The EPI Gallinette aims at developing a new generation of proof assistants, with the belief that practical experiments must go in pair with foundational investigations:

Software quality is a requirement that is becoming more and more prevalent,
by now far exceeding the traditional scope of embedded systems. The
development of tools to construct software that respects a given specification
is a major challenge facing computer science. Proof assistants
such as Coq provide a formal method whose central
innovation is to produce certified programs by transforming
the very activity of programming. Programming and proving are merged
into a single development activity, informed by an elegant but rigid
mathematical theory inspired by the correspondence between programming,
logic and algebra: the Curry-Howard correspondence. For the
certification of programs, this approach has shown its efficiency
in the development of important pieces of certified software such
as the C compiler of the CompCert project .
The extracted CompCert compiler is reliable and efficient, running
only 15% slower than GCC 4 at optimisation level 2 (gcc -O2),
a level of optimisation that was considered before to be highly unreliable.

Proof assistants can also be used to formalise mathematical
theories: they not only provide a means of representing mathematical
theories in a form amenable to computer processing, but their internal
logic provides a language for reasoning about such theories. In the
last decade, proof assistants have been used to verify extremely large
and complicated proofs of recent mathematical results, sometimes requiring
either intensive computations ,
or intricate combinations of a multitude of mathematical theories
. But formalised mathematics is more than just proof
checking and proof assistants can help with organisation mathematical
knowledge or even with the discovery of new constructions and proofs.

Unfortunately, the rigidity of the theory behind proof assistants impedes their expressiveness both as programming languages and as logical systems. For instance, a program extracted from Coq only uses a purely functional subset of OCaml, leaving behind important means of expression such as side-effects and objects. Limitations also appear in the formalisation of advanced mathematics: proof assistants do not cope well with classical axioms such as excluded middle and choice which are sometimes used crucially. The fact of the matter is that the development of proof assistants cannot be dissociated from a reflection on the nature of programs and proofs coming from the Curry-Howard correspondence. In the EPC Gallinette, we propose to address several drawbacks of proof assistants by pushing the boundaries of this correspondence.

In the 1970's, the Curry-Howard correspondence was seen as a perfect match between functional programs, intuitionistic logic, and Cartesian closed categories. It received several generalisations over the decades, and now it is more widely understood as a fertile correspondence between computation, logic, and algebra. Nowadays, the view of the Curry-Howard correspondence has evolved from a perfect match to a collection of theories meant to explain similar structures at work in logic and computation, underpinned by mathematical abstractions. By relaxing the requirement of a perfect match between programs and proofs, and instead emphasising the common foundations of both, the insights of the Curry-Howard correspondence may be extended to domains for which the requirements of programming and mathematics may in fact be quite different.

Consider the following two major theories of the past decades, which were until recently thought to be irreconcilable:

We now outline a series of scientific challenges aimed at understanding of type theory, effects, and their combination.

More precisely, three key axes of improvement have been identified:

To validate the new paradigms, we propose in Section three particular application fields in which members of the team already have a strong expertise: code refactoring, constraint programming and symbolic computation.

The democratisation of proof assistants based on type theory has likely been impeded by one central problem: the mismatch between the conception of equality in mathematics and its formalisation in type theory. Indeed, some basic principles that are used implicitly in mathematics—such as Church’s principle of propositional extensionality, which says that two propositions are equal when they are logically equivalent—are not derivable in type theory. Even more problematically, from a computer science point of view, the basic concept of two functions being equal when they are equal at every “point” of their domain is also not derivable: rather, it must be added as an additional axiom. Of course, these principles are consistent with type theory so that working under the corresponding additional assumptions is safe. But the use of these assumptions in a definition potentially clutters its computational behaviour: since axioms are computational black boxes, computation gets stuck at the points of the code where they have been used.

We propose to investigate how expressive logical transformations such as forcing and sheaf construction might be used to enhance the computational and logical power of proof assistants—with a particular emphasis on their implementation in the Coq proof assistant by the means of effective translations (or compilation phases). One of the main topics of this task, in connection to the ERC project CoqHoTT, is the integration in Coq of new concepts inspired by homotopy type theory such as the univalence principle, and higher inductive types.

