The EPI Gallinette aims at developing a new generation of proof assistants, with the belief that practical experiments must go in pair with foundational investigations:

The goal is to advance proof assistants both as certified programming languages and mechanised logical systems. Advanced programming and mathematical paradigms must be integrated, notably dependent types and effects. The distinctive approach is to implement new programming and logical paradigms on top of Coq by considering the latter as a target language for compilation.

The aim of foundational investigations is to extend the boundaries of the Curry-Howard correspondence. It is seen both as providing foundations for programming languages and logic, and as a purveyor of techniques essential to the development of proof assistants. Under this perspective, the development of proof assistants is seen as a total experiment using the correspondence in every aspect: programming languages, type theory, proof theory, rewriting and algebra.

Software quality is a requirement that is becoming more and more prevalent,
by now far exceeding the traditional scope of embedded systems. The
development of tools to construct software that respects a given specification
is a major challenge facing computer science. *Proof assistants
*such as Coq provide a formal method whose central
innovation is to produce *certified programs *by transforming
the very activity of programming. Programming and proving are merged
into a single development activity, informed by an elegant but rigid
mathematical theory inspired by the correspondence between programming,
logic and algebra: the *Curry-Howard correspondence*. For the
certification of programs, this approach has shown its efficiency
in the development of important pieces of certified software such
as the C compiler of the CompCert project .
The extracted CompCert compiler is reliable and efficient, running
only 15% slower than GCC 4 at optimisation level 2 (`gcc -O2`),
a level of optimisation that was considered before to be highly unreliable.

Proof assistants can also be used to *formalise mathematical
theories*: they not only provide a means of representing mathematical
theories in a form amenable to computer processing, but their internal
logic provides a language for reasoning about such theories. In the
last decade, proof assistants have been used to verify extremely large
and complicated proofs of recent mathematical results, sometimes requiring
either intensive computations ,
or intricate combinations of a multitude of mathematical theories
. But formalised mathematics is more than just proof
checking and proof assistants can help with the organisation mathematical
knowledge or even with the discovery of new constructions and proofs.

Unfortunately, the rigidity of the theory behind proof assistants impedes their expressiveness both as programming languages and as logical systems. For instance, a program extracted from Coq only uses a purely functional subset of OCaml, leaving behind important means of expression such as side-effects and objects. Limitations also appears in the formalisation of advanced mathematics: proof assistants do not cope well with classical axioms such as excluded middle and choice which are sometimes used crucially. The fact of the matter is that the development of proof assistants cannot be dissociated from a reflection on the nature of programs and proofs coming from the Curry-Howard correspondence. In the EPC Gallinette, we propose to address several drawbacks of proof assistants by pushing the boundaries of this correspondence.

In the 1970's, the Curry-Howard correspondence was seen as a perfect match between functional programs, intuitionistic logic, and Cartesian closed categories. It received several generalisations over the decades, and now it is more widely understood as a fertile correspondence between computation, logic, and algebra. Nowadays, the view of the Curry-Howard correspondence has evolved from a perfect match to a collection of theories meant to explain similar structures at work in logic and computation, underpinned by mathematical abstractions. By relaxing the requirement of a perfect match between programs and proofs, and instead emphasising the common foundations of both, the insights of the Curry-Howard correspondence may be extended to domains for which the requirements of programming and mathematics may in fact be quite different.

Consider the following two major theories of the past decades, which were until recently thought to be irreconcilable:

**(Martin-Löf) Type theory:** introduced by Martin-Löf in 1971,
this formalism is both a programming language and
a logical system. The central ingredient is the use of *dependent
types* to allow fine-grained invariants to be expressed in program
types. In 1985, Coquand and Huet developed a similar system called
the *calculus of constructions*, which served as logical foundation
of the first implementation of Coq. This kind of systems is still
under active development, especially with the recent advent of homotopy
type theory (HoTT) which gives a new point of view
on types and the notion of equality in type theory.

**The theory of effects:** starting in the 1980's, Moggi
and Girard put forward monads and co-monads as describing
various compositional notions of computation. In this theory, programs
can have side-effects (state, exceptions, input-output), logics can
be non-intuitionistic (linear, classical), and different computational
universes can interact (modal logics). Recently, the safe and automatic
management of resources has also seen a coming of age (Rust, Modern
C++) confirming the importance of linear logic for various programming
concepts. It is now understood that the characteristic feature of
the theory of effects is sensitivity to *evaluation order*, in
contrast with type theory which is built around the assumption that
evaluation order is irrelevant.

We now outline a series of scientific challenges aimed at understanding of type theory, effects, and their combination.

More precisely, three key axes of improvement have been identified:

Making the notion of equality closer to what is usually assumed when doing proofs on black board, with a balance between irrelevant equality for simple structures and equality up-to equivalences for more complex ones (Section ). Such a notion of equality should allow one to implement traditional model transformations that enhance the logical power of the proof assistant using distinct compilation phases.

Advancing the foundations of effects within the Curry-Howard approach. The objective is to pave the way for the integration of effects in proof assistants and to prototype the corresponding implementation. This integration should allow for not only certified programming with effects, but also the expression of more powerful logics (Section ).

Making more programming features (notably, object polymorphism) available in proof assistants, in order to scale to practical-sized developments. The objective is to enable programming styles closer to common practices. One of the key challenges here is to leverage gradual typing to dependent programming (Section ).

To validate the new paradigms, we propose in Section three particular application fields in which members of the team already have a strong expertise: code refactoring, constraint programming and symbolic computation.

The democratisation of proof assistants based on type theory has likely been impeded one central problem: the mismatch between the conception of equality in mathematics and its formalisation in type theory. Indeed, some basic principles that are used implicitly in mathematics—such as Church’s principle of propositional extensionality, which says that two propositions are equal when they are logically equivalent—are not derivable in type theory. Even more problematically, from a computer science point of view, the basic concept of two functions being equal when they are equal at every “point” of their domain is also not derivable: rather, it must be added as an additional axiom. Of course, these principles are consistent with type theory so that working under the corresponding additional assumptions is safe. But the use of these assumptions in a definition potentially clutters its computational behaviour: since axioms are computational black boxes, computation gets stuck at the points of the code where they have been used.

We propose to investigate how expressive logical transformations such as forcing and sheaf construction might be used to enhance the computational and logical power of proof assistants—with a particular emphasis on their implementation in the Coq proof assistant by the means of effective translations (or compilation phases). One of the main topics of this task, in connection to the ERC project CoqHoTT, is the integration in Coq of new concepts inspired by homotopy type theory such as the univalence principle, and higher inductive types.

