2025Activity report​​​‌Project-TeamCAMBIUM

5.1.1 OCaml​‌

• Keywords:
  Programming language, Functional​​ programming, Compilers
• Functional Description:​​​‌
  The OCaml language is​ a functional programming language​‌ that combines safety with​​ expressiveness through the use​​​‌ of a precise and​ flexible type system with​‌ automatic type inference. The​​ OCaml system is a​​​‌ comprehensive implementation of this​ language, featuring two compilers​‌ (a bytecode compiler, for​​ fast prototyping and interactive​​​‌ use, and a native-code​ compiler producing efficient machine​‌ code for x86, ARM,​​ PowerPC, RISC-V and System​​​‌ Z), a debugger, and​ a documentation generator. Many​‌ other tools and libraries​​ are contributed by the​​​‌ user community and organized​ around the OPAM package​‌ manager.
• URL:
  https://­ocaml.­org/
• Publications:​​
  hal-04884634, hal-04681703,​​​‌ hal-04794404, hal-03917754,​ hal-03947986, hal-04407119,​‌ hal-03146495, hal-03510931,​​ hal-03145030, hal-01929508,​​ hal-03125031, hal-00772993,​​​‌ hal-00914493, hal-00914560,‌ inria-00074804, hal-01499973,‌​‌ hal-01499946
• Contact:
  Florian Angeletti​​
• Participant:
  13 anonymous participants​​​‌

5.1.2 Compcert

• Name:
  The‌ CompCert formally-verified C compiler‌​‌
• Keywords:
  Compilers, Formal methods,​​ Deductive program verification, C,​​​‌ Coq
• Functional Description:
  CompCert‌ is a compiler for‌​‌ the C programming language.​​ Its intended use is​​​‌ the compilation of life-critical‌ and mission-critical software written‌​‌ in C and meeting​​ high levels of assurance.​​​‌ It accepts most of‌ the ISO C 99‌​‌ language, with some exceptions​​ and a few extensions.​​​‌ It produces machine code‌ for the ARM, PowerPC,‌​‌ RISC-V, and x86 architectures.​​ What sets CompCert C​​​‌ apart from any other‌ production compiler, is that‌​‌ it is formally verified​​ to be exempt from​​​‌ miscompilation issues, using machine-assisted‌ mathematical proofs (the Coq‌​‌ proof assistant). In other​​ words, the executable code​​​‌ it produces is proved‌ to behave exactly as‌​‌ specified by the semantics​​ of the source C​​​‌ program. This level of‌ confidence in the correctness‌​‌ of the compilation process​​ is unprecedented and contributes​​​‌ to meeting the highest‌ levels of software assurance.‌​‌ In particular, using the​​ CompCert C compiler is​​​‌ a natural complement to‌ applying formal verification techniques‌​‌ (static analysis, program proof,​​ model checking) at the​​​‌ source code level: the‌ correctness proof of CompCert‌​‌ C guarantees that all​​ safety properties verified on​​​‌ the source code automatically‌ hold as well for‌​‌ the generated executable.
• URL:​​
  https://­compcert.­org/
• Contact:
  Xavier Leroy​​​‌
• Participant:
  5 anonymous participants‌
• Partner:
  AbsInt Angewandte Informatik‌​‌ GmbH

5.1.3 Diy

• Name:​​
  Do It Yourself
• Keyword:​​​‌
  Parallelism
• Functional Description:
  The‌ diy suite provides a‌​‌ set of tools for​​ testing shared memory models:​​​‌ the litmus tool for‌ running tests on hardware,‌​‌ various generators for producing​​ tests from concise specifications,​​​‌ and herd, a memory‌ model simulator. Tests are‌​‌ small programs written in​​ x86, Power or ARM​​​‌ assembler that can thus‌ be generated from concise‌​‌ specification, run on hardware,​​ or simulated on top​​​‌ of memory models. Test‌ results can be handled‌​‌ and compared using additional​​ tools.
• URL:
  http://­diy.­inria.­fr/
• Contact:​​​‌
  Luc Maranget
• Participant:
  2‌ anonymous participants
• Partner:
  University‌​‌ College London UK

5.1.4​​ Menhir

• Keywords:
  Compilation, Context-free​​​‌ grammars, Parsing
• Functional Description:‌
  Menhir is a LR(1)‌​‌ parser generator for the​​ OCaml programming language. That​​​‌ is, Menhir compiles LR(1)‌ grammar specifications down to‌​‌ OCaml code. Menhir was​​ designed and implemented by​​​‌ François Pottier and Yann‌ Régis-Gianas.
• Publications:
  hal-03478172,‌​‌ hal-01633123, hal-01417004
• Contact:​​
  François Pottier

5.1.5 CFML​​​‌

• Name:
  Interactive program verification‌ using characteristic formulae
• Keywords:‌​‌
  Coq, Software Verification, Deductive​​ program verification, Separation Logic​​​‌
• Functional Description:
  The CFML‌ tool supports the verification‌​‌ of OCaml programs through​​ interactive Coq proofs. CFML​​​‌ proofs establish the full‌ functional correctness of the‌​‌ code with respect to​​ a specification. They may​​​‌ also be used to‌ formally establish bounds on‌​‌ the asymptotic complexity of​​ the code. The tool​​​‌ is made of two‌ parts: on the one‌​‌ hand, a characteristic formula​​ generator implemented as an​​​‌ OCaml program that parses‌ OCaml code and produces‌​‌ Coq formulae, and, on​​​‌ the other hand, a​ Coq library that provides​‌ notations and tactics for​​ manipulating characteristic formulae interactively​​​‌ in Coq.
• URL:
  http://­www.­chargueraud.­org/­softs/­cfml/​
• Contact:
  Arthur Charguéraud
• Participant:​‌
  3 anonymous participants

5.1.6​​ TLAPS

• Name:
  TLA+ proof​​​‌ system
• Keyword:
  Proof assistant​
• Functional Description:
  TLAPS is​‌ a platform for developing​​ and mechanically verifying proofs​​​‌ about specifications written in​ the TLA+ language. The​‌ TLA+ proof language is​​ hierarchical and explicit, allowing​​​‌ a user to decompose​ the overall proof into​‌ proof steps that can​​ be checked independently. TLAPS​​​‌ consists of a proof​ manager that interprets the​‌ proof language and generates​​ a collection of proof​​​‌ obligations that are sent​ to backend verifiers. The​‌ current backends include the​​ tableau-based prover Zenon for​​​‌ first-order logic, Isabelle/TLA+, an​ encoding of TLA+ set​‌ theory as an object​​ logic in the logical​​​‌ framework Isabelle, an SMT​ backend designed for use​‌ with any SMT-lib compatible​​ solver, and an interface​​​‌ to a decision procedure​ for propositional temporal logic.​‌
• URL:
  https://­tla.­msr-inria.­inria.­fr/­tlaps/­content/­Home.­html
• Contact:
  Stephan​​ Merz
• Participant:
  2 anonymous​​​‌ participants
• Partner:
  Microsoft

5.1.7​ ZENON

• Name:
  The Zenon​‌ automatic theorem prover
• Keywords:​​
  Automated theorem proving, First-order​​​‌ logic
• Functional Description:

  Zenon​ is an automatic theorem​‌ prover based on the​​ tableaux method. Given a​​​‌ first-order statement as input,​ it outputs a fully​‌ formal proof in the​​ form of a Coq​​​‌ or Isabelle proof script.​ It has special rules​‌ for efficient handling of​​ equality and arbitrary transitive​​​‌ relations. Although still in​ the prototype stage, it​‌ already gives satisfying results​​ on standard automatic-proving benchmarks.​​​‌

  Zenon is designed to​ be easy to interface​‌ with front-end tools (for​​ example integration in an​​​‌ interactive proof assistant) and​ also to retarget to​‌ output scripts for different​​ frameworks (for example Dedukti).​​​‌

• URL:
  http://­zenon-prover.­org/
• Publications:
  inria-00338299v1​, hal-02305831v1, inria-00315920v1​‌, hal-00909784v1, tel-01420460v2​​, hal-00909688v1, hal-01204701v2​​​‌, hal-01171360v1, hal-01100512v1​, hal-01099338v1, hal-01243593v1​‌, hal-01420638v1, hal-01342849v1​​
• Contact:
  Damien Doligez
• Participant:​​​‌
  an anonymous participant

5.1.8​ hevea

• Name:
  hevea is​‌ a fast latex to​​ html translator.
• Keywords:
  LaTeX,​​​‌ Web
• Functional Description:

  HEVEA​ is a LATEX to​‌ html translator. The input​​ language is a fairly​​​‌ complete subset of LATEX​ 2 (old LATEX style​‌ is also accepted) and​​ the output language is​​​‌ html that is (hopefully)​ correct with respect to​‌ version 5. HEVEA understands​​ LATEX macro definitions. Simple​​​‌ user style files are​ understood with little or​‌ no modifications. Furthermore, HEVEA​​ customisation is done by​​​‌ writing LATEX code.

  HEVEA​ is written in Objective​‌ Caml, as many lexers.​​ It is quite fast​​​‌ and flexible. Using HEVEA​ it is possible to​‌ translate large documents such​​ as manuals, books, etc.​​​‌ very quickly. All documents​ are translated as one​‌ single html file. Then,​​ the output file can​​​‌ be cut into smaller​ files, using the companion​‌ program HACHA. HEVEA can​​ also be instructed to​​​‌ output plain text or​ info files.