In the Coq proof assistant, the sort proof
irrelevance, can be expressed formally as: raison d'être of the sort

The univalence principle is becoming widely accepted as a very promising
avenue to provide new foundations for mathematics and type theory.
However, this principle has not yet been incorporated into a proof
assistant. Indeed, the very mathematical structures (known as

Hence a major objective is to achieve a complete internalisation of univalence in intensional type theory, including an integration to a new version of Coq. We will strive to keep compatibility with previous versions, in particular from a performance point of view. Indeed, the additional complexity of homotopy type theory should not induce an overhead in the type checking procedure used by the software if we want our new framework to become rapidly adopted by the community. Concretely, we will make sure that the compilation time of Coq’s Standard Library will be of the same order of magnitude.

Extending the power of a logic using model transformations (e.g.,
forcing transformation , or the sheaf
construction ) is a classic topic of mathematical
logic , . However, these ideas have
not been much investigated in the setting of type theory, even though
they may provide a useful framework for extending the logical power
of proof assistant in a modular way. There is a good reason for this:
with a syntactic notion of equality, the underlying structure of type
theory does not conform to the structure of topos used in mathematical
logic. A direct incorporation of the standard techniques is therefore
not possible. However, a univalent notion of equality brings type
theory closer to the required algebraic structure, as it corresponds
to the notion of

The Gallinette project advocates the use of distinct compilation phases as a methodology for the design of a new generation of proof assistants featuring modular extensions of a core logic. The essence of a compiler is the separation of the complexity of a translation process into modular stages, and the organization of their re-composition. This idea finds a natural application in the design of complex proof assistants (Figure ). For instance, the definition of type classes in Coq follows this pattern, and is morally given by the means of a translation into a type-class free kernel. More recently, a similar approach by compilation stages, using the forcing transformation, was used to relax the strict positivity condition guarding inductive types , . We believe that this flavour of compilation-based strategies offers a promising direction of investigation for the purpose of defining a decidable type checking algorithm for HoTT.

We propose the incorporation of effects in the theory of proof assistants at a foundational level. Not only would this allow for certified programming with effects, but it would moreover have implications for both semantics and logic.

We mean effects in a broad sense that encompasses both Moggi's
monads and Girard's linear
logic . These two seminal works have given rise to respective
theories of effects (monads) and resources (co-monads). Recent advances,
however have unified these two lines of thought: it is now clear that
the defining feature of effects, in the broad sense, is sensitivity
to evaluation order , .

In contrast, the type theory that forms the foundations of proof assistants
is based on pure “the next
difficult step [...] currently under investigation”.

Any realistic program contains effects: state, exceptions, input-output.
More generally, evaluation order may simply be important for complexity
reasons. With this in mind, many works have focused on certified programming
with effects: notably Ynot , and more recently

We propose to develop the foundations of a type theory with effects
taking into account the logical and semantic aspects, and to study
their practical and theoretical consequences. A type theory that integrates
effects would have logical, algebraic and computational implications
when viewed through the Curry-Howard correspondence. For instance,
effects such as control operators establish a link with classical
proof theory . Indeed, control
operators provide computational interpretations of type isomorphisms
such as

The goal is to develop a type theory with effects that accounts both for practical experiments in certified programming, and for clues from denotational semantics and logical phenomena, in a unified setting.

A crucial step is the integration of dependent types with effects,
a topic which has remained “currently under investigation”
ever since the beginning. The difficulty resides
in expressing the dependency of types on terms that can perform side-effects
during the computation. On the side of denotational semantics, several
extensions of categorical models for effects with dependent types
have been proposed , using axioms that should
correspond to restrictions in terms of expressivity but whose practical
implications, however, are not immediately transparent. On the side
of logical approaches , , , ,
one first considers a drastic restriction to terms that do not compute,
which is then relaxed by semantic means. On the side of systems for
certified programming such as

Thus, the recurring idea is to introduce restrictions on the dependency
in order to establish an encapsulation of effects. In our approach,
we seek a principled description of this idea by developing the concept
of semantic value (thunkables, linears) which arose from foundational
considerations , , and
whose relevance was highlighted in recent works , .
The novel aspect of our approach is to seek a proper extension of
type theory which would provide foundations for a classical type theory
with axiom of choice in the style of Herbelin ,
but which moreover could be generalised to effects other than just
control by exploiting an abstract and adaptable notion of semantic
value.

