Team Gallium

Overall Objectives
Scientific Foundations
Application Domains
New Results
Contracts and Grants with Industry
Other Grants and Activities

Section: New Results

Program specification and program proof

Characteristic formulae for interactive program verification

Participant : Arthur Charguéraud.

Arthur Charguéraud has developed a new approach to program verification, based on characteristic formulae. The characteristic formula of a program is a higher-order logic formula that describes the behavior of that program, in the sense that it is sound and complete with respect to the semantics. This formula can be exploited in an interactive theorem prover to establish that a program satisfies a specification expressed in the style of Separation Logic, with respect to total correctness.

The characteristic formula of a program is automatically generated from its source code alone. In particular, there is no need to annotate the source code with specifications or loop invariants, as such information can be given in interactive proof scripts. Characteristic formulae, which are expressed in terms of basic logical connectives, can be pretty-printed so as to closely resemble the source code that they describe, even though they do not refer to the syntax of the programming language. Thanks to this pretty-printing mechanism, proof obligations are easily readable.

Characteristic formulae serve as a basis for a tool, called CFML, that supports the verification of Caml programs using the Coq proof assistant. More precisely, CFML supports higher-order functions, recursion, mutual recursion, polymorphic recursion, tuples, data constructors, pattern matching, references, records and arrays. This tool has been applied to the verification of a number of purely-functional data structures and of imperative higher-order functions.

A paper describing characteristic formulae for purely-functional programs was published at ICFP 2010 [16] . Their generalization to imperative programs is described in Arthur Charguéraud's PhD thesis [11] .

A generic fixed point combinator for Coq

Participant : Arthur Charguéraud.

In a theorem prover such as Coq or Isabelle/HOL, recursive functions must terminate on all arguments, otherwise the soundness of the logic would be compromised. Similarly, a productivity requirement applies to co-recursive functions (i.e., recursive functions over co-inductive data structures) and to co-recursive values. In Coq, the termination and productivity requirements are enforced through syntactic analyses. Those analyses are inherently limited, making it difficult to formalize nontrivial circular definitions.

Building on the theory of optimal fixed points of Manna and Shamir [45] , as well as on contraction conditions for co-recursive definitions [46] , Arthur Charguéraud developed a generic fixed point combinator. This “optimal fixed point combinator”, which can be defined in higher-order logic equipped with Hilbert's epsilon operator, allows for a direct and effective formalization of advanced definitions involving recursion, co-recursion, or both at the same time. In particular, the combinator supports higher-order recursion and nested recursion, and it offers a proper treatment of partial functions in the sense that domains need not be hard-wired in the definition of functionals.

The optimal fixed point combinator is described in a paper presented at ITP 2010 [17] . The development is entirely formalized in a Coq library, which provides a practical way to formalize advanced circular definitions in Coq.

The Zenon automatic theorem prover

Participant : Damien Doligez.

Damien Doligez continued the development of Zenon, a tableau-based prover for first-order logic with equality and theory-specific extensions. This year, Zenon was extended to handle TLA+ records, tuples, and sequences. The Isabelle back-end was tuned for proofs involving strings, integers, and CASE expressions. This resulted in speed-up of the time taken by Isabelle to check these proofs. Zenon version 0.6.3 was released in February.

Tools for TLA+

Participants : Damien Doligez, Leslie Lamport [Microsoft Research] , Stephan Merz [EPI Mosel] , Denis Cousineau [Microsoft Research-INRIA Joint Centre] , Dan Ricketts [Microsoft Research-INRIA Joint Centre] .

Damien Doligez is head of the “Tools for Proofs” team in the Microsoft-INRIA Joint Centre. The aim of this team is to extend the TLA+ language with a formal language for hierarchical proofs, formalizing the ideas in  [42] , and to build tools for writing TLA+ specifications and mechanically checking the corresponding formal proofs.

This year, the TLA+ project released the second version of the TLA+ tools: the GUI-based TLA Toolbox and the TLA+ Proof System, an environment for writing and checking TLA+ proofs. In this new version, the Toolbox and the Proof System interact to provide an IDE for developing proofs, with folding of proof subtrees, coloring of subgoals depending on their status (proved, failed, unknown), clickable error reports, etc. The system is described in a paper presented at IJCAR 2010 [18] .


Logo Inria