In the Coq proof assistant, the sort *proof
irrelevance,* can be expressed formally as: *raison d'être* of the sort

The univalence principle is becoming widely accepted as a very promising
avenue to provide new foundations for mathematics and type theory.
However, this principle has not yet been incorporated into a proof
assistant. Indeed, the very mathematical structures (known as

Hence a major objective is to achieve a complete internalisation of univalence in intensional type theory, including an integration to a new version of Coq. We will strive to keep compatibility with previous versions, in particular from a performance point of view. Indeed, the additional complexity of homotopy type theory should not induce an overhead in the type checking procedure used by the software if we want our new framework to become rapidly adopted by the community. Concretely, we will make sure that the compilation time of Coq’s Standard Library will be of the same order of magnitude.

Extending the power of a logic using model transformations (*e.g.,*
forcing transformation , or the sheaf
construction ) is a classic topic of mathematical
logic , . However, these ideas have
not been much investigated in the setting of type theory, even though
they may provide a useful framework for extending the logical power
of proof assistant in a modular way. There is a good reason for this:
with a syntactic notion of equality, the underlying structure of type
theory does not conform to the structure of topos used in mathematical
logic. A direct incorporation of the standard techniques is therefore
not possible. However, a univalent notion of equality brings type
theory closer to the required algebraic structure, as it corresponds
to the notion of

The Gallinette project advocates the use of distinct compilation phases as a methodology for the design of a new generation of proof assistants featuring modular extensions of a core logic. The essence of a compiler is the separation of the complexity of a translation process into modular stages, and the organization of their re-composition. This idea finds a natural application in the design of complex proof assistants (Figure ). For instance, the definition of type classes in Coq follows this pattern, and is morally given by the means of a translation into a type-class free kernel. More recently, a similar approach by compilation stages, using the forcing transformation, was used to relax the strict positivity condition guarding inductive types , . We believe that this flavour of compilation-based strategies offers a promising direction of investigation for the propose of defining a decidable type checking algorithm for HoTT.

We propose the incorporation of effects in the theory of proof assistants at a foundational level. Not only would this allow for certified programming with effects, but it would moreover have implications for both semantics and logic.

We mean *effects* in a broad sense that encompasses both Moggi's
monads and Girard's linear
logic . These two seminal works have given rise to respective
theories of effects (monads) and resources (co-monads). Recent advances,
however have unified these two lines of thought: it is now clear that
the defining feature of effects, in the broad sense, is sensitivity
to evaluation order , .

In contrast, the type theory that forms the foundations of proof assistants
is based on pure *“the next
difficult step [...] currently under investigation”*.

Any realistic program contains effects: state, exceptions, input-output.
More generally, evaluation order may simply be important for complexity
reasons. With this in mind, many works have focused on certified programming
with effects: notably Ynot , and more recently

We propose to develop the foundations of a type theory with effects
taking into account the logical and semantic aspects, and to study
their practical and theoretical consequences. A type theory that integrates
effects would have logical, algebraic and computational implications
when viewed through the Curry-Howard correspondence. For instance,
effects such as control operators establish a link with classical
proof theory . Indeed, control
operators provide computational interpretations of type isomorphisms
such as

The goal is to develop a type theory with effects that accounts both for practical experiments in certified programming, and for clues from denotational semantics and logical phenomena, in a unified setting.

A crucial step is the integration of dependent types with effects,
a topic which has remained *“currently under investigation”*
ever since the beginning. The difficulty resides
in expressing the dependency of types on terms that can perform side-effects
during the computation. On the side of denotational semantics, several
extensions of categorical models for effects with dependent types
have been proposed , using axioms that should
correspond to restrictions in terms of expressivity but whose practical
implications, however, are not immediately transparent. On the side
of logical approaches , , , ,
one first considers a drastic restriction to terms that do not compute,
which is then relaxed by semantic means. On the side of systems for
certified programming such as

Thus, the recurring idea is to introduce restrictions on the dependency
in order to establish an encapsulation of effects. In our approach,
we seek a principled description of this idea by developing the concept
of *semantic value* (thunkables, linears) which arose from foundational
considerations , , and
whose relevance was highlighted in recent works , .
The novel aspect of our approach is to seek a proper extension of
type theory which would provide foundations for a classical type theory
with axiom of choice in the style of Herbelin ,
but which moreover could be generalised to effects other than just
control by exploiting an abstract and adaptable notion of semantic
value.

In our view, the common idea that evaluation order does not matter
for pure and termination computations should serve as a bridge between
our proposals for dependent types in the presence of effects and traditional
type theory. Building on the previous goal, we aim to study the relationship
between semantic values, purity, and parametricity theorems , .
Our goal is to characterise parametricity as a form of intuitionistic*
depolarisation* following the method by which the first game model
of full linear logic was given (Melliès , ).
We have two expected outcomes in mind: enriching type theory with
intensional content without losing its properties, and giving an explanation
of the dependent types in the style of Idris and

An integrated type theory with effects requires an understanding of
evaluation order from the point of view of rewriting. For instance,
rewriting properties can entail the decidability of some conversions,
allowing the automation of equational reasoning in types .
They can also provide proofs of computational consistency (that terms
are not all equivalent) by showing that extending calculi with new
constructs is conservative . In our approach,
the

One goal is to prove computational consistency or decidability of conversions purely using advanced rewriting techniques following a technique introduced in . Another goal is the characterisation of weak reductions: extensions of the operational semantics to terms with free variables that preserve termination, whose iteration is equivalent to strong reduction , . We aim to show that such properties derive from generic theorems of higher-order rewriting , so that weak reduction can easily be generalised to richer systems with effects.

Proof theory and rewriting are a source of *coherence theorems
*in category theory, which show how calculations in a category can
be simplified with an embedding into a structure with stronger properties
, . We aim to explore such results
for categorical models of effects , . Our key
insight is to consider the reflection between *indirect and direct
models * , as a coherence theorem:
it allows us to embed the traditional models of effects into structures
for which the rewriting and proof-theoretic techniques from the previous
section are effective.

Building on this, we are further interested in connecting operational
semantics to 2-category theory, in which a second dimension is traditionally
considered for modelling conversions of programs rather than equivalences.
This idea has been successfully applied for the

The unified theory of effects and resources prompts an investigation into the semantics of safe and automatic resource management, in the style of Modern C++ and Rust. Our goal is to show how advanced semantics of effects, resources, and their combination arise by assembling elementary blocks, pursuing the methodology applied by Melliès and Tabareau in the context of continuations . For instance, by combining control flow (exceptions, return) with linearity allows us to describe in a precise way the “Resource Acquisition Is Initialisation” idiom in which the resource safety is ensured with scope-based destructors. A further step would be to reconstruct uniqueness types and borrowing using similar ideas.