In our view, the common idea that evaluation order does not matter
for pure and terminating computations should serve as a bridge between
our proposals for dependent types in the presence of effects and traditional
type theory. Building on the previous goal, we aim to study the relationship
between semantic values, purity, and parametricity theorems , .
Our goal is to characterise parametricity as a form of intuitionistic
depolarisation following the method by which the first game model
of full linear logic was given (Melliès , ).
We have two expected outcomes in mind: enriching type theory with
intensional content without losing its properties, and giving an explanation
of the dependent types in the style of Idris and

An integrated type theory with effects requires an understanding of
evaluation order from the point of view of rewriting. For instance,
rewriting properties can entail the decidability of some conversions,
allowing the automation of equational reasoning in types .
They can also provide proofs of computational consistency (that terms
are not all equivalent) by showing that extending calculi with new
constructs is conservative . In our approach,
the

One goal is to prove computational consistency or decidability of conversions purely using advanced rewriting techniques following a technique introduced in . Another goal is the characterisation of weak reductions: extensions of the operational semantics to terms with free variables that preserve termination, whose iteration is equivalent to strong reduction , . We aim to show that such properties derive from generic theorems of higher-order rewriting , so that weak reduction can easily be generalised to richer systems with effects.

Proof theory and rewriting are a source of coherence theorems
in category theory, which show how calculations in a category can
be simplified with an embedding into a structure with stronger properties
, . We aim to explore such results
for categorical models of effects , . Our key
insight is to consider the reflection between indirect and direct
models , as a coherence theorem:
it allows us to embed the traditional models of effects into structures
for which the rewriting and proof-theoretic techniques from the previous
section are effective.

Building on this, we are further interested in connecting operational
semantics to 2-category theory, in which a second dimension is traditionally
considered for modelling conversions of programs rather than equivalences.
This idea has been successfully applied for the

The unified theory of effects and resources prompts an investigation into the semantics of safe and automatic resource management, in the style of Modern C++ and Rust. Our goal is to show how advanced semantics of effects, resources, and their combination arise by assembling elementary blocks, pursuing the methodology applied by Melliès and Tabareau in the context of continuations . For instance, combining control flow (exceptions, return) with linearity allows us to describe in a precise way the “Resource Acquisition Is Initialisation” idiom in which the resource safety is ensured with scope-based destructors. A further step would be to reconstruct uniqueness types and borrowing using similar ideas.

The development of tools to construct software systems that respect
a given specification is a major challenge of current and future research
in computer science. Certified programming with dependent types has
recently attracted a lot of interest, and Coq is the de facto
standard for such endeavours, with an increasing number of users,
pedagogical resources, and large-scale projects. Nevertheless, significant
work remains to be done to make Coq more usable from a software engineering
point of view. The Gallinette team proposes to make progress on three
lines of work: (i) the development of gradual certified programming,
(ii) the integration of imperative features and object polymorphism
in Coq, and (iii) the development of robust tactics for proof engineering
for the scaling of formalised libraries.

One of the main issues faced by a programmer starting to internalise in a proof assistant code written in a more permissive world is that type theory is constrained by a strict type discipline which lacks flexibility. Concretely, as soon as you start giving a more precise type/specification to a function, the rest of the code interacting with this function needs to be more precise too. To address this issue, the Gallinette team will put strong efforts into the development of gradual typing in type theory to allow progressive integration of code that comes from a more permissive world.

