The *Toccata* team (http://

The general objective of the *Toccata* project is to promote formal
specification and computer-assisted proof in the development of
software that requires a high assurance of its safety and its
correctness with respect to its intended behavior.

The importance of software in critical systems increased a lot in the past decades. Critical software appears in various application domains such as transportation (e.g. airplanes, railway), communication (e.g. smart phones) or banking. The set of available features is quickly increasing, together with the number of lines of codes involved. Given the need of high assurance of safety in the functional behavior of such applications, the need for automated (i.e. computer-assisted) methods and techniques to bring guarantee of safety became a major challenge. In the past, the main process to check safety of a software was to apply heavy test campaigns, which take a large part of the costs of software development.

This is why *static analysis* techniques were invented to complement
tests. The general aim is to analyze a program code without executing
it, to get as much guarantees as possible on all possible executions
at once. The main classes of static analysis techniques are:

*Abstract Interpretation*: it approximates program
execution by abstracting program states into well-chosen abstraction
domains. The reachable abstract states are then analyzed in order to
detect possible mistakes, corresponding to abstract states that
should not occur. The efficiency of this approach relies on
the quality of the approximation: if it is too coarse, false
positives will appear, which the user needs to analyze manually to
determine if the error is real or not. A major success of this kind
of approach is the verification of absence of run-time errors in the
control-command software of the Airbus A380 by the tool
*Astrée* .

*Model-checking*: it denotes a class of approaches that got
a great success in industry, e.g. the quality of device drivers of
Microsoft's Windows operating system increased a lot by systematic application of such an
approach . A program is abstracted into a finite graph
representing an approximation of its execution. Functional
properties expected for the execution can be expressed using formal
logic (typically temporal logic) that can be checked valid by an
exploration of the graph. The major issue of model-checking is that
the size of the graph can get very large. Moreover, to get less
coarse approximations, one may be interested in abstracting a
program into an infinite graph. In that case, extensions of
model-checking are proposed: bounded model-checking, symbolic
model-checking, etc. *Predicate Abstraction* is also a rather
successful kind of model-checking approach because of its ability of
getting iteratively refined to suppress false
positives .

*Deductive verification*: it differs from the other
approaches in that it does not approximate program execution. It
originates from the well-known *Hoare logic* approach. Programs
are formally specified using expressive logic languages, and
mathematical methods are applied to formally prove that a program
meets its specification.

The *Toccata* project is mainly interested in exploring the deductive
verification approach, although we believe that the above classes of approaches
are compatible. We indeed have studied some way to
combine these approaches in the
past , , .

In the past decade, significant progresses have been made in the
domain of deductive program verification. They are emphasized by some
successful application of these techniques on industrial-scale
software, e.g. the *Atelier B* system was used to develop part of
the embedded software of the Paris metro line 14 and
other railroad-related systems, a formally proved C compiler was
developed using the *Coq* proof assistant , Microsoft's
hypervisor for highly secure virtualization was verified using
VCC and the Z3 prover , the
L4-verified project developed a formally verified micro-kernel with
high security guarantees, using analysis tools on top of the
Isabelle/HOL proof assistant .
Another sign of recent progress is the emergence of deductive verification
competitions.

In the deductive verification context, there are two main families of
approaches. Methods in the first family build on top of mathematical
proof assistants (e.g. Coq, Isabelle) in which both the models and the
programs are encoded, and the proofs that a program meets its
specification is typically conducted in an interactive way using the
underlying proof construction engine. Methods from the second family
proceed by the design of standalone tools taking as input a program in
a particular programming language (e.g. C, Java) specified with a
dedicated annotation language (e.g. ACSL ,
JML ) and automatically producing a set of
mathematical formulas (the *verification conditions*) which are
typically proved using automatic provers (e.g. Z3 ,
*Alt-Ergo* , CVC3 ). The first
family of approaches usually offers a higher level of assurance than
the second, but also demands more work to establish the proofs (because
of their interactive nature) and makes them less easy to adopt by
industry. Moreover they do not allow to directly analyze a program
written in a mainstream programming language like Java or C. The
second kind of approaches has benefited in the past years from the
tremendous progresses made in SAT and SMT solving techniques, allowing
more impact on industrial practices, but suffers from a lower level of
trust: in all parts of the proof chain (the model of the input
programming language, the VC generator, the back-end automatic prover)
potential errors may appear, compromising the guarantee offered. They
can be applied to mainstream languages, but usually only a subset of
them is supported. Finally, recent trends in the industrial practice
for development of critical software is to require more and more
guarantees of safety, e.g. the DO-178C standard for
developing avionics software adds to the former DO-178B the use of
formal models and formal methods. It also emphasizes the need for
certification of the analysis tools involved in the process.

To illustrate our past contributions in the domain of deductive verification, we provide below a set of reference publications of our former scientific results, published in the past 5 years.

Concerning Automated Deduction, our references publications are: a TACAS'2011 paper on an SMT decision procedure for associativity and commutativity, an IJCAR'2012 paper about an original contribution to decision procedures for arithmetic, a CAV'2012 paper presenting an SMT-based model checker, a FroCos'2011 paper presenting an new approach for encoding polymorphic theories into monomorphic ones.

Regarding deductive program verification in general, a first reference
publication is the habilitation thesis of
Filliâtre which provides a very good survey of
our contributions until 2011. A shorter version appeared in the STTT
journal .
The ABZ'2012 paper is a
representative publication presenting an application of our *Why3*
system to solving proof obligations coming from *Atelier B*. The
VSTTE'2012 paper is a reference case study
publication: proof of a program solving the

In industrial applications, numerical calculations are very common
(e.g. control software in transportation). Typically they involve
floating-point numbers. Concerning the analysis of numerical programs,
our representative publications are: a paper in the MCS journal in
2011 presenting on various examples our approach of
proving behavioral properties of numerical C programs using
*Frama-C*/*Jessie*, a paper in the TC journal in 2010
presenting the use of the Gappa solver for proving numerical algorithms,
a paper in the ISSE journal in 2011 together with
a paper at the CPP'2011 conference presenting how
we can take architectures and compilers into account when dealing with
floating-point programs. We also contributed to the Handbook of
Floating-Point Arithmetic in 2009 . A
representative case study is the analysis and the proof of both the
method error and the rounding error of a numerical analysis program solving the
one-dimension acoustic wave equation, presented in part at
ITP'2010 and in another part at
ICALP'2009 and fully in a paper in the JAR
journal .

Finally, about the theme of certification of analysis tools, the reference papers are: a PEPM'2010 and a RTA'2011 paper on certified proofs of termination and other related properties of rewriting systems, and a VSTTE'2012 paper presenting a certified VC generator.

The diagram of Figure details how our tools interact
with each other and with other tools. The tools in pink boxes are
designed by us, while those in blue boxes are designed by
partners. The central tool is
*Why3* , , which includes both a
Verification Condition Generator and a set of encoders and
printers. The VC generator reads source programs in a dedicated input
language that includes both specifications and code. It produces
verification conditions that are encoded and printed into various
formats and syntax so that a large set of interactive and automatic
provers can be used to discharge the verification conditions.

Among
automated provers, our own tool *Alt-Ergo* is an SMT
solver that is able to deal with quantifiers, arithmetic in integers
or real numbers, and a few other
theories. *Gappa* is a prover designed to
support arithmetic on real numbers and floating-point rounding. As
front-ends, our tool *Krakatoa* reads annotated Java
source code and produces *Why3* code. The tool
*Jessie* , is a plug-in for the *Frama-C* environment
(which we designed in collaboration with CEA-List); it does the same
for annotated C code. The GnatProve tool is a prototype developed by
Adacore company; it reads annotated Ada code and also produces *Why3*
code. Spark is an ancestor of GnatProve developed by Altran-Praxis
company; it has a dedicated prover but it was recently modified so as
to produce verification conditions in a suitable format for
*Alt-Ergo*.

Last but not least, the modeling of programs semantics and
the specification of their expected behaviors is based on some
libraries of mathematical theories that we develop, either in the
logic language of *Why3* or in *Coq*. These are the yellow boxes of the
diagram. For example, we developed in *Coq*
the Flocq library for the formalization of floating-point
computations .

In the former *ProVal* project, we have been working on the design of
methods and tools for deductive verification of programs. One of our
originalities is our ability to conduct proofs by using automatic
provers and proof assistants at the same time, depending on the
difficulty of the program, and specifically the difficulty of each
particular verification condition. We thus believe that we are in a good
position to propose a bridge between the two families of approaches of
deductive verification presented above.
This is a new goal of the team: we want to provide methods and tools
for deductive program verification that can offer both a high amount
of proof automation and a high guarantee of validity. Toward this
objective, we propose a new axis of research: to develop
certified tools, i.e. analysis tools that are themselves formally proved
correct.

As mentioned above, some of the members of the team have an internationally-recognized expertise on deductive program verification involving floating-point computation , including both interactive proving and automated solving . Indeed we noticed that the verification of numerical programs is a representative case that can benefit a lot from combining automatic and interactive theorem proving , . This motivated our research on the formal verification of numerical programs.

Moreover, we continue the fundamental studies we conducted in the past concerning deductive program verification in general. This is why our detailed scientific programme is structured into three themes:

Formally Verified Programs,

Certified Tools,

Numerical Programs.