  Information on​‌ HEVEA is available at​​ http://hevea.inria.fr/.

• URL:
  http://­hevea.­inria.­fr/
• Contact:​​​‌
  Luc Maranget

6.1.1 The CompCert​​ formally-verified compiler

Participants: Xavier​​ Leroy, Michael Schmidt​​​‌ [AbsInt GmbH],, Bernhard‌ Schommer [Saarland University and‌​‌ AbsInt GmbH]..

Since​​ 2005, in the context​​​‌ of our work on‌ compiler verification, we have‌​‌ been developing and formally​​ verifying CompCert, a moderately-optimizing​​​‌ compiler for a large‌ subset of the C‌​‌ programming language. CompCert generates​​ assembly code for the​​​‌ ARM, PowerPC, RISC-V, and‌ x86 architectures 49.‌​‌ The compiler is written​​ mostly within the specification​​​‌ language of the Rocq‌ proof assistant, out of‌​‌ which Rocq's extraction facility​​ generates executable OCaml code.​​​‌ The compiler comes with‌ a 100000-line machine-checked proof‌​‌ of semantic preservation, establishing​​ that the generated assembly​​​‌ code executes exactly as‌ prescribed by the semantics‌​‌ of the source C​​ program.

This year, we​​​‌ extended CompCert towards the‌ generation of position-independent code‌​‌ (PIC) and position-independent executables​​ (PIE). This allows CompCert​​​‌ to produce shared libraries‌ and improves code security.‌​‌

We also improved the​​ neededness analysis of 64-bit​​​‌ integer operations, which allows‌ for the removal of‌​‌ more useless integer computations.​​ We also extended common​​​‌ subexpression elimination (CSE) and‌ dead code elimination to‌​‌ optimize calls to known,​​ pure built-in functions and​​​‌ arithmetic helper functions.

These‌ improvements were released as‌​‌ part of CompCert version​​ 3.16 in September 2025.​​​‌

6.1.2 The OCaml system‌

Participants: Florian Angeletti,‌​‌ Damien Doligez, Sébastien​​ Hinderer, Xavier Leroy​​​‌, Luc Maranget,‌ Clément Allain, Samuel‌​‌ Vivien, David Allsop​​ [Cambridge University], Nick​​​‌ Barnes [Tarides], Stephen‌ Dolan [Cambridge University],‌​‌ Jacques Garrigue [University of​​ Nagoya], Sadiq Jaffer​​​‌ [Tarides], Guillaume Munch-Maccagnoni‌ [Inria team Gallinette],‌​‌ Olivier Nicole [Tarides],​​ Nicolás Ojeda Bär [Lexifi]​​​‌, KC Sivaramakrishnan [IIT‌ Madras], Gabriel Scherer‌​‌ [Inria team Picube].​​

This year we released​​​‌ one new minor version‌ of OCaml, OCaml 5.4.0.‌​‌ Some of the highlights​​ of this new version​​​‌ are:

• Labeled tuples
• Immutable‌ arrays
• Array literal syntax‌​‌ (through type-directed disambiguation) for​​ immutable arrays and arrays​​​‌ of floating-point numbers
• Atomic‌ record fields
• Four new‌​‌ standard library modules: Pair​​, Pqueue, Repr​​​‌, and Iarray
• Restored‌ “memory cleanup upon exit”‌​‌ mode
• A new chapter​​ in the manual on​​​‌ profiling OCaml programs on‌ Linux and macOS

As‌​‌ usual, this release also​​ contains many incremental changes:​​​‌

• Many runtime and code‌ generation improvements
• More than‌​‌ thirty new standard library​​ functions
• Nearly a dozen​​​‌ improved error messages
• Around‌ fifty bug fixes

6.1.3‌​‌ The diy tool suite​​

Participants: Hadrien Renaud [University​​​‌ College London], Artem‌ Khyzha, Nikos Nikorelis‌​‌, Vladimir Murzin [ARM​​ Ltd.], Jade Alglave​​​‌ [ARM Ltd. and University‌ College London], Luc‌​‌ Maranget.

The diy​​ suite provides a set​​​‌ of tools for testing‌ shared memory models: the‌​‌ litmus tool for running​​ tests on hardware, various​​​‌ generators for producing tests‌ from concise specifications, and‌​‌ herd, a memory​​ model simulator. Tests are​​​‌ small programs written in‌ x86, Power, ARM, generic‌​‌ (LISA) assembler, or a​​ subset of the C​​​‌ language that can thus‌ be generated from concise‌​‌ specifications, run on hardware,​​​‌ or simulated on top​ of memory models. Test​‌ results can be handled​​ and compared using additional​​​‌ tools. One distinctive feature​ of our system is​‌ Cat, a domain-specific language​​ for memory models.

This​​​‌ year saw many enhancements​ and maintenance work. As​‌ a developer, Luc Maranget​​ contributed to the global​​​‌ coherence of the tools,​ adding specific features such​‌ as “instructions as data”​​ for all architectures, ensuring​​​‌ that newly implemented instructions​ are available in all​‌ tools, extending test suites,​​ etc.

Luc Maranget acts​​​‌ as the main maintainer​ and coordinator of the​‌ toolbox: with others, he​​ reviews and validates the​​​‌ pull requests submitted by​ contributors. diy now has​‌ about 10 frequent contributors,​​ most of whom are​​​‌ employed by ARM as​ engineers or interns. Nikos​‌ Nikoleris, Artem Khyzha and​​ Vladimir Murzin are cited​​​‌ for their regular and​ significant contributions and reviews.​‌

6.1.4 TLA+

Participants: Damien​​ Doligez, Andrew Helwer​​​‌ [Disjunctive Consulting], Igor​ Konnov [Informal Systems],,​‌ Markus Kuppe [Oracle],,​​ Stephan Merz [Inria Nancy].​​​‌, Karolis Petrauskas [Individual​ contributor].

This project​‌ produces and maintains tools​​ for managing and verifying​​​‌ proofs in the proof​ language of TLA+  48​‌.

We have been​​ working on the maintenance​​​‌ and development of the​ TLAPM software, which takes​‌ place on GitHub, with​​ the help of external​​​‌ contributors.

6.1.5 Menhir

Participants:​ François Pottier.

From​‌ September to December 2025,​​ François Pottier spent significant​​​‌ effort cleaning up and​ restructuring the code of​‌ the parser generator Menhir​​. This effort should​​​‌ make the code easier​ to modify and reuse.​‌ As immediate benefits, several​​ stand-alone libraries have been​​​‌ isolated: intPQueue, which​ offers fast priority queues;​‌ patricia, which offers​​ immutable integer maps; and​​​‌ bitsets, which offers​ immutable bit sets and​‌ mutable vectors. Furthermore, Menhir​​ has been extended with​​​‌ a new GLR back-end,​ which allows non-deterministic parsing,​‌ that is, parsing with​​ an ambiguous context-free grammar.​​​‌ No paper about this​ work has not been​‌ published yet.

6.2.1 Implementing and formalizing​ Modular Explicits

Participants: Samuel​‌ Vivien, Didier Rémy​​, Gabriel Scherer [Inria​​​‌ team Picube].

Modular​ explicits are functions that​‌ take modules as arguments.​​ This language feature is​​​‌ a prerequisite for the​ elaboration of modular implicits​‌ (§6.2.2).

In​​ 2025, our work on​​​‌ modular explicits has been​ continued. On the implementation​‌ side, their integration in​​ the OCaml compiler has​​​‌ been approved; they will​ be included in the​‌ upcoming version 5.5. On​​ the formalization side, we​​​‌ detailed type inference for​ module-dependent functions and described​‌ their elaboration into ${\mathrm{F}}^{\omega }$, following the​​​‌ framework introduced by Blaudeau​ and Rémy for OCaml​‌ modules 41. This​​ work has been presented​​​‌ at the conference JFLA​ 2026 25.

6.2.2​‌ Designing and formalizing Modular​​ Implicits

Participants: Samuel Vivien​​​‌, Didier Rémy,​ Gabriel Scherer [Inria team​‌ Picube].

Modular implicits​​ are modules that are​​​‌ passed as implicit parameters​ to functions. Our work​‌ on modular implicits is​​ based on a proposal​​ and prototype implementation by​​​‌ White, Bour and Yallop‌ 52. Extending OCaml‌​‌ with modular implicits seems​​ desirable because OCaml's functors​​​‌ are extremely verbose, preventing‌ their use at a‌​‌ small scale. Modular implicits​​ would give us some​​​‌ of the flexibility and‌ ease of use of‌​‌ Haskell's type classes. To​​ this end, we have​​​‌ been working on defining‌ a clear specification of‌​‌ implicit argument synthesis and​​ on optimizing the synthesis​​​‌ algorithm so that it‌ scales up to real-world‌​‌ applications.

In 2025, we​​ separated our work in​​​‌ two steps, namely module‌ inference and interaction with‌​‌ the core language. We​​ worked mainly on module​​​‌ inference, by implementing a‌ prototype for the OCaml‌​‌ compiler and by formalizing​​ module inference. A presentation​​​‌ about this work has‌ been given at the‌​‌ workshop ML 2025 29​​.

