Keywords
 A2.1.1. Semantics of programming languages
 A2.1.2. Imperative programming
 A2.1.3. Objectoriented programming
 A2.1.4. Functional programming
 A2.1.11. Proof languages
 A2.2.3. Memory management
 A2.4.3. Proofs
 A7.2.3. Interactive Theorem Proving
 A7.2.4. Mechanized Formalization of Mathematics
 A8.4. Computer Algebra
 B6.1. Software industry
1 Team members, visitors, external collaborators
Research Scientists
 Nicolas Tabareau [Team leader, INRIA, Senior Researcher, HDR]
 Assia Mahboubi [INRIA, Senior Researcher, HDR]
 Kenji Maillard [INRIA, ISFP, from Dec 2022]
 Guillaume Munch [INRIA, Researcher]
 PierreMarie Pedrot [INRIA, Researcher]
 Matthieu Sozeau [INRIA, Researcher]
Faculty Members
 Julien Cohen [UNIV NANTES, Associate Professor]
 Rémi Douence [IMT ATLANTIQUE, Associate Professor, HDR]
 Hervé Grall [IMT ATLANTIQUE, Associate Professor, until Sep 2022]
 Guilhem Jaber [UNIV NANTES, Associate Professor]
PostDoctoral Fellows
 Yannick Forster [INRIA]
 Matthieu Piquerez [INRIA]
PhD Students
 Martin Baillon [INRIA]
 Enzo Crance [MITSUBISHI ELECTRIC]
 Pierre Giraud [INRIA]
 Christopher Hughes [Inria, until Nov 2022]
 Hamza Jaafar [INRIA]
 Meven LennonBertrand [UNIV NANTES, until Aug 2022]
Technical Staff
 Gaetan Gilbert [INRIA, Engineer]
 Kenji Maillard [INRIA, Engineer, until Nov 2022]
 Loic Pujet [UNIV NANTES, Engineer, until Aug 2022]
 Kazuhiko Sakaguchi [INRIA, Engineer, from Nov 2022]
Interns and Apprentices
 Arthur Adjedj [ENS Lyon, Intern, from Jun 2022 until Jul 2022]
 Yann Leray [ENS Paris, from Mar 2022 until Jul 2022]
 Iwan Quemerais [ENS LYON  Student, Intern, from Jun 2022 until Jul 2022]
 Yee Jian Tan [National University of Singapore, from May 2022 until Aug 2022, Bachelor Student]
 Tomàs Javier Vallejos Parada [Escuela de Ingeniería y Ciencias de la Facultad de Ciencias Físicas y Matemáticas de la Universidad de Chile, Intern, from Apr 2022 until Aug 2022]
Administrative Assistant
 AnneClaire Binetruy [INRIA]
Visiting Scientist
 Kazuhiko Sakaguchi [University of Tsukuba  Japan , from Jun 2022 until Jun 2022, Phd Student]
2 Overall objectives
The EPI Gallinette aims at developing a new generation of proof assistants, with the belief that practical experiments must go in pair with foundational investigations:
 The goal is to advance proof assistants both as certified programming languages and mechanised logical systems. Advanced programming and mathematical paradigms must be integrated, notably dependent types and effects. The distinctive approach is to implement new programming and logical paradigms on top of Coq by considering the latter as a target language for compilation.
 The aim of foundational investigations is to extend the boundaries of the CurryHoward correspondence. It is seen both as providing foundations for programming languages and logic, and as a purveyor of techniques essential to the development of proof assistants. Under this perspective, the development of proof assistants is seen as a fullfledged experiment using the correspondence in every aspect: programming languages, type theory, proof theory, rewriting and algebra.
3 Research program
3.1 Scientific Context
Software quality is a requirement that is becoming more and more prevalent, by now far exceeding the traditional scope of embedded systems. The development of tools to construct software that respects a given specification is a major challenge in computer science. Proof assistants such as Coq 57 provide a formal method whose central innovation is to produce certified programs by transforming the very activity of programming. Programming and proving are merged into a single development activity, informed by an elegant but rigid mathematical theory inspired by the correspondence between programming, logic and algebra: the CurryHoward correspondence. For the certification of programs, this approach has shown its effectiveness in the development of important pieces of certified software such as the C compiler of the CompCert project 88. The extracted CompCert compiler is reliable and efficient, running only 15% slower than GCC 4 at optimisation level 2 (gcc O2), a level of optimisation that was considered before to be unreliable from critical applications such as embedded systems.
Proof assistants can also be used to formalise mathematical theories: they not only provide a means of representing mathematical theories in a form amenable to computer processing, but their internal logic provides a language for reasoning about such theories. In the last decade, proof assistants have been used to verify extremely large and complicated proofs of recent mathematical results, sometimes requiring either intensive computations 69, 73 or intricate combinations of a multitude of mathematical theories 68. But formalised mathematics is more than just proof checking and proof assistants can help with the organisation of mathematical knowledge or even with the discovery of new constructions and proofs.
Unfortunately, the rigidity of the theory behind proof assistants restricts their expressiveness both as programming languages and as logical systems. For instance, a program extracted from Coq only uses a purely functional subset of OCaml, leaving behind important means of expression such as sideeffects and objects. Limitations also appear in the formalisation of advanced mathematics: proof assistants do not cope well with classical axioms such as excluded middle and choice which are sometimes used crucially. The fact of the matter is that the development of proof assistants cannot be dissociated from a reflection on the nature of programs and proofs coming from the CurryHoward correspondence. In the EPC Gallinette, we propose to address several limitations of proof assistants by pushing the boundaries of this correspondence.
In the 1970's, the CurryHoward correspondence was seen as a perfect match between functional programs, intuitionistic logic, and Cartesian closed categories. It received several generalisations over the decades, and now it is more widely understood as a fertile correspondence between computation, logic, and algebra.
Nowadays, the CurryHoward correspondence is not perceived as a perfect match anymore, but rather as a collection of theories meant to explain similar structures at work in logic and computation, underpinned by mathematical abstractions. By relaxing the requirement of a perfect match between programs and proofs, and instead emphasising the common foundations of both, the insights of the CurryHoward correspondence may be extended to domains for which the requirements of programming and mathematics may in fact be quite different.
Consider the following two major theories of the past decades, which were until recently thought to be irreconcilable:
 (MartinLöf) Type theory: introduced by MartinLöf in 1971, this formalism 95 is both a programming language and a logical system. The central ingredient is the use of dependent types to allow finegrained invariants to be expressed in program types. In 1985, Coquand and Huet developed a similar system called the calculus of constructions, which served as logical foundation of the first implementation of Coq. This kind of systems is still under active development, especially with the recent advent of homotopy type theory (HoTT) 109 that gives a new point of view on types and the notion of equality in type theory.
 The theory of effects: starting in the 1980's, Moggi 100 and Girard 66 put forward monads and comonads as describing various compositional notions of computation. In this theory, programs can have sideeffects (state, exceptions, inputoutput), logics can be nonintuitionistic (linear, classical), and different computational universes can interact (modal logics). Recently, the safe and automatic management of resources has also seen a coming of age (Rust, Modern C++) confirming the importance of linear logic for various programming concepts. It is now understood that the characteristic feature of the theory of effects is sensitivity to evaluation order, in contrast with type theory which is built around the assumption that evaluation order is irrelevant.
We now outline a series of scientific challenges aimed at understanding of type theory, effects, and their combination.
More precisely, three key axes of improvement have been identified:
 Making the notion of equality closer to what is usually assumed when doing proofs on black board, with a balance between irrelevant equality for simple structures and equality upto equivalences for more complex ones (Section 3.2). Such a notion of equality should allow one to implement traditional model transformations that enhance the logical power of the proof assistant using distinct compilation phases.
 Advancing the foundations of effects within the CurryHoward approach. The objective is to pave the way for the integration of effects in proof assistants and to prototype the corresponding implementation. This integration should allow for not only certified programming with effects, but also the expression of more powerful logics (Section 3.3).
 Making more programming features (notably, object polymorphism) available in proof assistants, in order to scale to practicalsized developments. The objective is to enable programming styles closer to common practices. One of the key challenges here is to leverage gradual typing to dependent programming (Section 3.4).
To validate the new paradigms, we propose in Section 3.5 three particular application fields in which members of the team already have a strong expertise: code refactoring, constraint programming and symbolic computation.
3.2 Enhance the computational and logical power of proof assistants
The democratisation of proof assistants based on type theory has likely been impeded by one central problem: the mismatch between the conception of equality in mathematics and its formalisation in type theory. Indeed, some basic principles that are used implicitly in mathematics—such as Church’s principle of propositional extensionality, which says that two propositions are equal when they are logically equivalent—are not derivable in type theory. Even more problematically, from a computer science point of view, the basic concept of two functions being equal when they are equal at every “point” of their domain is also not derivable: rather, it must be added as an additional axiom. Of course, these principles are consistent with type theory so that working under the corresponding additional assumptions is safe. But the use of these assumptions in a definition potentially clutters its computational behaviour: since axioms are computational black boxes, computation gets stuck at the points of the code where they have been used.
We propose to investigate how expressive logical transformations such as forcing 79 and sheaf construction might be used to enhance the computational and logical power of proof assistants—with a particular emphasis on their implementation in the Coq proof assistant by the means of effective translations (or compilation phases). One of the main topics of this task, in connection to the ERC project CoqHoTT, is the integration in Coq of new concepts inspired by homotopy type theory 109 such as the univalence principle, and higher inductive types.
3.2.1 A definitional proofirrelevant version of Coq.
In the Coq proof assistant, the sort $\mathrm{\mathbf{P}\mathbf{r}\mathbf{o}\mathbf{p}}$ stands for the universe of types which are propositions. That is, when a term $P$ has type $\mathrm{\mathbf{P}\mathbf{r}\mathbf{o}\mathbf{p}}$, the only relevant fact is whether $P$ is inhabited (that is true) or not (that is false). This property, known as proof irrelevance, can be expressed formally as: $\forall x\phantom{\rule{4pt}{0ex}}y:P,x=y$. Originally, the raison d'être of the sort $\mathrm{\mathbf{P}\mathbf{r}\mathbf{o}\mathbf{p}}$ was to characterise types with no computational meaning with the intention that terms of such types could be erased upon extraction. However, the assumption that every element of $\mathrm{\mathbf{P}\mathbf{r}\mathbf{o}\mathbf{p}}$ should be proof irrelevant has never been integrated to the system. Indeed, in Coq, proof irrelevance for the sort $\mathrm{\mathbf{P}\mathbf{r}\mathbf{o}\mathbf{p}}$ is not incorporated into the theory: it is only compatible with it, in the sense that its assumption does not give rise to an inconsistent theory. In fact, the exact status of the sort $\mathrm{\mathbf{P}\mathbf{r}\mathbf{o}\mathbf{p}}$ in Coq has never been entirely clarified, which explains in part this lack of integration. Homotopy type theory brings fresh thinking on this issue and suggests turning $\mathrm{\mathbf{P}\mathbf{r}\mathbf{o}\mathbf{p}}$ into the collection of terms that a certain static inference procedure tags as proof irrelevant. The goal of this task is to integrate this insight in the Coq system and to implement a definitional proofirrelevant version of the sort $\mathrm{\mathbf{P}\mathbf{r}\mathbf{o}\mathbf{p}}$.
3.2.2 Extend the Coq proof assistant with a computational version of univalence
The univalence principle is becoming widely accepted as a very promising avenue to provide new foundations for mathematics and type theory. However, this principle has not yet been incorporated into a proof assistant. Indeed, the very mathematical structures (known as $\infty $groupoids) motivating the theory remain to this day an active area of research. Moreover, a correct and decidable type checking procedure for the whole theory raises both computational complexity and logical coherence issues. Observational type theory 36, as implemented in Epigram, provides a firststage approximation to homotopy type theory, but only deals with functional extensionality and does not capture univalence. Coquand and his collaborators have obtained significant results on the computational meaning of univalence using cubical sets 46, 52. Bickford has initiated a promising formalisation work 1 in the NuPRL system. However, a complete formalisation in intensional type theory remains an open problem.
Hence a major objective is to achieve a complete internalisation of univalence in intensional type theory, including an integration to a new version of Coq. We will strive to keep compatibility with previous versions, in particular from a performance point of view. Indeed, the additional complexity of homotopy type theory should not induce an overhead in the type checking procedure used by the software if we want our new framework to become rapidly adopted by the community. Concretely, we will make sure that the compilation time of Coq’s Standard Library will be of the same order of magnitude.
3.2.3 Extend the logical power of type theory without axioms in a modular way
Extending the power of a logic using model transformations (e.g., forcing transformation 80, 79 or the sheaf construction 112) is a classic topic of mathematical logic 53, 86. However, these ideas have not been much investigated in the setting of type theory, even though they may provide a useful framework for extending the logical power of proof assistant in a modular way. There is a good reason for this: with a syntactic notion of equality, the underlying structure of type theory does not conform to the structure of topos used in mathematical logic. A direct incorporation of the standard techniques is therefore not possible. However, a univalent notion of equality brings type theory closer to the required algebraic structure, as it corresponds to the notion of $\infty $topos recently studied by Lurie 93. The goal of this task is to revisit model transformations in the light of the univalence principle, and to obtain in this way new internal transformations in type theory which can in turn be seen as compilation phases. The general notion of an internal syntactical translation has already been investigated in the team 47.
3.2.4 Methodology: Extending type theory with different compilation phases
The Gallinette project advocates the use of distinct compilation phases as a methodology for the design of a new generation of proof assistants featuring modular extensions of a core logic. The essence of a compiler is the separation of the complexity of a translation process into modular stages, and the organization of their recomposition. This idea finds a natural application in the design of complex proof assistants (Figure 1). For instance, the definition of type classes in Coq follows this pattern, and is morally given by the means of a translation into a typeclass free kernel. More recently, a similar approach by compilation stages, using the forcing transformation, was used to relax the strict positivity condition guarding inductive types 80, 79. We believe that this flavour of compilationbased strategies offers a promising direction of investigation for the purpose of defining a decidable type checking algorithm for HoTT.
3.3 Semantic and logical foundations for effects in proof assistants based on type theory
We propose the incorporation of effects in the theory of proof assistants at a foundational level. Not only would this allow for certified programming with effects, but it would moreover have implications for both semantics and logic.
We mean effects in a broad sense that encompasses both Moggi's monads 100 and Girard's linear logic 66. These two seminal works have given rise to respective theories of effects (monads) and resources (comonads). Recent advances, however have unified these two lines of thought: it is now clear that the defining feature of effects, in the broad sense, is sensitivity to evaluation order 89, 58.
In contrast, the type theory that forms the foundations of proof assistants is based on pure $\lambda $calculus and is built on the assumption that evaluation order is irrelevant. Evaluation order is therefore the blind spot of type theory. In Moggi 101, integrating the dependent types of type theory with monads is “the next difficult step [...] currently under investigation”.
Any realistic program contains effects: state, exceptions, inputoutput. More generally, evaluation order may simply be important for complexity reasons. With this in mind, many works have focused on certified programming with effects: notably Ynot 105, and more recently ${\mathrm{F}}^{\u2606}$118 and Idris 48, which propose various ways for encapsulating effects and restricting the dependency of types on effectful terms. Effects are either specialised, such as the monads with Hoarestyle pre and postconditions found in Ynot or ${\mathrm{F}}^{\u2606}$, or more general, such as the algebraic effects implemented in Idris. But whereas there are several experiments and projects pursuing the certification of programs with effects, each making its own choices on how effects and dependency should be merged, there is on the other hand a deficit of logical and semantic investigations.
We propose to develop the foundations of a type theory with effects taking into account the logical and semantic aspects, and to study their practical and theoretical consequences. A type theory that integrates effects would have logical, algebraic and computational implications when viewed through the CurryHoward correspondence. For instance, effects such as control operators establish a link with classical proof theory 71. Indeed, control operators provide computational interpretations of type isomorphisms such as $A\cong \neg \neg A$ and $\neg \forall xA\cong \exists x\neg A$ (e.g. 102), whereas the conventional wisdom of type theory holds that such axioms are nonconstructive (this is for instance the point of view that has been advocated so far in homotopy type theory 109). Another example of an effect with logical content is state (more precisely memoization) which is used to provide constructive content to the classical dependent axiom of choice 45, 83, 75. In the long term, a whole body of literature on the constructive content of classical proofs is to be explored and integrated, providing rich sources of inspiration: Kohlenbach's proof mining 82 and Simpson's reverse mathematics 116, for instance, are certainly interesting to investigate from the CurryHoward perspective.
The goal is to develop a type theory with effects that accounts both for practical experiments in certified programming, and for clues from denotational semantics and logical phenomena, in a unified setting.
3.3.1 Models for integrating effects with dependent types
A crucial step is the integration of dependent types with effects, a topic which has remained “currently under investigation” 101 ever since the beginning. The difficulty resides in expressing the dependency of types on terms that can perform sideeffects during the computation. On the side of denotational semantics, several extensions of categorical models for effects with dependent types have been proposed 33, 120 using axioms that should correspond to restrictions in terms of expressivity but whose practical implications, however, are not immediately transparent. On the side of logical approaches 75, 76, 87, 99, one first considers a drastic restriction to terms that do not compute, which is then relaxed by semantic means. On the side of systems for certified programming such as ${\mathrm{F}}^{\u2606}$, the type system ensures that types only depend on pure and terminating terms.
