The Proval project-team is a research team common to INRIA - Saclay Île-de-France, CNRS and Université Paris-Sud. Researchers are also members of the LRI (Laboratoire de Recherche en Informatique, UMR 8623).

Critical software applications in the domain of transportation, telecommunication or electronic transactions are put on the market within very short delays. In order to guarantee a dependable behavior, it is mandatory for a large part of the validation of the system to be done in a mechanical way.

The ProVal team addresses this question and consequently participates to the INRIA major scientific priorities: “Programming: Security and Reliability of Computing Systems”.

Our approach uses
*Type Theory*as a theoretical basis, a formalism which gives a clear semantics for representing, on a computer, both computation and deduction.

Type theory is a natural formalism for the specification and proof of
*higher-order functional programs*, but we also use it as the kernel for
*deductive verification of imperative programs*. It serves as a support for modeling activities (e.g. pointer programs, random computations, floating-point arithmetic, semantics).

Verification conditions (VCs) generated from programs annotated with specifications can often be expressed in simple formalisms (fragments of first-order logic) and consequently be solved
using
*automated deduction*. Building specialized tools for solving VCs, integrating different proof technologies, in particular interactive and automated ones, are important activities in our
group.

When sophisticated tools are used for analyzing safety-critical code, their reliability is an important question: in an industrial setting, there is often a certification process. This certification is based on an informal satisfaction of development rules. We believe that decision procedures, compilers or verification condition generators (VCGs) should not act as black boxes but should be themselves specified and proved, or should produce evidence of the correctness of their output. This choice is influential in the design of our tools and is also a good challenge for them.

The project develops a generic environment (
*Why*) for proving programs.
*Why*generates sufficient conditions for a program to meet its expected behavior, that can be solved using interactive or automatic provers. On top of this tool, we have built dedicated
environments for proving C (
*Frama-C*/
*Jessie*) or Java (
*Krakatoa*) programs.

With the arrival of Sylvie Boldo in 2005 and Guillaume Melquiond in 2008 as junior researchers, the team is developing a strong expertise in the area of formal verification of floating-point arithmetic.

Our research activities are detailed further, following the three themes:

Interactive proofs of programs,

Proof of imperative and object-oriented programs,

Automated deduction for program proof.

Development of tools and applications is an important transversal activity for these four themes.

A new trend emerging in 2010-2011 is the construction of international program verification benchmarks and program verification competitions. Benchmarks include the VACID0 challenges (
http://

A paper by S. Conchon, E. Contejean and M. Iguernelala
presenting their work on automated reasoning modulo
associative-commutative theories got the best theoretical paper award of ETAPS Conferences
http://

Higher-order strongly typed programming languages such as Objective Caml help improving the quality of software development. Static typing automatically detects possible execution errors. Higher-order functions, polymorphism, modules and functors are powerful tools for the development of generic reusable libraries. Our general goal is to enrich such a software environment with a language of annotations as well as libraries for datatypes, abstract notions and associated theorems which can express logical properties of programs and ease the possibility to automatically and interactively develop proofs of correctness of the programs.

In the past, we made contributions to the
*Coq*proof assistant by adding functionalities for improving the development of formally proved functional programs. A first contribution is a new method to extract OCaml modular code from
*Coq*proofs (P. Letouzey PhD thesis
,
). This extraction mechanism is an original feature for the
*Coq*system, and has been used by several teams around the world in order to get efficient certified code
. Another contribution (M. Sozeau PhD thesis
,
) is an extension of the
*Coq*input language for building programs with strong specifications by writing only the computational part and generating separately proof obligations (which are usually solved by
tactics) and also a mechanism generalizing Type Classes à la Haskell which gives overloading in programs and proofs and facilitates the development of generic tactics..

We are using the capability of the
*Coq*system to model both computation and deduction in order to explore different classes of applications. These examples involve the development of large reusable
*Coq*libraries and suggest domain-specific specification and proof strategies.

C. Paulin in collaboration with Ph. Audebaud from ENS Lyon, proposed a method for modeling probabilistic programs in
*Coq*
. The method is based on a monadic interpretation of probabilistic
programs as probability measures. A large
*Coq*library has been developed and made publicly available (see also Section
). D. Baelde has been using this library to formally prove the security of
Watermarking algorithms (see also section
).

Many industrial programs (weather forecasts, plane trajectories, simulations...) use floating-point computations, typically double precision floating-point numbers . Even if each computation is as good as it can be (except for elementary functions like sine, or exponential), the final result may be very wrong with no warnings, or the program will produce unexpected behaviors (like division by zero). This is the reason why guarantees should be provided to the user. We mean to guarantee for example that, for all or part of the possible inputs, the result obtained is correct (or near enough) and that no exceptional behavior will occur .

A high level of guarantee is obtained by formal proofs in
*Coq*. We maintain and develop large
*Coq*libraries for floating-point arithmetic: core definitions, axiomatic and computational rounding operations, high-level properties. It provides a framework for developers to formally
certify numerical applications. A new such library is described in Section
.

Certifying the result of tools for analysing programs is a good challenge in the domain of proofs of higher-order functional programs. We obtained several results concerning formal proofs
in
*Coq*corresponding to automated deduction. These results are described in Section
.

A PhD thesis started in Sep. 2009 has for main objective the development of a certified version the Frama-C/Jessie/Why verification chain.

A foundation step of the project is the PhD thesis of Jean-Christophe Filliâtre
that proposes to establish soundness of a program with imperative
features (assignments, while loops, but also exceptions and exception handlers) by means of a translation into an equivalent purely functional program with logical annotations. Such an
annotated functional program is very well-suited to be expressed in
*Coq*'s type theory, hence this approach allowed for the first time to prove imperative programs with
*Coq*
.

Following this thesis, a new tool called
*Why*was developed. It takes as input an imperative program and a specification that this program is expected to fulfil. It produces on one hand a set of
*verification conditions*(VCs): logical formulas which have to be proved in the
*Coq*system ; and on the other hand a
*Coq*-term which contains a functional translation of the imperative program and a proof of correctness of this program based on the VCs. It was early remarked that this tool was
independent of
*Coq*, because the VCs can be validated in other interactive tools or with automatic provers. This multi-prover architecture is a powerful feature of
*Why*: it spreads this technology well beyond the
*Coq*community.

