2024Activity reportProject-TeamCAMBIUM

6.1.1 OCaml

• Functional Description:
  The OCaml language is a functional programming language that combines safety with expressiveness through the use of a precise and flexible type system with automatic type inference. The OCaml system is a comprehensive implementation of this language, featuring two compilers (a bytecode compiler, for fast prototyping and interactive use, and a native-code compiler producing efficient machine code for x86, ARM, PowerPC, RISC-V and System Z), a debugger, and a documentation generator. Many other tools and libraries are contributed by the user community and organized around the OPAM package manager.
• URL:
  https://­ocaml.­org/
• Publications:
  hal-03146495, hal-03510931, hal-03145030, hal-01929508, hal-03125031, hal-00772993, hal-00914493, hal-00914560, inria-00074804, hal-01499973, hal-01499946
• Contact:
  Damien Doligez
• Participants:
  Florian Angeletti, Damien Doligez, Xavier Leroy, Luc Maranget, Gabriel Scherer, David Allsopp, Stephen Dolan, Alain Frisch, Jacques Garrigue, Anil Madhavapeddy, Kc Sivaramakrishnan, Nicolas Ojeda Bar, Leo White

6.1.2 Compcert

• Name:
  The CompCert formally-verified C compiler
• Keywords:
  Compilers, Formal methods, Deductive program verification, C, Coq
• Functional Description:
  CompCert is a compiler for the C programming language. Its intended use is the compilation of life-critical and mission-critical software written in C and meeting high levels of assurance. It accepts most of the ISO C 99 language, with some exceptions and a few extensions. It produces machine code for the ARM, PowerPC, RISC-V, and x86 architectures. What sets CompCert C apart from any other production compiler, is that it is formally verified to be exempt from miscompilation issues, using machine-assisted mathematical proofs (the Coq proof assistant). In other words, the executable code it produces is proved to behave exactly as specified by the semantics of the source C program. This level of confidence in the correctness of the compilation process is unprecedented and contributes to meeting the highest levels of software assurance. In particular, using the CompCert C compiler is a natural complement to applying formal verification techniques (static analysis, program proof, model checking) at the source code level: the correctness proof of CompCert C guarantees that all safety properties verified on the source code automatically hold as well for the generated executable.
• URL:
  https://­compcert.­org/
• Contact:
  Xavier Leroy
• Participants:
  Xavier Leroy, Sandrine Blazy, Jacques-Henri Jourdan, Sylvie Boldo, Guillaume Melquiond
• Partner:
  AbsInt Angewandte Informatik GmbH

6.1.3 Diy

• Name:
  Do It Yourself
• Keyword:
  Parallelism
• Functional Description:
  The diy suite provides a set of tools for testing shared memory models: the litmus tool for running tests on hardware, various generators for producing tests from concise specifications, and herd, a memory model simulator. Tests are small programs written in x86, Power or ARM assembler that can thus be generated from concise specification, run on hardware, or simulated on top of memory models. Test results can be handled and compared using additional tools.
• URL:
  http://­diy.­inria.­fr/
• Contact:
  Luc Maranget
• Participants:
  Jade Alglave, Luc Maranget
• Partner:
  University College London UK

6.1.4 Menhir

• Keywords:
  Compilation, Context-free grammars, Parsing
• Functional Description:
  Menhir is a LR(1) parser generator for the OCaml programming language. That is, Menhir compiles LR(1) grammar specifications down to OCaml code. Menhir was designed and implemented by François Pottier and Yann Régis-Gianas.
• Publications:
  hal-03478172, hal-01633123, hal-01417004
• Contact:
  François Pottier

6.1.5 CFML

• Name:
  Interactive program verification using characteristic formulae
• Keywords:
  Coq, Software Verification, Deductive program verification, Separation Logic
• Functional Description:
  The CFML tool supports the verification of OCaml programs through interactive Coq proofs. CFML proofs establish the full functional correctness of the code with respect to a specification. They may also be used to formally establish bounds on the asymptotic complexity of the code. The tool is made of two parts: on the one hand, a characteristic formula generator implemented as an OCaml program that parses OCaml code and produces Coq formulae, and, on the other hand, a Coq library that provides notations and tactics for manipulating characteristic formulae interactively in Coq.
• URL:
  http://­www.­chargueraud.­org/­softs/­cfml/
• Contact:
  Arthur Charguéraud
• Participants:
  Arthur Charguéraud, Armaël Guéneau, François Pottier

6.1.6 TLAPS

• Name:
  TLA+ proof system
• Keyword:
  Proof assistant
• Functional Description:
  TLAPS is a platform for developing and mechanically verifying proofs about specifications written in the TLA+ language. The TLA+ proof language is hierarchical and explicit, allowing a user to decompose the overall proof into proof steps that can be checked independently. TLAPS consists of a proof manager that interprets the proof language and generates a collection of proof obligations that are sent to backend verifiers. The current backends include the tableau-based prover Zenon for first-order logic, Isabelle/TLA+, an encoding of TLA+ set theory as an object logic in the logical framework Isabelle, an SMT backend designed for use with any SMT-lib compatible solver, and an interface to a decision procedure for propositional temporal logic.
• URL:
  https://­tla.­msr-inria.­inria.­fr/­tlaps/­content/­Home.­html
• Contact:
  Stephan Merz
• Participants:
  Damien Doligez, Stephan Merz
• Partner:
  Microsoft

6.1.7 ZENON

• Name:
  The Zenon automatic theorem prover
• Keywords:
  Automated theorem proving, First-order logic
• Functional Description:

  Zenon is an automatic theorem prover based on the tableaux method. Given a first-order statement as input, it outputs a fully formal proof in the form of a Coq or Isabelle proof script. It has special rules for efficient handling of equality and arbitrary transitive relations. Although still in the prototype stage, it already gives satisfying results on standard automatic-proving benchmarks.

  Zenon is designed to be easy to interface with front-end tools (for example integration in an interactive proof assistant) and also to retarget to output scripts for different frameworks (for example Dedukti).

• URL:
  http://­zenon-prover.­org/
• Publications:
  inria-00338299v1, hal-02305831v1, inria-00315920v1, hal-00909784v1, tel-01420460v2, hal-00909688v1, hal-01204701v2, hal-01171360v1, hal-01100512v1, hal-01099338v1, hal-01243593v1, hal-01420638v1, hal-01342849v1
• Contact:
  Damien Doligez
• Participant:
  Damien Doligez

6.1.8 hevea

• Name:
  hevea is a fast latex to html translator.
• Keywords:
  LaTeX, Web
• Functional Description:

  HEVEA is a LATEX to html translator. The input language is a fairly complete subset of LATEX 2 (old LATEX style is also accepted) and the output language is html that is (hopefully) correct with respect to version 5. HEVEA understands LATEX macro definitions. Simple user style files are understood with little or no modifications. Furthermore, HEVEA customisation is done by writing LATEX code.