Thus, the recurring idea is to introduce restrictions on the dependency in order to establish an encapsulation of effects. In our approach, we seek a principled description of this idea by developing the concept of semantic value (thunkables, linears) which arose from foundational considerations 65, 115, 103 and whose relevance was highlighted in recent works 90, 107. The novel aspect of our approach is to seek a proper extension of type theory which would provide foundations for a classical type theory with axiom of choice in the style of Herbelin 75, but which moreover could be generalised to effects other than just control by exploiting an abstract and adaptable notion of semantic value.
3.3.2 Intuitionistic depolarisation
In our view, the common idea that evaluation order does not matter for pure and terminating computations should serve as a bridge between our proposals for dependent types in the presence of effects and traditional type theory. Building on the previous goal, we aim to study the relationship between semantic values, purity, and parametricity theorems 114, 67. Our goal is to characterise parametricity as a form of intuitionistic depolarisation following the method by which the first game model of full linear logic was given (Melliès 96, 97). We have two expected outcomes in mind: enriching type theory with intensional content without losing its properties, and giving an explanation of the dependent types in the style of Idris and ${\mathrm{F}}^{\u2606}$ where purity and terminationchecking play a role.
3.3.3 Developing the rewriting theory of calculi with effects
An integrated type theory with effects requires an understanding of evaluation order from the point of view of rewriting. For instance, rewriting properties can entail the decidability of some conversions, allowing the automation of equational reasoning in types 31. They can also provide proofs of computational consistency (that terms are not all equivalent) by showing that extending calculi with new constructs is conservative 117. In our approach, the $\lambda $calculus is replaced by a calculus modelling the evaluation in an abstract machine 59. We have shown how this approach generalises the previous semantic and prooftheoretic approaches 37, 89, 91, and overcomes their shortcomings 104.
One goal is to prove computational consistency or decidability of conversions purely using advanced rewriting techniques following a technique introduced in 117. Another goal is the characterisation of weak reductions: extensions of the operational semantics to terms with free variables that preserve termination, whose iteration is equivalent to strong reduction 32, 62. We aim to show that such properties derive from generic theorems of higherorder rewriting 113, so that weak reduction can easily be generalised to richer systems with effects.
3.3.4 Direct models and categorical coherence
Proof theory and rewriting are a source of coherence theorems in category theory, which show how calculations in a category can be simplified with an embedding into a structure with stronger properties 94, 85. We aim to explore such results for categorical models of effects 89, 58. Our key insight is to consider the reflection between indirect and direct models 65, 103 as a coherence theorem: it allows us to embed the traditional models of effects into structures for which the rewriting and prooftheoretic techniques from the previous section are effective.
Building on this, we are further interested in connecting operational semantics to 2category theory, in which a second dimension is traditionally considered for modelling conversions of programs rather than equivalences. This idea has been successfully applied for the $\lambda $calculus 81, 77 but does not scale yet to more realistic models of computation. In our approach, it has already been noticed that the expected symmetries coming from categorical dualities are better represented, motivating a new investigation into this longstanding question.
3.3.5 Models of effects and resources
The unified theory of effects and resources 58 prompts an investigation into the semantics of safe and automatic resource management, in the style of Modern C++ and Rust. Our goal is to show how advanced semantics of effects, resources, and their combination arise by assembling elementary blocks, pursuing the methodology applied by Melliès and Tabareau in the context of continuations 98. For instance, combining control flow (exceptions, return) with linearity allows us to describe in a precise way the “Resource Acquisition Is Initialisation” idiom in which the resource safety is ensured with scopebased destructors. A further step would be to reconstruct uniqueness types and borrowing using similar ideas.
3.4 Language extensions for the scaling of proof assistants
The development of tools to construct software systems that respect a given specification is a major challenge of current and future research in computer science. Certified programming with dependent types has recently attracted a lot of interest, and Coq is the de facto standard for such endeavours, with an increasing number of users, pedagogical resources, and largescale projects. Nevertheless, significant work remains to be done to make Coq more usable from a software engineering point of view. The Gallinette team proposes to make progress on three lines of work: (i) the development of gradual certified programming, (ii) the integration of imperative features and object polymorphism in Coq, and (iii) the development of robust tactics for proof engineering for the scaling of formalised libraries.
3.4.1 Gradual Certified Programming
One of the main issues faced by a programmer starting to internalise in a proof assistant code written in a more permissive world is that type theory is constrained by a strict type discipline which lacks flexibility. Concretely, as soon as you start giving a more precise type/specification to a function, the rest of the code interacting with this function needs to be more precise too. To address this issue, the Gallinette team will put strong efforts into the development of gradual typing in type theory to allow progressive integration of code that comes from a more permissive world.
Indeed, on the way to full verification, programmers can take advantage of a gradual approach in which some properties are simply asserted instead of proven, subject to dynamic verification. Tabareau and Tanter have made preliminary progress in this direction 119. This work, however, suffers from a number of limitations, the most important being the lack of a mechanism for handling the possibility of runtime errors within Coq. Instead of relying on axioms, this project will explore the application of Section 3.3 to embed effects in Coq. This way, instead of postulating axioms for parts of the development that are too hard/marginal to be dealt with, the system adds dynamic checks. Then, after extraction, we get a program that corresponds to the initial program but with dynamic checks for parts that have not been proven, ensuring that the program will raise an error instead of going outside its specification.
This will yield new foundations of gradual certified programming, both more expressive and practical. We will also study how to integrate previous techniques with the extraction mechanism of Coq programs to OCaml, in order to exploit the exception mechanism of OCaml.
3.4.2 Imperative features and object polymorphism in the Coq proof assistant
Imperative features.
Abstract data types (ADTs) become useful as the size of programs grows since they provide for a modular approach, allowing abstractions about data to be expressed and then instantiated. Moreover, ADTs are natural concepts in the calculus of inductive constructions. But while it is easy to declare an ADT, it is often difficult to implement an efficient one. Compare this situation with, for example, Okasaki's purely functional data structures 106 which implement ADTs like queues in languages with imperative features. Of course, Okasaki's queues enforce some additional properties for free, such as persistence, but the programmer may prefer to use and to study a simpler implementation without those additional properties. Also in certified symbolic computation (see 3.5.3), an efficient functional implementation of ADTs is often not available, and efficiency is a major challenge in this area. Relying on the theoretical work done in 3.3, we will equip Coq with imperative features and we will demonstrate how they can be used to provide efficient implementations of ADTs. However, it is also often the case that imperative implementations are hardtoreasonon, requiring for instance the use of separation logic. But in that case, we benefit from recent works on integration of separation logic in the Coq proof assistant and in particular the Iris project.
Object polymorphism.
Objectoriented programming has evolved since its foundation based on the representation of computations as an exchange of messages between objects. In modern programming languages like Scala, which aims at a synthesis between objectoriented and functional programming, objectorientation concretely results in the use of hierarchies of interfaces ordered by the subtyping relation and the definition of interface implementations that can interoperate. As observed by Cook and Aldrich 56, 35, interoperability can be considered as the essential feature of objects and is a requirement for many modern frameworks and ecosystems: it means that two different implementations of the same interface can interoperate.
Our objective is to provide a representation of objectoriented programs, by focusing on subtyping and interoperability.
For subtyping, the natural solution in type theory is coercive subtyping 92, as implemented in Coq, with an explicit operator for coercions. This should lead to a shallow embedding, but has limitations: indeed, while it allows subtyping to be faithfully represented, it does not provide a direct means to represent union and intersection types, which are often associated with subtyping (for instance intersection types are present in Scala). A more ambitious solution would be to resort to subsumptive subtyping (or semantic subtyping 64): in its more general form, a type algebra is extended with boolean operations (union, intersection, complementing) to get a boolean algebra with operators (the original type constructors). Subtyping is then interpreted as the natural partial order of the boolean algebra.
We propose to use the type class machinery of Coq to implement semantic subtyping for dependent type theory. Using type class resolution, we can emulate inference rules of subsumptive subtyping without modifying Coq internally. This has also another advantage. As subsumptive subtyping for dependent types should be undecidable in general, using type class resolution allows for an incomplete yet extensible decision procedure.
3.4.3 Robust tactics for proof engineering for the scaling of formalised libraries
When developing certified software, a major part of the effort is spent not only on writing proof scripts, but on rewriting them, either for the purpose of code maintenance or because of more significant changes in the base definitions. Regrettably, proof scripts suffer more often than not from a bad programming style, and too many proof developers casually neglect the most elementary principles of wellbehaved programmers. As a result, many proof scripts are very brittle, userdefined tactics are often difficult to extend, and sometimes even lack a clear specification. Formal libraries are thus generally very fragile pieces of software. One reason for this unfortunate situation is that proof engineering is very badly served by the tools currently available to the users of the Coq proof assistant, starting with its tactic language. One objective of the Gallinette team is to develop better tools to write proof scripts.
Completing and maintaining a large corpus of formalised mathematics requires a welldesigned tactic language. This language should both accommodate the possible specific needs of the theories at stake, and help with diagnostics at refactoring time. Coq's tactic language is in fact twoleveled. First, it includes a basic tactic language, to organise the deductive steps in a proof script and to perform the elementary bureaucracy. Its second layer is a metaprogramming language, which allows users to define their own new tactics at toplevel. Our first direction of work consists in the investigation of the appropriate features of the basic tactic language. For instance, the design of the Ssreflect tactic language, and its support for the small scale reflection methodology 70, has been a key ingredient in at least two large scale formalisation endeavours: the Four Colour Theorem 69 and of the Odd Order Theorem 68. Building on our experience with the Ssreflect tactic language, we will contribute to the ongoing work on the basic tactic language for Coq. The second objective of this task is to contribute to the design of a typed tactic language. In particular, we will build on the work of Ziliani and his collaborators 121, extending it with reasoning about the effects that tactics have on the “state of a proof” (e.g. number of subgoals, metavariables in context). We will also develop a novel approach for incremental type checking of proof scripts, so that programmers gain access to a richer discovery—engineering interaction with the proof assistant.
3.5 Practical experiments
The first three axes of the EPC Gallinette aim at developing a new generation of proof assistants. But we strongly believe that foundational investigations must go hand in hand with practical experiments. Therefore, we expect to benefit from existing expertise and collaborations in the team to experiment our extensions of Coq on real world developments. It should be noticed that those practical experiments are strongly guided by the deep history of research on software engineering of team members.
3.5.1 Certified Code Refactoring
In the context of refactoring of C programs, we intend to formalise program transformations that are written in an imperative style to test the usability of our addition of effects in the proof assistant. This subject has been chosen based on the competence of members of the team.
We are currently working on the formalisation of refactoring tools in Coq 55. Automatic refactoring of programs in industrial languages is difficult because of the large number of potential interactions between language features that are difficult to predict and to test. Indeed, all available refactoring tools suffer from bugs : they fail to ensure that the generated program has the same behaviour as the input program. To cope with that difficulty, we have chosen to build a refactoring tool with Coq : a program transformation is written in the Coq programming language, then proven correct on all possible inputs, and then an OCaml executable program is generated by the platform. We rely on the CompCert C formalisation of the C language. CompCert is currently the most complete formalisation of an industrial language, which justifies that choice. We have three goals in that project :
 Build a refactoring tool that programmers can rely on and make it available in a popular platform (such as Eclipse, IntelliJ or FramaC).
 Explore large, drastic program transformations such as replacing a design architecture for an other one, by applying a sequence of small refactoring operations (as we have done for Java and Haskell programs before 54, 51, 34), while ensuring behaviour preservation.
 Explore the use of enhancements of proof systems on large developments. For instance, refactoring tools are usually developed in the imperative/object paradigm, so the extension of Coq with side effects or with object features proposed in the team can find a direct usecase here.
3.5.2 Certified Constraint Programming
We plan to make use of the internalisation of the objectoriented paradigm in the context of constraint programming. Indeed, this domain is made of very complex algorithms that are often developed using objectoriented programming (as it is the case for instance for CHOCO, which is developed in the Tasc Group at IMT Atlantique, Nantes). We will in particular focus on filtering algorithms in constraint solvers, for which research publications currently propose new algorithms with manual proofs. Their formalisation in Coq is challenging. Another interesting part of constraint solving to formalise is the part that deals with program generation (as opposed to extraction). However, when there are numerous generated pieces of code, it is not realistic to prove their correctness manually, and it can be too difficult to prove the correctness of a generator. So we intend to explore a middle path that consists in generating a piece of code along with its corresponding proof (script or proof term). A target application could be interval constraints (for instance Allen interval algebra or region connection calculus) that can generate thousands of specialised filtering algorithms for a small number of variables 42.
Finally, Rémi Douence has already worked (articles publishing 72, 111, 61, 44, 39, 38, PhD Thesis advising 110, 40) with different members of the Tasc team. Currently, he supervises with Nicolas Beldiceanu the PhD Thesis of Jovial Cheukam Ngouonou in the Tasc team. He studies graph invariants to enhance learning algorithms. This work requires proofs, manually done for now, we would like to explore when these proofs could be mechanized.
3.5.3 Certified Symbolic Computation
We will investigate how the addition of effects in the Coq proof assistant can facilitate the marriage of computer algebra with formal proofs. Computer algebra systems and proof assistants are both designed for doing mathematics with the help of a computer, by the means of symbolic computations. These two families of systems are however very different in nature: computer algebra systems allow for implementations faithful to the theoretical complexity of the algorithms, whereas proof assistants have the expressiveness to specify exactly the semantics of the datastructures and computations. By adding effects in the Coq proof assistant, it should be possible to specify and certify computer algebra routines in Coq, thus getting efficiency at the same time as formal correctness.
Experiments have been run that link computer algebra systems with Coq 60, 50. These bridges rely on the implementation of formal proofproducing core algorithms like normalisation procedures. Incidentally, they require non trivial maintenance work to survive the evolution of both systems. Other proof assistants like the Isabelle/HOL system make use of socalled reflection schemes: the proof assistant can produce code in an external programming language like SML, but also allows to import the values output by these extracted programs back inside the formal proofs. This feature extends the trusted base of code quite significantly but it has been used for major achievements like a certified symbolic/numeric ODE solver 78.
We would like to bring Coq closer to the efficiency and userfriendliness of computer algebra systems: for now it is difficult to use the Coq programming language so that certified implementations of computer algebra algorithms have the right, observable, complexity when they are executed inside Coq. We see the addition of effects to the proof assistant as an opportunity to ease these implementations, for instance by making use of caching mechanisms or of profiling facilities. Such enhancements should enable the verification of computationintensive mathematical proofs that are currently beyond reach, like the validation of Helfgott's proof of the weak Goldbach conjecture 74.
4 Application domains
Programming
 Correct and certified software engineering through the development and the advancement of Coq (e.g. gradualizing type theory, MetaCoq) and practical experiments for its application.
 More general contributions to programming languages: theoretical works advancing semantic techniques (e.g. deciding equivalence between programs, abstract syntaxes and rewriting, models of effects and resources), and practical works for functional programming (e.g. related to OCaml and Rust).
Foundations of mathematics
 Formalisation of mathematics
 Contributions to mathematical logic: type theory (e.g. dependent types and univalence), proof theory (e.g. constructive classical logic), categorical logic (e.g. higher algebra, models of focusing and linear logic)
5 Highlights of the year
 The Gallinette team has organized the TYPES'22 conference in June in Nantes (140 participants).
 The paper 9 has been selected as a distinguished paper of the POPL’22 conference.
 Gaëtan Gilbert has been hired as a permanent research engineer on Dec 1st 2022.
 Kenji Maillard has been hired on an Inria Starting Faculty Position (ISFP) on Dec 1st 2022.
 Guilhem Jaber is on leave at Inria since Sept 1st 2022.
6 New software and platforms
6.1 New software
6.1.1 Ltac2