Formal program verification is a research theme that
builds upon our expertise in the development of
methods and tools for proving programs, from source codes annotated
with specifications to proofs. In the past, we tackled programs
written in mainstream programming languages, with the system *Why3*
and the front-ends *Krakatoa* for Java source code, and
*Frama-C*/*Jessie* for C code. However, Java and C
programming languages were designed a long time ago, and certainly
not with the objective of formal verification in mind. This raises a
lot of difficulties when designing specification languages on top of
them, and verification condition generators to analyze them. On the
other hand,
we designed and/or used the *Coq* and *Why3* languages
and tools for performing deductive verification, but those were not
designed as programming languages that can be compiled into executable
programs.

Thus, a new axis of research we propose is the design of an environment that is aimed to both programming and proving, hence that will allow to develop correct-by-construction programs. To achieve this goal, there are two major axes of theoretical research that needs to be conducted, concerning, on the one hand, methods required to support genericity and reusability of verified components, and, on the other hand, the automation of the proof of the verification conditions that will be generated.

A central ingredient for the success of deductive approaches in
program verification is the ability to reuse components that are
already proved. This is the only way to scale the deductive approach
up to programs of larger size. As for programming languages, a key
aspect that allow reusability is *genericity*. In programming
languages, genericity typically means parametricity with respect to
data types, e.g. *polymorphic types* in functional languages like
ML, or *generic classes* in object-oriented languages. Such
genericity features are essential for the design of standard libraries
of data structures such as search trees, hash tables, etc. or
libraries of standard algorithms such as for searching, sorting.

In the context of deductive program verification, designing reusable
libraries also requires designing of *generic specifications*
which typically involve parametricity not only with respect to data
types but also with respect to other program components. For example, a
generic component for sorting an array needs to be parametrized by
the type of data in the array but also by the comparison
function that will be used. This comparison function is thus another
program component that is a parameter of the sorting component. For
this parametric component, one needs to specify some requirements, at
the logical level (such as being a total ordering relation), but also
at the program execution level (like being *side-effect free*,
i.e. comparing of data should not modify the data). Typically such a
specification may require *higher-order* logic.

Another central feature that is needed to design libraries of data structures is the notion of data invariants. For example, for a component providing generic search trees of reasonable efficiency, one would require the trees to remain well-balanced, over all the life time of a program.

This is why the design of reusable verified components requires
advanced features, such as *higher-order specifications and
programs*, *effect polymorphism* and *specification of
data invariants*. Combining such features is considered as an
important challenge in the current state of the art (see
e.g. ). The well-known proposals for solving it
include *Separation logic* , *implicit
dynamic frames* , and *considerate
reasoning* . Part of our recent research
activities were aimed at solving this challenge: first at the level
of specifications, e.g. we proposed generic specification constructs
upon Java or a system of theory cloning in our
system *Why3* ; second at the level of programs,
which mainly aims at controlling side-effects to avoid unexpected
breaking of data invariants, thanks to advanced type checking:
approaches based on *memory regions*, *linearity* and
*capability-based* type
systems , , .

A concrete challenge that should be solved in the future is: what additional constructions should we provide in a specification language like ACSL for C, in order to support modular development of reusable software components? In particular, what would be an adequate notion of module, that would provide a good notion of abstraction, both at the level of program components and at the level of specification components?

Verifying that a program meets formal specifications typically amounts
to generating *verification conditions* e.g. using a weakest
precondition calculus. These verification conditions are purely
logical formulas—typically in first-order logic and involving
arithmetic in integers or real numbers—that should be checked to be
true. This can be done using either automatic provers or interactive
proof assistants. Automatic provers do not need user interaction, but
may run forever or give no conclusive answer.

There are several important issues to tackle. Of
course, the main general objective is to improve automation as much as
possible. We continue our efforts around our own automatic
prover *Alt-Ergo* towards more expressivity, efficiency, and usability,
in the context of program verification. More expressivity
means that the prover should better support the various theories that
we use for modeling. Toward this direction, we aim at designing
specialized proof search strategies in *Alt-Ergo*, directed by rewriting
rules, in the spirit of what we did for the theory of associativity
and commutativity .

A key challenge also lies in the handling of quantifiers. SMT
solvers, including *Alt-Ergo*, deal with quantifiers with a somewhat
ad-hoc mechanism of heuristic instantiation of quantified hypotheses
using the so-called *triggers* that can be given by
hand , . This is completely different from
resolution-based provers of the TPTP category (E-prover, Vampire,
etc.) which use unification to apply quantified premises. A challenge
is thus to find the best way to combine these two different approaches
of quantifiers. Another challenge is to add some support for
higher-order functions and predicates in this SMT context, since as
said above, reusable verified components will require higher-order
specifications. A few solutions have been proposed, essentially
based on encoding of higher-order goals into first-order goals
.

Generally speaking, there are several theories, interesting for
program verification, that we would like to add as built-in decision procedures
in an SMT context. First, although there already exist decision
procedures for variants of bit-vectors, they are not complete enough to
support what is needed to reason on programs that manipulate data at the
bit-level, in particular if conversions from bit-vectors to integers or
floating-point numbers are involved . Regarding
floating-point numbers, an important challenge is to integrate in an
SMT context a decision procedure like the one implemented in our
tool *Gappa*.

Another goal is to improve the feedback given by automatic provers:
failed proof attempts should be turned into potential counterexamples,
so as to help debugging programs or specifications. A pragmatic goal
would be to allow cooperation with other verification techniques. For
instance, testing could be performed on unproved goals. Regarding this
cooperation objective, an important goal is a deeper integration of
automated procedures in interactive proofs, like it already exists in
Isabelle . We now have a *Why3*
tactic in *Coq* that we plan to improve.

As said before, a new axis of research we follow is the design of a language and an environment for both programming and proving. We believe that this will be a fruitful approach for designing highly trustable software. This is a similar goal as projects Plaid, Trellys, ATS, or Guru, mentioned above.

The basis of this research direction is the *Why3* system, which is in
fact a reimplementation from scratch of the former *Why* tool, that we
started in January 2011. This new system supports our research at various
levels. It is already used as an intermediate language for deductive
verification.

The next step for us is to develop its use as a true programming
language. Our objective is to propose a language where programs could
be both executed (e.g. thanks to a
compiler to, say, *OCaml*) and proved correct. The language would
basically be purely applicative (i.e. without side-effects, e.g. close
to ML) but incorporating specifications in its core. There are,
however, some programs (e.g. some clever algorithms) where a bit of
imperative programming is desirable. Thus, we want to allow some form
of imperative features, but in a very controlled way: it
should provide a strict form of imperative programming that is
clearly more amenable to proof, in particular dealing with data
invariants on complex data structures.

As already said before, reusability is a key
issue. Our language should propose some form of modules with
interfaces abstracting away implementation details. Our plan is to
reuse the known ideas of *data refinement* that
was the foundation of the success of the B method. But our
language will be less constrained than what is usually the case in such
a context, in particular regarding the possibility of sharing data,
and the constraints on composition of modules, there will be a need for
advanced type systems like those based on regions and permissions.

The development of such a language will be the basis of the new theme regarding the development of certified tools, that is detailed in Section 3.3 below.

Concerning formal verification of programs, there are a few extra exploratory topics that we plan to explore.

**Concurrent Programming** So far, we only
investigated the
verification of sequential programs. However, given the spreading of
multi-core architectures nowadays, it becomes important to be able to
verify concurrent programs. This is known to be a major
challenge. We plan to investigate this direction, but in a very
careful way. We believe that the verification of concurrent programs
should be done only under restrictive conditions on the possible
interleaving of processes. In particular, the access and modification
of shared data should be constrained by the programming paradigm, to
allow reasonable formal specifications. In this matter, the issues are
close to the ones about sharing data between components in
sequential programs, and there are already some successful approaches
like separation logic, dynamic frames, regions, and permissions.

**Resource Analysis**
The deductive verification approaches are not necessarily limited to
functional behavior of programs. For example, a formal termination
proof typically provides a bound on the time complexity of the
execution. Thus, it is potentially possible to verify resources
consumption in this way, e.g. we could prove WCET (Worst Case
Execution Times) of programs. Nowadays, WCET analysis is typically
performed by abstract interpretation, and is applied on programs with
particular shape (e.g. no unbounded iteration, no recursion). Applying
deductive verification techniques in this context could allow to
establish good bounds on WCET for more general cases of programs.

**Other Programming Paradigms**
We are interested in the application of deductive methods in other
cases than imperative programming à la C, Java or Ada. Indeed, in the recent
years, we applied proof techniques to randomized
programs , to cryptographic
programs . We plan to use proof techniques
on applications related to databases. We also have plans to support
low-level programs such as assembly
code , and other unstructured
programming paradigm.
We are also investigating more and more applications of SMT solving,
e.g. in model-checking approach (for example in
Cubicle *Atelier B* (project BWare).

One of our goals is to guarantee the soundness of the tools we
develop. In fact, it goes beyond that; our goal is to promote our future
*Why3* environment so that
*others* could develop certified tools. Tools like automated
provers or program analyzers are good candidate case studies because
they are mainly performing symbolic computations, and as such they are
usually programmed in a mostly purely functional style.

We conducted several experiments of development of certified software
in the past. First, we have a strong expertise in the development of
*libraries* in *Coq*: the Coccinelle library
formalizing term rewriting systems, the
Alea library for the formalization of
randomized algorithms, several libraries formalizing floating-point
numbers (Floats , Gappalib ,
and now Flocq which unifies the formers). Second
we conducted the development of a certified decision procedure
that corresponds to a core part of
*Alt-Ergo*. Third we developed, still in *Coq*, certified
verification condition generators, in a first step
for a language similar to *Why*, and in a
second step for C annotated in ACSL
, based on the operational semantics formalized
in the CompCert certified compiler project .

