2024Activity reportProject-TeamCAMBIUM
RNSR: 201923244M- Research center Inria Paris Centre
- In partnership with:Collège de France
- Team name: Programming languages: type systems, concurrency, proofs of programs
- Domain:Algorithmics, Programming, Software and Architecture
- Theme:Proofs and Verification
Keywords
Computer Science and Digital Science
- A1.1.1. Multicore, Manycore
- A1.1.3. Memory models
- A2.1. Programming Languages
- A2.1.1. Semantics of programming languages
- A2.1.3. Object-oriented programming
- A2.1.4. Functional programming
- A2.1.6. Concurrent programming
- A2.1.11. Proof languages
- A2.2. Compilation
- A2.2.1. Static analysis
- A2.2.2. Memory models
- A2.2.4. Parallel architectures
- A2.2.5. Run-time systems
- A2.4. Formal method for verification, reliability, certification
- A2.4.1. Analysis
- A2.4.3. Proofs
- A2.5.4. Software Maintenance & Evolution
- A7.1.2. Parallel algorithms
- A7.2. Logic in Computer Science
- A7.2.2. Automated Theorem Proving
- A7.2.3. Interactive Theorem Proving
- A7.3. Calculability and computability
Other Research Topics and Application Domains
- B5.2.3. Aviation
- B6.1. Software industry
- B6.6. Embedded systems
- B9.5.1. Computer science
1 Team members, visitors, external collaborators
Research Scientists
- François Pottier [Team leader, INRIA, Senior Researcher]
- Damien Doligez [INRIA, Researcher]
- Yannick Forster [INRIA, Researcher]
- Jean-Marie Madiot [INRIA, Researcher]
- Luc Maranget [INRIA, Researcher]
- Didier Remy [INRIA, Senior Researcher]
Faculty Member
- Xavier Leroy [COLLEGE DE FRANCE, Professor]
Post-Doctoral Fellow
- Euisun Yoon [INRIA, Post-Doctoral Fellow, from Feb 2024]
PhD Students
- Clément Allain [INRIA]
- Clément Blaudeau [INRIA, from Sep 2024]
- Clément Blaudeau [UNIV PARIS, until Sep 2024]
- Frédéric Bour [TARIDES, until Apr 2024]
- Tiago Lopes Soares [UNIV NOVA LISBONNE]
- Alexandre Moine [INRIA, until Sep 2024]
- Remy Seassau [INRIA]
- Samuel Vivien [PSL, from Oct 2024]
Interns and Apprentices
- Wassel Bousmaha [ENS DE LYON, Intern, from Jun 2024 until Jul 2024]
- Mathis Bouverot-Dupuis [ENS PARIS, Intern, from Sep 2024]
- Weituo Dai [INRIA, Intern, from May 2024 until Sep 2024]
- Malo Monin [INRIA, Intern, from May 2024 until Jul 2024]
- Yee Jian Tan [INRIA, Intern, from May 2024 until Aug 2024]
- Jules Viennot [École Polytechnique, from Apr 2024 until Sep 2024]
- Samuel Vivien [ENS PARIS, Intern, until Feb 2024]
- Poyraz Yilan [INRIA, Intern, from May 2024 until Jul 2024]
Administrative Assistant
- Helene Milome [INRIA]
2 Overall objectives
The research conducted in the Cambium team aims at improving the safety, reliability and security of software through advances in programming languages and in formal program verification. Our work is centered on the design, formalization, and implementation of programming languages, with particular emphasis on type systems and type inference, formal program verification, shared-memory concurrency and weak memory models. We are equally interested in theoretical foundations and in applications to real-world problems. The OCaml programming language, the CompCert C compiler, and the Coq proof assistant embody many of our research results.
2.1 Software reliability and reusability
Software nowadays plays a pervasive role in our environment: it runs not only on general-purpose computers, as found in homes, offices, and data centers, but also on mobile phones, credit cards, inside transportation systems, factories, and so on. Furthermore, whereas building a single isolated software system was once rightly considered a daunting task, today, tens of millions of developers throughout the world collaborate to develop software components that have complex interdependencies. Does this mean that the “software crisis” of the early 1970s, which Dijkstra described as follows, is over?
By now it is generally recognized that the design of any large sophisticated system is going to be a very difficult job, and whenever one meets people responsible for such undertakings, one finds them very much concerned about the reliability issue, and rightly so. – Edsger W. Dijkstra
To some extent, the crisis is indeed over. In the past five decades, strong emphasis has been put on modularity and reusability. It is by now well-understood how to build reusable software components, thus avoiding repeated programming effort and reducing costs. The availability of hundreds of thousands of such components, hosted in collaborative repositories, has allowed the software industry to bloom in a manner that was unimaginable a few decades ago.
As pointed out by Dijkstra, however, the problem is not just to build software, but to ensure that it works. Today, the reliability of most software leaves a lot to be desired. Consumer-grade software, including desktop, Web, and mobile phone applications, often crashes or exhibits unexpected behavior. This results in loss of time, loss of data, and also can often be exploited for malicious purposes by attackers. Reliability includes safety—exhibiting appropriate behavior under normal usage conditions—and security—resisting abuse in the hands of an attacker.
Today, achieving very high levels of reliability is possible, albeit at a tremendous cost in time and money. In the aerospace industry, for instance, high reliability is obtained via meticulous development processes, extensive testing efforts, and external reviewing by independent certification authorities. There and elsewhere, formal verification is also used, instead of or in addition to the above methods. In the hardware industry, model-checking is used to verify microprocessor components. In the critical software industry, deductive program verification has been used to verify operating system kernels, file systems, compilers, and so on. Unfortunately, these methods are difficult to apply in industries that have strong cost and time-to-market constraints, such as the automotive industry, let alone the general software industry.
Today, thus, we arguably still are experiencing a “reliable-software crisis”. Although we have become pretty good at producing and evolving software, we still have difficulty producing cheap reliable software.
How to resolve this crisis remains, to a large extent, an open question. Modularity and reusability seem needed now more than ever, not only in order to avoid repeated programming effort and reduce the likelihood of errors, but also and foremost to avoid repeated specification and verification effort. Still, apparently, the languages that we use to write software are not expressive enough, and the logics and tools that we use to verify software are not mature enough, for this crisis to be behind us.
2.2 Qualities of a programming language
A programming language is the medium through which an intent (software design) is expressed (program development), acted upon (program execution), and reasoned about (verification). It would be a mistake to argue that, with sufficient dedication, effort, time and cleverness, good software can be written in any programming language. Although this may be true in principle, in reality, the choice of an adequate programming language can be the deciding factor between software that works and software that does not, or even cannot be developed at all.
We believe, in particular, that it is crucial for a programming language to be safe, expressive, to encourage modularity, and to have a simple, well-defined semantics.
-
Safety. The execution of a program must not ever be allowed to go wrong in an unpredictable way. Examples of behaviors that must be forbidden include
reading or writing data outside of the memory area assigned by the operating system to the process and executing arbitrary data as if it were code. A programming language is safe if every safety violation is gracefully detected either at compile time or at runtime.
- Expressiveness. The programming language should allow programmers to think in terms of concise, high-level abstractions—including the concepts and entities of the application domain—as opposed to verbose, low-level representations or encodings of these concepts.
- Modularity. The programming language should make it easy to develop a software component in isolation, to describe how it is intended to be composed with other components, and to check at composition time that this intent is respected.
- Semantics. The programming language should come with a mathematical definition of the meaning of programs, as opposed to an informal, natural-language description. This definition should ideally be formal, that is, amenable to processing by a machine. A well-defined semantics is a prerequisite for proving that the language is safe (in the above sense) and for proving that a specific program is correct (via model-checking, deductive program verification, or other formal methods).
The safety of a programming language is usually achieved via a combination of design decisions, compile-time type-checking, and runtime checking. As an example design decision, memory deallocation, a dangerous operation, can be placed outside of the programmer's control. As an example of compile-time type-checking, attempting to use an integer as if it were a pointer can be considered a type error; a program that attempts to do this is then rejected by the compiler before it is executed. Finally, as an example of runtime checking, attempting to access an array outside of its bounds can be considered a runtime error: if a program attempts to do this, then its execution is aborted.
Type-checking can be viewed as an automated means of establishing certain correctness properties of programs. Thus, type-checking is a form of “lightweight formal methods” that provides weak guarantees but whose burden seems acceptable to most programmers. However, type-checking is more than just a program analysis that detects a class of programming errors at compile time. Indeed, types offer a language in which the interaction between one program component and the rest of the program can be formally described. Thus, they can be used to express a high-level description of the service provided by this component (i.e., its API), independently of its implementation. At the same time, they protect this component against misuse by other components. In short, “type structure is a syntactic discipline for enforcing levels of abstraction”. In other words, types offer basic support for expressiveness and modularity, as described above.
For this reason, types play a central role in programming language design. They have been and remain a fundamental research topic in our group. More generally, the design of new programming languages and new type systems and the proof of their safety has been and remains an important theme. The continued evolution of OCaml, as well as the design and formalization of Mezzo 38, are examples.
2.3 Design, implementation, and evolution of OCaml
Our group's expertise in programming language design, formalization and implementation has traditionally been focused mainly on the programming language OCaml 35. OCaml can be described as a high-level statically-typed general-purpose programming language. Its main features include first-class functions, algebraic data structures and pattern matching, automatic memory management, support for traditional imperative programming (mutable state, exceptions), and support for modularity and encapsulation (abstract types; modules and functors; objects and classes).