The development of tools to construct software systems that respect
a given specification is a major challenge of current and future research
in computer science. Certified programming with dependent types has
recently attracted a lot of interest, and Coq is the *de facto*
standard for such endeavours, with an increasing number of users,
pedagogical resources, and large-scale projects. Nevertheless, significant
work remains to be done to make Coq more usable from a software engineering
point of view. The Gallinette team proposes to make progress on three
lines of work: (i) the development of gradual certified programming,
(ii) the integration of imperative features and object polymorphism
in Coq, and (iii) the development of robust tactics for proof engineering
for the scaling of formalised libraries.

One of the main issues faced by a programmer starting to internalise in a proof assistant code written in a more permissive world is that type theory is constrained by a strict type discipline which lacks flexibility. Concretely, as soon that you start giving more a precise type/specification to a function, the rest of the code interacting with this functions needs to be more precise too. To address this issue, the Gallinette team will put strong efforts into the development of gradual typing in type theory to allow progressive integration of code that comes from a more permissive world.

Indeed, on the way to full verification, programmers can take advantage of a gradual approach in which some properties are simply asserted instead of proven, subject to dynamic verification. Tabareau and Tanter have made preliminary progress in this direction . This work, however, suffers from a number of limitations, the most important being the lack of a mechanism for handling the possibility of runtime errors within Coq. Instead of relying on axioms, this project will explore the application of Section to embed effects in Coq. This way, instead of postulating axioms for parts of the development that are too hard/marginal to be dealt with, the system adds dynamic checks. Then, after extraction, we get a program that corresponds to the initial program but with dynamic check for parts that have not been proven, ensuring that the program will raise an error instead of going outside its specification.

This will yield new foundations of gradual certified programming, both more expressive and practical. We will also study how to integrate previous techniques with the extraction mechanism of Coq programs to OCaml, in order to exploit the exception mechanism of OCaml.

Abstract data types (ADTs) become useful as the size of programs grows
since they provide for a modular approach, allowing abstractions about
data to be expressed and then instantiated. Moreover, ADTs are natural
concepts in the calculus of inductive constructions. But while it
is easy to declare an ADT, it is often difficult to implement an efficient
one. Compare this situation with, for example, Okasaki's purely functional
data structures which implement ADTs like queues
in languages with imperative features. Of course, Okasaki's queues
enforce some additional properties for free, such as persistence,
but the programmer may prefer to use and to study a simpler implementation
without those additional properties. Also in certified symbolic computation
(see ), an efficient functional
implementation of ADTs is often not available, and efficiency is a
major challenge in this area. Relying on the theoretical work done
in , we will equip Coq with imperative
features and we will demonstrate how they can be used to provide efficient
implementations of ADTs. However, it is also often the case that imperative
implementation are hard-to-reason-on, requiring for instance the use
of separation logic. But in that case, we could take benefice of recent
works on integration of separation logic in the Coq proof assistant
and in particular the Iris project http://

Object-oriented programming has evolved since its foundation based on the representation of computations as an exchange of messages between objects. In modern programming languages like Scala, which aims at a synthesis between object-oriented and functional programming, object-orientation concretely results in the use of hierarchies of interfaces ordered by the subtyping relation and the definition of interface implementations that can interoperate. As observed by Cook and Aldrich , , interoperability can be considered as the essential feature of objects and is a requirement for many modern frameworks and ecosystems: it means that two different implementations of the same interface can interoperate.

Our objective is to provide a representation of object-oriented programs, by focusing on subtyping and interoperability.

For subtyping, the natural solution in type theory is coercive subtyping , as implemented in Coq, with an explicit operator for coercions. This should lead to a shallow embedding, but has limitations: indeed, while it allows subtyping to be faithfully represented, it does not provide a direct means to represent union and intersection types, which are often associated with subtyping (for instance intersection types are present in Scala). A more ambitious solution would be to resort to subsumptive subtyping (or semantic subtyping ): in its more general form, a type algebra is extended with boolean operations (union, intersection, complementing) to get a boolean algebra with operators (the original type constructors). Subtying is then interpreted as the natural partial order of the boolean algebra.

We propose to use the type class machinery of Coq to implement semantic subtyping for dependent type theory. Using type class resolution, we can emulate inference rules of subsumptive subtyping without modifying Coq internally. This has also another advantage. As subsumptive subtyping for dependent types should be undecidable in general, using type class resolution allows for an incomplete yet extensible decision procedure.

When developing certified software, a major part of the effort is
spent not only on writing proof scripts, but on *rewriting* them,
either for the purpose of code maintenance or because of more significant
changes in the base definitions. Regrettably, proof scripts suffer
more often than not from a bad programming style, and too many proof
developers casually neglect the most elementary principles of well-behaved
programmers. As a result, many proof scripts are very brittle, user-defined
tactics are often difficult to extend, and sometimes even lack a clear
specification. Formal libraries are thus generally very fragile pieces
of software. One reason for this unfortunate situation is that proof
engineering is very badly served by the tools currently available
to the users of the Coq proof assistant, starting with its tactic
language. One objective of the Gallinette team is to develop better
tools to write proof scripts.

Completing and maintaining a large corpus of formalised mathematics
requires a well-designed tactic language. This language should both
accommodate the possible specific needs of the theories at stake,
and help with diagnostics at refactoring time. Coq's tactic language
is in fact two-leveled. First, it includes a basic tactic language,
to organise the deductive steps in a proof script and to perform the
elementary bureaucracy. Its second layer is a meta-programming language,
which allows user to defined their own new tactics at toplevel. Our
first direction of work consists in the investigation of the appropriate
features of the *basic tactic language*. For instance, the design
of the Ssreflect tactic language, and its support for the small scale
reflection methodology , has been a
key ingredient in at least two large scale formalisation endeavours:
the Four Colour Theorem and of the Odd Order
Theorem . Building on our experience with the Ssreflect
tactic language, we will contribute to the ongoing work on the basic
tactic language for Coq. The second objective of this task is to contribute
to the design of a *typed tactic language*. In particular, we
will build on the work of Ziliani and his collaborators ,
extending it with reasoning about the effects that tactics have on
the “state of a proof” (e.g. number of sub-goals, metavariables in
context). We will also develop a novel approach for incremental type
checking of proof scripts, so that programmers gain access to a richer
discovery- engineering interaction with the proof assistant.