Indeed, on the way to full verification, programmers can take advantage of a gradual approach in which some properties are simply asserted instead of proven, subject to dynamic verification. Tabareau and Tanter have made preliminary progress in this direction . This work, however, suffers from a number of limitations, the most important being the lack of a mechanism for handling the possibility of runtime errors within Coq. Instead of relying on axioms, this project will explore the application of Section to embed effects in Coq. This way, instead of postulating axioms for parts of the development that are too hard/marginal to be dealt with, the system adds dynamic checks. Then, after extraction, we get a program that corresponds to the initial program but with dynamic checks for parts that have not been proven, ensuring that the program will raise an error instead of going outside its specification.

This will yield new foundations of gradual certified programming, both more expressive and practical. We will also study how to integrate previous techniques with the extraction mechanism of Coq programs to OCaml, in order to exploit the exception mechanism of OCaml.

Abstract data types (ADTs) become useful as the size of programs grows since they provide for a modular approach, allowing abstractions about data to be expressed and then instantiated. Moreover, ADTs are natural concepts in the calculus of inductive constructions. But while it is easy to declare an ADT, it is often difficult to implement an efficient one. Compare this situation with, for example, Okasaki's purely functional data structures which implement ADTs like queues in languages with imperative features. Of course, Okasaki's queues enforce some additional properties for free, such as persistence, but the programmer may prefer to use and to study a simpler implementation without those additional properties. Also in certified symbolic computation (see ), an efficient functional implementation of ADTs is often not available, and efficiency is a major challenge in this area. Relying on the theoretical work done in , we will equip Coq with imperative features and we will demonstrate how they can be used to provide efficient implementations of ADTs. However, it is also often the case that imperative implementations are hard-to-reason-on, requiring for instance the use of separation logic. But in that case, we benefit from recent works on integration of separation logic in the Coq proof assistant and in particular the .

Object-oriented programming has evolved since its foundation based on the representation of computations as an exchange of messages between objects. In modern programming languages like Scala, which aims at a synthesis between object-oriented and functional programming, object-orientation concretely results in the use of hierarchies of interfaces ordered by the subtyping relation and the definition of interface implementations that can interoperate. As observed by Cook and Aldrich , , interoperability can be considered as the essential feature of objects and is a requirement for many modern frameworks and ecosystems: it means that two different implementations of the same interface can interoperate.

Our objective is to provide a representation of object-oriented programs, by focusing on subtyping and interoperability.

For subtyping, the natural solution in type theory is coercive subtyping , as implemented in Coq, with an explicit operator for coercions. This should lead to a shallow embedding, but has limitations: indeed, while it allows subtyping to be faithfully represented, it does not provide a direct means to represent union and intersection types, which are often associated with subtyping (for instance intersection types are present in Scala). A more ambitious solution would be to resort to subsumptive subtyping (or semantic subtyping ): in its more general form, a type algebra is extended with boolean operations (union, intersection, complementing) to get a boolean algebra with operators (the original type constructors). Subtyping is then interpreted as the natural partial order of the boolean algebra.

We propose to use the type class machinery of Coq to implement semantic subtyping for dependent type theory. Using type class resolution, we can emulate inference rules of subsumptive subtyping without modifying Coq internally. This has also another advantage. As subsumptive subtyping for dependent types should be undecidable in general, using type class resolution allows for an incomplete yet extensible decision procedure.

When developing certified software, a major part of the effort is
spent not only on writing proof scripts, but on rewriting them,
either for the purpose of code maintenance or because of more significant
changes in the base definitions. Regrettably, proof scripts suffer
more often than not from a bad programming style, and too many proof
developers casually neglect the most elementary principles of well-behaved
programmers. As a result, many proof scripts are very brittle, user-defined
tactics are often difficult to extend, and sometimes even lack a clear
specification. Formal libraries are thus generally very fragile pieces
of software. One reason for this unfortunate situation is that proof
engineering is very badly served by the tools currently available
to the users of the Coq proof assistant, starting with its tactic
language. One objective of the Gallinette team is to develop better
tools to write proof scripts.