Keywords:
Coq, Proof assistant

Functional Description:
A replacement for Ltac, the tactic language of Coq.

Contact:
PierreMarie Pedrot
6.1.2 Equations

Keywords:
Coq, Dependent PatternMatching, Proof assistant, Functional programming

Scientific Description:
Equations is a tool designed to help with the definition of programs in the setting of dependent type theory, as implemented in the Coq proof assistant. Equations provides a syntax for defining programs by dependent patternmatching and wellfounded recursion and compiles them down to the core type theory of Coq, using the primitive eliminators for inductive types, accessibility and equality. In addition to the definitions of programs, it also automatically derives useful reasoning principles in the form of propositional equations describing the functions, and an elimination principle for calls to this function. It realizes this using a purely definitional translation of highlevel definitions to core terms, without changing the core calculus in any way, or using axioms.
The main features of Equations include:
Dependent patternmatching in the style of Agda/Epigram, with inaccessible patterns, with and where clauses. The use of the K axiom or a proof of K is configurable, and it is able to solve unification problems without resorting to the K rule if not necessary.
Support for wellfounded and mutual recursion using measure/wellfoundedness annotations, even on indexed inductive types, using an automatic derivation of the subterm relation for inductive families.
Support for mutual and nested structural recursion using with and where auxilliary definitions, allowing to factor multiple uses of the same nested fixpoint definition. It proves the expected elimination principles for mutual and nested definitions.
Automatic generation of the defining equations as rewrite rules for every definition.
Automatic generation of the unfolding lemma for wellfounded definitions (requiring only functional extensionality).
Automatic derivation of the graph of the function and its elimination principle. In case the automation fails to prove these principles, the user is asked to provide a proof.
A new dependent elimination tactic based on the same splitting tree compilation scheme that can advantageously replace dependent destruction and sometimes inversion as well. The as clause of dependent elimination allows to specify exactly the patterns and naming of new variables needed for an elimination.
A set of Derive commands for automatic derivation of constructions from an inductive type: its signature, noconfusion property, wellfounded subterm relation and decidable equality proof, if applicable.

Functional Description:
Equations is a function definition plugin for Coq (supporting Coq 8.13 to 8.17, with special support for the CoqHoTT library), that allows the definition of functions by dependent patternmatching and wellfounded, mutual or nested structural recursion and compiles them into core terms. It automatically derives the clauses equations, the graph of the function and its associated elimination principle.
Equations is based on a simplification engine for the dependent equalities appearing in dependent eliminations that is also usable as a separate tactic, providing an axiomfree variant of dependent destruction.

Release Contributions:
This is a new major release of Equations, working with Coq 8.15 to 8.17. This version adds an improved syntax (less ,separation), integration with the CoqHoTT library and numerous bug fixes. See the reference manual for details.
This version introduces minor breaking changes along with the following features:
Enhancements of pattern interpretation
No explicit shadowing of pattern variables is allowed anymore. This fixes numerous bugs where generated implicit names introduced by the elaboration of patterns could shadow usergiven names, leading to incorrect names in righthand sides and confusing environments.
Improved syntax for "concise" clauses separated by , at toplevel or inside with subprograms. We no longer require to separate them by ,. For example, the following definition is now accepted:
Equations foo : nat > nat :=  0 => 1  S n => S (foo n). The old syntax is however still supported for backwards compatibility.
Multiple patterns can be separated by , in addition to , as in:
Equations trans {A} {x y z : A} (e : x = y) (e' : y = z) : x = z :=  1, 1 => 1. Require Import Equations.Equations. does not work anymore. One has to use Require Import Equations.Prop.Equations to load the plugin's default instance where equality is in Prop. From Equations Require Import Equations is unaffected.
Use Require Import Equations.HoTT.All to use the HoTT variant of the library compatible with the Coq HoTT library The plugin then reuses the definition of paths from the HoTT library and all its constructions are universe polymorphic. As for the HoTT library alone, coq must be passed the arguments noinit indicesmatter to use the library and plugin. The coqequations opam package depends optionally on coqhott, so if coqhott is installed before it, coqequations will automatically install the HoTT library variant in addition to the standard one. This variant of Equations allows to write very concise dependent patternmatchings on equality:
Require Import Equations.HoTT.All. Equations sym {A} {x y : A} (e : x = y) : y = x :=  1 => 1. New attribute #[tactic=tac] to set locally the default tactic to solve remaining holes. The goals on which the tactic applies are now always of the form Γ  τ where Γ is the context where the hole was introduced and τ the expected type, even when using the Obligation machinery to solve them, resulting in a possible incompatibility if the obligation tactic treated the context differently than the conclusion. By default, the program_simpl tactic performs a simpl call before introducing the hypotheses, so you might need to add a simpl in * to your tactics.
New attributes #[derive(equations=yes,no, eliminator=yesno)] can be used in place of the (noeqns, noind) flags which are deprecated.

News of the Year:
Equations 1.3, was fist released in September 2021, bringing bugfixes, an improved grammar and more robust proof automation tactics. It has been maintained and updated to the latest Coq versions.
 URL:
 Publications:

Contact:
Matthieu Sozeau

Participant:
Matthieu Sozeau
6.1.3 MathComponents

Name:
Mathematical Components library

Keyword:
Proof assistant

Functional Description:
The Mathematical Components library is a set of Coq libraries that cover the prerequiste for the mechanization of the proof of the Odd Order Theorem.
 URL:

Contact:
Assia Mahboubi

Participants:
Alexey Solovyev, Andrea Asperti, Assia Mahboubi, Cyril Cohen, Enrico Tassi, François Garillot, Georges Gonthier, Ioana Pasca, Jeremy Avigad, Laurence Rideau, Laurent Théry, Russell O'Connor, Sidi Ould Biha, Stéphane Le Roux, Yves Bertot
6.1.4 Mathcompanalysis

Name:
Mathematical Components Analysis

Keyword:
Proof assistant

Functional Description:
This library adds definitions and theorems to the Mathcomponents library for real numbers and their mathematical structures.

Release Contributions:
The main change is the split into two packages coqmathcompclassical and coqmathcompanalysis.

News of the Year:
In 2021 were added parts of the theory of convergence for sequences and series, of trigonometric functions, and of measurable spaces and measures.
 URL:
 Publication:

Contact:
Cyril Cohen

Participants:
Cyril Cohen, Georges Gonthier, Marie Kerjean, Assia Mahboubi, Damien Rouhling, Laurence Rideau, PierreYves Strub, Reynald Affeldt, Laurent Théry, Yves Bertot

Partners:
Ecole Polytechnique, AIST Tsukuba
6.1.5 MetaCoq

Keyword:
Coq

Scientific Description:
The MetaCoq project aims to provide a certified metaprogramming environment in Coq. It builds on TemplateCoq, a plugin for Coq originally implemented by Malecha (Extensible proof engineering in intensional type theory, Harvard University, 2014), which provided a reifier for Coq terms and global declarations, as represented in the Coq kernel, as well as a denotation command. Recently, it was used in the CertiCoq certified compiler project (Anand et al., in: CoqPL, Paris, France, 2017), as its frontend language, to derive parametricity properties (Anand and Morrisett, in: CoqPL’18, Los Angeles, CA, USA, 2018). However, the syntax lacked semantics, be it typing semantics or operational semantics, which should reflect, as formal specifications in Coq, the semantics of Coq ’s type theory itself. The tool was also rather bare bones, providing only rudimentary quoting and unquoting commands. MetaCoq generalizes it to handle the entire polymorphic calculus of cumulative inductive constructions, as implemented by Coq, including the kernel’s declaration structures for definitions and inductives, and implement a monad for general manipulation of Coq’s logical environment. The MetaCoq framework allows Coq users to define many kinds of general purpose plugins, whose correctness can be readily proved in the system itself, and that can be run efficiently after extraction. Examples of implemented plugins include a parametricity translation and a certified extraction to callbyvalue lambdacalculus. The metatheory of Coq itself is verified in MetaCoq along with verified conversion, typechecking and erasure procedures providing higly trustable alternatives to the procedures in Coq's OCaml kernel. MetaCoq is hence a foundation for the development of higherlevel certified tools on top of Coq's kernel. A metaprogramming and proving framework for Coq.
MetaCoq is made of 4 main components:  The entry point of the project is the TemplateCoq quoting and unquoting library for Coq which allows quotation and denotation of terms between three variants of the Coq AST: the OCaml one used by Coq's kernel, the Coq one defined in MetaCoq and the one defined by the extraction of the MetaCoq AST, allowing to extract OCaml plugins from Coq implementations.  The PCUIC component is a full formalization of Coq's typing and reduction rules, along with proofs of important metatheoretic properties: weakening, substitution, validity, subject reduction and principality. The PCUIC calculus differs slightly from the TemplateCoq one and verified translations between the two are provided.  The checker component contains verified implementations of weakhead reduction, conversion and type inference for the PCUIC calculus, along with a verified checker for Coq theories.  The erasure compoment contains a verified implementation of erasure/extraction from PCUIC to untyped (callbyvalue) lambda calculus extended with a dummy value for erased terms.