OCaml meets most of the key criteria that we have put forth above. Thanks to its static type discipline, which rejects unsafe programs, it is safe. Because its type system is equipped with powerful features, such as polymorphism, abstract types, and type inference, it is expressive, modular, and concise. Although OCaml as a whole does not have a formal semantics, many fragments of it have been formally studied in isolation. As a result, we believe that OCaml is a good language in which to develop complex software components and software systems and (possibly) to verify that they are correct.
OCaml has long served a dual role as a vehicle for our programming language research and as a mature real-world programming language. This remains true today, and we wish to preserve this dual role. On the research side, there are many directions in which the language could be extended. On the applied side, OCaml is used within academia (for research and for teaching) and in the industry. It is maintained by a community of active contributors, which extends beyond our team at Inria. It comes with a package manager, opam, a rich ecosystem of libraries, and a set of programming tools, including an IDE (Merlin), support for debugging and performance profiling, etc.
OCaml has been used to develop many complex systems, such as proof assistants (Coq, HOL Light), automated theorem provers (Alt-Ergo, Zenon), program verification tools (Why3), static analysis engines (Astrée, Frama-C, Infer, Flow), programming languages and compilers (SCADE, Reason, Hack), Web servers (Ocsigen), operating systems (MirageOS, Docker), financial systems (at companies such as Jane Street, LexiFi, Nomadic Labs), and so on.
2.4 Software verification
We have already mentioned the importance of formal verification to achieve the highest levels of software quality. One of our major contributions to this field has been the verification of programming tools, namely the CompCert optimizing compiler for the C language 43 and the Verasco abstract interpretation-based static analyzer 40. Technically, this is deductive verification of purely functional programs, using the Coq proof assistant both as the prover and the programming language. Scientifically, CompCert and Verasco are milestones in the area of program proof, due to the complexity and realism of the code generation, optimization, and static analysis techniques that are verified. Practically, these formally-verified tools strengthen the guarantees that can be obtained by formal verification of critical software and reduce the need for other verification activities, attracting the interest of Airbus and other companies that develop critical embedded software.
CompCert is implemented almost entirely in Gallina, the purely functional programming language that lies at the heart of Coq. Extraction, a whole-program translation from Gallina to OCaml, allows Gallina programs to be compiled to native code and efficiently executed. Unfortunately, Gallina is a very restrictive language: it rules out all side effects, including nontermination, mutable state, exceptions, delimited control, nondeterminism, input/output, and concurrency. In comparison, most industrial programming languages, including OCaml, are vastly more expressive and convenient. Thus, there is a clear need for us to also be able to verify software components that are written in OCaml and exploit side effects.
To reason about the behavior of effectful programs, one typically uses a “program logic”, that is, a system of deduction rules that are tailor-made for this purpose, and can be built into a verification tool. Since the late 1960s, program logics for imperative programming languages with global mutable state have been in wide use. A key advance was made in the 2000s with the appearance of Separation Logic, which emphasizes local reasoning and thereby allows reasoning about a callee independently of its caller, about one heap fragment independently of the rest of the heap, about one thread independently of all other threads, and so on. Today, this field is extremely active: the development of powerful program logics for rich effectful programming languages, such as OCaml or Multicore OCaml, is a thriving and challenging research area.
Our team has expertise in this field. For several years, François Pottier has been investigating the theoretical foundations and applications of several features of Separation Logics, such as “hidden state” and “monotonic state”, and has developed expertise in Iris, a modern Separation Logic that is jointly developed by several European research teams. Jean-Marie Madiot has contributed to the Verified Software Toolchain, which includes a version of Concurrent Separation Logic for a subset of C. Arthur Charguéraud1 has developed CFML, an implementation of Separation Logic for a subset of OCaml. Armaël Guéneau2 has extended CFML with the ability to simultaneously verify the correctness and the time complexity of an OCaml component. Glen Mével3 has extended Iris with support for the weak memory model of OCaml 5, while Paulo de Vilhena has extended it with support for effect handlers. Alexandre Moine, in collaboration with Madiot, Pottier, and Charguéraud, has extended Iris with the ability to verify the space complexity of an OCaml component. Clément Allain has carried out a proof of compiler correctness using a relational variant of Iris and has verified several lock-free concurrent data structures using Iris.
We envision several ways of using OCaml components that have been verified using a program logic. In the simplest scenario, some key OCaml components, such as the standard library, are verified, and are distributed for use in unverified applications. This increases the general trustworthiness of the OCaml system, but does not yield strong guarantees of correctness. In a second scenario, a fully verified application is built out of verified OCaml components, therefore it comes with an end-to-end correctness guarantee. In a third scenario, while some components are written and verified directly at the level of OCaml, others are first written and verified in Gallina, then translated down to verified OCaml components by an improved version of Coq's extraction mechanism. In this scenario, it is possible to fully verify an application that combines effectful OCaml code and side-effect-free Gallina code. This scenario represents an improvement over the current state of the art. Today, CompCert includes several OCaml components, which cannot be verified in Coq. As a result, the data produced by these components must be validated by verified checkers.
2.5 Shared-memory concurrency
Concurrent shared-memory programming seems required in order to extract maximum performance out of the multicore general-purpose processors that have been in wide use for more than a decade. (GPUs and other special-purpose processors offer even greater raw computing power, but are not easily exploited in the symbolic computing applications that we are usually interested in.) Unfortunately, concurrent programming is notoriously more difficult than sequential programming. This can be attributed to a “state-space explosion problem”: the number of permitted program executions grows exponentially with the number of concurrent agents involved. Shared memory introduces an additional, less notorious, difficulty: on a modern multicore processor, execution does not follow the strong model where the instructions of one thread are interleaved with the instructions of other threads, and where reads and writes to memory instantaneously take effect. To properly understand and analyze a program, one must first formally define the semantics of the programming language, or of the device that is used to execute the program. The aspect of the semantics that governs the interaction of threads through memory is known as a memory model. Most modern memory models are weak in the sense that they offer fewer guarantees than the strong model sketched above.
Describing a memory model in precise mathematical language, in a manner that is at the same time faithful with respect to real-world machines and exploitable as a basis for reasoning about programs, is a challenging problem and a domain of active research, where thorough testing and verification are required.
Luc Maranget and Jean-Marie Madiot have acquired an expertise in the domain of weak memory models, including so-called axiomatic models and event-structure-based models. Moreover, Luc Maranget develops diy-herd-litmus, a unique software suite for defining, simulating and testing memory models. In short, diy generates so-called litmus tests from concise specifications; herd simulates litmus tests with respect to memory models expressed in the domain-specific language Cat; litmus executes litmus tests on real hardware. These tools have been instrumental in finding bugs in the deployed processors IBM Power5 and ARM Cortex-A9. Moreover, within industry, some models are now written in Cat, either for internal use, such as the AArch64 model by Will Deacon (ARM), or for publication, such as the RISC-V model by Luc Maranget and the HSA model by Jade Alglave and Luc Maranget.
For a long time, the OCaml language and runtime system have been restricted to sequential execution, that is, execution of a single computation thread on a single processor core. Yet, since OCaml 5, it is possible to execute multiple threads in parallel. The runtime system has been deeply impacted: in particular, OCaml's garbage collector has been replaced with an entirely new concurrent collector. The memory model has been been clearly defined, both on paper and in Coq. Also since OCaml 5, the language has been extended with effect handlers, a generalization of exception handlers. Effect handlers are a form of delimited control: they allow suspending a computation, storing it in memory, and resuming it at a later time.
3 Research program
Our research proposal is organized along three main axes, namely programming language design and implementation, concurrency, and program verification. These three areas have strong connections. For instance, the definition and implementation of OCaml intersects the first two axes, whereas creating verification technology for OCaml programs intersects the last two.
In short, the “programming language design and implementation” axis includes:
- The search for richer type disciplines, in an effort to make our programming languages safer and more expressive. Two domains, namely modules and effects, appear of particular interest. In addition, we view type inference as an important cross-cutting concern.
- The continued evolution of OCaml. The major evolutions that we envision in the medium term are the possible addition of a strong type-and-effect system, the addition of modular implicits, and a redesign of the type-checker.
- Research on refactoring and program transformations.
- Research on meta-programming techniques, in particular for proof assistants.
The “concurrency” axis includes:
- Research on weak memory models, including axiomatic models, operational models, and event-structure models.
- Research on the OCaml 5 memory model. This might include proving that the axiomatic and operational presentations of the model agree; testing the OCaml 5 implementation to ensure that it conforms to the model; and extending the model with new features, should the need arise.
The “program verification” axis includes:
- The continued evolution of CompCert.
- Building new verified tools, such as verified compilers for domain-specific languages, verified components for the Coq type-checker, and so on.
- Verifying algorithms and data structures implemented in OCaml, including concurrent data structures, and enriching Separation Logic with new features, if needed, to better support this activity.
- The continued development of tools for TLA+.
4 Application domains
4.1 Formal methods
We develop techniques and tools for the formal verification of critical software:
- program logics based on CFML and Iris for the deductive verification of software, including concurrency and algorithmic complexity aspects;
- verified development tools such as the CompCert verified C compiler, which extends properties established by formal verification at the source level all the way to the final executable code.