Since 2002, we tackle programs written in mainstream programming languages. We first considered Java source code annotated with JML (Java Modeling Language). This method was implemented in
a new tool called
*Krakatoa*
. The approach is based on a translation from annotated Java
programs into the specific language of
*Why*, we then can reuse
*Why*'s VCG mechanism and choose between different provers for establishing these VCs. From 2003, we followed the same approach for programs written in ANSI C
.

The combination of the
*Why*VC generator and the front-ends dealing with C or Java form a tool box for program verification, called the
*Why*platform. Its overall architecture is shown on Figure
. Nowadays, the front-end for C is in fact integrated in the Frama-C
environment for static analysis of C programs (
http://

The central issue for the design of our platform is the modeling of memory heap for Java and C programs, handling possible aliasing (two different pointer or object expressions
representing the same memory location): the
*Why*VC generator does not handle aliasing by itself, indeed it does not support any form of complex data structures like objects, structures, pointers. On the other hand, it supports
declaration of a kind of algebraic specifications: abstract data types specified by first-order functions, predicates and axioms. As a consequence, there is a general approach for using
*Why*as a target language for
*programming the semantics*of higher-level programming languages
. The
*Krakatoa*and the Jessie memory models are inspired by the `component-as-array' representation due to Bornat, following an old idea from Burstall, and commonly used to verify pointers
programs
. Each field declaration
*Why*variable

An important difficulty with programs handling pointers is to specify side-effects of a function or a method. The annotation languages offer the
*assigns*clauses in specifications in order to delimitate the part of memory which is modified by a function or a method. We proposed an original modeling for such clauses
.

This kind of memory model does not scale up well for large programs. We designed an improved modeling of memory heap incorporating ideas from static analysis of memory separation, and from Reynolds' separation logic. Experiments on a C code proposed by Dassault Aviation were successful , .

The use of
*Why*as intermediate language opens interesting new approaches for reasoning on programs. We studied the specification of global properties, by reuse of the validation term of
*Why*in order to define a model of each function, and then express and prove properties of functions composition. Such an approach was investigated by J. Andronick in the framework
of proofs of security properties on smart cards
,
. We also proposed a way to handle the Java Card transaction
mechanism (a specificity of Java Card memory with both persistent and volatile parts), by indeed generating a
*Why*model
*on-the-fly*for each Java Card applet
, thanks again to the flexibility of the approach using
*Why*as an intermediate language.

The techniques we are developing can be naturally applied in domains which require to develop critical software for which there is a high need of certification.

The
*Krakatoa*tool was successfully used for the formal verification of a commercial smart card applet
proposed by Gemalto. This case study have been conducted in
collaboration with LOOP and Jive groups. Banking applications are concerned with security problems that can be the confidentiality and protection of data, authentication, etc. The translation
of such specifications into assertions in the source code of the program is an essential problem. We have been working on a Java Card applet for an electronic purse Demoney
developed by the company Trusted Logic for experimental purpose.
Other Java Card case studies have been conducted in collaboration with Gemalto by J. Andronick and N. Rousset, in particular on global properties and Java Card transactions
,
.

To illustrate the effectiveness of the approach on C programs, T. Hubert and C. Marché performed a full verification of a C implementation of the Schorr-Waite algorithm
, using
*Coq*for the proofs. This is an allocation-free graph-marking algorithm used in garbage collectors, which is considered as a benchmark for verification tools. Other industrial case
studies have been investigated by T. Hubert (with Dassault Aviation)
and by Y. Moy (with France Telecom)
,
.

Since the beginning of 2011, we propose on the web a
*Gallery of Verified programs*(
http://

Our group has a long tradition of research on automated reasoning, in particular on equational logic, rewriting, and constraint solving. The main topics that have been under study in recent
years are termination proofs techniques, the issue of combination of decision procedures, and generation of proof traces. Our theoretical results are mainly materialized inside our two
automated provers CiME and
*Alt-Ergo*.

On the termination topic, we have studied new techniques which can be automated. A fundamental result of ours is a criterion for checking termination
*modularly*and
*incrementally*
, and further generalizations
. These criteria and methods have been implemented into the CiME2
rewrite toolbox
. Around 2002, several projects of development of termination tools
arose in the world. We believe we have been pioneer in this growth, and indeed we organized in 2004 the first competition of such tools.

A direction of research on termination techniques was also to apply our new approaches (for rewriting) to other computing formalisms, first to Prolog programs
and then to membership equational programs
, a paradigm used in the
*Maude*system
.

Our research related to combination of decision procedures was initiated by a result obtained in collaboration with Shankar's group at SRI-international who develops the PVS environment, showing how decision procedures for disjoint theories can be combined as soon as each of them provides a so-called “canonizer” and a “solver”. Existing combination methods in the literature are generally not very well understood, and S. Conchon had a major contribution, in collaboration with Sava Krstić from OGI School of Science and Engineering (Oregon Health and Science University, USA), which is a uniform description of combination of decision procedures, by means of a system of inference rules, clearly distinguished from their strategy of application, allowing much clearer proofs of soundness and completeness , .

In the specific domain of program verification, the goals to be proved are given as formulae in a polymorphic multi-sorted first-order logic. Some of the sorts, such as integers and
arrays, are built-in as they come from the usual data-types of programming languages. Polymorphism is used as a convenience for defining the memory models of C and Java programs and is
handled at the level of the
*Why*tool.

In order to be able to use all the available automated theorem provers (Simplify, SMT provers), including those which handle only untyped formulae (Simplify), one has to provide a way to get rid of polymorphism.

S. Conchon and É. Contejean have proposed an encoding of polymorphic multi-sorted logic (PSL) into unsorted logic based on term transformation, rather than addition of sort predicates which was used till then. This approach was extended further by S. Lescuyer , J.-F. Couchot , N. Stouls .

It would be more convenient to deal with polymorphism directly in the theorem prover. There was no such prover available at the beginning of 2006, that is why S. Conchon and
É. Contejean decided to develop a new tool called
*Alt-Ergo*which is dedicated to the resolution of polymorphic and multi-sorted proof obligations and takes as input the
*Why*syntax. In 2011,
*Alt-Ergo*is still the only existing prover dealing with parametric polymorphism.

*Alt-Ergo*contains also a Fourier-Motzkin decision procedure for linear arithmetics inequalities, a home-made SAT-solver and an instantiation mechanism.