Functional Description:
MetaCoq is a framework containing a formalization and verified implementation of Coq's kernel in Coq along with a verified erasure procedure. It provides tools for manipulating Coq terms and developing certified plugins (i.e. translations, compilers or tactics) in Coq.

Release Contributions:
This new version integrates:
Support for primitive integers and floating point values, using the same typechecking mechanism as Coq's kernel, up to the erased lambdabox language. Better computational behavior of the safe checker. Support for nix and cachix (useful for CI, allows to reuse remotely compiled components) Registering of projections for inductive types defined as records More efficient etaexpansion transformation using environment maps instead of association lists.

News of the Year:
This year has shown improvements on the clarity of the specification of PCUIC and the efficiency of the typechecker and erasure implementations. New verified phases in the erasure pipeline allow to connect to the CertiCoq certified compiler and bootstrap it.
 URL:
 Publications:

Contact:
Matthieu Sozeau

Participants:
Abhishek Anand, Danil Annenkov, Meven Bertrand, Jakob Botsch Nielsen, Simon Boulier, Cyril Cohen, Yannick Forster, Kenji Maillard, Gregory Malecha, Matthieu Sozeau, Nicolas Tabareau, Théo Winterhalter

Partners:
Concordium Blockchain Research Center, Aarhus University, Denmark, Saarland University
6.1.6 Coq

Name:
The Coq Proof Assistant

Keywords:
Proof, Certification, Formalisation

Scientific Description:
Coq is an interactive proof assistant based on the Calculus of (Co)Inductive Constructions, extended with universe polymorphism. This type theory features inductive and coinductive families, an impredicative sort and a hierarchy of predicative universes, making it a very expressive logic. The calculus allows to formalize both general mathematics and computer programs, ranging from theories of finite structures to abstract algebra and categories to programming language metatheory and compiler verification. Coq is organised as a (relatively small) kernel including efficient conversion tests on which are built a set of higherlevel layers: a powerful proof engine and unification algorithm, various tactics/decision procedures, a transactional document model and, at the very top an integrated development environment (IDE).

Functional Description:
Coq provides both a dependentlytyped functional programming language and a logical formalism, which, altogether, support the formalisation of mathematical theories and the specification and certification of properties of programs. Coq also provides a large and extensible set of automatic or semiautomatic proof methods. Coq's programs are extractible to OCaml, Haskell, Scheme, ...

Release Contributions:
Coq version 8.16 integrates changes to the Coq kernel and performance improvements along with a few new features. We highlight some of the most impactful changes here:
The guard checker (see Guarded) now ensures strong normalization under any reduction strategy.
Irrelevant terms (in the SProp sort) are now squashed to a dummy value during conversion, fixing a subject reduction issue and making proof conversion faster.
Introduction of reversible coercions, which allow coercions relying on metalevel resolution such as typeclasses or canonical structures. Also allow coercions that do not fullfill the uniform inheritance condition.
Generalized rewriting support for rewriting with Typevalued relations and in Type contexts, using the Classes.CMorphisms library.
Added the boolean equality scheme command for decidable inductive types.
Added a Print Notation command.
Incompatibilities in name generation for Program obligations, eauto treatment of tactic failure levels, use of ident in notations, parsing of module expressions.
Standard library reorganization and deprecations.
Improve the treatment of standard library numbers by Extraction.
See https://coq.inria.fr/refman/changes.html#version816 for a detailed changelog.

News of the Year:
Coq version 8.14 integrates many usability improvements, as well as an important change in the core language. See the changelog at https://coq.inria.fr/refman/changes.html#version814 for an overview of the new features and changes, along with the full list of contributors.
 URL:

Contact:
Matthieu Sozeau

Participants:
Yves Bertot, Frederic Besson, Tej Chajed, Cyril Cohen, Pierre Corbineau, Pierre Courtieu, Maxime Denes, Jim Fehrle, Julien Forest, Emilio Jesús Gallego Arias, Gaetan Gilbert, Georges Gonthier, Benjamin Grégoire, Jason Gross, Hugo Herbelin, Vincent Laporte, Olivier Laurent, Assia Mahboubi, Kenji Maillard, Érik MartinDorel, Guillaume Melquiond, PierreMarie Pedrot, Clément PitClaudel, Kazuhiko Sakaguchi, Vincent Semeria, Michael Soegtrop, Arnaud Spiwack, Matthieu Sozeau, Enrico Tassi, Laurent Théry, Anton Trunov, LiYao Xia, Theo Zimmermann

Partners:
CNRS, Université ParisSud, ENS Lyon, Université ParisDiderot
6.1.7 memproflimits

Keyword:
Library

Scientific Description:
Memproflimits is an implementation of perthread global memory limits, and perthread allocation limits à la Haskell, and CPUbound thread cancellation, for OCaml, compatible with multiple threads.
Memproflimits interrupts the execution by raising an asynchronous exception: an exception that can arise at almost any location in the program. It is provided with a guide on how to recover from asynchronous exceptions and other unexpected exceptions, summarising for the first time practical knowledge acquired in OCaml by the Coq proof assistant as well as in other programming languages.
Memproflimits is probabilistic, as it is based on the statistical memory accountant memprof. It is provided with a statistical analysis that the user can rely on to have guarantees about the enforcement of limits.

Functional Description:
Memproflimits is an implementation of (perthread) global memory limits, (perthread) allocation limits, and cancellation of CPUbound threads, for OCaml. Memproflimits interrupts a computation by raising an exception asynchronously and offers features to recover from them such as interruptsafe resources.
It is provided with an extensive documentation with examples which explains what must be done to ensure one recovers from an interrupt. This documentation summarises for the first time the experience acquired in OCaml in the Coq proof assistant, as well as in other situations in other programming languages.

Release Contributions:
Initial version.

News of the Year:
Version 0.2.0, first official and supported (nonprototype) release.
 URL:
 Publication:

Author:
Guillaume Munch

Contact:
Guillaume Munch
6.1.8 ocamlboxroot

Keywords:
Interoperability, Library, Ocaml, Rust

Scientific Description:
Boxroot is an implementation of roots for the OCaml GC based on concurrent allocation techniques. These roots are designed to support a calling convention to interface between Rust and OCaml code that reconciles the latter's foreign function interface with the idioms from the former.

Functional Description:
Boxroot implements fast movable roots for OCaml in C. A root is a data type which contains an OCaml value, and interfaces with the OCaml GC to ensure that this value and its transitive children are kept alive while the root exists. This can be used to write programs in other languages that interface with programs written in OCaml.
 URL:

