The general objective of the Toccata project is to promote formal specification and computerassisted proof in the development of software that requires high assurance in terms of safety and correctness with respect to the intended behavior of the software.
The importance of software in critical systems increased a lot in the last decade. Critical software appears in various application domains like transportation (e.g., aviation, railway), communication (e.g., smartphones), banking, etc. The number of tasks performed by software is quickly increasing, together with the number of lines of code involved. Given the need of high assurance of safety in the functional behavior of such applications, the need for automated (i.e., computerassisted) methods and techniques to bring guarantee of safety became a major challenge. In the past and at present, the most widely used approach to check safety of software is to apply heavy test campaigns. These campaigns take a large part of the costs of software development, yet they cannot ensure that all the bugs are caught.
Generally speaking, software verification approaches pursue three goals: (1) verification should be sound, in the sense that no bugs should be missed, (2) verification should not produce false alarms, or as few as possible (3) it should be as automated as possible. Reaching all three goals at the same time is a challenge. A large class of approaches emphasizes goals (2) and (3): testing, runtime verification, symbolic execution, model checking, etc. Static analysis, such as abstract interpretation, emphasizes goals (1) and (3). Deductive verification emphasizes (1) and (2). The Toccata project is mainly interested in exploring the deductive verification approach, although we also consider the others in some cases.
In the past decade, there has been significant progress made in the domain of deductive program verification. They are emphasized by some success stories of application of these techniques on industrialscale software. For example, the Atelier B system was used to develop part of the embedded software of the Paris metro line 14 and other railroadrelated systems; a formally proved C compiler was developed using the Coq proof assistant ; Microsoft's hypervisor for highly secure virtualization was verified using VCC and the Z3 prover ; the L4verified project developed a formally verified microkernel with high security guarantees, using analysis tools on top of the Isabelle/HOL proof assistant . Another sign of recent progress is the emergence of deductive verification competitions (e.g., VerifyThis , VScomp ).
Finally, recent trends in the industrial practice for development of critical software is to require more and more guarantees of safety, e.g., the upcoming DO178C standard for developing avionics software adds to the former DO178B the use of formal models and formal methods. It also emphasizes the need for certification of the analysis tools involved in the process.
There are two main families of approaches for deductive verification. Methods in the first family build on top of mathematical proof assistants (e.g., Coq, Isabelle) in which both the model and the program are encoded; the proof that the program meets its specification is typically conducted in an interactive way using the underlying proof construction engine. Methods from the second family proceed by the design of standalone tools taking as input a program in a particular programming language (e.g., C, Java) specified with a dedicated annotation language (e.g., ACSL , JML ) and automatically producing a set of mathematical formulas (the verification conditions) which are typically proved using automatic provers (e.g., Z3, AltErgo , CVC3 , CVC4).
The first family of approaches usually offers a higher level of assurance than the second, but also demands more work to perform the proofs (because of their interactive nature) and makes them less easy to adopt by industry. Moreover, they do not allow to directly analyze a program written in a mainstream programming language like Java or C. The second kind of approaches has benefited in the past years from the tremendous progress made in SAT and SMT solving techniques, allowing more impact on industrial practices, but suffers from a lower level of trust: in all parts of the proof chain (the model of the input programming language, the VC generator, the backend automatic prover), potential errors may appear, compromising the guarantee offered. Moreover, while these approaches are applied to mainstream languages, they usually support only a subset of their features.
In the former ProVal project, we have been working on the design of methods and tools for deductive verification of programs. One of our original skills was the ability to conduct proofs by using automatic provers and proof assistants at the same time, depending on the difficulty of the program, and specifically the difficulty of each particular verification condition. We thus believe that we are in a good position to propose a bridge between the two families of approaches of deductive verification presented above. Establishing this bridge is one of the goals of the Toccata project: we want to provide methods and tools for deductive program verification that can offer both a high amount of proof automation and a high guarantee of validity. Toward this objective, a new axis of research was proposed: the development of certified analysis tools that are themselves formally proved correct.
The reader should be aware that the word “certified” in this scientific programme means “verified by a formal specification and a formal proof that the program meets this specification”. This differs from the standard meaning of “certified” in an industrial context where it means a conformance to some rigorous process and/or norm. We believe this is the right term to use, as it was used for the Certified Compiler project , the new conference series Certified Programs and Proofs, and more generally the important topics of proof certificates.
In industrial applications, numerical calculations are very common (e.g. control software in transportation). Typically they involve floatingpoint numbers. Some of the members of Toccata have an internationally recognized expertise on deductive program verification involving floatingpoint computations. Our past work includes a new approach for proving behavioral properties of numerical C programs using FramaC/Jessie , various examples of applications of that approach , the use of the Gappa solver for proving numerical algorithms , an approach to take architectures and compilers into account when dealing with floatingpoint programs , . We also contributed to the Handbook of FloatingPoint Arithmetic . A representative case study is the analysis and the proof of both the method error and the rounding error of a numerical analysis program solving the onedimension acoustic wave equation . Our experience led us to a conclusion that verification of numerical programs can benefit a lot from combining automatic and interactive theorem proving , . Certification of numerical programs is the other main axis of Toccata.
Our scientific programme in structured into four objectives:
deductive program verification;
automated reasoning;
formalization and certification of languages, tools and systems;
proof of numerical programs.
We detail these objectives below.
Permanent researchers: A. Charguéraud, S. Conchon, J.C. Filliâtre, C. Marché, G. Melquiond, A. Paskevich
This ecosystem is central in our work; it is displayed on Figure . The boxes in red background correspond to the tools we develop in the Toccata team.
The initial design of Why3 was presented in 2012 , . In the past years, the main improvements concern the specification language (such as support for higherorder logic functions ) and the support for provers. Several new interactive provers are now supported: PVS 6 (used at NASA), Isabelle2014 (planned to be used in the context of Ada program via Spark), and Mathematica. We also added support for new automated provers: CVC4, Metitarski, Metis, Beagle, Princess, and Yices2. More technical improvements are the design of a Coq tactic to call provers via Why3 from Coq, and the design of a proof session mechanism . Why3 was presented during several invited talks , , , .
At the level of the C frontend of Why3 (via FramaC), we have proposed an approach to add a notion of refinement on C programs , and an approach to reason about pointer programs with a standard logic, via separation predicates
The Ada frontend of Why3 has mainly been developed during the past three
years, leading to the release of SPARK2014 (http://
In collaboration with J. Almeida, M. Barbosa, J. Pinto, and B. Vieira (University do Minho, Braga, Portugal), J.C. Filliâtre has developed a method for certifying programs involving cryptographic methods. It uses Why as an intermediate language .
With M. Pereira and S. Melo de Sousa (Universidade da Beira Interior, Covilhã, Portugal), J.C. Filliâtre has developed an environment for proving ARM assembly code. It uses Why3 as an intermediate VC generator. It was presented at the Inforum conference (best student paper).
S. Conchon and A. Mebsout, in collaboration with F. Zaïdi (VALS team, LRI), A. Goel and S. Krstić (Strategic Cad Labs, INTEL) have proposed a new modelchecking approach for verifying safety properties of arraybased systems. This is a syntactically restricted class of parametrized transition systems with states represented as arrays indexed by an arbitrary number of processes. Cache coherence protocols and mutual exclusion algorithms are typical examples of such systems. It was first presented at CAV 2012 and detailed further . It was applied to the verification of programs with fences . The core algorithm has been extended with a mechanism for inferring invariants. This new algorithm, called BRAB, is able to automatically infer invariants strong enough to prove industrial cache coherence protocols. BRAB computes overapproximations of backward reachable states that are checked to be unreachable in a finite instance of the system. These approximations (candidate invariants) are then modelchecked together with the original safety properties. Completeness of the approach is ensured by a mechanism for backtracking on spurious traces introduced by too coarse approximations , .
In the context of the ERC DeepSea project
To provide an easy access to the case studies that we develop using
Why3 and its frontends, we have published a gallery of verified
programs on our web page
http://
Other case studies that led to publications are the design of a
library of datastructures based on
AVLs , and the verification a twolines
C program (solving the
A. Charguéraud, with F. Pottier (Inria Paris), extended their formalization of the correctness and asympotic complexity of the classic Union Find data structure, which features the bound expressed in terms of the inverse Ackermann function . The proof, conducted using CFML extended with time credits, was refined using a slightly more complex potential function, allowing to derive a simpler and richer interface for the data structure. A journal article is in preparation.