The architecture of
*Alt-Ergo*is modular: each part is described by a small set of inference rules and is implemented as an OCaml functor. Moreover, the code is short (

A common issue to both termination techniques and decision procedures is that automatic provers use complex algorithms for checking validity of formula or termination of a computation, but
when they answer that the problem is solved, they do not give any more useful information. It is highly desirable that they give a
*proof trace*, that is some kind of certificate that could be double-checked by a third party, such as an interactive proof assistant like
*Coq*. Indeed
*Coq*is based on a relatively small and stable kernel, so that when it checks that a proof is valid, it can be trusted. Morevoer, a subpart of Coq has been proven correct in Coq
.

In addition to efficient termination techniques, CiME implements in particular a semi-decision procedure for the equality modulo a set of axioms, based on ordered completion. In 2005,
the former human readable proof traces have been replaced by
*Coq*certificates, based on reified proof objects for a FOL logic modelled inside
*Coq*
.

É. Contejean, A. Paskevich, X. Urbain and the Cédric participants of the A3PAT project, Pierre Courtieu, Olivier Pons (CNAM), and Julien Forest, (ENSIIE) develop the new version of
the CiME tool, CiME 3, associated with a
*Coq*library called Coccinelle developed by É. Contejean. A trace generator outputs a trace for
*Coq*in the unified framework provided by the Coccinelle library
. Coccinelle contains the corresponding modelling of terms
algebras and rewriting statements, and also some generic theorems which are needed for establishing a rewriting property from a trace. For example, in order to produce a certificate of
termination for a rewriting system, one may provide as a trace an ordering that contains the rewrite system, but it is also needed to have a proof that this ordering is well-founded. Such a
proof (for RPO for instance) is part of Coccinelle as a generic property. Coccinelle also contains as generic theorems some powerful criteria of termination: dependency pairs
, the main modularity theorem for termination presented in the
thesis of Urbain
as well as innermost termination, dependency pairs for it and its
equivalence with standard termination in some specific cases
.

The main improvement over the previous approach
is that the
*Coq*development is parameterized with respect to the equality predicate (instead of using the
*Coq*native equality). This allows to deal uniformly with equality modulo a set of axioms, with termination of a set of rewrite rules, and with rewriting modulo a set of equations,
such as associativity-commutativity.

Certifying termination proofs gained interest in the term rewriting community. Groups are either developing their own certifier, or producing traces for other's, thanks to a shared XML format. Since 2007, the termination competition has a category for certified termination proofs.

Further note that our efforts are not limited to termination proofs, and to date CiME 3 is the only tool able to prove and to certify
*confluence*of term rewriting systems
.

The Coq implementation of S. Lescuyer is available in the form of tactics which allow one to automatically solve formulae combining propositional logic, equality and arithmetic. In order to make these tactics as efficient as may be, he has taken special care with performance in his implementation, in particular through the use of classical efficient data structures, which we provide as a separate library.

Many systems in telecommunication, banking or transportation involve sophisticated software for controlling critical operations. One major problem is to get a high-level of confidence in the algorithms or protocols that have been developed inside the companies or by partners.

Many smartcards in mobile phones are based on a (small) Java virtual machine. The card is supposed to execute applets that are loaded dynamically. The operating system itself is written in C, it implements security functions in order to preserve the integrity of data on the card or to offer authentication mechanisms. Applets are developed in Java, compiled, and then the byte-code is loaded and executed on the card. Applets or the operating systems are relatively small programs but they need to behave correctly and to be certified by an independent entity.

If the user expresses the expected behavior of the program as a formal specification, it is possible for a tool to check whether the program actually behaves according to the requirements.

Avionics or more generally transportation systems are another area were there are critical algorithms involved, for instance in Air Traffic control. We have collaborations in this domain with Dassault-Aviation and National Institute of Aerospace (NIA, Hampton, USA). Since 2011, we started a new collaboration with Mitsubishi Electric R&D Centre Europe (Rennes), on the construction of certified software for railroad transportation. We also recently started a collaboration with Adacore for a new environment for proving Ada source code, which has applications in transportation systems including aerospace.

CiME is a rewriting toolbox. Distributed since 1996 as open source, at URL
http://
*Coq*. CiME3 is also developed by the participants of the A3PAT project at the CNAM, and is distributed under the Cecill-C license.

Criteria for Software Self-Assessment

The
*Why*platform is a set of tools for deductive verification of Java and C source code. In both cases, the requirements are specified as annotations in the source, in a special style of
comments. For Java (and Java Card), these specifications are given in JML and are interpreted by the
*Krakatoa*tool. Analysis of C code must be done using the external
*Frama-C*environment, and its Jessie plugin which is distributed in
*Why*.

The platform is distributed as open source, under GPL license, at
http://
*Why*3 system described below.

The
*Krakatoa*and
*Jessie*front-ends are still maintained, although using now by default the
*Why*3 VC generator. These front-ends are described in a specific web page
http://

Criteria for Software Self-Assessment: A-3-up, SO-4, SM-4, EM-4, SDL-4, OC-4.

*Why*3 is the next generation of
*Why*.
*Why*3 clearly separates the purely logical specification part from generation of verification conditions for programs. It features a rich library of proof task transformations that can be
chained to produce a suitable input for a large set of theorem provers, including SMT solvers, TPTP provers, as well as interactive proof assistants.

It is distributed as open source, under GPL license, at
http://

*Why*3 is used as back-end of our own tools
*Krakatoa*and
*Jessie*, but also as back-end of the GNATprove tool (Adacore company), and in a near future of the WP plugin of Frama-C.
*Why*3 has been used to develop and prove a significant part of the programs of our team gallery
http://

Criteria for Software Self-Assessment: A-3-up, SO-4, SM-4-up, EM-4, SDL-5, OC-4.

*Alt-Ergo*is an automatic, little engine of proof dedicated to program verification, whose development started in 2006. It is fully integrated in the program verification tool chain
developed in our team. It solves goals that are directly written in the
*Why*'s annotation language; this means that
*Alt-Ergo*fully supports first order polymorphic logic with quantifiers.
*Alt-Ergo*also supports the standard
defined by the SMT-lib initiative.

It is currently used in our team to prove correctness of C and Java programs as part of the
*Why*platform and the new
*Why*3 system.
*Alt-Ergo*is also called as an external prover by the Pangolin tool developed by Y. Regis Gianas, INRIA project-team Gallium
http://

*Alt-Ergo*is distributed as open source, under the CeCILL-C license, at URL
http://

Criteria for Software Self-Assessment: A-5, SO-3, SM-3, EM-3, SDL-5, OC-4.