To go further, we have several directions of research in mind.

Using the *Why3* programming language instead of *Coq* allows for more
freedom. For example, it should allow one to use a bit of side-effects when the underlying
algorithm justifies it (e.g. hash-consing, destructive unification). On
the other hand, we will lose some *Coq* features like dependent types
that are usually useful when formalizing languages. Among the issues
that should be studied, we believe that the question of the
formalization of binders is both central and challenging (as
exemplified by the POPLmark international
challenge ).

The support of binders in *Why3* should not be built-in, but should be
under the form of a reusable *Why3* library, that should already
contain a lot of proved lemmas regarding substitution,
alpha-equivalence and such. Of course we plan to build upon the former
experiments done for the POPLmark challenge.
Although, it is not clear yet that the support of binders only via a
library will be satisfactory. We may consider addition of built-in
constructs if this shows useful. This could be a form of (restricted) dependent
types as in *Coq*, or subset types as in PVS.

As an environment for both programming and proving, *Why3* should come
with a standard library that includes both verified libraries of
programs, but also libraries of specifications (e.g. theories of sets,
maps, etc.).

The certification of those *Why3* libraries of specifications should
be addressed too. *Why3* libraries for specifying models of programs
are commonly expressed using first-order axiomatizations, which have
the advantage of being understood by many different provers. However,
such style of formalization does not offer strong guarantees of
consistency. More generally, the fact that we are calling different
kind of provers to discharge our verification conditions raises
several challenges for certification: we typically apply various
transformations to go from the *Why3* language to those of the
provers, and these transformations should be certified too.

A first attempt in considering such an issue was done
in earlier work . It was proposed to certify the consistency of a
library of specification using a so-called *realization*, which
amounts to “implementing” the library in a proof assistant like *Coq*.
This is an important topic of the ANR project BWare.

The goal is to develop *certified* provers, in the sense that
they are proved to give a correct answer. This is an important
challenge since there have been a significant amount of soundness bugs
discovered in the past, in many tools of this kind.

The former work on the certified core of *Alt-Ergo*
should be continued to support more features: more theories (full
integer arithmetic, real arithmetic, arrays, etc.), quantifiers.
Development of a certified prover that supports quantifiers should
build upon the previous topic about binders.

In a similar way, the *Gappa* prover, which is specialized to solving
constraints on real numbers and floating-point numbers, should be
certified too. However, for very complex decision procedures,
developing a certified proof search might be too ambitious.
Instead, the idea is to ask *Gappa* to produce Coq proofs on
a per-goal basis, so as to check *a posteriori* the soundness
of its result on the given instance. More generally, we can have
*Gappa* produce traces of its execution that can later be
processed by a certified trace checker.
This approach was used in the past for certified proofs of termination of
rewriting systems , and it was also used
internally in CompCert for several passes of compilation .

The other kind of tools that we would like to certify are the VC
generators. This is a continuation of the work on developing in *Coq*
a certified VC generator for C code annotated in ACSL
. We develop such a generator in *Why3* instead
of *Coq* . As before, this builds upon a
formalization of binders. There are various kinds of VC generators
that are interesting. A generator for a simple language in the style
of those of *Why3* is a first step. Other interesting cases are: a
generator implementing the so-called *fast weakest preconditions*
, and a generator for unstructured programs like
assembly, that would operate on an arbitrary control-flow graph.

On a longer term, we wish to be able to certify advanced verification methods like those involving refinement, alias control, regions, permissions, etc.

An interesting question is how one could certify a VC generator that
involves a highly expressive logic, like higher-order logic, as it is
the case of the *CFML* method which allows one
to use the whole *Coq* language to specify the expected behavior.
One challenging aspect of such a certification is that a tool that
produces *Coq* definitions, including inductive definitions and
module definitions, cannot be directly proved correct in *Coq*,
because inductive definitions and module definitions cannot be
generated through the evaluation of *Coq* definitions.
Therefore, it seems necessary to involve, in a way
or another, a “deep embedding”, that is, a formalization of *Coq* in *Coq*,
possibly by reusing the deep embedding developed by B. Barras .

In recent years, we demonstrated our capability towards specifying
and proving properties of floating-point programs, properties which
are both complex and precise about the behavior of those programs:
see the
publications , , , , , , ,
as well as the web galleries of certified programs at
our Web
page *Coq* . The ability to combine proof by
reasoning and proof by computation is a key aspect when dealing with
floating-point programs. Such a modeling provides a safe basis when
dealing with C source code . However, the
proofs can get difficult even on short programs. To build these proofs,
some automation is needed. It can be obtained by combining SMT solvers and
*Gappa* , , , .
Finally, the precision of the verification is obtained thanks to
precise models of floating-point computations, taking into account the
peculiarities of the architecture (e.g., x87 80-bit floating-point
unit) and also the compiler optimizations , .

The directions of research concerning floating-point programs that we pursue are the following.

A first goal is to ease the formal verification of floating-point programs: the primary objective is still to improve the scope and efficiency of our methods, so as to ease further the verification of numerical programs. The on-going development of the Flocq library continues towards the formalization of bit-level manipulations and also of exceptional values (e.g. infinities). We believe that good candidates for applications of our techniques are advanced algorithms to compute efficiently with floats, which operate at the bit-level. The formalization of real numbers is being revamped too: higher-level numerical algorithms are usually built on some mathematical properties (e.g. computable approximations of ideal approximations), which then have to be proved during the formal verification of these algorithms.

Easing the verification of numerical programs also implies more
automation. SMT solvers are generic provers well-suited for
automatically discharging verification conditions, but they appear to
loose their effectiveness when floating-point arithmetic is involved
. Our goal is
to improve the arithmetic theories of *Alt-Ergo*, so that they support
floating-point arithmetic along their other theories, if possible by
reusing the heuristics developed for *Gappa*.

Our goal is to handle floating-point programs that are related to continuous quantities. This includes numerical analysis programs we have already worked on , , . But our work is only a beginning: we were able to solve the difficulties to prove one particular scheme for one particular partial differential equation. We need to be able to easily prove other programs of this kind. This requires new results that handle generic schemes and many partial differential equations. The idea is to design a toolbox to prove these programs with as much automation as possible. We wish this could be used by numerical analysts that are not or hardly familiar with formal methods, but are nevertheless interested in the formal correctness of their schemes and their programs.

Another very interesting kind of programs (especially for industrial
developers) are those based on *hybrid* systems, that is where
both discrete and continuous quantities are involved. This is a longer-term
goal, but we may try to go towards this direction. A
first problem is to be able to specify hybrid systems: what are they
exactly expected to do? Correctness usually means not going into a
forbidden state but we may want additional behavioral properties. A
second problem is the interface with continuous systems, such as
sensors. How can we describe their behavior? Can we be sure that the
formal specification fits? We may think about Ariane V where one piece
of code was shamelessly reused from Ariane IV. Ensuring that such a
reuse is allowed requires to correctly specify the input ranges and
bandwidths of physical sensors.

Studying hybrid systems is among the goals of the new ANR project Cafein.

In coordination with our second theme, another objective is to port the
kernel of *Gappa* into either *Coq* or *Why3*, and then extract a
certified executable. Rather than verifying the results of the tool
*a posteriori* with a proof checker, they would then be certified
*a priori*. This would simplify the inner workings of *Gappa*,
help to support new features (e.g. linear arithmetic, elementary
functions), and make it scale better to larger formulas, since the
tool would no longer need to carry certificates along its
computations. Overall the tool would then be able to tackle a wider
range of verification conditions.

An ultimate goal would be to develop the decision procedure for
floating-point computations, for SMT context, that is mentioned in
Section , directly as a certified program in *Coq* or *Why3*.

The application domains we target involve safety-critical software, that is where a high-level guarantee of soundness of functional execution of the software is wanted. The domains of application include the following. For each of them we refer to our past or current actions, in particular in relations with projects, contracts and industrial partners. Currently our industrial collaborations mainly belong to the first of these domains, transportation.

**Transportation** including aeronautics, railroad, space flight,
automotive.

These domains were considered in the context of the ANR U3CAT project,
led by CEA, in partnership with Airbus France, Dassault Aviation,
Sagem Défense et Sécurité. It included proof of C programs via
*Frama-C*/*Jessie*/*Why*, proof of floating-point programs, the use of
the *Alt-Ergo* prover via CAVEAT tool (CEA) or *Frama-C*/WP. This action
is continued in the new project Soprano.

Aeronautics is the main target of the Verasco project, leaded by Verimag, on the development of certified static analyzers, in partnership with Airbus.

The former FUI project Hi-Lite, led by Adacore company, uses
*Why3* and *Alt-Ergo* as back-end to SPARK2014, an environment for
verification of Ada programs. This is applied to the domain of
aerospace (Thales, EADS Astrium). This action is continued in the new
joint laboratory ProofInUse. A recent paper provides an
extensive list of applications of SPARK, a major one being the British air
control management.

In the current ANR project BWare, we investigate the use of
*Why3* and *Alt-Ergo* as an alternative back-end for checking proof
obligations generated by *Atelier B*, whose main applications are
railroad-related software
(http://

**Energy** is naturally an application in particular with our long-term
partner CEA, in the context of U3CAT and Soprano projects.

**Communications and Data** in particular in contexts with a
particular need for security or confidentiality: smart phones, Web
applications, health records, electronic voting, etc.

Part of the applications of SPARK include verification of security-related properties, including cryptographic algorithms.

Our new AJACS project addresses issues related to security and privacy in web applications written in Javascript, also including correctness properties.