- improvements to the trustworthiness of different components of the Coq proof assistant, which is in turn used in other projects.
Some of these techniques have already been used in the nuclear industry (MTU Friedrichshafen uses CompCert to develop emergency diesel generators) and are under evaluation in the aerospace industry.
4.2 High-assurance software
Software that is not critical enough to undergo formal verification can still benefit greatly, in terms of reliability and security, from a functional, statically-typed programming language. The OCaml type system offers several advanced tools (generalized algebraic data types, abstract types, extensible variant and object types) to express many data structure invariants and safety properties and have them automatically enforced by the type-checker. This makes OCaml a popular language to develop high-assurance software, in particular in the financial industry. OCaml is the implementation language for the Tezos blockchain and cryptocurrency. It is also used for automated trading at Jane Street and for modeling and pricing of financial contracts at Bloomberg, Lexifi and Simcorp. OCaml is also widely used to implement code verification and generation tools at Facebook, Microsoft, CEA, Esterel Technologies, and many academic research groups, at Inria and elsewhere.
4.3 Design and test of microprocessors
The diy tool suite and the underlying methodology is in use at ARM Ltd to design and test the memory model of ARM architectures. In particular, the internal reference memory model of the ARMv8 (or AArch64) architecture has been written “in house” in Cat, our domain-specific language for specifying and simulating memory models. Moreover, our test generators and runtime infrastructure are used routinely at ARM to test various implementations of their architectures.
4.4 Teaching programming
Our work on the OCaml language family has an impact on the teaching of programming. OCaml is one of the programming languages selected by the French Ministry of Education for teaching Computer Science in classes préparatoires scientifiques. OCaml is also widely used for teaching advanced programming in engineering schools, colleges and universities in France, the USA, and Japan. The MOOC “Introduction to Functional Programming in OCaml”, developed at University Paris Diderot, is available on the France Université Numérique platform and comes with an extensive platform for self-training and automatic grading of exercises, developed in OCaml itself.
5 Highlights of the year
5.1 On Inria's evolution
Note : Readers are advised that the Institute does not endorse the text in the “Highlights of the year” section, which is the sole responsibility of the team leader.
At the end of 2024, Inria's top management enacted a new “contrat d'objectifs, de moyens et de performance” (COMP), which defines Inria's objectives for the period 2024–2028. We are very unhappy and concerned about the content of this document and the way it was imposed.
- Neither the staff nor their representative bodies were given the opportunity to participate in (or influence) the drafting of this document.
- The document defines Inria's main mission as “contributing to the digital sovereignty of the Nation through research and innovation” and proposes to amend Inria's founding decree to reflect this new definition. We strongly believe that our primary mission is (and should remain) the advancement of human knowledge through research. Research is not a means to achieve “digital sovereignty”, whatever that may mean. Research should not be associated with any particular nation, whatever that nation may be.
- The document announces the creation of a funding agency within Inria. France already has an independent funding agency, the ANR. The creation of a new funding agency within a research institute is unnecessary and a waste of resources. It is also likely to create confusion, opacity, and conflicts of interest.
- Many aspects of the document reflect a desire to drive research in a top-down manner, for example through the selection of “strategic partner institutions” and “strategic themes”. This threatens the fundamental freedom of researchers to choose their research topics and collaborations.
- The document indicates that all of Inria's research should have “dual nature”, that is, both civilian and military applications. While some of the institute's research may have military applications, the vast majority of it is independent of the military, and should remain so.
- The document announces a desire to place all of Inria in a “restricted regime area” (ZRR), which means that the hiring of researchers and interns will be reviewed and possibly vetoed by the Fonctionnaire Sécurité Défense. This creates administrative delays, subjects hiring to opaque criteria, and discourages the hiring of foreign nationals, thus harming research and collaboration.
- Staff opposition to these policies, which has been expressed in several votes and petitions, has been largely ignored.
5.2 Awards
The OCaml programming language and system has received the ACM SIGPLAN Programming Languages Software Award. This is the 2023 award, which was announced at POPL 2024. The citation recognizes OCaml's impact in industry, research, and education:
The OCaml Compiler Distribution is the reference implementation of the OCaml language, a dialect of ML that aims to be pragmatic, both in language features and implementation, encouraging a simple programming style that yields good performance and usability. It has a large user base in industry, research, and education throughout the world, and was used to implement a number of other impactful systems, notably in verification: Coq proof assistant, CompCert verified compiler, Why3 verified programming environment, Frama-C, Astrée and Gillian static analyzers, Infer, Hack and Flow projects at Meta, SLAM/SDV and F* at Microsoft, etc.
In 2024, the following papers have received Distinguished Paper Awards:
- “Verified Extraction from Coq to OCaml” 19 at the conference PLDI 2024;
- “Snapshottable Stores” 14 at the conference ICFP 2024;
- “Data race freedom à la mode” 20 at the conference POPL 2025.
In each of these ACM conferences, distinguished paper awards are given out by the programme committee to about 10% of the papers that are presented at the conference.
6 New software, platforms, open data
6.1 New software
6.1.1 OCaml
-
Functional Description:
The OCaml language is a functional programming language that combines safety with expressiveness through the use of a precise and flexible type system with automatic type inference. The OCaml system is a comprehensive implementation of this language, featuring two compilers (a bytecode compiler, for fast prototyping and interactive use, and a native-code compiler producing efficient machine code for x86, ARM, PowerPC, RISC-V and System Z), a debugger, and a documentation generator. Many other tools and libraries are contributed by the user community and organized around the OPAM package manager.
- URL:
- Publications:
-
Contact:
Damien Doligez
-
Participants:
Florian Angeletti, Damien Doligez, Xavier Leroy, Luc Maranget, Gabriel Scherer, David Allsopp, Stephen Dolan, Alain Frisch, Jacques Garrigue, Anil Madhavapeddy, Kc Sivaramakrishnan, Nicolas Ojeda Bar, Leo White
6.1.2 Compcert
-
Name:
The CompCert formally-verified C compiler
-
Keywords:
Compilers, Formal methods, Deductive program verification, C, Coq
-
Functional Description:
CompCert is a compiler for the C programming language. Its intended use is the compilation of life-critical and mission-critical software written in C and meeting high levels of assurance. It accepts most of the ISO C 99 language, with some exceptions and a few extensions. It produces machine code for the ARM, PowerPC, RISC-V, and x86 architectures. What sets CompCert C apart from any other production compiler, is that it is formally verified to be exempt from miscompilation issues, using machine-assisted mathematical proofs (the Coq proof assistant). In other words, the executable code it produces is proved to behave exactly as specified by the semantics of the source C program. This level of confidence in the correctness of the compilation process is unprecedented and contributes to meeting the highest levels of software assurance. In particular, using the CompCert C compiler is a natural complement to applying formal verification techniques (static analysis, program proof, model checking) at the source code level: the correctness proof of CompCert C guarantees that all safety properties verified on the source code automatically hold as well for the generated executable.
- URL:
-
Contact:
Xavier Leroy
-
Participants:
Xavier Leroy, Sandrine Blazy, Jacques-Henri Jourdan, Sylvie Boldo, Guillaume Melquiond
-
Partner:
AbsInt Angewandte Informatik GmbH
6.1.3 Diy
-
Name:
Do It Yourself
-
Keyword:
Parallelism
-
Functional Description:
The diy suite provides a set of tools for testing shared memory models: the litmus tool for running tests on hardware, various generators for producing tests from concise specifications, and herd, a memory model simulator. Tests are small programs written in x86, Power or ARM assembler that can thus be generated from concise specification, run on hardware, or simulated on top of memory models. Test results can be handled and compared using additional tools.
- URL:
-
Contact:
Luc Maranget
-
Participants:
Jade Alglave, Luc Maranget
-
Partner:
University College London UK
6.1.4 Menhir
-
Keywords:
Compilation, Context-free grammars, Parsing
-
Functional Description:
Menhir is a LR(1) parser generator for the OCaml programming language. That is, Menhir compiles LR(1) grammar specifications down to OCaml code. Menhir was designed and implemented by François Pottier and Yann Régis-Gianas.
- Publications:
-
Contact:
François Pottier
6.1.5 CFML
-
Name:
Interactive program verification using characteristic formulae
-
Keywords:
Coq, Software Verification, Deductive program verification, Separation Logic
-
Functional Description:
The CFML tool supports the verification of OCaml programs through interactive Coq proofs. CFML proofs establish the full functional correctness of the code with respect to a specification. They may also be used to formally establish bounds on the asymptotic complexity of the code. The tool is made of two parts: on the one hand, a characteristic formula generator implemented as an OCaml program that parses OCaml code and produces Coq formulae, and, on the other hand, a Coq library that provides notations and tactics for manipulating characteristic formulae interactively in Coq.
- URL:
-
Contact:
Arthur Charguéraud
-
Participants:
Arthur Charguéraud, Armaël Guéneau, François Pottier
6.1.6 TLAPS
-
Name:
TLA+ proof system
-
Keyword:
Proof assistant
-
Functional Description:
TLAPS is a platform for developing and mechanically verifying proofs about specifications written in the TLA+ language. The TLA+ proof language is hierarchical and explicit, allowing a user to decompose the overall proof into proof steps that can be checked independently. TLAPS consists of a proof manager that interprets the proof language and generates a collection of proof obligations that are sent to backend verifiers. The current backends include the tableau-based prover Zenon for first-order logic, Isabelle/TLA+, an encoding of TLA+ set theory as an object logic in the logical framework Isabelle, an SMT backend designed for use with any SMT-lib compatible solver, and an interface to a decision procedure for propositional temporal logic.