Contact:
Guillaume Munch

Participants:
Guillaume Munch, Gabriel Scherer
7 New results
7.1 Type Theory and Proof Assistants
Participants: Martin Baillon, Yannick Forster, Gaëtan Gilbert, Meven LennonBertand, Assia Mahboubi, Kenji Maillard, PierreMarie Pédrot, Loïc Pujet, Matthieu Sozeau, Nicolas Tabareau.
7.1.1 Type Theory
Gradualizing the Calculus of Inductive Constructions.
Acknowledging the ordeal of a fully formal development in a proof assistant such as Coq, we have investigated in 12 gradual variations on the Calculus of Inductive Construction (CIC) for swifter prototyping with imprecise types and terms. We observe, with a nogo theorem, a crucial tradeoff between graduality and the key properties of canonicity, decidability and closure of universes under dependent product that CIC enjoys. Beyond this Fire Triangle of Graduality, we explore the gradualization of CIC with three different compromises, each relaxing one edge of the Fire Triangle. We develop a parametrized presentation of Gradual CIC that encompasses all three variations, and jointly develop their metatheory. We first present a bidirectional elaboration of Gradual CIC to a dependentlytyped cast calculus, which elucidates the interrelation between typing, conversion, and graduality. We then establish the metatheory of this cast calculus through both a syntactic model into CIC, which provides weak canonicity, confluence, and when applicable, normalization, and a monotone model that purports the study of the graduality of two of the three variants. This work informs and paves the way towards the development of malleable proof assistants and dependentlytyped programming languages.
A Reasonably Gradual Type Theory.
Gradualizing the Calculus of Inductive Constructions (CIC) involves dealing with subtle tensions between normalization, graduality, and conservativity with respect to CIC. Recently, GCIC has been proposed as a parametrized gradual type theory that admits three variants, each sacrificing one of these properties. For devising a gradual proof assistant based on CIC, normalization and conservativity with respect to CIC are key, but the tension with graduality needs to be addressed. Additionally, several challenges remain: (1) The presence of two wildcard terms at any type—the error and unknown terms—enables trivial proofs of any theorem, jeopardizing the use of a gradual type theory in a proof assistant; (2) Supporting general indexed inductive families, most prominently equality, is an open problem; (3) Theoretical accounts of gradual typing and graduality so far do not support handling type mismatches detected during reduction; (4) Precision and graduality are external notions not amenable to reasoning within a gradual type theory. All these issues manifest primally in CastCIC, the cast calculus used to define GCIC. In 13, we present an alternative to CastCIC called GRIP. GRIP is a reasonably gradual type theory that addresses the issues above, featuring internal precision and general exception handling. For consistent reasoning about gradual terms, GRIP features an impure sort of types inhabited by errors and unknown terms, and a pure sort of strict propositions. By adopting a novel interpretation of the unknown term that carefully accounts for universe levels, GRIP satisfies graduality for a large and welldefined class of terms, in addition to being normalizing and a conservative extension of CIC. Internal precision supports reasoning about graduality within GRIP itself, for instance to characterize gradual exceptionhandling terms, and supports gradual subset types. We develop the metatheory of GRIP using a model formalized in Coq, and provide a prototype implementation of GRIP in Agda.
Observational Equality: Now For Good.
Building on the recent extension of dependent type theory with a universe of definitionally proofirrelevant types, we introduce in 14$T{T}^{obs}$, a new type theory based on the setoidal interpretation of dependent type theory. $T{T}^{obs}$ equips every type with an identity relation that satisfies function extensionality, propositional extensionality, and definitional uniqueness of identity proofs (UIP). Compared to other existing proposals to enrich dependent type theory with these principles, our theory features a notion of reduction that is normalizing and provides an algorithmic canonicity result, which we formally prove in Agda using the logical relation framework of Abel et al. Our paper thoroughly develops the metatheoretical properties of $T{T}^{obs}$, such as the decidability of the conversion and of the type checking, as well as consistency. We also explain how to extend our theory with quotient types, and we introduce a setoidal version of Swan's Id types that turn it into a proper extension of MLTT with inductive equality.
Impredicative Observational Equality
In dependent type theory, impredicativity is a powerful logical principle that allows the definition of propositions that quantify over arbitrarily large types, potentially resulting in selfreferential propositions. Impredicativity can provide a system with increased logical strength and flexibility, but in counterpart it comes with multiple incompatibility results. In particular, Abel and Coquand showed that adding definitional uniqueness of identity proofs (UIP) to the main proof assistants that support impredicative propositions (Coq and Lean) breaks the normalization procedure, and thus the typechecking algorithm. However, it was not known whether this stems from a fundamental incompatibility between UIP and impredicativity or if a more suitable algorithm could decide typechecking for a type theory that supports both. In 23, we design a theory that handles both UIP and impredicativity by extending the recently introduced observational type theory TTobs with an impredicative universe of definitionally proofirrelevant types, as initially proposed in the seminal work on observational equality of 36. We prove decidability of conversion for the resulting system, that we call CCobs, by harnessing proofirrelevance to avoid computing with impredicative proof terms. Additionally, we prove normalization for CCobs in plain MartinLöf type theory, thereby showing that adding proofirrelevant impredicativity does not increase the computational content of the theory.
Gardening with the Pythia: A model of continuity in a dependent setting.
In 16,we generalize to a rich dependent type theory a proof originally developed by Escardó 63 that all System T functionals are continuous. It relies on the definition of a syntactic model of Baclofen Type Theory, a type theory where dependent elimination must be strict, into the Calculus of Inductive Constructions. The model is given by three translations: the axiom translation, that adds an oracle to the context; the branching translation, based on the dialogue monad, turning every type into a tree; and finally, a layer of algebraic binary parametricity, binding together the two translations. In the resulting type theory, every function $f:(\mathbb{N}\to \mathbb{N})\to \mathbb{N}$ is externally continuous.
MetaCoq and CertiCoq.
The MetaCoq project formalizes the theory of Coq, a reference implementation of its typechecking kernel and a verified erasure pipeline. During this year, we completed the completeness proof of the system, including a bidirectional version of the typechecker described in 12, and improved both the clarity of the specification and the efficiency of the implementations of typechecking and erasure. In parallel, work on later stages of the erasure pipeline consisted in proving various optimization phases correct, to bring the idealized $\lambda $box language produced by the verified erasure function down to a more standard lambdacalculus where recursion is not guarded, constructors are fully applied and there are no "dummy" pattern matches on irrelevant values. This allows in particular to connect straightforwardly to the CertiCoq project compiling down to CompCert Clight (which has seen its first beta release in October) and to the first untyped intermediate language of the OCaml compiler (through a formalization of the Malfunction language). CertiCoq now enjoys a bootstrapped implementation: it can compile itself, and can also compile the certified checker of MetaCoq. In addition it supports primitives values (ints, floats) and a primitive FFI. We are working on articles on both MetaCoq and these two verified extraction facilities.
7.1.2 Proof Assistants
The Advantages of Maintaining a Multitask, ProjectSpecific Bot: An Experience Report.
Bots are becoming a popular method for automating basic everyday tasks in many software projects. This is true in particular because of the availability of many offtheshelf taskspecific bots that teams can quickly adopt (which are sometimes completed with additional taskspecific custom bots). Based on our experience in the Coq project, where we have developed and maintained a multitask projectspecific bot, we argue that this alternative approach to project automation should receive more attention because it strikes a good balance between productivity and adaptibility. In 15, we describe the kind of automation that our bot implements, what advantages we have gained by maintaining a projectspecific bot, and the technology and architecture choices that have made it possible. We draw conclusions that should generalize to other mediumsized software teams willing to invest in project automation without disrupting their workflows.
Compositional preprocessing for automated reasoning in dependent type theory.
In the context of interactive theorem provers based on a dependent type theory, automation tactics (dedicated decision procedures, call of automated solvers, ...) are often limited to goals which are exactly in some expected logical fragment. This very often prevents users from applying these tactics in other contexts, even similar ones. 18 discusses the design and the implementation of preprocessing operations for automating formal proofs in the Coq proof assistant. It presents the implementation of a wide variety of predictible, atomic goal transformations, which can be composed in various ways to target different backends. A gallery of examples illustrates how it helps to expand significantly the power of automation engines.
Trakt : Uniformiser les types pour automatiser les preuves.
Dans un assistant de preuve comme Coq, un même objet mathématique peut souvent être formalisé par différentes structures de données. Par exemple, le type Z des entiers binaires, dans la bibliothèque standard de Coq, représente les entiers relatifs tout comme le type ssrint, des entiers unaires, fourni par la bibliothèque MathComp. En pratique, cette situation familière en programmation est un frein à la preuve formelle automatique. Dans 24, nous présentons trakt, un outil dont l'objectif est de faciliter l'accès des utilisateurs de Coq aux tactiques d'automatisation, pour la représentation des théories décidables de leur choix. Cet outil construit une formule auxiliaire à partir d'un but utilisateur, et une preuve que cette dernière implique ce but initial. La formule auxiliaire est conçue pour être adaptée aux outils de preuve automatique (lia, SMTCoq, etc). Cet outil est extensible, grâce à une API permettant à l'utilisateur de définir plusieurs natures de plongements dans un jeu de structures de données de référence. Le métalangage CoqElpi, utilisé pour l'implémentation, fournit des facilités bienvenues pour la gestion des lieurs et la mise en oeuvre des parcours de termes en jeu dans ces tactiques.
7.2 Logical Foundations of Programming Languages
Participants: Hamza Jaafar, Guillhem Jaber, Guillaume MunchMaccagnoni.
Games, mobile processes, and functions.
In 22, a tight connection between two models of the λcalculus is established, namely Milner's encoding into the πcalculus (precisely, the Internal πcalculus), and operational game semantics (OGS). The operational correspondence between the behaviours of the encoding provided by π and OGS is first explored, for various LTSs: the standard LTS for π and a new 'concurrent' LTS for OGS; an 'outputprioritised' LTS for π and the standard alternating LTS for OGS. Then it is shown that the equivalences induced on λterms by all these LTSs (for π and OGS) coincide. These connections allow us to transfer results and techniques between π and OGS. In particular upto techniques from π onto OGS are imported and congruence and compositionality results for OGS from those of π are derived. The study is illustrated for callbyvalue; similar results hold for callbyname.
Mixing linearitybased and GC allocation techniques in a functional programming language.
25 reports an experiment with a large pages allocator for the OCaml runtime, with measured performance improvements. One goal was to evaluate the possible performance of a page table for multicore OCaml, a data structure of the OCaml runtime used by libraries implementing experimental memory allocation and memory sharing schemes. While we did not use original techniques, some of the results are unexpected a priori based on expressed beliefs in the OCaml community: it lets programs run faster rather than slower, by letting staticallyallocated values be skipped during garbage collection.
In 26, we propose a new API and implementation for managing garbage collector (GC) roots for the OCaml foreignfunction interface (FFI), which offers:
 better performance than existing APIs (local or global roots);
 efficient support for OCaml 5 with a more multicorefriendly design, with perdomain data structures;
 a reasoning based on resourcemanagement idioms, enabling an easier FFI for Rust.
Our contributions include a C library called Boxroot which is already in use in several OCamlRust interfacing libraries (ocamlrs, ocamlinterop). We believe that this approach generalizes beyond OCaml, to other FFI situations where a language with GC interacts with a language without pervasive GC.
The first paper reports, in essence, the good hypothetical performance of embedding (borrowing) linearlyallocated values inside garbagecollected values. The second paper reports a symmetrical result: how to efficiently embed (own) garbagecollected values inside linearlyallocated values. Taken together, the broader motivation is to show the feasibility of basing linear allocation with reuse 84, 41 in languages that would still leverage stateofart garbage collection for nonlinear values.
7.3 Program Certifications and Formalisation of Mathematics
Participants: Yannick Forster, Rémi Douence.
Synthetic Kolmogorov Complexity in Coq.
In 21, we present a generalised, constructive, and machinechecked approach to Kolmogorov complexity in the constructive type theory underlying the Coq proof assistant. By proving that nonrandom numbers form a simple predicate, we obtain elegant proofs of undecidability for random and nonrandom numbers and a proof of uncomputability of Kolmogorov complexity. We use a general and abstract definition of Kolmogorov complexity and subsequently instantiate it to several definitions frequently found in the literature. Whereas textbook treatments of Kolmogorov complexity usually rely heavily on classical logic and the axiom of choice, we put emphasis on the constructiveness of all our arguments, however without blurring their essence. We first give a highlevel proof idea using classical logic, which can be formalised with Markov's principle via folklore techniques we subsequently explain. Lastly, we show how to eliminate Markov's principle from a certain class of computability proofs, rendering all our results fully constructive. All our results are machinechecked by the Coq proof assistant, which is enabled by using a synthetic approach to computability: rather than formalising a model of computation, which is wellknown to introduce a considerable overhead, we abstractly assume a universal function, allowing the proofs to focus on the mathematical essence.
Constructive and Synthetic Reducibility Degrees: Post's Problem for Manyone and Truthtable Reducibility in Coq.
In 19, 30, we present a constructive analysis and machinechecked theory of oneone, manyone, and truthtable reductions based on synthetic computability theory in the Calculus of Inductive Constructions, the type theory underlying the proof assistant Coq. We give elegant, synthetic, and machinechecked proofs of Post's landmark results that a simple predicate exists, is enumerable, undecidable, but manyone incomplete (Post's problem for manyone reducibility), and a hypersimple predicate exists, is enumerable, undecidable, but truthtable incomplete (Post's problem for truthtable reducibility). In synthetic computability, one assumes axioms allowing to carry out computability theory with all definitions and proofs purely in terms of functions of the type theory with no mention of a model of computation. Proofs can focus on the essence of the argument, without having to sacrifice formality. Synthetic computability also clears the lense for constructivisation. Our constructively careful definition of simple and hypersimple predicates allows us to not assume classical axioms, not even Markov's principle, still yielding the expected strong results.
Parametric Church’s Thesis: Synthetic Computability Without Choice.
In synthetic computability, pioneered by Richman, Bridges 49, and Bauer 43, one develops computability theory without an explicit model of computation. This is enabled by assuming an axiom equivalent to postulating a function $\phi $ to be universal for the space $\mathbb{N}\to \mathbb{N}$ (${\mathrm{CT}}_{\phi}$, a consequence of the constructivist axiom CT), Markov's principle, and at least the axiom of countable choice. Assuming CT and countable choice invalidates the law of excluded middle, thereby also invalidating classical intuitions prevalent in textbooks on computability. On the other hand, results like Rice's theorem are not provable without a form of choice. In contrast to existing work, we base our investigations in constructive type theory with a separate, impredicative universe of propositions where countable choice does not hold and thus a priori ${\mathrm{CT}}_{\phi}$ and the law of excluded middle seem to be consistent. In 27, we introduce various parametric strengthenings of ${\mathrm{CT}}_{\phi}$, that are equivalent to assuming ${\mathrm{CT}}_{\phi}$ and an Smn operator for $\phi $ like in the Smn theorem. The strengthened axioms allow developing synthetic computability theory without choice, as demonstrated by elegant synthetic proofs of Rice's theorem. Moreover, they seem to be not in conflict with classical intuitions since they are consequences of the traditional analytic form of CT. Besides explaining the novel axioms and proofs of Rice's theorem we contribute machinechecked proofs of all results in the Coq proof assistant.
A Computational CantorBernstein and Myhill's Isomorphism Theorem in Constructive Type Theory: Proof Pearl.
The CantorBernstein theorem (CB) from set theory, stating that two sets which can be injectively embedded into each other are in bijection, is inherently classical in its full generality, i.e. implies the law of excluded middle, a result due to Pradic and Brown 108. Recently, Escardó has provided a proof of CB in univalent type theory, assuming the law of excluded middle. It is a natural question to ask which restrictions of CB can be proved without axiomatic assumptions. In 20, we give a partial answer to this question contributing an assumptionfree proof of CB restricted to enumerable discrete types, i.e. types which can be computationally treated. In fact, we construct several bijections from injections: The first is by translating a proof of the Myhill isomorphism theorem from computability theory—stating that 1equivalent predicates are recursively isomorphicto constructive type theory, where the bijection is constructed in stages and an algorithm with an intricate termination argument is used to extend the bijection in every step. The second is also constructed in stages, but with a simpler extension algorithm sufficient for CB. The third is constructed directly in such a way that it only relies on the given enumerations of the types, not on the given injections. We aim at keeping the explanations simple, accessible, and concise in the style of a "proof pearl". All proofs are machinechecked in Coq but should transport to other foundations: they do not rely on impredicativity, on choice principles, or on large eliminations.
Acquiring Maps of Interrelated Conjectures on Sharp Bounds.
To automate the discovery of conjectures on combinatorial objects, we introduce in 17 the concept of a map of sharp bounds on characteristics of combinatorial objects, that provides a set of interrelated sharp bounds for these combinatorial objects. We then describe a Bound Seeker, a constraintprogrammingbased system, that gradually acquires maps of conjectures. The system was tested for searching conjectures on bounds on characteristics of digraphs: it constructs sixteen maps involving 431 conjectures on sharp lower and upperbounds on eight digraph characteristics.
8 Bilateral contracts and grants with industry
8.1 Bilateral Contracts with Industry
CoqExtra
Participants: PierreMarie Pédrot, Matthieu Sozeau, Nicolas Tabareau, Yannick Forster, Pierre Giraud, Kazuhiko Sakaguchi.

Title:
A Formally Verified Extraction Mechanism using Precise Type Specifications

Duration:
2020  2023

Coordinator:
Nicolas Tabareau

Partners:
 Inria
 Nomadic Labs

Inria contact:
Nicolas Tabareau

Summary:
The extraction mechanism from Coq to OCaml can be seen as a compilation phase, from a functional language with dependent types to a functional language with a weaker type system. It is very useful to be able to run and link critical pieces of code that have been certified with the rest of a software system. For instance, for Tezos, it is important to certify the Michelson language for smart contracts and then to be able to extract it to OCaml so that it interacts with the rest of the code that has been developed. Unfortunately, the current extraction mechanism of Coq suffers from two major flaws that prevent extraction from being used in complex situations—and in particular for the Michelson language. First, the extraction mechanism does not make use of new features of OCaml type system, such as Generalized Abstract Data Types (GADTs). This prevents code using indexed inductive types (Coq’s generalization of GADTs) to be extracted to code using GADTs. Therefore, in the case of Michelson, the extracted code does not correspond at all to the seminal implementation of Michelson in OCaml as it jeopardizes its type specification. The second flaw comes from the fact that extraction sometimes produces illtyped pieces of code (even if it uses Obj.magic to cheat the type system), for instance when the arity of a function depends on some value. Therefore, the extracted program fails to typechecked in OCaml and cannot be used.

Expected Impact:
This project proposes to remedy to the situation so that the formalized Michelson implementation can be extracted to OCaml in a satisfactory and certified way. But this project is also of great interest outside Nomadic Labs as it will allow Coq users to use a better extraction mechanism and, on a longer term, it will allow OCaml developers to prove their OCaml programs using a formal semantics of (a fragment of) OCaml defined in Coq.
CIFRE PhD grant, funded by Mitsubishi Electric R&D Centre Europe (MERCE)
Participants: Assia Mahboubi, Enzo Crance.

Title:
Automated theorem proving and dependent types: automated reasoning for interactive proof assistants

Duration:
2020  2023

Coordinator:
Denis Cousineau (MERCE), Assia Mahboubi (Inria)

Partners:
 Inria
 Mitsubishi Electric R&D Centre Europe (MERCE)

Inria contact:
Assia Mahboubi

Summary:
The aim of this project is to vastly improve the automated reasoning skills of proof assistants based on dependent type theory, and in particular of the Coq proof assistant. Automated provers, like SAT solvers or SMT solvers, can provide fast decision answers on large formulas, typically quantifierfree first order statements generated by code analysis instruments like static analyzers. Modern provers are moreover able to produce additional data, called certificates, which contain enough information for an a posteriori verification of their results, e.g., using a formal proof. In this project, we would like to use this feature to expand the automation available to users of proof assistants. The main motivation here is thus to increase the class of goals that can be proved formally and automatically by the interactive proof assistant, rather than to work on the formal verification of specific albeit large decision problems. In this case, the central research problem is to bridge the gap between the rich specification language of the proof assistant, and the restricted fragment handled by the automated prover. This project will thus investigate the design, and the implementation, of the corresponding translation phase. This translation transforms a logical statement possibly featuring userdefined data structures and higherorder quantifications, into another statement, logically stronger, than can be sent to the automated prover. We thus aim at a triple objective: expressivity, extensibility and efficiency. This grant is funding the PhD of Enzo Crance.