  HEVEA is written in Objective Caml, as many lexers. It is quite fast and flexible. Using HEVEA it is possible to translate large documents such as manuals, books, etc. very quickly. All documents are translated as one single html file. Then, the output file can be cut into smaller files, using the companion program HACHA. HEVEA can also be instructed to output plain text or info files.

  Information on HEVEA is available at http://hevea.inria.fr/.

• URL:
  http://­hevea.­inria.­fr/
• Contact:
  Luc Maranget

7.1.1 The CompCert formally-verified compiler

Participants: Xavier Leroy, Michael Schmidt [AbsInt GmbH], Bernhard Schommer [Saarland University and AbsInt GmbH].

Since 2005, in the context of our work on compiler verification, we have been developing and formally verifying CompCert, a moderately-optimizing compiler for a large subset of the C programming language. CompCert generates assembly code for the ARM, PowerPC, RISC-V, and x86 architectures 43. The compiler is written mostly within the specification language of the Rocq proof assistant, out of which Rocq's extraction facility generates executable OCaml code. The compiler comes with a 100000-line machine-checked proof of semantic preservation, establishing that the generated assembly code executes exactly as prescribed by the semantics of the source C program.

This year, we improved the performance of the generated code through

• more precise value analysis, for integer multiplication, division and modulus, for values of Boolean type, and for function parameters of small integer types, thus improving the effectiveness of constant propagation and redundant cast elimination;
• more precise value numbering for results of memory loads, addressing a missed opportunity for redundant load elimination on ARM and RISC-V;
• a refined heuristic for “if”-conversion, turning it off in cases where it would prevent later, more profitable optimizations of conditional branches in the continuation of the “if”;
• more aggressive simplifications of comparison and selection operations during the CSE pass.

We also added minimal syntactic support for the _Float16 type and for ISO C99 array declarators involving static, so as to improve compatibility with existing standard header files.

These improvements were released as part of CompCert versions 3.14 in May 2024 and 3.15 in December 2024.

7.1.2 The OCaml system

Participants: Florian Angeletti, Damien Doligez, Sébastien Hinderer, Xavier Leroy, Luc Maranget, David Allsop [Cambridge University], Nick Barnes [Tarides], Stephen Dolan [Cambridge University], Jacques Garrigue [University of Nagoya], Sadiq Jaffer [Tarides], Guillaume Munch-Maccagnoni [Inria team Gallinette], Olivier Nicole [Tarides], Nicolás Ojeda Bär [Lexifi], KC Sivaramakrishnan [IIT Madras], Gabriel Scherer [Inria team Picube].

On January 18, 2024, OCaml received the 2023 ACM SIGPLAN Programming Languages Software Award (§5.2).

In 2024, we have released two minor versions of OCaml, namely OCaml 5.2.0 and OCaml 5.3.0, and two patch releases, namely OCaml 4.14.2 and OCaml 5.2.1.

Some of the highlights in OCaml 5.2.0 are:

• Re-introduced GC compaction
• Restored native backend for POWER 64 bits
• Thread sanitizer support
• New module Dynarray
• New flag -H for hidden include directories
• Project-wide occurrence metadata support for developer tools
• Raw identifiers
• Local open in type expressions
• About 20 new functions in the standard library
• 46 fixes and improvements in the runtime system
• 51 bug fixes

Compared with the OCaml 4.14 branch, OCaml 5.2.0 was still a somewhat experimental release. And, indeed, the initial release of OCaml 5.2 was followed on November 18 by a patch release, OCaml 5.2.1, which fixed significant bugs in the runtime system.

On January 8, 2025, we published OCaml 5.3.0. Some of the highlights in OCaml 5.3.0 are:

• Syntax for deep effect handlers
• Restored MSVC port
• Re-introduced statistical memory profiling (statmemprof)
• utf-8-encoded Unicode source files and modest support of Unicode identifiers
• More space-efficient implementation of Dynarray
• Improved metadata on the pairs of declarations and definitions for merlin
• About 20 new functions in the standard library
• 29 fixes and improvements in the runtime system
• Improved error messages for first-class modules, functors, labelled arguments, and type mismatches
• 39 bug fixes

With the re-introduced of the support for the MSVC port and the statmemprof memory profiler, the OCaml 5 branch has restored feature parity with OCaml 4. The focus next year will thus likely shift on fixing the remaining performance bugs in OCaml 5. Then, in the upcoming years, we plan to gradually abandon long-term support for OCaml 4.

Meanwhile, the OCaml 4.14 branch has been maintained as a stable version of the OCaml 4 language. OCaml 4.14.2 was released on March 14, 2024.

7.1.3 The diy tool suite

Participants: Hadrien Renaud [University College London], Artem Khyzha, Nikos Nikorelis, Vladimir Murzin [ARM Ltd.], Jade Alglave [ARM Ltd. and University College London], Luc Maranget.

The diy suite provides a set of tools for testing shared memory models: the litmus tool for running tests on hardware, various generators for producing tests from concise specifications, and herd, a memory model simulator. Tests are small programs written in x86, Power, ARM, generic (LISA) assembler, or a subset of the C language that can thus be generated from concise specifications, run on hardware, or simulated on top of memory models. Test results can be handled and compared using additional tools. One distinctive feature of our system is Cat, a domain-specific language for memory models.

This year, Luc Maranget has worked on combining virtual memory with the ASL-based implementation of AArch64. ASL is a specification language developed by ARM to describe the behaviour of hardware systems. This includes not only machine instructions, but also other hardware processes, such as virtual-to-physical memory translation, also known as page table walk. The herd simulator features an interpreter for ASL, whose main author is Hadrien Renaud. Executing the complete memory access code, including page table walks, is challenging, due to efficiency issues and to semantic considerations. The existence of efficiency issues is not surprising, given the classical phenomenon of state explosion in concurrency. The semantic difficulties stem from the fact that the official ASL code has not always been written with a concurrency semantics in mind.

Luc Maranget acts as the main maintainer and coordinator of the toolbox: with others, he reviews and validates the pull requests submitted by contributors. diy now has about 10 frequent contributors, most of whom are employed by ARM as engineers or interns. Nikos Nikoleris, Artem Khyzha and Vladimir Murzin are cited for their regular and significant contributions and reviews.

7.1.4 TLA+

Participants: Rosalie Defourné [Inria Nancy], Damien Doligez, Ioannis Filippidis, Stéphane Glondu [Inria Nancy], Andrew Helwer [Disjunctive Consulting], Igor Konnov [Informal Systems], Markus Kuppe [Microsoft Research], Leslie Lamport [Microsoft Research], Stephan Merz [Inria team Veridis], Karolis Petrauskas.

