2023Activity reportProjectTeamTOCCATA
RNSR: 201221053L Research center Inria Saclay Centre at Université ParisSaclay
 In partnership with:CNRS, Université ParisSaclay
 Team name: Certified Programs, Certified Tools, Certified FloatingPoint Computations
 In collaboration with:Laboratoire de Méthodes Formelles
 Domain:Algorithmics, Programming, Software and Architecture
 Theme:Proofs and Verification
Keywords
Computer Science and Digital Science
 A2.1.1. Semantics of programming languages
 A2.1.4. Functional programming
 A2.1.6. Concurrent programming
 A2.1.10. Domainspecific languages
 A2.1.11. Proof languages
 A2.4.2. Modelchecking
 A2.4.3. Proofs
 A6.2.1. Numerical analysis of PDE and ODE
 A7.2. Logic in Computer Science
 A7.2.1. Decision procedures
 A7.2.2. Automated Theorem Proving
 A7.2.3. Interactive Theorem Proving
 A7.2.4. Mechanized Formalization of Mathematics
 A8.10. Computer arithmetic
Other Research Topics and Application Domains
 B5.2.2. Railway
 B5.2.3. Aviation
 B5.2.4. Aerospace
 B6.1. Software industry
 B9.5.1. Computer science
 B9.5.2. Mathematics
1 Team members, visitors, external collaborators
Research Scientists
 Claude Marché [Team leader, INRIA, Senior Researcher, HDR]
 Sylvie Boldo [INRIA, Senior Researcher, HDR]
 JeanChristophe Filliâtre [CNRS, Senior Researcher, HDR]
 Armaël Guéneau [INRIA, Researcher]
 Guillaume Melquiond [INRIA, Senior Researcher, HDR]
Faculty Members
 Sylvain Conchon [UNIV PARIS SACLAY, Professor, HDR]
 Micaela Mayero [Univ. SorbonneParisNord, Associate Professor, from Sep 2023, On leave (délégation) , HDR]
 Andriy Paskevych [UNIV PARIS SACLAY, Associate Professor]
PhD Students
 Léo Andrès [OCamlPro, CIFRE]
 Xavier Denis [Université ParisSaclay]
 Paul Geneau De Lamarlière [MERCE, CIFRE, from Mar 2023]
 Antoine Lanco [UNIV PARIS SACLAY, ATER, until Sep 2023]
 Josué Moreau [INRIA]
 Houda Mouhcine [INRIA]
 Clément Pascutto [Taridès, CIFRE, until May 2023]
 Paul Patault [Univ ParisSaclay, from Sep 2023]
Technical Staff
 Paul Bonnot [INRIA, Engineer]
 Paul Geneau De Lamarlière [INRIA, Engineer, until Feb 2023]
 David Hamelin [INRIA, Engineer, from Nov 2023]
 Matteo Manighetti [INRIA, Engineer, from May 2023]
 Solène Moreau [INRIA, Engineer, until Feb 2023]
Interns and Apprentices
 Gabriel Desfrene [INRIA, Intern, from May 2023 until Jul 2023]
 Tom Hubrecht [ENS PARISSACLAY, Intern, from Mar 2023 until Jul 2023]
 Valeran Maytie [INRIA, Intern, from May 2023 until Jul 2023]
 Dominik Josef Stolz [UNIV PARIS SACLAY, Intern, from Mar 2023 until Jul 2023]
Administrative Assistant
 Joyce Soares Brito [INRIA]
Visiting Scientists
 Arnaud Golfouse [LMF, from Oct 2023]
 Raphaël RieuHelft [TrustInSoft, partly on leave (plan de relance France 2030)]
External Collaborators
 Thibaut Balabonski [Université ParisSaclay, LMF]
 JacquesHenri Jourdan [CNRS, LMF]
 Chantal Keller [Université ParisSaclay, LMF]
2 Overall objectives
The general objective of the Toccata project is to promote formal specification and computerassisted proof in the development of software that requires high assurance in terms of safety and correctness with respect to its intended behavior. Such safetycritical software appears in many application domains like transportation (e.g. aviation, aerospace, railway, automotive), communication (e.g. internet, smartphones), health devices, data management on clouds (confidentialty issues), etc. The number of tasks performed by software is quickly increasing, together with the number of lines of code involved. Given the need of high assurance of safety in the functional behavior of such applications, the need for automated (in the sense computerassisted) methods and techniques to bring guarantee of safety became a major challenge. In the past and at present, the most widely used approach to check safety of software is to apply heavy test campaigns, which take a large part of the costs of software development. Yet these campaigns cannot ensure that all the bugs are caught, and remaining bugs may have catastrophic consequences.
Generally speaking, software verification approaches pursue three goals: (1) verification should be sound, in the sense that no bugs should be missed, (2) verification should not produce false alarms, or as few as possible, (3) it should be as automatic as possible. Reaching all three goals at the same time is a challenge. A large class of approaches emphasizes goals (2) and (3): testing, runtime verification, symbolic execution, model checking, etc. Static analysis, such as abstract interpretation, emphasizes goals (1) and (3). Deductive verification emphasizes (1) and (2). The Toccata project is mainly interested in exploring the deductive verification approach, although we also combine with the other techniques occasionally.
In the past decade, significant progress has been made in the domain of deductive program verification. This is emphasized by some success stories of application of these techniques on industrialscale software. For example, the Atelier B system was used to develop part of the embedded software of the Paris metro line 14 41 and other railwayrelated systems; a formally proved C compiler was developed using the Coq proof assistant 61; the L4verified project developed a formally verified microkernel with high security guarantees, using analysis tools on top of the Isabelle/HOL proof assistant 59. A bug in the JDK implementation of TimSort was discovered using the KeY environment 58 and a fixed version was proved sound. Another sign of recent progress is the emergence of deductive verification competitions (e.g. VerifyThis 42). Finally, recent trends in the industrial practice for development of critical software is to require more and more guarantees of safety, e.g. the DO178C standard for developing avionics software adds to the former DO178B the use of formal models and formal methods. It also emphasizes the need for certification of the analysis tools involved in the process.
3 Research program
Panorama of Deductive Verification
There are two main families of approaches for deductive verification. Methods in the first family build on top of mathematical proof assistants (e.g. Coq, Isabelle) in which both the model and the program are encoded; the proof that the program meets its specification is typically conducted in an interactive way using the underlying proof construction engine. Methods from the second family proceed by the design of standalone tools taking as input a program in a particular programming language (e.g. C, Java) specified with a dedicated annotation language (e.g. ACSL 40, JML 49) and automatically producing a set of mathematical formulas (the verification conditions) which are typically proved using automatic provers (e.g. Z3 63, AltErgo 50, CVC5 39).
The first family of approaches usually offers a smaller Trusted Code Base (TCB) than the second, but also demands more work to perform the proofs (because of their interactive nature) and makes them less easy to adopt by industry. Moreover, they generally do not allow to directly analyze a program written in a mainstream programming language like Java or C. The second kind of approaches has benefited in the past years from the tremendous progress made in SAT and SMT solving techniques, allowing more impact on industrial practices, but suffers from a lower level of trust: in all parts of the proof chain (the model of the input programming language, the VC generator, the backend automatic prover), potential errors may appear, compromising the guarantee offered. Moreover, while these approaches are applied to mainstream languages, they usually support only a subset of their features.
Overall Goals of the Toccata Project
One of our original skills is the ability to conduct proofs by using automatic provers and proof assistants at the same time, depending on the difficulty of the program, and specifically the difficulty of each particular verification condition. We thus believe that we are in a good position to propose a bridge between the two families of approaches of deductive verification presented above. Establishing this bridge is one of the goals of the Toccata project: we want to provide methods and tools for deductive program verification that can offer both a high amount of proof automation and a high guarantee of validity.
In industrial applications, numerical calculations are very common (e.g. control software in transportation). Typically they involve floatingpoint numbers. Some of the members of Toccata have an internationally recognized expertise on deductive program verification involving floatingpoint computations. Our past work includes a new approach for proving behavioral properties of numerical C programs using FramaC/Jessie 35, various examples of applications of that approach 47, the use of the Gappa solver for proving numerical algorithms 54, an approach to take architectures and compilers into account when dealing with floatingpoint programs 48, 65. We also contributed to the Handbook of FloatingPoint Arithmetic 64. A representative case study is the analysis and the proof of both the method error and the rounding error of a numerical analysis program solving the onedimension acoustic wave equation 4544. Our experience led us to a conclusion that verification of numerical programs can benefit a lot from combining automatic and interactive theorem proving 46, 47, 56, 57. Verification of numerical programs is another main axis of Toccata.
Let us conclude with more general considerations: we want to keep on with general audience actions (see Section 11.3), and industrial transfer through sustained longterm collaboration with industrial partners (Section 4). Our scientific programme detailed below is structured into the following four axes.
 Foundations and spreading of deductive program verification;
 Reasoning on mutable memory in program verification;
 Verification of Computer Arithmetic;
 Spreading Formal Proofs.
3.1 Foundations and spreading of deductive program verification
This axis covers the fundational studies we pursue regarding deductive verification. A nonexhaustive list of subjects we want to address is as follows.
 The search for improved methods to generate verification conditions, relying for example on new calculi, on better notion of abstraction, or on automatic discovery of invariants.
 Uniform approaches to obtain correctbyconstruction programs and libraries, in particular by automatic extraction of executable code (in OCaml, C, CakeML, etc.) from verified programs, and including innovative general methods like advanced ghost code, ghost monitoring, etc. A representative publication is the presentation of a new notion called ghost monitors 5.
 Improvement of automated reasoning techniques: methods dedicated to deductive verification, so as to improve proof automation; improved combination of interactive provers and fully automated ones, proof by reflection.
 Providing feedback in case of proof failures, e.g. based on generation of counterexamples, or symbolic execution.
A significant part of the work achieved in this axis is related to the Why3 toolbox and its ecosystem, displayed on Figure 1. The red background boxes represent tools that we develop ourselves, whereas blue background ones are developed by others. SPARK2014 is developed by AdaCore. FramaC and Wp are developed by CEAlist and directly produce logical formulas to be passed to provers. TISAnalyzer is developed by TrustInSoft and J${}^{3}$ is a collaboration between TrustInSoft and us. We develop the frontends microC and microPython mainly for teaching purpose. The frontend for Ladder programs is a software developed internally by MERCE. Yellow background boxes represent libraries of specifications of logic datatypes with their logical properties. A representative publication is an article on abstraction and genericity features of Why3 8.
3.2 Reasoning on mutable memory in program verification
This axis concerns specifically the techniques for reasoning on programs where memory aliasing is the central issue. It covers the methods based on typebased alias analysis and related memory models, on specific program logics such as separation logics, and extended modelchecking. It concerns the application on analysis of C or C++ codes, on Ada codes involving pointers, but also concurrent programs in general. The main topics are:
 The study of advanced type systems dedicated to verification, for controlling aliasing, and their use for obtaining easiertoprove verification conditions. Modern typing systems in the style of Rust, involving ownership and borrowing, are considered. A representation publication is a paper 10 on the semantic foundation of the verification of Rust programs.
 The design of frontends of Why3 for the proofs of programs where aliasing cannot be fully controlled statically, via adequate memory models, aiming in particular at extraction to C; and also for concurrent programs.
 The continuation of fruitful work on concurrent parameterized systems, and its corresponding specific SMTbased modelchecking. A reference publication is 6.
3.3 Verification of Computer Arithmetic
This axis, which bridges the domains of computer arithmetic and of formal verification, is a major originality of Toccata. The main topics are as follows.
 We are studying the fundamental blocks of formalizing floatingpoint computations, algorithms, and error analysis.
 A significant effort is dedicated to verification of numerical programs written in mainstream languages such as C or Ada. This involves combining specifications in real numbers and computation in floatingpoint, and underlying automated reasoning techniques with floatingpoint numbers and real numbers. We also contributed to the automation of reasoning on floatingpoint numbers 7.
 Related to the formalization of mathematics, we aim at verifying numerical analysis programs, in particular numerical schemes for solving partial differential equations. A representative publication is a paper on the formalization of Lebesgue integration 3 and a paper on certified approximations of integrals 9.
Boldo and Melquiond are authors of a reference book 4 on the formal verification of numerical programs.
3.4 Spreading Formal Proofs
The general goal of this axis, which was a new one proposed in 2019, was to encourage spreading of deductive verification through actions showing how our methods and tools can be used on programs that we develop ourselves. Since this axis is dedicated to applications in a general manner, positioning barely makes sense since a vast majority of research groups in computer science in the world would claim to conduct case studies and largescale applications.
Representative of these significant case studies are the automated analysis of Debian packages installation 1 and the automated analysis of Ladder programs 2.
4 Application domains
4.1 Industrial Transfer Actions
The application domains we target involve safetycritical software, that is where a highlevel guarantee of soundness of functional execution of the software is wanted. Currently our industrial collaborations or impact mainly belong to the domain of transportation: aerospace, aviation, railway, automotive.