6.2.3 Omnidirectional type​​​‌ inference

Participants: Didier Rémy‌, Gabriel Scherer [Inria‌​‌ team Picube], Alistair​​ O'Brien [Cambridge University].​​​‌

The Damas-Hindley-Milner (ML) type‌ system owes its success‌​‌ to principality, the​​ property that every well-typed​​​‌ expression has a unique‌ most general type. This‌​‌ makes inference predictable and​​ efficient. Yet, principality is​​​‌ fragile: many extensions‌ of ML—GADTs, higher-rank polymorphism,‌​‌ and static overloading—break it​​ by introducing fragile constructs​​​‌ that resist principal inference.‌ Existing approaches recover principality‌​‌ through directional inference algorithms,​​ which propagate known type​​​‌ information in a fixed‌ order. However, the rigidity‌​‌ of a static inference​​ order often causes otherwise​​​‌ well-typed programs to be‌ rejected.

We propose omnidirectional‌​‌ type inference, where type​​ information flows in a​​​‌ dynamic order, suspending typing‌ constraints when progress requires‌​‌ known type information and​​ resuming once such information​​​‌ becomes available. This approach‌ is straightforward for simply-typed‌​‌ systems, but extending it​​ to ML is challenging​​​‌ due to let-generalization.‌ We introduce incremental instantiation‌​‌, allowing partially solved​​ type schemes containing suspended​​​‌ constraints to be instantiated,‌ with a mechanism to‌​‌ incrementally update instances as​​ the scheme is refined.​​​‌ Omnidirectionality provides a general‌ framework for restoring principality‌​‌ in the presence of​​ fragile features. We demonstrate​​​‌ its versatility on two‌ fundamentally different features of‌​‌ OCaml: static overloading of​​ record labels and datatype​​​‌ constructors and semi-explicit first-class‌ polymorphism. This work has‌​‌ been presented at the​​ workshop WITS 2026 and​​​‌ has been submitted for‌ journal publication 28,‌​‌ 37.

As a​​ side topic, Didier Rémy​​​‌ revisited and improved semi-unification-based‌ type inference for ML,‌​‌ using scopes to track​​ polymorphism. He implemented this​​​‌ type inference technique in‌ a small experimental prototype,‌​‌ which he extended with​​ omnidirectional inference applied to​​​‌ static overloading. This work‌ has not yet been‌​‌ published.

6.2.4 Formalization of​​ recursive modules

Participants: Didier​​​‌ Rémy, Litao Zhou‌.

Litao Zhou has‌​‌ been a visiting intern​​ at Cambium from October​​​‌ 2025 until March 2026,‌ on leave from Hong-Kong‌​‌ University. He and Didier​​ Rémy have worked on​​​‌ the formalization of recursive‌ modules. Following a previous‌​‌ approach by Clément Blaudeau​​ and Didier Rémy 41​​​‌, where a module‌ language named $M^{\mathrm{\omega ‌‌}}$ was elaborated into ${\mathrm{F‌}}^{\omega }$, they extended​ $M^{\omega }$ with recursive​‌ modules in a way​​ that allows the so-called​​​‌ double vision, as​ proposed by Derek Dreyer.​‌ This work has not​​ yet been published.

6.2.5​​​‌ Tail Modulo Async-Await

Participants:​ Emma Nardino [ENS Lyon]​‌, Ludovic Henrio [CNRS]​​, Gabriel Radanne [Inria​​​‌ team Cash], Yannick​ Zakowski.

We extend​‌ the tail-call optimization by​​ extending it to asynchronous​​​‌ calls. We first introduce​ Tail-Modulo-Await, a novel code​‌ transformation for asynchronous tail​​ recursive functions that prevents​​​‌ the creation of unnecessary​ tasks. We then show​‌ how to combine Tail-Modulo-Await​​ with the existing Tail-Modulo-Cons​​​‌ optimization; we obtain an​ optimization that can turn​‌ a recursive function with​​ multiple tail calls under​​​‌ constructors into a parallel​ version of the function,​‌ also optimized in space.​​

This year, we have​​​‌ completed a paper formalization​ of the transformation, as​‌ well as proof-of-concept implementation​​ for OCaml. A draft​​​‌ paper about this work​ has been written 36​‌; we expect to​​ submit it for publication​​​‌ in 2026.

6.2.6 Mapping​ and explaining syntax errors​‌ with LRgrep

Participants: Frédéric​​ Bour, François Pottier​​​‌.

LR parsers and​ generated parsers are often​‌ criticized for their perceived​​ inability to produce good​​​‌ syntax error messages. Yet,​ we believe, this inability​‌ is not inherent to​​ LR parsing or to​​​‌ the use of a​ parser generator. Instead, we​‌ claim, this perception is​​ caused mainly by the​​​‌ lack of languages and​ tools that allow the​‌ problem of producing good​​ syntax error messages to​​​‌ be addressed at a​ suitable level of abstraction.​‌ To remedy this problem,​​ during his PhD thesis,​​​‌ defended in December 2024,​ Frédéric Bour developed the​‌ LRgrep language and its​​ compiler. In 2025, Frédéric​​​‌ Bour and François Pottier​ wrote a short tutorial​‌ paper on LRgrep. The​​ paper demonstrates how to​​​‌ use LRgrep to construct​ good syntax error explanations​‌ for an LR parser.​​ This paper has been​​​‌ presented at the conference​ JFLA 2026 22.​‌

6.3.1 Choice​​ Trees: reasoning about nondeterministic,​​​‌ recursive, impure programs in​ Rocq

Participants: Nicolas Chappe​‌ [ENS Lyon], Paul​​ He [University of Pennsylvania]​​​‌, Ludovic Henrio [CNRS]​, Eleftherios Ioannidis [University​‌ of Pennsylvania], Yannick​​ Zakowski, Steve Zdancewic​​​‌ [University of Pennsylvania].​

Choice Trees are a​‌ monad for modeling nondeterministic,​​ recursive, and impure programs​​​‌ in Rocq. They extend​ Interaction Trees to support​‌ non-determinism, providing notably bisimulations​​ and simulations to reason​​​‌ about them. In addition​ to a monadic interpretation​‌ of effects, they support​​ the refinement of non-deterministic​​​‌ choices.

Choice trees have​ initially been introduced at​‌ POPL 2023. This year,​​ we have published an​​​‌ extended version in the​ Journal of Functional Programming​‌ 44 describing the current​​ state of the library,​​​‌ and in particular a​ novel characterization of the​‌ core bisimulation supporting more​​ expressive proof rules.

6.3.2​​​‌ Executable semantics for a​ concurrent subset of LLVM​‌ IR

Participants: Nicolas Chappe​​ [ENS Lyon], Ludovic​​​‌ Henrio [CNRS], Yannick​ Zakowski.

The Vellvm​‌ project formalizes the semantics​​ of LLVM IR in​​ a denotational style, as​​​‌ a monadic interpreter built‌ on Interaction Trees. In‌​‌ this work, we explore​​ the perspective of extending​​​‌ Vellvm to support threads‌ and a weakly consistent‌​‌ memory model. We demonstrate​​ that Choice Trees (§​​​‌6.3.1) are a‌ viable structure to this‌​‌ end by instantiating the​​ approach over a minimal​​​‌ concurrent subset of LLVM‌ IR. This work has‌​‌ been presented at CPP​​ 2025 45.

6.3.3​​​‌ Layers of confluence for‌ actors

Participants: Åsmund Aqissaq‌​‌ Arild Kløvstad [University of​​ Oslo], Einar Broch​​​‌ Johnsen [University of Oslo]‌, Ludovic Henrio [CNRS]‌​‌, Violet Ka I​​ Pun [Western Norway University​​​‌ of Applied Sciences],‌ Yannick Zakowski.

We‌​‌ introduce a novel proof​​ method to prove the​​​‌ confluence, i.e., the observational‌ determinacy, of programs written‌​‌ in an actor-like programming​​ paradigm. The approach, based​​​‌ on a result by‌ de Bruijn that allows‌​‌ stratifying a rewrite system​​ and its proof of​​​‌ confluence in levels, is‌ formalized in the Rocq‌​‌ proof assistant. This year,​​ we have finished the​​​‌ formalization of our case‌ study and written a‌​‌ paper that has been​​ presented at the conference​​​‌ CPP 2026 23.‌

6.3.4 An abstract, certified‌​‌ account of operational game​​ semantics

Participants: Peio Borthelle​​​‌ [Laboratoire LAMA], Tom‌ Hirschowitz [Laboratoire LAMA],‌​‌ Guilhème Jaber [Laboratoire LS2N]​​, Yannick Zakowski.​​​‌

Operational game semantics (OGS)‌ is a method for‌​‌ interpreting programs as labeled​​ transition systems over suitable​​​‌ games. Such an interpretation‌ is considered sound if‌​‌ weak bisimilarity of associated​​ strategies entails contextual equivalence.​​​‌ In this line of‌ work, we contribute to‌​‌ the unification and mechanization​​ of OGS by proposing​​​‌ an abstract notion of‌ language with evaluator, for‌​‌ which we construct a​​ generic OGS interpretation, which​​​‌ we prove sound.

This‌ year, this major development‌​‌ has been completed, leading​​ to a publication at​​​‌ ESOP 2025 42 and‌ to Peio Borthelle's successful‌​‌ PhD defense 43.​​

6.3.5 Structural temporal logic​​​‌ for mechanized program verification‌

Participants: Eleftherios Ioannidis [University‌​‌ of Pennsylvania], Yannick​​ Zakowski, Steve Zdancewic​​​‌ [University of Pennsylvania],‌ Sebastian Angel [University of‌​‌ Pennsylvania].