Bibtex2html is a generator of HTML pages of bibliographic references. Distributed as open source since 1997, under the GPL license, at
http://

Bibtex2html is also distributed as a package in most Linux distributions. Package popularity contests show that it is among the 20% most often installed packages.

OCamlgraph is a graph library for Objective Caml. It features many graph data structures, together with many graph algorithms. Data structures and algorithms are provided independently of
each other, thanks to OCaml module system. OCamlgraph is distributed as open source, under the LGPL license, at
http://

Mlpost is a tool to draw scientific figures to be integrated in

Functory is a distributed computing library for Objective Caml. The main features of this library include (1) a polymorphic API, (2) several implementations to adapt to different deployment scenarios such as sequential, multi-core or network, and (3) a reliable fault-tolerance mechanism. Functory was presented at JFLA 2011 and at TFP 2011 .

Criteria for Software Self-Assessment: A-2, SO-3, SM-3, EM-3, SDL-4, OC-4.

The Flocq library for the
*Coq*proof assistant is a comprehensive formalization of floating-point arithmetic: core definitions, axiomatic and computational rounding operations, high-level properties
. It provides a framework for developers to formally certify
numerical applications.

It is distributed as open source, under a LGPL license, at
http://

Criteria for Software Self-Assessment: A-3, SO-4, SM-4, EM-3, SDL-4, OC-4.

Given a logical property involving interval enclosures of mathematical expressions, Gappa tries to verify this property and generates a formal proof of its validity. This formal proof can be
machine-checked by an independent tool like the
*Coq*proof-checker, so as to reach a high level of confidence in the certification
.

Since these mathematical expressions can contain rounding operators in addition to usual arithmetic operators, Gappa is especially well suited to prove properties that arise when certifying a numerical application, be it floating-point or fixed-point. Gappa makes it easy to compute ranges of variables and bounds on absolute or relative roundoff errors.

Gappa is being used to certify parts of the mathematical libraries of several projects, including CRlibm, FLIP, and CGAL. It is distributed as open source, under a Cecill-B / GPL
dual-license, at
http://

Criteria for Software Self-Assessment: A-3, SO-4, SM-3, EM-3, SDL-4, OC-4.

The Interval package provides several tactics for helping a
*Coq*user to prove theorems on enclosures of real-valued expressions. The proofs are performed by an interval kernel which relies on a computable formalization of floating-point arithmetic
in
*Coq*.

It is distributed as open source, under a LGPL license, at
http://

In 2010, the Flocq library was used to straighten and fill the floating-point proofs of the Interval package.

Criteria for Software Self-Assessment: A-2, SO-3, SM-2, EM-3, SDL-4, OC-4.

The ALEA library is a
*Coq*development for modeling randomized functional programs as distributions using a monadic transformation. It contains an axiomatisation of the real interval

It is distributed as open source, at
http://

Coccinelle is a Coq library for term rewriting. Besides the usual definitions and theorems of term algebras, term rewriting and term ordering, it also models some of the algorithms
implemented in the CiME toolbox, such a matching, matching modulo associativity-commutativity, computation of the one-step reducts of a term, RPO comparison between two terms, etc. The RPO
algorithm can effectively be run inside Coq, and is used in the Color developement (
http://

Coccinelle is developed by Évelyne Contejean, available at (
http://

P. Herms, together with C. Marché and B. Monate (CEA List), developed a certified VC generator, using Coq. The program for VC calculus and its specifications are both written in Coq, but the code is crafted so that it can be extracted automatically into a stand-alone executable. It is also designed in a way that allows the use of arbitrary first-order theorem provers to discharge the generated obligations . This is a first step towards a certified VC generator for C programs annotated with ACSL .

Until now, we only considered the proof of sequential programs. However the rely/guarantee approach give a natural way to extend deductive verification to concurrent
programs. During his internship supervised by C. Paulin, N. Gaspar explored this idea. He formalised in Coq the axiomatic semantics of a simple concurrent language using the rely-guarranty
approach
and proposed a translation of this language into
*Why*programs in order to automatically generate the proof obligations.

W. Urribarrí, together with C. Paulin, proposed an extension of the
*Why*language with modules and functors together with a refinement calculus in order to organise large developments in a structured and abstract way. She built a prototype
implementation of this calculus.

D. Baelde, in cooperation with P. Courtieu (CNAM), D. Gross-Amblard (U. Bourgogne and Rennes), C. Paulin and X. Urbain proposed a formal proof of security for two watermarking algorithms. The proof uses a reduction of an arbitrary attack unmarking the data to the discovery of a secret key. It has been fully formalized in Coq using the ALEA library. This work has been presented at the conference TYPES 2011 and a paper is in preparation.

Generating multimedia streams, such as in a netradio, is a task which is complex and difficult to adapt to every users' needs. D. Baelde, in cooperation with R. Beauxis (Tulane University, LA, USA) and S. Mimram (CEA List) introduce a novel approach, based on a dedicated high-level functional programming language, called Liquidsoap, for generating, manipulating and broadcasting multimedia streams . Unlike traditional approaches, which are based on configuration files or static graphical interfaces, it also allows the user to build complex and highly customized systems. This language is based on a model for streams and contains operators and constructions, which make it adapted to the generation of streams. The interpreter of the language also ensures many properties concerning the good execution of the stream generation.

The Why3 reimplementation of the
*Why*platform, started in 2010, was publicly released in 2011
. The main developers are A. Paskevich,
J.-C. Filliâtre, F. Bobot, and C. Marché. The language of
*Why*, both programming and annotation parts, was significantly extended: algebraic types, records, pattern matching, recursive logical definitions are now supported. These logical
declarations are structured in modules (a.k.a. theories). The module language comes with an original mechanism for reusing theories in specialized contexts using partial instantiations.
These new features have been presented at the first international workshop on intermediate verification languages (BOOGIE 2011)
and will be presented at VSTTE 2012
.

A. Tafat and C. Marché used the Why3 system to perform a complete proof of the “Binary Heaps” challenge from the VACID-0 international collection . Solving this challenge is a case study for a general approach of abstract interfaces for C programs, currently under development by A. Tafat, based on initial ideas described together with S. Boulmé which were published in a 2011 in a special issue .