Transfer to the community of Atelier B
in the context of the FUI project LCHIP, we investigated the use of Why3 and AltErgo as an alternative backend for checking proof obligations generated by Atelier B, whose main applications are railroadrelated.

ProofInUseAdaCore collaboration: transfer to the community of
Ada development
Since the creation of the ProofInUse joint lab in 2014, with AdaCore company, we have a growing impact on the community of industrial development of safetycritical applications written in Ada. See that web page for a an overview of AdaCore's customer projects, in particular those involving the use of the SPARK Pro tool set. This impact involves both the use of Why3 for generating VCs on Ada source codes, and the use of AltErgo for performing proofs of those VCs. This action allowed AdaCore company to get new customers, in particular the domains of application of deductive formal verification are from the historical domain of aerospace (e.g. this link or this link) but went beyond: application in automotive (e.g. Denso, Toyata), medical and security (e.g. Nvidia). A joint publication of Nvidia and AdaCore 34 in 2023 exposes, with their own words, the benefit of using high level verification for securing Nvidia chips.

ProofInUseTrustInSoft collaboration
In 2017 we started to collaborate with the TrustInSoft company for the verification of C and C++ codes. We started with a CIFRE thesis funding, which explored the use of Why3 to design verified and reusable C libraries 68, and then with a bilateral contract towards the design of the J${}^{3}$ plugin in TISAnalyzer, bringing deductive verification techniques in this platfrom, including counterexamples when proofs fail. The impact on TrustInSoft customers is not yet easily identifiable; it will hopefully increase in particular in the context of the new project Décysif led by TrustInSoft.

ProofInUseMERCE collaboration
In 2019 we started to collaborate with Mitsubishi Electric R&D Centre Europe in Rennes, France. The R&D programme is twofold: first the verification of Ladder programs for PLCs, second the verification of numerical C codes. MERCE has now a mature platform for Ladder verification, which has yet to be made really usable by development teams. This work received the FMICS best paper award in 2021. The work of numerical programs is increasing in importance. We have preliminary results on logsumexp functions 30 and a CIFRE thesis started in 2023, aiming at designing better proof environments for verifying programs with complex numeric computations. A patent entitled Automatic implementation of formallyverified numerical programs has been filled in 2022 at EPO.

CIFRE thesis with Tarides
The CIFRE thesis of Clément Pascutto with Tarides, in 2020–2023, brought mature tooling for verifying function contracts and invariants on OCaml at runtime. The resulting tool, ortac, efficiently addresses the problem of capturing prestates in order to evaluation function postconditions 55. Tarides continues the development of ortac and uses it on its own code base.

CIFRE thesis with OCamlPro
The CIFRE thesis of Léo Andrès with OCamlPro, in 2021–2024, targets the compilation of OCaml to WebAssembly (Wasm for short), as an alternative to its compilation to JavaScript. It requires some extensions to Wasm, such as WasmGC, and the thesis already confirmed the adequacy of such extensions 17. A byproduct of the thesis is the implementation of a new, efficient interpreter for Wasm, owi.
Generally speaking, we believe that our increasing industrial impact is a representative success for our general goal of spreading deductive verification methods to a larger audience, and we are firmly engaged into continuing such kind of actions in the next years.
4.2 Other socioeconomic impact
We believe our impact is not limited to industrial actions per se.
A first point is that during the years, the young students that we train, either as a PhD position or a temporary engineer positions, easily got positions in private companies. Indeed we believe we can say that we contributed to the creation of jobs in several companies.
Another important part of our social impact is our work with high school students. With new curricula including more computer science than ever before, it was important to provide good reference books. With this in mind, we have contributed three books aimed at high school and preparatory school students 37, 36, 38.
The impact is not limited to books: we also helped a teacher to design a lesson to learn the basic notions of program verification (say: loop invariants) using the Why3 tool (article IREMI). We are also part each year of stands at “Fête de la science” in November or special events towards girls. We also often go to (high) schools for presenting either our job or our research (except during the Covid pandemic).
The social impact in national education is finally made highly evident by our implication in the organization of the new agrégation d'informatique which is in charge to select and recruit the best highlevel teachers for the new programmes.
5 Social and environmental responsibility
5.1 Footprint of research activities
Our research activities make use of standard computers for developing software and developing formal proofs. We have no use of specific large size computing resources. Though, we are making use of external services for continuous integration. A continuous integration methodology for mature software like Why3 is indeed mandatory for ensuring a safe software engineering process for maintenance and evolution. We make the necessary efforts to keep the energy consumption of such a continuous integration process as low as possible.
Ensuring the reproducibility of proofs in formal verification is essential. It is thus mandatory to replay such proofs regularly to make sure that our changes in our software do not loose existing proofs. For example, we need to make sure that the case studies in formal verification that we present in our gallery are reproducible. We also make the necessary efforts to keep the energy consumption for replaying proofs low, by doing it only when necessary.
As widely accepted nowadays, the major sources of environmental impact of research is travel to international conferences by plane, and renewal of electronic devices. The number of travels we made in 2022 remained very low with respect to previous years, of course because of the Covid pandemic, and the fact that many conferences were now proposed online participation. We intend to continue limiting the environmental impact of our travels. Concerning renewal of electronic devices, that is mainly laptops and monitors, we have always been careful on keeping them usable for as long time as possible.
5.2 Impact of research results
Our research results aims at improving the quality of software, in particular in missioncritical contexts. As such, making software safer is likely to reduce the necessity for maintenance operations and thus reducing energy costs.
Our efforts are mostly towards ensuring the safety of functional behavior of software, but we also increasingly consider the verification of their time or memory consumption. Reducing those would naturally induce a reduction in energy consumption.
Our research never involve any processing of personal data, and consequently we have no concern about preserving individual privacy, and no concern with respect to the RGPD (Règlement Général sur la Protection des Données).
Recently, S. Boldo was in the program committee of the first PROPL workshop (Programming for the Planet ) to see how we may help topics such as climate analysis, modelling, forecasting, policy, and diplomacy.
6 Highlights of the year
 S. Boldo and G. Melquiond, together with C. P. Jeannerod and J.M. Muller, published a reference survey (86 pages) on FloatingPoint Arithmetic 12 in the journal Acta Numerica.
7 New software, platforms, open data
7.1 New software
7.1.1 AltErgo

Name:
Automated theorem prover for software verification

Keywords:
Software Verification, Automated theorem proving

Functional Description:
AltErgo is an automatic solver of formulas based on SMT technology. It is especially designed to prove mathematical formulas generated by program verification tools, such as FramaC for C programs, or SPARK for Ada code. Initially developed in Toccata research team, AltErgo's distribution and support are provided by OCamlPro since September 2013.

