating-point arithmetic.
Partners: ONERA, CEA List, ENSTA, teams Maxplus (Inria Saclay - Île-de-France), team Parkas (Inria Paris - Rocquencourt), Perpignan University, Prover Technology, Rockwell Collins.
The BWare research project is funded by the programme “Ingénierie
Numérique & Sécurité” of the ANR, a period of 4
years, starting on September 1st, 2012. http://
BWare is an industrial research project that aims to provide a mechanized framework to support the automated verification of proof obligations coming from the development of industrial applications using the B method and requiring high guarantee of confidence. The methodology used in this project consists in building a generic platform of verification relying on different theorem provers, such as first-order provers and SMT solvers. The variety of these theorem provers aims at allowing a wide panel of proof obligations to be automatically verified by the platform. The major part of the verification tools used in BWare have already been involved in some experiments, which have consisted in verifying proof obligations or proof rules coming from industrial applications . This therefore should be a driving factor to reduce the risks of the project, which can then focus on the design of several extensions of the verification tools to deal with a larger amount of proof obligations.
The partners are: Cedric laboratory at CNAM (CPR Team, project leader); teams Gallium and Deducteam (Inria Paris - Rocquencourt) ; Mitsubishi Electric R&D Centre Europe, ClearSy (the company which develops and maintains Atelier B), and the start-up OCamlPro.
The Versaco research project is funded by the programme “Ingénierie
Numérique & Sécurité” of the ANR, for a period of 4
years, starting on January 1st, 2012. Project website:
http://
The main goal of the project is to investigate the formal verification of static analyzers and of compilers, two families of tools that play a crucial role in the development and validation of critical embedded software. More precisely, the project aims at developing a generic static analyzer based on abstract interpretation for the C language, along with a number of advanced abstract domains and domain combination operators, and prove the soundness of this analyzer using the Coq proof assistant. Likewise, it will keep working on the CompCert C formally-verified compiler, the first realistic C compiler that has been mechanically proved to be free of miscompilation, and carry it to the point where it could be used in the critical software industry.
Partners: teams Gallium and Abstraction (Inria Paris - Rocquencourt), Airbus avionics and simulation (Toulouse), IRISA (Rennes), Verimag (Grenoble).
Project acronym: ERC Deepsea
Project title: Parallel dynamic computations
Duration: Jun. 2013 - Jun. 2018
Coordinator: Umut A. Acar
Other partners: Carnegie Mellon University
Abstract:
The objective of this project is to develop abstractions, algorithms and languages
for parallelism and dynamic parallelism with applications to problems
on large data sets.
Umut A. Acar (affiliated to Carnegie Mellon University and Inria Paris - Rocquencourt)
is the principal investigator of this ERC-funded project.
The other main researchers involved are
Mike Rainey (Inria, Gallium team), who is full-time on the project,
and Arthur Charguéraud (Inria, Toccata team), who works
40% of his time to the project.
Project website: http://
S. Conchon, A. Mebsout and F. Zaïdi (VALS group, LRI) collaborate with S. Krstic and A. Goel (Intel Strategic Cad Labs in Hillsboro, OR, USA), in particular around the development of the SMT-based model checker Cubicle (see above). This collaboration is partly supported by an academic grant by Intel.
P. Roux (ISAE, Onera) visited for 7 months in order to collaborate with S. Boldo and G. Melquiond on the topic of formal verification of numerical algorithms.
Bas Spitters visited for 3 months from April to June funded by a Digiteo grant. He worked with C. Paulin on the extension of the ALEA library to continuous structures and the use of “lower reals” (monotonic sequences of rationals). He also worked on adapting the Corn and Math-classes libraries to the new Coq release. During that time he published a final version of a paper presented at the Workshop on Quantum Physics and Logic in 2012 .
