7.1.1 Alt-Ergo

• Name:
  Automated theorem prover for software verification
• Keywords:
  Software Verification, Automated theorem proving
• Functional Description:
  Alt-Ergo is an automatic solver of formulas based on SMT technology. It is especially designed to prove mathematical formulas generated by program verification tools, such as Frama-C for C programs, or SPARK for Ada code. Initially developed in Toccata research team, Alt-Ergo's distribution and support are provided by OCamlPro since September 2013.
• Release Contributions:
  the "SAT solving" part can now be delegated to an external plugin, new experimental SAT solver based on mini-SAT, provided as a plugin. This solver is, in general, more efficient on ground problems, heuristics simplification in the default SAT solver and in the matching (instantiation) module, re-implementation of internal literals representation, improvement of theories combination architecture, rewriting some parts of the formulas module, bugfixes in records and numbers modules, new option "-no-Ematching" to perform matching without equality reasoning (i.e. without considering "equivalence classes"). This option is very useful for benchmarks coming from Atelier-B, two new experimental options: "-save-used-context" and "-replay-used-context". When the goal is proved valid, the first option allows to save the names of useful axioms into a ".used" file. The second one is used to replay the proof using only the axioms listed in the corresponding ".used" file. Note that the replay may fail because of the absence of necessary ground terms generated by useless axioms (that are not included in .used file) during the initial run.
• URL:
  https://­alt-ergo.­ocamlpro.­com/
• Contact:
  Sylvain Conchon
• Participants:
  Alain Mebsout, Évelyne Contejean, Mohamed Iguernelala, Stephane Lescuyer, Sylvain Conchon
• Partner:
  OCamlPro

7.1.2 CoqInterval

• Name:
  Interval package for Coq
• Keywords:
  Interval arithmetic, Coq
• Functional Description:

  CoqInterval is a library for the proof assistant Coq.

  It provides several tactics for proving theorems on enclosures of real-valued expressions. The proofs are performed by an interval kernel which relies on a computable formalization of floating-point arithmetic in Coq.

  The Marelle team developed a formalization of rigorous polynomial approximation using Taylor models in Coq. In 2014, this library has been included in CoqInterval.

• URL:
  https://­coqinterval.­gitlabpages.­inria.­fr/
• Publications:
  hal-04114233, hal-04515714, hal-04702129, hal-03168208, tel-02194683, hal-04859533, hal-00180138, hal-00797913, hal-01086460, hal-01289616, hal-01630143
• Contact:
  Guillaume Melquiond
• Participants:
  Pierre Roux, Paul Geneau De Lamarliere, Assia Mahboubi, Erik Martin Dorel, Guillaume Melquiond, Jean-Michel Muller, Laurence Rideau, Laurent Théry, Micaela Mayero, Mioara Joldes, Nicolas Brisebarre, Thomas Sibut-Pinote

7.1.3 Coquelicot

• Name:
  The Coquelicot library for real analysis in Coq
• Keywords:
  Coq, Real analysis
• Functional Description:
  Coquelicot is library aimed for supporting real analysis in the Coq proof assistant. It is designed with three principles in mind. The first is the user-friendliness, achieved by implementing methods of automation, but also by avoiding dependent types in order to ease the stating and readability of theorems. This latter part was achieved by defining total function for basic operators, such as limits or integrals. The second principle is the comprehensiveness of the library. By experimenting on several applications, we ensured that the available theorems are enough to cover most cases. We also wanted to be able to extend our library towards more generic settings, such as complex analysis or Euclidean spaces. The third principle is for the Coquelicot library to be a conservative extension of the Coq standard library, so that it can be easily combined with existing developments based on the standard library.
• URL:
  http://­coquelicot.­saclay.­inria.­fr/
• Publications:
  tel-01228517, hal-00860648, hal-00712938, hal-00880212, hal-01169321, hal-00642206
• Contact:
  Guillaume Melquiond
• Participants:
  Catherine Lelay, Guillaume Melquiond, Sylvie Boldo

7.1.4 Cubicle

• Name:
  The Cubicle model checker modulo theories
• Keywords:
  Model Checking, Software Verification
• Functional Description:
  Cubicle is an open source model checker for verifying safety properties of array-based systems, which corresponds to a syntactically restricted class of parametrized transition systems with states represented as arrays indexed by an arbitrary number of processes. Cache coherence protocols and mutual exclusion algorithms are typical examples of such systems.
• URL:
  https://­github.­com/­cubicle-model-checker/­cubicle
• Contact:
  Sylvain Conchon
• Participants:
  Alain Mebsout, Sylvain Conchon

7.1.5 Flocq

• Name:
  The Flocq formalization of floating-point arithmetic for the Coq proof assistant
• Keyword:
  Floating-point
• Functional Description:

  The Flocq library for the Coq proof assistant is a comprehensive formalization of floating-point arithmetic: core definitions, axiomatic and computational rounding operations, high-level properties. It provides a framework for developers to formally verify numerical applications.

  Flocq is currently used by the CompCert verified compiler to support floating-point computations.

• URL:
  https://­flocq.­gitlabpages.­inria.­fr/
• Publications:
  hal-03233227, inria-00534854, hal-00743090, hal-00862689, hal-01091186, hal-01091189, hal-01632617
• Contact:
  Guillaume Melquiond
• Participants:
  Guillaume Melquiond, Pierre Roux, Sylvie Boldo

7.1.6 Gappa

• Name:
  The Gappa tool for automated proofs of arithmetic properties
• Keywords:
  Floating-point, Arithmetic code, Software Verification, Constraint solving
• Functional Description:
  Gappa is a tool intended to help formally verifying numerical programs dealing with floating-point or fixed-point arithmetic. It has been used to write robust floating-point filters for CGAL and it is used to verify elementary functions in CRlibm. While Gappa is intended to be used directly, it can also act as a backend prover for the Why3 software verification plateform or as an automatic tactic for the Coq proof assistant.
• URL:
  https://­gappa.­gitlabpages.­inria.­fr/
• Publications:
  hal-03233227, tel-02194683, inria-00070739, inria-00344518, inria-00070330, tel-01094485, inria-00071232, inria-00432726, ensl-00379167, ensl-00200830, hal-01110666, hal-01110669, hal-01632617
• Contact:
  Guillaume Melquiond
• Participants:
  Guillaume Melquiond, Tom Hubrecht