- URL:
-
Contact:
Stephan Merz
-
Participants:
Damien Doligez, Stephan Merz
-
Partner:
Microsoft
6.1.7 ZENON
-
Name:
The Zenon automatic theorem prover
-
Keywords:
Automated theorem proving, First-order logic
-
Functional Description:
Zenon is an automatic theorem prover based on the tableaux method. Given a first-order statement as input, it outputs a fully formal proof in the form of a Coq or Isabelle proof script. It has special rules for efficient handling of equality and arbitrary transitive relations. Although still in the prototype stage, it already gives satisfying results on standard automatic-proving benchmarks.
Zenon is designed to be easy to interface with front-end tools (for example integration in an interactive proof assistant) and also to retarget to output scripts for different frameworks (for example Dedukti).
- URL:
- Publications:
-
Contact:
Damien Doligez
-
Participant:
Damien Doligez
6.1.8 hevea
-
Name:
hevea is a fast latex to html translator.
-
Keywords:
LaTeX, Web
-
Functional Description:
HEVEA is a LATEX to html translator. The input language is a fairly complete subset of LATEX 2 (old LATEX style is also accepted) and the output language is html that is (hopefully) correct with respect to version 5. HEVEA understands LATEX macro definitions. Simple user style files are understood with little or no modifications. Furthermore, HEVEA customisation is done by writing LATEX code.
HEVEA is written in Objective Caml, as many lexers. It is quite fast and flexible. Using HEVEA it is possible to translate large documents such as manuals, books, etc. very quickly. All documents are translated as one single html file. Then, the output file can be cut into smaller files, using the companion program HACHA. HEVEA can also be instructed to output plain text or info files.
Information on HEVEA is available at http://hevea.inria.fr/.
- URL:
-
Contact:
Luc Maranget
7 New results
7.1 Long-term software projects
7.1.1 The CompCert formally-verified compiler
Participants: Xavier Leroy, Michael Schmidt [AbsInt GmbH], Bernhard Schommer [Saarland University and AbsInt GmbH].
Since 2005, in the context of our work on compiler verification, we have been developing and formally verifying CompCert, a moderately-optimizing compiler for a large subset of the C programming language. CompCert generates assembly code for the ARM, PowerPC, RISC-V, and x86 architectures 43. The compiler is written mostly within the specification language of the Rocq proof assistant, out of which Rocq's extraction facility generates executable OCaml code. The compiler comes with a 100000-line machine-checked proof of semantic preservation, establishing that the generated assembly code executes exactly as prescribed by the semantics of the source C program.
This year, we improved the performance of the generated code through
- more precise value analysis, for integer multiplication, division and modulus, for values of Boolean type, and for function parameters of small integer types, thus improving the effectiveness of constant propagation and redundant cast elimination;
- more precise value numbering for results of memory loads, addressing a missed opportunity for redundant load elimination on ARM and RISC-V;
- a refined heuristic for “if”-conversion, turning it off in cases where it would prevent later, more profitable optimizations of conditional branches in the continuation of the “if”;
- more aggressive simplifications of comparison and selection operations during the CSE pass.
We also added minimal syntactic support for the _Float16 type and for ISO C99 array declarators involving static, so as to improve compatibility with existing standard header files.
These improvements were released as part of CompCert versions 3.14 in May 2024 and 3.15 in December 2024.
7.1.2 The OCaml system
Participants: Florian Angeletti, Damien Doligez, Sébastien Hinderer, Xavier Leroy, Luc Maranget, David Allsop [Cambridge University], Nick Barnes [Tarides], Stephen Dolan [Cambridge University], Jacques Garrigue [University of Nagoya], Sadiq Jaffer [Tarides], Guillaume Munch-Maccagnoni [Inria team Gallinette], Olivier Nicole [Tarides], Nicolás Ojeda Bär [Lexifi], KC Sivaramakrishnan [IIT Madras], Gabriel Scherer [Inria team Picube].
On January 18, 2024, OCaml received the 2023 ACM SIGPLAN Programming Languages Software Award (§5.2).
In 2024, we have released two minor versions of OCaml, namely OCaml 5.2.0 and OCaml 5.3.0, and two patch releases, namely OCaml 4.14.2 and OCaml 5.2.1.
Some of the highlights in OCaml 5.2.0 are:
- Re-introduced GC compaction
- Restored native backend for POWER 64 bits
- Thread sanitizer support
- New module Dynarray
- New flag -H for hidden include directories
- Project-wide occurrence metadata support for developer tools
- Raw identifiers
- Local open in type expressions
- About 20 new functions in the standard library
- 46 fixes and improvements in the runtime system
- 51 bug fixes
Compared with the OCaml 4.14 branch, OCaml 5.2.0 was still a somewhat experimental release. And, indeed, the initial release of OCaml 5.2 was followed on November 18 by a patch release, OCaml 5.2.1, which fixed significant bugs in the runtime system.
On January 8, 2025, we published OCaml 5.3.0. Some of the highlights in OCaml 5.3.0 are:
- Syntax for deep effect handlers
- Restored MSVC port
- Re-introduced statistical memory profiling (statmemprof)
- utf-8-encoded Unicode source files and modest support of Unicode identifiers
- More space-efficient implementation of Dynarray
- Improved metadata on the pairs of declarations and definitions for merlin
- About 20 new functions in the standard library
- 29 fixes and improvements in the runtime system
- Improved error messages for first-class modules, functors, labelled arguments, and type mismatches
- 39 bug fixes
With the re-introduced of the support for the MSVC port and the statmemprof memory profiler, the OCaml 5 branch has restored feature parity with OCaml 4. The focus next year will thus likely shift on fixing the remaining performance bugs in OCaml 5. Then, in the upcoming years, we plan to gradually abandon long-term support for OCaml 4.
Meanwhile, the OCaml 4.14 branch has been maintained as a stable version of the OCaml 4 language. OCaml 4.14.2 was released on March 14, 2024.
7.1.3 The diy tool suite
Participants: Hadrien Renaud [University College London], Artem Khyzha, Nikos Nikorelis, Vladimir Murzin [ARM Ltd.], Jade Alglave [ARM Ltd. and University College London], Luc Maranget.
The diy suite provides a set of tools for testing shared memory models: the litmus tool for running tests on hardware, various generators for producing tests from concise specifications, and herd, a memory model simulator. Tests are small programs written in x86, Power, ARM, generic (LISA) assembler, or a subset of the C language that can thus be generated from concise specifications, run on hardware, or simulated on top of memory models. Test results can be handled and compared using additional tools. One distinctive feature of our system is Cat, a domain-specific language for memory models.
This year, Luc Maranget has worked on combining virtual memory with the ASL-based implementation of AArch64. ASL is a specification language developed by ARM to describe the behaviour of hardware systems. This includes not only machine instructions, but also other hardware processes, such as virtual-to-physical memory translation, also known as page table walk. The herd simulator features an interpreter for ASL, whose main author is Hadrien Renaud. Executing the complete memory access code, including page table walks, is challenging, due to efficiency issues and to semantic considerations. The existence of efficiency issues is not surprising, given the classical phenomenon of state explosion in concurrency. The semantic difficulties stem from the fact that the official ASL code has not always been written with a concurrency semantics in mind.
Luc Maranget acts as the main maintainer and coordinator of the toolbox: with others, he reviews and validates the pull requests submitted by contributors. diy now has about 10 frequent contributors, most of whom are employed by ARM as engineers or interns. Nikos Nikoleris, Artem Khyzha and Vladimir Murzin are cited for their regular and significant contributions and reviews.
7.1.4 TLA+
Participants: Rosalie Defourné [Inria Nancy], Damien Doligez, Ioannis Filippidis, Stéphane Glondu [Inria Nancy], Andrew Helwer [Disjunctive Consulting], Igor Konnov [Informal Systems], Markus Kuppe [Microsoft Research], Leslie Lamport [Microsoft Research], Stephan Merz [Inria team Veridis], Karolis Petrauskas.
This project produces and maintains tools for managing and verifying proofs in the proof language of TLA+ 42.
After switching to an open-source development model in 2023, we have seen a significant increase in external contributions to the project. We expect these contributions to lead to a new release in early 2025. TLA+ attracts more and more industrial users. A TLA+ foundation, funded by some of them, has been established. As of the end of 2024, the foundation has started a grant program to foster the development of tools and documentation for TLA+.
7.1.5 Basic OCaml libraries
Participants: Wassel Bousmaha [ENS Lyon], Jean-Marie Madiot, François Pottier.
In 2024, François Pottier implemented several OCaml libraries that provide basic data structures:
- baby offers persistent sets and maps, based on height-balanced and weight-balanced binary search trees. Compared with the modules Set and Map in OCaml's standard library, this library offers potentially better performance, and more operations. The architecture of the library is modular: the high-level layer, which implements the operations on sets and maps, is independent of the low-level layer, which implements the balancing logic. This modular architecture, as well as the weight-balancing logic, are due to Blelloch, Ferizovic and Sun (2022). During a 6-week internship, co-advised by Jean-Marie Madiot and François Pottier, Wassel Bousmaha verified the correctness of the weight-balancing code and did a (partial) proof of its worst-case time complexity.