Interaction Trees​​ provide a language embedded​​​‌ in Rocq to conveniently‌ model programming languages as‌​‌ expanded labeled transition systems,​​ with support for monadic​​​‌ implementations of these labels.‌ We consider here the‌​‌ verification of temporal properties​​ of computations described as​​​‌ such infinite trees. To‌ do so, we formalize‌​‌ an LTL logic through​​ a mixed inductive/coinductive characterization,​​​‌ and establish a proof‌ system to interactively establish‌​‌ such properties. This work​​ has been presented at​​​‌ the conference OOPSLA 2025‌ 16.

6.3.6 MTrees:‌​‌ mixing monadic effects and​​ labeled transition systems in​​​‌ Rocq

Participants: Peio Borthelle‌ [Laboratoire LAMA], Cyril‌​‌ Cohen [Cash], Ludovic​​ Henrio [CNRS], Théa​​​‌ Hervier [ENS Lyon],‌ Yannick Zakowski.

Interaction‌​‌ Trees introduced a mechanization​​ of the initial iterative​​​‌ monad over a given‌ set of free operations.‌​‌ Additional effects are then​​ realized by monadic interpretation​​​‌ of these operations. In‌ this work, we explore‌​‌ a different route: mechanizing​​​‌ the initial iterative monad​ supporting both a given​‌ set of free operations​​ and a given polynomial​​​‌ monad. This new approach​ leads to the study​‌ of highly generic notions​​ of weak bisimilarity, contributes​​​‌ to better understand and​ unify works such as​‌ Choice Trees, and suggest​​ new semantic domains for​​​‌ programming languages.

This year,​ Théa Hervier has covered​‌ concrete instances during her​​ master's internship 32.​​​‌ We have then mechanized​ the general case; Peio​‌ Borthelle introduced a novel​​ notion of weak bisimilarity​​​‌ with respect to which​ we established the initiality.​‌ In the upcoming months,​​ we expect to formalize​​​‌ a case study and​ submit our results to​‌ POPL 2027.

6.3.7 Axiomatic​​ memory models and virtual​​​‌ memory

Participants: Jade Alglave​ [ARM Ltd. and University​‌ College London], Richard​​ Grisenthwaite [ARM Ltd.],​​​‌ Artem Khyzha [ARM Ltd.]​, Luc Maranget,​‌ Nikos Nikoleris [ARM Ltd.]​​.

6.3.8 Semantics and​​​‌ sound implementation of AArch64​ instructions

Participants: Hadrien Renaud​‌ [University College London],​​ Jade Alglave [ARM Ltd.​​​‌ and University College London]​, Luc Maranget.​‌

Hadrien Renaud is a​​ PhD candidate under the​​​‌ supervision of Jade Alglave​ and Luc Maranget. Hadrien​‌ Renaud's thesis aims at​​ automating the production of​​​‌ intra-instruction dependencies, based on​ their definitions in pseudo-code.​‌ The task requires not​​ only significant implementation work​​​‌ but also an in-depth​ study of the semantics​‌ of instructions and of​​ the nature of various​​​‌ intra-instruction dependencies. Luc Maranget​ acts as a co-advisor,​‌ focusing on language definition​​ and implementation. We hold​​​‌ a weekly meeting.

This​ year, Hadrien Renaud achieved​‌ significant progress toward the​​ objective of extending our​​​‌ memory model simulator. More​ specifically, the herd simulator​‌ can now combine ARM​​ Virtual Memory System Architecture​​​‌ (VMSA) and instruction semantics​ as specified in ARM​‌ Architecture Specification Language. It​​ is important to notice​​​‌ that VMSA possesses an​ official specification in Cat​‌, our language for​​ memory models and that​​​‌ ASL now has a​ parallel implementation that generates​‌ intra-instruction dependencies. As a​​ result we now provide​​​‌ an implementation that is​ based upon official specifications.​‌

6.4.1 Constructive reverse mathematics​

Participants: Yannick Forster,​‌ Dominik Kirst [Inria team​​ Picube], Timothée Huneau​​​‌, Sam van Gool​ [ENS Paris-Saclay], Jean​‌ Caspar, Martin Baillon​​ [Inria team Picube],​​​‌ Pierre-Marie Pédrot [Inria team​ Gallinette], Assia Mahboubi​‌ [Inria team Gallinette].​​

Constructive mathematics is based​​​‌ on logically economical foundations​ for mathematics, which exclude​‌ some logical axioms that​​ are usually assumed in​​​‌ classical foundations of mathematics.​ In particular, constructive mathematics​‌ enforces constructions: for example,​​ proofs of existence must​​​‌ construct explicit witnesses.

Some​ theorems of classical mathematics​‌ are not provable in​​ constructive mathematics because they​​​‌ rely on axioms of​ classical mathematics. To study​‌ such theorems and understand​​ their exact status, constructive​​​‌ reverse mathematics proves that​ axioms imply a theorem,​‌ and that, conversely, the​​ theorem implies the axioms,​​​‌ thus establishing equivalences, also​ known as exact characterizations.​‌

Continuing a long line​​ of past work, Yannick​​ Forster and Dominik Kirst​​​‌ have supervised Timothée Huneau's‌ internship. Timothée studied the‌​‌ exact status of the​​ Löwenheim-Skolem theorem in model​​​‌ theory of first-order logic.‌ Timothée has now started‌​‌ a PhD on extending​​ this work into a​​​‌ general study of the‌ reverse status of results‌​‌ in model theory.

Independently,​​ Yannick Forster has worked​​​‌ on understanding constructive subtleties‌ when defining the notion‌​‌ of continuous total functions​​ in constructive mathematics. This​​​‌ resulted in a paper‌ at FSCD 2025 21‌​‌. This work is​​ continued in an internship​​​‌ by Jean Caspar, whose‌ aim is to generalize‌​‌ the notions of continuity​​ so that they apply​​​‌ to partial functions.

6.4.2‌ Synthetic computability theory

Participants:‌​‌ Yannick Forster, Dominik​​ Kirst [Inria team Picube]​​​‌, Haoyi Zeng [Saarland‌ University], Takako Nemoto‌​‌ [Tohoku University], Martin​​ Trucchi [Inria team Picube]​​​‌, Sara Rousta [Inria‌ team Picube].

Proofs‌​‌ in traditional computability theory​​ are notoriously hard to​​​‌ formalize, due to their‌ reliance on models of‌​‌ computation such as Turing​​ machines. In synthetic computability,​​​‌ one abstracts away from‌ models of computation, which‌​‌ is possible thanks to​​ a formal foundation for​​​‌ mathematics where functions and‌ propositions are strictly separated.‌​‌ This is the case​​ in many constructive foundations​​​‌ for mathematics, including the‌ one that underlies the‌​‌ Rocq proof assistant.

Continuing​​ a long line of​​​‌ work on synthetic computability‌ in proof assistants, Yannick‌​‌ Forster, Dominik Kirst, Haoyi​​ Zeng, and Takako Nemoto​​​‌ have written a paper‌ on the status of‌​‌ Post's problem in synthetic​​ computability theory 39.​​​‌

Yannick Forster and Dominik‌ Kirst co-supervise the internships‌​‌ of Martin Trucchi and​​ Sara Routa in the​​​‌ Picube team. Martin studies‌ synthetic notions of randomness,‌​‌ such as Kolmogorov and​​ Martin-Löf randomness. Sara studies​​​‌ how to define realisability‌ semantics for arithmetic using‌​‌ synthetic axioms.

Yannick Forster​​ has given an invited​​​‌ talk about this line‌ of work at the‌​‌ 33rd EACSL Annual Conference​​ on Computer Science Logic​​​‌ (CSL 2025) and at‌ the Simons Institute for‌​‌ the Theory of Computing​​ and SLMath Joint Workshop:​​​‌ AI for Mathematics and‌ Theoretical Computer Science in‌​‌ April 2025.

6.4.3 A​​ lazy, concurrent convertibility checker​​​‌

Participants: Nathanaëlle Courant [OCamlPro]‌, Xavier Leroy.‌​‌

During her PhD (defended​​ in 2024), Nathanaëlle Courant​​​‌ developed a novel algorithm‌ to decide convertibility, that‌​‌ is, to test whether​​ two terms (such as​​​‌ types or logical propositions)‌ are equal up to‌​‌ some computation steps. Convertibility​​ plays a crucial role​​​‌ in the implementation of‌ proof assistants such as‌​‌ the Rocq prover.

This​​ year, Nathanaëlle Courant and​​​‌ Xavier Leroy reformulated this‌ algorithm using a simple‌​‌ process calculus, and extended​​ it to handle $\mathrm{\eta ‌}$-conversion, that is, the‌ equivalence between $\lambda \mathrm{x‌‌}.Mx$ and​​ $M$. Convertibility up​​​‌ to $\eta$ is used‌ in Agda, Lean, and‌​‌ Rocq.

A paper about​​ this work has been​​​‌ presented at the conference‌ POPL 2026 14.‌​‌

6.4.4 Meta-programming in Rocq​​

Participants: Yannick Forster,​​​‌ Matthieu Sozeau [Inria team‌ Gallinette], Weituo Dai‌​‌, Thomas Lamiaux [Inria​​​‌ team Gallinette], Mathis​ Bouverot-Dupuis.

The state​‌ of meta-programming in the​​ Rocq Prover (previously known​​​‌ as the Coq proof​ assistant) is diverse and​‌ has grown organically over​​ the years. Various meta-programming​​​‌ languages are used to​ implement the kernel, tactics,​‌ and plugins.