7.1.7 Why3

• Name:
  The Why3 environment for deductive verification
• Keywords:
  Formal methods, Trusted software, Software Verification, Deductive program verification
• Functional Description:
  Why3 is an environment for deductive program verification. It provides a rich language for specification and programming, called WhyML, and relies on external theorem provers, both automated and interactive, to discharge verification conditions. Why3 comes with a standard library of logical theories (integer and real arithmetic, Boolean operations, sets and maps, etc.) and basic programming data structures (arrays, queues, hash tables, etc.). A user can write WhyML programs directly and get correct-by-construction OCaml programs through an automated extraction mechanism. WhyML is also used as an intermediate language for the verification of C, Java, or Ada programs.
• URL:
  https://­www.­why3.­org/
• Contact:
  Claude Marche
• Participants:
  Andriy Paskevych, Claude Marche, François Bobot, Guillaume Melquiond, Jean-Christophe Filliâtre, Levs Gondelmans, Martin Clochard
• Partners:
  CNRS, Université Paris-Sud

7.1.8 Coq

• Name:
  The Coq Proof Assistant
• Keyword:
  Proof assistant
• Scientific Description:
  Coq is an interactive proof assistant based on the Calculus of (Co-)Inductive Constructions, extended with universe polymorphism. This type theory features inductive and co-inductive families, an impredicative sort and a hierarchy of predicative universes, making it a very expressive logic. The calculus allows to formalize both general mathematics and computer programs, ranging from theories of finite structures to abstract algebra and categories to programming language metatheory and compiler verification. Coq is organised as a (relatively small) kernel including efficient conversion tests on which are built a set of higher-level layers: a powerful proof engine and unification algorithm, various tactics/decision procedures, a transactional document model and, at the very top an integrated development environment (IDE).
• Functional Description:
  Coq provides both a dependently-typed functional programming language and a logical formalism, which, altogether, support the formalisation of mathematical theories and the specification and certification of properties of programs. Coq also provides a large and extensible set of automatic or semi-automatic proof methods. Coq's programs are extractible to OCaml, Haskell, Scheme, ...
• Release Contributions:
  An overview of the new features and changes, along with the full list of contributors is available at https://coq.inria.fr/refman/changes.html#version-8-20 .
• News of the Year:
  Coq version 8.16 integrates changes to the Coq kernel and performance improvements along with a few new features. See the detailed changes at https://coq.inria.fr/refman/changes.html#version-8-16 for an overview of the new features and changes, along with the full list of contributors.
• URL:
  http://­coq.­inria.­fr/
• Contact:
  Matthieu Sozeau
• Participants:
  Yves Bertot, Frédéric Besson, Tej Chajed, Cyril Cohen, Pierre Corbineau, Pierre Courtieu, Maxime Dénès, Jim Fehrle, Julien Forest, Emilio Jesús Gallego Arias, Gaëtan Gilbert, Georges Gonthier, Benjamin Grégoire, Jason Gross, Hugo Herbelin, Vincent Laporte, Olivier Laurent, Assia Mahboubi, Kenji Maillard, Erik Martin Dorel, Guillaume Melquiond, Pierre-Marie Pedrot, Clément Pit-Claudel, Kazuhiko Sakaguchi, Vincent Semeria, Michael Soegtrop, Arnaud Spiwack, Matthieu Sozeau, Enrico Tassi, Laurent Théry, Anton Trunov, Li-Yao Xia, Theo Zimmermann

7.1.9 creusot

• Name:
  Creusot
• Keywords:
  Rust, Specification language, Deductive program verification
• Functional Description:

  Creusot is a tool for deductive verification of Rust code. It allows you to annotate your code with specifications, invariants and assertions and then verify them formally and automatically, proving, mathematically, that your code satisfies your specifications.

  Creusot works by translating Rust code to WhyML, the verification and specification language of Why3. Users can then leverage the full power of Why3 to (semi)-automatically discharge the verification conditions.

• Release Contributions:
  This is the first version, providing the main process to go from a Rust program annotated with Pearlite specifications to a set of verifications conditions to be discharged by external SMT solvers.
• URL:
  https://­github.­com/­xldenis/­creusot/
• Publications:
  hal-03737878, hal-03526634, hal-02962804
• Contact:
  Xavier Denis
• Participants:
  Xavier Denis, Jacques-Henri Jourdan, Claude Marche
• Partners:
  Université Paris-Saclay, CNRS

7.1.10 coq-num-analysis

• Name:
  Numerical analysis Coq library
• Keywords:
  Formal methods, Coq, Numerical analysis, Finite element modelling
• Scientific Description:
  These Coq developments are based on the Coquelicot library for real analysis. Version 1.0 includes the formalization and proof of: (1) the Lax-Milgram theorem, including results from linear algebra, geometry, functional analysis and Hilbert spaces, (2) the Lebesgue integral, including large parts of the measure theory,the building of the Lebesgue measure on real numbers, integration of nonnegative measurable functions with the Beppo Levi (monotone convergence) theorem, Fatou's lemma, the Tonelli theorem, and the Bochner integral with the dominated convergence theorem.
• Functional Description:
  Formal developments and proofs in Coq of numerical analysis problems. The current long-term goal is to formally prove parts of a C++ library implementing the Finite Element Method.
• News of the Year:

  The formalization in Coq of simplicial Lagrange finite elements is complete. This include the formalizations of the definitions and main properties of monomials, their representation using multi-indices, Lagrange polynomials, the vector space of polynomials of given maximum degree (about 6 kloc). This also includes algebraic complements on the formalization of the definitions and main properties of operators on finite families of any type, the specific cases of abelian monoids (sum), vector spaces (linear combination), and affine spaces (affine combination, barycenter, affine mapping), sub-algebraic structures, and basics of finite dimension linear algebra (about 31 kloc). A new version (2.0) of the opam package will be available soon, and a paper will follow.