For other case studies, see also sections of numerical programs and formalization of languages and tools.
Several research groups in the world develop their own approaches, techniques, and tools for deductive verification. With respect to all these related approaches and tools, our originality is our will to use more sophisticated specification languages (with inductive definitions, higherorder features and such) and the ability to use a large set of various theorem provers, including the use of interactive theorem proving to deal with complex functional properties.
The RiSE
team
The KeY project
The “software engineering” group at Augsburg, Germany,
develops the KIV
system
The VeriFast
system
The Mobius Program Verification
Environment
The Lab for Automated Reasoning and Analysis
The TLA environment
The F* project
The KeY and KIV environments mentioned above are partly based on interactive theorem provers. There are other approaches on top of generalpurpose proof assistants for proving programs that are not purely functional:
The Ynot project
Frontends to Isabelle were developed to deal with simple sequential imperative programs or C programs . The L4verified project is built on top of Isabelle.
Permanent researchers: S. Conchon, G. Melquiond, A. Paskevich
J. C. Blanchette and A. Paskevich have designed an extension to the TPTP TFF (Typed Firstorder Form) format of theorem proving problems to support rank1 polymorphic types (also known as MLstyle parametric polymorphism) . This extension, named TFF1, has been incorporated in the TPTP standard.
S. Conchon defended his habilitation à diriger des recherches in December 2012. The memoir provides a useful survey of the scientific work of the past 10 years, around the SMT solving techniques, that led to the tools AltErgo and Cubicle as they are nowadays.
C. Dross, J. Kanig, S. Conchon, and A. Paskevich have proposed a generic framework for adding a decision procedure for a theory or a combination of theories to an SMT prover. This mechanism is based on the notion of instantiation patterns, or triggers, which restrict instantiation of universal premises and can effectively prevent a combinatorial explosion. A user provides an axiomatization with triggers, along with a proof of completeness and termination in the proposed framework, and obtains in return a sound, complete and terminating solver for his theory. A prototype implementation was realized on top of AltErgo. As a case study, a featurerich axiomatization of doublylinked lists was proved complete and terminating . C. Dross defended her PhD thesis in April 2014 . The main results of the thesis are: (1) a formal semantics of the notion of triggers typically used to control quantifier instantiation in SMT solvers, (2) a general setting to show how a firstorder axiomatization with triggers can be proved correct, complete, and terminating, and (3) an extended DPLL(T) algorithm to integrate a firstorder axiomatization with triggers as a decision procedure for the theory it defines. Significant case studies were conducted on examples coming from SPARK programs, and on the benchmarks on B set theory constructed within the BWare project.
S. Conchon, É. Contejean and M. Iguernelala have presented a modular extension of ground ACcompletion for deciding formulas in the combination of the theory of equality with userdefined AC symbols, uninterpreted symbols and an arbitrary signaturedisjoint Shostak theory X . This work extends the results presented in by showing that a simple preprocessing step allows to get rid of a full ACcompatible reduction ordering, and to simply use a partial multiset extension of a nonnecessarily ACcompatible ordering.
S. Conchon, M. Iguernelala, and A. Mebsout have designed a collaborative framework for reasoning modulo simple properties of nonlinear arithmetic . This framework has been implemented in the AltErgo SMT solver.
S. Conchon, G. Melquiond and C. Roux have described a dedicated procedure for a theory of floatingpoint numbers which allows reasoning on approximation errors. This procedure is based on the approach of the Gappa tool: it performs saturation of consequences of the axioms, in order to refine bounds on expressions. In addition to the original approach, bounds are further refined by a constraint solver for linear arithmetic . This procedure has been implemented in AltErgo.
In collaboration with A. Mahboubi (Inria projectteam Typical), and G. Melquiond, the group involved in the development of AltErgo have implemented and proved the correctness of a novel decision procedure for quantifierfree linear integer arithmetic . This algorithm tries to bridge the gap between projection and branching/cutting methods: it interleaves an exhaustive search for a model with bounds inference. These bounds are computed provided an oracle capable of finding constant positive linear combinations of affine forms. An efficient oracle based on the Simplex procedure has been designed. This algorithm is proved sound, complete, and terminating and is implemented in AltErgo.
Most of the results above are detailed in M. Iguernelala's PhD thesis .
We have been quite successful in the application of AltErgo to industrial development: qualification by Airbus France, integration of AltErgo into the Spark Pro toolset.
In the context of the BWare project, aiming at using Why3 and AltErgo for discharging proof obligations generated by Atelier B, we made progress into several directions. The method of translation of B proof obligations into Why3 goals was first presented at ABZ'2012 . Then, new drivers have been designed for Why3, in order to use new backend provers Zenon modulo and iProver modulo. A notion of rewrite rule was introduced into Why3, and a transformation for simplifying goals before sending them to backend provers was designed. Intermediate results obtained so far in the project were presented both at the French conference AFADL and at ABZ'2014 .
On the side of AltErgo, recent developments have been made to efficiently discharge proof obligations generated by Atelier B. This includes a new plugin architecture to facilitate experiments with different SAT engines, new heuristics to handle quantified formulas, and important modifications in its internal data structures to boost performances of core decision procedures. Benchmarks realized on more than 10,000 proof obligations generated from industrial B projects show significant improvements .
Hybrid automatons interleave continuous behaviors (described by differential equations) with discrete transitions. D. Ishii and G. Melquiond have worked on an automated procedure for verifying safety properties (that is, global invariants) of such systems .
Automated Theorem Proving is a large community, but several subgroups can be identified:
The SMTLIB community gathers people interested in reasoning
modulo theories. In this community, only a minority of participants are
interested in supporting firstorder quantifiers at the same time as
theories. SMT solvers that support quantifiers are Z3 (Microsoft
Research Redmond, USA), CVC3 and its successor CVC4
The TPTP community gathers people interested in firstorder theorem proving.
Other Inria teams develop provers: veriT by team Veridis, and Psyche by team Parsifal.
Other groups develop provers dedicated to very specific cases,
such as
Metitarski
It should be noticed that a large number of provers mentioned above are connected to Why3 as backends.
Permanent researchers: S. Boldo, A. Charguéraud, C. Marché, G. Melquiond, C. Paulin
S. Boldo, C. Lelay, and G. Melquiond have worked on the Coquelicot library, designed to be a userfriendly Coq library about real analysis , . An easier way of writing formulas and theorem statements is achieved by relying on total functions in place of dependent types for limits, derivatives, integrals, power series, and so on. To help with the proof process, the library comes with a comprehensive set of theorems and some automation. We have exercised the library on several use cases: on an exam at university entry level , for the definitions and properties of Bessel functions , and for the solution of the onedimensional wave equation . We have also conducted a survey on the formalization of real arithmetic and real analysis in various proof systems .
Watermarking techniques are used to help identify copies of publicly released information. They consist in applying a slight and secret modification to the data before its release, in a way that should remain recognizable even in (reasonably) modified copies of the data. Using the Coq Alea library, which formalizes probability theory and probabilistic programs, D. Baelde together with P. Courtieu, D. GrossAmblard from Rennes and C. Paulin have established new results about the robustness of watermarking schemes against arbitrary attackers . The technique for proving robustness is adapted from methods commonly used for cryptographic protocols and our work illustrates the strengths and particularities of the Alea style of reasoning about probabilistic programs.
P. Herms, together with C. Marché and B. Monate (CEA List), has developed a certified VC generator, using Coq. The program for VC calculus and its specifications are both written in Coq, but the code is crafted so that it can be extracted automatically into a standalone executable. It is also designed in a way that allows the use of arbitrary firstorder theorem provers to discharge the generated obligations . On top of this generic VC generator, P. Herms developed a certified VC generator for C source code annotated using ACSL. This work is the main result of his PhD thesis .
