Section: Research Program
Formalization and Certification of Languages, Tools and Systems
Permanent researchers: S. Boldo, A. Charguéraud, C. Marché, G. Melquiond, C. Paulin
Real Numbers, Real Analysis, Probabilities

S. Boldo, C. Lelay, and G. Melquiond have worked on the Coquelicot library, designed to be a userfriendly Coq library about real analysis [59], [60]. An easier way of writing formulas and theorem statements is achieved by relying on total functions in place of dependent types for limits, derivatives, integrals, power series, and so on. To help with the proof process, the library comes with a comprehensive set of theorems and some automation. We have exercised the library on several use cases: on an exam at university entry level [98], for the definitions and properties of Bessel functions [97], and for the solution of the onedimensional wave equation [99]. We have also conducted a survey on the formalization of real arithmetic and real analysis in various proof systems [12].

Watermarking techniques are used to help identify copies of publicly released information. They consist in applying a slight and secret modification to the data before its release, in a way that should remain recognizable even in (reasonably) modified copies of the data. Using the Coq Alea library, which formalizes probability theory and probabilistic programs, D. Baelde together with P. Courtieu, D. GrossAmblard from Rennes and C. Paulin have established new results about the robustness of watermarking schemes against arbitrary attackers [42]. The technique for proving robustness is adapted from methods commonly used for cryptographic protocols and our work illustrates the strengths and particularities of the Alea style of reasoning about probabilistic programs.
Formalization of Languages, Semantics

P. Herms, together with C. Marché and B. Monate (CEA List), has developed a certified VC generator, using Coq. The program for VC calculus and its specifications are both written in Coq, but the code is crafted so that it can be extracted automatically into a standalone executable. It is also designed in a way that allows the use of arbitrary firstorder theorem provers to discharge the generated obligations [92]. On top of this generic VC generator, P. Herms developed a certified VC generator for C source code annotated using ACSL. This work is the main result of his PhD thesis [91].

A. Tafat and C. Marché have developed a certified VC generator using Why3 [102], [103]. The challenge was to formalize the operational semantics of an imperative language, and a corresponding weakest precondition calculus, without the possibility to use Coq advanced features such as dependent types or higherorder functions. The classical issues with local bindings, names and substitutions were solved by identifying appropriate lemmas. It was shown that Why3 can offer a significantly higher amount of proof automation compared to Coq.

A. Charguéraud, together with Alan Schmitt (Inria Rennes) and Thomas Wood (Imperial College), has developed an interactive debugger for JavaScript. The interface, accessible as a webpage in a browser, allows to execute a given JavaScript program, following step by step the formal specification of JavaScript developped in prior work on JsCert [50]. Concretely, the tool acts as a doubledebugger: one can visualize both the state of the interpreted program and the state of the interpreter program. This tool is intended for the JavaScript committee, VM developpers, and other experts in JavaScript semantics.

M. Clochard, C. Marché, and A. Paskevich have developed a general setting for developing programs involving binders, using Why3. This approach was successfully validated on two case studies: a verified implementation of untyped lambdacalculus and a verified tableauxbased theorem prover [69].

M. Clochard, J.C. Filliâtre, C. Marché, and A. Paskevich have developed a case study on the formalization of semantics of programming languages using Why3 [67]. This case study aims at illustrating recent improvements of Why3 regarding the support for higherorder logic features in the input logic of Why3, and how these are encoded into firstorder logic, so that goals can be discharged by automated provers. This case study also illustrates how reasoning by induction can be done without need for interactive proofs, via the use of lemma functions.

M. Clochard and L. Gondelman have developed a formalization of a simple compiler in Why3 [68]. It compiles a simple imperative language into assembler instructions for a stack machine. This case study was inspired by a similar example developed using Coq and interactive theorem proving. The aim is to improve significantly the degree of automation in the proofs. This is achieved by the formalization of a Hoare logic and a Weakest Precondition Calculus on assembly programs, so that the correctness of compilation is seen as a formal specification of the assembly instructions generated.
Projectteam Positioning
The objective of formalizing languages and algorithms is very general, and it is pursued by several Inria teams. One common trait is the use of the Coq proof assistant for this purpose: Pi.r2 (development of Coq itself and its metatheory), Gallium (semantics and compilers of programming languages), Marelle (formalization of mathematics), SpecFun (real arithmetic), Celtique (formalization of static analyzers).
Other environments for the formalization of languages include

ACL2 system (http://www.cs.utexas.edu/~moore/acl2/): an environment for writing programs with formal specifications in firstorder logic based on a Lisp engine. The proofs are conducted using a prover based on the BoyerMoore approach. It is a rather old system but still actively maintained and powerful, developed at University of Texas at Austin. It has a strong industrial impact.

Isabelle environment (http://isabelle.in.tum.de/): both a proof assistant and an environment for developing pure applicative programs. It is developed jointly at University of Cambridge, UK, Technische Universität München, Germany, and to some extent by the VALS team at LRI, Université ParisSud. It features highly automated tactics based on ATP systems (the Sledgehammer tool).

The team “Trustworthy Systems” at NICTA in Australia (http://ssrg.nicta.com.au/projects/TS/) aims at developing highly trustable software applications. They developed a formally verified microkernel called seL4 [96], using a homemade layer to deal with C programs on top of the Isabelle prover.

The PVS system (http://pvs.csl.sri.com/) is an environment for both programming and proving (purely applicative) programs. It is developed at the Computer Science Laboratory of SRI international, California, USA. A major user of PVS is the team LFM (http://shemesh.larc.nasa.gov/fm/fmmainteam.html) at NASA Langley, USA, for the certification of programs related to air traffic control.
In the Toccata team, we do not see these alternative environments as competitors, even though, for historical reasons, we are mainly using Coq. Indeed both Isabelle and PVS are available as backends of Why3.