  We have also contributed to the Coquelicot library by adding the algebraic structure of abelian monoid, which is now the base of the hierarchy of canonical structures of the library.

• URL:
  https://­lipn.­univ-paris13.­fr/­coq-num-analysis/
• Publications:
  hal-01344090, hal-01391578, hal-03105815, hal-03471095, hal-03516749, hal-03889276, hal-04713897, tel-04884651
• Contact:
  Sylvie Boldo
• Participants:
  Sylvie Boldo, François Clement, Micaela Mayero, Vincent Martin, Stéphane Aubry, Florian Faissole, Houda Mouhcine, Louise Leclerc

Toccata's Gallery of Verified Programs

• Contributors:
  Ali Ayad, Andrei Paskevich, Asma Tafat, Benedikt Becker, Christine Paulin-Mohring, Claire Dross, Claude Marché, Cláudio Belo Lourenço, Clément Fumex, François Bobot, Guillaume Melquiond, Jean-Christophe Filliâtre, Josué Moreau, Leon Gondelman, Léo Andrès, Martin Clochard, Mário Pereira, Nicolas Jeannerod, Paul Bonnot, Paul Patault, Quentin Garchery, Ran Chen, Raphaël Rieu-Helft, Romain Bardou, Sylvain Dailler, Sylvie Boldo, Thi Minh Tuyen Nguyen, Xavier Denis, Yannick Moy, Yuto Takei
• Description:
  This data set is a collection of programs formally verified, performed by tools developed in our team. The programs range from simple representative code, as good examples for teaching, to large case studies. These also include solutions to the successive VerifyThis challenges that appeared during the recent years.
• Project link:
  Toccata Gallery
• Publications:
  45, see also all references given inside the data set itself
• Contact:
  Claude Marché, Jean-Christophe Filliâtre
• Release contributions:
  The current version on the web is synchronised with Why3 version 1.8.0 released in December 2024

Improving Verification Condition Generation

Filliâtre, Paskevich and Patault introduce Coma, a formally defined intermediate verification language. Specification annotations in Coma take the form of assertions mixed with the executable program code. A special programming construct representing the abstraction barrier is used to separate, inside a subroutine, the “interface” part of the code, which is verified at every call site, from the “implementatio” part, which is verified only once, at the definition site. In comparison with traditional contract-based specification, this offers the user an additional degree of freedom, as they can provide separate specification (or none at all) for different execution paths. They define a verification condition generator for Coma and prove its correctness. For programs where specification is given in a traditional way, with abstraction barriers at the function entries and exits, the verification conditions are similar to the ones produced by a classical weakest-precondition calculus. For programs where abstraction barriers are placed in the middle of a function definition, the user-written specification is seamlessly completed with the verification conditions generated for the exposed part of the code. In addition, their procedure can factorize selected subgoals on the fly, which leads to more compact verification conditions. They illustrate the use of Coma on two non-trivial examples, which have been formalized and verified using their implementation: a second-order regular expression engine and a sorting algorithm written in unstructured assembly code. An article presenting this work is accepted for presenting at the ESOP Conference in 2025 34.

Inference of Invariants

The automatic discovery of invariants is an important topic to increase the automation of deductive verification. A fully automatic generation of invariants was studied in collaboration with an industrial partner: Cousineau and Marché 20 devised an original abstract interpretation based approach using a domain of parametrized binary decision diagrams. This includes an application to the verification of Ladder programs, discussed below in axis 4.

Formal Specification Language for C code

ACSL, short for ANSI/ISO C Specification Language 29, is meant to express precisely and unambiguously the expected behavior of a piece of C code. It plays a central role in Frama-C, as nearly all plug-ins eventually manipulate ACSL specifications, either to generate properties that are to be verified, or to assess that the code is conforming to these specifications. It is thus very important to have a clear view of ACSL's semantics in order to be sure that what you check with Frama-C is really what you mean. Marché contributed to a chapter 27 of the Frama-C book, describing the language in an agnostic way, independently of the various verification plug-ins that are implemented in the Frama-C platform. It contains many examples and exercises that introduce the main features of the language and insists on the most common pitfalls that users, even experienced ones, may encounter.

Automated Reasoning on Inductive Predicates

Filliâtre, Paskevich and Saudubray 24, 22 worked on an extension of the Why3 tool to allow proofs by induction on instances of inductive predicates, i.e. on finitely constructed derivations. It consists of a new matching construction to analyze the form of such a derivation, on the one hand, and a new notion of variant to justify the termination of a recursive function that proceeds according to the size of a derivation, on the other hand. They show how this extension can be implemented conservatively, with almost nothing changed in the verification condition generator of Why3. They illustrate the robustness of this contribution by translating from Coq to Why3 a non-trivial proof containing a large number of reasonings by induction on inductive predicates.

Cross-Language Symbolic Execution

One key problem in the field of software security is to expose software vulnerabilities effectively. Traditional testing methods have shown inadequacy in terms of path coverage and bug detection, due to their reliance on concrete input values. Hui and Andrès 14 proposed the idea of combining symbolic execution with runtime annotation checking. By using symbolic input values instead of concrete ones, the specified program properties can be checked on all the corner cases. They introduce two implementations of symbolic runtime annotation checkers: one for C, using the ANSI/ISO C Specification Language, and one for WebAssembly, using the Weasel specification language designed by them. Their approach combines the ease of use and the expressiveness of runtime annotation checking, as well as the power of program analysis.

Reasoning on the Amortized Time Complexity

Ownership can also be used to reason about resources other than program memory. Guéneau, Jourdan et al. 17 present formal reasoning rules for verifying amortized complexity bounds in a language with thunks. Thunks can be used to construct persistent data structures with good amortized complexity, by suspending expensive computations and memoizing their result. Based on the notion of time credits and debits, this work presents a complete machine-checked reconstruction of Okasaki's reasoning rules on thunks in a rich separation logic with time credits, and demonstrates their applicability by verifying several of Okasaki's data structures.

