Section: New Results
Program specification and proof
Certification of purely functional programs
François Pottier and Yann Régis-Gianas have developed a discipline that allows specifying and certifying strict, purely functional programs.
More specifically, they consider Core ML, a strict, purely functional programming language, equipped with higher-order functions, algebraic data structures, and polymorphism. They allow Core ML programs to be decorated with logical assertions, which serve as pre- or post-conditions, and define an algorithm that extracts proof obligations out of annotated programs. The proof obligations are then fed to an external, off-the-shelf theorem prover.
This approach is inspired by earlier work, such as ESC/Java, Caduceus, or Krakatoa. However, it has never been applied to a programming language in the ML family. A technical difficulty lies in the specification of higher-order functions, which requires higher-order logic. The treatment of algebraic data structures and polymorphism is relatively straightforward.
This work is presented in an as-yet-unpublished paper, and a prototype tool has been implemented by Yann Régis-Gianas. The tool has been used to specify and check OCaml's balanced binary tree implementation. While the specifications must be hand-written, as in earlier work by Filliâtre and Letouzey, the proof is almost entirely automatic, thanks to the automated first-order theorem prover Ergo.
Analysis of imperative programs
Arthur Charguéraud and François Pottier have developed a type system, featuring regions, capabilities, and notions of linearity, which allows fine-grained reasoning about aliasing and ownership in imperative programs with dynamic memory allocation.
The type system is closely inspired by earlier work, such as the Calculus of Capabilities, Alias Types, or Adoption and Focus. Charguéraud and Pottier's principal contribution is a type-directed translation of imperative programs into a purely functional calculus. Like the well-known monadic translation, this is a store-passing translation. It is, however, much more fine-grained, because the store is partitioned into multiple fragments, which are threaded through a computation only if they are relevant to it. Furthermore, the decomposition of the store into fragments can evolve dynamically to reflect ownership transfers.
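The contrast between a whole-store translation and the fine-grained one can be seen on a tiny program. The Rust below is an added illustration, not the paper's calculus or code: it assumes a constructed imperative program with two cells x and y, and uses Rust moves to stand in for linearity.

```rust
// Added illustration (not the paper's calculus): the constructed imperative program
//     let x = ref 0 and y = ref 5 in  x := !x + 1;  !y
// translated in two purely functional styles.

// 1. Whole-store (monadic) translation: every step takes and returns the entire store,
//    so `read_y_whole` must thread `x` through even though it never touches it.
#[derive(Debug, PartialEq)]
pub struct Store { pub x: i64, pub y: i64 }

pub fn incr_x_whole(s: Store) -> ((), Store) { ((), Store { x: s.x + 1, ..s }) }
pub fn read_y_whole(s: Store) -> (i64, Store) { (s.y, s) }
pub fn program_whole(s: Store) -> (i64, Store) {
    let ((), s) = incr_x_whole(s);
    read_y_whole(s)
}

// 2. Fine-grained translation: the store is split into fragments (one per region), and a
//    function receives only the fragments relevant to it. A fragment passed in is moved
//    (consumed) and a new version is returned, so no stale version can be reused.
#[derive(Debug, PartialEq)]
pub struct FragX(pub i64);
#[derive(Debug, PartialEq)]
pub struct FragY(pub i64);

pub fn incr_x(fx: FragX) -> ((), FragX) { ((), FragX(fx.0 + 1)) }
pub fn read_y(fy: FragY) -> (i64, FragY) { (fy.0, fy) }   // x's fragment is not involved
pub fn program_fine(fx: FragX, fy: FragY) -> (i64, FragX, FragY) {
    let ((), fx) = incr_x(fx);
    let (v, fy) = read_y(fy);
    (v, fx, fy)
}

// 3. Ownership transfer: the decomposition evolves dynamically. Cell y is adopted into
//    x's region, so from here on one fragment carries both cells; the separate FragX and
//    FragY values are consumed and can no longer be threaded on their own.
#[derive(Debug, PartialEq)]
pub struct FragXY { pub x: i64, pub y: i64 }

pub fn adopt_y_into_x(fx: FragX, fy: FragY) -> FragXY { FragXY { x: fx.0, y: fy.0 } }
pub fn swap_xy(r: FragXY) -> ((), FragXY) { ((), FragXY { x: r.y, y: r.x }) }
pub fn program_transfer(fx: FragX, fy: FragY) -> (i64, FragXY) {
    let ((), fx) = incr_x(fx);        // still needs only x's fragment
    let r = adopt_y_into_x(fx, fy);   // fx and fy are moved here
    let ((), r) = swap_xy(r);         // an operation on the merged region
    (r.x, r)
}
```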
This work is presented in an as-yet-unpublished paper. Charguéraud and Pottier's long-term objective is to define a system for specifying and certifying imperative programs on top of this type system. The system would be analogous to the one developed by Pottier and Régis-Gianas (see section 6.3.1), but would support side effects.
Focal and Zenon
Focal — a joint effort with LIP6 (U. Paris 6) and Cedric (CNAM) — is a programming language and a set of tools for software-proof codesign. The most important feature of the language is an object-oriented module system that supports multiple inheritance, late binding, and parameterization with respect to data and objects. Within each module, the programmer writes specifications, code, and proofs, which are all treated uniformly by the module system.
Focal proofs are done in a hierarchical language invented by Leslie Lamport. Each leaf of the proof tree is a lemma that must be proved before the proof is detailed enough for verification by Coq. The Focal compiler translates this proof tree into an incomplete proof script. This proof script is then completed by Zenon, the automatic prover provided by Focal. Zenon is a tableau-based prover for first-order logic with equality. It is developed by Damien Doligez with the help of David Delahaye.
Version 0.5.0 of Zenon was released in November. A paper describing Zenon was presented at the LPAR 2007 conference.
A complete rewrite of Zenon is in progress. It will enhance the efficiency of Zenon by using purely functional data structures and by implementing a better heuristic for finding instantiations of universal hypotheses and existential conclusions.
Tools for TLA+
Participants: Damien Doligez, Leslie Lamport [Microsoft Research], Stephan Merz [project Mosel], Georges Gonthier [Microsoft Research], Kaustuv Chaudhuri [Microsoft Research-INRIA Joint Centre].
Damien Doligez is head of the “Tools for Proofs” team in the Microsoft-INRIA Joint Centre. The aim of this team is to extend the TLA+ language with a formal language for hierarchical proofs, formalizing the ideas in  , and to build tools for writing TLA+ specifications and mechanically checking the corresponding formal proofs.
We have finished the design of the proof language and started implementing the front-end processor (parser and type-checker) and updating the existing TLA+ tools to deal with the new language. Kaustuv Chaudhuri was hired in November for a 2-year post-doctoral position; he will be the main architect and implementer of the “proof manager”, a development environment for developing TLA+ specifications along with their proofs. The “proof manager” will use Isabelle and Zenon as back-end provers.