In September​​ 2025, Mathis Bouverot-Dupuis started​​​‌ a PhD, supervised by​ Yannick Forster and François​‌ Pottier. He aims to​​ develop a robust meta-programming​​​‌ framework based on the​ lessons learned through 40​‌ years of organic development​​ of such frameworks in​​​‌ Rocq,

Mathis gave a​ talk about his 2024​‌ internship on investigating the​​ needs for such a​​​‌ framework at the conference​ TYPES 2025. A paper​‌ in the form of​​ an experience report has​​​‌ been accepted for presentation​ at the conference ESOP​‌ 2026 31.

6.4.5​​ The MetaRocq project

Participants:​​​‌ Yannick Forster, Matthieu​ Sozeau [Inria team Gallinette]​‌, Nicolas Tabareau [Inria​​ team Gallinette], Yee-Jian​​​‌ Tan, Thomas Lamiaux​ [Inria team Gallinette].​‌

The MetaRocq project (previously​​ known as MetaCoq) is​​​‌ an umbrella project that​ contains several subprojects. These​‌ include a formal definition​​ of Rocq's type theory​​​‌ and a verified type-​ and proof-checker for Rocq.​‌

Several crucial parts of​​ Rocq's type theory have​​​‌ not yet been formally​ studied. These include the​‌ guard checker, which ensures​​ that recursive functions terminate,​​​‌ and the strict positivity​ condition, which ensures that​‌ inductive type definitions are​​ consistent. The proof assistant​​​‌ Lean, a younger sibling​ to Rocq, largely shares​‌ the same type theory.​​

In 2024, Yee-Jian Tan​​​‌ carried out an internship,​ supervised by Yannick Forster,​‌ on understanding the current​​ implementation of Rocq's guard​​​‌ checker. This year, he​ presented this work at​‌ the conference TYPES 2025.​​

Together with Matthieu Sozeau​​​‌ and Nicolas Tabareau, Yannick​ Forster co-supervises Thomas Lamiaux's​‌ PhD thesis in the​​ Gallinette team in Nantes.​​​‌ They have submitted a​ paper which clarifies the​‌ strict positivity condition, focusing​​ in particular on nested​​​‌ inductive types, both in​ Rocq and in Lean​‌ 33.

6.4.6 Code​​ generation from proof assistants​​​‌

Participants: Yannick Forster,​ Matthieu Sozeau [Inria team​‌ Gallinette], Nicolas Tabareau​​ [Inria team Gallinette],​​​‌ Hugo Segoufin, Simon​ Dima, Zoe Paraskevopoulou​‌ [National Technical University of​​ Athens], Bas Spitters​​​‌ [University of Aarhus].​

Based on the extraction​‌ pipeline from Rocq to​​ OCaml developed by Yannick​​​‌ Forster, Matthieu Sozeau, and​ Nicolas Tabareau, Yannick Forster​‌ carries on a collaboration​​ whose aim is to​​​‌ extend the code generation​ abilities of proof assistants,​‌ with a concern of​​ verifying the correctness of​​​‌ the generation algorithms.

Yannick​ Forster has given an​‌ invited talk about this​​ line of work at​​​‌ the Workshop on Logical​ Frameworks and Meta Languages:​‌ Theory and Practice (LFMTP​​ 2025).

6.4.7 Implementing and​​​‌ verifying Kaplan and Tarjan's​ catenable deques

Participants: Jules​‌ Viennot, Arthur Wendling​​ [Tarides], François Pottier​​​‌, Armaël Guéneau [Inria​ team Toccata].

In​‌ 1999, Kaplan and Tarjan​​ introduced purely functional, real-time​​​‌ catenable deques, a​ data structure that supports​‌ five fundamental operations, namely​​ insertion and extraction of​​ one element at either​​​‌ end and concatenation. All‌ operations are performed with‌​‌ a worst-case time complexity​​ of $O\left(\mathrm{1‌}\right)$. Furthermore, this‌ data structure is persistent:‌​‌ no operation modifies or​​ destroys its argument.

Kaplan​​​‌ and Tarjan's paper provides‌ an English description of‌​‌ this data structure, without​​ code. This data structure​​​‌ is in fact extremely‌ difficult to implement: in‌​‌ the 25 years that​​ have elapsed since the​​​‌ paper was published, no‌ implementation appeared.

In 2024,‌​‌ Arthur Wendling was able​​ to implement this data​​​‌ structure in OCaml. His‌ implementation makes sophisticated use‌​‌ of OCaml's generalized algebraic​​ data types (GADTs). Then,​​​‌ Jules Viennot, supervised by‌ Armaël Guéneau and François‌​‌ Pottier, ported Wendling's code​​ from OCaml to Rocq​​​‌ and verified its correctness.‌ This work stresses the‌​‌ limits of Rocq's expressiveness.​​ It is the first​​​‌ published or verified implementation‌ of Kaplan and Tarjan's‌​‌ catenable deques.

A paper​​ on this topic has​​​‌ been submitted to the‌ journal Logical Methods in‌​‌ Computer Science in May​​ 2025. The reviewers requested​​​‌ additional clarifications and a‌ performance evaluation. The paper‌​‌ has been revised and​​ submitted again in January​​​‌ 2026.

6.5.1‌​‌ Implementing and verifying Kaplan,​​ Okasaki, and Tarjan's simple​​​‌ catenable deques

Participants: Juliette‌ Ponsonnet [ENS Lyon],‌​‌ François Pottier.

In​​ 2000, Kaplan, Okasaki, and​​​‌ Tarjan proposed a “simple”‌ persistent catenable deque data‌​‌ structure. This data structure​​ has mutable internal state​​​‌ and relies on a‌ restricted form of mutation.‌​‌ It supports insertion and​​ extraction at either end,​​​‌ as well as concatenation,‌ with worst-case amortized time‌​‌ complexity $O\left(\mathrm{1}\right)$. Compared with​​​‌ Kaplan and Tarjan's catenable‌ deques (§6.4.7),‌​‌ this data structure is​​ simpler, possibly faster in​​​‌ practice, but offers a‌ weaker time complexity guarantee.‌​‌

In 2025, during a​​ six-week internship, Juliette Ponsonnet,​​​‌ advised by François Pottier,‌ implemented Kaplan, Okasaki, and‌​‌ Tarjan's simple catenable deques​​ in OCaml. Furthermore, she​​​‌ carried out two program‌ verification efforts about this‌​‌ data structure, and obtained​​ the following two results.​​​‌ First, using Iris, she‌ proved that the code‌​‌ is correct, in sequential​​ and concurrent usage scenarios.​​​‌ Second, using Iris with‌ time credits, she verified‌​‌ that, provided concurrent accesses​​ are forbidden, every operation​​​‌ has amortized time complexity‌ $O(1)‌‌$. This required repairing​​ a possible mistake in​​​‌ Kaplan, Okasaki, and Tarjan's‌ description.

A paper on‌​‌ these results has been​​ accepted for publication and​​​‌ presentation at the conference‌ JFLA 2026 24.‌​‌

6.5.2 Verification of concurrent​​ OCaml 5 programs in​​​‌ separation logic

Participants: Clément‌ Allain, Gabriel Scherer‌​‌ [Inria team Picube].​​

The release of OCaml​​​‌ 5, which introduced parallelism‌ into the language, created‌​‌ a need for safe​​ and efficient concurrent data​​​‌ structures. Several new libraries,‌ such as Saturn 47‌​‌, aim at addressing​​ this need. From the​​​‌ perspective of formal verification,‌ this is an opportunity‌​‌ to apply and further​​ state-of-the-art techniques to provide​​​‌ stronger guarantees.

Clément Allain‌ designed and implemented Zoo,‌​‌ a framework for verifying​​​‌ fine-grained concurrent OCaml 5​ algorithms. Following a pragmatic​‌ approach, he defined ZooLang,​​ a limited fragment of​​​‌ the OCaml language, embedded​ inside Rocq, which is​‌ sufficient to faithfully express​​ these algorithms. He formalized​​​‌ its semantics via a​ deep embedding in the​‌ Rocq proof assistant, uncovering​​ several subtle aspects of​​​‌ physical equality in the​ process. He provided a​‌ tool that translates OCaml​​ programs into ZooLang abstract​​​‌ syntax. The programs can​ then be specified and​‌ verified using the concurrent​​ separation logic Iris. To​​​‌ illustrate the applicability of​ Zoo, he verified a​‌ subset of the OCaml​​ standard library and a​​​‌ collection of fined-grained concurrent​ data structures from the​‌ libraries Saturn 47 and​​ Eio 50.

This​​​‌ work has been presented​ at the conference POPL​‌ 2026 12 and in​​ Clément Allain's PhD thesis,​​​‌ which he defended in​ December 2025 30.​‌

6.5.3 A verified parallel​​ scheduler for OCaml 5​​​‌

Participants: Clément Allain,​ Gabriel Scherer [Inria team​‌ Picube].

Clément Allain​​ implemented a realistic parallel​​​‌ scheduler for OCaml 5​ and verified it using​‌ the Zoo framework (§​​6.5.2). This scheduler​​​‌ relies on a work-stealing​ strategy to perform load​‌ balancing but also supports​​ other scheduling strategies thanks​​​‌ to its flexible interface.​ Several basic benchmarks demonstrate​‌ that its performance is​​ on par with other​​​‌ schedulers from the OCaml​ ecosystem.