The Cubicle model checker
modulo theories based on the *Alt-Ergo*
SMT prover, in collaboration with Intel Strategic Cad Labs (Hillsboro,
OR, USA) is particularly targeted to the verification of concurrent programs and
protocols (http://

**Medicine**, including diagnostic devices, computer-assisted surgery

Such applications involve techniques for control and command close to what is done in transportation. Moreover, in this context, there is a need for modeling using differential equations, finite elements, hybrid systems, which are considered in other projects of us: FastRelax, ELFIC, Cafein.

**Financial applications, banking**

We add projects in the past about safety and security of smart cards, in collaboration with Gemalto (European project VerifiCard, two CIFRE theses). Banking is naturally a domain of application of techniques dealing with security and confidentiality already mentioned above.

Criteria for Software Self-Assessment: A-3-up, SO-4, SM-4, EM-4,
SDL-5, OC-4.

*Why3* is the next generation of *Why*. *Why3* clearly separates the
purely logical specification part from generation of verification
conditions for programs. It features a rich library of proof task
transformations that can be chained to produce a suitable input for
a large set of theorem provers, including SMT solvers, TPTP provers,
as well as interactive proof assistants.

It is distributed as open source, under GPL license, at
http://

*Why3* is used as back-end of our own tools *Krakatoa* and
*Jessie*, but also as back-end of the GNATprove tool (Adacore
company), and of the WP plugin of *Frama-C*. *Why3*
has been used to develop and prove a significant part of the
programs of our team gallery
http://

*Why3* is used by other academic research groups, e.g. within the
CertiCrypt/EasyCrypt project
(http://*Why3* web site http://*Why3*.

Two versions were released in 2014: 0.83 released in March and 0.84 in September, plus a few days later a bugfix version 0.85.

Criteria for Software Self-Assessment: A-3-up, SO-4, SM-4-up, EM-4, SDL-5, OC-4.

*Alt-Ergo* is an automated proof engine, dedicated to
program verification, whose development started in 2006. It is fully
integrated in the program verification tool chain developed in our
team. It solves goals that are directly written ina *Why*'s
annotation language; this means that *Alt-Ergo* fully supports first
order polymorphic logic with quantifiers. *Alt-Ergo* also supports
the standard defined by the SMT-lib
initiative.

It is currently used in our team to prove correctness of C and Java
programs as part of the *Why* platform and the new *Why3*
system. It is used as back-end prover in the environments Frama-C
and CAVEAT for static analysis of C developed at CEA. In this
context, Alt-Ergo has been qualified by Airbus and is
integrated in the next generation of Airbus development process.
Alt-Ergo is usable as a back-end prover in the SPARK verifier for
ADA programs, since Oct 2010, and is also the main back-end prover
of the new SPARK2014.

*Alt-Ergo* is integrated in several other tools and platforms: the
Bware platform for discharging VCs generated by Atelier B, the
EasyCrypt environment for verifying cryptographic protocols, the
Pangolin programming
language http://

Last but not least, Alt-Ergo is the solver used by the Cubicle model checker described below.

*Alt-Ergo* is distributed as open source, under the CeCILL-C license, at
URL http://

Partners: A. Goel, S. Krstić (Intel Strategic Cad Labs in Hillsboro, OR, USA), F. Zaïdi (LRI, Université Paris-sud)

Cubicle is an open source model checker for verifying safety properties of array-based systems, which corresponds to a syntactically restricted class of parametrized transition systems with states represented as arrays indexed by an arbitrary number of processes. Cache coherence protocols and mutual exclusion algorithms are typical examples of such systems.

Cubicle model-checks by a symbolic backward-reachability analysis on
infinite sets of states represented by specific simple formulas,
called cubes. Cubicle is based on ideas introduced by MCMT
(http://*Alt-Ergo*;
and its parallel implementation relies on the Functory library.

Cubicle is distributed as open source, under the Apache license, at
URL http://

Criteria for Software Self-Assessment: A-2, SO-3, SM-3, EM-3, SDL-5, OC-4.

The Flocq library for the *Coq* proof assistant is a comprehensive
formalization of floating-point arithmetic: core definitions,
axiomatic and computational rounding operations, high-level
properties . It provides a framework for developers
to formally certify numerical applications.

Flocq is currently used by the CompCert certified compiler for its support of floating-point computations.

It is distributed as open source, under a LGPL license, at
http://

Criteria for Software Self-Assessment: A-3, SO-4, SM-4, EM-3, SDL-5, OC-4.

Given a logical property involving interval enclosures of
mathematical expressions, Gappa tries to verify this property and
generates a formal proof of its validity. This formal proof can be
machine-checked by an independent tool like the *Coq* proof-checker,
so as to reach a high level of confidence in the
certification , .

Since these mathematical expressions can contain rounding operators in addition to usual arithmetic operators, Gappa is especially well suited to prove properties that arise when certifying a numerical application, be it floating-point or fixed-point. Gappa makes it easy to compute ranges of variables and bounds on absolute or relative roundoff errors.

Gappa is being used to certify parts of the mathematical libraries of
several projects, including CRlibm, FLIP, and CGAL.
It is distributed as open source, under a Cecill-B / GPL dual-license,
at http://

Part of the work on this tool was done while in the Arénaire team (Inria Rhône-Alpes), until 2008.

Criteria for Software Self-Assessment: A-3, SO-4, SM-3, EM-3, SDL-4, OC-4.

The Interval package provides several tactics for helping a *Coq* user
to prove theorems on enclosures of real-valued expressions. The proofs
are performed by an interval kernel which relies on a computable
formalization of floating-point arithmetic in *Coq*.

Versions 1.0 and 2.0 were released in 2014. Version 2.0 integrates the CoqApprox library for computing Taylor models, so as to greatly improve performances when bounding univariate expressions .

It is distributed as open source, under a CeCILL-C license, at
http://

Part of the work on this library was done while in the Mathematical Components team (Microsoft Research–Inria Joint Research Center).

Criteria for Software Self-Assessment: A-3, SO-4, SM-2, EM-3, SDL-4, OC-4.

The Coquelicot library is designed with three principles in mind. The first is the user-friendliness, achieved by implementing methods of automation, but also by avoiding dependent types in order to ease the stating and readability of theorems. This latter part was achieved by defining total function for basic operators, such as limits or integrals. The second principle is the comprehensiveness of the library. By experimenting on several applications, we ensured that the available theorems are enough to cover most cases. We also wanted to be able to extend our library towards more generic settings, such as complex analysis or Euclidean spaces. The third principle is for the Coquelicot library to be a conservative extension of the Coq standard library, so that it can be easily combined with existing developments based on the standard library. Moreover, we achieved this compatibility without adding any additional axiom.

The result is the Coquelicot library available at
http://

Criteria for Software Self-Assessment: A-2, SO-4, SM-2, EM-3, SDL-1, OC-4.

The *CFML* tool supports the verification of *OCaml* programs through interactive *Coq* proofs. *CFML* proofs establish the full functional correctness of the code with respect to a specification. They may also be used to formally establish bounds on the asymptotic complexity of the code.
The tool is made of two parts: on the one hand, a characteristic formula generator implemented
as an *OCaml* program that parses *OCaml* code and produces *Coq* formulae; and, on the other hand,
a *Coq* library that provides notation and tactics for manipulating characteristic formulae
interactively in *Coq*.

*CFML* is distributed under the LGPL license, and is available
at http://

Criteria for Software Self-Assessment: A-2, SO-3, SM-2, EM-3, SDL-4, OC-4.

The ALEA library is a *Coq* development for modeling randomized
functional programs as distributions using a monadic transformation.
It contains an axiomatisation of the real interval

ALEA is used as a basis of the Certicrypt environment (MSR-Inria joint research center, Imdea Madrid, Inria Sophia-Antipolis) for formal proofs for computational cryptography . It is also experimented in LABRI as a basis to study formal proofs of probabilistic distributed algorithms.

ALEA is distributed as open source, at
http://

Criteria for Software Self-Assessment: A-5, SO-3, SM-3, EM-3, SDL-5, OC-4.

Bibtex2html is a generator of HTML pages of bibliographic
references. Distributed as open source since 1997, under the GPL
license, at http://

We estimate that between 10000 and 100000 web pages have been generated using Bibtex2html.

Criteria for Software Self-Assessment: A-2, SO-3, SM-2, EM-2, SLD-2, OC-4.

Coccinelle is a *Coq* library for term rewriting. Besides the usual
definitions and theorems of term algebras, term rewriting and term
ordering, it also models a number of algorithms implemented in the
CiME toolbox, such as matching, matching modulo
associativity-commutativity, computation of the one-step reducts
of a term, recursive path ordering (RPO) comparison between two terms, etc.
The RPO algorithm can effectively be run inside *Coq*, and is used
in the Color developement (http://*Coq* (Sorin
Stratulat).

Coccinelle is available at
http://

OCamlgraph is a graph library for *OCaml*. It features many graph
data structures, together with many graph algorithms. Data
structures and algorithms are provided independently of each other,
thanks to *OCaml* module system. OCamlgraph is distributed as open
source, under the LGPL license, at
http://*OCaml* developers, and available as an OPAM package
http://

Mlpost is a tool to draw scientific figures to be integrated in
*OCaml*. Yet it is based on MetaPost internally and thus
provides high-quality PostScript figures and powerful features such
as intersection points or clipping.
Mlpost is distributed as open source, under the LGPL license, at
http://

Mlpost is available as an OPAM package
http://

Functory is a distributed computing library for
*OCaml*. The main features of this library
include (1) a polymorphic API, (2) several implementations to
adapt to different deployment scenarios such as sequential,
multi-core or network, and (3) a reliable fault-tolerance mechanism.
Functory was presented at JFLA 2011 and at
TFP 2011 .