The first three axes of the EPC Gallinette aim at developing a new generation of proof assistants. But we strongly believe that foundational investigations must go hand in hand with practical experiments. Therefore, we expect to benefit from existing expertise and collaborations in the team to experiment our extensions of Coq on real world developments. It should be noticed that those practical experiments are strongly guided by the deep history of research on software engineering of team members.

In the context of refactoring of C programs, we intend to formalise program transformations that are written in an imperative style to test the usability of our addition of effects in the proof assistant. This subject has been chosen based on the competence of members of the team.

Build a refactoring tool that programmers can rely on and make it available in a popular platform (such as Eclipse, IntelliJ or Frama-C).

Explore large, drastic program transformations such as replacing a design architecture for an other one, by applying a sequence of small refactoring operations (as we have done for Java and Haskell programs before , , ), while ensuring behaviour preservation.

Explore the use of enhancements of proof systems on large developments. For instance, refactoring tools are usually developed in the imperative/object paradigm, so the extension of Coq with side effects or with object features proposed in the team can find a direct use-case here.

We plan to make use of the internalisation of the object-oriented paradigm in the context of constraint programming. Indeed, this domain is made of very complex algorithms that are often developed using object-oriented programming (as it is the case for instance for CHOCO, which is developed in the Tasc Group at IMT Atlantique, Nantes). We will in particular focus on filtering algorithms in constraint solvers, for which research publications currently propose new algorithms with manual proofs. Their formalisation in Coq is challenging. Another interesting part of constraint solving to formalise is the part that deals with program generation (as opposed to extraction). However, when there are numerous generated pieces of code, it is not realistic to prove their correctness manually, and it can be too difficult to prove the correctness of a generator. So we intend to explore a middle path that consists in generating a piece of code along with its corresponding proof (script or proof term). A target application could be interval constraints (for instance Allen interval algebra or region connection calculus) that can generate thousands of specialised filtering algorithms for a small number of variables .

Finally, Rémi Douence has already worked (articles publishing , , , PhD Thesis advising ) with different members of the Tasc team. Currently, he supervises with Nicolas Beldiceanu the PhD Thesis of Ekaterina Arafailova in the Tasc team. She studies finite transducers to model time-series constraints , , . This work requires proofs, manually done for now, we would like to explore when these proofs could be mechanised.

We will investigate how the addition of effects in the Coq proof assistant can facilitate the marriage of computer algebra with formal proofs. Computer algebra systems on one hand, and proof assistants on the other hand, are both designed for doing mathematics with the help of a computer, by the means of symbolic computations. These two families of systems are however very different in nature: computer algebra systems allow for implementations faithful to the theoretical complexity of the algorithms, whereas proof assistants have the expressiveness to specify exactly the semantic of the data-structures and computations.

Experiments have been run that link computer algebra systems with Coq , . These bridges rely on the implementation of formal proof-producing core algorithms like normalisation procedures. Incidentally, they require non trivial maintenance work to survive the evolution of both systems. Other proof assistants like the Isabelle/HOL system make use of so-called reflection schemes: the proof assistant can produce code in an external programming language like SML, but also allows to import the values output by these extracted programs back inside the formal proofs. This feature extends the trusted base of code quite significantly but it has been used for major achievements like a certified symbolic/numeric ODE solver .

We would like to bring Coq closer to the efficiency and user-friendliness of computer algebra systems: for now it is difficult to use the Coq programming language so that certified implementations of computer algebra algorithms have the right, observable, complexity when they are executed inside Coq. We see the addition of effects to the proof assistant as an opportunity to ease these implementations, for instance by making use of caching mechanisms or of profiling facilities. Such enhancements should enable the verification of computation-intensive mathematical proofs that are currently beyond reach, like the validation of Helfgott's proof of the weak Goldbach conjecture .

The team has been created as a project team on June 2018. Two new permanent members have joined the team:

Guilhem Jaber, as an assistant professor of the University of Nantes (September 2018).

Pierre-Marie Pédrot as an Inria researcher (October 2018).

*The Coq Proof Assistant*

Keywords: Proof - Certification - Formalisation

Scientific Description: Coq is an interactive proof assistant based on the Calculus of (Co-)Inductive Constructions, extended with universe polymorphism. This type theory features inductive and co-inductive families, an impredicative sort and a hierarchy of predicative universes, making it a very expressive logic. The calculus allows to formalize both general mathematics and computer programs, ranging from theories of finite structures to abstract algebra and categories to programming language metatheory and compiler verification. Coq is organised as a (relatively small) kernel including efficient conversion tests on which are built a set of higher-level layers: a powerful proof engine and unification algorithm, various tactics/decision procedures, a transactional document model and, at the very top an IDE.

Functional Description: Coq provides both a dependently-typed functional programming language and a logical formalism, which, altogether, support the formalisation of mathematical theories and the specification and certification of properties of programs. Coq also provides a large and extensible set of automatic or semi-automatic proof methods. Coq's programs are extractible to OCaml, Haskell, Scheme, ...

Release Functional Description: Coq version 8.8.2 contains the result of refinements and stabilization of features and deprecations, cleanups of the internals of the system along with a few new features.

Summary of changes:

Kernel: fix a subject reduction failure due to allowing fixpoints on non-recursive values (#407), by Matthieu Sozeau. Handling of evars in the VM (#935) by Pierre-Marie Pédrot.

Notations: many improvements on recursive notations and support for destructuring patterns in the syntax of notations by Hugo Herbelin.

Proof language: tacticals for profiling, timing and checking success or failure of tactics by Jason Gross. The focusing bracket { supports single-numbered goal selectors, e.g. 2:{, (#6551) by Théo Zimmermann.

Vernacular: cleanup of definition commands (#6653) by Vincent Laporte and more uniform handling of the Local flag (#1049), by Maxime Dénès. Experimental Show Extraction command (#6926) by Pierre Letouzey. Coercion now accepts Prop or Type as a source (#6480) by Arthur Charguéraud. Export modifier for options allowing to export the option to modules that Import and not only Require a module (#6923), by Pierre-Marie Pédrot.

Universes: many user-level and API level enhancements: qualified naming and printing, variance annotations for cumulative inductive types, more general constraints and enhancements of the minimization heuristics, interaction with modules by Gaëtan Gilbert, Pierre-Marie Pédrot and Matthieu Sozeau.