Release Contributions:
the "SAT solving" part can now be delegated to an external plugin, new experimental SAT solver based on miniSAT, provided as a plugin. This solver is, in general, more efficient on ground problems, heuristics simplification in the default SAT solver and in the matching (instantiation) module, reimplementation of internal literals representation, improvement of theories combination architecture, rewriting some parts of the formulas module, bugfixes in records and numbers modules, new option "noEmatching" to perform matching without equality reasoning (i.e. without considering "equivalence classes"). This option is very useful for benchmarks coming from AtelierB, two new experimental options: "saveusedcontext" and "replayusedcontext". When the goal is proved valid, the first option allows to save the names of useful axioms into a ".used" file. The second one is used to replay the proof using only the axioms listed in the corresponding ".used" file. Note that the replay may fail because of the absence of necessary ground terms generated by useless axioms (that are not included in .used file) during the initial run.
 URL:

Contact:
Sylvain Conchon

Participants:
Alain Mebsout, Évelyne Contejean, Mohamed Iguernelala, Stéphane Lescuyer, Sylvain Conchon

Partner:
OCamlPro
7.1.2 CoqInterval

Name:
Interval package for Coq

Keywords:
Interval arithmetic, Coq

Functional Description:
CoqInterval is a library for the proof assistant Coq.
It provides several tactics for proving theorems on enclosures of realvalued expressions. The proofs are performed by an interval kernel which relies on a computable formalization of floatingpoint arithmetic in Coq.
The Marelle team developed a formalization of rigorous polynomial approximation using Taylor models in Coq. In 2014, this library has been included in CoqInterval.
 URL:
 Publications:

Contact:
Guillaume Melquiond

Participants:
Assia Mahboubi, Érik MartinDorel, Guillaume Melquiond, JeanMichel Muller, Laurence Rideau, Laurent Théry, Micaela Mayero, Mioara Joldes, Nicolas Brisebarre, Thomas SibutPinote
7.1.3 Coquelicot

Name:
The Coquelicot library for real analysis in Coq

Keywords:
Coq, Real analysis

Functional Description:
Coquelicot is library aimed for supporting real analysis in the Coq proof assistant. It is designed with three principles in mind. The first is the userfriendliness, achieved by implementing methods of automation, but also by avoiding dependent types in order to ease the stating and readability of theorems. This latter part was achieved by defining total function for basic operators, such as limits or integrals. The second principle is the comprehensiveness of the library. By experimenting on several applications, we ensured that the available theorems are enough to cover most cases. We also wanted to be able to extend our library towards more generic settings, such as complex analysis or Euclidean spaces. The third principle is for the Coquelicot library to be a conservative extension of the Coq standard library, so that it can be easily combined with existing developments based on the standard library.
 URL:

Contact:
Sylvie Boldo

Participants:
Catherine Lelay, Guillaume Melquiond, Sylvie Boldo
7.1.4 Cubicle

Name:
The Cubicle model checker modulo theories

Keywords:
Model Checking, Software Verification

Functional Description:
Cubicle is an open source model checker for verifying safety properties of arraybased systems, which corresponds to a syntactically restricted class of parametrized transition systems with states represented as arrays indexed by an arbitrary number of processes. Cache coherence protocols and mutual exclusion algorithms are typical examples of such systems.
 URL:

Contact:
Sylvain Conchon

Participants:
Alain Mebsout, Sylvain Conchon
7.1.5 Flocq

Name:
The Flocq formalization of floatingpoint arithmetic for the Coq proof assistant

Keywords:
Floatingpoint, Arithmetic code, Coq

Functional Description:
The Flocq library for the Coq proof assistant is a comprehensive formalization of floatingpoint arithmetic: core definitions, axiomatic and computational rounding operations, highlevel properties. It provides a framework for developers to formally verify numerical applications.
Flocq is currently used by the CompCert verified compiler to support floatingpoint computations.
 URL:
 Publications:

Contact:
Sylvie Boldo

Participants:
Guillaume Melquiond, Pierre Roux, Sylvie Boldo
7.1.6 Gappa

Name:
The Gappa tool for automated proofs of arithmetic properties

Keywords:
Floatingpoint, Arithmetic code, Software Verification, Constraint solving

Functional Description:
Gappa is a tool intended to help formally verifying numerical programs dealing with floatingpoint or fixedpoint arithmetic. It has been used to write robust floatingpoint filters for CGAL and it is used to verify elementary functions in CRlibm. While Gappa is intended to be used directly, it can also act as a backend prover for the Why3 software verification plateform or as an automatic tactic for the Coq proof assistant.
 URL:
 Publications:

Contact:
Guillaume Melquiond

Participant:
Guillaume Melquiond
7.1.7 Why3

Name:
The Why3 environment for deductive verification

Keywords:
Formal methods, Trusted software, Software Verification, Deductive program verification

Functional Description:
Why3 is an environment for deductive program verification. It provides a rich language for specification and programming, called WhyML, and relies on external theorem provers, both automated and interactive, to discharge verification conditions. Why3 comes with a standard library of logical theories (integer and real arithmetic, Boolean operations, sets and maps, etc.) and basic programming data structures (arrays, queues, hash tables, etc.). A user can write WhyML programs directly and get correctbyconstruction OCaml programs through an automated extraction mechanism. WhyML is also used as an intermediate language for the verification of C, Java, or Ada programs.
 URL:

Contact:
Claude Marche

Participants:
Andriy Paskevych, Claude Marche, François Bobot, Guillaume Melquiond, JeanChristophe Filliâtre, Levs Gondelmans, Martin Clochard

Partners:
CNRS, Université ParisSud
7.1.8 Coq

Name:
The Coq Proof Assistant

Keywords:
Proof, Certification, Formalisation

Scientific Description:
Coq is an interactive proof assistant based on the Calculus of (Co)Inductive Constructions, extended with universe polymorphism. This type theory features inductive and coinductive families, an impredicative sort and a hierarchy of predicative universes, making it a very expressive logic. The calculus allows to formalize both general mathematics and computer programs, ranging from theories of finite structures to abstract algebra and categories to programming language metatheory and compiler verification. Coq is organised as a (relatively small) kernel including efficient conversion tests on which are built a set of higherlevel layers: a powerful proof engine and unification algorithm, various tactics/decision procedures, a transactional document model and, at the very top an integrated development environment (IDE).

Functional Description:
Coq provides both a dependentlytyped functional programming language and a logical formalism, which, altogether, support the formalisation of mathematical theories and the specification and certification of properties of programs. Coq also provides a large and extensible set of automatic or semiautomatic proof methods. Coq's programs are extractible to OCaml, Haskell, Scheme, ...

Release Contributions:
An overview of the new features and changes, along with the full list of contributors is available at https://coq.inria.fr/refman/changes.html#version818 .

News of the Year:
Coq version 8.16 integrates changes to the Coq kernel and performance improvements along with a few new features. See the detailed changes at https://coq.inria.fr/refman/changes.html#version816 for an overview of the new features and changes, along with the full list of contributors.
 URL:

Contact:
Matthieu Sozeau

Participants:
Yves Bertot, Frédéric Besson, Tej Chajed, Cyril Cohen, Pierre Corbineau, Pierre Courtieu, Maxime Dénès, Jim Fehrle, Julien Forest, Emilio Jesús Gallego Arias, Gaëtan Gilbert, Georges Gonthier, Benjamin Grégoire, Jason Gross, Hugo Herbelin, Vincent Laporte, Olivier Laurent, Assia Mahboubi, Kenji Maillard, Érik MartinDorel, Guillaume Melquiond, PierreMarie Pedrot, Clément PitClaudel, Kazuhiko Sakaguchi, Vincent Semeria, Michael Soegtrop, Arnaud Spiwack, Matthieu Sozeau, Enrico Tassi, Laurent Théry, Anton Trunov, LiYao Xia, Theo Zimmermann

Partners:
CNRS, Université ParisSud, ENS Lyon, Université ParisDiderot
7.1.9 creusot

Name:
Creusot

Keywords:
Rust, Specification language, Deductive program verification

Functional Description:
Creusot is a tool for deductive verification of Rust code. It allows you to annotate your code with specifications, invariants and assertions and then verify them formally and automatically, proving, mathematically, that your code satisfies your specifications.
Creusot works by translating Rust code to WhyML, the verification and specification language of Why3. Users can then leverage the full power of Why3 to (semi)automatically discharge the verification conditions.

Release Contributions:
This is the first version, providing the main process to go from a Rust program annotated with Pearlite specifications to a set of verifications conditions to be discharged by external SMT solvers.
 URL:
 Publications:

Contact:
Xavier Denis

Participants:
Xavier Denis, JacquesHenri Jourdan, Claude Marche

Partners:
Université ParisSaclay, CNRS
7.1.10 coqnumanalysis

Name:
Numerical analysis Coq library

Keywords:
Coq, Numerical analysis, Real analysis

Scientific Description:
These Coq developments are based on the Coquelicot library for real analysis. Version 1.0 includes the formalization and proof of: (1) the LaxMilgram theorem, including results from linear algebra, geometry, functional analysis and Hilbert spaces, (2) the Lebesgue integral, including large parts of the measure theory,the building of the Lebesgue measure on real numbers, integration of nonnegative measurable functions with the Beppo Levi (monotone convergence) theorem, Fatou's lemma, the Tonelli theorem, and the Bochner integral with the dominated convergence theorem.

Functional Description:
Formal developments and proofs in Coq of numerical analysis problems. The current longterm goal is to formally prove parts of a C++ library implementing the Finite Element Method.

