Section: New Results
Program specification and proof
Interactive verification of functional programs
Participant : Arthur Charguéraud.
In recent work  , Arthur Charguéraud and François Pottier designed a type system which can be used to direct a fine-grained translation of well-typed imperative ML programs into a purely functional language. Thanks to this translation, one is able to verify an imperative program simply by verifying its functional counterpart. In order to complete the setting, a technique for formally reasoning on functional programs is required.
Arthur Charguéraud proposed a framework for modular verification of purely functional OCaml code using the Coq proof assistant. It relies on a deep embedding , that is, a description of the syntax and the semantics of a programming language in the logic of a proof assistant. Technically, programs are specified through lemmas describing their intended big-step behaviour, and they are verified through proofs of such lemmas.
In theory, this approach can be used to verify any true property of any given program. It imposes no restriction on the code, apart from its purity, and benefits from the strong expressiveness of Coq. Its pratical abilities have been established through a complete specification and verification of OCaml's list library, as well as a proof of total correctness for a bytecode compiler and interpreter for Mini-ML. This work is presented in a paper  that has been submitted for publication.
The Zenon automatic theorem prover
Participant : Damien Doligez.
Damien Doligez continued the development of Zenon, a tableau-based automatic theorem prover for first-order logic with equality with extensions. The major developments this year include specialized rules for set theory (used for TLA+), as well as induction rules for recursive functions defined on inductive data types (used for Focal). Zenon was also extended with a back-end proof generator that produces proof scripts for the Isabelle system. Zenon version 0.6.3 was released in December.
Zenon is used within the Focal project  , a joint effort with LIP6 and CNAM-CEDRIC. Focal is a programming language and a set of tools for software-proof codesign. Focal proofs are done in a hierarchical language invented by Leslie Lamport  . Each leaf of the proof tree is a lemma that must be proved before the proof is detailed enough for verification by Coq. The Focal compiler translates this proof tree into an incomplete proof script, which is then completed by Zenon.
Other uses of Zenon are being considered in the context of the Action de Recherche Coopérative “Quotient” ( http://quotient.loria.fr/ ).
Tools for TLA+
Participants : Damien Doligez, Leslie Lamport [ Microsoft Research ] , Stephan Merz [ project Mosel ] , Kaustuv Chaudhuri [ Microsoft Research-INRIA Joint Centre ] , Simon Zambrowski [ Microsoft Research-INRIA Joint Centre ] .
Damien Doligez is head of the “Tools for Proofs” team in the Microsoft-INRIA Joint Centre. The aim of this team is to extend the TLA+ language with a formal language for hierarchical proofs, formalizing the ideas in  , and to build tools for writing TLA+ specifications and mechanically checking the corresponding formal proofs.
We have finished the design of the proof language and we have a first prototype of the front-end processor (parser and type-checker). Kaustuv Chaudhuri was hired in November 2007 for a 2-year post-doctoral position; he is the main architect and implementer of the “proof manager”, a development environment for developing TLA+ specification with their proofs. The “proof manager” uses Isabelle and Zenon as back-ends. These developments are described in an article published in the KEAPPA workshop  .
Simon Zambrowski has started working on a TLA+ plug-in for the Eclipse integrated development environment.