- hector offers dynamic arrays, also known as vectors. From an algorithmic point of view, this library offers nothing new. Compared with the module Dynarray in OCaml's standard library, this library offers a different compromise: because it does not guarantee memory safety in the presence of data races, and because it does not attempt to avoid a certain kind of memory leak, it offers potentially better performance, and its code is simpler.
- flatunionfind offers a union-find algorithm inside a vector.
- hachis offers mutable sets and maps, based on hash tables with linear probing. Compared with the module Hashtbl in OCaml's standard library, it can offer better performance.
As a side effect, these projects led to a few improvements in monolith, a test framework for OCaml libraries.
7.2 Programming language design and implementation
7.2.1 Formalizing and improving OCaml modules
Participants: Clément Blaudeau, Didier Rémy, Gabriel Radanne [Inria team Cash].
We began our work on the formalization of modules in 2021 by revisiting, improving, and adapting F-ing modules 46 to OCaml.
This year, we finalized the formalization of , a type system for OCaml modules, extended with transparent ascription. Compared with earlier work, this system offers a better account of the “signature avoidance” problem. retains a “path-based” source syntax, in the style of OCaml, but internally uses types. Its soundness is ensured by an elaboration of terms into . The signature avoidance problem appears during the reverse translation from -like inferred signatures back to OCaml style and is solved following a principled approach. This work has been accepted for presentation at the conference OOPSLA 2024 17.
Furthermore, as an alternative to , we proposed ZipML, an equivalent system, which works directly with OCaml-style path-based signatures. It extends OCaml signatures with zipper signatures in order to avoid signature avoidance problems and achieve the same expressiveness as . Its soundness has been proved by elaboration into . It is well-suited for implementing transparent ascription in OCaml and fixing OCaml's unsatisfactory treatment of the signature avoidance problem. A formalization of ZipML has been accepted for presentation at the conference POPL 2025 16.
Both works are part of Clément Blaudeau's dissertation, which he defended in December 2024.
7.2.2 Implementing and formalizing Modular Explicits
Participants: Samuel Vivien, Didier Rémy, Vincent Laviron [OCamlPro].
Modular explicits are functions that take modules as arguments. This language feature is necessary to elaborate modular implicits. Therefore, it is considered a prerequisite for an implementation of Samuel Vivien's thesis.
During a 5-month internship at OCamlPro, Samuel Vivien, supervised by Vincent Laviron, implemented modular explicits in the OCaml compiler. This work was then formalized with the help of Didier Rémy 32. The code is currently under review for integration in the OCaml compiler.
7.2.3 Designing and formalizing Modular Implicits
Participants: Samuel Vivien, Didier Rémy.
Modular implicits are modules that are passed as implicit parameters to functions. Our work on modular implicits is based on a proposal and prototype implementation by White, Bour and Yallop 47. Extending OCaml with modular implicits seems desirable because OCaml's functors are extremely verbose, preventing their use at a small scale. Modular implicits would give us some of the flexibility and ease of use of Haskell's type classes. To this end, we have been working on defining a clear specification of implicit argument synthesis and on optimizing the synthesis algorithm so that it scales up to real-world applications.
In 2024, we continued our work on modular implicits by making a tour of all of the prerequisites for modular implicits. Samuel Vivien started implementing some of them in the OCaml compiler. In particular, this led to the design of a new mechanism to track principality of type inference in OCaml in a way that is compatible with modular implicits. We have just started the formalization of this mechanism.
7.2.4 Data race freedom à la mode
Participants: Aïna Linn Georges [MPI-SWS], Benjamin Peters [MPI-SWS], Laila Elbeheiry [MPI-SWS], Leo White [Jane Street], Stephen Dolan [Jane Street], Richard A. Eisenberg [Jane Street], Chris Casinghino [Jane Street], François Pottier, Derek Dreyer [MPI-SWS].
This work explores an extension of OCaml's type system that guarantees data race freedom for multi-threaded OCaml programs. Building on recent work at Jane Street that extends OCaml with modes that keep track of locality, uniqueness, and affinity, it introduces two new mode axes, contention and portability, which record whether data has been shared or can be shared between multiple threads.
Although this basic type-and-mode system has limited expressive power by itself, it can express APIs for capsules, regions of memory whose access is controlled by a unique ghost key, and reader-writer locks, which allow a thread to safely acquire partial or full ownership of a key. This allows complex data structures (which may involve aliasing and mutable state) to be safely shared between threads.
The soundness of this system is established by building a semantic model of the system in the Iris program logic on top of the Rocq proof assistant. These results have been accepted for presentation at the conference POPL 2025 20.
7.2.5 A declarative approach to LR(1) syntax error messages
Participants: Frédéric Bour, François Pottier.
LRgrep is a declarative language, and a supporting tool, whose purpose is to let the author of an LR(1) parser describe the syntax error messages that the parser should produce when the input is syntactically incorrect. The language allows matching the parser's stack using a specialized variety of regular expressions. The design and implementation of LRgrep are the subject of Frédéric Bour's PhD work.
The problem presents different aspects: designing a convenient and expressive language to characterize error situations, efficiently compiling this language, and, finally, providing tools to assist with designing and maintaining error messages.
This year, Frédéric transformed the initial prototype into a robust tool and explored several applications of LRgrep. One important application is to improve the syntax error messages procuced by the OCaml compiler. Frédéric has shown that this is possible in principle, but carrying out this project fully will requires more time and manpower. Furthermore, Frédéric has applied LRgrep to two other languages. He has built an experimental version of the Catala compiler that uses LRgrep to produce error messages. He has also written a parser for the Elm language that uses LRgrep and tries to mimic the error messages of the Elm compiler.
This work is described in Frédéric Bour's dissertation, which he defended on December 18.
7.3 Semantics of shared-memory concurrency
7.3.1 Axiomatic memory models and virtual memory
Participants: Jade Alglave [ARM Ltd. and University College London], Richard Grisenthwaite [ARM Ltd.], Artem Khyzha [ARM Ltd.], Luc Maranget, Nikos Nikoleris [ARM Ltd.].
This year, we reached a milestone in our long-term research effort to design and implement a concurrent memory model for virtual memory: a journal paper was published 12, 34.
In this work, we present our formalization of ARM's Virtual Memory System Architecture (VMSA). This work has been developed with, and ratified by, ARM and its partners, and is now part of the ARM Architecture Reference Manual. Additionally, we present our experimental validation methodology, which required extending KVM-unit-tests, a test harness for the Kernel Virtual Machine (KVM). We used this infrastructure to run around 1300 VMSA litmus tests on a variety of ARM machines, thereby validating our model with respect to existing hardware. Our testing uncovered infidelities to the definition of a feature called Translation Table Hardware Management, which led ARM to relax its architecture to accommodate those cases. Finally, as part of this work, we uncovered subtleties in the definition of a feature of the VMSA called Enhanced Translation Synchronization (ETS), which led ARM to deprecate ETS and replace it with a stronger feature called ETS2.
In this project, Luc Maranget is specifically in charge of software development and of experiments. The amount of work involved (in particular, experimental work) is much more significant than in similar previous work, due to the numerous features of virtual memory, such as permissions, TLBs, alternative mappings of a single physical page, fault handlers, and so on.
7.3.2 Semantics and sound implementation of AArch64 instructions
Participants: Hadrien Renaud [University College London], Jade Alglave [ARM Ltd. and University College London], Luc Maranget.
Hadrien Renaud is a PhD candidate under the supervision of Jade Alglave and Luc Maranget. Hadrien Renaud's thesis aims at automating the production of intra-instruction dependencies, based on their definitions in pseudo-code. The task requires not only significant implementation work but also an in-depth study of the semantics of instructions and of the nature of various intra-instruction dependencies. Luc Maranget acts as a co-advisor, focusing on language definition and implementation. We hold a weekly meeting.
This year, Hadrien Renaud made significant progress in the definition and implementation of a type system for the language ASL, which is used by ARM to specify the semantics of instructions. In particular, this type system is used a basis for sound optimisations. Hadrien successfully passed his second viva. Hadrien is also the author of numerous contributions to the herd simulator (a central part of our diy tool suite; §7.1.3), especially regarding the concurrent semantics of ASL, its type system, and its efficient implementation.
7.4 Program verification and mechanized mathematics
7.4.1 Implementing and verifying Kaplan and Tarjan's catenable deques
Participants: Jules Viennot, Arthur Wendling [Tarides], François Pottier, Armaël Guéneau [Inria team Toccata].
In 1999, Kaplan and Tarjan introduced purely functional, real-time catenable deques, a data structure that supports five fundamental operations, namely insertion and extraction of one element at either end and concatenation. All operations are performed with a worst-case time complexity of . Furthermore, this data structure is persistent: no operation modifies or destroys its argument.
Kaplan and Tarjan's paper provides an English description of this data structure, without code. This data structure is in fact extremely difficult to implement: in the 25 years that have elapsed since the paper was published, no implementation appeared.
Recently, though, Arthur Wendling was able to implement this data structure in OCaml. His implementation makes sophisticated use of OCaml's generalized algebraic data types (GADTs).