News of the Year:
The formalization in Coq of simplicial Lagrange finite elements is almost complete. This include the formalizations of the definitions and main properties of monomials, their representation using multiindices, Lagrange polynomials, the vector space of polynomials of given maximum degree (about 6 kloc). This also includes algebraic complements on the formalization of the definitions and main properties of operators on finite families of any type, the specific cases of abelian monoids (sum), vector spaces (linear combination), and affine spaces (affine combination, barycenter, affine mapping), subalgebraic structures, and basics of finite dimension linear algebra (about 22 kloc). A new version (2.0) of the opam package will be available soon, and a paper will follow.
We have also contributed to the Coquelicot library by adding the algebraic structure of abelian monoid, which is now the base of the hierarchy of canonical structures of the library.
 URL:
 Publications:

Contact:
Sylvie Boldo

Participants:
Sylvie Boldo, François Clement, Micaela Mayero, Vincent Martin, Stéphane Aubry, Florian Faissole, Houda Mouhcine, Louise Leclerc

Partners:
LIPN (Laboratoire d'Informatique de l'Université Paris Nord), LMAC (Laboratoire de Mathématiques Appliquées de Compiègne)
7.2 Open data
The use of data in the Toccata is quite simple and perfectly open. First of all, we never make use of any personal data, so we have no issue in being conforming to European rules such as RGPD.
Our data is in fact mainly made of programs, but also and importantly equipped with formal specifications. These specifications are often completed with additional formal annotations in the code itself so as the make the code automatically provable conforming to its specifications. The most important kind of such internal annotations are the loop invariants. Exposing such loop invariants is always a crucial information to make the proofs automatic and reproducible. One may even say that loop invariants are the central arguments for the correctness of an algorithm. Given the importance of such data for reproducibility of proofs, we decided to make it available openly. This is why we decided to build a gallery of verified programs that is augmented regularly.
Other similar anontated programs are part of the tests suites of our tools, and are typically rechecked regularly in continuous integration processes. This for example the case for Why3 and Creusot. Such a practice is crucial to maintain the reproducibility of proofs in a long term, when the tools themselves evolve.
8 New results
8.1 Foundations and Spreading of Deductive Program Verification
Participants: Andrei Paskevich, Antoine Lanco, Claude Marché, Clément Pascutto, Guillaume Melquiond, JeanChristophe Filliâtre, Léo Andrès, Quentin Garchery, Solène Moreau, Sylvain Conchon, Xavier Denis.
Programming language semantics
A representative fundational work is those of Balabonski, Lanco, and Melquiond who devised a callbyneed lambdacalculus enabling strong reduction (i.e. reduction inside the body of abstractions) and guarantees that arguments are only evaluated if needed and at most once 1160. This calculus uses explicit substitutions and subsumes the existing strongcallbyneed strategy, but allows for more reduction sequences, and often shorter ones, while preserving the neededness. The calculus is strongly normalizing. Moreover, by adding some restrictions to it, the calculus gains the diamond property and only performs reduction sequences of minimal length, which makes it systematically better than the existing strategies. The Abella proof assistant has been used to formalize part of this calculus.
Improving Verification Condition Generation
Continuationpassing style allows us to devise an extremely economical abstract syntax for a generic algorithmic language. This syntax is flexible enough to naturally express conditionals, loops, (higherorder) function calls, and exception handling. It is typeagnostic and stateagnostic, which means that we can combine it with a wide range of type and effect systems. Paskevich 31 shows how programs written in the continuationpassing style can be augmented in a natural way with specification annotations, ghost code, and sideeffect discipline. He defines the rules of verification condition generation for this syntax, and shows that the resulting formulas are nearly identical to what traditional approaches, like the weakest precondition calculus, produce for the equivalent algorithmic constructions. This amounts to a minimalistic yet versatile abstract syntax for annotated programs for which one can compute verification conditions without sacrificing their size, legibility, and amenability to automated proof, compared to more traditional methods. This makes it an excellent candidate for internal code representation in program verification tools, a subject of the ongoing PhD thesis of P. Patault.
Inference of invariants
The discovery of invariants is another important topic. A fully automatic generation of invariants was studied in collaboration with an industrial partner: we devised an original abstract interpretation based approach using a domain of parametrized binary decision diagrams 27.
Formal Specification Language for C code
ACSL, short for ANSI/ISO C Specification Language, is meant to express precisely and unambiguously the expected behavior of a piece of C code. It plays a central role in FramaC, as nearly all plugins eventually manipulate ACSL specifications, either to generate properties that are to be verified, or to assess that the code is conforming to these specifications. It is thus very important to have a clear view of ACSL's semantics in order to be sure that what you check with FramaC is really what you mean. Marché contributed to a chapter 28 of the FramaC book, describing the language in an agnostic way, independently of the various verification plugins that are implemented in the FramaC platform. It contains many examples and exercises that introduce the main features of the language and insists on the most common pitfalls that users, even experienced ones, may encounter.
8.2 Reasoning on mutable memory in program verification
Participants: Andrei Paskevich, Armaël Guéneau, Claude Marché, Clément Pascutto, Guillaume Melquiond, JeanChristophe Filliâtre, Léo Andrès, Sylvain Conchon, Xavier Denis.
Verification of Rust programs
One of the major success of Toccata during the last years is represented by the results obtained concerning the verification of Rust programs. Rust is a fairly recent programming language for system programming, bringing static guarantees of memory safety through a strong ownership policy. This feature opens promising advances for deductive verification of Rust code. The project underlying the PhD thesis of Denis 51, supervised by Jourdan and Marché, is to propose techniques for the verification of Rust program, using a translation to a purelyfunctional language. The challenge of this translation is the handling of mutable borrows: pointers which control of aliasing in a region of memory. To overcome this, we used a technique inspired by prophecy variables to predict the final values of borrows 52. This method is implemented in a standalone tool called Creusot 53. The specification language of Creusot features the notion of prophecy mentioned above, which is central for the specification of behavior of programs performing memory mutation. Prophecies also permit efficient automated reasoning for verifying about such programs. Moreover, Rust provides advanced abstraction features based on a notion of traits, extensively used in the standard library and in user code. The support for traits is another main feature of Creusot, because it is at the heart of its approach, in particular for providing complex abstraction of the functional behavior of programs 53. An important step to take further in the applicability of Creusot on a wide variety of Rust code is to support iterators, which are ubiquitous and in fact idiomatic in Rust programming (for example, every for loop is in fact internally desugared into an iterator). Denis and Jourdan 20 proposed a new approach to simplify the specifications of Rust code in presence of iterators, and to also make the proofs more automatic.
Reasoning on Memory Separation using Arithmetic
Paskevich and Filliâtre 26 proposed an approach that helps to improve automation of proofs for certain classes of pointermanipulating programs. It consists in mapping a recursive data structure onto a numerical domain, in such a way that ownership and separation properties can be expressed in terms of simple arithmetic inequalities. In addition to making the proof simpler, this provides for a clearer and more natural specification.
Reasoning on Resources
Ownership can also be used to reason about resources other than program memory. Guéneau, Jourdan et al. 24 present formal reasoning rules for verifying amortized complexity bounds in a language with thunks. Thunks can be used to construct persistent data structures with good amortized complexity, by suspending expensive computations and memoizing their result. Based on the notion of time credits and debits, this work presents a complete machinechecked reconstruction of Okasaki's reasoning rules on thunks in a rich separation logic with time credits, and demonstrates their applicability by verifying several of Okasaki's data structures.
Ownership and WellBracketedness
Ability to reason about ownership is also fertile ground for designing reasoning principles that capture powerful semantic properties of programs. In particular, Guéneau et al. 25 show that it is possible to capture wellbracketedness in a Hoarestyle program logic based on separation logic, providing proof rules to show correctness of wellbracketed programs both directly and also through defining unary and binary logical relations models based on this program logic.
Multilanguage verification
Most of the existing verification tools and systems focus on programs that are written in a single programming language. In practice, however, programs are often composed of components written in different programming languages, interacting through a foreign function interface (FFI). Guéneau et al. 22 develop a novel multilanguage program verification system, dubbed Melocoton, for reasoning about OCaml, C, and their interactions through the OCaml FFI. Melocoton consists of the first formal semantics of (a large subset of) the OCaml FFI—previously only described in prose in the OCaml manual—as well as the first program logic to reason about the interactions of programs components written in OCaml and C. The Melocoton program logic is based on separation logic and expressive enough to express finegrained transfers of ownership between the different languages. It has been fully mechanized in Coq on top of the Iris separation logic framework.
Capability Machines
A capability machine is a type of CPU allowing finegrained privilege separation using capabilities, machine words that represent certain kinds of authority. Guéneau et al. 13 present a mathematical model and accompanying proof methods that can be used for formal verification of functional correctness of programs running on a capability machine, even when they invoke and are invoked by unknown (and possibly malicious) code. They use a program logic called Cerise for reasoning about known code, and an associated logical relation, for reasoning about unknown code. The logical relation formally captures the capability safety guarantees provided by the capability machine. The Cerise program logic, logical relation, and all the examples considered in the paper have been mechanized using the Iris program logic framework in the Coq proof assistant. In subsequent work, they show that this approach enables the formal verification of fullsystem security properties under multiple attacker models: different security objectives of the full system can be verified under a different choice of trust boundary (i.e. under a different attacker model) 69. The proposed verification approach is modular, and is robust: code outside the trust boundary for a given security objective can be arbitrary, unverified attackerprovided code.
Distributed Programs and Concurrency