Library: Decimal Numbers library (#6599) by Pierre Letouzey and various small improvements.

Documentation: a large community effort resulted in the migration of the reference manual to the Sphinx documentation tool. The new documentation infrastructure (based on Sphinx) is by Clément Pit-Claudel. The migration was coordinated by Maxime Dénès and Paul Steckler, with some help of Théo Zimmermann during the final integration phase. The 14 people who ported the manual are Calvin Beck, Heiko Becker, Yves Bertot, Maxime Dénès, Richard Ford, Pierre Letouzey, Assia Mahboubi, Clément Pit-Claudel, Laurence Rideau, Matthieu Sozeau, Paul Steckler, Enrico Tassi, Laurent Théry, Nikita Zyuzin.

Tools: experimental -mangle-names option to coqtop/coqc for linting proof scripts (#6582), by Jasper Hugunin. Main changes:

Critical soundness bugs were fixed between versions 8.8.0 and 8.8.2, and a PDF version of the reference manual was made available. The Windows installer also includes many more external packages that can be individually selected for installation.

On the implementation side, the dev/doc/changes.md file documents the numerous changes to the implementation and improvements of interfaces. The file provides guidelines on porting a plugin to the new version.

More information can be found in the CHANGES file. Feedback and bug reports are extremely welcome.

Distribution Installers for Windows 32 bits (i686), Windows 64 bits (x8_64) and macOS are available. They come bundled with CoqIDE. Windows binaries now include the Bignums library.

Complete sources of the files installed by the Windows installers are made available, to comply with license requirements.

News Of The Year: Version 8.8.0 was released in April 2018 and version 8.8.2 in September 2018. This is the third release of Coq developed on a time-based development cycle. Its development spanned 6 months from the release of Coq 8.7 and was based on a public road-map. It attracted many external contributions. Code reviews and continuous integration testing were systematically used before integration of new features, with an important focus given to compatibility and performance issues.

The main advances in this version are cleanups and fixes in the many different components of the system, ranging from low level kernel fixes to advances in the support of notations and tacticals for selecting goals. A large community effort was made to move the documentation to the Sphinx format, providing a more accessible online ressource to users.

Participants: Abhishek Anand, C. J. Bell, Yves Bertot, Frédéric Besson, Tej Chajed, Pierre Courtieu, Maxime Denes, Julien Forest, Emilio Jesús Gallego Arias, Gaëtan Gilbert, Benjamin Grégoire, Jason Gross, Hugo Herbelin, Ralf Jung, Matej Kosik, Sam Pablo Kuper, Xavier Leroy, Pierre Letouzey, Assia Mahboubi, Cyprien Mangin, Érik Martin-Dorel, Olivier Marty, Guillaume Melquiond, Pierre-Marie Pédrot, Benjamin C. Pierce, Lars Rasmusson, Yann Régis-Gianas, Lionel Rieg, Valentin Robert, Thomas Sibut-Pinote, Michael Soegtrop, Matthieu Sozeau, Arnaud Spiwack, Paul Steckler, George Stelle, Pierre-Yves Strub, Enrico Tassi, Hendrik Tews, Laurent Théry, Amin Timany, Vadim Zaliva and Théo Zimmermann

Partners: CNRS - Université Paris-Sud - ENS Lyon - Université Paris-Diderot

Contact: Matthieu Sozeau

Publication: The Coq Proof Assistant, version 8.8.0

URL: http://

*Mathematical Components library*

Functional Description: The Mathematical Components library is a set of Coq libraries that cover the mechanization of the proof of the Odd Order Theorem.

Release Functional Description: The library includes 16 more theory files, covering in particular field and Galois theory, advanced character theory, and a construction of algebraic numbers.

Participants: Alexey Solovyev, Andrea Asperti, Assia Mahboubi, Cyril Cohen, Enrico Tassi, François Garillot, Georges Gonthier, Ioana Pasca, Jeremy Avigad, Laurence Rideau, Laurent Théry, Russell O'Connor, Sidi Ould Biha, Stéphane Le Roux and Yves Bertot

Contact: Assia Mahboubi

Functional Description: Ssreflect is a tactic language extension to the Coq system, developed by the Mathematical Components team.

Participants: Assia Mahboubi, Cyril Cohen, Enrico Tassi, Georges Gonthier, Laurence Rideau, Laurent Théry and Yves Bertot

Contact: Yves Bertot

Keywords: Coq - Proof assistant

Functional Description: A replacement for Ltac, the tactic language of Coq.

Contact: Pierre-Marie Pédrot

In a recent paper, Herbelin developed a calculus

Infinite types and formulas are known to have really curious and unsound behaviours. For instance, they allow to type

Systems programming languages C++11 and Rust have developed techniques
and idioms for the safe management of resources called
*“Resource acquisition is initialisation”* (RAII) and
*move semantics*. We have related resources from systems
programming to the notion of resource put forward by linear logic, by
giving a construction in terms of categorical semantics for a resource
modality that model RAII and move semantics. This work was presented
by at the workshop LOLA 2018 in Oxford .

Thanks to a new logical and semantic understanding of resource-management techniques in systems programming languages, we have proposed a design for an extension of functional programming language towards systems programming, centred on the OCaml language, and based on a notion of resource polymorphism inspired by the C++11 language and by the works on polarisation in proof theory.

Distributed applications are challenging to program because they have to deal with a plethora of concerns, including synchronisation, locality, replication, security and fault tolerance. Aspect-oriented programming (AOP) is a paradigm that promotes better modularity by providing means to encapsulate cross-cutting concerns in entities called aspects. Over the last years, a number of distributed aspect-oriented programming languages and systems have been proposed, illustrating the benefits of AOP in a distributed setting. Chemical calculi are particularly well-suited to formally specify the behaviour of concurrent and distributed systems. The join calculus is a functional name-passing calculus, with both distributed and object-oriented extensions. It is used as the basis of concurrency and distribution features in several mainstream languages like C# (Polyphonic C#, now C

Type theories with equality reflection, such as extensional type theory (ETT), are convenient theories in which to formalise mathematics, as they make it possible to consider provably equal terms as convertible. Although type-checking is undecidable in this context, variants of ETT have been implemented, for example in NuPRL and more recently in Andromeda. The actual objects that can be checked are not proof-terms, but derivations of proof-terms. This suggests that any derivation of ETT can be translated into a typecheckable proof term of intensional type theory (ITT). However, this result, investigated categorically by Hofmann in 1995, and 10 years later more syntactically by Oury, has never given rise to an effective translation. In , we provide the first syntactical translation from ETT to ITT with uniqueness of identity proofs and functional extensionality. This translation has been defined and proven correct in Coq and yields an executable plugin that translates a derivation in ETT into an actual Coq typing judgment. Additionally, we show how this result is extended in the context of homotopy to a two-level type theory.