In 2011, we set up a web gallery to publicly expose the programs that we specified and proved. This is the so-called ProVal collection of verified programs, and available
at URL
http://

K. Krishnamani and C. Marché proposed a technique for automatically generating loop invariants in C programs. It is based on the well-known predicate
abstraction approach, which is adapted to take into account pre-existing specifications, and to proceed modularly, that is each function of a program is processed independently, with its
own sets of predicates. The approach is also extended in order to generate universally quantified invariants
. The prototype is available as a Frama-C plugin at URL
http://

C. Dross, together with Y. Moy (Adacore) and J.-C. Filliâtre, addressed the problem of verifying programs involving
*containers*. Containers such as lists, vectors, sets or maps are an attractive alternative to ad-hoc data structures based on pointers. C. Dross gave a definition of containers
whose aim is to facilitate their use in certified software, using modern proof technology and novel specification languages. Correct usage of containers and user-provided correctness
properties can be checked either by execution during testing or by formal proof with an automatic prover. It relies on a formal semantics for containers and an axiomatization of this
semantics targeted at automatic provers. C. Dross proved in Coq that the formal semantics is consistent and that the axiomatization thereof is correct. This work was presented at TAP
2011
.

Proving that pointer programs preserve data invariants, in a modular way, is known to be a challenge. R. Bardou and C. Marché designed a new approach based on
advanced static typing systems (based on memory regions and permissions) to control memory updates and ownership of data
. A prototype implementation is built, called Capucine, available
for download at
http://

Separation logic has shown to be an elegant way to deal with programs which use data-structures with pointers. However it requires a specific logical language, provers, and specific reasoning techniques. In his PhD. F. Bobot introduced a technique to express ideas from separation logic in the traditional framework of deductive verification . He proposed to derive “separation predicates” from user-supplied inductive definitions. These predicates come with suitable axiomatization, including frame rules, expressed in usual first-order logic. This translation takes special care to ensure the best use of automated theorem provers.

In his thesis , S. Lescuyer formalized and designed purely reflexive tactics for automated deduction in Coq.

É. Contejean, together with Pierre Courtieu, Julien Forest, Olivier Pons and Xavier Urbain (Cedric Laboratory, CNAM & ENSIIE) presented the last version of the rewriting toolkit CiME3 at RTA 2011 . Amongst other original features, this version enjoys two kinds of engines: to handle and discover proofs of various properties of rewriting systems, and to generate Coq scripts from proof traces given in certification problem format in order to certify them with a skeptical proof assistant like Coq. Thus, these features open the way for using CiME3 to add automation to proofs of termination or confluence in a formal development in the Coq proof assistant.

F. Bobot and A. Paskevich studied translation from a first-order logic with polymorphic types à la ML (which is the base logic of the
*Why*platform and the
*Alt-Ergo*theorem prover) to a many-sorted or one-sorted logic implemented in mainstream automated theorem provers. They devised a three-stage scheme where the last stage eliminates
polymorphic types while adding the necessary “annotations” to preserve soundness, and the first two stages serve to protect certain terms so that they can keep their original types and
unannotated form. Such protection allows to make use of provers' built-in theories and operations. This work generalizes the previous study by S. Lescuyer and J.-F. Couchot
onto arbitrary monomorphic types, e.g. array types. It was
presented at FroCoS 2011
(see also an extended version with full proofs
). These results are part of F. Bobot's PhD thesis
.

T. Nguyen and C. Marché have worked on how to prove floating-point programs while taking into account architecture- and compiler-dependent features such as the use of the x87 stack in Intel micro-processors. This is done by analyzing the assembly code generated by the compiler ,

S. Boldo and C. Marché published a survey article on the proofs of numerical C programs using both automatic provers and Coq .

S. Boldo and T. Nguyen have worked on how to prove numerical programs on multiple architectures and compilers . More precisely, it covers all the compiler choices about the use of extended registers, FMA, and reorganization of additions.

S. Boldo and J.-M. Muller (CNRS, Arénaire, LIP, ÉNS Lyon) have worked on new floating-point algorithms for computing the exact and approximated errors of the FMA (fused multiply-and-add) .

S. Boldo and G. Melquiond have developed in Coq a comprehensive formalization of floating-point arithmetic: core definitions, axiomatic and computational rounding operations, high-level properties . It provides a framework for developers to formally certify numerical applications.

G. Melquiond, in collaboration with F. de Dinechin (Arénaire, LIP, ÉNS Lyon) and C. Lauter (Intel Hillsboro), has improved the methodology for formally proving floating-point mathematical functions when their correctness depends on relative errors .

S. Boldo, J.-C. Filliâtre and G. Melquiond, in collaboration with F. Clément (Estime, INRIA Paris-Rocquencourt) and M. Mayero (University Paris 13) have finished a full formal proof of a program solving a partial differential equation (the wave equation) using a finite difference scheme . This proof includes both the mathematical convergence proof (method error) , a tricky floating-point proof and proofs of the absence of runtime errors.

C. Lelay, under the supervision of S. Boldo and G. Melquiond, has worked on differentiability in Coq. The goal was to prove the existence of a solution to the wave equation thanks to D'Alembert's formula and to automatize the process as much as possible .

G. Melquiond, in collaboration with W. G. Nowak (Institute of Mathmatics, Austria) and P. Zimmermann (Caramel, INRIA Nancy-Lorraine), has designed new methods for computing guaranteed enclosures of the Masser-Gramain constant, a two-dimensional analogue of the Euler-Mascheroni constant .

G. Melquiond, in collaboration with J-M. Muller (CNRS, Arénaire, LIP, ÉNS Lyon) and E. Martin-Dorel (Arénaire, LIP, ÉNS Lyon), has worked on weakening the assumptions floating-point error-free transformations rely on .

The Hi-Lite project (
http://

Hi-Lite is a project aiming at popularizing formal methods for the development of high-integrity software. It targets ease of adoption through a loose integration of formal proofs with testing and static analysis, that allows combining techniques around a common expression of specifications. Its technical focus is on modularity, that allows a divide-and-conquer approach to large software systems, as well as an early adoption by all programmers in the software life cycle.

Our involvements in that project include the use of the Alt-Ergo prover as back-end to already existing tools for SPARK/ADA, and the design of a verification chain for an extended SPARK/ADA
language to verification conditions, via the
*Why*VC generator.

This project is funded by the french ministry of industry (FUI), the Île-de-France region and the Essonne general council for 36 months from September 2010.

In conjunction with the INRIA funding of ADT Alt-Ergo, a specific support contract has started in Sep 09, between INRIA, CEA Saclay and Airbus France at Toulouse. This is to support our efforts for the maintainance and to feature updates of Alt-Ergo, for its use at Airbus software development and certification of avionics critical code.