Our work regarding concurrent programs is mostly represented by new methods based on modelchecking, and implemented in the Cubicle tool. The Model Checking Modulo Theories (MCMT) framework is a powerful model checking technique for verifying safety properties of parameterized transition systems. In MCMT, logical formulas are used to represent both transitions and sets of states and safety properties are verified by an SMTbased backward reachability analysis. To be fully automated, the class of formulas handled in MCMT is restricted to cubes, i.e. existentially quantified conjunction of literals. While being very expressive, cubes cannot define properties with a global termination condition, usually described by a universally quantified formula. Conchon and Korneva 19 presented the Cubicle Fuzzy Loop (CFL), a fuzzingbased extension for Cubicle. To prove safety, Cubicle generates invariants, making use of forward exploration strategies like BFS or DFS on finite model instances. However, these standard algorithms are quickly faced with the state explosion problem due to Cubicle’s purely nondeterministic semantics. This causes them to struggle at discovering critical states, hindering invariant generation. CFL replaces this approach with a powerful DFSlike algorithm inspired by fuzzing. Cubicle’s purely nondeterministic execution loop is modified to provide feedback on newly discovered states and visited transitions. This feedback is used by CFL to construct schedulers that guide the model exploration. Not only does this provide Cubicle with a bigger variety of states for generating invariants, it also quickly identifies unsafe models. As a bonus, it adds testing capabilities to Cubicle, such as the ability to detect deadlocks. The first experiments yielded promising results. CFL effectively allows Cubicle to generate crucial invariants, useful to handle hierarchical systems, while also being able to trap bad states and deadlocks in hardtoreach areas of such models.
8.3 Verification of Computer Arithmetic
Participants: Claude Marché, Guillaume Melquiond, Houda Mouhcine, Josué Moreau, Paul Bonnot, Paul Geneau de Lamarlière, Sylvie Boldo.
Error analysis for LogarithmSumExponential
We have a long tradition of study of various subtle algorithms involving numerical computations, and verified properties regarding accuracy in particular when using floatingpoint numbers. A set of numerical programs that we studied this year is related to combination of exponential and logarithm functions, Bonnot et al. 30 provide certified bounds on the accuracy of the logsumexp function known in the context of Machine Learning 62. Writing a formal proof offers the highest possible confidence in the correctness of a mathematical library. This comes at a large cost though, since formal proofs require taking into account all the details, even the seemingly insignificant ones, which makes them tedious to write. This issue is compounded by the fact that the objects whose properties we need to verify (floatingpoint numbers) are not the ones we would like to reason about (real numbers and integers). Geneau, Melquiond and Faissole 21 explore some ways of reducing the overhead of formal proofs in the setting of mathematical libraries, so as to let the user focus on the details that really matter.
Automating the reasoning on FloatingPoint Numbers and Real Numbers
Performing a formal verification inside a proof system such as Coq might be a costly endeavor. In some cases, it might be much more efficient to turn the whole process of proof generation and proof checking into the evaluation of a boolean formula, accompanied with a proof that, if this formula evaluates to true, then the original property holds. This approach has long been used for proofs that involve computations on large integers. MartinDorel, Melquiond and Roux 14 have shown that computational reflection can also be achieved using floatingpoint arithmetic, despite the inherent roundoff errors, thus leveraging the large computing power of the floatingpoint units for formal proofs.
Survey on FloatingPoint Arithmetic
Boldo et al. published a survey on floatingpoint arithmetic 12 as an openaccess journal paper in Acta Numerica in order to spread the knowledge on computer arithmetic.
Formalization of Mathematics
The correctness of programs solving partial differential equations may rely on mathematics yet unformalized, such as Sobolev spaces. Boldo et al. 43 therefore formalized the mathematical concept of Lebesgue integration and the associated results in Coq ($\sigma $algebras, measures, simple functions, and integration of nonnegative measurable functions, up to the full formal proofs of the Beppo Levi Theorem and Fatou's Lemma). Boldo et al. 29, 18 extended this formalization with Tonelli's theorem, stating that the (double) integral of a nonnegative measurable function of two variables can be computed by iterated integrals, and allowing to switch the order of integration.
Manifest Termination
In formal systems combining dependent types and inductive types, such as Coq, nonterminating programs are frowned upon. They can indeed be made to return impossible results, thus endangering the consistency of the system, although the transient usage of a nonterminating Y combinator, typically for searching witnesses, is safe. To avoid this issue, the definition of a recursive function is allowed only if one of its arguments is of an inductive type and any recursive call is performed on a syntactically smaller argument. If there is no such argument, the user has to artificially add one, e.g., an accessibility property. Free monads can still be used to address general recursion and elegant methods make possible to extract partial functions from sophisticated recursive schemes. The latter yet rely on an inductive characterization of the domain of a function, and of its computational graph, which in turn might require a substantial effort of specification and proof. This leads to a rather frustrating situation when computations are involved. Indeed, the user first has to formally prove that the function will terminate, then the computation can be performed, and finally a result is obtained (assuming the user waited long enough). But since the computation did terminate, what was the point of proving that it would terminate? Mahboubi and Melquiond 23 investigated how users of proof assistants based on variants of the Calculus of Inductive Constructions could benefit from manifestly terminating computations.
8.4 Spreading Formal Proofs
Participants: Andrei Paskevich, Antoine Lanco, Armaël Guéneau, Claude Marché, Clément Pascutto, Guillaume Melquiond, Houda Mouhcine, JeanChristophe Filliâtre, Josué Moreau, Léo Andrès, Paul Bonnot, Paul Geneau de Lamarlière, Solène Moreau, Sylvain Conchon, Sylvie Boldo, Xavier Denis, Yacine El Haddad.
Specifying, Testing, and Verifying OCaml programs
Our work on OCaml programs is not limited to purely static verification: we worked on runtime assertion checking for OCaml. In behavioural specifications of imperative languages, postconditions may refer to the prestate of the function, usually with an old operator. Therefore, code performing runtime verification has to record prestate values required to evaluate the postconditions, typically by copying part of the memory state, which causes severe verification overhead, both in memory and CPU time. Filliâtre and Pascutto 55, 67 consider the problem of efficiently capturing prestates in the context of Ortac, a runtime assertion checking tool for OCaml. Their contribution is a postcondition transformation that reduces the subset of the prestate to copy. They formalize this transformation, and they provide proof that it is sound and improves the performance of the instrumented programs. They illustrate the benefits of this approach with a maze generator. Benchmarks show that unoptimized instrumentation is not practicable, while their transformation restores performances similar to the program without any runtime check.
Leveraging Formal Specifications to Generate Fuzzing Suites
When testing a library, developers typically first have to capture the semantics they want to check. They then write the code implementing these tests and find relevant test cases that expose possible misbehaviours. In this work, Osborne and Pascutto 66, 67 present a tool that automatically takes care of these last two steps by automatically generating fuzz testing suites from OCaml interfaces annotated with formal behavioral specifications. They also show some ongoing experiments on the capabilities and limitations of fuzzing applied to realworld libraries.
Compiling OCaml to WebAssembly
As part of his CIFRE PhD with OCamlPro, Léo Andrès formalizes a compilation scheme from OCaml to WebAssembly. This ongoing work already validated several Wasm extensions 17. A byproduct of the thesis is the implementation of a new, efficient interpreter for Wasm, owi. Léo collaborates with José Fragoso Santos and Filipe Marques (Universidade de Lisboa, Portugal), who are using owi for concolic execution of WebAssembly programs.
9 Bilateral contracts and grants with industry
We have bilateral contracts which are closely related to a joint effort called the ProofInUse consortium. The objective of ProofInUse is to provide verification tools, based on mathematical proof, to industry users. These tools are aimed at replacing or complementing the existing test activities, whilst reducing costs.
This consortium is a followup of the former LabCom ProofInUse between Toccata and the SME AdaCore, funded by the ANR programme “Laboratoires communs”, from April 2014 to March 2017.
9.1 ProofInUseAdaCore Collaboration
Participants: Claude Marché [contact], JeanChristophe Filliâtre, Andrei Paskevich, Guillaume Melquiond, Solène Moreau.
This collaboration is a joint effort of the Inria projectteam Toccata and the AdaCore company which provides development tools for the Ada programming language. It is funded by a 5year bilateral contract from Jan 2019 to Dec 2023.
The SME AdaCore is a software publisher specializing in providing software development tools for critical systems. A previous successful collaboration between Toccata and AdaCore enabled Why3 technology to be put into the heart of the AdaCoredeveloped SPARK technology.
The objective of ProofInUseAdaCore is to significantly increase the capabilities and performances of the Spark/Ada verification environment proposed by AdaCore. It aims at integration of verification techniques at the stateoftheart of academic research, via the generic environment Why3 for deductive program verification developed by Toccata.
9.2 ProofInUseMERCE Collaboration
Participants: Claude Marché [contact], Guillaume Melquiond, Paul Bonnot, Paul Geneau de Lamarlière.
This bilateral contract is part of the ProofInUse effort. This collaboration joins efforts of the Inria projectteam Toccata and the company Mitsubishi Electric R&D (MERCE) in Rennes. It is funded by a bilateral contract of 3 years and 6 months from Nov 2019 to April 2023.
MERCE has strong and recognized skills in the field of formal methods. In the industrial context of the Mitsubishi Electric Group, MERCE has acquired knowledge of the specific needs of the development processes and meets the needs of the group in different areas of application by providing automatic verification and demonstration tools adapted to the problems encountered.
The objective of ProofInUseMERCE is to significantly improve ongoing MERCE tools regarding the verification of Programmable Logic Controllers and also regarding the verification of numerical C codes.
9.3 ProofInUseTrustInSoft Collaboration
Participants: Claude Marché [contact], Guillaume Melquiond, Raphaël RieuHelft, Paul Bonnot.
This bilateral contract is part of the ProofInUse effort. This collaboration joins efforts of the Inria projectteam Toccata and the company TrustInSoft in Paris. It is funded by a bilateral contract of 24 months from Dec 2020 to Nov 2022.
TrustInSoft is an SME that offers the TISAnalyzer environment for analysis of safety and security properties of source codes written in C and C++ languages. A version of TISAnalyzer is available online, under the name TaaS (TrustInSoft as a Service).
The objective of ProofInUseTrustInSoft is to integrate Deductive Verification in the platform TISAnalyzer, under the form of a new plugin called Jcube. One specific interest resides in the generation of counterexample to help the user in case of proof failure.
9.4 Action “Plan de relance” ToccataTrustInSoft
Participants: Claude Marché [contact], Raphaël RieuHelft.
Toccata and the company TrustInSoft set up a research action in the context of the national “plan de relance”. It is funded for 24 months from January 2022 to December 2023. The funding covers the leave of R. RieuHelft for 80% time as an invited researcher in Toccata.
The objective of this action is to extend the ProofInUseTrustInSoft collaboration towards two axes: a refinement of the Jcube memory model incorporating a static separation analysis, and the support of the C++ language.
9.5 CIFRE contract with Tarides company
Participants: JeanChristophe Filliâtre [contact], Clément Pascutto.
Clément Pascutto started a CIFRE PhD in June 2020, under the supervision of JeanChristophe Filliâtre (at Toccata) and Thomas Gazagnaire (at Tarides). The subject of the PhD is the dynamic and deductive verification of OCaml programs and its application to distributed data structures.
9.6 CIFRE contract with OCamlPro company
Participants: JeanChristophe Filliâtre [contact], Léo Andrès.
Léo Andrès started a CIFRE PhD in October 2021, under the supervision of JeanChristophe Filliâtre (at Toccata) and Pierre Chambart and Vincent Laviron (at OCamlPro). The subject of the PhD is the design, formalization, and implementation of a garbage collector for WebAssembly.
10 Partnerships and cooperations
10.1 European initiatives
10.1.1 H2020 projects
EMC2, ERC Synergy project
EMC2 project on cordis.europa.eu