Full-spectrum dependent types promise to enable the development of correct-by-construction software. However, even certified software needs to interact with simply-typed or untyped programs, be it to perform system calls, or to use legacy libraries. Trading static guarantees for runtime checks, the dependent interoperability framework provides a mechanism by which simply-typed values can safely be coerced to dependent types and, conversely, dependently-typed programs can defensively be exported to a simply-typed application. In , we give a semantic account of dependent interoperability. Our presentation relies on and is guided by a pervading notion of type equivalence, whose importance has been emphasised in recent work on homotopy type theory. Specifically, we develop the notion of type-theoretic partial Galois connections as a key foundation for dependent interoperability, which accounts for the partiality of the coercions between types. We explore the applicability of both monotone and antitone type-theoretic Galois connections in the setting of dependent interoperability. A monotone partial Galois connection enforces a translation of dependent types to runtime checks that are both sound and complete with respect to the invariants encoded by dependent types. Conversely, picking an antitone partial Galois connection instead lets us induce weaker, sound conditions that can amount to more efficient runtime checks. Our framework is developed in Coq; it is thus constructive and verified in the strictest sense of the terms. Using our library, users can specify domain-specific partial connections between data structures. Our library then takes care of the (sometimes, heavy) lifting that leads to interoperable programs. It thus becomes possible, as we shall illustrate, to internalise and hand-tune the extraction of dependently-typed programs to interoperable OCaml programs within Coq itself.

Homotopy Type Theory promises a unification of the concepts of equality and equivalence in Type Theory, through the introduction of the univalence principle. However, existing proof assistants based on type theory treat this principle as an axiom, and it is not yet clear how to extend them to handle univalence internally. In , we propose a construction grounded on a univalent version of parametricity to bring the benefits of univalence to the programmer and prover, that can be used on top of existing type theories. In particular, univalent parametricity strengthens parametricity to ensure preservation of type equivalences. We present a lightweight framework implemented in the Coq proof assistant that allows the user to transparently transfer definitions and theorems for a type to an equivalent one, as if they were equal. Our approach handles both type and term dependency. We study how to maximise the effectiveness of these transports in terms of computational behaviour, and identify a fragment useful for certified programming on which univalent transport is guaranteed to be effective. This work paves the way to easier-to-use environments for certified programming by supporting seamless programming and proving modulo equivalences.

Template-Coq , is a plugin for Coq, originally implemented by Malecha, which provides a reifier for Coq terms and global declarations , as represented in the Coq kernel, as well as a denotation command. Initially, it was developed for the purpose of writing functions on Coq's AST in Gallina. Recently, it was used in the CertiCoq certified compiler project, as its front-end language, to derive parametricity properties, and to extract Coq terms to a CBV λ-calculus. However, the syntax lacked semantics, be it typing semantics or operational semantics, which should reflect, as formal specifications in Coq, the semantics of Coq's type theory itself. The tool was also rather bare bones, providing only rudimentary quoting and unquoting commands. We generalise it to handle the entire Calculus of Inductive Constructions (CIC), as implemented by Coq, including the kernel's declaration structures for definitions and inductives, and implement a monad for general manipulation of Coq's logical environment. We demonstrate how this setup allows Coq users to define many kinds of general purpose plugins, whose correctness can be readily proved in the system itself, and that can be run efficiently after extraction. We give a few examples of implemented plugins, including a parametricity translation. We also advocate the use of Template-Coq as a foundation for higher-level tools.

Definitional equality—or conversion—for a type theory with a decidable type checking is the simplest tool to prove that two objects are the same, letting the system decide just using computation. Therefore, the more things are equal by conversion, the simpler it is to use a language based on type theory. Proof-irrelevance, stating that any two proofs of the same proposition are equal, is a possible way to extend conversion to make a type theory more powerful. However, this new power comes at a price if we integrate it naively, either by making type checking undecidable or by realising new axioms—such as uniqueness of identity proofs (UIP)—that are incompatible with other extensions, such as univalence. In , taking inspiration from homotopy type theory, we propose a general way to extend a type theory with definitional proof irrelevance, in a way that keeps type checking decidable and is compatible with univalence. We provide a new criterion to decide whether a proposition can be eliminated over a type (correcting and improving the so-called singleton elimination of Coq) by using techniques coming from recent development on dependent pattern matching without UIP. We show the generality of our approach by providing implementations for both Coq and Agda, both of which are planned to be integrated in future versions of those proof assistants.

Finding an elementary form for an antiderivative is often a difficult task, so numerical integration has become a common tool when it comes to making sense of a definite integral. Some of the numerical integration methods can even be made rigorous: not only do they compute an approximation of the integral value but they also bound its inaccuracy. Yet numerical integration is still missing from the toolbox when performing formal proofs in analysis. In , we present an efficient method for automatically computing and proving bounds on some definite integrals inside the Coq formal system. Our approach is not based on traditional quadrature methods such as Newton-Cotes formulas. Instead, it relies on computing and evaluating antiderivatives of rigorous polynomial approximations, combined with an adaptive domain splitting. Our approach also handles improper integrals, provided that a factor of the integrand belongs to a catalog of identified integrable functions. This work has been integrated to the CoqInterval library.

**Vercoma** (Atlanstic 2020/Attractivity grant)

Goal: Verified comupter mathematics.

Coordinator: A. Mahboubi.

Duration: 08/2018 - 08/2021.

**FastRelax** (ANR-14-CE25-0018).

Goal: Develop computer-aided proofs of numerical values, with certified and reasonably tight error bounds, without sacrificing efficiency.

Coordinator: Bruno Salvy (Inria, ENS Lyon).

Participant: A. Mahboubi.

Duration: 2014-2019.

Website: http://

Note: This project started when A. Mahboubi was still in the Specfun project at the Saclay Île-de-France CRI. The budget is still managed there, within the Toccata project, but remains available to A. Mahboubi.