Functory is distributed as open source, under the LGPL license, at
http://

Criteria for Software Self-Assessment: A-3, SO-4, SM-3, EM-2, SDL-5-down, OC-4.

The *Why* platform is a set of tools for deductive verification of
Java and C source code. In both cases, the requirements are
specified as annotations in the source, in a special style of
comments. For Java (and Java Card), these specifications are given
in JML and are interpreted by the *Krakatoa* tool. Analysis of C code
must be done using the external *Frama-C* environment, and its *Jessie*
plugin which is distributed in *Why*.

The platform is distributed as open source, under GPL license, at
http://

It also distributed as part of major Linux
distributions and in the OPAM packaging system
http://*Frama-C*Neon and *Why3* 0.83.

The internal VC generator and the translators to external provers
are no longer under active development, as superseded by the *Why3*system
described above. The *Krakatoa* and *Jessie* front-ends
are still maintained, although using now by default the *Why3* VC
generator. These front-ends are described in a specific web page
http://

The ACM Software System Award 2013 was given,
during a ceremony in June 2014 in San Francisco,
to the Coq proof assistant
(http://

The *Concours Castor informatique*
(http://

J.-C. Filliâtre, L. Gondelman, and A. Paskevich
have formalized the notion of ghost code implemented in *Why3*, in
a paper *The Spirit of Ghost
Code* presented at CAV 2014.
This is an outcome of L. Gondelman's M2 internship (spring/summer
2013).

M. Clochard published at the POPL conference a paper presenting a work done during an internship at Rice University (Houston, TX, USA) with S. Chaudhuri and A. Solar-Lezama . It is a new technique for parameter synthesis under boolean and quantitative objectives. The input to the technique is a “sketch”—a program with missing numerical parameters—and a probabilistic assumption about the program's inputs. The goal is to automatically synthesize values for the parameters such that the resulting program satisfies: (1) a boolean specification, which states that the program must meet certain assertions, and (2) a quantitative specification, which assigns a real valued rating to every program and which the synthesizer is expected to optimize.

J.-C. Filliâtre, C. Marché, and A. Paskevich,
together with F. Bobot (CEA LIST),
took part in the VerifyThis program verification competition,
held at the 18th FM symposium in August 2012. They used *Why3*
to solve three challenges (which can be found at
http://*Software Tools for Technology Transfer*
.

M. Clochard developed, using *Why3*, verified implementations of
several data structures, including random-access lists and ordered
maps. These are derived from a common parametric implementation of
self-balancing binary trees in the style of Adelson-Velskii and
Landis trees (so-called AVLs). This work appeared at the VSTTE
conference . Its originality relies on
the genericity of the specifications and the code, and the very
high level of proof automation. Such a case study is aimed at
illustrating the capabilities of *Why3* for designing certified
libraries. Development is available from our gallery at
http://

S. Conchon and A. Mebsout have extended the core algorithm of the Cubicle model checker with a mechanism for inferring invariants. This new algorithm, called BRAB, is able to automatically infer invariants strong enough to prove industrial cache coherence protocols. BRAB computes over-approximations of backward reachable states that are checked to be unreachable in a finite instance of the system. These approximations (candidate invariants) are then model-checked together with the original safety properties. Completeness of the approach is ensured by a mechanism for backtracking on spurious traces introduced by too coarse approximations. Details can be found in A. Mebsout's PhD thesis .

A. Charguéraud extended his tool CFML to support, in addition to
the verification of the full functional correctness of a piece of code,
the verification of the asymptotic complexity of the code.
Even though it had been previously established that, in theory,
amortized analysis can be explained as the manipulation of *time credits*,
and that time credits can be encoded as resources in Separation Logic,
CFML is the first practical tool to support the formal verification of
amortized analyses for arbitrarily-complex pieces of code.
The *time-credit* extension to CFML was put to practice
to verify dynamic arrays (Julien Grangier's internship),
and to verify a *chunked sequence*
data structure , particularly challenging due
to its use of Tarjan's data structural bootstrapping technique.
The latter piece of work was presented in July
at the workshop *Semantics of proofs
and certified mathematics*, which took place at the Institut Henri Pointcaré.
A paper describing the time-credit extension to CFML is under preparation.

C. Marché published in the *Science of Computer
Programming* journal a detailed
description of an industrial research initially conducted in the
context of the U3CAT project (ended in 2012) on static analysis of
critical C code. The code involves floating-point computations on
quaternions that should be of norm 1. Because of the round-off
errors, a drift of this norm is observed over time. In this work a
bound on this drift is determined and formally proved correct,
using *Frama-C*, *Jessie* and *Why3*. Proofs are done using automated
provers and in a few complex cases the Coq proof assistant. The
published version is up to date with the recent versions of those
tools, and the development is available on our gallery at
http://

S. Boldo, C. Lelay, and G. Melquiond worked on the Coquelicot
library, designed to be a user-friendly Coq library about real
analysis. An easier way of writing formulas and theorem statements
is achieved by relying on total functions in place of dependent
types for limits, derivatives, integrals, power series, and so on.
To help with the proof process, the library comes with a
comprehensive set of theorems and some automation. We have exercised
the library on several use cases: in an exam at university entry
level, for the definitions and properties of Bessel functions, and
for the solution of the one-dimensional wave equation.
These results are published in the journal
*Mathematics in Computer Science*
.

S. Boldo and G. Melquiond, with J.-H. Jourdan and X. Leroy
(Gallium team, Inria Paris - Rocquencourt) extended the CompCert
compiler to get the first formally verified C compiler that provably
preserves the semantics of floating-point programs
This work, published in the *Journal of Automated Reasoning*
,
also covers the formalization of numerous algorithms of
conversion between integers and floating-point numbers.

S. Boldo, C. Lelay, and G. Melquiond, have conducted a survey on the
formalization of real arithmetic and real analysis in various proof
systems. This work, published in the journal
*Mathematical Structures in Computer Science* ,
details the axioms, definitions, theorems, and
methods of automation, available in these systems.

É. Martin-Dorel and G. Melquiond worked on integrating the CoqInterval and CoqApprox libraries into a single package. The CoqApprox library is dedicated to computing verified Taylor models of univariate functions so as to compute approximation errors. The CoqInterval library reuses this work to automatically prove bounds on real-valued expressions. A large formalization effort took place during this work, so as to get rid of all the holes remaining in the formal proofs of CoqInterval. It was also the chance to perform a comparison between numerous decision procedures dedicated to proving nonlinear inequalities involving elementary functions. A report is available .

S. Boldo, J.-C. Filliâtre, and G. Melquiond,
with F. Clément and P. Weis (POMDAPI team, Inria Paris - Rocquencourt),
and M. Mayero (LIPN),
completed the formal proof of a numerical analysis program:
the second-order centered finite-difference scheme for the
one-dimensional acoustic wave. This proof was published with a focus
towards numerical analysts, in the journal
*Computers and Mathematics with Applications*
.

P. Roux formalized the influence of double rounding on the accuracy
of floating-point arithmetic operators. In
particular, this includes all the corner cases that were ignored from
Figueroa's original pen-and-paper proof.
Results appeared in the *Journal of Formalized Reasoning*
.

P. Roux formalized a theory of numerical analysis for bounding the round-off errors of a floating-point algorithm. This approach was applied to the formal verification of a program for checking that a matrix is semi-definite positive. The challenge here is that testing semi-definiteness involves algebraic number computations, yet it needs to be implemented using only approximate floating-point operations. A report is available .

In the context of the BWare project, aiming at using *Why3* and
Alt-Ergo for discharging proof obligations generated by Atelier B,
we made progress into several directions. New drivers have been
designed for *Why3*, in order to use new back-end provers Zenon
modulo and iProver modulo. A notion of rewrite rule was introduced
into *Why3*, and a transformation for simplifying goals before
sending them to back-end provers was designed. Intermediate
results obtained so far in the project were presented both at the
French conference AFADL and at the
international conference on Abstract State Machines, Alloy, B,
VDM, and Z .

On the side of Alt-Ergo, recent developments have been made to efficiently discharge proof obligations generated by Atelier B. This includes a new plugin architecture to facilitate experiments with different SAT engines, new heuristics to handle quantified formulas, and important modifications in its internal data structures to boost performances of core decision procedures. Benchmarks realized on more than 10,000 proof obligations generated from industrial B projects show significant improvements .

M. Clochard, C. Marché, and A. Paskevich developed a general
setting for developing programs involving binders, using
*Why3*. This approach was successfully validated on two case
studies: a verified implementation of untyped lambda-calculus and
a verified tableaux-based theorem prover. This work was presented
at the PLPV conference in January 2014
.

M. Clochard, J.-C. Filliâtre, C. Marché, and A. Paskevich
developed a case study on the formalization of semantics of
programming languages using *Why3*. This case study aimed at
illustrating recent improvements of *Why3* regarding the support for
higher-order logic features in the input logic of *Why3*, and how
these are encoded into first-order logic, so that goals can be
discharged by automated provers. This case study also illustrates
how reasoning by induction can be done without need for interactive
proofs, via the use of *lemma functions*. This works was presented
at the VSTTE conference .

M. Clochard and L. Gondelman developed a formalization of a
simple compiler in *Why3*. It compiles a simple imperative language
into assembler instructions for a stack machine. This case study
was inspired by a similar example developed using Coq and
interactive theorem proving. The aim is to improve significantly
the degree of automation in the proofs. This is achieved by the
formalization of a Hoare logic and a Weakest Precondition Calculus
on assembly programs, so that the correctness of
compilation is seen as a formal specification of the assembly
instructions generated. This work conducted in 2014
will be presented at the JFLA
conference in January 2015 .