Title:
Extremescale Mathematicallybased Computational Chemistry

Duration:
From September 1, 2019 to February 28, 2026

Partners:
 INSTITUT NATIONAL DE RECHERCHE EN INFORMATIQUE ET AUTOMATIQUE (INRIA), France
 ECOLE NATIONALE DES PONTS ET CHAUSSEES (ENPC), France
 CENTRE NATIONAL DE LA RECHERCHE SCIENTIFIQUE CNRS (CNRS), France
 SORBONNE UNIVERSITE, France

Inria contact:
Laura GRIGORI (Alpines)
 Coordinator:

Summary:
Molecular simulation has become an instrumental tool in chemistry, condensed matter physics, molecular biology, materials science, and nanosciences. It will allow to propose de novo design of e.g. new drugs or materials provided that the efficiency of underlying software is accelerated by several orders of magnitude.
The ambition of the EMC2 project is to achieve scientific breakthroughs in this field by gathering the expertise of a multidisciplinary community at the interfaces of four disciplines: mathematics, chemistry, physics, and computer science. It is motivated by the twofold observation that, i) building upon our collaborative work, we have recently been able to gain efficiency factors of up to 3 orders of magnitude for polarizable molecular dynamics in solution of multimillion atom systems, but this is not enough since ii) even larger or more complex systems of major practical interest (such as solvated biosystems or molecules with stronglycorrelated electrons) are currently mostly intractable in reasonable clock time. The only way to further improve the efficiency of the solvers, while preserving accuracy, is to develop physically and chemically sound models, mathematically certified and numerically efficient algorithms, and implement them in a robust and scalable way on various architectures (from standard academic or industrial clusters to emerging heterogeneous and exascale architectures).
EMC2 has no equivalent in the world: there is nowhere such a critical number of interdisciplinary researchers already collaborating with the required track records to address this challenge. Under the leadership of the 4 PIs, supported by highly recognized teams from three major institutions in the Paris area, EMC2 will develop disruptive methodological approaches and publicly available simulation tools, and apply them to challenging molecular systems. The project will strongly strengthen the local teams and their synergy enabling decisive progress in the field.
FRESCO, ERC Consolidator project