Completing and maintaining a large corpus of formalised mathematics
requires a well-designed tactic language. This language should both
accommodate the possible specific needs of the theories at stake,
and help with diagnostics at refactoring time. Coq's tactic language
is in fact two-leveled. First, it includes a basic tactic language,
to organise the deductive steps in a proof script and to perform the
elementary bureaucracy. Its second layer is a meta-programming language,
which allows users to define their own new tactics at toplevel. Our
first direction of work consists in the investigation of the appropriate
features of the basic tactic language. For instance, the design
of the Ssreflect tactic language, and its support for the small scale
reflection methodology , has been a
key ingredient in at least two large scale formalisation endeavours:
the Four Colour Theorem and of the Odd Order
Theorem . Building on our experience with the Ssreflect
tactic language, we will contribute to the ongoing work on the basic
tactic language for Coq. The second objective of this task is to contribute
to the design of a typed tactic language. In particular, we
will build on the work of Ziliani and his collaborators ,
extending it with reasoning about the effects that tactics have on
the “state of a proof” (e.g. number of sub-goals, metavariables in
context). We will also develop a novel approach for incremental type
checking of proof scripts, so that programmers gain access to a richer
discovery—engineering interaction with the proof assistant.

The first three axes of the EPC Gallinette aim at developing a new generation of proof assistants. But we strongly believe that foundational investigations must go hand in hand with practical experiments. Therefore, we expect to benefit from existing expertise and collaborations in the team to experiment our extensions of Coq on real world developments. It should be noticed that those practical experiments are strongly guided by the deep history of research on software engineering of team members.

In the context of refactoring of C programs, we intend to formalise program transformations that are written in an imperative style to test the usability of our addition of effects in the proof assistant. This subject has been chosen based on the competence of members of the team.

We plan to make use of the internalisation of the object-oriented paradigm in the context of constraint programming. Indeed, this domain is made of very complex algorithms that are often developed using object-oriented programming (as it is the case for instance for CHOCO, which is developed in the Tasc Group at IMT Atlantique, Nantes). We will in particular focus on filtering algorithms in constraint solvers, for which research publications currently propose new algorithms with manual proofs. Their formalisation in Coq is challenging. Another interesting part of constraint solving to formalise is the part that deals with program generation (as opposed to extraction). However, when there are numerous generated pieces of code, it is not realistic to prove their correctness manually, and it can be too difficult to prove the correctness of a generator. So we intend to explore a middle path that consists in generating a piece of code along with its corresponding proof (script or proof term). A target application could be interval constraints (for instance Allen interval algebra or region connection calculus) that can generate thousands of specialised filtering algorithms for a small number of variables .

Finally, Rémi Douence has already worked (articles publishing , , , , , , PhD Thesis advising , ) with different members of the Tasc team. Currently, he supervises with Nicolas Beldiceanu the PhD Thesis of Jovial Cheukam Ngouonou in the Tasc team. He studies graph invariants to enhance learning algorithms. This work requires proofs, manually done for now, we would like to explore when these proofs could be mechanized.

We will investigate how the addition of effects in the Coq proof assistant can facilitate the marriage of computer algebra with formal proofs. Computer algebra systems on one hand, and proof assistants on the other hand, are both designed for doing mathematics with the help of a computer, by the means of symbolic computations. These two families of systems are however very different in nature: computer algebra systems allow for implementations faithful to the theoretical complexity of the algorithms, whereas proof assistants have the expressiveness to specify exactly the semantics of the data-structures and computations.

Experiments have been run that link computer algebra systems with Coq , . These bridges rely on the implementation of formal proof-producing core algorithms like normalisation procedures. Incidentally, they require non trivial maintenance work to survive the evolution of both systems. Other proof assistants like the Isabelle/HOL system make use of so-called reflection schemes: the proof assistant can produce code in an external programming language like SML, but also allows to import the values output by these extracted programs back inside the formal proofs. This feature extends the trusted base of code quite significantly but it has been used for major achievements like a certified symbolic/numeric ODE solver .

We would like to bring Coq closer to the efficiency and user-friendliness of computer algebra systems: for now it is difficult to use the Coq programming language so that certified implementations of computer algebra algorithms have the right, observable, complexity when they are executed inside Coq. We see the addition of effects to the proof assistant as an opportunity to ease these implementations, for instance by making use of caching mechanisms or of profiling facilities. Such enhancements should enable the verification of computation-intensive mathematical proofs that are currently beyond reach, like the validation of Helfgott's proof of the weak Goldbach conjecture .