Andrew Tolmach is a visiting researcher from Portland State University, on a one-year Digiteo Chair. His research project will initiate a new research effort to develop principles, techniques, and tools for large-scale proof engineering. It is focused on the Coq proof assistant and is designed to take advantage of the deep pool of expertise available in the Paris area (at Paris-Sud, LIX, Inria, etc.) concerning both the use and development of Coq. Initial results are expected to include: a precise description of requirements for large proof management; sample prototype tools addressing one or more of these requirements; and a technical survey of relevant proof representation options.
J.-C. Filliâtre chaired the fifth meeting of the IFIP Working Group 1.9/2.15 (Verified Software) in Vienna, Austria, July 2014.
S. Boldo and G. Melquiond are members of the organizing committee for the 22nd IEEE Symposium on Computer Arithmetic (ARITH 2015), held in Lyon in June 2015.
J.-C. Filliâtre organized the sixth meeting of the IFIP Working Group 1.9/2.15 (Verified Software) in Paris, France, December 2014.
C. Paulin co-organized with Z. Shao (Harvard University) the Workshop on certification of high-level and low-level programs, July 7-11, 2014. This workshop was part of the IHP thematic trimester Semantics of proofs and certified mathematics, which took place in Paris from April to July.
S. Boldo is a member of the program committee of the 7th International Workshop on Numerical Software Verification (NSV-7). For 2015, she will be in the program committes of the 26th Journées Francophones des Langages Applicatifs (JFLA 2015), of the 8th International Workshop on Numerical Software Verification (NSV-8) and of the 22nd IEEE Symposium on Computer Arithmetic (ARITH 2015).
A. Charguéraud served on the external review commitee for POPL 2015.
É. Contejean is a member of the program committee of the ACM SIGPLAN 2014 Workshop on Partial Evaluation and Program Manipulation, (PEPM 2014) affiliated with the POPL 2014 conference.
J.-C. Filliâtre is a member of the program committees of the Symposium on Languages, Applications and Technologies (SLATE 2014) and the Journées Francophones des Langages Applicatifs (JFLA 2014).
C. Marché, member of program committee of the first
international workshop Formal-IDE (F-IDE), held as a satellite
workshop of ETAPS 2014
http://
C. Paulin is a member of the program committees of the conference Interactive Theorem Proving (ITP 2014) and the Coq Workshop 2014. For 2015, she will be in the program committees of the following conferences: Certified Programs and Proofs (CPP 2015), Mathematics of Program Construction (MPC 2015) and Types for Proofs and Programs (TYPES 2015).
A. Paskevich is a member of the program committee of the 11th International Workshop on User Interfaces for Theorem Provers (UITP 2014) affiliated with the FLoC 2014 conference.
The members of the Toccata team have reviewed papers for numerous international conferences, including: ARITH, CICM, CPP, ESOP, NFM, POPL, SLATE.
S. Boldo is member of the editorial committee of the popular science web site “)i(”:
S. Boldo is member of the editorial board of Binaire
http://
J.-C. Filliâtre is member of the editorial board of the Journal of Functional Programming.
C. Paulin is member of the editorial board of the Journal of Formalized Reasoning.
The members of the Toccata team reviewed numerous papers for numerous international journals, including: Journal of Automated Reasoning (JAR), Transactions in Computational Sciences (TCS), Theory of Computing Systems (TCS), IEEE Transactions on Computers (TC), Journal of Scientific Programming, Journal of Field Robotics (JFR), Mathematical Structures in Computer Science (MSCS), Journal of Automated Software Engineering.
S. Boldo was invited speaker at the 16th GAMM-IMACS International Symposium on Scientific Computing, Computer Arithmetic and Validated Numerics conference (SCAN 2014) about her methodology for the formal verification of floating-point programs.
S. Boldo and G. Melquiond were invited speakers at an
international workshop in Lyon, France called Mathematical
Structures of Computation during the week 4: Formal Proof, Symbolic
Computation and Computer Arithmetic.
http://
C. Lelay was invited speaker at the 25th JFLA (Journées Francophones des Langages Applicatifs), Fréjus, France, Jan 10th, 2014 about “Coq passe le bac”: she tried the 2013 mathematics test of the scientific Baccalaureate in Coq at the same time as the students.