This 2 years support contract has started in Sep 10, between INRIA and Airbus France at Toulouse. This is to support our efforts for the DO-178B qualification of Alt-Ergo.

Hisseo is a 3 years Digiteo project that started in September 2008.
http://

The Hisseo project focuses on the problems related to the treatment of floating-point computations in the compilation process, especially in the case of the compilation of critical C code.

Partners: CEA List (Saclay), INRIA Paris-Rocquencourt (Team Gallium).

Coquelicot is a 3 years Digiteo project that started in September 2011.
http://

The Coquelicot project aims at creating a modern formalization of the real numbers in Coq, with a focus on practicality. This is sorely needed to ease the verification of numerical applications, especially those involving advanced mathematics.

Partners: LIX (Palaiseau), University Paris 13

Pactole is a 3 year Digiteo project which started in October 2009.

The Pactole project focuses on automation and formal verification for ubiquitous, large scale environments. Tasks include proof automation techniques for distributed systems, verification conditions for fault tolerant distributed systems, specification and design of fundamental services for mobile sensor networks. The principal investigator of Pactole is Xavier Urbain.

Partners: CÉDRIC (CNAM/ENSIIE), LIP6 (UPMC).

U3CAT (Unification of Critical C Code Analysis Techniques) is a project funded by ANR within its programme “Systèmes Embarqués et Grandes Infrastructures - ARPEGE”. It aims at verification techniques of C programs, and is partly a follow-up of the former CAT project. It started in January 2009 and will end in 2012.

The main goal of the project is to integrate various analysis techniques in a single framework, and make them cooperate in a sound way. We address the following general issues:

Verification techniques for floating-point programs;

Specification and verification of dynamic or temporal properties;

Combination of static analysis techniques;

Management of verification sessions and activities;

Certification of the tools chains for compilation and for verification.

Partners: CEA-List (Saclay, project leader), Lande team (INRIA Rennes), Gallium team (INRIA Rocquencourt), Dassault Aviation (Saint-Cloud), Airbus France (Toulouse), ATOS Origin (Toulouse), CNAM Cedric laboratory (Evry), CS Communication & Systems (Toulouse), Hispano-Suiza/Safran (Moissy-Cramayel).

The
*ADT*(Action de Développement Technologique) Alt-Ergo is a 2-years project funded by INRIA, started in September 2009.

The goal is the maturation of the Alt-Ergo prover towards its use in an industrial context in particular for avionics. The expected outcomes of this ADT are the following:

improving the efficiency of Alt-Ergo;

fine tuning of Alt-Ergo for the SMT competition;

generation of counter-examples;

the qualification of Alt-Ergo for the norm DO-178B.

External Collaborators: Airbus France (Toulouse), Dassault Aviation (Saint-Cloud), team Typical (INRIA, École Polytechnique).

FOST (Formal prOofs of Scientific compuTation programs) is a 3 years ANR “Blanc” project started in January 2009. S. Boldo is the principal investigator of this project.
http://

The FOST project follows CerPAN's footprints as it aims at developing new methods to bound the global error of a numerical program. These methods will be very generic in order to prove a large range of numerical analysis programs. Moreover, FOST aims at providing reusable methods that are understandable by non-specialists of formal methods.

Partners: University Paris 13, INRIA Paris - Rocquencourt (Estime).

This project is funded by ANR (program SESUR).
http://

It started on january 2008 for 4 years; the coordinator is Yassine Lakhnech from VERIMAG.

The SCALP project (Security of Cryptographic Algorithms with Probabilities) aims at developing automated tools for the verification of cryptographic systems.

Partners: Verimag, INRIA Sophia-Antipolis(Everest then Marelle team), ENS Lyon, LRI, CNAM.

DECERT (DEduction and CERTification) is an ANR “Domaines Emergents” project. It started on January 2009 for 3 years; the coordinator is Thomas Jensen from the Lande team of IRISA/INRIA Rennes.

The goal of the project DECERT is to design and implement new efficient cooperating decision procedures (in particular for fragments of arithmetics), to standardize output interfaces based on certificates proof objects and to integrate SMT provers with skeptical proof assistants and larger verification contexts such as the Rodin tool for B and the Frama-C/Jessie tool chain for verifying C programs.

The partners are: CEA List, LORIA/INRIA Nancy - Grand Est, IRISA/INRIA Rennes - Bretagne Atlantique, INRIA Sophia Antipolis - Méditerranée, Systerel

Program: COST (European Cooperation in the field of Scientific and Technical Research,
http://

Project acronym: FoVeOOS (IC-0701,
http://

Project title: Formal Verification of Object-Oriented Software

Duration: May 2008 - April 2012

Coordinator: B. Beckert, University Karlsruhe, Germany

Other partners: 40 academic groups among 18 countries in Belgium, Denmark, Estonia, France, Germany, Ireland, Israel, Italy, The Netherlands, New Zealand, Norway, Poland, Portugal, Romania, Spain, Sweden, Switzerland and United Kingdom.

Abstract: The aim of this action is to develop verification technology with the reach and power to assure dependability of object-oriented programs on industrial scale.

D. Ishii (National Institute of Informatics, Japan) visited the team for 8 months to work on applying program verification methods to hybrid systems.

S. Boldo supervised the 6-month post-doc intern of E. Makarov (from University of Vermont, USA) about numerical analysis proofs in higher dimensions.

C. Marché supervised the post-doc intern of K. Krishnamani (from University of Trento, Italy) until August: predicate abstraction techniques for critical C
programs (
http://

S. Conchon and G. Melquiond supervise the post-doc intern of Cody Roux since May 2011: integration of the Gappa theorem prover in the Alt-Ergo SMT solver.

S. Conchon supervises the post-doc intern of D. Cousineau since October 2011: interpretation of Alt-Ergo's proof traces in the Coq proof assistant.

C. Paulin supervised the internship of N. Gaspar (Universidade da Beira Interior, Portugal) from January to September 2011. He studied the formal proof of concurrent programs using a rely-guarantee approach.

E. Contejean, together with V. Benzaken (LRI), supervise the internship of S. Yuan (Zhejiang University, China) from October 2011 to March 2012: Automated constraints verification for databases with SMT solvers.

C. Paulin is the representative of Univ. Paris-Sud for the education part of the EIT KIC ICT Labs. She contributed to the proposition of two master programs as well as the action on weaving Innovation and Entrepreneurship in Doctoral programs and the preparation of the SummerSchool “Imagine the future in ICT”.