We now list the main pieces of software partially or totally developed in the team.

Building on the recent extension of dependent type theory with a universe of definitionally proof-irrelevant types, we introduce in

An alternative to working with model structures is to pursue the idea of pushing synthetic Homotopy Theory further, so as to deal with higher coherences directly inside Type Theory. In
we show that, by extending univalent type theory with a universe of definitionally associative and unital polynomial monads, we arrive at a coinductive definition of opetopic type which is able to encode a number of fully coherent algebraic structures. In particular, our approach leads to a definition of

Proof assistants play a dual role as programming languages and logical systems. As programming languages, proof assistants offer standard modularity mechanisms such as first-class functions, type polymorphism and modules. As logical systems, however, modularity is lacking, and understandably so: incompatible reasoning principles-such as univalence and uniqueness of identity proofs-can indirectly lead to logical inconsistency when used in a given development, even when they appear to be confined to different modules. The lack of logical modularity in proof assistants also hinders the adoption of richer programming constructs, such as effects. In , we propose the multiverse, a general type-theoretic approach to endow proof assistants with logical modularity. The multiverse consists of multiple universe hierarchies that statically describe the reasoning principles and effects available to define a term at a given type. We identify sufficient conditions for this structuring to modularly ensure that incompatible principles do not interfere, and to locally restrict the power of dependent elimination when necessary. This extensible approach generalizes the ad-hoc treatment of the sort of propositions in the Coq proof assistant. We illustrate the power of the multiverse by describing the inclusion of Coq-style propositions, the strict propositions of Gilbert et al., the exceptional type theory of Pédrot and Tabareau, and general axiomatic extensions of the logic.

Many of our work on proof assistants are based on the .

Dependently typed programming languages and proof assistants such as Agda and Coq rely on computation to automatically simplify expressions during type checking. To overcome the lack of certain programming primitives or logical principles in those systems, it is common to appeal to axioms to postulate their existence. However, one can only postulate the bare existence of an axiom, not its computational behaviour. Instead, users are forced to postulate equality proofs and appeal to them explicitly to simplify expressions, making axioms dramatically more complicated to work with than built-in primitives. On the other hand, the equality reflection rule from extensional type theory solves these problems by collapsing computation and equality, at the cost of having no practical type checking algorithm. In , we introduce Rewriting Type Theory (RTT), a type theory where it is possible to add computational assumptions in the form of rewrite rules. Rewrite rules go beyond the computational capabilities of intensional type theory, but in contrast to extensional type theory, they are applied automatically so type checking does not require input from the user. To ensure type soundness of RTT—as well as effective type checking—we provide a framework where confluence of user-defined rewrite rules can be checked modularly and automatically, and where adding new rewrite rules is guaranteed to preserve subject reduction. The properties of RTT have been formally verified using the MetaCoq framework and an implementation of rewrite rules is already available in the Agda proof assistant.

Reasoning modulo equivalences is natural for everyone, including mathematicians. Unfortunately, in proof assistants based on type theory, which are frequently used to mechanize mathematical results and carry out program verification efforts, equality is appallingly syntactic and, as a result, exploiting equivalences is cumbersome at best. Parametricity and univalence are two major concepts that have been explored in the literature to transport programs and proofs across type equivalences, but they fall short of achieving seamless, automatic transport. This work developed in first clarifies the limitations of these two concepts when considered in isolation, and then devises a fruitful marriage between both. The resulting concept, called univalent parametricity, is an extension of parametricity strengthened with univalence that fully realizes programming and proving modulo equivalences. Our approach handles both type and term dependency, as well as type-level computation. In addition to the theory of univalent parametricity, we present a lightweight framework implemented in the Coq proof assistant that allows the user to transparently transfer definitions and theorems for a type to an equivalent one, as if they were equal. For instance, this makes it possible to conveniently switch between an easy-to-reason-about representation and a computationally-efficient representation, as soon as they are proven equivalent. The combination of parametricity and univalence supports transport à la carte: basic univalent transport, which stems from a type equivalence, can be complemented with additional proofs of equivalences between functions over these types, in order to be able to transport more programs and proofs, as well as to yield more efficient terms. We illustrate the use of univalent parametricity on several examples, including a recent integration of native integers in Coq. This work paves the way to easier-to-use proof assistants by supporting seamless programming and proving modulo equivalences.