As part of​‌ this effort, Clément Allain​​ verified the Chase-Lev work-stealing​​​‌ deque, as implemented in​ the Saturn library 47​‌. He showed that​​ this data structure has​​​‌ a subtle external and​ future-dependent linearization point. To​‌ deal with it, we​​ introduce new abstractions that​​​‌ help exploit prophecy variables​ in Iris.

This work​‌ has been submitted for​​ publication at the conference​​​‌ PLDI 2026.

6.5.4 Osiris:​ formal semantics and reasoning​‌ rules for OCaml

Participants:​​ Remy Seassau, François​​​‌ Pottier, Irene Yoon​, Jean-Marie Madiot.​‌

The Osiris project aims​​ to develop an instance​​​‌ of the Iris separation​ logic, inside the Rocq​‌ proof assistant, and to​​ customize it for the​​​‌ OCaml programming language, so​ as to provide end​‌ users with a powerful,​​ state-of-the-art, ready-to-use program verification​​​‌ environment for OCaml.

As​ part of this long-running​‌ project, a first paper​​ about Osiris has been​​​‌ published and presented at​ the conference ICFP 2025​‌ 19. This paper​​ presents a mechanized dynamic​​​‌ semantics for a fragment​ of OCaml, structured as​‌ a monadic interpreter, running​​ on top of a​​​‌ monad whose behavior is​ described by a small-step​‌ operational semantics. For this​​ dynamic semantics, we construct​​​‌ two program logics, Horus​ and Osiris. Horus, a​‌ Hoare logic, allows reasoning​​ about side-effect-free expressions only;​​​‌ Osiris, an instance of​ Iris, allows reasoning about​‌ all kinds of expressions.​​

After this paper was​​​‌ published, we have added​ support for concurrency in​‌ the dynamic semantics and​​ in the program logic.​​​‌

6.5.5 Gospel: a formal​ specification language for OCaml​‌

Participants: Tiago Soares,​​ François Pottier, Mário​​​‌ Pereira [NOVA LINCS].​

Gospel is a formal​‌ specification language for OCaml.​​ It allows a library's​​ interface files to contain​​​‌ not only types, but‌ also logical specifications, which‌​‌ describe the library's behavior.​​ Gospel can be viewed​​​‌ as a pleasant surface‌ syntax for Separation Logic‌​‌ specifications.

In 2025, we​​ added lenses to the​​​‌ language; they are a‌ lightweight notation for the‌​‌ Separation Logic assertions that​​ relate a runtime data​​​‌ structure and its logical‌ model. Furthermore, we defined‌​‌ an intermediate language, GospelSL,​​ which can be translated​​​‌ both into CFML and‌ into Iris, and re-implemented‌​‌ our translation of Gospel​​ into CFML and Iris.​​​‌ In the process, we‌ had to more clearly‌​‌ define certain features of​​ Gospel, such as the​​​‌ way in which program‌ values can be used‌​‌ in logical formulae. This​​ update to the Gospel​​​‌ ecosystem has been presented‌ at the conference JFLA‌​‌ 2026 51.

6.5.6​​ Verification of parallel real-time​​​‌ programs

Participants: Jean-Marie Madiot‌, Dumitru Potop-Butucaru [Inria‌​‌ team AT-PRO], Poyraz​​ Yilan.

In some​​​‌ settings, real-time programs can‌ be transformed to parallel‌​‌ and concurrent C programs​​ that satisfy a strong​​​‌ notion of confluence. As‌ a first step towards‌​‌ the formal verification of​​ the soundness of these​​​‌ transformations, while taking into‌ account the relaxed memory‌​‌ model of the C​​ language, Jean-Marie Madiot, Dumitru​​​‌ Potop-Butucaru, and Poyraz Yilan‌ (then an intern at‌​‌ Cambium) developed a framework​​ for a class of​​​‌ such programs.

This framework‌ offers a set of‌​‌ reasoning rules whose correctness​​ is proved based on​​​‌ Iris and on another,‌ intricate, logic for the‌​‌ C11 release/acquire synchronization discipline.​​ These new rules, which​​​‌ are tailored for this‌ class of programs, establish‌​‌ program safety and are​​ much simpler to use​​​‌ than the general C11‌ rules.

Poyraz is starting‌​‌ a CIFRE PhD thesis​​ with Airbus on this​​​‌ subject.

6.5.7 Separation logic‌ for one-shot undelimited continuations‌​‌

Participants: Xavier Leroy,​​ Paulo de Vilhena [Imperial​​​‌ College].

For his‌ forthcoming book on control‌​‌ structures for programming languages,​​ Xavier Leroy conducted a​​​‌ survey of program logics‌ for reasoning about control‌​‌ operators. Several logics have​​ been proposed for the​​​‌ call/cc operator, which captures‌ undelimited, multi-shot (reusable) continuations.‌​‌ However, these logics are​​ rather ad hoc and​​​‌ difficult to use. In‌ contrast, the PhD work‌​‌ of Paulo de Vilhena,​​ supervised by François Pottier,​​​‌ develops elegant separation logic‌ rules for the user-defined‌​‌ effects and handlers of​​ OCaml 5, which implement​​​‌ delimited, one-shot (affine) continuations.‌

What about undelimited, one-shot‌​‌ continuations, as captured by​​ the call/1cc operator of​​​‌ Bruggeman, Waddell and Dybvig?‌ Xavier Leroy and Paulo‌​‌ de Vilhena found that​​ call/1cc admits a simple​​​‌ reasoning rule in separation‌ logic. Furthermore, this rule‌​‌ is similar to the​​ rule for goto jumps​​​‌ in Hoare logic. Xavier‌ Leroy and Paulo de‌​‌ Vilhena proved the soundness​​ of this call/1cc rule​​​‌ in two different ways,‌ one using the Iris‌​‌ framework and the other​​ using a basic separation​​​‌ logic built directly on‌ a continuation-based transition semantics.‌​‌ This work has not​​ yet been published.

7.1.1​​​‌ The Caml Consortium

Participants:​ Damien Doligez.

The​‌ Caml Consortium is a​​ formal structure where industrial​​​‌ and academic users of​ OCaml can support the​‌ development of the language​​ and associated tools, express​​​‌ their specific needs, and​ contribute to the long-term​‌ stability of OCaml. Membership​​ fees are used to​​​‌ fund specific developments targeted​ towards industrial users. Members​‌ of the Consortium automatically​​ benefit from very liberal​​​‌ licensing conditions on the​ OCaml system, allowing for​‌ instance the OCaml compiler​​ to be embedded within​​​‌ proprietary applications.

Damien Doligez​ chairs the Caml Consortium.​‌

The Consortium currently has​​ 5 member companies:

• Esterel​​​‌ / ANSYS
• Facebook
• Jane​ Street
• LexiFi
• SimCorp

One​‌ might think that the​​ Caml Consortium could be​​​‌ superseded by the OCaml​ Software Foundation, discussed below.​‌ However, the Caml Consortium​​ remains alive, because it​​​‌ is able to offer​ special licensing conditions. The​‌ above companies still need​​ the Consortium's license. Most​​​‌ of them are also​ sponsors of the OCaml​‌ Foundation.

7.1.2 The OCaml​​ Software Foundation

Participants: Damien​​​‌ Doligez, Xavier Leroy​.

The OCaml Software​‌ Foundation, established in​​ 2018 under the umbrella​​​‌ of the Inria Foundation,​ aims to promote, protect,​‌ and advance the OCaml​​ programming language and its​​​‌ ecosystem, and to support​ and facilitate the growth​‌ of a diverse and​​ international community of OCaml​​​‌ users.

Damien Doligez and​ Xavier Leroy serve as​‌ advisors on the foundation's​​ Executive Committee.

We receive​​​‌ substantial basic funding from​ the OCaml Software Foundation​‌ in order to support​​ research activity related to​​​‌ OCaml.

9.1.1 Organisation​ of scientific events

Participants:​‌ Yannick Forster, François​​ Pottier, Yannick Zakowski​​​‌.

Yannick Forster was​ the senior co-chair of​‌ the Programming Languages Mentoring​​ Workshop (PLMW) co-located with​​​‌ POPL 2025 in Denver.​ Yannick Forster is an​‌ ex-officio member of the​​ steering committee of ITP.​​

Along with Philippe Aghion,​​​‌ Nalini Anantharaman, Patrick Boucheron‌ and Stéphane Mallat, Xavier‌​‌ Leroy co-organized the October​​ 2025 Colloquium of Collège​​​‌ de France, whose theme‌ was Formes de l'intelligence‌​‌.

François Pottier was​​ the local organizer and​​​‌ the program chair of‌ the workshop Iris 2025,‌​‌ which took place at​​ Inria Paris in June​​​‌ 2025.

Yannick Zakowski served‌ as webchair for POPL‌​‌ 2026, general chair for​​ CPP 2026, vice president​​​‌ for JFLA 2026.

9.1.2‌ Participation in program committees‌​‌

Participants: Yannick Forster,​​ Jean-Marie Madiot, François​​​‌ Pottier, Yannick Zakowski‌.

Yannick Forster was‌​‌ the co-chair of the​​ program committee for the​​​‌ International Conference on Interactive‌ Theorem Proving (ITP 2025).‌​‌ Yannick Forster was also​​ a member for the​​​‌ program committees for the‌ conferences PLDI 2025 and‌​‌ CICM 2025.