This project produces and maintains tools for managing and verifying proofs in the proof language of TLA+  42.

After switching to an open-source development model in 2023, we have seen a significant increase in external contributions to the project. We expect these contributions to lead to a new release in early 2025. TLA+ attracts more and more industrial users. A TLA+ foundation, funded by some of them, has been established. As of the end of 2024, the foundation has started a grant program to foster the development of tools and documentation for TLA+.

7.1.5 Basic OCaml libraries

Participants: Wassel Bousmaha [ENS Lyon], Jean-Marie Madiot, François Pottier.

In 2024, François Pottier implemented several OCaml libraries that provide basic data structures:

• baby offers persistent sets and maps, based on height-balanced and weight-balanced binary search trees. Compared with the modules Set and Map in OCaml's standard library, this library offers potentially better performance, and more operations. The architecture of the library is modular: the high-level layer, which implements the operations on sets and maps, is independent of the low-level layer, which implements the balancing logic. This modular architecture, as well as the weight-balancing logic, are due to Blelloch, Ferizovic and Sun (2022). During a 6-week internship, co-advised by Jean-Marie Madiot and François Pottier, Wassel Bousmaha verified the correctness of the weight-balancing code and did a (partial) proof of its worst-case time complexity.
• hector offers dynamic arrays, also known as vectors. From an algorithmic point of view, this library offers nothing new. Compared with the module Dynarray in OCaml's standard library, this library offers a different compromise: because it does not guarantee memory safety in the presence of data races, and because it does not attempt to avoid a certain kind of memory leak, it offers potentially better performance, and its code is simpler.
• flatunionfind offers a union-find algorithm inside a vector.
• hachis offers mutable sets and maps, based on hash tables with linear probing. Compared with the module Hashtbl in OCaml's standard library, it can offer better performance.

As a side effect, these projects led to a few improvements in monolith, a test framework for OCaml libraries.

7.2.1 Formalizing and improving OCaml modules

Participants: Clément Blaudeau, Didier Rémy, Gabriel Radanne [Inria team Cash].

We began our work on the formalization of modules in 2021 by revisiting, improving, and adapting F-ing modules 46 to OCaml.

This year, we finalized the formalization of $M^{\omega }$, a type system for OCaml modules, extended with transparent ascription. Compared with earlier work, this system offers a better account of the “signature avoidance” problem. $M^{\omega }$ retains a “path-based” source syntax, in the style of OCaml, but internally uses $F^{\omega }$ types. Its soundness is ensured by an elaboration of terms into $F^{\omega }$. The signature avoidance problem appears during the reverse translation from $F^{\omega }$-like inferred signatures back to OCaml style and is solved following a principled approach. This work has been accepted for presentation at the conference OOPSLA 2024 17.

Furthermore, as an alternative to $M^{\omega }$, we proposed ZipML, an equivalent system, which works directly with OCaml-style path-based signatures. It extends OCaml signatures with zipper signatures in order to avoid signature avoidance problems and achieve the same expressiveness as $M^{\omega }$. Its soundness has been proved by elaboration into $M^{\omega }$. It is well-suited for implementing transparent ascription in OCaml and fixing OCaml's unsatisfactory treatment of the signature avoidance problem. A formalization of ZipML has been accepted for presentation at the conference POPL 2025 16.

Both works are part of Clément Blaudeau's dissertation, which he defended in December 2024.

7.2.2 Implementing and formalizing Modular Explicits

Participants: Samuel Vivien, Didier Rémy, Vincent Laviron [OCamlPro].

Modular explicits are functions that take modules as arguments. This language feature is necessary to elaborate modular implicits. Therefore, it is considered a prerequisite for an implementation of Samuel Vivien's thesis.

During a 5-month internship at OCamlPro, Samuel Vivien, supervised by Vincent Laviron, implemented modular explicits in the OCaml compiler. This work was then formalized with the help of Didier Rémy 32. The code is currently under review for integration in the OCaml compiler.

7.2.3 Designing and formalizing Modular Implicits

Participants: Samuel Vivien, Didier Rémy.

Modular implicits are modules that are passed as implicit parameters to functions. Our work on modular implicits is based on a proposal and prototype implementation by White, Bour and Yallop 47. Extending OCaml with modular implicits seems desirable because OCaml's functors are extremely verbose, preventing their use at a small scale. Modular implicits would give us some of the flexibility and ease of use of Haskell's type classes. To this end, we have been working on defining a clear specification of implicit argument synthesis and on optimizing the synthesis algorithm so that it scales up to real-world applications.

In 2024, we continued our work on modular implicits by making a tour of all of the prerequisites for modular implicits. Samuel Vivien started implementing some of them in the OCaml compiler. In particular, this led to the design of a new mechanism to track principality of type inference in OCaml in a way that is compatible with modular implicits. We have just started the formalization of this mechanism.

7.2.4 Data race freedom à la mode

Participants: Aïna Linn Georges [MPI-SWS], Benjamin Peters [MPI-SWS], Laila Elbeheiry [MPI-SWS], Leo White [Jane Street], Stephen Dolan [Jane Street], Richard A. Eisenberg [Jane Street], Chris Casinghino [Jane Street], François Pottier, Derek Dreyer [MPI-SWS].

This work explores an extension of OCaml's type system that guarantees data race freedom for multi-threaded OCaml programs. Building on recent work at Jane Street that extends OCaml with modes that keep track of locality, uniqueness, and affinity, it introduces two new mode axes, contention and portability, which record whether data has been shared or can be shared between multiple threads.

Although this basic type-and-mode system has limited expressive power by itself, it can express APIs for capsules, regions of memory whose access is controlled by a unique ghost key, and reader-writer locks, which allow a thread to safely acquire partial or full ownership of a key. This allows complex data structures (which may involve aliasing and mutable state) to be safely shared between threads.

The soundness of this system is established by building a semantic model of the system in the Iris program logic on top of the Rocq proof assistant. These results have been accepted for presentation at the conference POPL 2025 20.

7.2.5 A declarative approach to LR(1) syntax error messages

Participants: Frédéric Bour, François Pottier.

LRgrep is a declarative language, and a supporting tool, whose purpose is to let the author of an LR(1) parser describe the syntax error messages that the parser should produce when the input is syntactically incorrect. The language allows matching the parser's stack using a specialized variety of regular expressions. The design and implementation of LRgrep are the subject of Frédéric Bour's PhD work.

The problem presents different aspects: designing a convenient and expressive language to characterize error situations, efficiently compiling this language, and, finally, providing tools to assist with designing and maintaining error messages.