Peano Arithmetic and $\mu$MALL

Formal theories of arithmetic have traditionally been based on either classical or intuitionistic logic, leading to the development of Peano and Heyting arithmetic, respectively. In a collaboration with D. Miller, Manighetti 33 propose to use $\mu$MALL as a formal theory of arithmetic based on linear logic. This formal system is presented as a sequent calculus proof system that extends the standard proof system for multiplicative-additive linear logic (MALL) with the addition of the logical connectives universal and existential quantifiers (first-order quantifiers), term equality and non-equality, and the least and greatest fixed point operators. They demonstrate how functions defined using $\mu$MALL relational specifications can be computed using a simple proof search algorithm. By incorporating weakening and contraction into $\mu$MALL, they obtain $\mu$LK+, a natural candidate for a classical sequent calculus for arithmetic. While important proof theory results are still lacking for $\mu$LK+ (including cut-elimination and the completeness of focusing), they prove that μLK+ is consistent and that it contains Peano arithmetic. They also prove some conservativity results regarding μLK+ over $\mu$MALL.

Verification of Rust programs

One of the major success of Toccata during the last years is represented by the results obtained concerning the verification of Rust programs. Rust is a fairly recent programming language for system programming, bringing static guarantees of memory safety through a strong ownership policy. This feature opens promising advances for deductive verification of Rust code. The project underlying the PhD thesis of Denis 60, supervised by Jourdan and Marché, is to propose techniques for the verification of Rust program, using a translation to a purely-functional language. The challenge of this translation is the handling of mutable borrows: pointers which control of aliasing in a region of memory. To overcome this, we used a technique inspired by prophecy variables to predict the final values of borrows 61. This method is implemented in a standalone tool called Creusot 62. The specification language of Creusot features the notion of prophecy mentioned above, which is central for the specification of behavior of programs performing memory mutation. However, so far, this prophecy-based encoding has only been described in the idealized setting of a core calculus.

Recently, Golfouse, Jourdan and Guéneau, in collaboration with Xavier Denis and Dominic Stolz, show how one might "scale" this technique up to the setting of a realistic verification tool. After describing why doing so is non-trivial, we show how to integrate this encoding with two common features of deductive verification systems: ghost code and type invariants. Additionally, we provide concrete implementation strategies for key aspects of the encoding that were unspecified but turn out to be crucial when considering realistic programs. We implemented this work as an extension of Creusot and present it in a draft paper, which we plan to submit for publication in 2025.

Ownership and Well-Bracketedness

Ability to reason about ownership is also fertile ground for designing reasoning principles that capture powerful semantic properties of programs. In particular, Guéneau et al. 18 show that it is possible to capture well-bracketedness in a Hoare-style program logic based on separation logic, providing proof rules to show correctness of well-bracketed programs both directly and also through defining unary and binary logical relations models based on this program logic.

Multi-language Verification

Guéneau continued work on the Melocoton program multi-language verification framework 68, together with master interns Gurvan Debaussart and Valeran Maytie. They extended Melocoton and its Coq mechanization with new semantics and reasoning rules for the interactions between OCaml exceptions and the OCaml FFI, and for so-called "GC roots" provided by the OCaml FFI.

Inference of Specifications for Closures

In many programs, closures allow to express data transformations in a concise way. But when a verification tool is used, they must be accompanied by specifications that are often longer than their body. This is a particularly unpleasant problem, since these closures are often simple and their specification is redundant. Patault, Golfouse and Denis 16 presented a mechanism for inferring the specification of closures for the formal verification of Rust programs. They propose the use of the intermediate verification language Coma as a backend for the deductive verification tool Creusot. Their design is able to manage the internal mutable state of a closure and to infer its specification. They use this mechanism to verify in an ergonomic and modular way a series of Rust programs using higher-order functions.

Safe Libraries for Computer Algebra

Low-level libraries used in computer algebra systems, such as GMP, BLAS/LAPACK, etc., are usually written in C, Fortran, and Assembly, and make heavy use of arrays and pointers. Melquiond and Moreau 15, 21 have designed Capla, a programming language dedicated to writing such libraries. This language, halfway between C and Rust, is designed to be safe and to ease the deductive verification of programs, while being low-level enough to be suitable for this kind of computationally intensive applications. They have also written a compiler for this language, based on CompCert. The safety of the language has been formally proved using the Coq proof assistant, and so has the property of semantics preservation for the compiler.

Reasoning about Floating-Point Programs

Numerical programs make use of the floating-point representation of numbers to perform computations that ideally should be done on mathematical real numbers. The floating-point representation induces approximations on the computations ultimately performed. We have a long tradition of study of subtle algorithms involving such numerical computations. A set of numerical programs that we studied this year is related to the combination of exponential and logarithm functions, that is, the log-sum-exp function known in the context of Machine Learning 73, for which Bonnot et al. 12 provide certified bounds on its accuracy.

Boyer, Faissole, and Melquiond 35 have patented a method and system to transform a program, which includes mathematical functions applied to floating-point variables (and thus suffers from numerical approximations and rounding errors), in order to achieve a specified global accuracy.

Bonnot, Boyer, Faissole, and Marché 31 propose to bound the error between the computed result and the ideal computation by a formula involving the assumed precision of the input of the programs, together with the accuracy properties of the auxiliary mathematical functions that are called as basic blocks. Obtaining such an accuracy property needs a high expertise in floating-point computer arithmetic. The proposed methodology is able to automatically generate such form of accuracy formulas from a given input program. Moreover the generated formulas are certified correct with a high level of confidence, thanks to the automated construction of formal proofs of their validity. The methodology is implemented and experimented on several examples involving approximations of elementary functions such as sine, cosine, exponential and logarithm.