Then, Jules Viennot, supervised by Armaël Guéneau and François Pottier, ported Wendling's code from OCaml to Rocq and verified its correctness. This work stresses the limits of Rocq's expressiveness. It is the first published or verified implementation of Kaplan and Tarjan's catenable deques.
A paper on this topic will be submitted to a journal in 2025.
7.4.2 Meta-programming in Rocq
Participants: Yannick Forster, Matthieu Sozeau [Inria team Gallinette], Weituo Dai, Thomas Lamiaux [Inria team Gallinette], Mathis Bouverot-Dupuis.
The state of meta-programming in the Rocq Prover (previously known as the Coq proof assistant) is diverse and has grown organically over the years. Various meta-programming languages are used to implement the kernel, tactics, and plugins.
Yannick Forster has supervised Weituo Dai's internship, whose aim was to develop a meta-programming framework that offers guarantees to the user, such as a guarantee that the generated program or proof does not contain unbound variables.
Yannick Forster has also supervised Mathis Bouverot-Dupuis, who investigated the state of the art in meta-programming in both Rocq and Lean.
In 2025, Mathis Bouverot-Dupuis is planning to start a PhD on developing a robust meta-programming framework based on the lessons learned through 40 years of organic development of such frameworks in Rocq.
7.4.3 The MetaRocq project
Participants: Yannick Forster, Matthieu Sozeau [Inria team Gallinette], Nicolas Tabareau [Inria team Gallinette], Yee-Jian Tan, Thomas Lamiaux [Inria team Gallinette].
The MetaRocq project (previously known as MetaCoq) is an umbrella project that contains several subprojects. These include a formal definition of Rocq's type theory and a verified type- and proof-checker for Rocq.
This definition leaves out a crucial part of Rocq's type theory—arguably even the most crucial part—namely, the guard checker, which is in charge of enforcing the strong normalization of Rocq's programming language, and thereby the logical consistency of the system.
Yee-Jian Tan and Yannick Forster have developed an implementation of Rocq's guard checker in Rocq itself. Compared to the opaque 2000-line-long uncommented OCaml implementation, this is a significant step forward.
Together with Matthieu Sozeau and Nicolas Tabareau, Yannick Forward co-supervises Thomas Lamiaux's PhD thesis. They will continue to investigate the exact specification of Rocq's guard checker and work towards a mechanized consistency proof for the system.
7.4.4 Verified extraction from Rocq to OCaml
Participants: Yannick Forster, Matthieu Sozeau [Inria team Gallinette], Nicolas Tabareau [Inria team Gallinette].
In 2023, we have developed a novel extraction pipeline from Rocq to OCaml, which is implemented and verified in Rocq itself. Its correctness theorem offers clear guarantees for safe interoperability. This work has been accepted for presentation at the conference PLDI 2024 19 and has received a Distinguished Paper Award.
7.4.5 Synthetic computability theory in Rocq
Participants: Yannick Forster, Dominik Kirst [Ben-Gurion University], Felix Jahn [Saarland University], Gert Smolka [Saarland University], Niklas Mück [MPI-SWS, Germany], Haoyi Zeng [Saarland University].
Proofs in traditional computability theory are notoriously hard to formalize, due to their reliance on models of computation such as Turing machines. In synthetic computability, one abstracts away from models of computation, which is possible thanks to a formal foundation for mathematics where functions and propositions are strictly separated. This is the case in many constructive foundations for mathematics, including the one that underlies the Rocq proof assistant.
Continuing a long line of work on synthetic computability in proof assistants, Yannick Forster, Dominik Kirst and Niklas Mück have obtained results on oracle computability, specifically a proof of Post's theorem concerning the arithmetical hierarchy. This work has been accepted for presentation at the conference CSL 2024 24.
Yannick Forster has supervised the Bachelor's thesis of Haoyi Zeng at Saarland University on Post's problem, where intermediate results have been presented at the workshops TYPES 2024 and CCC 2024, jointly with Dominik Kirst.
He has furthermore co-supervised the Bachelor's theses of Fabian Brenner and Janis Bailitis on a synthetic undecidability proof of contextual equivalence in finitary PCF and on a mechanised proof of Löb's theorem, respectively, both jointly with Dominik Kirst.
Yannick Forster has given an invited talk about this line of work at the 14th Panhellenic Logic Symposium in Thessoliniki, Greece.
7.4.6 Type inference logics
Participants: Denis Carnier [KU Leuven], Steven Keuchel [Vrije Universiteit Brussels], François Pottier.
Denis Carnier and Steven Keuchel designed and implemented, inside the Coq proof assistant, a domain-specific constraint language for type inference and elaboration, together with a verified constraint solver. This work is based on an earlier unverified design by François Pottier, which was published at ICFP 2014. These new results have been accepted for presentation at the conference OOPSLA 2024 18.
7.5 Program verification in separation logic
7.5.1 Verifying heap space bounds for concurrent programs under garbage collection
Participants: Alexandre Moine, Arthur Charguéraud, François Pottier.
For two decades, Separation Logic has been applied mainly to functional correctness proofs: that is, it has been used to prove that a program cannot crash and must eventually produce a correct result. It has also been extended with time credits, which endow it with the ability to reason about the time complexity of a program. In our group, this topic has been studied in previous years by François Pottier, Armaël Guéneau, and Glen Mével.
In 2021, Jean-Marie Madiot and François Pottier presented a separation logic with space credits 44, which allows establishing verified space complexity bounds in the presence of garbage collection for an assembly-like language. In 2022, Alexandre Moine, Arthur Charguéraud and François Pottier scaled it up to a high-level sequential language 45.
This year, Alexandre Moine, Arthur Charguéraud and François Pottier further extended this work to a concurrent setting. They proposed both new language features and a new program logic, IrisFit.
The new features include polling points, which are automatically inserted by the compiler, and are used to ensure a liveness property; and protected sections, which are delimited by the programmer, and where polling points must not be inserted.
The new logic, IrisFit, involves “pointed-by-thread” assertions, which keep track of the existence of stack-to-heap pointers in a reasonably lightweight manner. Furthermore, by exploiting the presence of protected sections, it is able to establish tighter space complexity bounds.
The final version of this work has been accepted for publication in the journal ACM TOPLAS and will appear in 2025.
7.5.2 Osiris: formal semantics and reasoning rules for OCaml
Participants: Remy Seassau, François Pottier, Irene Yoon, Jean-Marie Madiot.
The Osiris project aims to develop an instance of the Iris separation logic, inside the Rocq proof assistant, and to customize it for the OCaml programming language, so as to provide end users with a powerful, state-of-the-art, ready-to-use program verification environment for OCaml.
In 2023, a number of preliminary results were obtained, culminating in the definition of a formal semantics of a large fragment of OCaml and two sets of reasoning rules. The first set of rules forms a Hoare logic for a pure subset of OCaml. The second set of rules forms a separation logic, based on Iris, for the complete language, including impure expressions.
In 2024, Irene Yoon, Remy Seassau, and François Pottier extended the semantics with effect handlers. Irene Yoon then integrated reasoning rules from earlier work by de Vilhena and Pottier 5 into Osiris's separation logic.
Jean-Marie Madiot developed a new version of the pure Hoare logic judgment, handling non-confluent expressions and simplifying inversion reasoning, and an executable variant of the semantics, allowing the formal semantics to be tested, by comparing it with the behavior of the OCaml compilers.
Remy Seassau added support for reasoning about deep pattern matching by extending the reasoning rules and developing user-facing proof tactics. Remy and Irene put a lot of work into improving the pure Hoare logic. The internal definition of the logic was reworked, and rules for recursive functions and their proofs of correctness were developed.
In the future, significant work is still needed to facilitate program verification with Osiris, to carry out case studies, and to add support for several advanced features of OCaml, such as parallelism.
7.5.3 Verifying tail-call optimization modulo constructors
Participants: Clément Allain, Frédéric Bour, Basile Clément [OCamlPro], François Pottier, Gabriel Scherer [Inria team Picube].
Tail-call optimization (TCO), a well-known optimization performed by many compilers for functional programming languages, optimizes tail calls by deallocating the stack frame of the caller before jumping to the callee. Tail-call optimization modulo constructors (TMC) improves upon TCO by also optimizing the situation where a function call is not a tail call because it is followed by the application of a constructor. A canonical example appears in the most natural implementation of the map function on lists. In such a situation, the code can be transformed into destination-passing style: first, a memory block is allocated and partially initialized; then, a tail call takes place, and the responsibility of completing the initialization of the memory block is delegated to the callee.
TMC has been implemented in the OCaml compiler by Frédéric Bour, Basile Clément and Gabriel Scherer 39. Based on this work, Clément Allain and François Pottier have formalized and verified TMC for an untyped sequential -calculus equipped with mutable heap cells. The correctness of the transformation is expressed as a termination-preserving behavioral program refinement. The proof relies on a relational separation logic that is constructed on top of Iris. It is mechanized in the Rocq proof assistant.
This work has been accepted for presentation at the conference POPL 2025 13.
7.5.4 Snapshottable stores
Participants: Clément Allain, Basile Clément [OCamlPro], Alexandre Moine, Gabriel Scherer [Inria team Picube].
Many algorithms, including type inference algorithms and SMT solvers, require data structures that support efficient backtracking.