At the VSTTE 2010 conference was organized a first and informal program verification competition (
http://

On behalf of the VSTTE 2012 conference (Philadelphia, USA, January 2012), A. Paskevich and J.-C. Filliâtre organized the first formal VSTTE program verification competition (
https://

S. Boldo is member of the editorial committee of the popular science web site
*interstices*,
http://

J.-C. Filliâtre is member of the editorial board of the
*Journal of Functional Programming*.

C. Marché co-edited with B. Beckert a special issue of Elsevier Lectures Notes in Computer Science devoted to selected papers of the conference FoVeOOS'10 .

C. Paulin is member of the editorial board of the
*Journal of Formalized Reasoning*.

J.-C. Filliâtre edited a special issue of Software Tools for Technology Transfer devoted to selected papers of the workshop VSTTE 2009. This includes an introduction paper on deductive software verification .

J.-C. Filliâtre is a member of IFIP Working Group 1.9/2.15 (Verified Software)

S. Conchon, program chair of the Journées Francophones des Langages Applicatifs (JFLA 2011), La Bresse, France, January 2011.

S. Boldo, member of the program committee of JFLA 2011, and the Fourth International Workshop on Numerical Software Verification (NSV 2011, affiliated to CAV).

D. Baelde, G. Melquiond, members of the program committee of JFLA 2012.

É. Contejean is a member of program committees of the ACM SIGPLAN 2011 Workshop on Partial Evaluation and Program Manipulation (PEPM 2011, co-located with POPL, Austin, Texas), the International Workshop on Proof Search in Axiomatic Theories and Type Theories (PSATTT 20011, affiliated to CADE, Wroclaw, Poland).

C. Marché, member of program committees of the 2nd International Conference on Formal Verification of Object-Oriented Software (FoVeOOS 2011, Turin, Italy), the 23rd International Conference on Automated Deduction (CADE 2011, Wroclaw, Poland), and the the first International Workshop on Intermediate Verification Languages (BOOGIE 2011, affiliated to CADE).

C. Paulin, member of the program committee of the second and third conference on Interactive Theorem Proving (ITP 2011 & 2012), and the Fifth ACM SIGPLAN Workshop on Programming Languages meets Program Verification (PLPV 2011), affiliated to POPL.

J.-C. Filliâtre, member of the program committee of the second conference on Interactive Theorem Proving (ITP 2011), the workshop “Analyze to Compile, Compile to Analyze” (ACCA 2011), and the conference Verified Software: Theories, Tools and Experiments (VSTTE 2012).

C. Marché: president of PhD committee of Diego Caminha Barbosa de Oliveira (University Nancy 2, March 14th, 2011)

C. Marché: reviewer, PhD of Beatriz Alarcón (University of Valencia, Spain, May 26th, 2011)

C. Marché: reviewer, PhD of Mauricio Alba Castro (University of Valencia, Spain, Nov 25th, 2011)

C. Marché: reviewer, PhD of Séverine Maingaud (University Paris 7, Dec 13th, 2011)

C. Paulin: examinator, PhD of Mathias Krieger (University Paris-Sud 11, Dec 9th, 2011)

S. Boldo, “Contours de la communauté”, invited talk at the
*4es Rencontres Arithmétique de l'Informatique Mathématique*(RAIM'11) in Perpignan. (Collected data about the outline of the computer arithmetic community in France: sites, themes,
fundings...).

J.-C. Filliâtre, “Memo Tables”, invited at the IFIP Working Group 2.8
*Functional Programming*(Marble Falls, Texas, USA, March 7–11, 2011).

P. Herms, “Certification of a Verification Condition Generator in Coq”, seminar of the Gallium-Moscova teams, Rocquencourt, June 20th.

C. Marché, “Verifying Behavioral Specifications of Programs: the Why Approach”, seminar of the ELP team, Departamento de Sistemas Informáticos y Computación, Universidad Politécnica de Valencia, Spain, March 25th.

T. Nguyen, “Hardware-independent proofs of numerical programs ”, seminar of the Arenaire team, Lyon, January 20th.

C. Paulin, “About Inductive-Recursive Definitions in Coq”, invited speaker at the workshop on Proofs and Programs, Gothenburg, Sweden, Oct. 22th.

S. Conchon, E. Contejean and M. Iguernelala got the award 2011 of the European Association for Theoretical Computer Science
http://

C. Paulin received an honorary doctorate from the University of Gothenburg in Sweden on October 21, 2011.

S. Boldo, elected member of the Inria Evaluation Committee.

S. Boldo, member of the CLHS ,
*comité local hygiène et sécurité*and member of the CLFP,
*comité local de formation permanente*.

S. Boldo, member of the committee for the monitoring of PhD students (
*commission de suivi des doctorants*).

S. Boldo, member of the MECSI group for networking about computer science popularization inside INRIA.

C. Paulin participates to the board of INRIA Saclay - Île-de-France Comité des Projets (assembly of Team leaders).

C. Paulin is a member of the “Commission Scientifique” (in charge of selecting PhD students, post-doc, invited researchers funded by INRIA Saclay - Île-de-France).

E. Contejean and C. Marché, nominated members of the
*“conseil du laboratoire”*of LRI since April 2010.

C. Marché, French National Coordinator for the COST action “Formal Verification of Object-Oriented Programs” (2008-2012).

C. Marché (since April 2007) and C. Paulin (since Sep. 2010) , members of the program committee of Digiteo Labs, the world-class research park in
*Île-de-France*region dedicated to information and communication science and technology,
http://

C. Marché, member of the selection committee of the “DIM Logiciels et Systèmes Complexes”, providing grants to research projects, funded by
*Île-de-France*regional council and Digiteo cluster,
http://

G. Melquiond, elected officer of the IEEE-1788 standardization committee on interval arithmetic since 2008.

G. Melquiond, C. Paulin, members of the
*“commission consultative de spécialistes de l'université”*, Section 27, University Paris-Sud since April 2010.

G. Melquiond is an examiner for the computer science entrance exam to École Normale Supérieure since 2010.

C. Paulin, director of the Graduate school in Computer Science at University Paris Sud
http://

C. Paulin is deputy director of the LRI.

C. Paulin was the president of an hiring committee for a professor position at University Paris-Sud. She participated to two hiring commitees (professor position at ENSEEIHT Toulouse and assistant professor for the PPS laboratory at University Paris Diderot)

C. Paulin participated to the review panels for the German Excellence Initiative proposals for Graduate Schools in informatics.