Writing a formal proof offers the highest possible confidence in the correctness of a mathematical library. This comes at a large cost though, since formal proofs require taking into account all the details, even the seemingly insignificant ones, which makes them tedious to write. Faissole, Geneau and Melquiond 13, 19 propose a methodology and some dedicated automation, and apply them to the use case of a faithful binary64 approximation of exponential. The peculiarity of this use case is that the target of the formal verification is not a simple modeling of an external code, it is an actual floating-point function defined in the logic of the Coq proof assistant, which is thus usable inside proofs once its correctness has been fully verified. This function presents all the attributes of a state-of-the-art implementation: bit-level manipulations, large tables of constants, obscure floating-point transformations, exceptional values, etc. This function has been integrated into the proof strategies of the CoqInterval library, bringing a 20x speedup with respect to the previous implementation.

Formalization of Mathematics for Numerical Analysis

The correctness of programs solving partial differential equations may rely on mathematics yet unformalized, such as Sobolev spaces. Boldo et al. 46 therefore formalized the mathematical concept of Lebesgue integration and the associated results in Coq ($\sigma$-algebras, measures, simple functions, and integration of non-negative measurable functions, up to the full formal proofs of the Beppo Levi Theorem and Fatou's Lemma). Boldo et al. 50, 49 extended this formalization with Tonelli's theorem, stating that the (double) integral of a nonnegative measurable function of two variables can be computed by iterated integrals, and allowing to switch the order of integration.

In her PhD thesis 28 defended in 2024, Houda Mouhcine presented results about Lagrange polynomials on simplicial finite elements, and their fundamental property called unisolvence. All the developments are distributed as part of the Coq-Num-Analysis library.

Compiling OCaml to WebAssembly

As part of his CIFRE PhD with OCamlPro, Andrès 38 formalizes a compilation scheme from OCaml to WebAssembly. This on-going work already validated several Wasm extensions 37. A by-product of the thesis is the implementation of a new, efficient interpreter for Wasm, owi. Filliâtre and Andrès collaborate with José Fragoso Santos and Filipe Marques (Universidade de Lisboa, Portugal), who are using owi for concolic execution of WebAssembly programs  11. Owi is built around a modular, monadic interpreter capable of both normal and symbolic execution of Wasm programs. Monads have been identified as a way to write modular interpreters since 1995 and this strategy has allowed us to build a robust and performant symbolic execution tool which our evaluation shows to be the best currently available for Wasm. Moreover, because WebAssembly is a compilation target for multiple languages (such as Rust and C), Owi can be used to find bugs in C and Rust code, as well as in codebases mixing the two. They demonstrate this flexibility through illustrative examples and evaluate its scalability via comprehensive experiments using the 2024 Test-Comp benchmarks. Results show that Owi achieves comparable performance to state-of-the-art tools like KLEE and Symbiotic, and exhibits advantages in specific scenarios where KLEE's approximations could lead to false negatives.

Programmable Logic Controllers

Programmable Logic Controllers are industrial digital computers used as automation controllers in manufacturing processes. The Ladder language is a programming language used to develop software for such controllers. A long-term collaboration with MERCE as for goal the verification that a given Ladder program conforms to an expected behaviour expressed by a timing chart, describing a scenario of execution. This method relies on a modelling of Ladder programs in WhyML, the language of the Why3 environment for deductive program verification. In this approach, the WhyML modelling of individual Ladder instructions has to be trusted. Recently, Cousineau et al.  32 propose a methodology to increase the trust in the WhyML modelling of Ladder instructions. The approach relies on a comparison of the execution of Ladder programs with an execution by Why3 of a simulation of the translated program. With this technique, they have been able to validate their modelling of Ladder instructions, and also discover and fix a subtle bug in the modelling of one particular instruction.

Purely Functional Catenable Deques, Formally Verified

Twenty-five years ago, Kaplan and Tarjan 69 established a striking result: there exist “purely functional, real-time deques with catenation”. In this on-going work, Guéneau, in collaboration with Jules Viennot, Arthur Wendling and François Pottier, present the first implementation of Kaplan and Tarjan's catenable deques. This implementation is expressed in the purely functional subset of the OCaml language. Furthermore, they present the first verified implementation of Kaplan and Tarjan's catenable deques. This implementation is expressed in Gallina, the programming language of the Coq proof assistant, and its correctness is stated and verified within Coq. Source code and a journal paper for this contribution are being finalized and will be submitted for publication at the beginning of 2025.

Coq as a Computer Algebra System

User interfaces for the Coq proof assistant focus on the ability to write and verify proofs, and mostly ignore Coq's ability to compute. Melquiond 26 shows how the tactic-in-term feature and some adhoc vernacular commands can provide a user experience closer to the one found in computer algebra systems. This work has been implemented in the CoqInterval library.

Teaching Mathematics with Coq

As part of the LiberAbaci défi, we have worked on how to use Coq for teaching mathematics.

M. Mayero et al. have been teaching an 18 hour introductory course in formal proofs to L1 students for 3 years at "Sorbonne Paris Nord" University. We present the used methodology and some of the encountered pitfalls, providing both technical and pedagogical aspects 25.

We also worked on worksheets in Coq for students to learn about divisibility and binomials. These basic topics are a good case study as they are widely taught in the early academic years (or before in France). Boldo et al. 23, 30 present technical and pedagogical choices, together with the numerous exercises they developed. As expected, it requires additional Coq material such as other lemmas and dedicated tactics. The worksheets are freely available and flexible in several ways.

10.1.1 H2020 projects

10.2.1 ANR NuSCAP

Participants: Guillaume Melquiond [contact], Sylvie Boldo.

The last twenty years have seen the advent of computer-aided proofs in mathematics and this trend is getting more and more important. They request various levels of numerical safety, from fast and stable computations to formal proofs of the computations. Hovewer, the necessary tools and routines are usually ad hoc, sometimes unavailable, or inexistent. On a complementary perspective, numerical safety is also critical for complex guidance and control algorithms, in the context of increased satellite autonomy. We plan to design a whole set of theorems, algorithms and software developments, that will allow one to study a computational problem on all (or any) of the desired levels of numerical rigor. Key developments include fast and certified spectral methods and polynomial arithmetic, with subsequent formal verifications. There will be a strong feedback between the development of our tools and the applications that motivate it.