Basile Clément and Gabriel Scherer designed and implemented an OCaml library that provides reusable backtracking support, for use by authors of data structures. Then, Clément Allain and Alexandre Moine wrote a specification for (the core functions of) this library and verified their correctness. The proof was carried out on top of Iris inside the Rocq proof assistant.
This work has been accepted for presentation at the conference ICFP 2024 14 and has received a Distinguished Paper Award.
7.5.5 Verification of concurrent OCaml 5 programs in separation logic
Participants: Clément Allain.
The release of OCaml 5, which introduced parallelism into the language, created a need for safe and efficient concurrent data structures. Several new libraries, such as Saturn 41, aim at addressing this need. From the perspective of formal verification, this is an opportunity to apply and further state-of-the-art techniques to provide stronger guarantees.
In this context, Clément Allain is working on the verification of concurrent OCaml 5 programs using separation logic. Preliminary results on the verification of Saturn have been presented at the OCaml Workshop 2024 30.
The methodology used in this work consists in translating OCaml programs into a language that is deeply embedded inside Coq. Then, these programs can be specified and verified using the concurrent separation logic Iris. To this end, Allain proposed a formal semantics and a program logic for a fragment of OCaml 5. This work has been presented at the conference JFLA 2025 22. A more comprehensive paper is in preparation.
7.5.6 Gospel
Participants: Tiago Soares, François Pottier, Mário Pereira [NOVA LINCS].
Gospel is a formal specification language for OCaml. It allows a library's interface files to contain not only types, but also logical specifications, which describe the library's behavior. The design of Gospel, however, is not yet fixed.
For expert users, we want Gospel to be understood also as a pleasant surface syntax for Separation Logic specifications. Therefore, our work has focused on introducing ways to describe ownership within Gospel specifications. We have introduced lenses, which offer lightweight notation to talk about ownership of a data structure in memory and to describe the connection between the physical and logical representations of this data structure. Tiago Soares has implemented a prototype tool which translates Gospel specifications down to separation logic specifications, which can be pretty-printed either in the syntax of CFML or in the syntax of Iris. Our paper on the Gospel ecosystem 26 presents this prototype tool and shows how it complements the existing Gospel ecosystem.
7.6 Verified Compilation
7.6.1 A Two-Phase Infinite/Finite Low-Level Memory Model
Participants: Calvin Beck [University of Pennsylvania], Irene Yoon, Hanxi Chen [University of Pennsylvania], Yannick Zakowski [Inria team Cash], Steve Zdancewic [University of Pennsylvania].
This project reconciles complex low-level memory model features, such as pointer-integer casts, with desired refinements that are needed to justify the correctness of program transformations. The idea is to use a “two-phase” memory model. One level has an unbounded memory and corresponding unbounded integer type; the other has finite memory. The connection between the two levels is made explicit by a notion of refinement that handles out-of-memory behaviors. This approach allows more optimizations and establishes a clear boundary between the idealized semantics of a program and the implementation of that program on finite hardware. The two-phase memory model has been incorporated into an LLVM IR semantics, demonstrating its utility in practice in the context of a low-level language with features like undef and bitcast. A paper that describes this approach has been presented at the conference ICFP 202415.
7.6.2 A validator for Flambda2
Participants: Irene Yoon, Chris Casinghino [Jane Street].
Flambda2 is an optimizing middle-end for the OCaml compiler. It is developed by researchers and engineers and OCamlPro and Jane Street.
This project aims at building a validation tool for Flambda2. Flambda2's optimizations are focused on inlining and applying simplifications that become possible after inlining. Although these transformations sound innocuous, they are one of the most importan and tricky optimizations in the compiler pipeline. The validator increases confidence in Flambda2's optimizations by providing a concise, declarative definition of a reduction relation that allows the optimized and unoptimized versions of the program to be reduced to syntactically equivalent terms.
Preliminary results have been presented at the 2024 OCaml workshop, an international workshop without proceedings.
7.6.3 Velliris: a relational separation logic for LLVM IR
Participants: Irene Yoon, Lennard Gaher [MPI-SWS], Simon Spies [MPI-SWS], Youngju Song [MPI-SWS], Derek Dreyer [MPI-SWS], Steve Zdancewic [University of Pennsylvania].
Velliris is a relational separation logic framework for LLVM IR. It is integrated with the VIR formal semantics. It provides expressive reasoning principles for LLVM IR programs, with a practical ghost theory over LLVM IR resources. Formally, Velliris is implemented by constructing, within the Iris separation logic framework, a novel and general coinductive simulation over Interaction Trees with interpretations into state monads. We prove Velliris sound by establishing a contextual adequacy theorem that lifts simulation results from the embedded logic to the ambient logic.
Preliminary results have been presented in an invited talk at the 2024 Iris Workshop, an international workshop without proceedings.
8 Bilateral contracts and grants with industry
8.1 Bilateral contracts with industry
8.1.1 Tarides
Participants: Frédéric Bour, Thomas Refis, François Pottier, Didier Rémy.
One of our PhD students, Frédéric Bour, who defended in December 2024, was employed by Tarides under a CIFRE agreement.
Tarides is a small high-tech software company, with a strong expertise in virtualization, distributed systems, and programming languages. Several of their key products, such as MirageOS, are developed using OCaml. Tarides contributes a significant amount of manpower to the OCaml ecosystem. We maintain strong informal ties with this company.
8.2 Bilateral grants with industry
8.2.1 The Caml Consortium
Participants: Damien Doligez.
The Caml Consortium is a formal structure where industrial and academic users of OCaml can support the development of the language and associated tools, express their specific needs, and contribute to the long-term stability of OCaml. Membership fees are used to fund specific developments targeted towards industrial users. Members of the Consortium automatically benefit from very liberal licensing conditions on the OCaml system, allowing for instance the OCaml compiler to be embedded within proprietary applications.
Damien Doligez chairs the Caml Consortium.
The Consortium currently has 5 member companies:
- Esterel / ANSYS
- Jane Street
- LexiFi
- SimCorp
One might think that the Caml Consortium could be superseded by the OCaml Software Foundation, discussed below. However, the Caml Consortium remains alive, because it is able to offer special licensing conditions. The above companies still need the Consortium's license. Most of them are also sponsors of the OCaml Foundation.
8.2.2 The OCaml Software Foundation
Participants: Damien Doligez, Xavier Leroy.
The OCaml Software Foundation, established in 2018 under the umbrella of the Inria Foundation, aims to promote, protect, and advance the OCaml programming language and its ecosystem, and to support and facilitate the growth of a diverse and international community of OCaml users.
Damien Doligez and Xavier Leroy serve as advisors on the foundation's Executive Committee.
We receive substantial basic funding from the OCaml Software Foundation in order to support research activity related to OCaml.
9 Partnerships and cooperations
9.1 National initiatives
Participants: Xavier Leroy, François Pottier, Jean-Marie Madiot, Remy Seassau, Tiago Soares.
The ANR GOSPEL project (2023–2026) involves four main participants, namely Inria Paris (team Cambium), LMF (Saclay), Tarides, Nomadic Labs, and two invited researchers, namely Arthur Charguéraud (Inria Strasbourg) and Mário Pereira (NOVA LINCS University, Lisbon). François Pottier is the head of the project. The total budget of the project is approximately 480K€, out of which the Cambium team receives 157K€.
The aim of this project is define Gospel, a standard specification language for OCaml, and to develop tools that can read Gospel specifications and connect them with formal program verification environments, such as Osiris. At Cambium, this project funds Remy Seassau's PhD thesis, whose aim is to develop Osiris (§7.5.2) and to connect it with Gospel. Tiago Soares, who is funded by a Portuguese grant, also works on Gospel.
10 Dissemination
10.1 Promotion of scientific activities
10.1.1 Organisation of scientific events
Yannick Forster was the workshop co-chair of the 29th ACM SIGPLAN International Conference on Functional Programming (ICFP 2024).
Yannick Forster is a member of the operations team of the ACM SIGPLAN Long-Term Mentoring Committee (SIGPLAN-M).
10.1.2 Participation in program committees
Yannick Forster was a member of the program committee for the conferences ITP 2024, CiE 2024, TFP 2024, and TYPES 2024.
Xavier Leroy served as associate chair of the program committee of the 52nd ACM SIGPLAN Symposium on Principles of Programming Languages (POPL 2025).
Jean-Marie Madiot was a member of the program committee for the conference PLDI 2025.
Irene Yoon was a member of the the program committee for the conferences ICFP 2025 and CPP 2025 and for the workshops Coq 2024, HOPE 2024, and CoqPL 2025.
10.1.3 Participation in editorial boards
Yannick Forster is an ex-officio member of the steering committee of ITP.
Xavier Leroy is a member of the editorial boards of Journal of Automated Reasoning.
Xavier Leroy is a member of the newly-created Conseil Scientifique (scientific advisory board) of the Arte TV channel.
10.1.4 Invited talks
Yannick Forster has given an invited talk about synthetic computability theory at the 14th Panhellenic Logic Symposium in Thessaloniki, Greece.
Irene Yoon gave an invited talk at the 2024 Iris Workshop in Zürich, Switzerland.
10.1.5 Research administration
Luc Maranget is an elected member of Inria's Commission d'Évaluation (CE).
Luc Maranget represents the Cambium team in the Comité des utilisateurs des moyens informatiques (CUMI).
François Pottier is the president of Inria Paris' Comité de Suivi Doctoral. Since June 2023, he is Inria's delegate in the pedagogical team of MPRI.