This year, Frédéric transformed the initial prototype into a robust tool and explored several applications of LRgrep. One important application is to improve the syntax error messages procuced by the OCaml compiler. Frédéric has shown that this is possible in principle, but carrying out this project fully will requires more time and manpower. Furthermore, Frédéric has applied LRgrep to two other languages. He has built an experimental version of the Catala compiler that uses LRgrep to produce error messages. He has also written a parser for the Elm language that uses LRgrep and tries to mimic the error messages of the Elm compiler.

This work is described in Frédéric Bour's dissertation, which he defended on December 18.

7.3.1 Axiomatic memory models and virtual memory

Participants: Jade Alglave [ARM Ltd. and University College London], Richard Grisenthwaite [ARM Ltd.], Artem Khyzha [ARM Ltd.], Luc Maranget, Nikos Nikoleris [ARM Ltd.].

This year, we reached a milestone in our long-term research effort to design and implement a concurrent memory model for virtual memory: a journal paper was published 12, 34.

In this work, we present our formalization of ARM's Virtual Memory System Architecture (VMSA). This work has been developed with, and ratified by, ARM and its partners, and is now part of the ARM Architecture Reference Manual. Additionally, we present our experimental validation methodology, which required extending KVM-unit-tests, a test harness for the Kernel Virtual Machine (KVM). We used this infrastructure to run around 1300 VMSA litmus tests on a variety of ARM machines, thereby validating our model with respect to existing hardware. Our testing uncovered infidelities to the definition of a feature called Translation Table Hardware Management, which led ARM to relax its architecture to accommodate those cases. Finally, as part of this work, we uncovered subtleties in the definition of a feature of the VMSA called Enhanced Translation Synchronization (ETS), which led ARM to deprecate ETS and replace it with a stronger feature called ETS2.

In this project, Luc Maranget is specifically in charge of software development and of experiments. The amount of work involved (in particular, experimental work) is much more significant than in similar previous work, due to the numerous features of virtual memory, such as permissions, TLBs, alternative mappings of a single physical page, fault handlers, and so on.

7.3.2 Semantics and sound implementation of AArch64 instructions

Participants: Hadrien Renaud [University College London], Jade Alglave [ARM Ltd. and University College London], Luc Maranget.

Hadrien Renaud is a PhD candidate under the supervision of Jade Alglave and Luc Maranget. Hadrien Renaud's thesis aims at automating the production of intra-instruction dependencies, based on their definitions in pseudo-code. The task requires not only significant implementation work but also an in-depth study of the semantics of instructions and of the nature of various intra-instruction dependencies. Luc Maranget acts as a co-advisor, focusing on language definition and implementation. We hold a weekly meeting.

This year, Hadrien Renaud made significant progress in the definition and implementation of a type system for the language ASL, which is used by ARM to specify the semantics of instructions. In particular, this type system is used a basis for sound optimisations. Hadrien successfully passed his second viva. Hadrien is also the author of numerous contributions to the herd simulator (a central part of our diy tool suite; §7.1.3), especially regarding the concurrent semantics of ASL, its type system, and its efficient implementation.

7.4.1 Implementing and verifying Kaplan and Tarjan's catenable deques

Participants: Jules Viennot, Arthur Wendling [Tarides], François Pottier, Armaël Guéneau [Inria team Toccata].

In 1999, Kaplan and Tarjan introduced purely functional, real-time catenable deques, a data structure that supports five fundamental operations, namely insertion and extraction of one element at either end and concatenation. All operations are performed with a worst-case time complexity of $O\left(1\right)$. Furthermore, this data structure is persistent: no operation modifies or destroys its argument.

Kaplan and Tarjan's paper provides an English description of this data structure, without code. This data structure is in fact extremely difficult to implement: in the 25 years that have elapsed since the paper was published, no implementation appeared.

Recently, though, Arthur Wendling was able to implement this data structure in OCaml. His implementation makes sophisticated use of OCaml's generalized algebraic data types (GADTs).

Then, Jules Viennot, supervised by Armaël Guéneau and François Pottier, ported Wendling's code from OCaml to Rocq and verified its correctness. This work stresses the limits of Rocq's expressiveness. It is the first published or verified implementation of Kaplan and Tarjan's catenable deques.

A paper on this topic will be submitted to a journal in 2025.

7.4.2 Meta-programming in Rocq

Participants: Yannick Forster, Matthieu Sozeau [Inria team Gallinette], Weituo Dai, Thomas Lamiaux [Inria team Gallinette], Mathis Bouverot-Dupuis.

The state of meta-programming in the Rocq Prover (previously known as the Coq proof assistant) is diverse and has grown organically over the years. Various meta-programming languages are used to implement the kernel, tactics, and plugins.

Yannick Forster has supervised Weituo Dai's internship, whose aim was to develop a meta-programming framework that offers guarantees to the user, such as a guarantee that the generated program or proof does not contain unbound variables.

Yannick Forster has also supervised Mathis Bouverot-Dupuis, who investigated the state of the art in meta-programming in both Rocq and Lean.

In 2025, Mathis Bouverot-Dupuis is planning to start a PhD on developing a robust meta-programming framework based on the lessons learned through 40 years of organic development of such frameworks in Rocq.

7.4.3 The MetaRocq project

Participants: Yannick Forster, Matthieu Sozeau [Inria team Gallinette], Nicolas Tabareau [Inria team Gallinette], Yee-Jian Tan, Thomas Lamiaux [Inria team Gallinette].

The MetaRocq project (previously known as MetaCoq) is an umbrella project that contains several subprojects. These include a formal definition of Rocq's type theory and a verified type- and proof-checker for Rocq.

This definition leaves out a crucial part of Rocq's type theory—arguably even the most crucial part—namely, the guard checker, which is in charge of enforcing the strong normalization of Rocq's programming language, and thereby the logical consistency of the system.

Yee-Jian Tan and Yannick Forster have developed an implementation of Rocq's guard checker in Rocq itself. Compared to the opaque 2000-line-long uncommented OCaml implementation, this is a significant step forward.

Together with Matthieu Sozeau and Nicolas Tabareau, Yannick Forward co-supervises Thomas Lamiaux's PhD thesis. They will continue to investigate the exact specification of Rocq's guard checker and work towards a mechanized consistency proof for the system.

7.4.4 Verified extraction from Rocq to OCaml

Participants: Yannick Forster, Matthieu Sozeau [Inria team Gallinette], Nicolas Tabareau [Inria team Gallinette].

In 2023, we have developed a novel extraction pipeline from Rocq to OCaml, which is implemented and verified in Rocq itself. Its correctness theorem offers clear guarantees for safe interoperability. This work has been accepted for presentation at the conference PLDI 2024 19 and has received a Distinguished Paper Award.