The project led by École Normale Supérieure de Lyon (LIP) has started in February 2021 and lasts for 4 years. Partners: Inria (teams Aric, Galinette, Lfant, Marelle, Toccata), École Polytechnique (LIX), Sorbonne Université (LIP6), Université Sorbonne Paris Nord (LIPN), CNRS (LAAS).

10.2.2 ANR GOSPEL

Participants: Jean-Christophe Filliâtre [contact], Andrei Paskevich, Armaël Guéneau.

A specification language extends a programming language by allowing code and specifications to be written in a single document. Examples include SparkAda, JML, and ACSL, which extend Ada, Java, and C with syntax for specifications.

By offering a specification language to programmers, one encourages them to document, test, and verify their code as they write it, not as a separate step that is too easily postponed. From a technical point of view, the presence of specifications makes it possible to test or verify each module independently and is the key to scalability. From a pragmatic point of view, embedding specifications in the code allows them to be automatically distributed (via a package management system) to every programmer; this is the key to practical adoption.

The GOSPEL project proposes to develop Gospel, a specification language that extends the programming language OCaml; to develop an ecosystem of tools based on Gospel; and to demonstrate and validate these tools via several case studies.

The project led by Inria Paris has started in October 2022 and lasts for 4 years. Partners: Inria Paris (team Cambium), Université Paris-Saclay (LMF), Tarides, Nomadic Labs.

10.2.3 Project “SecurEval” of PEPR Cybersécurité

Participants: Sylvain Conchon [contact].

The SecureVal project aims to design new tools, benefiting from new digital technologies, to verify the absence of hardware and software vulnerabilities, and carry out the proof of compliance required.

In order to deal effectively with modern digital systems, code analysis techniques, which originated in the world of critical systems, must be overhauled to adapt to the objectives of security assessments and to scale up to complex systems, combining dedicated functionalities and third-party libraries. For example, the design of new fault models, the support of emerging languages, the visualization of formal guarantees, the use of learning techniques to automate repetitive actions or optimize the extraction of relevant information, or the development of approaches combining static and dynamic analyses.

The project is led by CEA-List, it started in 2022 and lasts for 6 years.

10.2.4 Project I-Demo “Décysif”

The Décysif project is a project started in december 2023, for 4 years. Its general goal is the promotion of formal verification for critical systems regarding cybersecurity. This project will fund our future research on Rust program verification, and it contains a workpackage dedicated towards industrialization of the Creusot tool.

The project is led by TrustInSoft company, with AdaCore and OCamlPro as other partners.

10.2.5 Inria Project LiberAbaci

Participants: Sylvie Boldo [contact].

The Défi Inria LiberAbaci is a collaborative project aimed at improving the accessibility of the Coq interactive proof system for an audience of mathematics students in the early academic years.

The head is Yves Bertot and the involved teams are: Cambium (Paris), Camus (Strasbourg), Gallinette (Nantes) PiCube (Paris), Spades (Grenoble), Stamp (Sophia Antipolis), Toccata (Saclay), LIPN (Villetaneuse).

11.1.1 Scientific events: organisation

11.1.2 Scientific events: selection

11.1.3 Journal

11.1.4 Invited talks

• S. Boldo, March 27th 2024, university-industry day organized around the Coq proof assistant by Hugo Herbelin
• J.-C. Filliâtre, October 2024, workshop “Big Specification: Specification, Proof, and Testing at Scale”, Cambridge, UK.
• A. Guéneau, March 27th 2024, university-industry day organized around the Coq proof assistant by Hugo Herbelin
• A. Guéneau, January 20th 2024, 10th International Workshop on Coq for Programming Languages

11.1.5 Leadership within the scientific community

• S. Boldo, elected chair of the ARITH working group of the GDR-IM (a CNRS subgroup of computer science) with L.-S. Didier (Univ. Toulon).
• S. Boldo, steering committee member of the IEEE International Symposium on Computer Arithmetic.
• J.-C. Filliâtre, steering committee member of JFLA (Journées Francophones des Langages Applicatifs).
• J.-C. Filliâtre, member of IFIP WG 1.9/2.15 Verified Software.

11.1.6 Scientific expertise

• C. Marché, member of the recruitment committee for CRCN/ISFP positions at Inria Saclay, 2024.
• C. Marché, external reviewer for the examination of a promotion to a Full Professor position, University of British Columbia, Canada, 2024.
• S. Boldo and J.-C. Filliâtre, (local) members of the LMF scientific council.
• S. Boldo, member of the ENSIIE scientific council.

11.1.7 Research administration

• S. Boldo, steering committee member of the IEEE International Symposium on Computer Arithmetic from 2019 to 2024.
• S. Boldo, president of the concours de l'agrégation d'informatique, 2022-2025.
• J.-C. Filliâtre, leader of the Proof and Languages department of LMF.
• A. Guéneau, member of the Commission des Utilisateurs des Moyens Informatiques of Inria Saclay.
• A. Guéneau, member of the Commission de Développement Technologique of Inria Saclay.
• G. Melquiond, member of the Bureau du Comité des Projets of Inria Saclay.
• G. Melquiond, member of the Commission Consultative de l'Université Paris-Saclay (section 27).
• G. Melquiond, member of the Conseil de Politique Doctorale of Université Paris Saclay.
• G. Melquiond, member of the doctoral school STIC of Université Paris Saclay.
• G. Melquiond, member of the Mission Jeunes Chercheurs of Inria.
• G. Melquiond, member of the laboratory council of LMF.
• A. Paskevich, leader of the team Program Verification of LMF.