J.-C. Filliâtre is
*correcteur au concours d'entrée à l'École Polytechnique*(computer science examiner for the entrance exam at École Polytechnique) since 2008.

X. Urbain, hiring committee for an assistant professor position at École Centrale, Paris (Spring 2011).

X. Urbain is an elected member of the board (
*“conseil d'administration”*) of École Nationale Supérieure d'Informatique pour l'Industrie et l'Entreprise (ENSIIE). Since July he is head of the teaching departement of ENSIIE.

Alt-Ergo is now used in the Spark Pro toolset, developed by Altran-Praxis, for the engineering of high-assurance software. Alt-Ergo can be used by customers as an alternate prover for automatically proving verification conditions.

As part of the qualification process of Alt-Ergo with Airbus industry (DO-178B), the technical documents (functional specifications and benchmark suite) have been accepted by Airbus. These documents will be submitted by Airbus to the certification authorities in 2012.

S. Conchon has started a collaboration with S. Krstic and A. Goel (Intel Strategic Cad Labs in Hillsboro, OR, USA) that aims in the development of an SMT-based model checker. With A. Mebsout and F. Zaidi (ForTesSe, LRI), they implement the Cubicle model checker which uses the Alt-Ergo theorem prover to discharge its proof obligations.

The Adacore company (Paris) implements a new tool GnatProve which aims at formal verification of Ada programs. They translate annotated Ada code into the
*Why*3 intermediate language and then use the
*Why*3 system to generate proof obligations and discharge them with available back-end provers.

J.-C. Filliâtre and C. Marché have started a collaboration with D. Mentré at Mitsubishi Electric R&D Centre Europe (Rennes), about the use of the
*Why*3 environment and its back-end provers as an alternative to the built-in prover of Atelier B.

Since April 2008, S. Boldo is member of the editorial committee of the popular science web site )i(:
http://

Since July 2009, S. Boldo is elected member of the board of the Animath association that promotes mathematics among young people.

S. Boldo, in collaboration with T. Viéville (INRIA Nancy Grand-Est) wrote two chapters of the book “Introduction à la science informatique”, edited by G. Dowek , . This book aims at helping the secondary school teachers for the incoming computer science teaching.

Licence (DUT): “Programmation Java” (L2), “Projet professionnel et Personnel” (L1), “Architecture” (L1), “Bases de données” (L2), A. Tafat (64h, “moniteur” position), Université Paris-Sud (IUT d'Orsay), France

Licence (DUT): “Systèmes d'exploitation” (L1), “Architecture des ordinateurs” (L1), M. Iguernelala (64h, “moniteur” position), Université Paris-Sud (IUT d'Orsay), France

Licence (DUT): “Systèmes d'exploitation” (L1 and L2), “Réseaux” (L2), A. Paskevich (156h), Université Paris-Sud (IUT d'Orsay), France

Licence : “Mathématiques pour l'Informatique” (L2), C. Paulin (50h), D. Baelde (20h), Université Paris-Sud, France

Licence professionnelle: “Programmation concurrente” (L3), A. Paskevich (36h), Université Paris-Sud (IUT d'Orsay), France

Licence: “Langages de programmation et compilation” (L3), J.-C. Filliâtre (24h), École Normale Supérieure, France

Licence: “INF421” (L3) et “INF431” (L3), J.-C. Filliâtre (70h), École Polytechnique, France

Licence: “Programmation fonctionnelle” (L3), S. Conchon (50h), Université Paris-Sud, France

Licence: “Programmation fonctionnelle” (L3), “Projet de programmation” (L3), F. Bobot (64h, “moniteur” position), Université Paris-Sud, France

Master: “Compilation” (M1), C. Paulin (50h), D. Baelde (28h), Université Paris-Sud, France

Master: “Projet de compilation” (M1), R. .Bardou (64h, “moniteur” position), Université Paris-Sud, France

Master Parisien de Recherche en Informatique (MPRI)
http://

Master Parisien de Recherche en Informatique (MPRI)
http://

Master Parisien de Recherche en Informatique (MPRI)
http://

8th LASER Summer School on Software Engineering
http://

Supervision of internships

S. Boldo and G. Melquiond supervised the internship of C. Lelay about differentiability in Coq (Master Logique Mathématique et Fondements de l'Informatique, Univ. Paris Diderot).

PhD & HdR:

HDR: J.-C. Filliâtre, Deductive Program Verification , Université Paris-Sud, Dec. 2nd 2011

PhD: S. Lescuyer, Formalizing and Implementing a Reflexive Tactic for Automated Deduction in Coq , Université Paris-Sud, Jan. 4th 2011, S. Conchon and É. Contejean

PhD: R. Bardou, Verification of Pointer Programs Using Regions and Permissions , Université Paris-Sud, Oct. 14th 2011, C. Marché

PhD: F. Bobot, Logique de séparation et vérification déductive , Université Paris-Sud, Dec. 12 2011, J.-C. Filliâtre

PhD in progress: T. Nguyen, Formal Proof of Numerical Programs with respect to Architecture and Compiler, since February 2009, S. Boldo, C. Marché

PhD in progress: M. Iguernelala, Forward and Backward Strategies in SMT solvers, since September 2009, S. Conchon, É. Contejean

PhD in progress: A. Tafat, Modular Verification of Pointer Programs, since September 2009, C. Marché

PhD in progress: P. Herms, Certification of a Tool Chain for Verification of C programs, since October 2009, C. Marché, B. Monate (CEA List)

PhD in progress: C. Dross, Theories and Techniques for Automated Proof of programs, since January 2011, S. Conchon, C. Marché, A. Paskevich, and industrial supervisors Y. Moy and J. Kanig from AdaCore company.

PhD in progress: Alain Mebsout, SMT-based Model-Checking, since September 2011, F. Zaidi, S. Conchon

PhD in progress: C. Lelay, Real numbers for the Coq proof assistant, since October 2011, S. Boldo, G. Melquiond.

PhD in progress: A. J. Compaore, Rewriting Techniques for (Space and Time) Simulation of Biological Processes, since November 2007, defence in Feb. 2012, X. Urbain and P. Le Gall (ECP & Université Évry).

PhD in progress: Z. Bouzid, Models and Algorithms for Emerging Systems, since October 2009, X. Urbain and S. Tixeuil, M. Gradinariu Potop-Butucaru (Université Paris 6).

PhD stopped: W. Urribarrí, Towards certified libraries, from Nov. 2006 to Sep. 2011. W. Urribarrí is now an engineer “development of secure software” at ClearSy.