7.4.5 Synthetic computability theory in Rocq

Participants: Yannick Forster, Dominik Kirst [Ben-Gurion University], Felix Jahn [Saarland University], Gert Smolka [Saarland University], Niklas Mück [MPI-SWS, Germany], Haoyi Zeng [Saarland University].

Proofs in traditional computability theory are notoriously hard to formalize, due to their reliance on models of computation such as Turing machines. In synthetic computability, one abstracts away from models of computation, which is possible thanks to a formal foundation for mathematics where functions and propositions are strictly separated. This is the case in many constructive foundations for mathematics, including the one that underlies the Rocq proof assistant.

Continuing a long line of work on synthetic computability in proof assistants, Yannick Forster, Dominik Kirst and Niklas Mück have obtained results on oracle computability, specifically a proof of Post's theorem concerning the arithmetical hierarchy. This work has been accepted for presentation at the conference CSL 2024 24.

Yannick Forster has supervised the Bachelor's thesis of Haoyi Zeng at Saarland University on Post's problem, where intermediate results have been presented at the workshops TYPES 2024 and CCC 2024, jointly with Dominik Kirst.

He has furthermore co-supervised the Bachelor's theses of Fabian Brenner and Janis Bailitis on a synthetic undecidability proof of contextual equivalence in finitary PCF and on a mechanised proof of Löb's theorem, respectively, both jointly with Dominik Kirst.

Yannick Forster has given an invited talk about this line of work at the 14th Panhellenic Logic Symposium in Thessoliniki, Greece.

7.4.6 Type inference logics

Participants: Denis Carnier [KU Leuven], Steven Keuchel [Vrije Universiteit Brussels], François Pottier.

Denis Carnier and Steven Keuchel designed and implemented, inside the Coq proof assistant, a domain-specific constraint language for type inference and elaboration, together with a verified constraint solver. This work is based on an earlier unverified design by François Pottier, which was published at ICFP 2014. These new results have been accepted for presentation at the conference OOPSLA 2024 18.

7.5.1 Verifying heap space bounds for concurrent programs under garbage collection

Participants: Alexandre Moine, Arthur Charguéraud, François Pottier.

For two decades, Separation Logic has been applied mainly to functional correctness proofs: that is, it has been used to prove that a program cannot crash and must eventually produce a correct result. It has also been extended with time credits, which endow it with the ability to reason about the time complexity of a program. In our group, this topic has been studied in previous years by François Pottier, Armaël Guéneau, and Glen Mével.

In 2021, Jean-Marie Madiot and François Pottier presented a separation logic with space credits 44, which allows establishing verified space complexity bounds in the presence of garbage collection for an assembly-like language. In 2022, Alexandre Moine, Arthur Charguéraud and François Pottier scaled it up to a high-level sequential language 45.

This year, Alexandre Moine, Arthur Charguéraud and François Pottier further extended this work to a concurrent setting. They proposed both new language features and a new program logic, IrisFit.

The new features include polling points, which are automatically inserted by the compiler, and are used to ensure a liveness property; and protected sections, which are delimited by the programmer, and where polling points must not be inserted.

The new logic, IrisFit, involves “pointed-by-thread” assertions, which keep track of the existence of stack-to-heap pointers in a reasonably lightweight manner. Furthermore, by exploiting the presence of protected sections, it is able to establish tighter space complexity bounds.

The final version of this work has been accepted for publication in the journal ACM TOPLAS and will appear in 2025.

7.5.2 Osiris: formal semantics and reasoning rules for OCaml

Participants: Remy Seassau, François Pottier, Irene Yoon, Jean-Marie Madiot.

The Osiris project aims to develop an instance of the Iris separation logic, inside the Rocq proof assistant, and to customize it for the OCaml programming language, so as to provide end users with a powerful, state-of-the-art, ready-to-use program verification environment for OCaml.

In 2023, a number of preliminary results were obtained, culminating in the definition of a formal semantics of a large fragment of OCaml and two sets of reasoning rules. The first set of rules forms a Hoare logic for a pure subset of OCaml. The second set of rules forms a separation logic, based on Iris, for the complete language, including impure expressions.

In 2024, Irene Yoon, Remy Seassau, and François Pottier extended the semantics with effect handlers. Irene Yoon then integrated reasoning rules from earlier work by de Vilhena and Pottier 5 into Osiris's separation logic.

Jean-Marie Madiot developed a new version of the pure Hoare logic judgment, handling non-confluent expressions and simplifying inversion reasoning, and an executable variant of the semantics, allowing the formal semantics to be tested, by comparing it with the behavior of the OCaml compilers.

Remy Seassau added support for reasoning about deep pattern matching by extending the reasoning rules and developing user-facing proof tactics. Remy and Irene put a lot of work into improving the pure Hoare logic. The internal definition of the logic was reworked, and rules for recursive functions and their proofs of correctness were developed.

In the future, significant work is still needed to facilitate program verification with Osiris, to carry out case studies, and to add support for several advanced features of OCaml, such as parallelism.

7.5.3 Verifying tail-call optimization modulo constructors

Participants: Clément Allain, Frédéric Bour, Basile Clément [OCamlPro], François Pottier, Gabriel Scherer [Inria team Picube].

Tail-call optimization (TCO), a well-known optimization performed by many compilers for functional programming languages, optimizes tail calls by deallocating the stack frame of the caller before jumping to the callee. Tail-call optimization modulo constructors (TMC) improves upon TCO by also optimizing the situation where a function call is not a tail call because it is followed by the application of a constructor. A canonical example appears in the most natural implementation of the map function on lists. In such a situation, the code can be transformed into destination-passing style: first, a memory block is allocated and partially initialized; then, a tail call takes place, and the responsibility of completing the initialization of the memory block is delegated to the callee.

TMC has been implemented in the OCaml compiler by Frédéric Bour, Basile Clément and Gabriel Scherer 39. Based on this work, Clément Allain and François Pottier have formalized and verified TMC for an untyped sequential $\lambda$-calculus equipped with mutable heap cells. The correctness of the transformation is expressed as a termination-preserving behavioral program refinement. The proof relies on a relational separation logic that is constructed on top of Iris. It is mechanized in the Rocq proof assistant.

This work has been accepted for presentation at the conference POPL 2025 13.

7.5.4 Snapshottable stores

Participants: Clément Allain, Basile Clément [OCamlPro], Alexandre Moine, Gabriel Scherer [Inria team Picube].

Many algorithms, including type inference algorithms and SMT solvers, require data structures that support efficient backtracking.