A. Tafat and C. Marché have developed a certified VC generator using Why3 , . The challenge was to formalize the operational semantics of an imperative language, and a corresponding weakest precondition calculus, without the possibility to use Coq advanced features such as dependent types or higherorder functions. The classical issues with local bindings, names and substitutions were solved by identifying appropriate lemmas. It was shown that Why3 can offer a significantly higher amount of proof automation compared to Coq.
A. Charguéraud, together with Alan Schmitt (Inria Rennes) and Thomas Wood (Imperial College), has developed an interactive debugger for JavaScript. The interface, accessible as a webpage in a browser, allows to execute a given JavaScript program, following step by step the formal specification of JavaScript developped in prior work on JsCert . Concretely, the tool acts as a doubledebugger: one can visualize both the state of the interpreted program and the state of the interpreter program. This tool is intended for the JavaScript committee, VM developpers, and other experts in JavaScript semantics.
M. Clochard, C. Marché, and A. Paskevich have developed a general setting for developing programs involving binders, using Why3. This approach was successfully validated on two case studies: a verified implementation of untyped lambdacalculus and a verified tableauxbased theorem prover .
M. Clochard, J.C. Filliâtre, C. Marché, and A. Paskevich have developed a case study on the formalization of semantics of programming languages using Why3 . This case study aims at illustrating recent improvements of Why3 regarding the support for higherorder logic features in the input logic of Why3, and how these are encoded into firstorder logic, so that goals can be discharged by automated provers. This case study also illustrates how reasoning by induction can be done without need for interactive proofs, via the use of lemma functions.
M. Clochard and L. Gondelman have developed a formalization of a simple compiler in Why3 . It compiles a simple imperative language into assembler instructions for a stack machine. This case study was inspired by a similar example developed using Coq and interactive theorem proving. The aim is to improve significantly the degree of automation in the proofs. This is achieved by the formalization of a Hoare logic and a Weakest Precondition Calculus on assembly programs, so that the correctness of compilation is seen as a formal specification of the assembly instructions generated.
The objective of formalizing languages and algorithms is very general, and it is pursued by several Inria teams. One common trait is the use of the Coq proof assistant for this purpose: Pi.r2 (development of Coq itself and its metatheory), Gallium (semantics and compilers of programming languages), Marelle (formalization of mathematics), SpecFun (real arithmetic), Celtique (formalization of static analyzers).
Other environments for the formalization of languages include
ACL2
system
Isabelle
environment
The team “Trustworthy Systems” at NICTA in
Australia
The PVS system
In the Toccata team, we do not see these alternative environments as competitors, even though, for historical reasons, we are mainly using Coq. Indeed both Isabelle and PVS are available as backends of Why3.
Permanent researchers: S. Boldo, C. Marché, G. Melquiond
Linked with objective 1 (Deductive Program Verification), the methodology for proving numerical C programs has been presented by S. Boldo in her habilitation and as invited speaker . An application is the formal verification of a numerical analysis program. S. Boldo, J.C. Filliâtre, and G. Melquiond, with F. Clément and P. Weis (POMDAPI team, Inria Paris  Rocquencourt), and M. Mayero (LIPN), completed the formal proof of the secondorder centered finitedifference scheme for the onedimensional acoustic wave .
Several challenging floatingpoint algorithms have been studied and proved. This includes an algorithm by Kahan for computing the area of a triangle: S. Boldo proved an improvement of its error bound and new investigations in case of underflow . This includes investigations about quaternions. They should be of norm 1, but due to the roundoff errors, a drift of this norm is observed over time. C. Marché determined a bound on this drift and formally proved it correct . P. Roux formally verified an algorithm for checking that a matrix is semidefinite positive . The challenge here is that testing semidefiniteness involves algebraic number computations, yet it needs to be implemented using only approximate floatingpoint operations.
Because of compiler optimizations (or bugs), the floatingpoint semantics of a program might change once compiled, thus invalidating any property proved on the source code. We have investigated two ways to circumvent this issue, depending on whether the compiler is a black box. When it is, T. Nguyen has proposed to analyze the assembly code it generates and to verify it is correct . On the contrary, S. Boldo and G. Melquiond (in collaboration with J.H. Jourdan and X. Leroy) have added support for floatingpoint arithmetic to the CompCert compiler and formally proved that none of the transformations the compiler applies modify the floatingpoint semantics of the program , .
Linked with objectives 2 (Automated Reasoning) and 3 (Formalization and Certification of Languages, Tools and Systems), G. Melquiond has implemented an efficient Coq library for floatingpoint arithmetic and proved its correctness in terms of operations on real numbers . It serves as a basis for an interval arithmetic on which Taylor models have been formalized. É. MartinDorel and G. Melquiond have integrated these models into CoqInterval . This Coq library is dedicated to automatically proving the approximation properties that occur when formally verifying the implementation of mathematical libraries (libm).
Double rounding occurs when the target precision of a floatingpoint computation is narrower than the working precision. In some situations, this phenomenon incurs a loss of accuracy. P. Roux has formally studied when it is innocuous for basic arithmetic operations . É. MartinDorel and G. Melquiond (in collaboration with J.M. Muller) have formally studied how it impacts algorithms used for errorfree transformations . These works were based on the Flocq formalization of floatingpoint arithmetic for Coq.
By combining multiprecision arithmetic, interval arithmetic, and massivelyparallel computations, G. Melquiond (in collaboration with G. Nowak and P. Zimmermann) has computed enough digits of the MasserGramain constant to invalidate a 30year old conjecture about its closed form .
This objective deals both with formal verification and floatingpoint arithmetic, which is quite uncommon. Therefore our competitors/peers are few. We may only cite the works by J. Duracz and M. Konečný, Aston University in Birmingham, UK.
The Inria team AriC (Grenoble  RhôneAlpes) is closer to our research interests, but they are lacking manpower on the formal proof side; we have numerous collaborations with them. The Inria team Caramel (Nancy  Grand Est) also shares some research interests with us, though fewer; again, they do not work on the formal aspect of the verification; we have some occasional collaborations with them.
There are many formalization efforts from chip manufacturers, such as AMD (using the ACL2 proof assistant) and Intel (using the Forte proof assistants) but the algorithms they consider are quite different from the ones we study. The works on the topic of floatingpoint arithmetic from J. Harrison at Intel using HOL Light are really close to our research interests, but they seem to be discontinued.
A few deductive program verification teams are willing to extend their tools toward floatingpoint programs. This includes the KeY project and SPARK. We have an ongoing collaboration with the latter, in the context of the ProofInUSe project.
Deductive verification is not the only way to prove programs. Abstract interpretation is widely used, and several teams are interested in floatingpoint arithmetic. This includes the Inria team Antique (Paris  Rocquencourt) and a CEA List team, who have respectively developed the Astrée and Fluctuat tools. This approach targets a different class of numerical algorithms than the ones we are interested in.
Other people, especially from the SMT community (cf objective 2), are also interested in automatically proving formulas about floatingpoint numbers, notably at Oxford University. They are mainly focusing on pure floatingpoint arithmetic though and do not consider them as approximation of real numbers.
Finally, it can be noted that numerous teams are working on the verification of numerical programs, but assuming the computations are real rather than floatingpoint ones. This is out of the scope of this objective.
The application domains we target involve safetycritical software, that is where a highlevel guarantee of soundness of functional execution of the software is wanted. Currently our industrial collaborations mainly belong to the domain of transportation, including aeronautics, railroad, space flight, automotive.
Transportation is the domain considered in the context of the ANR U3CAT project, led by CEA, in partnership with Airbus France, Dassault Aviation, Sagem Défense et Sécurité. It included proof of C programs via FramaC/Jessie/Why, proof of floatingpoint programs , the use of the AltErgo prover via CAVEAT tool (CEA) or FramaC/WP. Within this context, we contributed to a qualification process of AltErgo with Airbus industry: the technical documents (functional specifications and benchmark suite) have been accepted by Airbus, and these documents were submitted by Airbus to the certification authorities (DO178B standard) in 2012. This action is continued in the new project Soprano.
Aeronautics is the main target of the Verasco project, led by Verimag, on the development of certified static analyzers, in partnership with Airbus. This is a followup of the transfer of the CompCert certified compiler (Inria team Gallium) to which we contributed to the support of floatingpoint computations .