Title:
Fast and Reliable Symbolic Computation

Duration:
November 2021 – October 2026

Coordinator:
Assia Mahboubi
 Website
Using computers to formulate conjectures and consolidate proof steps pervades all mathematics fields, even the most abstract. Most computer proofs are produced by symbolic computations, using computer algebra systems. However, these systems suffer from severe, intrinsic flaws, rendering computational correction and verification challenging. The FRESCO project aims to shed light on whether computer algebra could be both reliable and fast. Researchers will disrupt the architecture of proof assistants, which serve as the best tools for representing mathematics in silico, enriching their programming features while preserving their compatibility with their logical foundations. They will also design novel mathematical software that should feature a highlevel, performanceoriented programming environment for writing efficient code to boost computational mathematics.
10.2 National initiatives
10.2.1 ANR NuSCAP
Participants: Guillaume Melquiond [contact], Sylvie Boldo.
The last twenty years have seen the advent of computeraided proofs in mathematics and this trend is getting more and more important. They request various levels of numerical safety, from fast and stable computations to formal proofs of the computations. Hovewer, the necessary tools and routines are usually ad hoc, sometimes unavailable, or inexistent. On a complementary perspective, numerical safety is also critical for complex guidance and control algorithms, in the context of increased satellite autonomy. We plan to design a whole set of theorems, algorithms and software developments, that will allow one to study a computational problem on all (or any) of the desired levels of numerical rigor. Key developments include fast and certified spectral methods and polynomial arithmetic, with subsequent formal verifications. There will be a strong feedback between the development of our tools and the applications that motivate it.
The project led by École Normale Supérieure de Lyon (LIP) has started in February 2021 and lasts for 4 years. Partners: Inria (teams Aric, Galinette, Lfant, Marelle, Toccata), École Polytechnique (LIX), Sorbonne Université (LIP6), Université Sorbonne Paris Nord (LIPN), CNRS (LAAS).
10.2.2 ANR GOSPEL
Participants: JeanChristophe Filliâtre [contact], Andrei Paskevich, Armaël Guéneau.
A specification language extends a programming language by allowing code and specifications to be written in a single document. Examples include SparkAda, JML, and ACSL, which extend Ada, Java, and C with syntax for specifications.
By offering a specification language to programmers, one encourages them to document, test, and verify their code as they write it, not as a separate step that is too easily postponed. From a technical point of view, the presence of specifications makes it possible to test or verify each module independently and is the key to scalability. From a pragmatic point of view, embedding specifications in the code allows them to be automatically distributed (via a package management system) to every programmer; this is the key to practical adoption.
The GOSPEL project proposes to develop Gospel, a specification language that extends the programming language OCaml; to develop an ecosystem of tools based on Gospel; and to demonstrate and validate these tools via several case studies.
The project led by Inria Paris has started in October 2022 and lasts for 4 years. Partners: Inria Paris (team Cambium), Université ParisSaclay (LMF), Tarides, Nomadic Labs.
10.2.3 Project “SecurEval” of PEPR Cybersécurité
Participants: Sylvain Conchon [contact].
The SecureVal project aims to design new tools, benefiting from new digital technologies, to verify the absence of hardware and software vulnerabilities, and carry out the proof of compliance required.
In order to deal effectively with modern digital systems, code analysis techniques, which originated in the world of critical systems, must be overhauled to adapt to the objectives of security assessments and to scale up to complex systems, combining dedicated functionalities and thirdparty libraries. For example, the design of new fault models, the support of emerging languages, the visualization of formal guarantees, the use of learning techniques to automate repetitive actions or optimize the extraction of relevant information, or the development of approaches combining static and dynamic analyses.
The project is led by CEAList, it started in 2022 and lasts for 6 years.
10.2.4 Project IDemo “Décysif”
The grant covers 3 PhD positions and 24 months of engineer position.
The Décysif project is a very new project started in december 2023, for 4 years. Its general goal is the promotion of formal verification for critical systems regarding cybersecurity. This project will fund our future research on Rust program verification, and it contains a workpackage dedicated towards industrialization of the Creusot tool.
The project is led by TrustInSoft company, with AdaCore and OCamlPro as other partners.
10.2.5 Inria Project LiberAbaci
Participants: Sylvie Boldo [contact].
The Défi Inria LiberAbaci is a collaborative project aimed at improving the accessibility of the Coq interactive proof system for an audience of mathematics students in the early academic years.
The head is Yves Bertot and the involved teams are: Cambium (Paris), Camus (Strasbourg), Gallinette (Nantes) PiCube (Paris), Spades (Grenoble), Stamp (Sophia Antipolis), Toccata (Saclay), LIPN (Villetaneuse).
11 Dissemination
Participants: Andrei Paskevich, Antoine Lanco, Armaël Guéneau, Claude Marché, Guillaume Melquiond, JeanChristophe Filliâtre, Josué Moreau, Sylvain Conchon, Sylvie Boldo.
11.1 Promoting scientific activities
11.1.1 Scientific events: organisation
Member of the conference program committees
 S. Boldo, 30th IEEE Symposium on Computer Arithmetic, ARITH'2023
 S. Boldo, 15th NASA Formal Methods Symposium, NFM'2023
 S. Boldo, 14th International Conference on Interactive Theorem Proving, ITP'2023
 S. Conchon, 27th International Conference on Engineering of Complex Computer Systems, ICECSS 2023
 S. Conchon, Formal Methods in Computer Aided Design, FMCAD 2023
 G. Melquiond, 30th IEEE Symposium on Computer Arithmetic, ARITH'2023
 S. Boldo, 31st IEEE Symposium on Computer Arithmetic, ARITH'2024
 S. Boldo, 1st workshop on Programming for the Planet, PROPL'2024
 S. Boldo, 35th Journées Francophones des Langages Applicatifs, JFLA'24
11.1.2 Journal
Member of the editorial boards
 S. Boldo: member of the editorial board of IEEE Transactions on Emerging Topics in Computing (TETC), 2023.
 J.C. Filliâtre: member of the editorial board of the Journal of Functional Programming, since 2011.
 J.C. Filliâtre: member of the editorial board of the journal Formal Aspects of Computing, since 2021.
 G. Melquiond: member of the editorial board of Reliable Computing, since 2019.
 A. Paskevich, member of the editorial board of Formal Methods in System Design, since 2021.
11.1.3 Invited talks
 S. Boldo was invited speaker at the JFLA (Journées Francophones des Langages Applicatifs) in PrazsurArly in February 2023.
 S. Boldo and A. Guéneau were invited speaker at the GT SCALP (a subgroup of the GDR IM) in Orléans in Novembre 2023.
 J.C. Filliâtre, Why3, une plateforme pour la vérification déductive16, Journées FAC 2023, Toulouse, France
 J.C. Filliâtre, 33Structures de données semipersistantes, Collège de France, mars 2023
 G. Melquiond, “Numerical Computations and Formal Proofs”, Certified and SymbolicNumeric Computation, May 22–26, 2023, web page
11.1.4 Leadership within the scientific community
 S. Boldo, elected chair of the ARITH working group of the GDRIM (a CNRS subgroup of computer science) with L.S. Didier (Univ. Toulon).
 S. Boldo, steering committee member of the IEEE International Symposium on Computer Arithmetic.
 J.C. Filliâtre, chair of IFIP WG 1.9/2.15 verified Software.
11.1.5 Scientific expertise
 S. Conchon, member of a recruitment committee for a full assistant professor position in computer science at Sorbonne University, 2023.
 S. Conchon, member of a recruitment committee for a full professor position in computer science at ParisCité University, 2023.
11.1.6 Research administration
 S. Boldo, steering committee member of the IEEE International Symposium on Computer Arithmetic from 2019 to 2023.
 S. Boldo, president of the concours de l'agrégation d'informatique, 20222024.
 G. Melquiond, member of the Bureau du Comité des Projets of InriaSaclay
11.2 Teaching  Supervision  Juries
11.2.1 Teaching
 S. Conchon and J.C. Filliâtre, DIU Enseigner l'Informatique au Lycée, 2 weeks, rectorat de Versailles (together with T. Balabonski and K. Nguyen).
 J.C. Filliâtre, Langages de programmation et compilation, 25h, L3, École Normale Supérieure, France.
 J.C. Filliâtre, Les bases de l'algorithmique et de la programmation, 15h, L3, École Polytechnique, France.
 J.C. Filliâtre, Compilation, 18h, M1, École Polytechnique, France.
 A. Guéneau, Programmation avancée, 12h, L3, ENS ParisSaclay, France.
 A. Lanco, Introduction à l'informatique, 24h, L1, Université ParisSaclay, France.
 A. Lanco, Programmation fonctionnelle, 24h, L2, Université ParisSaclay, France.
 A. Lanco, Projet, 20h, L3, Université ParisSaclay, France.
 A. Lanco, Sécurité des systèmes d'information, 24h, M1, Université ParisSaclay, France.
 C. Marché, Proofs of Programs, 12h, M2, Master Parisien de Recherche en Informatique (MPRI).
 G. Melquiond, Initiation à la recherche, 12h, M1, MPRI, École Normale Supérieure ParisSaclay, France.
 J. Moreau, Algorithmique, 16h, L3, Université ParisSaclay, France.
 A. Paskevich, Vérification Déductive, 12h, M1, MPRI, Université ParisSaclay, France.
 A. Paskevich, Programmation système, 56h, BUT2, IUT d'Orsay, Université ParisSaclay, France.
11.2.2 Supervision
 PhD: A. Lanco, “Stratégies pour la réduction forte”, since Oct. 2019, supervised by T. Balabonski and G. Melquiond. Defended in December 2023 60.
 PhD: C. Pascutto, “Runtime and Deductive Verification of OCaml programs and applications to Mergeable Data Structures”, since June 2020, supervised by J.C. Filliâtre. Defended in 2023 67.
 PhD: X. Denis, “Deductive program verification for Rust”, since Oct. 2020, supervised by J.H. Jourdan and C. Marché. Defended in December 2023 51.
 PhD in progress: L. Andrès, “Formalization of a garbage collector for WebAssembly”, since Oct. 2021, supervised by J.C. Filliâtre.
 PhD in progress: H. Mouhcine, “Preuves formelles en mathématiques appliquées: vérification d'un générateur de formules de quadrature”, since Oct 2021, supervised by S. Boldo, F. Clément, and M. Mayero.
 PhD in progress: J. Moreau, “A lowlevel programming language for formally verified computer algebra”, since Oct. 2022, supervised by G. Melquiond.
 PhD in progress: P. Geneau de Lamarlière, “Design of formally verified floatingpoint components”, since Sep. 2022, supervised by G. Melquiond.
 PhD in progress: P. Patault, “Conception et étude d'un langage de programmation adapté à la vérification déductive”, since Oct. 2023, supervised by J.C. Filliâtre and A. Paskevich.
 PhD in progress: A. Golfouse, “Vérification de programme Rust avancée: invariants de types, code fantôme, possession fantôme et algèbre de ressources, concurrence et aliasing”, since Oct. 2023, supervised by J.H. Jourdan and A. Guéneau.
11.2.3 Juries
 S. Boldo, reviewer of the habilitation of Guillaume Revy (U. Perpignan, 19 July 2023)
 S. Boldo, reviewer for a PhD at University of Melbourne, Australia in August 2023. Note this is an anonymous review.
 S. Boldo, member (maybe president) of the PhD defense of ElMehdi El Arar (U. ParisSaclay, 19 December 2023)
 S. Conchon, reviewer of the PhD defense of N. Nalpon, INSA Toulouse, March 13th 2023.
 S. Conchon, member and president of the PhD defense of D. Nizard, Université ParisSaclay, April 12th 2023.
 S. Conchon, reviewer of the PhD defense of L. Sguerra, Mines Paris  PSL, April 19th 2023.
 S. Conchon, reviewer of the PhD defense of G. Raimondi, University of Rennes, December 18th 2023.
 C. Marché, reviewer of the PhD defense of W. Ouédraogo, Institut Polytechnique de Paris, Sep 15th, 2023.
 G. Melquiond, member of the jury of the PhD defense of Enzo Crance (U. Nantes, Dec 19th, 2023).
11.3 Popularization
11.3.1 Articles and contents
 S. Boldo, Le dilemme du fabricant de tables32, popularization journal La Recherche
11.3.2 Interventions
 S. Boldo, animation of a stand at “Fête de la science” each year.
12 Scientific production
12.1 Major publications