S. Dumbrava and É. Contejean, with V. Benzaken (VALS team, at LRI)
proposed a *Coq* formalization of the relational
data model which underlies relational database systems. More
precisely, they have presented and formalized the data definition
part of the model including integrity constraints. They have
modelled two different query language formalisms: relational
algebra and conjunctive queries.
They also present logical query optimization and prove the main
“database theorems”: algebraic equivalences, the homomorphism
theorem and conjunctive query minimization. This work has been
published at ESOP 2014 .

A. Charguéraud, together with the other members of the
*JsCert* team have developed this year the first complete
formalization of the semantics of the JavaScript programming
language. This project is joint work with Philippa Gardner,
Sergio Maffeis, Gareth Smith, Daniele Filaretti and Daiva
Naudziuniene from Imperial College, and Alan Schmitt and Martin
Bodin from Inria Rennes (see
http://*ECMAScript Language Specification,
version 5*, using the pretty-big-step semantics
.
These rules can be used to formally reason about program
behaviors or to establish the correctness of program
transformations. In addition to the inductive rules, a reference
interpreter has been proved correct. This interpreter may be used
to run actual JavaScript program following the rules of the formal
semantics. It has been used in particular to validate the formal
semantics against official JavaScript test suites.
The formalization of JavaScript has been published at
POPL .

A. Charguéraud worked together with Umut Acar and Mike Rainey,
as part of the ERC project *DeepSea*, on the developement of
efficient data structures and algorithms targeting modern,
shared memory multicore architectures. Two major results were obtained
this year.

The first result is a sequence data structure that
provides amortized constant-time access at the two ends, and logarithmic
time concatenation and splitting at arbitrary positions. These
operations are essential for programming efficient computation
in the fork-join model. Compared with prior work, this novel
sequence data structure achieves excellent constant factors,
allowing it to be used as a replacement for traditional,
non-splittable sequence data structures. This data structure,
called *chunked sequence* due to its use of chunks
(fixed-capacity arrays), has
been implemented both in C++ and in OCaml. It is
described in a paper published at ESA .

Another result by A. Charguéraud and his co-authors is the development of fast and robust parallel graph traversal algorithms, more precisely for parallel BFS and parallel DFS. The new algorithms leverage the aforementioned sequence data structure for representing the set of edges remaining to be visited. In particular, it uses the split operation for balancing the edges among the several processors involved in the computation. Compared with prior work, these new algorithms are designed to be efficient not just for particular classes of graphs, but for all input graphs. This work has not yet been published, however it is described in details in a technical report . Note that these two graph algorithms, which involve nontrivial use of concurrent data structures, will be very interesting targets for formal verification.

ProofInUse is a joint project between the Toccata team and the
SME AdaCore. It was selected and funded by the ANR programme
“Laboratoires communs”, starting from April 2014, for 3 years
http://

The SME AdaCore is a software publisher specializing in providing
software development tools for critical systems. A previous
successful collaboration between Toccata and AdaCore enabled
*Why3* technology to be put into the heart of the
AdaCore-developed SPARK technology.

The goal is now to promote and transfer the use of deduction-based verification tools to industry users, who develop critical software using the programming language Ada. The proof tools are aimed at replacing or complementing the existing test activities, whilst reducing costs.

Jointly with the thesis of C. Dross, supervised in collaboration with the AdaCore company, we established a 3-year bilateral collaboration contract, that ended in April 2014.

The aim was to strengthen the usability of the *Alt-Ergo* theorem
prover in the context of the GnatProve environment for the
verification of safety-critical Ada programs
. A focus was made on programs involving Ada
containers . C. Dross defended her PhD in April
1st 2014 .

S. Conchon has obtained an academic grant by Intel corporation on the development of the Cubicle model checker, for 2 years starting from Dec. 2012 The goal of this project is to develop a new version of Cubicle with significantly improved model-checking power. This required innovative algorithmic enhancements to be implemented and evaluated.

Partner: Intel Strategic Cad Labs in Hillsboro, OR, USA

Coquelicot is a 3-year Digiteo project that started in September
2011. http://

The Coquelicot project aims at creating a modern formalization of
the real numbers in *Coq*, with a focus on
practicality , , ,.
This is sorely needed to ease the
verification of numerical applications, especially those involving
advanced mathematics.

Partners: team SpecFun from LIX (Palaiseau), University Paris 13

ELFIC is a working group of the Digicosme Labex. S. Boldo is the principal investigator.

Project ELFIC focuses on proving the correctness of the FELiScE (Finite Elements for Life Sciences and Engineering) C++ library which implements the finite element method for approximating solutions to partial differential equations. Finite elements are at the core of numerous simulation programs used in industry. The formal verification of this library will greatly increase confidence in all the programs that rely on it. Verification methods developed in this project will be a breakthrough for the finite element method, but more generally for the reliability of critical software relying on intricate numerical algorithms.

Partners: Inria team Pomdapi; Ecole Polytechnique, LIX; CEA LIST; Université Paris 13, LIPN; UTC, LMAC (Compiègne).

The AJACS research project is funded by the programme “Société de l'information et de la communication” of the ANR, for a period of 42 months, starting on October 1st, 2014.

The goal of the AJACS project is to provide strong security and privacy guarantees on the client side for web application scripts implemented in JavaScript, the most widely used language for the Web. The proposal is to prove correct analyses for JavaScript programs, in particular information flow analyses that guarantee no secret information is leaked to malicious parties. The definition of sub-languages of JavaScript, with certified compilation techniques targeting them, will allow deriving more precise analyses. Another aspect of the proposal is the design and certification of security and privacy enforcement mechanisms for web applications, including the APIs used to program real-world applications. On the Toccata side, the focus will be on the formalization of secure subsets of JavaScript, and on the mechanization of proofs of translations from high-level languages into JavaScript.

Partners: team Celtique (Inria Rennes - Bretagne Atlantique), team Prosecco (Inria Paris - Rocquencourt), team Indes (Inria Sophia Antipolis - Méditerranée), and Imperial College (London).

This is a research project funded by the programme “Ingénierie
Numérique & Sécurité” of the ANR. It is funded for a period of
48 months and it has started on October 1st,
2014. http://

Our aim is to develop computer-aided proofs of numerical values, with certified and reasonably tight error bounds, without sacrificing efficiency. Applications to zero-finding, numerical quadrature or global optimization can all benefit from using our results as building blocks. We expect our work to initiate a "fast and reliable" trend in the symbolic-numeric community. This will be achieved by developing interactions between our fields, designing and implementing prototype libraries and applying our results to concrete problems originating in optimal control theory.

Partners: team ARIC (Inria Grenoble Rhône-Alpes), team MARELLE (Inria Sophia Antipolis - Méditerranée), team SPECFUN (Inria Saclay - Île-de-France), Université Paris 6, and LAAS (Toulouse).

The Soprano research project is funded by the programme “Sciences et technologies logicielles” of the ANR, for a period of 42 months, starting on October 1st, 2014.

The SOPRANO project aims at preparing the next generation of verification-oriented solvers by gathering experts from academia and industry. We will design a new framework for the cooperation of solvers, focused on model generation and borrowing principles from SMT (current standard) and CP (well-known in optimization). Our main scientific and technical objectives are the following. The first objective is to design a new collaboration framework for solvers, centered around synthesis rather than satisfiability and allowing cooperation beyond that of Nelson-Oppen while still providing minimal interfaces with theoretical guarantees. The second objective is to design new decision procedures for industry-relevant and hard-to-solve theories. The third objective is to implement these results in a new open-source platform. The fourth objective is to ensure industrial-adequacy of the techniques and tools developed through periodical evaluations from the industrial partners.

Partners: team DIVERSE (Inria Rennes - Bretagne Atlantique), Adacore, CEA List, Université Paris-Sud, and OCamlPro.

The CAFEIN research project is funded by the programme “Ingénierie
Numérique & Sécurité” of the ANR, for a period
of 3 years, starting on February 1st, 2013.
https://

This project addresses the formal verification of functional properties at specification level, for safety critical reactive systems. In particular, we focus on command and control systems interacting with a physical environment, specified using the synchronous language Lustre.

A first goal of the project is to improve the level of automation of formal verification, by adapting and combining existing verification techniques such as SMT-based temporal induction, and abstract interpretation for invariant discovery. A second goal is to study how knowledge of the mathematical theory of hybrid command and control systems can help the analysis at the controller's specification level. Third, the project addresses the issue of implementing real valued specifications in Lustre using floating-point arithmetic.

Partners: ONERA, CEA List, ENSTA, teams Maxplus (Inria Saclay - Île-de-France), team Parkas (Inria Paris - Rocquencourt), Perpignan University, Prover Technology, Rockwell Collins.

The BWare research project is funded by the programme “Ingénierie
Numérique & Sécurité” of the ANR, a period of 4
years, starting on September 1st, 2012. http://

BWare is an industrial research project that aims to provide a mechanized framework to support the automated verification of proof obligations coming from the development of industrial applications using the B method and requiring high guarantee of confidence. The methodology used in this project consists in building a generic platform of verification relying on different theorem provers, such as first-order provers and SMT solvers. The variety of these theorem provers aims at allowing a wide panel of proof obligations to be automatically verified by the platform. The major part of the verification tools used in BWare have already been involved in some experiments, which have consisted in verifying proof obligations or proof rules coming from industrial applications . This therefore should be a driving factor to reduce the risks of the project, which can then focus on the design of several extensions of the verification tools to deal with a larger amount of proof obligations.

