The general objective of the Toccata project is to promote formal
specification and computer-assisted proof in the development of
software that requires high assurance in terms of safety and
correctness with respect to its intended behavior.
Such safety-critical software appears in many application domains like
transportation (e.g., aviation, aerospace, railway, and more and more in cars),
communication (e.g., internet, smartphones), health devices, etc. The
number of tasks performed by software is quickly increasing, together
with the number of lines of code involved. Given the need for high
assurance of safety in the functional behavior of such applications,
automated (i.e., computer-assisted) methods and techniques that bring
guarantees of safety have become a major challenge. In the past and at
present, the most widely used approach to check the safety of software
is to apply heavy test campaigns, which account for a large part of
the cost of software development. Yet they cannot ensure that all bugs
are caught, and the remaining bugs may have
catastrophic consequences (e.g., the Heartbleed bug in the OpenSSL library
discovered in 2014 https://

Generally speaking, software verification approaches pursue three goals: (1) verification should be sound, in the sense that no bugs should be missed; (2) verification should produce no false alarms, or as few as possible; (3) it should be as automatic as possible. Reaching all three goals at the same time is a challenge. A large class of approaches emphasizes goals (2) and (3): testing, run-time verification, symbolic execution, model checking, etc. Static analysis, such as abstract interpretation, emphasizes goals (1) and (3). Deductive verification emphasizes (1) and (2). The Toccata project is mainly interested in exploring the deductive verification approach, although we also consider the others in some cases.

In the past decade, significant progress has been made in the
domain of deductive program verification, evidenced by
success stories of applying these techniques to industrial-scale
software. For example, the Atelier B system was used to develop
software. For example, the Atelier B system was used to develop
part of the embedded software of the Paris metro line
14 39 and other railway-related systems; a
formally proved C compiler was developed using the Coq proof
assistant 56; the L4.verified project developed a
formally verified micro-kernel with high security guarantees, using
analysis tools on top of the Isabelle/HOL proof
assistant 55. A bug in the JDK implementation of
TimSort was discovered using the KeY
environment 62 and a fixed version was
proved sound. Another sign of recent progress is the emergence of
deductive verification competitions (e.g.,
VerifyThis 1). Finally, a recent trend in the
industrial practice of developing critical software is to require
more and more guarantees of safety: e.g., the new DO-178C standard for
developing avionics software adds to the former DO-178B the use of
formal models and formal methods. It also emphasizes the need for
certification of the analysis tools involved in the process.

There are two main families of approaches for deductive
verification. Methods in the first family build on top of mathematical
proof assistants (e.g., Coq, Isabelle) in which both the model and the
program are encoded; the proof that the program meets its
specification is typically conducted in an interactive way using the
underlying proof construction engine. Methods from the second family
proceed by designing standalone tools that take as input a program in
a particular programming language (e.g., C, Java), specified with a
dedicated annotation language (e.g., ACSL 36,
JML 45), and automatically produce a set of
mathematical formulas (the verification conditions), which are
typically proved using automatic provers (e.g., Z3 63,
Alt-Ergo 48, CVC4 35).

The first family of approaches usually offers a higher level of assurance than the second, but also demands more work to perform the proofs (because of their interactive nature), which makes it harder to adopt in industry. Moreover, such approaches generally do not allow one to directly analyze a program written in a mainstream programming language like Java or C. The second family of approaches has benefited in the past years from the tremendous progress made in SAT and SMT solving techniques, allowing more impact on industrial practices, but it suffers from a lower level of trust: in all parts of the proof chain (the model of the input programming language, the VC generator, the back-end automatic prover), potential errors may appear, compromising the guarantee offered. Moreover, while these approaches are applied to mainstream languages, they usually support only a subset of their features.
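The second family of approaches hinges on generating verification conditions from an annotated program. The core mechanism can be sketched as a weakest-precondition calculus; the toy generator below is an illustration of the idea only, not the actual ACSL/Why3 machinery, and all names in it are ours.

```python
# A toy weakest-precondition generator, illustrating how tools of the second
# family turn an annotated program into verification conditions (VCs).
# Expressions and formulas are nested tuples for brevity:
#   ("var", x) | ("cst", n) | ("add", a, b)        -- expressions
#   ("le", a, b) | ("and", p, q) | ("imp", p, q)   -- formulas

def subst(x, e, t):
    """Substitute expression e for variable x inside term/formula t."""
    tag = t[0]
    if tag == "var":
        return e if t[1] == x else t
    if tag == "cst":
        return t
    return (tag,) + tuple(subst(x, e, u) for u in t[1:])

def wp(stmt, post):
    """Weakest precondition of a statement w.r.t. a postcondition.
    Statements: ("assign", x, e) and ("seq", s1, s2)."""
    if stmt[0] == "assign":
        _, x, e = stmt
        return subst(x, e, post)
    _, s1, s2 = stmt
    return wp(s1, wp(s2, post))

# Program: x := x + 1; y := x.  Postcondition: y <= 10.
prog = ("seq", ("assign", "x", ("add", ("var", "x"), ("cst", 1))),
               ("assign", "y", ("var", "x")))
vc = wp(prog, ("le", ("var", "y"), ("cst", 10)))
# The generated VC, x + 1 <= 10, is then discharged by an automatic prover.
```

In a real tool the resulting formula is passed to an SMT solver such as Z3, Alt-Ergo, or CVC4, which is exactly where the progress in SAT/SMT solving mentioned above pays off.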

One of our original skills is the ability to conduct proofs using automatic provers and proof assistants at the same time, depending on the difficulty of the program, and specifically the difficulty of each particular verification condition. We thus believe that we are in a good position to propose a bridge between the two families of approaches to deductive verification presented above. Establishing this bridge is one of the goals of the Toccata project: we want to provide methods and tools for deductive program verification that offer both a high degree of proof automation and a high guarantee of validity. Indeed, an axis of research of Toccata is the development of languages, methods, and tools that are themselves formally proved correct. Recent advances in the foundations of deductive verification include various aspects such as reasoning efficiently on bitvector programs 7 or providing counterexamples when a proof does not succeed 49.

A specifically challenging aspect of deductive verification methods is
how to deal with memory mutation in general, an issue that appears
under various similar forms, such as reasoning on mutable data
structures or on concurrent programs, with the common denominator of
tracking memory changes on shared data. The ability to track
aliasing is also key to specifying programs and
conducting proofs using the advanced notion of ghost code 6.

In industrial applications, numerical calculations are very common (e.g., control software in transportation). Typically they involve floating-point numbers. Some of the members of Toccata have an internationally recognized expertise on deductive program verification involving floating-point computations. Our past work includes a new approach for proving behavioral properties of numerical C programs using Frama-C/Jessie 34, various examples of applications of that approach 43, the use of the Gappa solver for proving numerical algorithms 61, and an approach to take architectures and compilers into account when dealing with floating-point programs 44, 60. We contributed to the CompCert verified compiler, regarding the support for floating-point operations 2. We also contributed to the Handbook of Floating-Point Arithmetic 59. A representative case study is the analysis and the proof of both the method error and the rounding error of a numerical analysis program solving the one-dimensional acoustic wave equation 41, 40. We published a reference book on the verification of floating-point algorithms with Coq 3. Our experience led us to the conclusion that verification of numerical programs can benefit a lot from combining automatic and interactive theorem proving 42, 43, 50. Verification of numerical programs is another main axis of Toccata.
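What makes such verification hard is that floating-point computations silently deviate from their real-number idealization. The snippet below merely exhibits the phenomenon on one run; tools like Gappa and Flocq instead prove bounds on such rounding errors for all inputs.

```python
# Why verifying numerical programs is hard: floating-point rounding.
# Illustrative only; deductive tools bound these errors formally.

# In binary64, 0.1 has no exact representation, so identities that hold
# over the reals fail over floats.
naive_equality = (0.1 + 0.2 == 0.3)   # False: the sum rounds to 0.30000000000000004

# Naive summation accumulates a rounding error at every addition; a deductive
# proof bounds this error instead of observing it on one execution.
s = 0.0
for _ in range(1000):
    s += 0.1
rounding_error = abs(s - 100.0)       # small but nonzero
```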

Deductive program verification methods are built upon theorem provers to decide whether an expected proof obligation on a program is a valid mathematical proposition; hence, working on deductive verification requires a certain amount of work on the design of theorem provers. We are involved in particular in the Alt-Ergo SMT solver, for which we designed an original approach for reasoning on arithmetic facts 5, 10, and in the Gappa tool dedicated to reasoning on rounding errors in floating-point computations 8. Proof by reflection is also a powerful approach for advanced reasoning about programs 9.
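The essence of proof by reflection is to replace step-by-step syntactic reasoning by computation on a reified goal. In a proof assistant the evaluator itself is proved correct once and for all; the sketch below only illustrates the reify-then-compute pattern, with names of our own choosing.

```python
# Proof by reflection, sketched: reify the goal into a data structure and
# decide it by computation rather than by a chain of deduction steps.

def eval_aexp(t):
    """Evaluate a reified arithmetic expression:
    ("cst", n) | ("plus", a, b) | ("times", a, b)."""
    tag = t[0]
    if tag == "cst":
        return t[1]
    a, b = eval_aexp(t[1]), eval_aexp(t[2])
    return a + b if tag == "plus" else a * b

# Deciding "(2 + 3) * 4 = 2 * 4 + 3 * 4" by computation on reified terms.
lhs = ("times", ("plus", ("cst", 2), ("cst", 3)), ("cst", 4))
rhs = ("plus", ("times", ("cst", 2), ("cst", 4)), ("times", ("cst", 3), ("cst", 4)))
decided = (eval_aexp(lhs) == eval_aexp(rhs))
```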

In the past, we have been more and more involved in the development of significantly large case studies and applications, such as the verification of matrix multiplication algorithms 4, the design of verified OCaml libraries 46, the realization of a platform for the verification of shell scripts 37, and the correct-by-construction design of an efficient library for arbitrary-precision arithmetic 9.

Our scientific programme detailed below is structured into four axes:

Let us conclude with more general considerations about our agenda of the next four years: we want to keep on

Permanent researchers: S. Conchon, J.-C. Filliâtre, C. Marché, G. Melquiond, A. Paskevich

This axis covers the central theme of the team: deductive verification, from the point of view of its foundations but also our will to spread its use in software development. The general motto we want to defend is “deductive verification for the masses”. A non-exhaustive list of subjects we want to address is as follows.

A significant part of the work achieved in this axis is related to the Why3 toolbox and its ecosystem, displayed in Figure 1. The boxes with a red background correspond to the tools we develop in the Toccata team.

Permanent researchers: J.-C. Filliâtre, C. Marché, G. Melquiond, A. Paskevich

This axis specifically concerns techniques for reasoning on programs where aliasing is the central issue. It covers methods based on type-based alias analysis and related memory models, on specific program logics such as separation logic, and on extended model checking. It concerns applications to the analysis of C or C++ code, of Ada code involving pointers, and also of concurrent programs in general. The main topics planned are:

Permanent researchers: S. Boldo, C. Marché, G. Melquiond

We naturally want to keep this axis, which is a major originality of Toccata. The main topics for the next 4 years will be:

Permanent researchers: S. Boldo, S. Conchon, J.-C. Filliâtre, C. Marché, G. Melquiond, A. Paskevich

This axis covers applications in general. The applications we currently have in mind are:

The application domains we target involve safety-critical software, that is, software for which a high level of guarantee of sound functional behavior is required. Currently, our industrial collaborations and impact mainly belong to the domain of transportation: aerospace, aviation, railway, and automotive.

Generally speaking, we believe that our increasing industrial impact is a representative success for our general goal of spreading deductive verification methods to a larger audience, and we are firmly committed to continuing such actions in the future.

Through the creation of the ProofInUse joint lab
(https://

The impact of ProofInUse can also be measured in terms of job
creation: the first two ProofInUse engineers, D. Hauzar and
C. Fumex, initially employed on Inria temporary positions, have now
been hired on permanent positions at the AdaCore company. It is also
interesting to notice that this effort allowed AdaCore to
attract new customers; in particular, the domains of application of
deductive formal verification went beyond the historical domain of
aerospace: applications in automotive
(https://

ParcourSup (https://

The expected properties of the algorithms in question are documented
in natural
language (https://

In 2019 we became involved in a project for the verification of these algorithms. The choice of the proof environment to prove the ParcourSup algorithms could naturally have turned to our Krakatoa tool 57, 58, dedicated to Java, but this tool is rather old: it only supports version 1.4 of Java (the Java code of ParcourSup requires version 8) and is not really maintained, due to a lack of users. Other similar proof environments exist, such as KeY 32 and VeriFast 51, but these tools do not support Java version 8 yet. The most promising candidate was OpenJML 47, which supports Java version 8.

In addition, our experience in the proof of programs led us to think that, to prove the ParcourSup code, it is better to start from an abstraction of the Java code, written directly in the intermediate language of Why3, in order to focus from the start on writing the necessary formal specifications, and then on the search for the invariants to insert into the code. The analysis with Why3 of the single-rate algorithm alone allowed us to validate several of the properties stated in the specification.

Later on, an analysis of the Java code with OpenJML identified risks of run-time errors due to arithmetic overflow. The proof of absence of run-time errors in this code was not fully achieved; we had to modify the Java code slightly. The original code was correct, but beyond the capabilities of OpenJML. The proof of the functional behavior of the Java code (the properties described in the specification document, in French) could not be carried out due to OpenJML limitations.

We finally implemented a new prototype, JML2Why3, to go further in the proof of functional properties of the Java code. Not only were we able to obtain again the proof of absence of arithmetic overflow and of null pointer dereferencing, but we could also formally establish the property that the final call order is indeed a permutation (hence a bijection) of the initial list of wishes: in particular, no candidate can be forgotten by the code.
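The permutation property proved above can be stated very simply; the runtime check below (with purely illustrative data) captures the same statement that JML2Why3 establishes statically for all executions: two sequences are permutations of each other exactly when they are equal once sorted.

```python
# A runtime sketch of the functional property proved on the code: the final
# call order must be a permutation of the initial list of wishes, so no
# candidate can be lost. The candidate lists here are illustrative.

def is_permutation(xs, ys):
    return sorted(xs) == sorted(ys)

# Reordering candidates preserves the property...
ok = is_permutation([3, 1, 4, 1, 5], [1, 1, 3, 4, 5])
# ...while dropping a candidate violates it.
ko = is_permutation([3, 1, 4, 1, 5], [1, 3, 4, 5])
```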

A report details the conclusion of this analysis 29.

Impactful results were produced in the context of the CoLiS project for the formal analysis of Debian packages. A first important step was version 2 of the design of the CoLiS language, done by B. Becker, C. Marché, and other co-authors 38, which includes a modified formal syntax and an extended formal semantics, together with the design of concrete and symbolic interpreters. Those interpreters are specified and implemented in Why3, proved correct (following the initial approach for the concrete interpreter published in 2018 52 and an approach for symbolic interpretation 37), and finally extracted to OCaml code.

To make the extracted code effective, it must be linked with a library that implements a solver for feature constraints 54, and with a library that formally specifies the behavior of basic UNIX utilities. The latter library is documented in detail in a research report 53.

A third result is a large verification campaign running the CoLiS toolbox on all the packages of the current Debian distribution. The results of this campaign were reported in another article 15, presented at the TACAS conference in 2020. The most visible side effect of this experiment is the discovery of bugs: more than 150 bug reports have been filed against various Debian packages.

The current plans for continuation of the ProofInUse joint lab
(https://

CoqInterval is a library for the proof assistant Coq.

It provides several tactics for proving theorems on enclosures of real-valued expressions. The proofs are performed by an interval kernel which relies on a computable formalization of floating-point arithmetic in Coq.
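The kernel idea is to compute with pairs of bounds so that the exact real value is always enclosed. The sketch below illustrates this principle only: the actual CoqInterval kernel uses directed rounding and is formally proved in Coq, whereas this toy version ignores the rounding of the bounds themselves.

```python
# A toy interval kernel: intervals are (lo, hi) pairs of floats, and every
# operation returns an interval that encloses the exact real result
# (up to the rounding of the bounds, which the real library handles).

def iadd(a, b):
    return (a[0] + b[0], a[1] + b[1])

def imul(a, b):
    ps = [a[0] * b[0], a[0] * b[1], a[1] * b[0], a[1] * b[1]]
    return (min(ps), max(ps))

def member(x, i):
    return i[0] <= x <= i[1]

# Enclosing pi in [3.14, 3.15]: pi**2 is guaranteed to lie in the product.
pi_itv = (3.14, 3.15)
pi2_itv = imul(pi_itv, pi_itv)
```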

The Marelle team developed a formalization of rigorous polynomial approximation using Taylor models in Coq. In 2014, this library was included in CoqInterval.

The Flocq library for the Coq proof assistant is a comprehensive formalization of floating-point arithmetic: core definitions, axiomatic and computational rounding operations, high-level properties. It provides a framework for developers to formally verify numerical applications.

Flocq is currently used by the CompCert verified compiler to support floating-point computations.

Some highlights from this release are:

See the Zenodo citation
https://

Coq version 8.13 integrates many usability improvements, as well as extensions of the core language. The main changes include:

See the changelog for an overview of the new features and changes, along with the full list of contributors.
https://

The purpose of the LCHIP project 25 is to ease the development of SIL4 certified systems and software, and to drastically reduce the costs associated with their development. To achieve this goal, LCHIP combines a complete development environment for the B formal language and a safe execution platform.

LCHIP avoids most testing by taking care of the verification of the software (type checking, proof, compilation). The B method underlying this project enforces the development to be mathematically sound by producing proof obligations (POs). These logical formulas are expressed in first-order logic extended with set theory and integer arithmetic. To target full proof automation of POs, the LCHIP platform integrates several automatic theorem provers. As a proof of concept, a connection to third-party provers has been conducted through the Why3 tool. This experiment produced excellent results in terms of proof automation, in particular for the Alt-Ergo prover.

M. Clochard, C. Marché and A. Paskevich
proposed a new approach to deductive program verification based on
auxiliary programs called ghost monitors. This technique
is useful when the syntactic structure of the target program is
not well suited for verification, for example, when an essentially
recursive algorithm is implemented in an iterative fashion. This
new approach consists in implementing, specifying, and verifying
an auxiliary program that monitors the execution of the target
program, in such a way that the correctness of the monitor entails
the correctness of the target. The ghost monitor maintains the
necessary data and invariants to facilitate the proof. It can be
implemented and verified in any suitable framework, which does not
have to be related to the language of the target programs. This
technique is also applicable when one wants to establish
relational properties between two target programs written in
different languages and having different syntactic structure.

Ghost monitors can be used to specify and prove fine-grained
properties about the infinite behaviors of target programs.
Since this cannot be easily done using existing verification
frameworks, this work introduces a dedicated language for ghost
monitors, with an original construction to catch and handle
divergent executions. The soundness of the underlying program
logic is established using a particular flavor of transfinite
games. This language and its soundness are formalized and
mechanically checked 17.


We have bilateral contracts which are closely related to a joint effort called the ProofInUse joint Laboratory. The objective of ProofInUse is to provide verification tools, based on mathematical proof, to industry users. These tools are aimed at replacing or complementing the existing test activities, whilst reducing costs.

This joint laboratory is a follow-up of the former “LabCom
ProofInUse” between Toccata and the SME AdaCore, funded by the ANR
programme “Laboratoires communs”, from April 2014 to March 2017
http://

This collaboration is a joint effort of the Inria project-team Toccata and the AdaCore company which provides development tools for the Ada programming language. It is funded by a 5-year bilateral contract from Jan 2019 to Dec 2023.

The SME AdaCore is a software publisher specializing in providing software development tools for critical systems. A previous successful collaboration between Toccata and AdaCore enabled Why3 technology to be put into the heart of the AdaCore-developed SPARK technology.

The objective of ProofInUse-AdaCore is to significantly increase the capabilities and performance of the SPARK/Ada verification environment proposed by AdaCore. It aims at integrating verification techniques at the state of the art of academic research, via the generic environment Why3 for deductive program verification developed by Toccata.

This bilateral contract is part of the ProofInUse effort. This collaboration joins efforts of the Inria project-team Toccata and the company Mitsubishi Electric R&D (MERCE) in Rennes. It is funded by a bilateral contract of 18 months from Nov 2019 to April 2021.

MERCE has strong and recognized skills in the field of formal methods. In the industrial context of the Mitsubishi Electric Group, MERCE has acquired knowledge of the specific needs of the development processes and meets the needs of the group in different areas of application by providing automatic verification and demonstration tools adapted to the problems encountered.

The objective of ProofInUse-MERCE is to significantly improve on-going MERCE tools regarding the verification of Programmable Logic Controllers and also regarding the verification of numerical C codes.

This bilateral contract is part of the ProofInUse effort. This collaboration joins efforts of the Inria project-team Toccata and the company TrustInSoft in Paris. It is funded by a bilateral contract of 18 months from Dec 2020 to April 2022.

TrustInSoft is an SME that offers the TIS-Analyzer environment for
analysis of safety and security properties of source codes
written in C and C++ languages. A version of TIS-Analyzer is
available online, under the name TaaS (TrustInSoft as a
Service, https://

The objective of ProofInUse-TrustInSoft is to integrate deductive verification in the TIS-Analyzer platform, with a special interest in the generation of counterexamples to help the user in case of proof failure.

A contract will be signed in 2021 between the CEA-DAM
(“Direction des applications militaires”) and Toccata about
the management of the PhD thesis of Louise Ben Salem-Knapp with
William Weens (CEA-DAM) and Guillaume Perrin (CEA-DAM).

The topic of this PhD lies between computer science and applied mathematics. We consider algorithms from numerical analysis and verify their good behavior on computers. This behavior, proven under the assumption that computations are exact, could be invalidated by round-off errors and overflows due to computations in floating-point arithmetic. We plan to study the impact of round-off errors in a hydrodynamic code. Hydrodynamics is the skeleton model of many physical models used in industry. It contains numerous technical, mathematical, and numerical difficulties, which does not prevent its massive use in the simulation industry on increasingly complex problems. Today, the resolution of such problems requires the use of supercomputers, as well as the implementation of algorithms adapted to massively parallel computation. The very large number of calculations required to produce results raises the question of their numerical quality.

Jointly with the thesis of R. Rieu-Helft, supervised in collaboration with the TrustInSoft company, we established a 3-year bilateral collaboration contract, which ended in November 2020. The aim is to design methods that make it possible to build an arbitrary-precision integer library that, while competitive with the state-of-the-art library GMP, is formally verified. Not only are GMP's algorithms especially intricate from an arithmetic point of view, but numerous tricks were also used to optimize them. We are using the Why3 programming language to implement the algorithms, we are developing reflection-based procedures to verify them, and we finally extract them as a C library that is binary-compatible with GMP 9, 21. The PhD thesis was defended in Nov. 2020 27.
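The flavor of what such a library proves can be conveyed on a toy scale: arbitrary-precision integers are stored as sequences of limbs, and every operation must propagate carries correctly. The sketch below uses base-10 limbs for readability; the real library uses machine-word limbs, is proved in Why3, and is extracted to C.

```python
# Schoolbook addition on limb lists (least significant digit first).
BASE = 10

def add_limbs(xs, ys):
    """Add two limb lists, propagating the carry."""
    out, carry = [], 0
    for i in range(max(len(xs), len(ys))):
        s = (xs[i] if i < len(xs) else 0) + (ys[i] if i < len(ys) else 0) + carry
        out.append(s % BASE)
        carry = s // BASE
    if carry:
        out.append(carry)
    return out

def value(limbs):
    """Interpretation of limbs as an integer. The key invariant to prove is:
    value(add_limbs(xs, ys)) == value(xs) + value(ys)."""
    return sum(d * BASE ** i for i, d in enumerate(limbs))

# 999 + 1 = 1000, with the carry rippling through every limb.
result = add_limbs([9, 9, 9], [1])
```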

EMC2 is an ERC Synergy project that aims to overcome some of the current limitations in the field of molecular simulation and to provide academic communities and industrial companies with new-generation, dramatically faster, and quantitatively reliable molecular simulation software. This will enable those communities to address major technological and societal challenges of the 21st century, in health, energy, and the environment for instance.

Abstract: Types are pervasive in programming and information technology. A type defines a formal interface between software components, allowing the automatic verification of their connections, and greatly enhancing the robustness and reliability of computations and communications. In rich dependent type theories, the full functional specification of a program can be expressed as a type. Type systems have rapidly evolved over the past years, becoming more sophisticated, capturing new aspects of the behaviour of programs and the dynamics of their execution.

This COST Action will give a strong impetus to research on type theory and its many applications in computer science, by promoting (1) the synergy between theoretical computer scientists, logicians, and mathematicians to develop new foundations for type theory, for example based on the recent development of "homotopy type theory", (2) the joint development of type-theoretic tools such as proof assistants and integrated programming environments, (3) the study of dependent types for programming and its deployment in software development, (4) the study of dependent types for verification and its deployment in software analysis and verification. The action will also tie together these different areas and promote cross-fertilisation.

The CoLiS research project is funded by the programme “Société de
l'information et de la communication” of the ANR, for a period of
60 months, starting on October 1st,
2015. http://

The project aims at developing formal analysis and verification techniques and tools for scripts. These scripts are written in the POSIX or bash shell language. Our objective is to produce, by the end of the project, formal methods and tools allowing one to analyze, test, and validate scripts. For this, the project will develop techniques and tools based on deductive verification and on tree transducers stemming from the domain of XML documents.

Partners: Université Paris-Diderot, IRIF laboratory (formerly PPS & LIAFA), coordinator; Inria Lille, team LINKS

The Vocal research project is funded by the programme “Société de
l'information et de la communication” of the ANR, for a period of 60
months, starting on October 1st, 2015. See https://

The goal of the Vocal project is to develop the first formally verified library of efficient general-purpose data structures and algorithms. It targets the OCaml programming language, which allows for fairly efficient code and offers a simple programming model that eases reasoning about programs. The library will be readily available to implementers of safety-critical OCaml programs, such as Coq, Astrée, or Frama-C. It will provide the essential building blocks needed to significantly decrease the cost of developing safe software. The project intends to combine the strengths of three verification tools, namely Coq, Why3, and CFML. It will use Coq to obtain a common mathematical foundation for program specifications, as well as to verify purely functional components. It will use Why3 to verify a broad range of imperative programs with a high degree of proof automation. Finally, it will use CFML for formal reasoning about effectful higher-order functions and data structures making use of pointers and sharing.

Partners: team Gallium (Inria Paris-Rocquencourt), team DCS (Verimag), TrustInSoft, and OCamlPro.

LCHIP (Low Cost High Integrity Platform) is aimed at easing the
development of safety critical applications (up to SIL4) by
providing: (i) a complete IDE able to automatically generate and
prove bounded complexity software (ii) a low cost, safe execution
platform. The full support of DSLs and third party code generators
will enable a seamless deployment into existing development cycles.
LCHIP gathers scientific results obtained during the last 20 years
in formal methods, proof, refinement, code generation, etc. as well
as a unique return of experience on safety critical systems design.
http://

Partners: 2 technology providers (ClearSy, OcamlPro), in charge of building the architecture of the platform; 3 labs (IFSTTAR, LIP6, LRI), to improve the LCHIP IDE features; 2 large companies (SNCF, RATP), representing public ordering parties, to check compliance with standards and industrial railway use cases.

The project led by ClearSy has started in April 2016 and lasts 3 years. It is funded by BpiFrance as well as French regions.

Verification of PARameterized DIstributed systems. A parameterized
system specification is a specification for a whole class of
systems, parameterized by the number of entities and the properties
of the interaction, such as the communication model
(synchronous/asynchronous, order of delivery of messages, application
ordering) or the fault model (crash failure, message loss). To
assist and automate verification without parameter instantiation,
PARDI uses two complementary approaches. First, a fully automatic
model checker modulo theories is considered. Then, to go beyond the
intrinsic limits of parameterized model checking, the project
advocates a collaborative approach between proof assistant and model
checker. http://

The project led by Toulouse INP/IRIT started in 2016 and lasts for 4 years. Partners: Université Pierre et Marie Curie (LIP6), Université Paris-Sud (LRI), Inria Nancy (team VERIDIS)

The last twenty years have seen the advent of computer-aided proofs in
mathematics and this trend is getting more and more important. They
request various levels of numerical safety, from fast and stable
computations to formal proofs of the computations. However, the
necessary tools and routines are usually ad hoc, sometimes
unavailable, or nonexistent. From a complementary perspective, numerical
safety is also critical for complex guidance and control algorithms,
in the context of increased satellite autonomy. We plan to design a
whole set of theorems, algorithms and software developments, that will
allow one to study a computational problem on all (or any) of the
desired levels of numerical rigor. Key developments include fast and
certified spectral methods and polynomial arithmetic, with subsequent
formal verifications. There will be a strong feedback between the
development of our tools and the applications that motivate it.
https://

The project led by École Normale Supérieure de Lyon (LIP) has started in February 2021 and lasts for 4 years. Partners: Inria (teams Aric, Galinette, Lfant, Marelle, Toccata), École Polytechnique (LIX), Sorbonne Université (LIP6), Université Sorbonne Paris Nord (LIPN), CNRS (LAAS).

In 2020, the members of the Toccata team reviewed numerous papers for numerous international conferences. Here is a non-exhaustive list.

In 2020, the members of the Toccata team reviewed numerous papers for numerous international journals. Here is a non-exhaustive list.

Together with Thibaut Balabonski and Kim Nguyen, Sylvain Conchon and
Jean-Christophe Filliâtre wrote Numérique et Sciences
Informatiques, 24 leçons avec exercices
corrigés. Terminale 26 (Ellipses, 2020).
It is a second volume, the first one targeting the “classe de
Première” (Ellipses, 2019).

Sylvie Boldo took part in a popularization radio program about
computer science
https://