Basile Clément and Gabriel Scherer designed and implemented an OCaml library that provides reusable backtracking support, for use by authors of data structures. Then, Clément Allain and Alexandre Moine wrote a specification for (the core functions of) this library and verified their correctness. The proof was carried out on top of Iris inside the Rocq proof assistant.

This work has been accepted for presentation at the conference ICFP 2024 14 and has received a Distinguished Paper Award.

7.5.5 Verification of concurrent OCaml 5 programs in separation logic

Participants: Clément Allain.

The release of OCaml 5, which introduced parallelism into the language, created a need for safe and efficient concurrent data structures. Several new libraries, such as Saturn 41, aim at addressing this need. From the perspective of formal verification, this is an opportunity to apply and further state-of-the-art techniques to provide stronger guarantees.

In this context, Clément Allain is working on the verification of concurrent OCaml 5 programs using separation logic. Preliminary results on the verification of Saturn have been presented at the OCaml Workshop 2024 30.

The methodology used in this work consists in translating OCaml programs into a language that is deeply embedded inside Coq. Then, these programs can be specified and verified using the concurrent separation logic Iris. To this end, Allain proposed a formal semantics and a program logic for a fragment of OCaml 5. This work has been presented at the conference JFLA 2025 22. A more comprehensive paper is in preparation.

7.5.6 Gospel

Participants: Tiago Soares, François Pottier, Mário Pereira [NOVA LINCS].

Gospel is a formal specification language for OCaml. It allows a library's interface files to contain not only types, but also logical specifications, which describe the library's behavior. The design of Gospel, however, is not yet fixed.

For expert users, we want Gospel to be understood also as a pleasant surface syntax for Separation Logic specifications. Therefore, our work has focused on introducing ways to describe ownership within Gospel specifications. We have introduced lenses, which offer lightweight notation to talk about ownership of a data structure in memory and to describe the connection between the physical and logical representations of this data structure. Tiago Soares has implemented a prototype tool which translates Gospel specifications down to separation logic specifications, which can be pretty-printed either in the syntax of CFML or in the syntax of Iris. Our paper on the Gospel ecosystem 26 presents this prototype tool and shows how it complements the existing Gospel ecosystem.

7.6.1 A Two-Phase Infinite/Finite Low-Level Memory Model

Participants: Calvin Beck [University of Pennsylvania], Irene Yoon, Hanxi Chen [University of Pennsylvania], Yannick Zakowski [Inria team Cash], Steve Zdancewic [University of Pennsylvania].

This project reconciles complex low-level memory model features, such as pointer-integer casts, with desired refinements that are needed to justify the correctness of program transformations. The idea is to use a “two-phase” memory model. One level has an unbounded memory and corresponding unbounded integer type; the other has finite memory. The connection between the two levels is made explicit by a notion of refinement that handles out-of-memory behaviors. This approach allows more optimizations and establishes a clear boundary between the idealized semantics of a program and the implementation of that program on finite hardware. The two-phase memory model has been incorporated into an LLVM IR semantics, demonstrating its utility in practice in the context of a low-level language with features like undef and bitcast. A paper that describes this approach has been presented at the conference ICFP 202415.

7.6.2 A validator for Flambda2

Participants: Irene Yoon, Chris Casinghino [Jane Street].

Flambda2 is an optimizing middle-end for the OCaml compiler. It is developed by researchers and engineers and OCamlPro and Jane Street.

This project aims at building a validation tool for Flambda2. Flambda2's optimizations are focused on inlining and applying simplifications that become possible after inlining. Although these transformations sound innocuous, they are one of the most importan and tricky optimizations in the compiler pipeline. The validator increases confidence in Flambda2's optimizations by providing a concise, declarative definition of a reduction relation that allows the optimized and unoptimized versions of the program to be reduced to syntactically equivalent terms.

Preliminary results have been presented at the 2024 OCaml workshop, an international workshop without proceedings.

7.6.3 Velliris: a relational separation logic for LLVM IR

Participants: Irene Yoon, Lennard Gaher [MPI-SWS], Simon Spies [MPI-SWS], Youngju Song [MPI-SWS], Derek Dreyer [MPI-SWS], Steve Zdancewic [University of Pennsylvania].

Velliris is a relational separation logic framework for LLVM IR. It is integrated with the VIR formal semantics. It provides expressive reasoning principles for LLVM IR programs, with a practical ghost theory over LLVM IR resources. Formally, Velliris is implemented by constructing, within the Iris separation logic framework, a novel and general coinductive simulation over Interaction Trees with interpretations into state monads. We prove Velliris sound by establishing a contextual adequacy theorem that lifts simulation results from the embedded logic to the ambient logic.

Preliminary results have been presented in an invited talk at the 2024 Iris Workshop, an international workshop without proceedings.

8.1.1 Tarides

Participants: Frédéric Bour, Thomas Refis, François Pottier, Didier Rémy.

One of our PhD students, Frédéric Bour, who defended in December 2024, was employed by Tarides under a CIFRE agreement.

Tarides is a small high-tech software company, with a strong expertise in virtualization, distributed systems, and programming languages. Several of their key products, such as MirageOS, are developed using OCaml. Tarides contributes a significant amount of manpower to the OCaml ecosystem. We maintain strong informal ties with this company.

8.2.1 The Caml Consortium

Participants: Damien Doligez.

The Caml Consortium is a formal structure where industrial and academic users of OCaml can support the development of the language and associated tools, express their specific needs, and contribute to the long-term stability of OCaml. Membership fees are used to fund specific developments targeted towards industrial users. Members of the Consortium automatically benefit from very liberal licensing conditions on the OCaml system, allowing for instance the OCaml compiler to be embedded within proprietary applications.

Damien Doligez chairs the Caml Consortium.

The Consortium currently has 5 member companies:

• Esterel / ANSYS
• Facebook
• Jane Street
• LexiFi
• SimCorp

One might think that the Caml Consortium could be superseded by the OCaml Software Foundation, discussed below. However, the Caml Consortium remains alive, because it is able to offer special licensing conditions. The above companies still need the Consortium's license. Most of them are also sponsors of the OCaml Foundation.

8.2.2 The OCaml Software Foundation

Participants: Damien Doligez, Xavier Leroy.

The OCaml Software Foundation, established in 2018 under the umbrella of the Inria Foundation, aims to promote, protect, and advance the OCaml programming language and its ecosystem, and to support and facilitate the growth of a diverse and international community of OCaml users.

Damien Doligez and Xavier Leroy serve as advisors on the foundation's Executive Committee.

We receive substantial basic funding from the OCaml Software Foundation in order to support research activity related to OCaml.

10.1.1 Organisation of scientific events

Yannick Forster was the workshop co-chair of the 29th ACM SIGPLAN International Conference on Functional Programming (ICFP 2024).