The partners are: Cedric laboratory at CNAM (CPR Team, project
leader); teams Gallium and Deducteam (Inria Paris - Rocquencourt) ;
Mitsubishi Electric R&D Centre Europe, ClearSy (the company which
develops and maintains *Atelier B*), and the start-up OCamlPro.

The Versaco research project is funded by the programme “Ingénierie
Numérique & Sécurité” of the ANR, for a period of 4
years, starting on January 1st, 2012. Project website:
http://

The main goal of the project is to investigate the formal verification
of static analyzers and of compilers, two families of tools that play a
crucial role in the development and validation of critical embedded
software. More precisely, the project aims at developing a generic
static analyzer based on abstract interpretation for the C language,
along with a number of advanced abstract domains and domain combination
operators, and prove the soundness of this analyzer using the *Coq*
proof assistant. Likewise, it will keep working on the CompCert C
formally-verified compiler, the first realistic C compiler that has
been mechanically proved to be free of miscompilation, and carry it to
the point where it could be used in the critical software industry.

Partners: teams Gallium and Abstraction (Inria Paris - Rocquencourt), Airbus avionics and simulation (Toulouse), IRISA (Rennes), Verimag (Grenoble).

Project acronym: ERC Deepsea

Project title: Parallel dynamic computations

Duration: Jun. 2013 - Jun. 2018

Coordinator: Umut A. Acar

Other partners: Carnegie Mellon University

Abstract:

The objective of this project is to develop abstractions, algorithms and languages
for parallelism and dynamic parallelism with applications to problems
on large data sets.
Umut A. Acar (affiliated to Carnegie Mellon University and Inria Paris - Rocquencourt)
is the principal investigator of this ERC-funded project.
The other main researchers involved are
Mike Rainey (Inria, Gallium team), who is full-time on the project,
and Arthur Charguéraud (Inria, Toccata team), who works
40% of his time to the project.
Project website: http://

S. Conchon, A. Mebsout and F. Zaïdi (VALS group, LRI) collaborate with S. Krstic and A. Goel (Intel Strategic Cad Labs in Hillsboro, OR, USA), in particular around the development of the SMT-based model checker Cubicle (see above). This collaboration is partly supported by an academic grant by Intel.

P. Roux (ISAE, Onera) visited for 7 months in order to collaborate with S. Boldo and G. Melquiond on the topic of formal verification of numerical algorithms.

Bas Spitters visited for 3 months from April to June funded by a Digiteo grant. He worked with C. Paulin on the extension of the ALEA library to continuous structures and the use of “lower reals” (monotonic sequences of rationals). He also worked on adapting the Corn and Math-classes libraries to the new Coq release. During that time he published a final version of a paper presented at the Workshop on Quantum Physics and Logic in 2012 .

Andrew Tolmach is a visiting researcher from Portland State University, on a one-year Digiteo Chair. His research project will initiate a new research effort to develop principles, techniques, and tools for large-scale proof engineering. It is focused on the Coq proof assistant and is designed to take advantage of the deep pool of expertise available in the Paris area (at Paris-Sud, LIX, Inria, etc.) concerning both the use and development of Coq. Initial results are expected to include: a precise description of requirements for large proof management; sample prototype tools addressing one or more of these requirements; and a technical survey of relevant proof representation options.

J.-C. Filliâtre chaired the fifth meeting of the IFIP Working Group 1.9/2.15 (Verified Software) in Vienna, Austria, July 2014.

S. Boldo and G. Melquiond are members of the organizing committee for the 22nd IEEE Symposium on Computer Arithmetic (ARITH 2015), held in Lyon in June 2015.

J.-C. Filliâtre organized the sixth meeting of the IFIP Working Group 1.9/2.15 (Verified Software) in Paris, France, December 2014.

C. Paulin co-organized with Z. Shao (Harvard University) the
*Workshop on certification of high-level and low-level programs*,
July 7-11, 2014.
This workshop was part of the IHP thematic trimester *Semantics
of proofs and certified mathematics*,
which took place in Paris from April to July.

S. Boldo is a member of the program committee of the 7th International Workshop on Numerical Software Verification (NSV-7). For 2015, she will be in the program committes of the 26th Journées Francophones des Langages Applicatifs (JFLA 2015), of the 8th International Workshop on Numerical Software Verification (NSV-8) and of the 22nd IEEE Symposium on Computer Arithmetic (ARITH 2015).

A. Charguéraud served on the external review commitee for POPL 2015.

É. Contejean is a member of the program committee of the ACM SIGPLAN 2014 Workshop on Partial Evaluation and Program Manipulation, (PEPM 2014) affiliated with the POPL 2014 conference.

J.-C. Filliâtre is a member of the program committees of the Symposium on Languages, Applications and Technologies (SLATE 2014) and the Journées Francophones des Langages Applicatifs (JFLA 2014).

C. Marché, member of program committee of the first
international workshop Formal-IDE (F-IDE), held as a satellite
workshop of ETAPS 2014
http://

C. Paulin is a member of the program committees of the conference Interactive Theorem Proving (ITP 2014) and the Coq Workshop 2014. For 2015, she will be in the program committees of the following conferences: Certified Programs and Proofs (CPP 2015), Mathematics of Program Construction (MPC 2015) and Types for Proofs and Programs (TYPES 2015).

A. Paskevich is a member of the program committee of the 11th International Workshop on User Interfaces for Theorem Provers (UITP 2014) affiliated with the FLoC 2014 conference.

The members of the Toccata team have reviewed papers for numerous international conferences, including: ARITH, CICM, CPP, ESOP, NFM, POPL, SLATE.

S. Boldo is member of the editorial committee of the popular science web site “)i(”:

S. Boldo is member of the editorial board of Binaire
http://

J.-C. Filliâtre is member of the editorial board of the
*Journal of Functional Programming*.

C. Paulin is member of the editorial board of the *Journal of Formalized Reasoning*.

The members of the Toccata team reviewed numerous papers for numerous international journals, including: Journal of Automated Reasoning (JAR), Transactions in Computational Sciences (TCS), Theory of Computing Systems (TCS), IEEE Transactions on Computers (TC), Journal of Scientific Programming, Journal of Field Robotics (JFR), Mathematical Structures in Computer Science (MSCS), Journal of Automated Software Engineering.

S. Boldo was invited speaker at the 16th GAMM-IMACS International Symposium on Scientific Computing, Computer Arithmetic and Validated Numerics conference (SCAN 2014) about her methodology for the formal verification of floating-point programs.

S. Boldo and G. Melquiond were invited speakers at an
international workshop in Lyon, France called Mathematical
Structures of Computation during the week 4: Formal Proof, Symbolic
Computation and Computer Arithmetic.
http://

C. Lelay was invited speaker at the 25th JFLA (Journées Francophones des Langages Applicatifs), Fréjus, France, Jan 10th, 2014 about “Coq passe le bac”: she tried the 2013 mathematics test of the scientific Baccalaureate in Coq at the same time as the students.

C. Marché, “Calcul de plus faible précondition, revisité en Why3”, 25th JFLA, special session on selected representative papers of past editions, joint work with A. Tafat, Fréjus, France, Jan 11th, 2014.

C. Marché, “Beyond SPARK2014: the ProofInUse project”, IFIP WG1.9/2.15, Vienna, Austria, Jul 15th, 2014.

G. Melquiond was invited speaker at the 12th International Workshop on Satisfiability Modulo Theories (SMT 2014).

C. Paulin was invited speaker at the 25th JFLA (Journées Francophones des Langages Applicatifs), Fréjus, France, Jan 10th, 2014 to give a tutorial presentation of the ALEA library. She also gave an invited talk during the GDR-GPL “Journées Nationales”.

C. Paulin was invited speaker at the workshop “All about Proofs, Proofs for All” (APPA) as part of the Vienna Summer of Logic. She presented an introduction to the Calculus of Inductive Constructions. She wrote a chapter in the post-conference book to appear next year.

S. Boldo, elected member of the Inria Evaluation Committee until August 2014. She was in the committee in charge of selecting the Inria permanent researchers (CR2) in Bordeaux and Nancy and in the national committee for first-class Inria permanent researchers (CR1).

S. Boldo, member of the national Inria admission committee.

S. Boldo, C. Marché, and G. Melquiond, members of committees in charge of recruiting assistant professors at Université Paris-Sud.

S. Boldo, member of the CLFP, *comité local de formation
permanente*.

S. Boldo, scientific head for Saclay for the MECSI group for networking about computer science popularization inside Inria.

S. Boldo, member of the national popularization committee, *comité
de médiation scientifique*, of Inria.

A. Charguéraud is vice-president of *France-ioi*, a
non-profit organization in charge of the selection and the training
of the French team to the International Olympiads in
Informatics (IOI). France-ioi also provides online exercises in
programming and algorithmics—in average, over 70,000 such
exercises are solved every month on the website.

A. Charguéraud is a board
member of the non-profit organization *Animath*, which aims at
developing interest in mathematics among young students.

A. Charguéraud and G. Melquiond are members of the committee for the
monitoring of PhD students (*“commission de suivi des
doctorants”*).

S. Conchon and A. Paskevich, members of the *“commission
consultative de spécialistes de l'université”*, Section 27,
University Paris-Sud since December 2014.

É. Contejean, leader of the VALS team since February 2014.

É. Contejean, nominated member of the
*“conseil du laboratoire”* of LRI since April 2010 till June 2014.

