Section: New Results

Certification of Algorithms, Languages, Tools and Systems

Formalization and closedness of finite dimensional subspaces.

F. Faissole formalized a theory of finite dimensional subspaces of Hilbert spaces in order to apply the Lax-Milgram Theorem on such subspaces. He had to prove, in the Coq proof assistant, that finite dimensional subspaces of Hilbert spaces are closed in the context of general topology using filters [19]. He also formalized both finite dimensional modules and finite dimensional subspaces of modules. He compared the two formalizations and showed a complementarity between them. He proved that the product of two finite dimensional modules is a finite dimensional module [27].

Verified numerical approximations of improper definite integrals.

The CoqInterval library provides some tactics for computing and formally verifying numerical approximations of real-valued expressions inside the Coq system. In particular, it is able to compute reliable bounds on proper definite integrals [111]. A. Mahboubi, G. Melquiond, and T. Sibut-Pinote extended these algorithms to also cover some improper integrals, e.g., those with an unbounded integration domain [40]. This makes CoqInterval one of the very few tools able to produce reliable results for improper integrals, be they formally verified or not.

A Coq Formal Proof of the Lax–Milgram theorem.

S. Boldo, F. Clément, F. Faissole, V. Martin, and M. Mayero worked on a Coq formal proof of the Lax–Milgram theorem. It is one of the theoretical cornerstone for the correctness of the Finite Element Method. It required many results from linear algebra, geometry, functional analysis, and Hilbert spaces [13] [24].

Formalization of numerical filters

S. Boldo, D. Gallois-Wong, and T. Hilaire developped a formalization in the Coq proof assistant of numerical filters. It includes equivalences between several expressions and the formal proof of the Worst-Case Peak Gain Theorem to bound the magnitude of the outputs (and every intern variable) of stable filters.

A Verified OCaml Library.

Abstract Libraries are the basic building blocks of any realistic programming project. It is thus of utmost interest for a programmer to build her software on top of bug-free libraries. At the ML family workshop [38], A. Charguéraud, J.-C. Filliâtre, M. Pereira and F. Pottier presented the ongoing VOCAL project, which aims at building a mechanically verified library of general-purpose data structures and algorithms, written in the OCaml language. A key ingredient of VOCAL is the design of a specification language for OCaml, independently of any verification tool.

Formal Analysis of shell scripts.

The shell language is widely used for various system administration tasks on UNIX machines. The CoLiS project aims at applying formal methods for verifying scripts used for installation of packages of software distributions. The syntax and semantics of shell are particularly treacherous. They proposed a new language called CoLiS which, on the one hand, has well-defined static semantics and avoids some of the pitfalls of the shell, and, on the other hand, is close enough to the shell to be the target of an automated translation of the scripts in our corpus. In collaboration with N. Jeannerod and R. Treinen, C. Marché formalized the syntax and semantics of CoLiS in Why3, defined an interpreter for the language in the WhyML programming language, and present an automated proof in the Why3 proof environment of soundness and completeness of this interpreter with respect to the formal semantics [22]. The development is available in Toccata's gallery http://toccata.lri.fr/gallery/colis_interpreter.en.html. This formalized interpreter is extracted to OCaml and the verified code is integrated into a prototype software toolset developed by I. Dami and C. Marché [36].

A verified yet efficient arbitrary-precision integer library.

R. Rieu-Helft used the Why3 system to implement, specify, and verify a library of arbitrary-precision integer arithmetic: comparison, addition, multiplication, shifts, division. A lot of efforts were put into replicating and verifying the numerous implementation tricks the GMP library uses to achieve state-of-the-art performances, especially for the division algorithm. While the resulting library is nowhere near as fast as the hand-written assembly code GMP uses, it is competitive with the generic C code of GMP for small integers (i.e., mini-GMP) [23]. The development is available in Toccata's gallery http://toccata.lri.fr/gallery/multiprecision.en.html.

Case study: algorithms for matrix multiplication.

M. Clochard, L. Gondelman and M. Pereira worked on a case study about matrix multiplication. Two variants for the multiplication of matrices are proved: a naive version using three nested loops and Strassen's algorithm. To formally specify the two multiplication algorithms, they developed a new Why3 theory of matrices, and they applied a reflection methodology to conduct some of the proofs. A first version of this work was presented at the VSTTE Conference in 2016 [78]. An extended version that considers arbitrary rectangular matrices instead of square ones is published in the Journal of Automated Reasoning [12]. The development is available in Toccata's gallery http://toccata.lri.fr/gallery/verifythis_2016_matrix_multiplication.en.html.

Case studies: Strongly Connected Components in Directed Graphs

As part of a larger set of case studies on algorithms on graphs http://pauillac.inria.fr/~levy/why3/, R. Chen and J.-J. Lévy work on formal verification of algorithms for computing strongly connected components of directed graphs. The formal proofs are conducted using Why3. The formal proof of Tarjan's algorithm was presented at the French-speaking symposium JFLA 2017 [25] and then at the VSTTE 2017 international conference [17]

A Formally Proved, Complete Algorithm for Path Resolution with Symbolic Links

In the context of file systems like those of Unix, path resolution is the operation that given a character string denoting an access path, determines the target object (a file, a directory, etc.) designated by this path. This operation is not trivial because of the presence of symbolic links. Indeed, the presence of such links may induce infinite loops in the resolution process. R. Chen, M. Clochard and C. Marché consider a path resolution algorithm that always terminates, detecting if it enters an infinite loop and reports a resolution failure in such a case. They propose a formal specification of path resolution and they formally prove that their algorithm terminates on any input, and is correct and complete with respect to this formal specification. [11]. The development is available in Toccata's gallery http://toccata.lri.fr/gallery/path_resolution.en.html.