 1 articleThe CoLiS Platform for the Analysis of Maintainer Scripts in Debian Software Packages.International Journal on Software Tools for Technology Transfer2022HALback to text
 2 articleAutomated Formal Analysis of Temporal Properties of Ladder Programs.International Journal on Software Tools for Technology Transfer2462022, 977997HALDOIback to text
 3 articleA Coq Formalization of Lebesgue Integration of Nonnegative Functions.Journal of Automated Reasoning662022, 175–213HALDOIback to text
 4 bookComputer Arithmetic and Formal Proofs: Verifying Floatingpoint Algorithms with the Coq System.ISTE Press  ElsevierDecember 2017, URL: https://hal.inria.fr/hal01632617back to text
 5 inproceedingsDeductive Verification with Ghost Monitors.POPL 2020  47th ACM SIGPLAN Symposium on Principles of Programming LanguagesNew Orleans, United States2020HALDOIback to text
 6 articleDeclarative Parameterized Verification of Distributed Protocols via the Cubicle Model Checker.Fundamenta Informaticae1784February 2021, 347378HALDOIback to text
 7 inproceedingsA Threetier Strategy for Reasoning about FloatingPoint Numbers in SMT.Computer Aided Verification2017, URL: https://hal.inria.fr/hal01522770back to text
 8 inproceedingsAbstraction and Genericity in Why3.ISoLA 2021  9th International Symposium On Leveraging Applications of Formal Methods, Verification and Validation12476Rhodes, Greece2020HALDOIback to text
 9 articleFormally Verified Approximations of Definite Integrals.Journal of Automated Reasoning622February 2019, 281300HALDOIback to text
 10 inproceedingsRustHornBelt: a semantic foundation for functional verification of Rust programs with unsafe code.PLDI 2022  43rd ACM SIGPLAN International Conference on Programming Language Design and ImplementationSan Diego CA USA, United StatesACMJune 2022, 841856HALDOIback to text
12.2 Publications of the year
International journals
 11 articleA strong callbyneed calculus.Logical Methods in Computer Science191March 2023, 39HALDOIback to text
 12 articleFloatingpoint arithmetic.Acta Numerica32May 2023, 203290HALDOIback to textback to text
 13 articleCerise: Program Verification on a Capability Machine in the Presence of Untrusted Code.Journal of the ACM (JACM)September 2023HALDOIback to text
 14 articleEnabling FloatingPoint Arithmetic in the Coq Proof Assistant.Journal of Automated Reasoning6733September 2023HALDOIback to text
 15 articleWhyMP, a Formally Verified ArbitraryPrecision Integer Library.Journal of Symbolic Computation115March 2023, 7495HALDOI
Invited conferences
 16 inproceedingsWhy3, une plateforme pour la vérification déductive.Journées FAC 2023Toulouse, FranceApril 2023HALback to text
International peerreviewed conferences
 17 inproceedingsWasocaml: compiling OCaml to WebAssembly.IFL 2023  The 35th Symposium on Implementation and Application of Functional LanguagesBraga, PortugalAugust 2023HALback to textback to text
 18 inproceedingsA Coq Formalization of Lebesgue Induction Principle and Tonelli's Theorem.Proceedings of the 25th International Symposium on Formal Methods25th International Symposium on Formal Methods (FM 2023)14000Lecture Notes in Computer ScienceLübeck, GermanyMarch 2023, 3955HALDOIback to text
 19 inproceedingsThe Cubicle Fuzzy Loop: A FuzzingBased Extension for the Cubicle Model Checker.Software Engineering and Formal Methods14323Lecture Notes in Computer ScienceEindhoven, NetherlandsSpringer Nature SwitzerlandOctober 2023, 3046HALDOIback to text
 20 inproceedingsSpecifying and Verifying Higherorder Rust Iterators.Tools and Algorithms for the Construction and Analysis of Systems (TACAS)13994Lecture Notes in Computer ScienceParis, FranceSpringerApril 2023, 93110HALDOIback to text
 21 inproceedingsSlimmer Formal Proofs for Mathematical Libraries.30th IEEE International Symposium on Computer Arithmetic2023 IEEE 30th Symposium on Computer Arithmetic (ARITH 2023)Portland (Oregon), United StatesSeptember 2023, 4HALback to text
 22 inproceedingsMelocoton: A Program Logic for Verified Interoperability Between OCaml and C.Proceedings of the ACMOOPSLA 2023  ObjectOriented Programming, Systems, Languages & Applications 2023Cascais, PortugalACMOctober 2023HALDOIback to text
 23 inproceedingsManifest Termination.TYPES 2023  29th International Conference on Types for Proofs and ProgramsValencia, SpainJune 2023, 13HALback to text
 24 inproceedingsThunks and Debits in Separation Logic with Time Credits.Proceedings of the ACMPOPL 2024  51st ACM SIGPLAN Symposium on Principles of Programming Languages8POPLLondres, United KingdomACMJanuary 2024HALback to text
 25 inproceedingsThe Logical Essence of WellBracketed Control Flow.Proceedings of the ACMPOPL 2024  51st ACM SIGPLAN Symposium on Principles of Programming LanguagesLondres, United KingdomACMJanuary 2024HALback to text
National peerreviewed Conferences
 26 inproceedingsL'arithmétique de séparation.JFLA 2023  34èmes Journées Francophones des Langages ApplicatifsPrazsurArly, FranceJanuary 2023, 274283HALback to text
 27 inproceedingsDe l'avantage de nuancer les décisions binaires.JFLA 2024  35es Journées Francophones des Langages ApplicatifsSaintJacut de la Mer, France2024HALback to text
Scientific book chapters
 28 inbookFormally Expressing what a Program Should Do: the ACSL Language.Guide to Software Verification with FramaC  Core Components, Usages, and ApplicationsSpringer2024HALback to text
Reports & preprints
 29 reportLebesgue Induction and Tonelli's Theorem in Coq.RR9457Institut National de Recherche en Informatique et en Automatique (INRIA)January 2023, 17HALback to text
 30 reportFormally Verified Bounds on Rounding Errors in Concrete Implementations of LogarithmSumExponential Functions.RR9531InriaDecember 2023HALback to textback to text
 31 miscFlexible Verification Conditions with Continuations and Barriers.September 2023HALback to text
12.3 Other
Scientific popularization
 32 articleLe dilemme du fabricant de tables.La Recherche572January 2023HALback to text
Educational activities
 33 unpublishedStructures de données semipersistantes.March 2023, DoctoralFranceHALback to text
12.4 Cited publications
 34 miscNVIDIA: Adoption of SPARK Ushers in a New Era in SecurityCritical Software Developmen.2023back to text
 35 inproceedingsMultiProver Verification of FloatingPoint Programs.Fifth International Joint Conference on Automated Reasoning6173Lecture Notes in Artificial IntelligenceEdinburgh, ScotlandSpringerJuly 2010, 127141URL: http://hal.inria.fr/inria00534333back to text
 36 bookNumérique et Sciences Informatiques, 24 leçons avec exercices corrigés. Terminale.Ellipses2020, URL: https://hal.inria.fr/hal03023099back to text
 37 bookNumérique et Sciences Informatiques, 30 leçons avec exercices corrigés. Première..Ellipses2019, URL: https://inria.hal.science/hal02379073back to text
 38 bookInformatique  MP2I/MPI  CPGE 1re et 2e années  Cours et exercices corrigés.Ellipses2022, URL: https://hal.inria.fr/hal03886751back to text
 39 inproceedingscvc5: A Versatile and IndustrialStrength SMT Solver.Tools and Algorithms for the Construction and Analysis of Systems13243Lecture Notes in Computer ScienceSpringer2022, 415442back to text
 40 manualACSL: ANSI/ISO C Specification Language, version 1.4.2009back to text
 41 inproceedingsMETEOR : A successful application of B in a large project.Proceedings of FM'99: World Congress on Formal MethodsLecture Notes in Computer Science (SpringerVerlag)Springer VerlagSeptember 1999, 369387back to text
 42 articleLet's Verify This with Why3.International Journal on Software Tools for Technology Transfer (STTT)1762015, 709727HALback to text
 43 articleA Coq Formalization of Lebesgue Integration of Nonnegative Functions.Journal of Automated Reasoning662022, 175213URL: https://hal.inria.fr/hal03471095back to text
 44 inproceedingsFormal Proof of a Wave Equation Resolution Scheme: the Method Error.Interactive Theorem Proving6172Lecture Notes in Computer ScienceSpringer2010, 147162URL: http://hal.inria.fr/inria00450789/enback to text
 45 articleWave Equation Numerical Resolution: a Comprehensive Mechanized Proof of a C Program.Journal of Automated Reasoning504April 2013, 423456URL: http://hal.inria.fr/hal00649240/en/back to text
 46 inproceedingsCombining Coq and Gappa for Certifying FloatingPoint Programs.16th Symposium on the Integration of Symbolic Computation and Mechanised Reasoning5625Lecture Notes in Artificial IntelligenceGrand Bend, CanadaSpringerJuly 2009, 5974back to text
 47 articleFormal verification of numerical programs: from C annotated programs to mechanical proofs.Mathematics in Computer Science542011, 377393URL: http://hal.inria.fr/hal00777605back to textback to text
 48 articleProofs of numerical programs when the compiler optimizes.Innovations in Systems and Software Engineering722011, 151160URL: http://hal.inria.fr/hal00777639back to text
 49 articleAn overview of JML tools and applications.International Journal on Software Tools for Technology Transfer (STTT)73June 2005, 212232back to text
 50 inproceedingsAltErgo 2.2.SMT Workshop: International Workshop on Satisfiability Modulo TheoriesOxford, United KingdomJuly 2018HALback to text
 51 phdthesisDeductive Verification of Rust Programs.Université ParisSaclay2023back to textback to text
 52 techreportDeductive program verification for a language with a Rustlike typing discipline.Université de ParisSeptember 2020, URL: https://hal.archivesouvertes.fr/hal02962804back to text
 53 inproceedingsCreusot: a Foundry for the Deductive Verication of Rust Programs.International Conference on Formal Engineering Methods  ICFEMLecture Notes in Computer ScienceMadrid, SpainSpringer2022, URL: https://hal.inria.fr/hal03737878back to textback to text
 54 articleCertifying the floatingpoint implementation of an elementary function using Gappa.IEEE Transactions on Computers6022011, 242253URL: http://hal.inria.fr/inria00533968/en/back to text
 55 inproceedingsOptimizing Prestate Copies in Runtime Verification of Function Postconditions.22nd International Conference on Runtime Verification2022, URL: https://hal.inria.fr/hal03690675v1back to textback to text
 56 techreportAutomated Verification of FloatingPoint Computations in Ada Programs.RR9060InriaApril 2017, 53URL: https://hal.inria.fr/hal01511183back to text
 57 inproceedingsAutomating the Verification of FloatingPoint Programs.Verified Software: Theories, Tools, and Experiments. Revised Selected Papers Presented at the 9th International Conference VSTTELecture Notes in Computer Science10712Heidelberg, GermanySpringerDecember 2017, URL: https://hal.inria.fr/hal01534533/back to text
 58 inbookOpenJDK's Java.utils.Collection.sort() Is Broken: The Good, the Bad and the Worst Case.Computer Aided Verification: 27th International Conference, CAV 2015, San Francisco, CA, USA, July 1824, 2015, Proceedings, Part ID.Daniel KroeningC. S.Corina S. PăsăreanuChamSpringer International Publishing2015, 273289back to text
 59 articleseL4: Formal verification of an OS kernel.Communications of the ACM536June 2010, 107115back to text
 60 phdthesisStratégies pour la réduction forte.Université ParisSaclay2023back to textback to text
 61 articleA formally verified compiler backend.Journal of Automated Reasoning4342009, 363446URL: http://hal.inria.fr/inria00360768/en/back to text
 62 inproceedingsThe Power of LogSumExp: Sequential Density Ratio Matrix Estimation for SpeedAccuracy Optimization.International Conference on Machine Learning139Proceedings of Machine Learning Research2021, 77927804URL: https://proceedings.mlr.press/v139/miyagawa21a.htmlback to text
 63 inproceedingsZ3, An Efficient SMT Solver.TACAS4963Lecture Notes in Computer ScienceSpringer2008, 337340back to text
 64 bookHandbook of Floatingpoint Arithmetic (2nd edition).Birkhäuser BaselJuly 2018HALback to text
 65 inproceedingsHardwareDependent Proofs of Numerical Programs.Certified Programs and ProofsLecture Notes in Computer ScienceSpringerDecember 2011, 314329URL: http://hal.inria.fr/hal00772508back to text
 66 inproceedingsLeveraging Formal Specifications to Generate Fuzzing Suites.OCaml Users and Developers Workshop, colocated with the 26th ACM SIGPLAN International Conference on Functional Programming2021, URL: https://hal.inria.fr/hal03328646back to text
 67 phdthesisRuntime Verification of OCaml Programs.Université ParisSaclay2023back to textback to textback to text
 68 articleA Why3 proof of GMP algorithms.Journal of Formalized Reasoning2019, URL: https://inria.hal.science/hal02477578back to text
 69 inproceedingsProving fullsystem security properties under multiple attacker models on capability machines.CSF 2022  35th IEEE Computer Security Foundations Symposium2022, URL: https://hal.inria.fr/hal03826851back to text