The former FUI project HiLite, led by Adacore company, introduced the use of Why3 and AltErgo as backend to SPARK2014, an environment for verification of Ada programs. This is applied to the domain of aerospace (Thales, EADS Astrium). At the very beginning of that project, AltErgo was added in the Spark Pro toolset (predecessor of SPARK2014), developed by AltranPraxis: AltErgo can be used by customers as an alternate prover for automatically proving verification conditions. Its usage is described in the new edition of the Spark book (Chapter “Advanced proof tools”). This action is continued in the new joint laboratory ProofInUse. A recent paper provides an extensive list of applications of SPARK, a major one being the British air control management iFacts.
In the current ANR project BWare, we investigate the use of Why3 and
AltErgo as an alternative backend for checking proof obligations
generated by Atelier B, whose main applications are
railroadrelated
software
S. Conchon (with A. Mebsout
and F. Zaidi from VALS team at LRI) has a longterm collaboration
with S. Krstic and A. Goel (Intel Strategic Cad Labs in Hillsboro,
OR, USA) that aims in the development of the SMTbased model checker
Cubicle (http://
Apart from transportation, energy is naturally an application in particular with our longterm partner CEA, in the context of U3CAT and Soprano projects. We also indirectly target communications and data, in particular in contexts with a particular need for security or confidentiality: smart phones, Web applications, health records, electronic voting, etc. These are part of the applications of SPARK , including verification of securityrelated properties, including cryptographic algorithms. Also, our new AJACS project addresses issues related to security and privacy in web applications written in Javascript, also including correctness properties.
S. Conchon: coorganizes POPL'2017 (January, Paris, http://
Major Int. Conference on Foundations of Programming Language, Semantics, Type Systems, Formal Proof Techniques
[April 2016] Martin Clochard, Léon Gondelman, Mário Pereira: jointly receive the "Best student team" award of the VerifyThis@ETAPS2016 verification competition
[July 2016] S. Boldo: Best Talk Award at workshop NSV Computing a correct and tight rounding error bound using roundingtonearest
Automated theorem prover for software verification
Keywords: Software Verification  Automated theorem proving
Functional Description
AltErgo is an automatic solver of formulas based on SMT technology. It is especially designed to prove mathematical formulas generated by program verification tools, such as FramaC for C programs, or SPARK for Ada code. Initially developed in Toccata research team, AltErgo's distribution and support are provided by OCamlPro since September 2013.
Participants: Sylvain Conchon, Evelyne Contejean, Mohamed Iguernelala, Stephane Lescuyer and Alain Mebsout
Partner: OCamlPro
Contact: Sylvain Conchon
Interactive program verification using characteristic formulae
Keywords: Coq  Software Verification  Deductive program verification  Separation Logic
Functional Description
The CFML tool supports the verification of OCaml programs through interactive Coq proofs. CFML proofs establish the full functional correctness of the code with respect to a specification. They may also be used to formally establish bounds on the asymptotic complexity of the code. The tool is made of two parts: on the one hand, a characteristic formula generator implemented as an OCaml program that parses OCaml code and produces Coq formulae, and, on the other hand, a Coq library that provides notation and tactics for manipulating characteristic formulae interactively in Coq.
Contact: Arthur Chargueraud
Keywords: Proof  Certification  Formalisation
Functional Description
Coq provides both a dependentlytyped functional programming language and a logical formalism, which, altogether, support the formalisation of mathematical theories and the specification and certification of properties of programs. Coq also provides a large and extensible set of automatic or semiautomatic proof methods. Coq's programs are extractible to OCaml, Haskell, Scheme, ...
Participants: Benjamin Gregoire, Enrico Tassi, Bruno Barras, Yves Bertot, Pierre Boutillier, Xavier Clerc, Pierre Courtieu, Maxime Denes, Stephane Glondu, Vincent Gross, Hugo Herbelin, Pierre Letouzey, Assia Mahboubi, Julien Narboux, JeanMarc Notin, Christine PaulinMohring, PierreMarie Pedrot, Loic Pottier, Matthias Puech, Yann RegisGianas, François Ripault, Matthieu Sozeau, Arnaud Spiwack, PierreYves Strub, Benjamin Werner, Guillaume Melquiond and JeanChristophe Filliatre
Partners: CNRS  ENS Lyon  Université ParisDiderot  Université ParisSud
Contact: Hugo Herbelin
URL: http://
Interval package for Coq
Keywords: Interval arithmetic  Coq
Functional Description
CoqInterval is a library for the proof assistant Coq. CoqInterval provides a method for proving automatically the inequality of two expression of real values.
The Interval package provides several tactics for helping a Coq user to prove theorems on enclosures of realvalued expressions. The proofs are performed by an interval kernel which relies on a computable formalization of floatingpoint arithmetic in Coq.
The Marelle team developed a formalization of rigorous polynomial approximation using Taylor models inside the Coq proof assistant, with a special focus on genericity and efficiency for the computations. In 2014, this library has been included in CoqInterval.
Participants: Guillaume Melquiond, Erik Martin Dorel, Nicolas Brisebarre, Miora Maria Joldes, Micaela Mayero, Jean Michel Muller, Laurence Rideau and Laurent Thery
Contact: Guillaume Melquiond
The Coquelicot library for real analysis in Coq
Keywords: Coq  Real analysis
Functional Description
Coquelicot is library aimed for supporting real analysis in the Coq proof assistant. It is designed with three principles in mind. The first is the userfriendliness, achieved by implementing methods of automation, but also by avoiding dependent types in order to ease the stating and readability of theorems. This latter part was achieved by defining total function for basic operators, such as limits or integrals. The second principle is the comprehensiveness of the library. By experimenting on several applications, we ensured that the available theorems are enough to cover most cases. We also wanted to be able to extend our library towards more generic settings, such as complex analysis or Euclidean spaces. The third principle is for the Coquelicot library to be a conservative extension of the Coq standard library, so that it can be easily combined with existing developments based on the standard library.
Participants: Sylvie Boldo, Catherine Lelay and Guillaume Melquiond
Contact: Sylvie Boldo
The Cubicle model checker modulo theories
Keywords: Model Checking  Software Verification
Functional Description
Cubicle is an open source model checker for verifying safety properties of arraybased systems, which corresponds to a syntactically restricted class of parametrized transition systems with states represented as arrays indexed by an arbitrary number of processes. Cache coherence protocols and mutual exclusion algorithms are typical examples of such systems.
Participants: Sylvain Conchon and Alain Mebsout
Contact: Sylvain Conchon
The Flocq library for formalizing floatingpoint arithmetic in Coq
Keywords: Floatingpoint  Arithmetic code  Coq
Functional Description
The Flocq library for the Coq proof assistant is a comprehensive formalization of floatingpoint arithmetic: core definitions, axiomatic and computational rounding operations, highlevel properties. It provides a framework for developers to formally certify numerical applications.
Flocq is currently used by the CompCert certified compiler for its support of floatingpoint computations.
Participants: Guillaume Melquiond and Sylvie Boldo
Contact: Sylvie Boldo
The Gappa tool for automated proofs of arithmetic properties
Keywords: Floatingpoint  Arithmetic code  Software Verification  Constraint solving
Functional Description
Gappa is a tool intended to help verifying and formally proving properties on numerical programs dealing with floatingpoint or fixedpoint arithmetic. It has been used to write robust floatingpoint filters for CGAL and it is used to certify elementary functions in CRlibm. While Gappa is intended to be used directly, it can also act as a backend prover for the Why3 software verification plateform or as an automatic tactic for the Coq proof assistant.
Contact: Guillaume Melquiond
The Why3 environment for deductive verification
Keywords: Formal methods  Trusted software  Software Verification  Deductive program verification
Functional Description
Why3 is an environment for deductive program verification. It provides a rich language for specification and programming, called WhyML, and relies on external theorem provers, both automated and interactive, to discharge verification conditions. Why3 comes with a standard library of logical theories (integer and real arithmetic, Boolean operations, sets and maps, etc.) and basic programming data structures (arrays, queues, hash tables, etc.). A user can write WhyML programs directly and get correctbyconstruction OCaml programs through an automated extraction mechanism. WhyML is also used as an intermediate language for the verification of C, Java, or Ada programs.