C. Marché, “Calcul de plus faible précondition, revisité en Why3”, 25th JFLA, special session on selected representative papers of past editions, joint work with A. Tafat, Fréjus, France, Jan 11th, 2014.
C. Marché, “Beyond SPARK2014: the ProofInUse project”, IFIP WG1.9/2.15, Vienna, Austria, Jul 15th, 2014.
G. Melquiond was invited speaker at the 12th International Workshop on Satisfiability Modulo Theories (SMT 2014).
C. Paulin was invited speaker at the 25th JFLA (Journées Francophones des Langages Applicatifs), Fréjus, France, Jan 10th, 2014 to give a tutorial presentation of the ALEA library. She also gave an invited talk during the GDR-GPL “Journées Nationales”.
C. Paulin was invited speaker at the workshop “All about Proofs, Proofs for All” (APPA) as part of the Vienna Summer of Logic. She presented an introduction to the Calculus of Inductive Constructions. She wrote a chapter in the post-conference book to appear next year.
S. Boldo, elected member of the Inria Evaluation Committee until August 2014. She was in the committee in charge of selecting the Inria permanent researchers (CR2) in Bordeaux and Nancy and in the national committee for first-class Inria permanent researchers (CR1).
S. Boldo, member of the national Inria admission committee.
S. Boldo, C. Marché, and G. Melquiond, members of committees in charge of recruiting assistant professors at Université Paris-Sud.
S. Boldo, member of the CLFP, comité local de formation permanente.
S. Boldo, scientific head for Saclay for the MECSI group for networking about computer science popularization inside Inria.
S. Boldo, member of the national popularization committee, comité de médiation scientifique, of Inria.
A. Charguéraud is vice-president of France-ioi, a non-profit organization in charge of the selection and the training of the French team to the International Olympiads in Informatics (IOI). France-ioi also provides online exercises in programming and algorithmics—in average, over 70,000 such exercises are solved every month on the website.
A. Charguéraud is a board member of the non-profit organization Animath, which aims at developing interest in mathematics among young students.
A. Charguéraud and G. Melquiond are members of the committee for the monitoring of PhD students (“commission de suivi des doctorants”).
S. Conchon and A. Paskevich, members of the “commission consultative de spécialistes de l'université”, Section 27, University Paris-Sud since December 2014.
É. Contejean, leader of the VALS team since February 2014.
É. Contejean, nominated member of the “conseil du laboratoire” of LRI since April 2010 till June 2014.
É. Contejean, elected member of the “section 6 du Comité National de la Recherche Scientifique” since September 2012.
É. Contejean, member of the committee of experts for the AERES evaluation of the Verimag laboratory (2014).
É. Contejean, reviewer for the ANR (2014).
É. Contejean, reviewer for the START program of the Austrian Science Fund (FWF) (2014).
S. Dumbrava, elected member of the “conseil du laboratoire” of LRI since June 2014.
J.-C. Filliâtre is correcteur au concours d'entrée à l'École Polytechnique (computer science examiner for the entrance exam at École Polytechnique) since 2008.
C. Lelay, elected member of the “conseil du laboratoire” of LRI from November 2011 to June 2014.
C. Marché and S. Boldo, members of the “jury de l'agrégation externe de mathématiques” as experts in computer science, since 2012.
C. Marché (since April 2007) and C. Paulin (since September
2010), members of the program committee of Digiteo Labs, the
world-class research park in Île-de-France region dedicated
to information and communication science and technology,
http://
C. Marché, member of the executive team of the LRI (as “chargé de mission”), since July 2014.
C. Marché, president of the hiring committee of one associate professor position (Maître de Conferences), Université Paris-Sud, April-June 2014. Member of another such committee.
C. Marché, director of the ProofInUse Joint Laboratory between
Inria and AdaCore, http://
G. Melquiond and C. Paulin, members of the “commission consultative de spécialistes de l'université”, Section 27, University Paris-Sud since April 2010. C. Paulin is the president of this committee since December 2014.