Expected Impact:
Enhancing the automated reasoning skills of proof assistants based on dependent type theory will be key to their wider usage in industry. As of today, they are considered too expensive to be used in the large outside of specific niches.
OCamlRust
Participants: Guillaume MunchMaccagnoni.

Title:
OCaml/Rust bindings

Duration:
20212023

Coordinator:
Gabriel Scherer (INRIA Saclay, EPI Partout)

Participants:
 Guillaume MunchMaccagnoni (INRIA Rennes, EPI Gallinette),
 JacquesHenri Jourdan (CNRS, LRI)

Partners:
Inria, Nomadic Labs

Inria contact:
Gabriel Scherer

Summary:
We often want to write programs with components in several different programming languages. Interfacing two languages typically goes through lowlevel, unsafe interfaces. The OCaml/Rust project studies safer interfaces between OCaml and Rust.

Expected Impact:
We investigated safe lowlevel representations of OCaml values on the Rust side, representing GC ownership, and developed a calling convention that reconciles the OCaml FFI idioms with Rust idioms. We also developed Boxroot, a new API to register values with the OCaml GC, for use when interfacing with Rust (and other programming languages) and possibly when writing concurrent programs. This resulted in novel techniques which can benefit other pairs of languages in the future. These works are now integrated in the ocamlrs interface between OCaml and Rust used in the industry.
CAVOC
Participants: Guilhem Jaber, Hamza Jaafar.

Title:
Compositional Automated Verification for OCaml

Duration:
20212024

Coordinator:
Guilhem Jaber

Partners:
 Inria
 Nomadic Labs

Inria contact:
Guilhem Jaber

Summary:
This project aims to develop a sound and precise static analyzer for OCaml, that can catch large classes of bugs represented by uncaught exceptions. It will deal with both userdefined exceptions, and builtin ones used to represent error behaviors, like the ones triggered by failwith, assert, or a match failure. Via “assertfailure” detection, it will thus be able to check that invariants annotated by users hold. The analyzer will reason compositionally on programs, in order to analyze them at the granularity of a function or of a module. It will be sound in a strong way: if an OCaml module is considered to be correct by the analyzer, then one will have the guarantee that no OCaml code interacting with this module can trigger uncaught exceptions coming from the code of this module. In order to be precise, it will take into account the abstraction properties provided by the type system and the module system of the language: local values, abstracted definition of types, parametric polymorphism. The goal being that most of the interactions taken into account correspond to typeable OCaml code (that do not use unsafe features of the Obj Module, or the Foreign Function Interface to some external code).

Expected Impact:
Being modular the analyzer should be able to automatically check the absence of bugs of a large base of code written in the considered subset of OCaml. This subset will include most of the codebase developed by Nomadic Labs, which is an heavy user of GADT, for example to enforce subject reduction in the implementation of Michelson. We would then be able to get a higher degree of trust in its codebase, and possibly to find undetected bugs in it. The impact of this project could be large for the OCaml ecosystem in general, where automated analysis of programs to check soundness properties of the code could be really useful (for example for the Coq proof assistant, whose full analysis would be nonetheless too ambitious for this project).
9 Partnerships and cooperations
9.1 International initiatives
9.1.1 Associate Teams in the framework of an Inria International Lab or in the framework of an Inria International Program
GECO
Participants: Kenji Maillard, Matthieu Sozeau, Nicolas Tabareau.

Title:
Gradual verification and robust proof Engineering for COq

Duration:
2018 > 2022

Coordinator:
Éric Tanter (etanter@dcc.uchile.cl)

Partners:
 Universidad de Chile

Inria contact:
Nicolas Tabareau
9.1.2 Participation in other International Programs
Participants: Assia Mahboubi.
A. Mahboubi holds a parttime endowed professor position in the Department of Mathematics at the Vrije Universiteit Amsterdam (the Netherlands).
9.2 International research visitors
9.2.1 Visits of international scientists
Other international visits to the team
Éric Tanter

Status
Full Professor

Institution of origin:
Universidad de Chile

Country:
Chile

Dates:
JuneJuly 2022

Context of the visit:
Inria GECO associate team TYPES'22 Conference in Nantes

Mobility program/type of mobility:
research stay
9.3 European initiatives
9.3.1 H2020 projects
FRESCO
Participants: Christopher Hughes, Assia Mahboubi, Matthieu Piquerez.
FRESCO project on cordis.europa.eu

Title:
Fast and Reliable Symbolic Computation

Duration:
From November 1, 2021 to October 31, 2026

Partners:
 INSTITUT NATIONAL DE RECHERCHE EN INFORMATIQUE ET AUTOMATIQUE (INRIA), France

Inria contact:
Assia Mahboubi

Coordinator:
Assia Mahboubi

Summary:
The use of computers for formulating conjectures, but also for substantiating proof steps, pervades mathematics, even in its most abstract fields. Most computer proofs are produced by symbolic computations, using computer algebra systems. Sadly, these systems suffer from severe, intrinsic flaws, key to their amazing efficiency, but preventing any flavor of posthoc verification.
But can computer algebra become reliable while remaining fast? Bringing a positive answer to this question represents an outstanding scientific challenge per se, which this project aims at solving.
Our starting point is that interactive theorem provers are the best tools for representing mathematics in silico. But we intend to disrupt their architecture, shaped by decades of applications in computer science, so as to dramatically enrich their programming features, while remaining compatible with their logical foundations.
We will then design a novel generation of mathematical software, based on the firm grounds of modern programming language theory. This environment will feature a new, highlevel, performanceoriented programming language, devised for writing efficient and correct code easily, and for serving the frontline of research in computational mathematics. Users will have access to fast implementations, and to powerful proving technologies for verifying any component à la carte, with high productivity. Logic and computerbased formal proofs will prevent runtime errors, and incorrect mathematical semantics.
We will maintain a close, continuous collaboration with interested highprofile mathematicians, on the verification of cuttingedge research results, today beyond the reach of formal proofs. We ambition to empower mathematical journals to install highquality artifact evaluation, when peerreviewing falls short of assessing computer proofs. This project will eventually impact the use of formal methods in engineering, in areas like cryptography or signalprocessing.
Coqaml
Participants: Yannick Forster, Nicolas Tabareau.
Coqaml project on cordis.europa.eu

Title:
Verified Extraction from Coq to OCaml with GADTs

Duration:
From December 1, 2021 to November 30, 2023

Partners:
 INSTITUT NATIONAL DE RECHERCHE EN INFORMATIQUE ET AUTOMATIQUE (INRIA), France

Inria contact:
Nicolas Tabareau
 Coordinator:

Summary:
The Coq proof assistant is a popular tool to verify the correctness of securitycritical software. The CompCert C compiler, some implementations of blockchain languages, and the implementation of the P256 elliptic curve in Google’s BoringSSL library are all OCaml programs obtained by extraction from Coq functions.
While a type checker for Coq has recently been verified via a machinechecked mathematical proof based on the MetaCoq project for verified metaprogramming, the extraction process from Coq to OCaml is still part of the trusted computing base (TCB).
The Coqaml project will minimise the TCB for extracted programs even further by also providing a machinechecked correctness proof for the extraction mechanism to OCaml. Under the supervision of Nicolas Tabareau, head of the Inria Gallinette team in Nantes, the experienced researcher (ER) will implement Coq's extraction as mechanically verified MetaCoqplugin, obtaining the guarantee that extracted OCaml programs behave exactly like the Coq function specified.
In order to be usable in industrial applications, Coqaml will include a novel extraction targeting generalized algebraic datatypes (GADTs) in OCaml. The project includes a secondment of the ER to Nomadic Labs in Paris, who require GADTs as target for Coq's extraction. The intermediate semantic correctness proof for type and proof erasure, allowing axioms like functional extensionality or proof irrelevance in verified programs, can also be exploited in other extraction projects like the CertiCoq compiler from Coq to C code.
The Coqaml project is interdisciplanary by design, spanning logic, type theory, programming languages, and compilers. The density of some of the world’s leading experts on Coq and type theory in the Gallinette team and the expertise at Nomadic Labs will ensure that the environment is ideal for the success of the Coqaml project and the most beneficial development of the ER, greatly enhancing his future career prospects.
9.4 National initiatives
NUSCAP
Participants: Enzo Crance, Assia Mahboubi.

Title:
Numerical Safety for ComputerAided Proofs

Program:
ANR AAPG2020,

Type:
PRC, CES 48

Duration:
Feb 2021  Jan 2024

Coordinator:
UMR CNRS  ENS Lyon  UCB Lyon 1  INRIA 5668

Local Contact:
Assia Mahboubi

Summary:
The last twenty years have seen the advent of computeraided proofs in mathematics and this trend is getting more and more important. They request various levels of numerical safety, from fast and stable computations to formal proofs of the computations. Hovewer, the necessary tools and routines are usually ad hoc, sometimes unavailable, or inexistent. On a complementary perspective, numerical safety is also critical for complex guidance and control algorithms, in the context of increased satellite autonomy. We plan to design a whole set of theorems, algorithms and software developments, that will allow one to study a computational problem on all (or any) of the desired levels of numerical rigor. Key developments include fast and certified spectral methods and polynomial arithmetic, with subsequent formal verifications. There will be a strong feedback between the development of our tools and the applications that motivate it.
ReCiProg
Participants: Guilhem Jaber.

Title:
Reasoning on Circular proofs for Programming

Program:
ANR AAPG2021,

Type:
PRC, CES 48

Duration:
Jan 2022  Jan 2025

Coordinator:
UMR CNRS  IRIF  Université de Paris

Local Contact:
Guilhem Jaber

Summary:
ReCiProg is a collaborative project (LyonMarseilleNantesParis) aiming at extending the proofsasprograms correspondence (also known as CurryHoward correspondence) to recursive programs and circular proofs for logic and type systems using induction and coinduction. The project will contribute both to the necessary theoretical foundations of circular proofs and to the software development allowing to enhance the use of coinductive types and coinductive reasoning in the Coq proof assistant: such coinductive types present, in the current state of the art serious defects that the project will aim at solving.
DyVerSe
Participants: Guillaume Munch.

Title:
Dynamic Versatile Semantics

Program:
ANR AAPG2019,

Type:
PRC, CES 48

Duration:
Jan 2020  Dec 2023

Coordinator:
Pierre Clairambault (CR CNRS, LIP, UMR 5668)

Local Contact:
Guillaume MunchMaccagnoni

Summary:
DyVerSe aims to develop a theoretical framework for dynamic/game semantics for programming languages, capturing in one versatile setting a spectrum of computational features, representative of the heterogeneity of software (e.g. higherorder functions, concurrency, probabilities or other quantitative aspects). Our ambition is (1) to help unify denotational semantics by providing the missing link between various incompatible models focusing on specific aspects, and (2) to provide a toolbox to reason compositionally about the dynamic behaviour of programs, with an eye towards specification and verification.
CANofGAS
Participants: Guilhem Jaber.

Title:
Cost Analysis of Game Semantics

Program:
Inria Exploratory Action,

Duration:
Sep 2022  Dec 2025

Coordinator:
Beniamino Accattoli (CR Inria, LIX, PARTOUT Team) and Guilhem Jaber (MCF, LS2N, Gallinette Team)

Local Contact:
Guilhem Jaber

Summary:
CANofGAS aims at capturing the time and space cost of the evaluation of higherorder programs at the semantic level. The directions we plan to explore are using the advances in reasonable cost models to develop a costbased understanding of game semantics. In particular, we aim at modelling the efficient callbyneed evaluation scheme, at work for instance in the Haskell language and in the Coq proof assistant.
9.5 Regional initiatives
ASCOC
Participants: Hamza Jaafar, Guilhem Jaber.

Title:
Analyse Statique Compositionnelle pour OCaml

Program:
Atlanstic 2020/Amorçage grant

Duration:
09/2020  12/2022

Coordinator:
G. Jaber.

Summary:
Compositional Analysis of OCaml code
10 Dissemination
This section involves all the permanent members of the team.
Participants: Julien Cohen, Rémi Douence, Guilhem Jaber, Assia Mahboubi, Kenji Maillard, Guillaume Munch, PierreMarie Pedrot, Matthieu Sozeau, Nicolas Tabareau.
10.1 Promoting scientific activities
10.1.1 Scientific events: organisation
28th International Conference on Types for Proofs and Programs (TYPES 2022)

Date:
2025th June 2022, Nantes, France.

Sponsorship:
CNRS, Inria, EU COST
 Website
Mathematical Components Workshop 2023

Date:
7th December, Sophia Antipolis, France.