Jean-Marie Madiot​​ was a member of​​​‌ the program committee for‌ the conference PLDI 2025.‌​‌

François Pottier was a​​ member of the program​​​‌ committee for the conference‌ JFLA 2026 and for‌​‌ the workshop RocqPL 2026.​​

Yannick Zakowski was a​​​‌ member of the program‌ committees for the conferences‌​‌ JFLA 2025, OOPSLA 2025,​​ and PLDI 2026. Yannick​​​‌ Zakowski served as Artifact‌ Evaluation Chair for the‌​‌ conferences ECOOP 2025 and​​ 2026.

9.1.3 Participation in​​​‌ editorial boards

Participants: Xavier‌ Leroy.

Xavier Leroy‌​‌ is a member of​​ the editorial board of​​​‌ the Journal of Automated‌ Reasoning. He is also‌​‌ a member of the​​ Conseil Scientifique (scientific advisory​​​‌ board) of the Arte‌ TV channel.

9.1.4 Invited‌​‌ talks

Participants: Yannick Forster​​.

Yannick Forster has​​​‌ given an invited talk‌ about synthetic computability theory‌​‌ at the 33rd EACSL​​ Annual Conference on Computer​​​‌ Science Logic (CSL 2025)‌ and at the Workshop‌​‌ on Logical Frameworks and​​ Meta Languages: Theory and​​​‌ Practice (LFMTP 2025).

9.1.5‌ Research administration

Participants: François‌​‌ Pottier, Luc Maranget​​, Didier Remy.​​​‌

Luc Maranget is an‌ elected member of Inria's‌​‌ Commission d'évaluation (CE). In​​ particular, he took part​​​‌ in two hiring committees‌ for chargé de recherche‌​‌ positions. Luc Maranget represents​​ the Cambium team in​​​‌ the Comité des utilisateurs‌ des moyens informatiques (CUMI).‌​‌

François Pottier is the​​ president of Inria Paris's​​​‌ Comité de Suivi Doctoral‌ (CSD).

François Pottier is‌​‌ Inria's delegate in the​​ pedagogical board of MPRI​​​‌.

Didier Rémy is‌ Inria's delegate in the‌​‌ management board of MPRI​​.

9.2.1‌ Teaching

Participants: Clement Allain‌​‌, Yannick Forster,​​ Xavier Leroy, Jean-Marie​​​‌ Madiot, François Pottier‌, Didier Remy,‌​‌ Tiago Lopes Soares,​​ Samuel Vivien, Remy​​​‌ Seassau.

This year,‌ the members of our‌​‌ team have taught or​​ assisted in teaching the​​​‌ following courses:

• Licence (L1):‌ Programmation fonctionnelle pour le‌​‌ Web, Clément Allain,​​ 24 HETD, Université Paris​​​‌ Cité, France.
• Master (M2):‌ Proof assistants, Yannick‌​‌ Forster, 18 HETD, MPRI,​​ Université Paris Cité, France.​​​‌
• Open lectures: Le calcul‌ sécurisé: calculer sur des‌​‌ données chiffrées ou privées​​, Xavier Leroy, 16​​​‌ HETD, Collège de France,‌ France.
• Licence (L3): Principles‌​‌ of programming languages,​​​‌ Jean-Marie Madiot, 40 HETD,​ École Polytechnique, France.
• Master​‌ (M2): Proofs of Programs​​ (course teacher and coordinator),​​​‌ Jean-Marie Madiot, 18 HETD,​ MPRI, Université Paris Cité,​‌ France.
• Master (M2): Functional​​ programming and type systems​​​‌, François Pottier, 18​ HETD, MPRI, Université Paris​‌ Cité, France.
• Master (M2):​​ Functional programming and type​​​‌ systems, Didier Remy,​ 3 HETD, MPRI, Université​‌ Paris Cité, France.
• Licence​​ (L1): Séminaire CAML,​​​‌ Remy Seassau, 48 HETD,​ EPITA, France.
• Licence (L1):​‌ Introduction to Programming,​​ Tiago Soares, 72 HETD,​​​‌ NOVA School of Science​ and Technology - UNL,​‌ Portugal.
• Licence (L1): Initiation​​ à la programmation 2​​​‌, Samuel Vivien, 24​ HETD, Université Paris Cité,​‌ France.
• Licence (L3): Langages​​ de programmation et compilation​​​‌, Samuel Vivien, 40​ HETD, ENS-PSL, France.
• License​‌ (L3): Séminaire du département​​ d'informatique de l'ENS de​​​‌ Lyon, Yannick Zakowski,​ 32 HETD, ENS de​‌ Lyon France.
• Master (M1):​​ Compilation and Program Analysis​​​‌, Yannick Zakowski (with​ Gabriel Radanne), 18 HETD,​‌ ENS de Lyon France.​​
• Master (M2): Functional programming​​​‌ and type systems,​ Yannick Zakowski, 15 HETD,​‌ MPRI, Université Paris Cité,​​ France.

9.2.2 Supervision

Participants:​​​‌ François Pottier, Yannick​ Forster, Yannick Zakowski​‌, Didier Remy,​​ Jean-Marie Madiot.

The​​​‌ following PhD theses are​ in progress or have​‌ been defended in 2025:​​

• PhD (completed): Clément Allain,​​​‌ Parallel programming infrastructure for​ OCaml 5, Université​‌ Paris Cité, since October​​ 2022, advised by Gabriel​​​‌ Scherer and François Pottier;​ defended on December 16,​‌ 2025 30.
• PhD​​ (in progress): Mathis Bouverot-Dupuis,​​​‌ Meta-programming with Scope Guarantees​, ENS Paris, since​‌ September 2025, advised by​​ Yannick Forster and François​​​‌ Pottier.
• PhD (in progress):​ Timothée Huneau, Unified Classical​‌ and Constructive Reverse Mathematics​​ for Model Theory,​​​‌ ENS Paris-Saclay, since October​ 2025, advised by Yannick​‌ Forster, Dominik Kirst, and​​ Sam van Gool.
• PhD​​​‌ (in progress): Emma Nardino,​ Formal Verification of Program​‌ Optimizations for the Async/Await​​ Programming Model, ENS​​​‌ Lyon, since September 2024,​ advised by Ludovic Henrio​‌ and Yannick Zakowski.
• PhD​​ (in progress): Remy Seassau,​​​‌ Developing a Specification Language​ and a Program Verification​‌ Framework for OCaml,​​ since October 2023, advised​​​‌ by François Pottier.
• PhD​ (in progress): Tiago Soares,​‌ Verifying OCaml Programs With​​ Exceptions and Control Effects​​​‌, since September 2023,​ advised by Mário Pereira​‌ (NOVA University, Lisboa) and​​ François Pottier.
• PhD (in​​​‌ progress): Samuel Vivien, Theory​ and practice of modular​‌ implicits: design, formalisation, implementation,​​ and applications, since​​​‌ October 2025, advised by​ Didier Rémy and Gabriel​‌ Scherer.
• PhD (in progress):​​ Poyraz Yilan, Certified compilation​​​‌ of critical parallel real-time​ programs, Sorbonne Université,​‌ CIFRE with Airbus, since​​ December 2025, advised by​​​‌ Dumitru Potop-Butucaru and Jean-Marie​ Madiot.

9.2.3 Juries

Participants:​‌ Yannick Forster, Xavier​​ Leroy, François Pottier​​​‌, Didier Remy,​ Yannick Zakowski.

Yannick​‌ Forster was a member​​ of the jury for​​​‌ the PhD thesis of​ Zhuo Chen (University of​‌ Melbourne; October 2025).

Xavier​​ Leroy was a member​​​‌ of the jury for​ the PhD thesis of​‌ Josué Moreau (Université Paris​​ Saclay; November 2025).

François​​ Pottier was a reviewer​​​‌ for the PhD theses‌ and habilitation theses of‌​‌ Ike Mulder (Radboud University;​​ February 2025), Simon Spies​​​‌ (Saarland University; May 2025),‌ Long Pham (Carnegie-Mellon University;‌​‌ July 2025), and Matthieu​​ Lemerre (HDR; Université Paris-Saclay;​​​‌ November 2025).

Didier Rémy‌ was a reviewer for‌​‌ the PhD thesis of​​ Guillaume Duboc (Université Paris​​​‌ Cité; January 2025).

Yannick‌ Zakowski was a reviewer‌​‌ for the PhD thesis​​ of Sergei Stepanenko (Aarhus​​​‌ University; October 2025).