Yannick Forster is a member of the operations team of the ACM SIGPLAN Long-Term Mentoring Committee (SIGPLAN-M).

10.1.2 Participation in program committees

Yannick Forster was a member of the program committee for the conferences ITP 2024, CiE 2024, TFP 2024, and TYPES 2024.

Xavier Leroy served as associate chair of the program committee of the 52nd ACM SIGPLAN Symposium on Principles of Programming Languages (POPL 2025).

Jean-Marie Madiot was a member of the program committee for the conference PLDI 2025.

Irene Yoon was a member of the the program committee for the conferences ICFP 2025 and CPP 2025 and for the workshops Coq 2024, HOPE 2024, and CoqPL 2025.

10.1.3 Participation in editorial boards

Yannick Forster is an ex-officio member of the steering committee of ITP.

Xavier Leroy is a member of the editorial boards of Journal of Automated Reasoning.

Xavier Leroy is a member of the newly-created Conseil Scientifique (scientific advisory board) of the Arte TV channel.

10.1.4 Invited talks

Yannick Forster has given an invited talk about synthetic computability theory at the 14th Panhellenic Logic Symposium in Thessaloniki, Greece.

Irene Yoon gave an invited talk at the 2024 Iris Workshop in Zürich, Switzerland.

10.1.5 Research administration

Luc Maranget is an elected member of Inria's Commission d'Évaluation (CE).

Luc Maranget represents the Cambium team in the Comité des utilisateurs des moyens informatiques (CUMI).

François Pottier is the president of Inria Paris' Comité de Suivi Doctoral. Since June 2023, he is Inria's delegate in the pedagogical team of MPRI.

Didier Rémy Inria's delegate in the management board of MPRI.

10.2.1 Teaching

This year, the members of our team have taught or assisted in teaching the following courses:

• Licence (L1): Programmation fonctionnelle pour le Web, Clément Allain, 24 HETD, Université Paris Cité, France.
• Licence (L3): Programmation fonctionnelle, Clément Allain, 24 HETD, Université Paris Cité, France.
• Licence (L3): Outils logiques, Clément Blaudeau, 24h TD, Université de Paris Cité, France.
• Master (M2): Proof assistants (course coordinator), Yannick Forster, 18 HETD, MPRI, Université Paris Cité, France.
• Open lectures: Structures de contrôle: de «goto» aux effets algébriques, Xavier Leroy, 16 HETD, Collège de France, France.
• Master (M2): Proofs of Programs (course coordinator), Jean-Marie Madiot, 18 HETD, MPRI, Université Paris Cité, France.
• Licence (L3): Principles of programming languages, Jean-Marie Madiot, 40 HETD, École Polytechnique, France.
• Licence (L3): Programmation fonctionnelle, Alexandre Moine, 24 HETD, Université de Paris, France.
• Master (M2): Functional programming and type systems (course coordinator), François Pottier, 22 HETD, MPRI, Université Paris Cité, France.
• Licence (L1): Initiation à la Programmation 1, Remy Seassau, 16 HETD, Université Paris Cité, France.
• Master (M1): Interpretation and Compilation of Languages, Tiago Soares, 30 HETD, NOVA School of Science and Technology, Universidade Nova de Lisboa, Portugal.
• Licence (L1): Principes de Fonctionnement des Machines Binaires, Samuel Vivien, 36 HETD, Université Paris Cité, France.

10.2.2 Supervision

The following PhD theses are in progress or have been defended in 2024:

• PhD in progress: Clément Allain, Parallel programming infrastructure for OCaml 5, Université Paris Cité, since October 2022, advised by Gabriel Scherer and François Pottier.
• PhD (completed): Clément Blaudeau, Formalizing and improving OCaml modules, Université Paris Cité, since October 2021, advised by Didier Rémy and Gabriel Radanne (Inria team Cash); defended on December 9, 2024.
• PhD (completed): Frédéric Bour, An interactive, modular proof environment for OCaml, Université Paris Cité, since August 2020, advised by François Pottier and Thomas Gazagnaire (Tarides); defended on December 18, 2024.
• PhD (completed): Nathanaëlle Courant, Towards an efficient and formally-verified convertibility checker, Université Paris Cité, since September 2019, advised by Xavier Leroy; defended on September 19, 2024 33.
• PhD (completed): Alexandre Moine, Formal verification of space bounds, Université Paris Cité, since October 2021, advised by Arthur Charguéraud and François Pottier; defended on September 20, 2024.
• PhD in progress: Remy Seassau, Osiris : a Separation Logic Verification Framework for OCaml, Université Paris Cité, since October 2023, advised by François Pottier.
• PhD in progress: Tiago Soares, Integrating Exceptions and Control Effects in the Specification and Proof of OCaml Programs, NOVA School of Science and Technology, Universidade Nova de Lisboa and Université Paris Cité, since September 2023, advised by Mário Pereira and François Pottier.
• PhD in progress: Samuel Vivien, Theory and Practice of Modular Implicits: Design, Formalization, Implementation, and Applications, ENS-PSL, since October 2024, advised by Didier Rémy and Gabriel Scherer.

10.2.3 Juries

Yannick Forster was a member of the jury for the PhD thesis of Louise Dubois de Prisque (ENS Paris-Saclay; defended July 2024).

Xavier Leroy was a member of the hiring committee for a professorship in computer science at ENS Lyon.

Xavier Leroy was a reviewer and viva voce examiner for the PhD thesis of Yann Herklotz Grave (Imperial College; defended April 2024).

François Pottier was a member of the CRCN/ISFP hiring committee for Inria Paris.

François Pottier was a reviewer for the PhD thesis of Nicolas Chappe (ENS Lyon; defended November 2024). He was the president of the jury for the PhD thesis of Son Ho (Université Paris Cité; defended December 2024).

Didier Rémy was a member of the jury for the PhD thesis of Mickaël Laurent (Université Paris Cité; defended June 2024).