Sponsorship:
ERC, Inria
 Website
Member of the organizing committees
Matthieu Sozeau and Nicolas Tabareau organized the TYPES 2022 conference.
10.1.2 Scientific events: selection
The Gallinette team had held the TYPES 2022 conference in June 2022 in Nantes.
Chair of conference program committees
 PierreMarie Pédrot was a Program Committee cochair of TYPES 2022 and the TYPES 2022 postproceedings.
Member of the conference program committees
 Nicolas Tabareau was a Program Committee member of POPL 2022.
 PierreMarie Pédrot was a Program Committee member of APLAS 2022, WITS 2022 and CPP 2023.
 Guilhem Jaber was a Program Commitee member of ESOP 2022 and PPDP 2022.
 Assia Mahboubi was a Program Commitee member of the international conference ICFP 2022, FOSSACS 2022, LICS 2022 and of the national conference JFLAs.
 Kenji Maillard was a Program Commitee member of LFMTP 2022, CPP 2023 and OOPSLA 2022.
10.1.3 Journal
Member of the editorial boards
 Assia Mahboubi is a member of the editorial board of the Journal of Automated Reasoning.
Reviewer  reviewing activities
 PierreMarie Pédrot was a reviewer for the Workshop on TypeDriven Development (TyDe'22) and the Journal of Functional Programming.
 Matthieu Sozeau was a reviewer for the Journal of Functional Programming.
 Assia Mahboubi was a reviewer for the Journal of Automated Reasoning.
 Guillaume MunchMaccagnoni was a reviewer for the journal Logical Methods in Computer Science.
10.1.4 Invited talks
 Assia Mahboubi has given invited talks at the 150th anniversary conference of the SMF and at the conference in the honor of Thierry Coquand's 60th birthday.
10.1.5 Other administrative duties
 Matthieu Sozeau acted as the project coordinator of Coq.
 PierreMarie Pédrot was the release manager of Coq 8.16.
10.2 Teaching  Supervision  Juries
10.2.1 Teaching
 Licence : Julien Cohen, Discrete Mathematics, 48h, L1 (IUT), IUT Nantes, France
 Licence : Julien Cohen, Introduction to proof assistants (Coq), 8h, L2 (PEIP : IUT/Engineering school), Polytech Nantes, France
 Licence : Julien Cohen, Functional Programming (Scala), 22h, L2 (IUT), IUT Nantes, France
 Master : Julien Cohen, Object oriented programming (Java), 32h, M1 (Engineering school), Polytech Nantes, France
 Master : Julien Cohen, Functional programming (OCaml), 18h, M1 (Engineering school), Polytech Nantes, France
 Master : Julien Cohen, Tools for software engineering (proof with FramaC, test, code management), 20h, M1 (Engineering school), Polytech Nantes, France
 Licence : Rémi Douence, Object Oriented Design and Programming, 45h, L1 (engineers), IMTAtlantique, Nantes, France
 Licence : Rémi Douence, Object Oriented Design and Programming Project, 30h, L1 (apprenticeship), IMTAtlantique, Nantes, France
 Master : Rémi Douence, Functional Programming with Haskell, 45h, M1 (engineers), IMTAtlantique, Nantes, France
 Master : Rémi Douence, Functional Programming with Haskell, 20h, M1 (apprenticeship), IMTAtlantique, Nantes, France
 Master : Rémi Douence, Formal Methods: Model checking with Alloy and from Haskell to Coq, 11h, M1 (apprenticeship), IMTAtlantique, Nantes, France
 Master : Rémi Douence, Introduction to scientific research in computer science (Project: compilation in Java of Haskell Class Types), 45h, M2 (apprenticeship), IMTAtlantique, Nantes, France
 Licence : Hervé Grall, Algorithms and Discrete Mathematics, 25h , L3 (engineers), IMTAtlantique, Nantes, France
 Licence : Hervé Grall, Object Oriented Design and Programming, 25h , L3 (engineers), IMTAtlantique, Nantes, France
 Licence, Master : Hervé Grall, Modularity and Typing, 40h, L3 and M1, IMTAtlantique, Nantes, France
 Master : Hervé Grall, Serviceoriented Computing, 40h, M1 and M2, IMTAtlantique, Nantes, France
 Master : Hervé Grall, Research Project  (Linear) Logic Programming in Coq, 90h (1/3 supervised), M1 and M2, IMTAtlantique, Nantes, France
 Licence : Guilhem Jaber, Computer Tools for Science, 18h, L1, Nantes Université France
 Licence : Guilhem Jaber, Foundations of Computer Science, 54h, L3, Nantes Université France
 Licence : Guilhem Jaber, Logic in Computer Science, 48h, L2, Nantes Université France
 Licence : Guilhem Jaber, Functional Programming, 36h, L3, Nantes Université France
 Master : Guilhem Jaber, Verification and Formal Proofs, 18h, M1, Nantes Université, France
 Master : Guilhem Jaber, Modelisation and Verification of Concurrent Systems, 9h, M2, Nantes Université, France
 Master : Nicolas Tabareau, Homotopy Type Theory, 24h, M2 LMFI, Université Paris Diderot, France
 Master : Matthieu Sozeau, Proof Assistants, 24h, M2 MPRI, Université Paris Diderot, France
10.2.2 Supervision
 Meven LennonBertrand has defended his Phd on June 2022, advisors: Matthieu Sozeau and Nicolas Tabareau 28.
 Loïc Pujet has defended his Phd in Dec 2022, advisors: Nicolas Tabareau 29
 PhD in progress: Martin Baillon, Syntactic Models of Type Theory and Continuity Principles, Univ Nantes, advisors: Assia Mahboubi and PierreMarie Pédrot
 PhD in progress: Pierre Benjamin Giraud, Formalizing extraction of Coq to OCaml, Univ Nantes, advisors: PierreMarie Pédrot, Matthieu Sozeau and Nicolas Tabareau
 PhD in progress: Enzo Crance, Automated theorem proving and dependent types: automated reasoning for interactive proof assistants, Univ Nantes, advisors: Denis Cousineau and Assia Mahboubi
 PhD in progress: Antoine Allioux, Coherent Higher Structures in Homotopy Type Theory, Univ Paris Diderot, advisors: PierreLouis Curien (Univ. Paris Diderot), Eric Finster (Univ. Birmingham) and Matthieu Sozeau
 PhD in progress: Hamza Jaafar, Operational Game Semantics for OCaml, Univ. Nantes, advisor: Guilhem Jaber and Nicolas Tabareau
 PhD in progress: Peio Borthelle, Formalized Game Semantics for Interoperability, Univ. Savoie MontBlanc, advisor: Tom Hirschowitz, Guilhem Jaber and Yannick Zakowski
10.2.3 Juries
 Nicolas Tabareau was a member of the jury for a full professorship position at Nantes Université.
 Assia Mahboubi was a member of the jury for a full professorship position at Nantes Université, for a PhD position at the Vrije Universiteit Amsterdam, for Chargés de recherches at Inria Nancy Grand Est.
 Assia Mahboubi was a member of the jury of the Gilles Kahn PhD prize.
 Assia Mahboubi has served on the PhD jury of Meven LennonBertrand (Nantes Université), Louis Noizet (Université de Rennes), Gabriel Hondet (Université Paris Saclay).
10.3 Popularization
10.3.1 Articles and contents
Guilhem Jaber participated in the production of a popular science magazine during the residence of journalists from "Les Autres Possible".
10.3.2 Education
Guilhem Jaber participated in an art and science teaching module for second year bachelor student with Pascale Kuntz and artists from "Compagnie Brume". This experience was covered in a paper in L'Étudiant.
10.3.3 Interventions
Guilhem Jaber and Assia Mahboubi participated to performances of the "Pièces à pédales", an art and science collaboration with the Athenor theater (SaintNazaire, France) and composer Alessandro Bosetti. It was performed in GMEA (Albi, France) and GMEM, (Marseille, France).
11 Scientific production
11.1 Major publications
 1 inproceedingsCompeting inheritance paths in dependent type theory: a case study in functional analysis.IJCAR 2020  International Joint Conference on Automated ReasoningParis, FranceJune 2020, 119
 2 articleTheorems for free from separation logic specifications.Proceedings of the ACM on Programming Languages5ICFPAugust 2021, 129
 3 articleThe Taming of the Rew: A Type Theory with Computational Assumptions.Proceedings of the ACM on Programming Languages2021
 4 inproceedingsTypes are internal infinitygroupoids.LICS 2021Rome, ItalyJune 2021
 5 articleSyTeCi: Automating Contextual Equivalence for HigherOrder Programs with References.Proceedings of the ACM on Programming Languages282020, 128
 6 inproceedingsRussian Constructivism in a Prefascist Theory.LICS 2020  ThirtyFifth Annual ACM/IEEE Symposium on Logic in Computer ScienceSaarbrücken, GermanyIEEEJuly 2020, 114
 7 articleThe Fire Triangle.Proceedings of the ACM on Programming LanguagesJanuary 2020, 128
 8 inproceedingsImpredicative Observational Equality.POPL 2023 Proceedings of the 50th ACM SIGPLAN Symposium on Principles of Programming LanguagesPOPL 2023  50th ACM SIGPLAN Symposium on Principles of Programming Languages7Proceedings of the ACM on programming languagesBoston, United StatesJanuary 2023, 74
 9 inproceedingsObservational Equality: Now For Good.POPLPhiladelphie, United StatesJanuary 2022
 10 articleCoq Coq Correct! Verification of Type Checking and Erasure for Coq, in Coq.Proceedings of the ACM on Programming LanguagesJanuary 2020, 128
 11 articleThe Marriage of Univalence and Parametricity.Journal of the ACM (JACM)681January 2021, 144
11.2 Publications of the year
International journals
 12 articleGradualizing the Calculus of Inductive Constructions.ACM Transactions on Programming Languages and Systems (TOPLAS)2022
 13 articleA Reasonably Gradual Type Theory.Proceedings of the ACM on Programming LanguagesSeptember 2022
 14 articleObservational Equality: Now For Good.Proceedings of the ACM on Programming Languages6POPLJanuary 2022, 129
 15 articleThe Advantages of Maintaining a Multitask, ProjectSpecific Bot: An Experience Report.IEEE SoftwareJune 2022, 27
International peerreviewed conferences
 16 inproceedingsGardening with the PythiaA model of continuity in a dependent setting.CSL 2022  Computer Science LogicGöttingen, GermanyFebruary 2022, 119
 17 inproceedingsAcquiring Maps of Interrelated Conjectures on Sharp Bounds.CP 2022  28th International Conference on Principles and Practice of Constraint Programming235Leibniz International Proceedings in Informatics (LIPIcs)Haifa, IsraelSchloss Dagstuhl  LeibnizZentrum für InformatikJuly 2022, 118
 18 inproceedingsCompositional preprocessing for automated reasoning in dependent type theory.CPP 2023  Certified Programs and ProofsBoston, United States2023
 19 inproceedingsConstructive and Synthetic Reducibility Degrees: Post's Problem for Manyone and Truthtable Reducibility in Coq.CSL 2023  31st EACSL Annual Conference on Computer Science LogicWarsaw, PolandFebruary 2023
 20 inproceedingsA Computational CantorBernstein and Myhill's Isomorphism Theorem in Constructive Type Theory: Proof Pearl.CPP 2023  Proceedings of the 12th ACM SIGPLAN International Conference on Certified Programs and ProofsBoston, United StatesJanuary 2023
 21 inproceedingsSynthetic Kolmogorov Complexity in Coq.ITP 2022  13th International Conference on Interactive Theorem ProvingHaifa, IsraelAugust 2022
 22 inproceedingsGames, mobile processes, Dfunctions.CSL 2022  30th EACSL Annual Conference on Computer Science LogicGöttingen, Germany2022, 135
 23 inproceedingsImpredicative Observational Equality.POPL 2023 Proceedings of the 50th ACM SIGPLAN Symposium on Principles of Programming LanguagesPOPL 2023  50th ACM SIGPLAN Symposium on Principles of Programming Languages7Proceedings of the ACM on programming languagesBoston, United StatesJanuary 2023, 74
National peerreviewed Conferences
 24 inproceedingsTrakt : Uniformiser les types pour automatiser les preuves (démonstration).Journées Francophones des Langages ApplicatifsJFLA 2022  33èmes Journées Francophones des Langages ApplicatifsSaintMédardd'Excideuil, FranceFebruary 2022, 261263
Conferences without proceedings
 25 inproceedingsEfficient “out of heap” pointers for multicore OCaml.OCaml 2022  OCaml Users and Developers WorkshopLjubljana, SloveniaSeptember 2022, 17
 26 inproceedingsBoxroot, fast movable GC roots for a better FFI.ML Family WorkshopLjubljana, SloveniaSeptember 2022
Scientific book chapters
 27 inbookParametric Church’s Thesis: Synthetic Computability Without Choice.13137Logical Foundations of Computer ScienceLecture Notes in Computer ScienceSpringer International PublishingDecember 2022, 7089
Doctoral dissertations and habilitation theses
 28 thesisTypage Bidirectionnel pour le Calcul des Constructions Inductives.Nantes UniversitéJune 2022
 29 thesisComputing with Extensionality Principles in Type Theory.Nantes UniversitéDecember 2022
Reports & preprints
 30 miscA Constructive and Synthetic Theory of Reducibility: Myhill's Isomorphism Theorem and Post's Problem for Manyone and Truthtable Reducibility in Coq (Full Version).February 2022
11.3 Cited publications
 31 incollectionUntyped Algorithmic Equality for MartinLöf’s Logical Framework with Surjective Pairs.Typed Lambda Calculi and Applications3461Lecture Notes in Computer ScienceSpringer Berlin Heidelberg2005, 2338URL: http://dx.doi.org/10.1007/11417170_4
 32 articleOpen CallbyValue.Programming Languages and SystemsJanuary 2016, URL: http://dx.doi.org/10.1007/9783319479583_12
 33 inproceedingsDependent Types and Fibred Computational Effects.Proc. FoSSaCS2015
 34 inproceedingsTransformations between Composite and Visitor Implementations in Java.Software Engineering and Advanced Applications (SEAA), 2013 39th EUROMICRO Conference onSept 2013, 2532URL: http://dx.doi.org/10.1109/SEAA.2013.53
 35 inproceedingsThe power of interoperability: why objects are inevitable.ACM Symposium on New Ideas in Programming and Reflections on Software, Onward! 2013, part of SPLASH '13, Indianapolis, IN, USA, October 2631, 20132013, 101116
 36 inproceedingsObservational equality, now!Proceedings of the ACM Workshop on Programming Languages meets Program Verification (PLPV 2007)Freiburg, GermanyOctober 2007, 5768
 37 articleLogic Programming with Focusing Proof in Linear Logic.Journal of Logic and Computation231992, 297347
 38 articleGlobal Constraint Catalog, Volume II, TimeSeries Constraints.CoRRabs/1609.089252016, URL: http://arxiv.org/abs/1609.08925
 39 inproceedingsTimeSeries Constraints: Improvements and Application in CP and MIP Contexts.Integration of AI and OR Techniques in Constraint Programming  13th International Conference, CPAIOR 2016, Banff, AB, Canada, May 29  June 1, 2016, Proceedings2016, 1834URL: https://doi.org/10.1007/9783319339542_2
 40 phdthesisFunctional description of sequence constraints and synthesis of combinatorial objects.Ecole nationale supérieure MinesTélécom AtlantiqueSeptember 2018
 41 articleLively Linear Lisp: "Look Ma, No Garbage!".SIGPLAN Not.278aug 1992, 89–98URL: https://doi.org/10.1145/142137.142162
 42 inproceedingsOpen Packing for FacadeLayout Synthesis Under a General Purpose Solver.Principles and Practice of Constraint Programming  21st International Conference, CP 2015, Cork, Ireland, August 31  September 4, 2015, Proceedings2015, 508523URL: http://dx.doi.org/10.1007/9783319232195_36
 43 articleFirst Steps in Synthetic Computability Theory.Electronic Notes in Theoretical Computer Science155Proceedings of the 21st Annual Conference on Mathematical Foundations of Programming Semantics (MFPS XXI)2006, 531URL: https://www.sciencedirect.com/science/article/pii/S1571066106001861
 44 articleUsing finite transducers for describing and synthesising structural timeseries constraints.Constraints2112016, 2240URL: http://dx.doi.org/10.1007/s1060101592003
 45 articleOn the computational content of the axiom of choice.The Journal of Symbolic Logic63021998, 600622
 46 articleA model of type theory in cubical sets.Preprint, September2013
 47 inproceedingsThe next 700 syntactical models of type theory.Certified Programs and Proofs (CPP 2017)Paris, FranceJanuary 2017, 182  194
 48 articleIdris, a generalpurpose dependently typed programming language: Design and implementation.J. Funct. Program.2352013, 552593URL: https://doi.org/10.1017/S095679681300018X
 49 bookVarieties of Constructive Mathematics.London Mathematical Society Lecture Note SeriesCambridge University Press1987