É. Contejean, elected member of the *“section 6 du
Comité National de la Recherche Scientifique”* since September
2012.

É. Contejean, member of the committee of experts for the AERES evaluation of the Verimag laboratory (2014).

É. Contejean, reviewer for the ANR (2014).

É. Contejean, reviewer for the START program of the Austrian Science Fund (FWF) (2014).

S. Dumbrava, elected member of the *“conseil du
laboratoire”* of LRI since June 2014.

J.-C. Filliâtre is *correcteur au concours d'entrée à
l'École Polytechnique* (computer science examiner for the
entrance exam at École Polytechnique) since 2008.

C. Lelay, elected member of the *“conseil du
laboratoire”* of LRI from November 2011 to June 2014.

C. Marché and S. Boldo, members of the *“jury de
l'agrégation externe de mathématiques”* as experts in
computer science, since 2012.

C. Marché (since April 2007) and C. Paulin (since September
2010), members of the program committee of Digiteo Labs, the
world-class research park in *Île-de-France* region dedicated
to information and communication science and technology,
http://

C. Marché, member of the executive team of the LRI (as “chargé de mission”), since July 2014.

C. Marché, president of the hiring committee of one associate professor position (Maître de Conferences), Université Paris-Sud, April-June 2014. Member of another such committee.

C. Marché, director of the ProofInUse Joint Laboratory between
Inria and AdaCore, http://

G. Melquiond and C. Paulin, members of the *“commission
consultative de spécialistes de l'université”*, Section 27,
University Paris-Sud since April 2010.
C. Paulin is the president of this committee since December 2014.

G. Melquiond, elected officer of the IEEE-1788 standardization committee on interval arithmetic since 2008.

C. Paulin, scientific leader of Labex
DigiCosme http://

C. Paulin, president of the Computer Science Department of the
University Paris-Sud https://

C. Paulin, president of the assembly of directors of graduate schools at the Université Paris-Sud since September 2012.

C. Paulin, chaired the hiring committee for a professor position in computer science at Université Paris-Sud.

In 2014, C. Paulin was elected member of the Informatics Section of Academia Europaea http://

A. Paskevich was in charge (together with C. Bastoul in 2012–2013 and B. Cautis in 2013–2014) of Licence professionnelle PER (L3) at IUT d'Orsay, Paris-Sud University since September 2012 till August 2014.

Master Parisien de Recherche en Informatique (MPRI)
https://

Licence: “Programmation Fonctionnelle avancée” (L3), M. Clochard (10h), Université Paris-Sud, France.

Master: “Projet de programmation (compilation)” (M1), M. Clochard (50h), Université Paris-Sud, France.

Licence: “Programmation fonctionnelle avancée” (L3), S. Conchon (30h), Université Paris-Sud, France.

Master: “Compilation” (M1), S. Conchon (33h), Université Paris-Sud, France.

DUT (Diplôme Universitaire de Technologie): “Systèmes” (S3), D. Declerck, IUT d'Orsay, Université Paris-Sud, France.

DUT (Diplôme Universitaire de Technologie): “Programmation et administration des bases de données” (S2), S. Dumbrava (62h), IUT d'Orsay, Université Paris-Sud, France.

DUT (Diplôme Universitaire de Technologie): “Bases de données avancées” (S3), S. Dumbrava (36h), IUT d'Orsay, Université Paris-Sud, France.

Licence: “Langages de programmation et compilation” (L3), J.-C. Filliâtre (36h), École Normale Supérieure, France.

Licence: “INF411: Les bases de l'algorithmique et de la programmation” (L3), J.-C. Filliâtre (16h), École Polytechnique, France.

Licence: “Mathématiques pour l'informatique” (L2), L. Gondelman (30h), Université Paris-Sud, France.

Master: “Compilation” (M1), L. Gondelman (28h), Université Paris-Sud, France.

DUT (Diplôme Universitaire de Technologie): “Programmation système” (S4), A. Paskevich (48h), IUT d'Orsay, Université Paris-Sud, France.

Y. Chatelain, a L3 student from Université Paris-Sud, did a 2-month internship under the supervision of J.-C. Filliâtre and A. Paskevich, on the implementation of a new criterion of termination of recursive functions in a pure functional language.

J.-P. Deplaix, a third-year student of Epitech, did a 4-month internship,
supervised by J.-C. Filliâtre and A. Paskevich, on the compilation of *Why3*
programs to C.

J. Grangier, a M1 student from ENSIEE, did a 10-week internship under the supervision of A. Charguéraud, on the verification of the functional correctness and the asymptotic complexity of a dynamic array data structure.

X. Onfroy, a L3 student form ENS-Lyon, did a 6-week internship, supervised by G. Melquiond, on the formalization of the gauge integral in the setting of the Coquelicot library.

HDR: É. Contejean, “Facettes de la preuve, Jeux de reflets entre démonstration automatique et preuve assistée” , Université Paris-Sud, June 13th, 2014.

HDR: S. Boldo, “Deductive Formal Verification: How To Make Your Floating-Point Programs Behave” , Université Paris-Sud, October 6th, 2014.

PhD: C. Dross, “Theories and Techniques for Automated Proof of programs” , Université Paris-Sud, Apr. 1st, 2014, supervised by C. Marché, A. Paskevich, and with industrial supervisors Y. Moy and J. Kanig (AdaCore company).

PhD: A. Mebsout, “SMT-based Model-Checking” , Université Paris-Sud, Sep. 29th, 2014, supervised by F. Zaïdi (LRI) and S. Conchon.

PhD in progress: C. Lelay, “Real numbers for the Coq proof assistant”, since Oct. 2011, supervised by S. Boldo and G. Melquiond.

PhD in progress: S. Dumbrava, “Towards data certification”, since Oct. 2012, supervised by V. Benzaken (LRI) and É. Contejean.

PhD in progress: L. Gondelmans, “Obtention de programmes corrects par raffinement dans un langage de haut niveau”, since Oct. 2013, supervised by J.-C. Filliâtre and A. Paskevich.

PhD in progress: M. Clochard, “A unique language for developing programs and prove them at the same time”, since Oct. 2013, supervised by C. Marché and A. Paskevich.

PhD in progress: J. C. Mbiada Djanda, “Augmented Semantics for the Non-interference of critical C Code”, since Nov. 2013, supervised by C. Marché and J. Signoles (CEA LIST).

PhD in progress: D. Declerck, “Vérification par des techniques de test et model checking de programmes C11”, since Sep. 2014, supervised by F. Zaïdi (LRI) and S. Conchon.

S. Boldo: examiner, PhD committee of Mohamed Amine Najahi, “Synthesis of certified programs in fixed-point arithmetic, and its application to linear algebra basic blocks”, Perpignan, France, December 2014.

J.-C. Filliâtre: examiner, PhD committee of Jonathan Protzenko, “Mezzo: the language of the future”, Université Paris Diderot, September 2014.

C. Marché: reviewer, PhD committee of T. Bormer “Advancing Deductive Program-Level Verification for Real-World Application”, Karlsruhe Institute of Technology, Karlsruhe, Germany, October 2014.

C. Marché: examiner, HDR committee of S. Boldo, “Deductive Formal Verification: How To Make Your Floating-Point Programs Behave”, Université Paris-Sud, October 2014.

C. Paulin: examiner, PhD committee of Guillaume Cano, “Interaction entre algèbre linéaire et analyse en formalisation des mathématiques”, University of Nice-Sophia Antipolis, March 2014.

C. Paulin: examiner, HDR committee of Évelyne Contejean, “Facettes de la preuve, Jeux de reflets entre démonstration automatique et preuve assistée”, Université Paris-Sud, June 2014.

C. Paulin: president of the PhD committee of Peva Blanchard “Synchronization and Fault-tolerance in Distributed Algorithms”, Université Paris-Sud, September 2014.

C. Paulin: examiner, HDR committee of Stéphane Graham-Lengrand “Polarities & Focussing: a Journey from Realisability to Automated Reasoning”, Université Paris-Sud, December 2014.

S. Boldo presented the *Concours Castor informatique* to
computer sciences teachers (ISN) in Nancy on April 17th, 2014. A video of
the talk is available at
http://

S. Boldo gave a 2-hour course entitled *Les nombres et l'ordinateur*
at the École Normale Supérieure de Cachan,
France, on September 9th.

S. Boldo gave a 2-hour course *Pourquoi mon ordinateur calcule
faux?* to a general audience at the Université
Inter-Âge in Versailles, France, on March 4th.

S. Boldo gave a talk for computer sciences teachers (ISN) in Créteil on March 24th

S. Boldo gave a talk for teenagers at the lycée Maximilien Perretin Alfortville on May 22nd.

S. Boldo wrote an article with Jean-Michel Muller (ARIC) in the popularization journal La Recherche .

S. Boldo wrote in 2013 an article for the French blog
celebrating 2013 as the “Mathematics of Planet Earth” year:
http://

S. Boldo is member of the editorial committee of
the popular science Interstices web site, since April 2008.
http://

S. Boldo is member of the editorial board of Binaire
http://

S. Boldo, G. Melquiond, A. Paskevich, and C. Paulin animated two
stands at the *Fête de la science*.

A. Charguéraud and S. Boldo contributed to the preparation of
the exercises of the *Concours Castor informatique*
http://*6ème* to *terminale*)
to computer sciences. More than 228,000 teenagers played with the
interactive exercises in November 2014.

S. Conchon and J.-C. Filliâtre published a book
*“Apprendre à programmer avec OCaml”* for undergraduate
students learning computer programming
(Eyrolles, September 2014).