International journals

• 12 articleJ.Jade Alglave, R.Richard Grisenthwaite, A.Artem Khyzha, L.Luc Maranget and N.Nikos Nikoleris. Puss in Boots: Formalizing Arm’s Virtual Memory System Architecture.IEEE Micro446November 2024, 83-91HALDOIback to text
• 13 articleC.Clément Allain, F.Frédéric Bour, B.Basile Clément, F.François Pottier and G.Gabriel Scherer. Tail Modulo Cons, OCaml, and Relational Separation Logic.Proceedings of the ACM on Programming Languages9POPLJanuary 2025, 2337-2363HALDOIback to text
• 14 articleC.Clément Allain, B.Basile Clément, A.Alexandre Moine and G.Gabriel Scherer. Snapshottable Stores.Proceedings of the ACM on Programming Languages8ICFPAugust 2024, 338-369HALDOIback to textback to text
• 15 articleC.Calvin Beck, I.Irene Yoon, H.Hanxi Chen, Y.Yannick Zakowski and S.Steve Zdancewic. A Two-Phase Infinite/Finite Low-Level Memory Model: Reconciling Integer–Pointer Casts, Finite Space, and undef at the LLVM IR Level of Abstraction.Proceedings of the ACM on Programming Languages8ICFPAugust 2024, 789-817HALDOIback to text
• 16 articleC.Clément Blaudeau, D.Didier Rémy and G.Gabriel Radanne. Avoiding Signature Avoidance in ML Modules with Zippers.Proceedings of the ACM on Programming LanguagesPOPL9January 2025HALDOIback to text
• 17 articleC.Clément Blaudeau, D.Didier Rémy and G.Gabriel Radanne. Fulfilling OCaml Modules with Transparency.Proceedings of the ACM on Programming Languages8OOPSLA1April 2024, 194-222HALDOIback to text
• 18 articleD.Denis Carnier, F.François Pottier and S.Steven Keuchel. Type Inference Logics.Proceedings of the ACM on Programming Languages8OOPSLA2October 2024, 2125-2155HALDOIback to text
• 19 articleY.Yannick Forster, M.Matthieu Sozeau and N.Nicolas Tabareau. Verified Extraction from Coq to OCaml.Proceedings of the ACM on Programming Languages8PLDIJune 2024, 52-75HALDOIback to textback to text
• 20 articleA. L.Aïna Linn Georges, B.Benjamin Peters, L.Laila Elbeheiry, L.Leo White, S.Stephen Dolan, R. A.Richard A Eisenberg, C.Chris Casinghino, F.François Pottier and D.Derek Dreyer. Data Race Freedom à la Mode.Proceedings of the ACM on Programming Languages9POPLJanuary 2025, 656-686HALDOIback to textback to text
• 21 articleA.Alexandre Moine, S.Sam Westrick and S.Stephanie Balzer. DisLog: A Separation Logic for Disentanglement.Proceedings of the ACM on Programming Languages8POPLJanuary 2024HALDOI

International peer-reviewed conferences

• 22 inproceedingsC.Clément Allain. Zoo: A framework for the verification of concurrent OCaml 5 programs using separation logic.36es Journées Francophones des Langages Applicatifs (JFLA 2025)Roiffé, FranceJanuary 2025HALback to text
• 23 inproceedingsL.Liron Cohen, Y.Yannick Forster, D.Dominik Kirst, B.Bruno da Rocha Paiva and V.Vincent Rahli. Separating Markov's Principles.39th Annual ACM/IEEE Symposium on Logic in Computer Science (LICS '24)Talinn, EstoniaJuly 2024HALDOI
• 24 inproceedingsY.Yannick Forster, D.Dominik Kirst and N.Niklas Mück. The Kleene-Post and Post's Theorem in the Calculus of Inductive Constructions.32nd EACSL Annual Conference on Computer Science Logic (CSL 2024)Napoli, FranceSchloss Dagstuhl – Leibniz-Zentrum für Informatik2024HALDOIback to text
• 25 inproceedingsF.François Pottier, A.Armaël Guéneau, J.-H.Jacques-Henri Jourdan and G.Glen Mével. Thunks and Debits in Separation Logic with Time Credits.Proceedings of the ACMPOPL 2024 - 51st ACM SIGPLAN Symposium on Principles of Programming Languages8POPLLondres, United KingdomACMJanuary 2024HAL
• 26 inproceedingsT.Tiago Soares, I.Ion Chirica and M.Mário Pereira. Static and Dynamic Verification of OCaml Programs: The Gospel Ecosystem.Leveraging Applications of Formal Methods, Verification and Validation. Specification and VerificationISoLA15222Heraklion, Greece2024HALback to text

National peer-reviewed Conferences

• 27 inproceedingsC.Clément Allain and G.Gabriel Scherer. Correct tout seul, sûr à plusieurs.35es Journées Francophones des Langages Applicatifs (JFLA 2024)Saint-Jacut-de-la-Mer, FranceJanuary 2024HAL
• 28 inproceedingsF.François Pottier. Correct, Fast LR(1) Unparsing.35es Journées Francophones des Langages Applicatifs (JFLA 2024)Saint-Jacut-de-la-Mer, FranceJanuary 2024HAL
• 29 inproceedingsM.Milla Valnet, N.Nathanaëlle Courant, G.Guillaume Bury, P.Pierre Chambart and V.Vincent Laviron. Chamelon : un minimiseur pour et en OCaml.35es Journées Francophones des Langages Applicatifs (JFLA 2024)Saint-Jacut-de-la-Mer, FranceJanuary 2024HAL

Conferences without proceedings

• 30 inproceedingsC.Clément Allain, V.Vesa Karvonen and C.Carine Morel. Saturn: a library of verified concurrent data structures for OCaml 5.OCaml Workshop 2024 - ICFP 2024Milan, ItalyAugust 2024HALback to text
• 31 inproceedingsX.Xavier Leroy. Well-founded recursion done right.CoqPL 2024: The Tenth International Workshop on Coq for Programming LanguagesLondon, United Kingdom2024HAL
• 32 inproceedingsS.Samuel Vivien and D.Didier Rémy. On the design and implementation of Modular Explicits.OCaml Workshop @ ICFP 2024Milan, ItalySeptember 2024HALback to text

Doctoral dissertations and habilitation theses

• 33 thesisN.Nathanaëlle Courant. Towards an efficient and formally-verified convertibility checker.Université Paris CitéSeptember 2024HALback to text

Reports & preprints

• 34 miscJ.Jade Alglave, R.Richard Grisenthwaite, A.Artem Khyzha, L.Luc Maranget and N.Nikos Nikoleris. Puss In Boots: on formalising Arm's Virtual Memory System Architecture (extended version).May 2024HALback to text
• 35 reportX.Xavier Leroy, D.Damien Doligez, A.Alain Frisch, J.Jacques Garrigue, D.Didier Rémy, K.Kc Sivaramakrishnan and J.Jérôme Vouillon. The OCaml system release 5.2: Documentation and user's manual.InriaMay 2024, 1044HALback to text
• 36 reportX.Xavier Leroy. The CompCert C verified compiler: Documentation and user’s manual: Version 3.15.InriaDecember 2024, 1-80HAL
• 37 miscA.Amin Timany, S. O.Simon Oddershede Gregersen, L.Léo Stefanesco, J. K.Jonas Kastberg Hinrichsen, L.Léon Gondelman, A.Abel Nieto and L.Lars Birkedal. Trillium: Higher-Order Concurrent and Distributed Separation Logic for Intensional Refinement.August 2024HAL