Participants: JeanChristophe Filliatre, Claude Marche, Guillaume Melquiond, Andriy Paskevych, François Bobot, Martin Clochard and Levs Gondelmans
Partners: CNRS  Université ParisSud
Contact: Claude Marche
URL: http://
C. Fumex and C. Marché developed a new library for bitvectors,
in Why3 and SPARK. This library is rich enough for the formal
specification of functional behavior of programs that operate at
the level of bits. It is also designed to exploit efficiently the
support for bitvectors builtin in some SMT solvers. This work is
done in the context of the ProofInUse joint laboratory. The SPARK
frontend of Why3, for the verification of Ada programs, is
extended to exploit this new bitvector theory. Several cases
studies are conducted: efficient search for rightmost bit of a
bitvector, efficient computation of the number of bits set to 1,
efficient solving of the
D. Hauzar and C. Marché worked on counterexample generation from failed proof attempts. They designed a new approach for generating potential counterexamples in the deductive verification setting, and implemented in Why3. When the logic goal generated for a given verification condition is not shown unsatisfiable by an SMT solvers, some solver can propose a model. By carefully reverting the transformation chain (from an input program through the VC generator and the various translation steps to solvers), this model is turned into a potential counterexample that the user can exploit to analyze why its original code is not proved. The approach is implemented in the chain from Ada programs through SPARK, Why3, and SMT solvers CVC4 and Z3. This work is described in a research report and a paper was rpesented at the SEFM Conference . The work on the implementation was continued by S. Dailler. It was considered robust enough to be distributed in the release Pro 16 of SPARK.
C. Marché, together with Y. Moy from AdaCore, J. Signoles and N. Kosmatov from CEALIST, wrote a survey paper about the design of the specification languages of Why3 and its frontends FramaC and SPARK. The choices made when designing these specification languages differ significantly, in particular with respect to the executability of specifications. The paper reviews these differences and the issues that result from these choices. The paper also emphasizes two aspects where static and dynamic aspects of the specifications play an important role: the specific feature of ghost code, and the techniques that help users understand why static verification fails. This paper was presented at the Isola Symposium .
A. Charguéraud investigated how to formalize in Separation Logic representation predicates for describing mutable container data structures that store mutable elements that are themselves described using representation predicates. (In Separation Logic, representation predicates are used to describe mutable data structures, by establishing a relationship between the entry point of the structure, the piece of heap over which this structure spans, and the logical model associated with the structure.) The solution proposed, based on “higherorder representation predicates”, allows for concise specifications of such containers. A. Charguéraud has published a paper presenting, through a collection of practical examples, solutions to the challenges associated with verification proofs based on higherorder representation predicates .
A. Charguéraud and François Pottier (Inria Paris) have developed an extension of Separation Logic with temporary readonly permissions. This mechanism allows to temporarily convert any assertion (or “permission”) to a readonly form. Unlike with fractional permissions, no accounting is required: the proposed readonly permissions can be freely duplicated and discarded. Where mutable data structures are temporarily accessed only for reading, the proposed readonly permissions enable more concise specifications and proofs. All the metatheory is verified in Coq. An article has been submitted to a conference .
J.C. Filliâtre and M. Pereira proposed a new approach to the problem of specifying iteration, verifying iterators (such as cursors or higherorder functions), and using iterators. The idea is to characterize the sequence of elements enumerated so far, and only those. The proof methodology is modular, iterator implementations and clients being verified independently of each other. The proposed method is validated experimentally in Why3. This work has been published first at JFLA 2016 and then at NFM 2016 . A journal version of this work is under submission.
J.C. Filliâtre and M. Pereira proposed a new approach to the verification of higherorder programs, using the technique of defunctionalization, that is, the translation of firstclass functions into firstorder values. This is an early experimental work, conducted on examples only within the Why3 system. This work has been published at JFLA 2017 .
J.C. Filliâtre, L. Gondelman, and A. Paskevich proposed a practical method to track pointer aliases statically in a large family of computer programs. Their approach relies on a special type system with singleton regions and effects which both can be inferred automatically, without requiring additional user annotations. This kind of static analysis is important for deductive program verification, since it allows us to construct verification conditions using the traditional rules in the spirit of Hoare and Dijkstra, without recurring to more sophisticated solutions (memory models, separation logic) which incur additional complexity both for a user and a verification tool. The proposed method is implemented in Why3 and described in a technical report .
J.C. Filliâtre, L. Gondelman, and A. Paskevich published a paper on a general approach to the concept of ghost code in the journal of Formal Methods in System Design . Ghost code is a subset of program code that serves the purposes of specification and verification: it can be erased from the program without affecting its result. This work forms the basis of the support for ghost code in Why3. This work is an extended version of the paper presented at the 26th International Conference on Computer Aided Verification (CAV) in 2014.
C. Dross, A. Paskevich, J. Kanig and S. Conchon published a paper in the Journal of Automated Reasoning about integration of firstorder axiomatizations with triggers as decision procedures in an SMT solver. This work extends a part of C. Dross PhD thesis . A formal semantics of the notion of trigger is presented, with a general setting to show how a firstorder axiomatization with triggers can be proved correct, complete, and terminating. An extended DPLL(T) algorithm can then integrate such an axiomatization with triggers, as a decision procedure for the theory it defines.
M. Clochard designed an extension of firstorder logic, for describing reasoning steps needed to discharge a proof obligation. The extension is under the form of two new connectives, called proof indications, that allow the user to encode reasoning steps inside a logic formula. This extension makes possible to use the syntax of formulas as a proof language. The approach was presented at the JFLA conference and implemented in Why3. It brings a lightweight mechanism for declarative proofs in an environment like Why3 where provers are used as black boxes. Moreover, this mechanism restricts the scope of auxiliary lemmas, reducing the size of proof obligations sent to external provers.
M. Clochard,
L. Gondelman and M. Pereira wrote a paper describing a complete
solution for the first challenge of the VerifyThis 2016
competition held at the 18th ETAPS Forum, where they obtain the
award for the best student team. Two variants for the
multiplication of matrices are presented and proved: a naive
version using three nested loops and Strassen's algorithm. To
formally specify the two multiplication algorithms, they developed
a new Why3 theory of matrices, and they applied a reflection
methodology to condut some of the proofs. This work was presented
at the VSTTE Conference . An extended
version that considers arbitrary rectangular martices instead of
square ones is in preparation. The development is available at
http://
J.C. Filliâtre and M. Pereira presented the first formal proof of an implementation of Koda and Ruskey's algorithm (an algorithm for generating all ideals of a forest poset as a Gray code) at VSTTE 2016 . The proof is conducted within the Why3 system and is mostly automatic.
S. Boldo, F. Clément, F. Faissole, V. Martin, and M. Mayero have worked on a Coq formal proof of the Lax–Milgram theorem. The Finite Element Method is a widelyused method to solve numerical problems coming for instance from physics or biology. To obtain the highest confidence on the correction of numerical simulation programs implementing the Finite Element Method, one has to formalize the mathematical notions and results that allow to establish the soundness of the method. The Lax–Milgram theorem may be seen as one of those theoretical cornerstones: under some completeness and coercivity assumptions, it states existence and uniqueness of the solution to the weak formulation of some boundary value problems. This article presents the full formal proof of the Lax–Milgram theorem in Coq. It requires many results from linear algebra, geometry, functional analysis , and Hilbert spaces. This has been published at the 6th ACM SIGPLAN Conference on Certified Programs and Proofs (CPP 2017) .
The ALEA library uses a monadic construction to formalize discrete measure theory. F. Faissole and B. Spitters proposed to extend it to continuous datatypes. They used both synthetic topology and homotopy type theory to achieve the formalization. This work is presented at the Workshop on Coq for Programming Languages .
R. Chen and J.J. Lévy designed a formal proof of Tarjan's
algorithm for computing the strongly connected component of a
directed graph. The proof is conducted using Why3. This work is
presented at the JFLA conference . This
case study is part of a larger set of case studies on algorithms
on graphs http://
R. Chen, M. Clochard and C.Marché designed a formal proof of an algorithm for resolving a pathname in Unix file systems. The proof is conducted using Why3 . This case study is part of the CoLiS project.