11.2.1 Teaching

• J.-C. Filliâtre, Langages de programmation et compilation, 25h, L3, École Normale Supérieure, France.
• J.-C. Filliâtre, Les bases de l'algorithmique et de la programmation, 15h, L3, École Polytechnique, France.
• J.-C. Filliâtre, Compilation, 18h, M1, École Polytechnique, France.
• P. Geneau de Lamarlière, Qualité de développement, 32h, BUT1, IUT d'Orsay, Université Paris-Saclay, France.
• P. Geneau de Lamarlière, Qualité de développement, 24h, BUT2, IUT d'Orsay, Université Paris-Saclay, France.
• P. Geneau de Lamarlière, Projet transverse, 9h, BUT1, IUT d'Orsay, Université Paris-Saclay, France.
• P. Geneau de Lamarlière, Projet transverse, 8h, BUT3, IUT d'Orsay, Université Paris-Saclay, France.
• P. Geneau de Lamarlière, Développement efficace, 12h, BUT3, IUT d'Orsay, Université Paris-Saclay, France.
• P. Geneau de Lamarlière, Qualité algorithmique, 12h, BUT5, IUT d'Orsay, Université Paris-Saclay, France.
• A. Guéneau, Programmation avancée, 12h, L3, ENS Paris-Saclay, France.
• C. Marché, Proofs of Programs, 12h, M2, Master Parisien de Recherche en Informatique (MPRI).
• G. Melquiond, Initiation à la recherche, 12h, M1, MPRI, École Normale Supérieure Paris-Saclay, France.
• J. Moreau, Architecture des ordinateurs, 24h, L2, Université Paris-Saclay, France.
• J. Moreau, Compilation, 24h, L3, Université Paris-Saclay, France.
• A. Paskevich, Vérification Déductive, 12h, M1, MPRI, Université Paris-Saclay, France.
• A. Paskevich, Programmation système, 56h, BUT2, IUT d'Orsay, Université Paris-Saclay, France.

11.2.2 Supervision

• PhD: L. Andrès, “Exécution symbolique pour tous ou Compilation d’OCaml vers WebAssembly”, since Oct. 2021, supervised by J.-C. Filliâtre. Defended in December 2024 38.
• PhD: H. Mouhcine, “Formal Proofs in Applied Mathematics: A Coq Formalization of Simplicial Lagrange Finite Elements”, since Oct 2021, supervised by S. Boldo, F. Clément, and M. Mayero. Defended in December 2024 28.
• PhD in progress: P. Geneau de Lamarlière, “Design of formally verified floating-point components”, since Sep. 2022, supervised by G. Melquiond.
• PhD in progress: J. Moreau, “A low-level programming language for formally verified computer algebra”, since Oct. 2022, supervised by G. Melquiond.
• PhD in progress: A. Golfouse, “Vérification de programme Rust avancée: invariants de types, code fantôme, possession fantôme et algèbre de ressources, concurrence et aliasing”, since Oct. 2023, supervised by J.-H. Jourdan and A. Guéneau.
• PhD in progress: P. Patault, “Conception et étude d'un langage de programmation adapté à la vérification déductive”, since Oct. 2023, supervised by J.-C. Filliâtre and A. Paskevich.
• PhD in progress: D. Hamelin, “Implémentation de calculs numériques en virgule fixe avec maîtrise de l’erreur d’arrondi.”, since Dec. 2024, supervised by S. Boldo, T. Hilaire (Sorbonne University) and P.-Y. Piriou (EDF).

11.2.3 Juries

• S. Boldo, president of the PhD jury of Louise Dubois De Prisque, “Prétraitement compositionnel en Coq”, July 10th, 2024, University Paris-Saclay.
• S. Boldo, president of the PhD jury of Matthieu Robeyns, “Algorithmes en précision mixte pour des approximations de rang faible de matrices et tenseurs”, December 10th, 2024, University Paris-Saclay.
• J.-C. Filliâtre, reviewer of the PhD thesis of J. Giet, September 26, 2024, Univ. PSL.
• J.-C. Filliâtre, reviewer of the habilitation thesis of F. Dabrowski, Nov 5, 2024, Univ. Orléans.
• J.-C. Filliâtre, reviewer of the PhD thesis of G. Parthasarathy, Nov 6, 2024, ETH Zurich.
• J.-C. Filliâtre, examiner of the PhD thesis of O. Martinot, Dec 2, 2024, Univ. Paris Cité.
• C. Marché, reviewer of the PhD thesis of Vytautas Astraukas “Leveraging Uniqueness for Modular Verification of Heap-Manipulating Programs”, March 27th, 2024, ETH Zürich, Switzerland.
• G. Melquiond, reviewer of the PhD thesis of Nathanaëlle Courant, “Vers un vérificateur de preuves Coq efficace et formellement prouvé”, September 19th, 2024, Université Paris Cité.

International journals

• 11 articleL.Léo Andrès, F.Filipe Marques, A.Arthur Carcano, P.Pierre Chambart, J.José Fragoso Femenin dos Santos and J.-C.Jean-Christophe Filliâtre. Owi: Performant Parallel Symbolic Execution Made Easy, an Application to WebAssembly.The Art, Science, and Engineering of Programming92October 2024HALback to text