While every other software team is adopting off-the-shelf bots to automate everyday tasks, the Coq team has made a different choice by developing and maintaining a project-specific bot from the ground up. In , we describe the reasons for this choice, what kind of automation this has allowed us to implement, how the many features of this custom bot have evolved based on internal feedback, and the technology and architecture choices that have made it possible.

In , , we show how to use operational game semantics as a guide to develop relational techniques for establishing contextual equivalences with respect to contexts drawn from a hierarchy of four call-by-value higher-order languages: with either general or ground-type references and with either call/cc or no control operator. In game semantics, differences between the contexts can be captured by the absence or presence of the O-visibility and O-bracketing conditions.The proposed technique, which we call Kripke normal-form bisimulations, combines insights from normal-form bisimulation and Kripke logical relations with game semantics. In particular, the role of the heap and the name history is abstracted away using Kripke-style world transition systems. The differences between the four kinds of contexts manifest themselves through simple local conditions that can be shown to correspond to O-visibility and O-bracketing, as applicable.The technique is sound and complete by virtue of correspondence with operational game semantics. Moreover, it sheds a new light on other related developments, such as backtracking and private transitions in Kripke logical relations, which can be related to specific phenomena in game models.

Separation logic specifications with abstract predicates intuitively enforce a discipline that constrains when and how calls may be made between a client and a library. Thus a separation logic specification of a library intuitively enforces a protocol on the trace of interactions between a client and the library. In , we show how to formalize this intuition and demonstrate how to derive free theorems about such interaction traces from abstract separation logic specifications. We present several examples of free theorems. In particular, we prove that a so-called logically atomic concurrent separation logic specification of a concurrent module operation implies that the operation is linearizable. All the results presented in this paper have been mechanized and formally proved in the Coq proof assistant using the Iris higher-order concurrent separation logic framework.

In , , we propose a logic for temporal properties of higher-order programs that handle infinite objects like streams or infinite trees, represented via coinductive types. Specifications of programs use safety and liveness properties. Programs can then be proven to satisfy their specification in a compositional way, our logic being based on a type system. The logic is presented as a refinement type system over the guarded λ-calculus, a λ-calculus with guarded recursive types. The refinements are formulae of a modal μ-calculus which embeds usual temporal modal logics. The semantics of our system is given within a rich structure, the topos of trees, in which we build a realizability model of the temporal refinement type system.

One goal of resource management is to ensure the correctness of programs in the face of failures and interruptions. We have proposed a model for asynchronous interrupt-safety in OCaml and developed a library based on this model that implements resource limits and thread cancellation for OCaml .

Proof assistants are pieces of software designed for the realization of digital libraries of formalized mathematics. The latter libraries contain definitions, statements, and proofs, all formalized in a fixed variant of logic. In particular, the verification of the well-formedness of statements, and of the correctness of proofs, boils down to a mechanical process, associated with the underlying logical formalism. The kernel of a proof assistant is the software component which performs this verification, while the actual proof assistant implements a collection of automation techniques, which allow users to conduct in practice the formalization of arbitrarily sophisticated mathematical definitions and theories. The memoir presents an overview of three main contributions to the formal verification of mathematical theories in dependent type theory. The first of these contributions deals with the realization of a library of digitized mathematics covering the standard undergraduate background in algebra, as well as some more advanced chapters in finite group theory. The two other contributions are related to the issues pertaining to the formal verification of computational mathematical proofs, by the means of symbolic algorithms and of rigorous numerical methods respectively.

A. Mahboubi holds a part-time endowed professor position in the Department of Mathematics at the Vrije Universiteit Amsterdam (the Netherlands).

This section involves all the permanent members of the team.

The Gallinette team is organizing in Nantes, 20-25th June 2022.