Title: Coq for Homotopy Type Theory

Programm: H2020

Type: ERC

Duration: June 2015 - May 2020

Coordinator: Inria

Inria contact: Nicolas TABAREAU

Every year, software bugs cost hundreds of millions of euros to companies and administrations. Hence, software quality is a prevalent notion and interactive theorem provers based on type theory have shown their efficiency to prove correctness of important pieces of software like the C compiler of the CompCert project. One main interest of such theorem provers is the ability to extract directly the code from the proof. Unfortunately, their democratization suffers from a major drawback, the mismatch between equality in mathematics and in type theory. Thus, significant Coq developments have only been done by virtuosos playing with advanced concepts of computer science and mathematics. Recently, an extension of type theory with homotopical concepts such as univalence is gaining traction because it allows for the first time to marry together expected principles of equality. But the univalence principle has been treated so far as a new axiom which breaks one fundamental property of mechanized proofs: the ability to compute with programs that make use of this axiom. The main goal of the CoqHoTT project is to provide a new generation of proof assistants with a computational version of univalence and use them as a base to implement effective logical model transformation so that the power of the internal logic of the proof assistant needed to prove the correctness of a program can be decided and changed at compile time—according to a trade-off between efficiency and logical expressivity. Our approach is based on a radically new compilation phase technique into a core type theory to modularize the difficulty of finding a decidable type checking algorithm for homotopy type theory. The impact of the CoqHoTT project will be very strong. Even if Coq is already a success, this project will promote it as a major proof assistant, for both computer scientists and mathematicians. CoqHoTT will become an essential tool for program certification and formalization of mathematics.

Program: COST

Project acronym: EUTYPES

Project title: The European research network on types for programming and verification

Duration: 21/03/2016 - 20/03/2020.

Coordinator: Herman Geuvers (Radboud Univerity, Nijmegen, The Netherlands)

Abstract: Types are pervasive in programming and information technology. A type defines a formal interface between software components, allowing the automatic verification of their connections, and greatly enhancing the robustness and reliability of computations and communications. In rich dependent type theories, the full functional specification of a program can be expressed as a type. Type systems have rapidly evolved over the past years, becoming more sophisticated, capturing new aspects of the behaviour of programs and the dynamics of their execution.

This COST Action will give a strong impetus to research on type theory and its many applications in computer science, by promoting (1) the synergy between theoretical computer scientists, logicians and mathematicians to develop new foundations for type theory, for example as based on the recent development of "homotopy type theory”, (2) the joint development of type theoretic tools as proof assistants and integrated programming environments, (3) the study of dependent types for programming and its deployment in software development, (4) the study of dependent types for verification and its deployment in software analysis and verification. The action will also tie together these different areas and promote cross-fertilisation.

Europe has a strong type theory community, ranging from foundational research to applications in programming languages, verification and theorem proving, which is in urgent need of better networking. A COST Action that crosses the borders will support the collaboration between groups and complementary expertise, and mobilise a critical mass of existing type theory research.

**Inria Chile**

Associate Team involved in the International Lab:

Title: Gradual verification and robust proof Engineering for COq

International Partner (Institution - Laboratory - Researcher):

Universidad de Chile (Chile) - DCC, Pleaid team - Éric Tanter

Start year: 2018

See also: http://

The development of tools to construct software systems that respect a given specification is a major challenge of current and future research in computer science. Interactive theorem provers based on type theory, such as Coq, have shown their effectiveness to prove correctness of important pieces of software like the C compiler of the CompCert project. Certified programming with dependent types is attracting a lot of attention recently, and Coq is the de facto standard for such endeavors, with an increasing amount of users, pedagogical material, and large-scale projects. Nevertheless, significant work remains to be done to make Coq more usable from a software engineering point of view.

This collaboration project gathers the expertise of researchers from Chile (Inria Chile, Universidad de Chile, Universidad Católica de Valparaíso) and France (Inria Nantes, Inria Paris), in different areas that are crucial to develop the vision of certified software engineering. The focus of this project is both theoretical and practical, covering novel foundations and methods, design of concrete languages and tools, and validation through specific case studies.

The end result will be a number of enhancements to the Coq proof assistant (frameworks, tactic language) together with guidelines and demonstrations of their applicability in realistic scenarios.

Ambrus Kaposi has visited Gallinette from April 15 to July 15 as part of the ERC 'Visiting Fellowship Programmes' whose aims it to promote the widening of participation of researchers with a high potential in the ERC calls. The Scientific Council of the ERC believes that increasing the international exposure of researchers can help them to develop their full research potential. For this reason the ERC has invited relevant national and regional authorities in Europe to fund potential ERC candidates from the country or the region to visit teams of existing ERC Principal Investigators. The purpose is to offer these potential candidates an opportunity to broaden and strengthen their research profile and vision in an internationally competitive research environment before applying for an ERC grant.

Simon Huber (University of Göteborg) has visited Simon Boulier and Nicolas Tabareau from Feb 26 to March 2 as a Short-Term Scientific Mission (STSM) funded by the EUTYPES COST Action.

Jesper Cockx (Chalmers University) has visited Gaetan Gilbert and Nicolas Tabareau from Feb 19 to Feb 23 as a Short-Term Scientific Mission (STSM) funded by the EUTYPES COST Action.

A. Defourné has visited the team from April to August for an internship on the subject “A Mini-ML with resource management”, supervised by G. Munch-Maccagnoni and R. Douence.

L. Pujet has visited the team from April to August for an internship on the subject “Interpreting Cubical Type Theory using forcing”, supervised by N. Tabareau.

A. Mahboubi has been appointed as Endowed Professor at the Vrije Universiteit Amsterdam on a chair entitled "Automated verification of mathematical proof".

G. Munch-Maccagnoni has visited the University of Cambridge from July 9th to July 19th to work with M. Fiore on the topic of categorical semantics of effects and resources in programming languages.

G. Munch-Maccagnoni has visited Jane Street on July 19th to work with L. White on the topic of resource management in the OCaml programming language.

N. Tabareau has co-organized (with Matthieu Sozeau) the Coq Workshop as part of FLoC 2018.

A. Mahboubi has co-chaired (with Jeremy Avigad) the ITP 2018 conference, part of FLoC 2018.

A. Mahboubi has co-organized (with Andrej Bauer, Martin Escardó and Peter Le Fanu Lumsdaine) the Dagsthul seminar 19341, Formalization of Mathematics in Type Theory.

A. Mahboubi has served in the FLoC 2018 Program Committee and Workshops Committee.

N. Tabareau has been a member of the program committee of FSCD'18 and ICFP'18 (External Review Committee).

A. Mahboubi has been a member of the program committee of the CPP 2018 and CICM 2018 conferences, and of the TYPES 2018 and HOTT/UF 2018 workshops.