É. MartinDorel and G. Melquiond have worked on integrating the CoqInterval and CoqApprox libraries into a single package. The CoqApprox library is dedicated to computing verified Taylor models of univariate functions so as to compute approximation errors. The CoqInterval library reuses this work to automatically prove bounds on realvalued expressions. A large formalization effort took place during this work, so as to get rid of all the holes remaining in the formal proofs of CoqInterval. It was also the chance to perform a comparison between numerous decision procedures dedicated to proving nonlinear inequalities involving elementary functions. This work has been published in the Journal of Automated Reasoning .
A. Mahboubi, G. Melquiond, and T. SibutPinote have extended the CoqInterval library with support for definite univariate integrals. The library is now able to automatically and formally verify bounds on the value of integrals by computing rigorous polynomial approximations of integrands. This work has been presented at the 7th International Conference on Interactive Theorem Proving .
S. Boldo, S.Graillat, and J.M. Muller have worked on the 2Sum and Fast2Sum algorithms, that are important building blocks in numerical computing. They are used (implicitely or explicitely) in many compensated algorithms or for manipulating floatingpoint expansions. They showed that these algorithms are much more robust than it is usually believed: the returned result makes sense even when the rounding function is not roundtonearest, and they are almost immune to overflow. This work has been submitted .
S. Boldo has created an algorithm to compute a correct and
tight rounding error bound for a floatingpoint computation. The
rounding error can be bounded by folklore formulas, such as
S. Boldo has worked on the formal verification of a floatingpoint case study where the common iterators fold_left and fold_right have not the wanted behaviors. She then had to define other iterators, which are very similar in most cases, but that do behave well in our case study. This has been published at the 1st Workshop on HighConsequence Control Verification .
ProofInUse is a joint project between the Toccata team and the
SME AdaCore. It was selected and funded by the ANR programme
“Laboratoires communs”, starting from April 2014, for 3 years
http://
The SME AdaCore is a software publisher specializing in providing software development tools for critical systems. A previous successful collaboration between Toccata and AdaCore enabled Why3 technology to be put into the heart of the AdaCoredeveloped SPARK technology.
The goal is now to promote and transfer the use of deductionbased verification tools to industry users, who develop critical software using the programming language Ada. The proof tools are aimed at replacing or complementing the existing test activities, whilst reducing costs.
ELFIC is a working group of the Digicosme Labex. S. Boldo is the
principal investigator. It began in 2014 for one year and was
extended for one year. https://
The ELFIC project focuses on proving the correctness of the FELiScE (Finite Elements for Life Sciences and Engineering) C++ library which implements the finite element method for approximating solutions to partial differential equations. Finite elements are at the core of numerous simulation programs used in industry. The formal verification of this library will greatly increase confidence in all the programs that rely on it. Verification methods developed in this project will be a breakthrough for the finite element method, but more generally for the reliability of critical software relying on intricate numerical algorithms.
Partners: Inria team Pomdapi; Ecole Polytechnique, LIX; CEA LIST; Université Paris 13, LIPN; UTC, LMAC (Compiègne).
ELEFFAN is a Digicosme project funding the PhD of
F. Faissole. S. Boldo is the principal investigator. It began in 2016
for three years. https://
The ELEFFAN project aims at formally proving rounding error bounds of numerical schemes.
Partners: ENSTA Paristech (A. Chapoutot)
The CoLiS research project is funded by the programme “Société de
l'information et de la communication” of the ANR, for a period of
48 months, starting on October 1st,
2015. http://
The project aims at developing formal analysis and verification techniques and tools for scripts. These scripts are written in the POSIX or bash shell language. Our objective is to produce, at the end of the project, formal methods and tools allowing to analyze, test, and validate scripts. For this, the project will develop techniques and tools based on deductive verification and tree transducers stemming from the domain of XML documents.
Partners: Université ParisDiderot, IRIF laboratory (formerly PPS & LIAFA), coordinator ; Inria Lille, team LINKS
The Vocal research project is funded by the programme “Société de
l'information et de la communication” of the ANR, for a period of 48
months, starting on October 1st, 2015. https://
The goal of the Vocal project is to develop the first formally verified library of efficient generalpurpose data structures and algorithms. It targets the OCaml programming language, which allows for fairly efficient code and offers a simple programming model that eases reasoning about programs. The library will be readily available to implementers of safetycritical OCaml programs, such as Coq, Astrée, or FramaC. It will provide the essential building blocks needed to significantly decrease the cost of developing safe software. The project intends to combine the strengths of three verification tools, namely Coq, Why3, and CFML. It will use Coq to obtain a common mathematical foundation for program specifications, as well as to verify purely functional components. It will use Why3 to verify a broad range of imperative programs with a high degree of proof automation. Finally, it will use CFML for formal reasoning about effectful higherorder functions and data structures making use of pointers and sharing.
Partners: team Gallium (Inria ParisRocquencourt), team DCS (Verimag), TrustInSoft, and OCamlPro.
The AJACS research project is funded by the programme “Société de l'information
et de la communication” of the ANR, for a period of 42
months, starting on October 1st, 2014. http://
The goal of the AJACS project is to provide strong security and privacy guarantees on the client side for web application scripts implemented in JavaScript, the most widely used language for the Web. The proposal is to prove correct analyses for JavaScript programs, in particular information flow analyses that guarantee no secret information is leaked to malicious parties. The definition of sublanguages of JavaScript, with certified compilation techniques targeting them, will allow deriving more precise analyses. Another aspect of the proposal is the design and certification of security and privacy enforcement mechanisms for web applications, including the APIs used to program realworld applications. On the Toccata side, the focus will be on the formalization of secure subsets of JavaScript, and on the mechanization of proofs of translations from highlevel languages into JavaScript.
Partners: team Celtique (Inria Rennes  Bretagne Atlantique), team Prosecco (Inria Paris  Rocquencourt), team Indes (Inria Sophia Antipolis  Méditerranée), and Imperial College (London).
This is a research project funded by the programme “Ingénierie
Numérique & Sécurité” of the ANR. It is funded for a period of
48 months and it has started on October 1st,
2014. http://
Our aim is to develop computeraided proofs of numerical values, with certified and reasonably tight error bounds, without sacrificing efficiency. Applications to zerofinding, numerical quadrature or global optimization can all benefit from using our results as building blocks. We expect our work to initiate a "fast and reliable" trend in the symbolicnumeric community. This will be achieved by developing interactions between our fields, designing and implementing prototype libraries and applying our results to concrete problems originating in optimal control theory.
Partners: team ARIC (Inria Grenoble RhôneAlpes), team MARELLE (Inria Sophia Antipolis  Méditerranée), team SPECFUN (Inria Saclay  ÎledeFrance), Université Paris 6, and LAAS (Toulouse).
The Soprano research project is funded by the programme “Sciences et
technologies logicielles” of the ANR, for a period of
42 months, starting on October 1st, 2014. http://
The SOPRANO project aims at preparing the next generation of verificationoriented solvers by gathering experts from academia and industry. We will design a new framework for the cooperation of solvers, focused on model generation and borrowing principles from SMT (current standard) and CP (wellknown in optimization). Our main scientific and technical objectives are the following. The first objective is to design a new collaboration framework for solvers, centered around synthesis rather than satisfiability and allowing cooperation beyond that of NelsonOppen while still providing minimal interfaces with theoretical guarantees. The second objective is to design new decision procedures for industryrelevant and hardtosolve theories. The third objective is to implement these results in a new opensource platform. The fourth objective is to ensure industrialadequacy of the techniques and tools developed through periodical evaluations from the industrial partners.
Partners: team DIVERSE (Inria Rennes  Bretagne Atlantique), Adacore, CEA List, Université ParisSud, and OCamlPro.
The CAFEIN research project is funded by the programme “Ingénierie
Numérique & Sécurité” of the ANR, for a period
of 3 years, starting on February 1st, 2013.
https://
This project addresses the formal verification of functional properties at specification level, for safety critical reactive systems. In particular, we focus on command and control systems interacting with a physical environment, specified using the synchronous language Lustre.