50
inproceedingsA ComputerAlgebraBased Formal Proof of the Irrationality of
$$ (3).Interactive Theorem Proving8558Lecture Notes in Computer ScienceSpringer2014  51 inproceedingsPractical Use of Static Composition of Refactoring Operations.Proceedings of the 28th Annual ACM Symposium on Applied ComputingSAC '13Coimbra, PortugalACM2013, 17001705URL: http://dx.doi.org/10.1145/2480362.2480684
 52 miscCubical Type Theory: a constructive interpretation of the univalence axiom.To appear in postproceedings of Types for Proofs and Programs (TYPES 2015)2016
 53 bookSet theory and the continuum hypothesis.WA Benjamin New York1966
 54 inproceedingsInvertible Program Restructurings for Continuing Modular Maintenance.Software Maintenance and Reengineering (CSMR), 2012 16th European Conference onMarch 2012, 347352URL: http://dx.doi.org/10.1109/CSMR.2012.42
 55 inproceedingsRenaming Global Variables in C Mechanically Proved Correct.Proceedings of the Fourth International Workshop on Verification and Program Transformation, Eindhoven, The Netherlands, 2nd April 2016216Electronic Proceedings in Theoretical Computer ScienceOpen Publishing Association2016, 5064URL: http://dx.doi.org/10.4204/EPTCS.216.3
 56 inproceedingsOn understanding data abstraction, revisited.Proceedings of the 24th Annual ACM SIGPLAN Conference on ObjectOriented Programming, Systems, Languages, and Applications, OOPSLA 2009, October 2529, 2009, Orlando, Florida, USA2009, 557572URL: http://doi.acm.org/10.1145/1640089.1640133
 57 bookThe Coq proof assistant reference manual.Version 8.52015, URL: http://coq.inria.fr
 58 inproceedingsA Theory of Effects and Resources: Adjunction Models and Polarised Calculi.Proc. POPL2016, URL: http://dx.doi.org/10.1145/2837614.2837652
 59 articleThe duality of computation.ACM SIGPLAN Notices352000, 233243
 60 articleDealing with algebraic expressions over a field in Coq using Maple.J. Symbolic Comput.395Special issue on the integration of automated reasoning and computer algebra systems2005, 569592URL: http://dx.doi.org/10.1016/j.jsc.2004.12.004
 61 inproceedingsLazy Composition of Representations in Java.Software Composition, 8th International Conference, SC 2009, Zurich, Switzerland, July 23, 2009. Proceedings2009, 5571URL: https://doi.org/10.1007/9783642026553_6
 62 inproceedingsCallbypushvalue from a linear logic point of view.European Symposium on Programming Languages and SystemsSpringer2016, 202228
 63 articleContinuity of Gödel's System T Definable Functionals via Effectful Forcing.Electronic Notes in Theoretical Computer Science298Proceedings of the Twentyninth Conference on the Mathematical Foundations of Programming Semantics, MFPS XXIX2013, 119141URL: https://www.sciencedirect.com/science/article/pii/S157106611300056X
 64 articleSemantic Subtyping: Dealing Settheoretically with Function, Union, Intersection, and Negation Types.J. ACM554September 2008, 19:119:64
 65 articleDirect Models for the Computational Lambda Calculus.Electr. Notes Theor. Comput. Sci.201999, 245292
 66 articleLinear Logic.Theoretical Computer Science501987, 1102
 67 inproceedingsNormal Forms and CutFree Proofs as Natural Transformations.in : Logic From Computer Science, Mathematical Science Research Institute Publications 21SpringerVerlag1992, 217241
 68 incollectionA MachineChecked Proof of the Odd Order Theorem.Interactive Theorem Proving7998Lecture Notes in Computer ScienceSpringer Berlin Heidelberg2013, 163179URL: http://dx.doi.org/10.1007/9783642396342_14
 69 articleFormal proofsthe fourcolour theorem.Notices of the AMS55112008, 13821393
 70 techreportA Small Scale Reflection Extension for the Coq system.RR6455The Reference Manual of the Ssreflect extension to the Coq tactic language, available at http://hal.inria.fr/inria00258384INRIA2008
 71 inproceedingsA FormulaeasTypes Notion of Control.Seventeenth Annual ACM Symposium on Principles of Programming LanguagesACM Press1990, 4758
 72 inproceedingsNo Java without Caffeine: A Tool for Dynamic Analysis of Java Programs.17th IEEE International Conference on Automated Software Engineering (ASE 2002), 2327 September 2002, Edinburgh, Scotland, UK2002, 117URL: https://doi.org/10.1109/ASE.2002.1115000
 73 articleA formal proof of the Kepler conjecture.CoRRabs/1501.021552015, URL: http://arxiv.org/abs/1501.02155
 74 articleThe ternary Goldbach conjecture is true.ArXiv eprintsDecember 2013
 75 inproceedingsA Constructive Proof of Dependent Choice, Compatible with Classical Logic.LICS 2012  27th Annual ACM/IEEE Symposium on Logic in Computer ScienceDubrovnik, CroatiaIEEE Computer SocietyJune 2012, 365374
 76 inproceedingsToward dependent choice: a classical sequent calculus with dependent types.TYPES 20152015
 77 articleCartesian closed 2categories and permutation equivalence in higherorder rewriting.Logical Methods in Computer Science9319 pages2013, 10
 78 inproceedingsVerified Reachability Analysis of Continuous Systems.Tools and Algorithms for the Construction and Analysis of Systems  21st International Conference, TACAS 2015, Held as Part of the European Joint Conferences on Theory and Practice of Software, ETAPS 2015, London, UK, April 1118, 2015. Proceedings9035Lecture Notes in Computer ScienceSpringer2015, 3751
 79 inproceedingsThe Definitional Side of the Forcing.Proceedings of the 31st Annual ACM/IEEE Symposium on Logic in Computer Science, LICS '16, New York, NY, USA, July 58, 20162016, 367376
 80 inproceedingsExtending type theory with forcing.Logic in Computer Science (LICS), 2012IEEE2012, 395404
 81 articleThe Virtues of EtaExpansion.J. Funct. Program.521995, 135154
 82 bookApplied proof theory: proof interpretations and their use in mathematics.Springer Science & Business Media2008
 83 articleRealizability algebras II : new models of ZF + DC.Logical Methods in Computer Science812012
 84 articleThe linear abstract machine.Theoretical Computer Science5911988, 157180URL: https://www.sciencedirect.com/science/article/pii/0304397588901004
 85 bookIntroduction to higher order categorical logic.New York, NY, USACambridge University Press1986
 86 bookSheaves in Geometry and Logic.SpringerVerlag1992
 87 inproceedingsA classical realizability model for a semantical value restriction.European Symposium on Programming Languages and SystemsSpringer2016, 476502
 88 articleFormal certification of a compiler backend or: programming a compiler with a proof assistant.ACM SIGPLAN Notices4112006, 4254
 89 bookCallByPushValue: A Functional/Imperative Synthesis.2Semantic Structures in ComputationSpringer2004
 90 inproceedingsContextual isomorphisms.Proceedings of the 44th ACM SIGPLAN Symposium on Principles of Programming LanguagesACM2017, 400414
 91 articleFocusing and polarization in linear, intuitionistic, and classical logics.Theor. Comput. Sci.410462009, 47474768
 92 articleCoercive subtyping: Theory and implementation.Inf. Comput.2232013, 1842
 93 bookHigher topos theory.Annals of mathematics studiesPrinceton, N.J., OxfordPrinceton University Press2009
 94 articleNatural associativity and commutativity.Selected Papers1979, 415433
 95 articleAn intuitionistic theory of types: predicative part.Logic Colloquium '73Studies in Logic and the Foundations of Mathematics801975, 73118
 96 articleAsynchronous Games 3 An Innocent Model of Linear Logic.Electr. Notes Theor. Comput. Sci.1222005, 171192
 97 inproceedingsAsynchronous Games 4: A Fully Complete Model of Propositional Linear Logic.LICS2005, 386395
 98 articleResource modalities in tensor logic.Ann. Pure Appl. Logic16152010, 632653
 99 inproceedingsA classical sequent calculus with dependent types.European Symposium on ProgrammingSpringer2017, 777803
 100 inproceedingsComputational lambdacalculus and monads.Proceedings of the Fourth Annual IEEE Symposium on Logic in Computer Science (LICS 1989)Pacific Grove, CA, USAIEEE Computer Society PressJune 1989, 1423
 101 articleNotions of computation and monads.Inf. Comput.931July 1991, 5592URL: http://dx.doi.org/10.1016/08905401(91)900524
 102 inproceedingsFormulaeasTypes for an Involutive Negation.Proceedings of the joint meeting of the TwentyThird EACSL Annual Conference on Computer Science Logic and the TwentyNinth Annual ACM/IEEE Symposium on Logic in Computer Science (CSLLICS)2014
 103 inproceedingsModels of a NonAssociative Composition.Proc. FoSSaCS8412LNCSSpringer2014, 397412
 104 unpublishedNote on Curry's style for Linear CallbyPushValue.May 2017, URL: https://hal.inria.fr/hal01528857
 105 miscYnot: Reasoning with the awkward squad.2008
 106 bookPurely functional data structures.Cambridge University Press1999
 107 unpublishedAn Effectful Way to Eliminate Addiction to Dependence.January 2017,
 108 unpublishedCantorBernstein implies Excluded Middle.December 2021, Update: fixed an error on the applicability of thm 1, added some acks and a ref
 109 bookHomotopy Type Theory: Univalent Foundations for Mathematics.http://homotopytypetheory.org/book2013
 110 phdthesisContrôle de la propagation et de la recherche dans un solveur de contraintes. (Controlling propagation and search within a constraint solver).École des mines de Nantes, France2014, URL: https://tel.archivesouvertes.fr/tel01060921
 111 articlePropagation engine prototyping with a domain specific language.Constraints1912014, 5776URL: https://doi.org/10.1007/s1060101391515
 112 articleLawvereTierney sheafification in Homotopy Type Theory.Journal of Formalized Reasoning922016
 113 inproceedingsHigherorder Rewriting.Proc. Rewrit. Tech. App.1631LNCSSpringer1999, 220239
 114 inproceedingsTypes, Abstraction and Parametric Polymorphism.IFIP Congress1983, 513523
 115 articleControl Categories and Duality: On the Categorical Semantics of the LambdaMu Calculus.Math. Struct in Comp. Sci.1122001, 207260
 116 bookSubsystems of Second Order Arithmetic.Cambridge Books OnlineCambridge University Press2009, URL: http://dx.doi.org/10.1017/CBO9780511581007
 117 articleExtending the Extensional Lambda Calculus with Surjective Pairing is Conservative.Logical Methods in Computer Science222006
 118 inproceedingsDependent Types and MultiMonadic Effects in F*.43nd ACM SIGPLANSIGACT Symposium on Principles of Programming Languages (POPL)ACMJanuary 2016, 256270URL: https://www.fstarlang.org/papers/mumon/
 119 inproceedingsGradual Certified Programming in Coq.Proceedings of the 11th ACM Dynamic Languages Symposium (DLS 2015)Pittsburgh, PA, USAACM PressOctober 2015, 2640
 120 articleA Framework for Dependent Types and Effects.arXiv preprint arXiv:1512.080092015
 121 articleMtac: A monad for typed tactic programming in Coq.Journal of Functional Programming252015, URL: http://dx.doi.org/10.1017/S0956796815000118