N. Tabareau has served as an external reviewer for MFCS'18, WoLLIC'18.

A. Mahboubi has served as external reviewer for the post-proceedings of TYPES 2017.

A. Mahboubi is a member of the editorial board of the Journal of Automated Reasoning.

A. Mahboubi is associate editor of the Progress in Computer Science and Applied Logic series.

A. Mahboubi has served as reviewer for the Journal of Automated Reasoning, and for the Annals of Mathematics and Artifical Intelligence.

G. Munch-Maccagnoni has served as reviewer for the Journal of Automated Reasoning, and for Logical Methods in Computer Science.

A. Mahboubi has given an invited talk at the conference in honour of Thomas C. Hales on the occasion of his 60th birthday.

A. Mahboubi has given an invited course at the Journées Nationales du Calcul Formel 2018.

A. Mahboubi has given an invited course at the 19th Journées Louis Antoine.

A. Mahboubi and G. Munch-Maccagnoni have given invited talks in the seminar organized by Xavier Leroy at the Collège de France in December.

G. Munch-Maccagnoni has given an invited talk at the Journées Inaugurales du GT Scalp in November.

G. Munch-Maccagnoni has given an invited talk at the seminar of the Celtique team in Rennes in October.

G. Munch-Maccagnoni has given an invited talk at the seminar of the Gallium team in Paris in June.

G. Munch-Maccagnoni has given an invited talk at the Logic and Semantics seminar at the University of Cambridge in June.

A. Mahboubi is a member of the scientific committee of the GdR Informatique-Mathématiques.

A. Mahboubi is MC member for the COST Action CA15123 EUTypes, and a member of the core managment group of the project. She is leading the working group “Type-Theoretic Tools”.

A. Mahboubi has served in the Inria commitee examining the “Candidatures en détachements”.

A. Mahboubi has served as internal examiner in the jury of two “Maître de conférence” positions at Université de Nantes.

A. Mahboubi has served in the jury of an assistant professor position in computer science at Stockholm University (Sweden).

Licence : Julien Cohen, Discrete Mathematics, 48h, L1 (IUT Informatique), IUT Nantes, France

Licence : Object oriented programming, 32h, L3 (Ingineering school), Polytech Nantes, France

Master : Functional programming, 18h, M1 (Ingineering school), Polytech Nantes, France

Master : Tools for softaware engineering (proof, test, code management), 20h, M1 (Ingineering school), Polytech Nantes, France

Licence : Rémi Douence, Object Oriented Programming Project, 45h, L1 (apprenticeship), IMT-Atlantique, Nantes, France

Licence : Rémi Douence, Object Oriented Design and Programming, 25h , L3 (engineers), IMT-Atlantique, Nantes, France

Licence : Hervé Grall, Object Oriented Design and Programming, 25h , L3 (engineers), IMT-Atlantique, Nantes, France

Licence : Rémi Douence, Data Structures and Algorithms, 20h , L2 (engineers), IMT-Atlantique, Nantes, France

Licence : Rémi Douence, GUI, 20h, L2 (engineers), IMT-Atlantique, Nantes, France

Licence, Master : Hervé Grall, Modularity and Typing, 40h, L3 and M1, IMT-Atlantique, Nantes, France

Licence : Guilhem Jaber, Computer Tools for Science, 36h, L1, Université de Nantes France

Licence : Guilhem Jaber, Computer Architecure, 36h, L3, Université de Nantes France

Master : Hervé Grall, Service-oriented Computing, 40h, M1 and M2, IMT-Atlantique, Nantes, France

Master : Rémi Douence, Functional Programming with Haskell, 20h, M1 (engineers), IMT-Atlantique, Nantes, France

Master : Rémi Douence, Functional Programming with Haskell, 20h, M1 (apprenticeship), IMT-Atlantique, Nantes, France

Master : Rémi Douence, Introduction to scientific research in computer science (Project: an Haskell interpreter in Java), 45h, M2 (apprenticeship), IMT-Atlantique, Nantes, France

Master : Hervé Grall, Research Project - Certified Programming in Coq, 90h (1/3 supervised), M1 and M2, IMT-Atlantique, Nantes, France

Master : Nicolas Tabareau, Homotopy Type Theory, 24h, M2 LMFI, Université Paris Diderot, France

Master : Guilhem Jaber, Verification and Formal Proofs, 18h, M1, Université de Nantes, France

PhD : Simon Boulier, Extending Type Theory with Syntactical Models, IMT Altantique, 29 Nov 2018, advisor: Nicolas Tabareau

PhD in progress : Antoine Allioux, Coherent Structures in Dependent Type Theory and Higher Category Theory, Université Paris Diderot, advisors: Yves Guiraud and Matthieu Sozeau

PhD in progress : Gaetan Gilbert, A new foundation for the Coq proof assistant based on the insight of Homotopy Type Theory, IMT Atlantique, advisors: Matthieu Sozeau and Nicolas Tabareau

PhD in progress : Ambroise Lafont,Towards an unbiased approach to specify, implement, and prove properties on programming languages, IMT Atlantique, advisors: Tom Hirschowitz and Nicolas Tabareau

PhD in progress: Xavier Montillet, Rewriting theory for effects and dependent types, Univ Nantes, advisors: Guillaume Munch-Maccagnoni and Nicolas Tabareau

PhD in progress: Théo Winterhalter, Extending the flexibility of the universe hierarchy in type theory, Univ Nantes, advisors: Matthieu Sozeau and Nicolas Tabareau

PhD in progress: Igor Zhirkov, Certified Refactoring of C in the Coq proof assistant, advisors: Rémi Douence and Julien Cohen.

PhD in progress: Joachim Hotonnier, Deep Specification for Domain-Specific Modelling, advisors: Gerson Sunye (Naomod team), Massimo Tisi (Naomod team), Hervé Grall

A. Mahboubi has served as reviewer for the PhD of Andrea Gabrielli, defended October 22nd at Università di Firenze.

A. Mahboubi has served as external member on the PhD jury of Pierre Boutry, defended November 13th at Université de Strasbourg.

A. Mahboubi has served as external member on the PhD jury of Simon Boulier, defended November 29th at IMT Atlantique.

A. Mahboubi has served as external member on the PhD jury of Boris Djalal, defended December 3rd at IMT Atlantique.

J. Cohen has served as external member on the PhD jury of Thibaut Girka, defended July 3rd at Université Paris Diderot.

A. Mahboubi is working with composer Alessandro Bossetti and students of the professional high-school Lycée Michelet, on a project “Art and Mathematics”, supported by the Athenor theater.