International peer-reviewed conferences

• 12 inproceedingsP.Paul Bonnot, B.Benoît Boyer, F.Florian Faissole, C.Claude Marché and R.Raphaël Rieu-Helft. Formally Verified Rounding Errors of the Logarithm-Sum-Exponential Function.Formal Methods in Computer-Aided Design - FMCAD 2024Prague, Czech RepublicIEEEOctober 2024HALback to textback to text
• 13 inproceedingsF.Florian Faissole, P.Paul Geneau de Lamarlière and G.Guillaume Melquiond. End-to-End Formal Verification of a Fast and Accurate Floating-Point Approximation.Leibniz International Proceedings in Informatics15th International Conference on Interactive Theorem Proving309Tbilisi, GeorgiaSeptember 2024, 14:1-14:18HALDOIback to textback to text
• 14 inproceedingsZ.Zhicheng Hui and L.Léo Andrès. Cross-Language Symbolic Runtime Annotation Checking.36es Journées Francophones des Langages Applicatifs (JFLA 2025)Roiffé, FranceJanuary 2025HALback to text
• 15 inproceedingsG.Guillaume Melquiond and J.Josué Moreau. A Safe Low-level Language for Computer Algebra and its Formally Verified Compiler.Proceedings of the ACM on Programming Languages29th ACM SIGPLAN International Conference on Functional Programming8ICFPMilan, ItalyAugust 2024, 121-146HALDOIback to text
• 16 inproceedingsP.Paul Patault, A.Arnaud Golfouse and X.Xavier Denis. Remonter les barrières pour ouvrir une clôture: Inférence de spécification des clôtures pour la preuve de programmes Rust avec COMA.JFLA 2025 - 36es Journées Francophones des Langages ApplicatifsRoiffé, FranceJanuary 2025HALback to text
• 17 inproceedingsF.François Pottier, A.Armaël Guéneau, J.-H.Jacques-Henri Jourdan and G.Glen Mével. Thunks and Debits in Separation Logic with Time Credits.Proceedings of the ACMPOPL 2024 - 51st ACM SIGPLAN Symposium on Principles of Programming Languages8POPLLondres, United KingdomACMJanuary 2024HALback to textback to text
• 18 inproceedingsA.Amin Timany, A.Armaël Guéneau and L.Lars Birkedal. The Logical Essence of Well-Bracketed Control Flow.Proceedings of the ACMPOPL 2024 - 51st ACM SIGPLAN Symposium on Principles of Programming LanguagesLondres, United KingdomACMJanuary 2024HALback to text

National peer-reviewed Conferences

• 19 inproceedingsP.Paul Geneau de Lamarlière. Vérification de bout en bout d'une fonction de bibliothèque mathématique.JFLA 2025 - 36es Journées Francophones des Langages ApplicatifsRoiffé, FranceJanuary 2025HALback to textback to text
• 20 inproceedingsC.Claude Marché and D.Denis Cousineau. De l'avantage de nuancer les décisions binaires.35es Journées Francophones des Langages Applicatifs (JFLA 2024)Saint-Jacut-de-la-Mer, FranceJanuary 2024HALback to text
• 21 inproceedingsJ.Josué Moreau. Des briques de calcul formel plus solides avec Capla.JFLA 2025 - 36es Journées Francophones des Langages ApplicatifsRoiffé, FranceJanuary 2025HALback to text
• 22 inproceedingsH.Henri Saudubray, J.-C.Jean-Christophe Filliâtre and A.Andrei Paskevich. Faire chauffer Why3 avec de l'induction.JFLA 2025 - 36es Journées Francophones des Langages ApplicatifsRoiffé, FranceJanuary 2025HALback to text

Conferences without proceedings

• 23 inproceedingsS.Sylvie Boldo, F.François Clément, D.David Hamelin, M.Micaela Mayero and P.Pierre Rousselin. Teaching Divisibility and Binomials with Coq.13th International Workshop on Theorem proving components for Educational software - ThEdu 2024Nancy, FranceJuly 2024HALback to text
• 24 inproceedingsJ.-C.Jean-Christophe Filliâtre, A.Andrei Paskevich and H.Henri Saudubray. Proofs on Inductive Predicates in Why3.Big Specification: Specification, Proof, and Testing at ScaleCambridge, United KingdomOctober 2024HALback to text
• 25 inproceedingsM.Marie Kerjean, M.Micaela Mayero and P.Pierre Rousselin. Maths with Coq in L1, a pedagogical experiment.ThEdu 2024 - 13th International Workshop on Theorem proving components for Educational softwareNancy, FranceJuly 2024HALback to text
• 26 inproceedingsG.Guillaume Melquiond. Turning the Coq Proof Assistant into a Pocket Calculator.Coq 2024 - 15th Coq WorkshopTbilisi, GeorgiaSeptember 2024HALback to text

Scientific book chapters

• 27 inbookA.Allan Blanchard, C.Claude Marché and V.Virgile Prévosto. Formally Expressing what a Program Should Do: the ACSL Language.Guide to Software Verification with Frama-C - Core Components, Usages, and ApplicationsSpringer2024, 3-80HALDOIback to text

Doctoral dissertations and habilitation theses

• 28 thesisH.Houda Mouhcine. Preuves formelles en mathématiques appliquées : formalisation en Coq des éléments finis de Lagrange simpliciaux.Université Paris-SaclayDecember 2024HALback to textback to text

Reports & preprints

• 29 reportP.Patrick Baudin, P.Pascal Cuoq, J.-C.Jean-Christophe Filliâtre, C.Claude Marché, B.Benjamin Monate, Y.Yannick Moy and V.Virgile Prévosto. ANSI/ISO C Specification Language Version 1.20.CEA List2024HALback to textback to text
• 30 reportS.Sylvie Boldo, F.François Clément, D.David Hamelin, M.Micaela Mayero and P.Pierre Rousselin. Teaching Divisibility and Binomials with Coq.RR-9547InriaApril 2024, 13HALback to text
• 31 reportP.Paul Bonnot, B.Benoît Boyer, F.Florian Faissole and C.Claude Marché. Generating and Certifying Accuracy Properties of Floating-Point Programs.RR-9564inriaDecember 2024HALback to text
• 32 reportD.Denis Cousineau, H.Hiroaki Inoue, C.Claude Marché and D.David Mentré. A Methodological Guide for the Validation of Logic Modelling of Ladder Instructions.RT-0522InriaMarch 2024HALback to text
• 33 miscM.Matteo Manighetti and D.Dale Miller. Peano Arithmetic and μMALL.November 2024HALDOIback to text
• 34 miscA.Andrei Paskevich, P.Paul Patault and J.-C.Jean-Christophe Filliâtre. Coma, an Intermediate Verification Language with Explicit Abstraction Barriers.December 2024HALback to text

Patents

• 35 patentB.Benoît Boyer, F.Florian Faissole and G.Guillaume Melquiond. Method and system for converting an input computer program into an output computer program achieving a target global accuracy.EP4235397FranceJune 2024HALback to text