International journals​‌

• 11 articleC.Clément​​ Allain, F.Frédéric​​​‌ Bour, B.Basile​ Clément, F.François​‌ Pottier and G.Gabriel​​ Scherer. Tail Modulo​​​‌ Cons, OCaml, and Relational​ Separation Logic.Proceedings​‌ of the ACM on​​ Programming Languages9POPL​​​‌January 2025, 2337-2363​HALDOI
• 12 article​‌C.Clément Allain and​​ G.Gabriel Scherer.​​​‌ Zoo: A Framework for​ the Verification of Concurrent​‌ OCaml 5 Programs using​​ Separation Logic.Proceedings​​​‌ of the ACM on​ Programming Languages10POPL​‌January 2026, 1702-1729​​HALDOIback to​​​‌ text
• 13 articleC.​Clément Blaudeau, D.​‌Didier Rémy and G.​​Gabriel Radanne. Avoiding​​​‌ Signature Avoidance in ML​ Modules with Zippers.​‌Proceedings of the ACM​​ on Programming LanguagesPOPL​​​‌9January 2025HAL​DOI
• 14 articleN.​‌Nathanaëlle Courant and X.​​Xavier Leroy. A​​​‌ Lazy, Concurrent Convertibility Checker​.Proceedings of the​‌ ACM on Programming Languages​​10POPLJanuary 2026​​​‌, 53:1-53:27HALDOI​back to text
• 15​‌ articleA. L.Aïna​​ Linn Georges, B.​​​‌Benjamin Peters, L.​Laila Elbeheiry, L.​‌Leo White, S.​​Stephen Dolan, R.​​​‌ A.Richard A Eisenberg​, C.Chris Casinghino​‌, F.François Pottier​​ and D.Derek Dreyer​​​‌. Data Race Freedom​ à la Mode.​‌Proceedings of the ACM​​ on Programming Languages9​​​‌POPLJanuary 2025,​ 656-686HALDOI
• 16​‌ articleE.Eleftherios Ioannidis​​, Y.Yannick Zakowski​​​‌, S.Steve Zdancewic​ and S.Sebastian Angel​‌. Structural Temporal Logic​​ for Mechanized Program Verification​​​‌.Proceedings of the​ ACM on Programming Languages​‌9OOPSLA2October 2025​​, 1148-1175HALDOI​​​‌back to text
• 17​ articleX.Xavier Leroy​‌. Sciences du logiciel:​​ [résumé des cours et​​​‌ travaux : 2021-2022].​L'Annuaire du Collège de​‌ France. Résumés des cours​​ et travaux1222026​​​‌, 21-29HALDOI​
• 18 articleA.Alexandre​‌ Moine, A.Arthur​​ Charguéraud and F.François​​​‌ Pottier. Will it​ Fit? Verifying Heap Space​‌ Bounds of Concurrent Programs​​ under Garbage Collection.​​​‌ACM Transactions on Programming​ Languages and Systems (TOPLAS)​‌February 2025HALDOI​​
• 19 articleR.Remy​​​‌ Seassau, I.Irene​ Yoon, J.-M.Jean-Marie​‌ Madiot and F.François​​ Pottier. Formal Semantics​​​‌ and Program Logics for​ a Fragment of OCaml​‌.Proceedings of the​​ ACM on Programming Languages​​​‌9ICFPAugust 2025​, 128 - 159​‌HALDOIback to​​ text

International peer-reviewed conferences​​​‌

• 20 inproceedingsC.Clément​ Allain. Zoo: A​‌ framework for the verification​​ of concurrent OCaml 5​​​‌ programs using separation logic​.36es Journées Francophones​‌ des Langages Applicatifs (JFLA​​ 2025)Roiffé, FranceJanuary​​​‌ 2025HAL
• 21 inproceedings​M.Martin Baillon,​‌ Y.Yannick Forster,​​ A.Assia Mahboubi,​​ P.-M.Pierre-Marie Pédrot and​​​‌ M.Matthieu Piquerez.‌ A Zoo of Continuity‌​‌ Properties in Constructive Type​​ Theory.10th International​​​‌ Conference on Formal Structures‌ for Computation and Deduction‌​‌ (FSCD 2025)Birmingham, France​​Schloss Dagstuhl – Leibniz-Zentrum​​​‌ für Informatik2025HAL‌DOIback to text‌​‌
• 22 inproceedingsF.Frédéric​​ Bour and F.François​​​‌ Pottier. Mapping and‌ explaining syntax errors with‌​‌ LRgrep.JFLA 2026​​ – 37es Journées Francophones​​​‌ des Langages ApplicatifsJFLA‌ 2026 – 37es Journées‌​‌ Francophones des Langages Applicatifs​​Oberbronn, FranceJanuary 2026​​​‌HALback to text‌
• 23 inproceedingsL.Ludovic‌​‌ Henrio, E.Einar​​ Broch Johnsen, Å.​​​‌ A.Åsmund Aqissiaq Arild‌ Kløvstad, V.Violet‌​‌ Ka I Pun and​​ Y.Yannick Zakowski.​​​‌ Layers of Confluence for‌ Actors.CPP 2026‌​‌ - Certified Programs and​​ ProofsRennes, FranceJanuary​​​‌ 2026HALDOIback‌ to text
• 24 inproceedings‌​‌J.Juliette Ponsonnet and​​ F.François Pottier.​​​‌ Verified Persistent Catenable Deques‌.JFLA 2026 –‌​‌ 37es Journées Francophones des​​ Langages ApplicatifsJFLA 2026​​​‌ – 37es Journées Francophones‌ des Langages ApplicatifsOberbronn,‌​‌ FranceJanuary 2026HAL​​back to text
• 25​​​‌ inproceedingsS.Samuel Vivien‌, D.Didier Rémy‌​‌ and G.Gabriel Scherer​​. On the design​​​‌ and implementation of Modular‌ Explicits.JFLA 2026‌​‌ – 37es Journées Francophones​​ des Langages ApplicatifsJFLA​​​‌ 2026 – 37es Journées‌ Francophones des Langages Applicatifs‌​‌Oberbronn, FranceJanuary 2026​​HALback to text​​​‌

Conferences without proceedings

• 26‌ inproceedingsM.Mathis Bouverot-Dupuis‌​‌, T.Théo Winterhalter​​, K.Kathrin Stark​​​‌ and K.Kenji Maillard‌. Sulfur: a Reflective‌​‌ Tactic for Substitution Simplification​​.RocqPL 2026 -​​​‌ Rocq for Programming Languages‌Rennes, France2026HAL‌​‌
• 27 inproceedingsJ.Jean​​ Caspar and G.Guillaume​​​‌ Munch-Maccagnoni. S4 modal‌ sequent calculus as intermediate‌​‌ logic and intermediate language​​.PEPM 2026 -​​​‌ ACM SIGPLAN Workshop on‌ Partial Evaluation and Program‌​‌ ManipulationRennes, FranceACM​​2026HAL
• 28 inproceedings​​​‌A.Alistair O'Brien,‌ D.Didier Rémy and‌​‌ G.Gabriel Scherer.​​ Omnidirectional type inference for​​​‌ ML: 5th Workshop on‌ the Implementation of Type‌​‌ Systems.WITS 2026.​​ 5th Workshop on the​​​‌ Implementation of Type Systems‌Rennes, FranceJanuary 2026‌​‌HALback to text​​
• 29 inproceedingsS.Samuel​​​‌ Vivien, D.Didier‌ Rémy and G.Gabriel‌​‌ Scherer. Implicit modules,​​ a middle step towards​​​‌ modular implicits.Higher-order,‌ Typed, Inferred, Strict: ML‌​‌ Family Workshop 2025Singapore,​​ SingaporeOctober 2025HAL​​​‌back to text

Doctoral‌ dissertations and habilitation theses‌​‌

• 30 thesisC.Clément​​ Allain. Verification of​​​‌ fine-grained concurrent OCaml 5‌ algorithms using separation logic‌​‌.Université Paris Cité​​December 2025HALback​​​‌ to textback to‌ text

Reports & preprints‌​‌

• 31 miscM.Mathis​​ Bouverot-Dupuis and Y.Yannick​​​‌ Forster. Code Generation‌ via Meta-programming in Dependently‌​‌ Typed Proof Assistants.​​January 2026HALback​​​‌ to text
• 32 report‌T.Théa Hervier.‌​‌ MTrees : Mixing monadic​​ effects and Labelled Transition​​​‌ Systems in Rocq.‌ENS de LyonJune‌​‌ 2025HALback to​​​‌ text
• 33 miscT.​Thomas Lamiaux, Y.​‌Yannick Forster, M.​​Matthieu Sozeau and N.​​​‌Nicolas Tabareau. Nested​ Inductive Types: Justified and​‌ Usable Nested Inductive Types​​ in Lean and Rocq​​​‌.2025HALback​ to text
• 34 report​‌X.Xavier Leroy,​​ D.Damien Doligez,​​​‌ A.Alain Frisch,​ J.Jacques Garrigue,​‌ D.Didier Rémy,​​ K.Kc Sivaramakrishnan and​​​‌ J.Jérôme Vouillon.​ The OCaml system release​‌ 5.4: Documentation and user's​​ manual.InriaOctober​​​‌ 2025, 1107HAL​back to text
• 35​‌ reportX.Xavier Leroy​​. The CompCert C​​​‌ verified compiler: Documentation and​ user’s manual: Version 3.16​‌.InriaSeptember 2025​​, 1-79HAL
• 36​​​‌ miscE.Emma Nardino​, L.Ludovic Henrio​‌, G.Gabriel Radanne​​ and Y.Yannick Zakowski​​​‌. Tail Modulo Async-Await​.2025HALback​‌ to text
• 37 report​​A.Alistair O'Brien,​​​‌ D.Didier Rémy and​ G.Gabriel Scherer.​‌ Omnidirectional type inference for​​ ML: principality any way​​​‌.University of Cambridge,​ INRIA, IRIF, Université Paris​‌ Cité2025HALDOI​​back to text
• 38​​​‌ reportY.-J.Yee-Jian Tan​. Towards Formalising the​‌ Guard Checker of Coq​​.Ecole polytechnique; Inria​​​‌ - ParisMarch 2025​HAL
• 39 miscH.​‌Haoyi Zeng, Y.​​Yannick Forster, D.​​​‌Dominik Kirst and T.​Takako Nemoto. Post's​‌ Problem in Constructive Mathematics​​.January 2025HAL​​​‌back to text