There is an emerging consensus that formal methods must be used as a matter of course in software development. Most software is too complex to be fully understood by one programmer or even a team of programmers, and requires the help of computerized techniques such as testing and model checking to analyze and eliminate entire classes of bugs. Moreover, in order for the software to be maintainable and reusable, it not only needs to be bug-free but also needs to have fully specified behavior, ideally accompanied by formal and machine-checkable proofs of correctness with respect to the specification. Indeed, formal specification and machine verification is the only way to achieve the highest level of assurance (EAL7) according to the ISO/IEC Common Criteria.1

Historically, achieving such a high degree of certainty in the operation of software has required significant investment of manpower, and hence of money. As a consequence, only software that is of critical importance (and relatively unchanging), such as monitoring software for nuclear reactors or fly-by-wire controllers in airplanes, has been subjected to such intense scrutiny. However, we are entering an age where we need trustworthy software in more mundane situations, with rapid development cycles, and without huge costs. For example: modern cars are essentially mobile computing platforms, smart devices manage our intensely personal details, elections (and election campaigns) are increasingly fully computerized, and networks of drones monitor air pollution, traffic, military arenas, etc. Bugs in such systems can certainly lead to unpleasant, dangerous, or even life-threatening incidents.

The field of formal methods has stepped up to meet this growing need for trustworthy general purpose software in recent decades. Techniques such as computational type systems and explicit program annotations/contracts, and tools such as model checkers and interactive theorem provers, are starting to become standard in the computing industry. Indeed, many of these tools and techniques are now a part of undergraduate computer science curricula. In order to be usable by ordinary programmers (without PhDs in logic), such tools and techniques have to be high level and rely heavily on automation. Furthermore, multiple tools and techniques often need to be marshaled to achieve a verification task, so theorem provers, solvers, model checkers, property testers, etc. need to be able to communicate with—and, ideally, trust—each other.

With all this sophistication in formal tools, there is an obvious
question: what should we trust?
Sophisticated formal reasoning tools are, generally speaking, complex
software artifacts themselves; if we want complex software to undergo
rigorous formal analysis we must be prepared to formally analyze the
tools and techniques used in formal reasoning itself.
Historically, the issue of trust has been addressed by means of
relativizing it to small and simple cores.
This is the basis of industrially successful formal reasoning systems
such as Coq, Isabelle, HOL4, and ACL2.
However, the relativization of trust has led to a balkanization of the
formal reasoning community, since the Coq kernel, for example, is
incompatible with the Isabelle kernel, and neither can directly
cross-validate formal developments built with the other.
Thus, there is now a burgeoning cottage industry of translations and
adaptations of different formal proof languages for bridging the gap.
A number of proposals have also been made for universal or
retargetable proof languages (e.g., Dedukti, ProofCert) so that the
cross-platform trust issues can be factorized into single trusted
checkers.

Beyond the mutual incompatibility caused by relativized trust, there is a
bigger problem: the proof evidence accepted by small kernels is
generally far too detailed to be useful.
Formal development usually occurs at a much higher level, relying on
algorithmic techniques such as unification, simplification, rewriting,
and controlled proof search to fill in details.
Indeed, the most reusable products of formal developments tend to be
these algorithmic techniques and associated collections of
hand-crafted rules.
Unfortunately, these techniques are even less portable than the fully
detailed proofs themselves, since the techniques are often implemented
in terms of the behaviors of the trusted kernels.
We can broadly say that the problem with relativized trust is that it
is based on the operational interpretation of implementations
of trusted kernels.
There still remains the question of meta-theoretic correctness.
Most formal reasoning systems implement a variant of a well known
mathematical formalism (e.g., Martin-Löf type theory, set theory,
higher-order logic), but it is surprising that hardly any mainstream
system has a formalized meta-theory.2
Furthermore, formal reasoning systems are usually associated with
complicated checkers for side-conditions that often have unclear
mathematical status.
For example, the Coq kernel has a built-in syntactic termination
checker for recursive fixed-point expressions that is required to work
correctly for the kernel to be sound.
This termination checker evolves and improves with each version of
Coq, and therefore the most accurate documentation of its behavior is
its own source code.
Coq is not special in this regard: similar trusted features exist in
nearly every mainstream formal reasoning system.

The Partout project is interested in the principles of deductive
and computational formalisms.
In the broadest sense, we are interested in the question of
trustworthy and verifiable meta-theory.
At one end, this includes the well studied foundational questions of
the meta-theory of logical systems and type systems: cut-elimination
and focusing in proof theory, type soundness and normalization
theorems in type theory, etc.
The focus of our research here is on the fundamental relationships
behind the notions of computation and deduction.
We are particularly interested in relationships that go beyond the
well known correspondences between proofs and programs.3
Indeed, interpreting computation in terms of deduction (as in
logic programming) or deduction in terms of computation (as in
rewrite systems or in model checking) can often lead to fruitful and
enlightening research questions, both theoretical and practical.

At the other end, Partout works on the question of the
essential nature of deductive and computational formalisms.
For instance, we are interested in proof identity, which
attempts to answer the following question: when are
two proofs of the same theorem the same?
Surprisingly, this very basic question is left unanswered in
proof theory, the branch of mathematics that supposedly treats
proofs as algebraic objects of interest.
We also pay particular attention to the combinatorial and
complexity-theoretic properties of the formalisms.

To put trustworthy meta-theory to use, the Partout project also
works on the design and implementation of formal reasoning tools and
techniques.
We study the mathematical principles behind the representations of
formal concepts, for instance specifications in the structural
operational semantics (SOS) style.
We also work on foundational questions about induction and
co-induction, which are used in intricate combinations in
metamathematics.

Software and hardware systems perform computation (they
process, transform, and calculate) and deduction (they
search, check, and prove). The makers of those systems express their
intent using various frameworks such as programming languages,
specification languages, and logics. The Partout project aims
at developing and using mathematical principles to design better
frameworks for computation and reasoning. Principles of expression are
researched from two directions, in tandem:

Foundational approaches, from theories to applications: studying fundamental problems of programming and proof theory.

Examples include studying the complexity of reduction strategies in lambda-calculi with sharing, or studying proof representations that quotient over rule permutations and can be adapted to many different logics.

Empirical approaches, from applications to theories: studying systems currently in use to build a theoretical understanding of the practical choices made by their designers.

Examples include studying realistic implementations of programming languages and proof assistants, which differ in interesting ways from their usual high-level formal description (regarding the sharing of code and data, for example), or studying new approaches to efficient automated proof search, relating them to existing approaches in proof theory, for example to design proof certificates or to generalize them to non-classical logics.

One of the strengths of Partout is the co-existence of many
different kinds of expertise and points of view. Many dichotomies exist in
the study of computation and deduction:
functional programming vs logic programming,
operational semantics vs denotational semantics,
constructive logic vs classical logic,
proof terms vs proof nets, etc.
We do not identify with any one of them in particular, rather with
them as a whole, believing in the value of interaction and
cross-fertilization between different approaches.

More concretely, the research in Partout will be centered around
the following four themes:

The Partout team studies the structure of mathematical proofs, in ways that often make them more amenable to automated theorem proving – automatically searching the space of proof candidates for a statement to find an actual proof – or a counter-example.

(Due to fundamental computability limits, fully-automatic proving is only possible for simple statements, but this field has been making a lot of progress in recent years, and is in particular interested in the idea of generating verifiable evidence for the proofs that are found, which fits squarely within the expertise of Partout.)

Our work on the structure of proofs also suggests ways in which proofs could be presented to a user, edited, and maintained, in particular in “proof assistants”: automated tools that assist the writing of mathematical proofs with automatic checking of their correctness.

Our work also gives insight on the structure and properties of programming languages. We can improve the design or implementation of programming languages, help programmers or language implementors reason about the correctness of the programs in a given language, or reason about the cost of execution of a program.

This release includes a major refactoring of the Abella documentation generator. Abella developments can now be easily converted into interactive web-based presentations that readers can use without having to run Abella.

This release also fixes a number of outstanding issues with the 2.0.7 and earlier releases. At least two of these fixes involve soundness issues with regard to higher-order arguments.

Abella is now also independently packaged for macOS (Homebrew), FreeBSD, and OpenBSD.

The Distributed Assertion Management Framework (DAMF) is a proposed collection of formats and techniques to enable heterogeneous formal reasoning systems and users to communicate assertions in a decentralized, reliable, and egalitarian manner. An assertion is a unit of mathematical knowledge—think lemmas, theorems, corollaries, etc.—that is cryptographically signed by its originator.

DAMF is based on content-addressable storage using the InterPlanetary File System (IPFS) network, and uses the InterPlanetary Linked Data (IPLD) data model to represent assertions and all their components.
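To make this concrete, an assertion might be represented as an IPLD object along the following lines. This sketch is purely illustrative: the field names and placeholder values are our own, and the authoritative formats are those specified by the Dispatch tool.

```json
{
  "format": "assertion",
  "agent": "<public-key-of-originator>",
  "claim": {
    "statement": { "/": "<cid-of-the-statement-object>" },
    "dependencies": { "/": "<cid-of-the-dependency-set>" }
  },
  "signature": "<signature-over-the-claim-cid>"
}
```

Links between objects are content identifiers (CIDs), written here in the DAG-JSON convention `{ "/": cid }`, so every component of an assertion is itself content-addressed and independently retrievable over IPFS.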

Dispatch is an intermediary tool for publishing, retrieval, and trust analysis in the Distributed Assertion Management Framework (DAMF). Dispatch specifies a family of JSON-based formats for DAMF objects and implements the main DAMF processes. It is intended to be usable by both human users and tools.

Dispatch is being developed as part of the exploratory action W3Proof.

MOIN is a SWI-Prolog theorem prover for classical and intuitionistic modal logics. The logics considered are the 15 systems of the classical modal S5-cube and all the decidable intuitionistic modal logics in the IS5-cube. MOIN also provides a prototype implementation for the intuitionistic modal logics whose decidability is not known (IK4, ID5, and IS4). MOIN consists of a set of Prolog clauses, each clause representing a rule in one of the three proof systems. The clauses are applied recursively to a given formula, constructing a proof-search tree. The user selects the nested proof system, the logic, and the formula to be tested. In the case of classical nested sequents and Maehara-style nested sequents, MOIN yields a derivation if the proof search succeeds, or a countermodel if it fails. The countermodel for classical modal logics is a Kripke model, while for intuitionistic modal logics it is a bi-relational model. In the case of Gentzen-style nested sequents, the prover does not perform countermodel extraction.

A system description of MOIN is available at https://hal.inria.fr/hal-02457240

This release adds support for inductive theorem proving using sized relations in the style of Abella.

This release also adds preliminary support for three-dimensional representations of the proof state (using WebGL and the Three.js library).

External Collaborators: Nguyễn, Lê Thành Dũng (ENS Lyon)

Following our result from last year, where we showed that BV and pomset logic are different 27, we have continued our efforts and studied the complexity of the two logics. Our results are published in 10.

External Collaborators: Danko Ilik (Siemens)

A compiler consists of a sequence of phases going from lexical analysis to code generation. Ideally, the formal verification of a compiler should include the formal verification of every component of the tool-chain. In order to contribute to the end-to-end verification of compilers, we implemented a verified lexer generator with usage similar to OCamllex. This software, Coqlex, reads a lexer specification and generates a lexer equipped with Coq proofs of its correctness. Although the performance of the generated lexers does not measure up to that of a standard lexer generator such as OCamllex, the safety guarantees they come with make them an interesting alternative when implementing fully verified compilers or other language processing tools.

More details on this work can be found in 11.

External Collaborators:
Marianna Girlando (Amsterdam), Sonia Marin (Birmingham), Roman Kuznets (Vienna)

In this work, published in 20, we demonstrate decidability for the intuitionistic modal logic S4 first formulated by Fischer Servi. This solves a problem that has been open for almost thirty years, since it was posed in Simpson's 1994 PhD thesis. We obtain this result by performing proof search in a labelled deductive system that, instead of using only one binary relation on the labels, employs two: one corresponding to the accessibility relation of modal logic and the other corresponding to the order relation of intuitionistic Kripke frames. Our search algorithm outputs either a proof or a finite counter-model, thus additionally establishing the finite model property for intuitionistic S4, which has been another long-standing open problem in the area.
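The interaction between the two relations can be pictured through the standard birelational semantics of intuitionistic modal logic. The following is our own sketch of the usual frame condition, not necessarily the exact formulation used in the paper:

```latex
% A birelational frame (W, \le, R) combines the partial order \le of
% intuitionistic Kripke frames with the accessibility relation R of
% modal logic.  The two relations interact via (forward) confluence:
\[
  x \le x' \ \text{and}\ x \mathrel{R} y
  \quad\Longrightarrow\quad
  \exists y'.\ x' \mathrel{R} y' \ \text{and}\ y \le y'
\]
```

A labelled sequent system for such a semantics carries both relational atoms on its labels, which is what makes the two-relation proof search described above possible.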

Structural proof theory has been used to provide a principled approach to designing term representations and operations (such as substitutions) on them. In the past, the negative polarity approach has been the only one used. In our recent work, we have considered, instead, using the positive polarity approach. This has led us to a principled description of sharing within terms. While sharing has been described previously in various settings, the one based on proof theory has certain advantages since it is less ad hoc and comes with its own notion of substitution (derived immediately from using cut elimination). This approach also provides a natural setting for treating binding structures within programs. Details of this approach are available from our CSL 2023 paper 13. Wu has developed this positive perspective further in his APLAS 2023 paper 21.

When a proof system checks a formal proof, we can say that its kernel asserts that the formula is a theorem in a particular logic. We describe a general framework in which such assertions can be made globally available so that any proof assistant willing to trust the assertion's creator can use that assertion without rechecking any associated formal proof. This framework, called DAMF, is heterogeneous and allows each participant to decide which tools and operators they are willing to trust in order to accept external assertions. This framework can also be integrated into existing proof systems by making minor changes to the input and output subsystems of the prover. DAMF achieves a high level of distributivity using off-the-shelf technologies such as IPFS, IPLD, and public key cryptography. We illustrate the framework by describing an implemented tool, called DISPATCH, for validating and publishing assertion objects and a modified version of the Abella theorem prover that can use and publish such assertions. The details of the DAMF system can be found in the FroCos 2023 paper 17 and the earlier report 24.

In 1935, Gentzen captured the way humans think about formal proofs using the natural deduction proof system. That system describes complete proofs and is based on a kind of annotated tree structure. In practice, however, it is also natural to consider the process of extending partial proofs until they become complete. In his LICS 2023 paper 12, Miller describes a simply motivated way to present proof search based on multiset rewriting of various annotated formula objects. This proof framework, called PSF, incorporates many structural features of proofs (many coming from linear logic) that were not part of Gentzen's original natural deduction proof system.

External Collaborators:
Nicolas Behr (IRIF), Paul-André Melliès (IRIF)

Motivated by compositional categorical rewriting theory, we introduce a convolution product over presheaves of double categories which generalizes the usual Day tensor product of presheaves of monoidal categories. One interesting aspect of the construction is that this convolution product is in general only oplax associative. For that reason, we identify several classes of double categories for which the convolution product is not just oplax associative, but fully associative. This includes in particular framed bicategories on the one hand, and double categories of compositional rewriting theories on the other. For the latter, we establish a formula which justifies the view that the convolution product categorifies the rule algebra product. These results were published at FSCD 2023 18.

Delta lenses are functors equipped with a suitable choice of lifts, and are used to model bidirectional transformations between systems. In this paper, we construct an algebraic weak factorisation system whose R-algebras are delta lenses. Our approach extends a semi-monad for delta lenses previously introduced by Johnson and Rosebrugh, and generalises to any suitable category equipped with an orthogonal factorisation system and an idempotent comonad. We demonstrate how the framework of an algebraic weak factorisation system provides a natural setting for understanding the lifting operation of a delta lens, and also present an explicit description of the free delta lens on a functor. This work was published in 19.

External Collaborators:
Horace Blanc (independent researcher), Claudio Sacerdoti Coen (Bologna University).

This work develops the first formalization of Milner’s classic translation of the λ-calculus into the π-calculus.

This work has been published in the proceedings of an international conference 15.

This is an essay about the lambda calculus, published in the proceedings of an international conference for essays on programming languages and related topics 26.

The essay discusses a gap between the theory of the lambda calculus and functional languages, namely the fact that the former does not give a status to sharing, the essential ingredient for efficiency in the latter. The essay provides an overview of the perspective of the author, who has been and still is studying sharing from various angles. In particular, it explains how sharing impacts the equational and denotational semantics of the lambda calculus, breaking some expected properties, and demanding the development of new, richer semantics of the lambda calculus.

This work is the extended journal version 9 of the conference paper with the same title from 2022. It was selected for the special issue of the conference LICS 2022.

This paper introduces the exponential substitution calculus (ESC), a new presentation of cut elimination for IMELL, based on proof terms and building on the idea that exponentials can be seen as explicit substitutions. The idea in itself is not new, but here it is pushed to a new level, inspired by Accattoli and Kesner's linear substitution calculus (LSC). One of the key properties of the LSC is that it naturally models the sub-term property of abstract machines, which is the key ingredient for the study of reasonable time cost models for the λ-calculus.

External Collaborators:
Pablo Barenbaum (Universidad Nacional de Quilmes &
Universidad de Buenos Aires, Argentina).

This work studies abstract machines for strong evaluation of the λ-calculus.

This work has been published in the proceedings of an international conference 14.

External Collaborators:
Giulio Guerrieri (Aix Marseille University), Maico Leberle (independent researcher).

This paper provides foundations for strong (that is, possibly under abstraction) call-by-value evaluation for the λ-calculus.

We also consider the call-by-extended-value approach to strong evaluation, shown reasonable for time by Biernacka et al. The two approaches turn out not to be equivalent: terms may be externally divergent but terminating for call-by-extended-value.

This work has been published in the proceedings of an international conference 16.

External Collaborators:
Nicolas Chataing (ENS Paris),
Stephen Dolan (Jane Street),
Jeremy Yallop (Cambridge University)

This work proposes a new feature for the OCaml programming language that improves the programmer's control over the low-level representation of OCaml datatypes, by "unboxing" certain constructors of a variant type. This is useful in certain advanced situations to improve performance or reduce space usage.

Along the way we discovered an interesting theoretical problem related to the question of deciding normalization in lambda-calculi with recursive definitions. We propose an "on-the-fly" normalization algorithm in the first-order fragment of the simply-typed lambda-calculus with just functions. Its relation with existing higher-order algorithms is unclear and deserves further study.

This result was accepted for publication in 2024.

We are working on a library that provides mutable references with backtracking. That is, it is possible to take a snapshot of a group of references at once, and later go back to this snapshot, restoring the value of these references. This provides an easy way to equip imperative data-structures with backtracking; for example, we use this to implement a backtracking search algorithm that maintains an efficient Union-Find data structure.
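The snapshot/restore mechanism can be sketched as follows. This is a minimal illustration of the idea in Python, not the actual library (which is implemented in OCaml); all names and the API are our own invention, using a trail of old values so that a restore undoes every write made since the snapshot.

```python
class Store:
    """A group of mutable references supporting snapshot/restore."""

    def __init__(self):
        self._cells = []      # current values of all references
        self._trail = []      # log of (index, old_value) pairs to undo
        self._snapshots = []  # stack of trail lengths, one per snapshot

    def ref(self, value):
        """Create a new reference; here a reference is just an index."""
        self._cells.append(value)
        return len(self._cells) - 1

    def get(self, r):
        return self._cells[r]

    def set(self, r, value):
        # Record the old value so the write can be undone on restore.
        self._trail.append((r, self._cells[r]))
        self._cells[r] = value

    def snapshot(self):
        """Take a snapshot of all references at once."""
        self._snapshots.append(len(self._trail))

    def restore(self):
        """Return to the most recent snapshot, undoing writes in reverse."""
        mark = self._snapshots.pop()
        while len(self._trail) > mark:
            r, old = self._trail.pop()
            self._cells[r] = old

# Example: a backtracking search can mutate freely, then roll back.
s = Store()
x = s.ref(1)
y = s.ref("a")
s.snapshot()
s.set(x, 42)
s.set(y, "b")
assert s.get(x) == 42 and s.get(y) == "b"
s.restore()
assert s.get(x) == 1 and s.get(y) == "a"
```

Recording only the writes since the last snapshot keeps both snapshot and restore proportional to the number of mutations, which is what makes the scheme practical for data structures such as Union-Find inside a backtracking search.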

Preliminary results in this direction were published in 22, and we are working on an improved version and possibly a formally verified implementation.

The goal of the thesis is to develop ways to optimize the performance of software, while not sacrificing the guarantees of safety already provided for non-optimized code. The software that Siemens is using for their self-driving trains (e.g. Metro 14 in Paris) is programmed in Ada. Due to the high safety requirements for the software, the Ada compiler used has to be certified. At the current state of the art, only non-optimized code fulfils all necessary requirements. Because of higher performance needs, we are interested in producing optimized code that also fulfils these requirements.

Stated most generally, the aim of the thesis is to assure performance and safety at the same time.

The OCaml Software Foundation (OCSF),4 established in 2018 under the umbrella of the Inria Foundation, aims to promote, protect, and advance the OCaml programming language and its ecosystem, and to support and facilitate the growth of a diverse and international community of OCaml users.

Since 2019, Gabriel Scherer has served as the director of the foundation.

Nomadic Labs, a Paris-based company, has implemented the Tezos blockchain and cryptocurrency entirely in OCaml. In 2019, Nomadic Labs and Inria signed a framework agreement (“contrat-cadre”) that allows Nomadic Labs to fund multiple research efforts carried out by Inria groups. Within this framework, we participate in the following grants, in collaboration with the project-team Cambium at Inria Paris:

This grant is intended to fund a number of improvements to OCaml, including the addition of new features and a possible re-design of the OCaml type-checker. This grant funds the PhD thesis of Olivier Martinot on this topic.

This grant is intended to fund the day-to-day maintenance of OCaml as well as the considerable work involved in managing the release cycle.

This project teams up three research groups, one at Inria Saclay, one at the University of Bath, and one at University College London, who are driven by their joint interest in the development of a combinatorial proof theory which is able to treat formal proofs independently from syntactic proof systems.

We plan to focus our research in two major directions: First, study the normalization of combinatorial proofs, with possible applications for the implementation of functional programming languages, and second, study combinatorial proofs for the logic of bunched implications, with the possible application for separation logic and its use in the verification of imperative programs.

Miller made a 10-day research visit to the University of Birmingham to work with Prof. Anupam Das and his team during 29 November - 8 December 2023.

LambdaComb is an interdisciplinary project financed by the Agence Nationale de la Recherche (PRC grant ANR-21-CE48-0017). Broadly, the project aims to deepen connections between lambda calculus and logic on the one hand and combinatorics on the other. One important motivation for the project is the discovery over recent years of a host of surprising links between subsystems of lambda calculus and enumeration of graphs on surfaces, or "maps", the latter being an active subfield of combinatorics with roots in W. T. Tutte's work in the 1960s. Using these new links and other ideas and tools, the LambdaComb project aims to develop these connections further.

The project also intersects with and aims to shed new light on other established connections between logic and geometry, notably Joyal and Street's categorical framework of string diagrams as well as Girard's proof nets for linear logic.