G. Melquiond, elected officer of the IEEE-1788 standardization committee on interval arithmetic since 2008.
C. Paulin, scientific leader of Labex
DigiCosme http://
C. Paulin, president of the Computer Science Department of the
University Paris-Sud https://
C. Paulin, president of the assembly of directors of graduate schools at the Université Paris-Sud since September 2012.
C. Paulin, chaired the hiring committee for a professor position in computer science at Université Paris-Sud.
In 2014, C. Paulin was elected member of the Informatics Section of Academia Europaea http://
A. Paskevich was in charge (together with C. Bastoul in 2012–2013 and B. Cautis in 2013–2014) of Licence professionnelle PER (L3) at IUT d'Orsay, Paris-Sud University since September 2012 till August 2014.
Master Parisien de Recherche en Informatique (MPRI)
https://
Licence: “Programmation Fonctionnelle avancée” (L3), M. Clochard (10h), Université Paris-Sud, France.
Master: “Projet de programmation (compilation)” (M1), M. Clochard (50h), Université Paris-Sud, France.
Licence: “Programmation fonctionnelle avancée” (L3), S. Conchon (30h), Université Paris-Sud, France.
Master: “Compilation” (M1), S. Conchon (33h), Université Paris-Sud, France.
DUT (Diplôme Universitaire de Technologie): “Systèmes” (S3), D. Declerck, IUT d'Orsay, Université Paris-Sud, France.
DUT (Diplôme Universitaire de Technologie): “Programmation et administration des bases de données” (S2), S. Dumbrava (62h), IUT d'Orsay, Université Paris-Sud, France.
DUT (Diplôme Universitaire de Technologie): “Bases de données avancées” (S3), S. Dumbrava (36h), IUT d'Orsay, Université Paris-Sud, France.
Licence: “Langages de programmation et compilation” (L3), J.-C. Filliâtre (36h), École Normale Supérieure, France.
Licence: “INF411: Les bases de l'algorithmique et de la programmation” (L3), J.-C. Filliâtre (16h), École Polytechnique, France.
Licence: “Mathématiques pour l'informatique” (L2), L. Gondelman (30h), Université Paris-Sud, France.
Master: “Compilation” (M1), L. Gondelman (28h), Université Paris-Sud, France.
DUT (Diplôme Universitaire de Technologie): “Programmation système” (S4), A. Paskevich (48h), IUT d'Orsay, Université Paris-Sud, France.
Y. Chatelain, a L3 student from Université Paris-Sud, did a 2-month internship under the supervision of J.-C. Filliâtre and A. Paskevich, on the implementation of a new criterion of termination of recursive functions in a pure functional language.
J.-P. Deplaix, a third-year student of Epitech, did a 4-month internship, supervised by J.-C. Filliâtre and A. Paskevich, on the compilation of Why3 programs to C.
J. Grangier, a M1 student from ENSIEE, did a 10-week internship under the supervision of A. Charguéraud, on the verification of the functional correctness and the asymptotic complexity of a dynamic array data structure.
X. Onfroy, a L3 student form ENS-Lyon, did a 6-week internship, supervised by G. Melquiond, on the formalization of the gauge integral in the setting of the Coquelicot library.
HDR: É. Contejean, “Facettes de la preuve, Jeux de reflets entre démonstration automatique et preuve assistée” , Université Paris-Sud, June 13th, 2014.
HDR: S. Boldo, “Deductive Formal Verification: How To Make Your Floating-Point Programs Behave” , Université Paris-Sud, October 6th, 2014.
PhD: C. Dross, “Theories and Techniques for Automated Proof of programs” , Université Paris-Sud, Apr. 1st, 2014, supervised by C. Marché, A. Paskevich, and with industrial supervisors Y. Moy and J. Kanig (AdaCore company).
PhD: A. Mebsout, “SMT-based Model-Checking” , Université Paris-Sud, Sep. 29th, 2014, supervised by F. Zaïdi (LRI) and S. Conchon.
