## Section: Scientific Foundations

### Certified Numerical Programs

In recent years, we demonstrated our capability towards specifying
and proving properties of floating-point programs, properties which
are both complex and precise about the behavior of those programs:
see the
publications [65] , [109] , [61] , [104] , [64] , [59] , [98] , [96]
but also the web galleries of certified programs at
our Web
page (http://toccata.lri.fr/gallery/index.en.html ),
the Hisseo project (http://hisseo.saclay.inria.fr/ ),
S. Boldo's page (http://www.lri.fr/~sboldo/research.html ),
and industrial case studies in the U3CAT ANR project. The ability to
express such complex properties comes from models developed in
*Coq* [5] . The ability to combine proof by
reasoning and proof by computation is a key aspect when dealing with
floating-point programs. Such a modeling provides a safe basis when
dealing with C source code [4] . However, the
proofs can get difficult even on short programs, and to achieve them
some automation is needed, and obtained by combining SMT solvers and
*Gappa* [62] , [79] , [46] [9] .
Finally, the precision of the verification is obtained thanks to
precise models of floating-point computations, taking into account the
peculiarities of the architecture (e.g. x87 80-bit floating-point
unit) and also the compiler optimizations [66] , [102] .

The directions of research concerning floating-point programs that we want to pursue are the following.

#### Making Formal Verification of Floating-point Programs Easier

A first goal is to ease the formal verification of floating-point programs: the primary objective is still to improve the scope and efficiency of our methods, so as to ease further the verification of numerical programs. The on-going development of the Flocq library should be continued towards the formalization of bit-level manipulations and also of exceptional values (e.g. infinities). We believe that good candidates for applications of our techniques are smart algorithms to compute efficiently with floats, which operate at the bit-level. The formalization of real numbers need to be revamped too: higher-level numerical algorithms are usually built on some mathematical properties (e.g. computable approximations of ideal approximations), which then have to be proved during the formal verification of these algorithms.

Easing the verification of numerical programs also implies more
automation. SMT solvers are generic provers well-suited for
automatically discharging verification conditions, but they tend to be
confused by floating-point arithmetic [31] . Our goal is
to improve the arithmetic theories of *Alt-Ergo*, so that they support
floating-point arithmetic along their other theories, if possible by
reusing the heuristics developed for *Gappa*.

#### Continuous Quantities, Numerical Analysis

The goal is to handle floating-point programs that are related to continuous quantities. This includes numerical analysis programs we have already worked on [14] [61] [3] . But our work is only a beginning: we were able to solve the difficulties to prove one particular scheme for one particular partial differential equation. We need to be able to easily prove this kind of programs. This requires new results that handle generic schemes and many partial differential equations. The idea is to design a toolbox to prove these programs with as much automation as possible. We wish this could be used by numerical analysts that are not or hardly familiar with formal methods, but are interested in the formal correctness of their schemes and their programs.

Another very interesting kind of programs (especially for industrial
developers) are those based on *hybrid* systems, that is where
both discrete and continuous quantities are involved. This is a longer term
goal than four years, but we may try to go towards this direction. A
first problem is to be able to specify hybrid systems: what are they
exactly expected to do? Correctness usually means not going into a
forbidden state but we may want additional behavioral properties. A
second problem is the interface with continuous systems, such as
sensors. How can we describe their behavior? Can we be sure that the
formal specification fits? We may think about Ariane V where one piece
of code was shamelessly reused from Ariane IV. Ensuring that such a
reuse is allowed requires to correctly specify the input ranges and
bandwidths of physical sensors.

Studying hybrid systems is among the goals of the new ANR project Cafein.

#### Certification of Floating-point Analyses

In coordination with our second theme, another objective is to port the
kernel of *Gappa* into either *Coq* or *Why3*, and then extract a
certified executable. Rather than verifying the results of the tool
*a posteriori* with a proof checker, they would then be certified
*a priori*. This would simplify the inner workings of *Gappa*,
help to support new features (e.g. linear arithmetic, elementary
functions), and make it scale better to larger formulas, since the
tool would no longer need to carry certificates along its
computations. Overall the tool would then be able to tackle a wider
range of verification conditions.

An ultimate goal would be to develop the decision procedure for
floating-point computations, for SMT context, that is mentioned in
Section refsec:atp, directly as a certified program in *Coq* or *Why3*.