A first goal of the project is to improve the level of automation of formal verification, by adapting and combining existing verification techniques such as SMTbased temporal induction, and abstract interpretation for invariant discovery. A second goal is to study how knowledge of the mathematical theory of hybrid command and control systems can help the analysis at the controller's specification level. Third, the project addresses the issue of implementing real valued specifications in Lustre using floatingpoint arithmetic.
Partners: ONERA, CEA List, ENSTA, teams Maxplus (Inria Saclay  ÎledeFrance), team Parkas (Inria Paris  Rocquencourt), Perpignan University, Prover Technology, Rockwell Collins.
The BWare research project is funded by the programme “Ingénierie
Numérique & Sécurité” of the ANR, a period of 4
years, starting on September 1st, 2012. http://
BWare is an industrial research project that aims to provide a mechanized framework to support the automated verification of proof obligations coming from the development of industrial applications using the B method and requiring high guarantee of confidence. The methodology used in this project consists of building a generic platform of verification relying on different theorem provers, such as firstorder provers and SMT solvers. The variety of these theorem provers aims at allowing a wide panel of proof obligations to be automatically verified by the platform. The major part of the verification tools used in BWare have already been involved in some experiments, which have consisted in verifying proof obligations or proof rules coming from industrial applications . This therefore should be a driving factor to reduce the risks of the project, which can then focus on the design of several extensions of the verification tools to deal with a larger amount of proof obligations.
The partners are: Cedric laboratory at CNAM (CPR Team, project leader); teams Gallium and Deducteam (Inria Paris  Rocquencourt) ; Mitsubishi Electric R&D Centre Europe, ClearSy (the company which develops and maintains Atelier B), and the startup OCamlPro.
The Verasco research project is funded by the programme “Ingénierie
Numérique & Sécurité” of the ANR, for a period of 4
years and a half, starting on January 1st, 2012. Project website:
http://
The main goal of the project is to investigate the formal verification of static analyzers and of compilers, two families of tools that play a crucial role in the development and validation of critical embedded software. More precisely, the project aims at developing a generic static analyzer based on abstract interpretation for the C language, along with a number of advanced abstract domains and domain combination operators, and prove the soundness of this analyzer using the Coq proof assistant. Likewise, the project keeps working on the CompCert C formallyverified compiler, the first realistic C compiler that has been mechanically proved to be free of miscompilation, and carry it to the point where it could be used in the critical software industry.
Partners: teams Gallium and Abstraction (Inria Paris  Rocquencourt), Airbus avionics and simulation (Toulouse), IRISA (Rennes), Verimag (Grenoble).
LCHIP (Low Cost High Integrity Platform) is aimed at easing the
development of safety critical applications (up to SIL4) by
providing: (i) a complete IDE able to automatically generate and
prove bounded complexity software (ii) a low cost, safe execution
platform. The full support of DSLs and third party code generators
will enable a seamless deployment into existing development cycles.
LCHIP gathers scientific results obtained during the last 20 years
in formal methods, proof, refinement, code generation, etc. as well
as a unique return of experience on safety critical systems design.
http://
Partners: 2 technology providers (ClearSy, OcamlPro), in charge of building the architecture of the platform ; 3 labs (IFSTTAR, LIP6, LRI), to improve LCHIP IDE features ; 2 large companies (SNCF, RATP), representing public ordering parties, to check compliance with standard and industrial railway usecase.
The project lead by ClearSy has started in April 2016 and lasts 3 years. It is funded by BpiFrance as well as French regions.
Verification of parameterized distributed systems, 20162021.
Partners: Université Paris VI  Université Paris XI  Inria NANCY
Project acronym: ERC Deepsea
Project title: Parallel dynamic computations
Duration: Jun. 2013  Jun. 2018
Coordinator: Umut A. Acar
Other partners: Carnegie Mellon University
Abstract:
The objective of this project is to develop abstractions, algorithms and languages
for parallelism and dynamic parallelism with applications to problems
on large data sets.
Umut A. Acar (affiliated to Carnegie Mellon University and Inria Paris  Rocquencourt)
is the principal investigator of this ERCfunded project.
The other main researchers involved are
Mike Rainey (Inria, Gallium team), who is fulltime on the project,
and Arthur Charguéraud (Inria, Toccata team), who works
40% of his time to the project.
Project website: http://
Program: COST (European Cooperation in Science and Technology).
Project acronym: EUTypes https://
Project title: The European research network on types for programming and verification
Duration: 20152019
Coordinator: Herman Geuvers, Radboud University Nijmegen, The Netherlands
Other partners: 36 members countries, see http://
Abstract: Types are pervasive in programming and information technology. A type defines a formal interface between software components, allowing the automatic verification of their connections, and greatly enhancing the robustness and reliability of computations and communications. In rich dependent type theories, the full functional specification of a program can be expressed as a type. Type systems have rapidly evolved over the past years, becoming more sophisticated, capturing new aspects of the behaviour of programs and the dynamics of their execution.
This COST Action will give a strong impetus to research on type theory and its many applications in computer science, by promoting (1) the synergy between theoretical computer scientists, logicians and mathematicians to develop new foundations for type theory, for example as based on the recent development of "homotopy type theory”, (2) the joint development of type theoretic tools as proof assistants and integrated programming environments, (3) the study of dependent types for programming and its deployment in software development, (4) the study of dependent types for verification and its deployment in software analysis and verification. The action will also tie together these different areas and promote crossfertilisation.
Imperial College London (UK)
Certification of JavaScript, AJACS project
Ran Chen is a PhD student from Institute of Software (Chinese Academy of Sciences, Beijing, China) visiting the team for 10 months under the supervision of C. Marché and J.J. Lévy (PiR2 team, Inria Paris). She is working on the formal verification of graphs algorithms, and also in the context of the CoLiS project on verification of some aspects of the Unix file system and shell scripts.
Cláudio Belo Lourenço is a PhD student from Universidade do Minho, Portugal. He studies deductive verification of imperative programs and the behaviour of different kinds of verification condition generators . The goal of his visit is to use Why3 as a platform for prototyping and experimental evaluation of these generators.
F. Faissole has spent two months visiting B. Spitters at Aarhus University (Denmark) They proposed an extension of ALEA library to continuous datatypes..
M. Roux has spent three months with D. Jovanovic and
B. Dutertre at SRI (California, USA). They worked on extending
Sally, the new model checker of SRI based on SAL, to add the
verification of parameterized cache coherence protocols. The
software can be found on https://
S. Conchon has been invited a month at SRI by D. Jovanovic. During this visit, he has collaborated with CSL researchers to compare the design and implementation choices between the model checkers Sally and Cubicle.
S. Boldo, vicepresident of the 28th “Journées Francophones des Langages Applicatifs” (JFLA 2017)
J.C. Filliâtre, organizer of EJCP (École Jeunes
Chercheurs en Programmation du GDR GPL) at Lille on June
27–July 1, 2016. 42 participants. http://
A. Paskevich, program chair of the 9th Working Conference on Verified Software: Theories, Tools, and Experiments (VSTTE 2017), in collaboration with Thomas Wies (NYU).
S. Conchon, local chair for the 44th ACM SIGPLANSIGACT Symposium on Principles of Programming Languages (POPL 2017), held in Paris, France in January 2017.
G. Melquiond, web chair for the 23rd IEEE Symposium on Computer Arithmetic (Arith 23), held in Silicon Valley, USA in July 2016.
S. Boldo, member of the organization committee of the Inria Scientific Days in Rennes (June 2016).
S. Boldo, PC of the 23rd IEEE Symposium on Computer Arithmetic (ARITH 2016).
S. Boldo, PC of the 9th International Workshop on Numerical Software Verification (NSV 2016).
S. Boldo, PC of the 1st Workshop on HighConsequence Control Verification (HCCV 2016).
S. Boldo, PC of the 27th “Journées Francophones des Langages Applicatifs” (JFLA 2016).
A. Charguéraud, PC of the International Workshop on Hammers for Type Theories (HaTT 2016).
A. Charguéraud, PC of the Workshop on ML (ML 2016).
G. Melquiond, PC of the 3rd International Workshop on Coq for Programming Languages (CoqPL 2017).
The members of the Toccata team have reviewed papers for numerous international conferences.