PhD in progress: C. Lelay, “Real numbers for the Coq proof assistant”, since Oct. 2011, supervised by S. Boldo and G. Melquiond.
PhD in progress: S. Dumbrava, “Towards data certification”, since Oct. 2012, supervised by V. Benzaken (LRI) and É. Contejean.
PhD in progress: L. Gondelmans, “Obtention de programmes corrects par raffinement dans un langage de haut niveau”, since Oct. 2013, supervised by J.-C. Filliâtre and A. Paskevich.
PhD in progress: M. Clochard, “A unique language for developing programs and prove them at the same time”, since Oct. 2013, supervised by C. Marché and A. Paskevich.
PhD in progress: J. C. Mbiada Djanda, “Augmented Semantics for the Non-interference of critical C Code”, since Nov. 2013, supervised by C. Marché and J. Signoles (CEA LIST).
PhD in progress: D. Declerck, “Vérification par des techniques de test et model checking de programmes C11”, since Sep. 2014, supervised by F. Zaïdi (LRI) and S. Conchon.
S. Boldo: examiner, PhD committee of Mohamed Amine Najahi, “Synthesis of certified programs in fixed-point arithmetic, and its application to linear algebra basic blocks”, Perpignan, France, December 2014.
J.-C. Filliâtre: examiner, PhD committee of Jonathan Protzenko, “Mezzo: the language of the future”, Université Paris Diderot, September 2014.
C. Marché: reviewer, PhD committee of T. Bormer “Advancing Deductive Program-Level Verification for Real-World Application”, Karlsruhe Institute of Technology, Karlsruhe, Germany, October 2014.
C. Marché: examiner, HDR committee of S. Boldo, “Deductive Formal Verification: How To Make Your Floating-Point Programs Behave”, Université Paris-Sud, October 2014.
C. Paulin: examiner, PhD committee of Guillaume Cano, “Interaction entre algèbre linéaire et analyse en formalisation des mathématiques”, University of Nice-Sophia Antipolis, March 2014.
C. Paulin: examiner, HDR committee of Évelyne Contejean, “Facettes de la preuve, Jeux de reflets entre démonstration automatique et preuve assistée”, Université Paris-Sud, June 2014.
C. Paulin: president of the PhD committee of Peva Blanchard “Synchronization and Fault-tolerance in Distributed Algorithms”, Université Paris-Sud, September 2014.
C. Paulin: examiner, HDR committee of Stéphane Graham-Lengrand “Polarities & Focussing: a Journey from Realisability to Automated Reasoning”, Université Paris-Sud, December 2014.
S. Boldo presented the Concours Castor informatique to
computer sciences teachers (ISN) in Nancy on April 17th, 2014. A video of
the talk is available at
http://
S. Boldo gave a 2-hour course entitled Les nombres et l'ordinateur at the École Normale Supérieure de Cachan, France, on September 9th.
S. Boldo gave a 2-hour course Pourquoi mon ordinateur calcule faux? to a general audience at the Université Inter-Âge in Versailles, France, on March 4th.
S. Boldo gave a talk for computer sciences teachers (ISN) in Créteil on March 24th
S. Boldo gave a talk for teenagers at the lycée Maximilien Perretin Alfortville on May 22nd.
S. Boldo wrote an article with Jean-Michel Muller (ARIC) in the popularization journal La Recherche .
S. Boldo wrote in 2013 an article for the French blog
celebrating 2013 as the “Mathematics of Planet Earth” year:
http://
S. Boldo is member of the editorial committee of
the popular science Interstices web site, since April 2008.
http://
S. Boldo is member of the editorial board of Binaire
http://
S. Boldo, G. Melquiond, A. Paskevich, and C. Paulin animated two stands at the Fête de la science.
A. Charguéraud and S. Boldo contributed to the preparation of
the exercises of the Concours Castor informatique
http://
S. Conchon and J.-C. Filliâtre published a book “Apprendre à programmer avec OCaml” for undergraduate students learning computer programming (Eyrolles, September 2014).