Didier Rémy Inria's delegate in the management board of MPRI.
10.2 Teaching - Supervision - Juries
10.2.1 Teaching
This year, the members of our team have taught or assisted in teaching the following courses:
- Licence (L1): Programmation fonctionnelle pour le Web, Clément Allain, 24 HETD, Université Paris Cité, France.
- Licence (L3): Programmation fonctionnelle, Clément Allain, 24 HETD, Université Paris Cité, France.
- Licence (L3): Outils logiques, Clément Blaudeau, 24h TD, Université de Paris Cité, France.
- Master (M2): Proof assistants (course coordinator), Yannick Forster, 18 HETD, MPRI, Université Paris Cité, France.
- Open lectures: Structures de contrôle: de «goto» aux effets algébriques, Xavier Leroy, 16 HETD, Collège de France, France.
- Master (M2): Proofs of Programs (course coordinator), Jean-Marie Madiot, 18 HETD, MPRI, Université Paris Cité, France.
- Licence (L3): Principles of programming languages, Jean-Marie Madiot, 40 HETD, École Polytechnique, France.
- Licence (L3): Programmation fonctionnelle, Alexandre Moine, 24 HETD, Université de Paris, France.
- Master (M2): Functional programming and type systems (course coordinator), François Pottier, 22 HETD, MPRI, Université Paris Cité, France.
- Licence (L1): Initiation à la Programmation 1, Remy Seassau, 16 HETD, Université Paris Cité, France.
- Master (M1): Interpretation and Compilation of Languages, Tiago Soares, 30 HETD, NOVA School of Science and Technology, Universidade Nova de Lisboa, Portugal.
- Licence (L1): Principes de Fonctionnement des Machines Binaires, Samuel Vivien, 36 HETD, Université Paris Cité, France.
10.2.2 Supervision
The following PhD theses are in progress or have been defended in 2024:
- PhD in progress: Clément Allain, Parallel programming infrastructure for OCaml 5, Université Paris Cité, since October 2022, advised by Gabriel Scherer and François Pottier.
- PhD (completed): Clément Blaudeau, Formalizing and improving OCaml modules, Université Paris Cité, since October 2021, advised by Didier Rémy and Gabriel Radanne (Inria team Cash); defended on December 9, 2024.
- PhD (completed): Frédéric Bour, An interactive, modular proof environment for OCaml, Université Paris Cité, since August 2020, advised by François Pottier and Thomas Gazagnaire (Tarides); defended on December 18, 2024.
- PhD (completed): Nathanaëlle Courant, Towards an efficient and formally-verified convertibility checker, Université Paris Cité, since September 2019, advised by Xavier Leroy; defended on September 19, 2024 33.
- PhD (completed): Alexandre Moine, Formal verification of space bounds, Université Paris Cité, since October 2021, advised by Arthur Charguéraud and François Pottier; defended on September 20, 2024.
- PhD in progress: Remy Seassau, Osiris : a Separation Logic Verification Framework for OCaml, Université Paris Cité, since October 2023, advised by François Pottier.
- PhD in progress: Tiago Soares, Integrating Exceptions and Control Effects in the Specification and Proof of OCaml Programs, NOVA School of Science and Technology, Universidade Nova de Lisboa and Université Paris Cité, since September 2023, advised by Mário Pereira and François Pottier.
- PhD in progress: Samuel Vivien, Theory and Practice of Modular Implicits: Design, Formalization, Implementation, and Applications, ENS-PSL, since October 2024, advised by Didier Rémy and Gabriel Scherer.
10.2.3 Juries
Yannick Forster was a member of the jury for the PhD thesis of Louise Dubois de Prisque (ENS Paris-Saclay; defended July 2024).
Xavier Leroy was a member of the hiring committee for a professorship in computer science at ENS Lyon.
Xavier Leroy was a reviewer and viva voce examiner for the PhD thesis of Yann Herklotz Grave (Imperial College; defended April 2024).
François Pottier was a member of the CRCN/ISFP hiring committee for Inria Paris.
François Pottier was a reviewer for the PhD thesis of Nicolas Chappe (ENS Lyon; defended November 2024). He was the president of the jury for the PhD thesis of Son Ho (Université Paris Cité; defended December 2024).
Didier Rémy was a member of the jury for the PhD thesis of Mickaël Laurent (Université Paris Cité; defended June 2024).
10.3 Popularization
Xavier Leroy gave a popular science talk on Hilbert's program and the birth of computer science at the Sciences & Société conference series of Université de Nancy, in May 2024.
Anne Canteaut (Inria, EPI Cosmiq) and Xavier Leroy ran a round table discussion about cryptography with students at École de Guerre, Paris, in November 2024.
In December 2024, Xavier Leroy gave an introductory talk entitled “Can generative AI replace a human software developer?” to high-school students, in the context of the “Campus de l'innovation” of Collège de France.
11 Scientific production
11.1 Major publications
- 1 articleArmed Cats: formal concurrency modelling at Arm.ACM Transactions on Programming Languages and Systems (TOPLAS)43July 2021, 1 - 54HALDOI
- 2 articleAvoiding Signature Avoidance in ML Modules with Zippers.Proceedings of the ACM on Programming LanguagesPOPL9January 2025HALDOI
- 3 inproceedingsEnd-to-End Translation Validation for the Halide Language.OOPSLA 2022 - Conference on Object-Oriented Programming Systems, Languages, and Applications6Proceedings of the ACM on Programming Languages (PACMPL)No. OOPSLA1, Article 84Auckland, New ZealandDecember 2022HALDOI
- 4 articleVerified Code Generation for the Polyhedral Model.Proceedings of the ACM on Programming Languages5POPLJanuary 2021, 40:1-40:24HALDOI
- 5 articleA Separation Logic for Effect Handlers.Proceedings of the ACM on Programming LanguagesJanuary 2021HALDOIback to text
- 6 inproceedingsFormal Proof and Analysis of an Incremental Cycle Detection Algorithm.Interactive Theorem Proving141Leibniz International Proceedings in InformaticsSchloss Dagstuhl--Leibniz-Zentrum fuer InformatikSeptember 2019HAL
- 7 articleModular coinduction up-to for higher-order languages via first-order transition systems.Logical Methods in Computer ScienceVolume 17, Issue 3September 2021HALDOI
- 8 inproceedingsCosmo: A Concurrent Separation Logic for Multicore OCaml.ICFP 2020 - 25th ACM SIGPLAN International Conference on Functional ProgrammingICFP 2020ACMNew-York / Virtual, United StatesAugust 2020HALDOI
- 9 inproceedingsTime Credits and Time Receipts in Iris.European Symposium on Programming11423Lecture Notes in Computer ScienceSpringerApril 2019, 3-29HALDOI
- 10 articleA High-Level Separation Logic for Heap Space under Garbage Collection (Extended Version).Proceedings of the ACM on Programming Languages7POPL2023, 718-747HALDOI
- 11 inproceedingsExtending Intel-x86 Consistency and Persistency: Formalising the Semantics of Intel-x86 Memory Types and Non-Temporal Stores.POPL 2022 - Symposium on Principles of Programming LanguagesPhiladelphia, United StatesJanuary 2022HALDOI
11.2 Publications of the year
International journals
International peer-reviewed conferences
National peer-reviewed Conferences
Conferences without proceedings
Doctoral dissertations and habilitation theses
Reports & preprints
11.3 Cited publications
- 38 articleThe design and formalization of Mezzo, a permission-based programming language.ACM Transactions on Programming Languages and Systems3842016, 14:1--14:94URL: http://doi.acm.org/10.1145/2837022back to text
- 39 inproceedingsTail Modulo Cons.JFLA 2021 - Journées Francophones des Langages ApplicatifsSaint Médard d'Excideuil, FranceApril 2021HALback to text
- 40 inproceedingsA Formally-Verified C Static Analyzer.POPL'15: 42nd ACM Symposium on Principles of Programming LanguagesACM PressJanuary 2015, 247-259URL: http://dx.doi.org/10.1145/2676726.2676966back to text
- 41 softwareSaturn.2024, back to text
- 42 articleHow to write a 21st century proof.Journal of Fixed Point Theory and Applications1112012, 43--63URL: http://dx.doi.org/10.1007/s11784-012-0071-6back to text
- 43 articleFormal verification of a realistic compiler.Communications of the ACM5272009, 107--115URL: http://doi.acm.org/10.1145/1538788.1538814back to textback to text
- 44 articleA Separation Logic for Heap Space under Garbage Collection.Proceedings of the ACM on Programming Languages6POPLJanuary 2022, URL: http://cambium.inria.fr/~fpottier/publis/madiot-pottier-diamonds-2022.pdfback to text
- 45 articleA High-Level Separation Logic for Heap Space under Garbage Collection.Proceedings of the ACM on Programming Languages7POPLJanuary 2023, 718--747URL: https://doi.org/10.1145/3571218back to text
- 46 articleF-ing modules.Journal of Functional Programming245September 2014, 529--607URL: https://doi.org/10.1017/S0956796814000264back to text
- 47 inproceedingsModular implicits.Proceedings ML Family/OCaml Users and Developers workshops, ML/OCaml 2014, Gothenburg, Sweden, September 4-5, 2014198EPTCS2014, 22--63URL: https://doi.org/10.4204/EPTCS.198.2DOIback to text