G. Melquiond is a member of the editorial board of Reliable Computing.
S. Boldo is member of the editorial board of Binaire
http://
J.C. Filliâtre is member of the editorial board of the Journal of Functional Programming.
C. Paulin is member of the editorial board of the Journal of Formalized Reasoning.
The members of the Toccata team have reviewed numerous papers for numerous international journals.
S. Boldo gave an invited lecture at Effective Analysis: Foundations, Implementations, Certification in January 2016 at Marseille, France.
S. Boldo gave a keynote talk in Cambridge at a local workshop about Testing and Verification in Computational Science.
A. Charguéraud gave an invited talk at the Royal Society specialist meeting “Verified trustworthy software systems”, presenting an interactive interpreter for the semantics of JavaScript, in London, on April 7th.
S. Conchon gave an invited lecture “Model Checking Modulo
Theories with Cubicle” at the 2016 edition of the School for Junior
Researchers in Programming (École Jeunes Chercheurs en
Programmation, EJCP 2016, http://
A. Paskevich gave an invited lecture “Deductive Program
Verification using Why3” at the 2016 edition of the School for Junior
Researchers in Programming (École Jeunes Chercheurs en
Programmation, EJCP 2016, http://
C. Paulin, scientific leader of Labex DigiCosme
http://
C. Paulin, dean of the Faculty of Sciences of Université ParisSud, since July 2016.
S. Boldo, member of the reviewing board for the ANR (first step in 2016).
S. Boldo, member of the 2016 committee for the Gilles Kahn PhD award of the French Computer Science Society.
S. Conchon and A. Paskevich, members of the “commission consultative de spécialistes de l'université”, Section 27, University ParisSud since December 2014.
C. Marché, president of the evaluation committee of the joint
DigiteoDigiCosme call for projects
https://
C. Marché, member of the scientific commission of InriaSaclay, in charge of selecting candidates for PhD grants, Postdoc grants, temporary leaves from universities (“délégations”)
C. Marché, member of the “Bureau du Comité des Projets” of InriaSaclay, in charge of examining proposals for creation of new Inria projectteams.
C. Marché, member of a hiring committee for an associate professor position in computer science at CNAM, Paris, France. (sepoct 2016)
S. Boldo, member of the CCD, commission consultative des doctorants.
S. Boldo, member of the CLFP, comité local de formation permanente.
S. Boldo, scientific head for Saclay for the MECSI group for networking about computer science popularization inside Inria.
A. Charguéraud is vicepresident of Franceioi, a nonprofit organization in charge of the selection and the training of the French team to the International Olympiads in Informatics (IOI). Franceioi also provides online exercises in programming and algorithmics—in average, over 100,000 such exercises are solved every month on the website.
A. Charguéraud is a board member of the nonprofit organization Animath, which aims at developing interest in mathematics among young students.
A. Charguéraud and G. Melquiond are members of the committee for the monitoring of PhD students (“commission de suivi des doctorants”).
J.C. Filliâtre is correcteur au concours d'entrée à l'École Polytechnique et aux ENS (computer science examiner for the entrance exam at École Polytechnique and Écoles Normales Supérieures) since 2008.
C. Marché, director of the ProofInUse Joint Laboratory between
Inria and AdaCore, http://
C. Paulin, member of the “commission consultative de spécialistes de l'université”, Section 27, University ParisSud since April 2010. C. Paulin is the president of this committee since December 2014.
C. Paulin, chaired the hiring committee for a professor position in computer science at Université ParisSud.
J.C. Filliâtre, member of the board of GDR GPL, since January 2016.
Master Parisien de Recherche en Informatique (MPRI)
https://
Master: Fondements de l'informatique et ingénierie du logiciel (FIIL)
https://
DUT (Diplôme Universitaire de Technologie): M1101 “Introduction aux systèmes informatiques”, A. Paskevich (36h), M3101 “Principes des systèmes d'exploitation”, A. Paskevich (58.5h), IUT d'Orsay, Université ParisSud, France.
Licence: “Langages de programmation et compilation” (L3), J.C. Filliâtre (26h), École Normale Supérieure, France.
Licence: “INF411: Les bases de l'algorithmique et de la programmation” (L3), J.C. Filliâtre (16h), École Polytechnique, France.
Licence: “Programmation fonctionnelle avancée” (L3), S. Conchon (45h), Université ParisSud, France.
Licence: “Introduction à la programmation fonctionnelle” (L2), S. Conchon (25h), Université ParisSud, France.
Raphaël RieuHelft (ENS, Paris) is a prePhD student doing an internship for 6 months under supervision of C. Marché, G. Melquiond and A. Paskevich. He is working on the design and the formal verification of a library for unbounded integer arithmetic. Why3 is used for formally verifying the functional behaviour of the library operations. Raphaël is also implementing in Why3 a mechanism for extracting code to the C language, in order to obtain a certified code that runs very efficiently.
Lucas Baudin (ENS, Paris) is a master 1 intern under the supervision of J.C. Filliâtre between September 2016 and January 2017. He is working on the inference of loop invariants by abstract interpretation in the tool Why3.
F. Faissole was a master 2 trainee under the supervision of S. Boldo between March and August 2016. He worked on the formal proof of the LaxMilgram theorem.
PhD: L. Gondelmans, “Obtention de programmes corrects par raffinement dans un langage de haut niveau”, Université ParisSaclay & Université ParisSud, December 13, 2016, supervised by J.C. Filliâtre and A. Paskevich.
PhD in progress: M. Clochard, “A unique language for developing programs and prove them at the same time”, since Oct. 2013, supervised by C. Marché and A. Paskevich.
PhD in progress: D. Declerck, “Vérification par des techniques de test et model checking de programmes C11”, since Sep. 2014, supervised by F. Zaïdi (LRI) and S. Conchon.
PhD in progress: M. Roux, “Model Checking de systèmes paramétrés et temporisés”, since Sep. 2015, supervised by Sylvain Conchon.
PhD in progress: M. Pereira, “A Verified Graph Library. Tools and techniques for the verification of modular higherorder programs, with extraction”, since May 2015, supervised by J.C. Filliâtre.
PhD in progress: A. Coquereau, “[ErgoFast] Amélioration de performances pour le solveur SMT AltErgo : conception d'outils d'analyse, optimisations et structures de données efficaces pour OCaml”, since Sep. 2015, supervised by Sylvain Conchon, Fabrice Le Fessant et Michel Mauny.
PhD in progress: F. Faissole, “Stabilité(s): liens entre l'arithmétique flottante et l'analyse numérique”, since Oct 2016, supervised by S. Boldo and A. Chapoutot.
J.C. Filliâtre: president of the PhD committee of A. Djoudi, “Analyse statique au niveau binaire”, Université Paris Saclay, France, December 2016.
S. Conchon: examiner of the PhD of M. Morterol,“Méthodes avancées de raisonnement en logique propositionnelle : application aux réseaux métaboliques”, Université ParisSaclay, December 2016.
S. Conchon: reviewer of the PhD of A. Blanchard, “Aide à la vérification de programmes concurrents par transformation de code et de spécifications”, Université d'Orléans, December 2016.
S. Conchon: reviewer of the HDR of X. Thirioux, “Verifying Embedded Systems”, Institut National Polytechnique de Toulouse, September 2016.
S. Conchon : examiner of the PhD of L. Cabaret, “Algorithmes d'étiquetage en composantes connexes efficaces pour architectures hautes performances”, September 2016.
A. Charguéraud is one of the three organizers of the Concours Castor informatique
http://
S. Boldo is a speaker for a MOOC for computer science teachers. She was also invited to Poitiers in November 2016 to discuss with teachers and present this MOOC.
S. Boldo was invited to a panel about teaching computer science before university in Besançon in June 2016 during the GDR GPL days.
During the “Fête de la science” on October 14th to 16th, S. Boldo gave several talks about computer arithmetic to teenagers and F. Faissole run a stand about an introduction to programming with robots.
S. Boldo and F. Voisin did an introduction to computer science with an activity on computer hardware as a 1hour extracurricular activity in schools for pupils in CM1CM2 on October 4th.
S. Boldo gave a talk during a girls & maths weekend on
November 22nd. See
http://