Project Team Proval

Members
Overall Objectives
Scientific Foundations
Application Domains
Software
New Results
Contracts and Grants with Industry
Partnerships and Cooperations
Dissemination
Bibliography
PDF e-pub XML


Section: Scientific Foundations

Interactive proofs of programs

Participants : Sylvie Boldo, Évelyne Contejean, Jean-Christophe Filliâtre, Guillaume Melquiond, Christine Paulin-Mohring.

Higher-order strongly typed programming languages such as Objective Caml help improving the quality of software development. Static typing automatically detects possible execution errors. Higher-order functions, polymorphism, modules and functors are powerful tools for the development of generic reusable libraries. Our general goal is to enrich such a software environment with a language of annotations as well as libraries for datatypes, abstract notions and associated theorems which can express logical properties of programs and ease the possibility to automatically and interactively develop proofs of correctness of the programs.

In the past, we made contributions to the Coq proof assistant by adding functionalities for improving the development of formally proved functional programs. A first contribution is a new method to extract OCaml modular code from Coq proofs (P. Letouzey PhD thesis [80] , [81] ). This extraction mechanism is an original feature for the Coq system, and has been used by several teams around the world in order to get efficient certified code  [78] . Another contribution (M. Sozeau PhD thesis  [91] , [92] ) is an extension of the Coq input language for building programs with strong specifications by writing only the computational part and generating separately proof obligations (which are usually solved by tactics) and also a mechanism generalizing Type Classes à la Haskell which gives overloading in programs and proofs and facilitates the development of generic tactics..

We are using the capability of the Coq system to model both computation and deduction in order to explore different classes of applications. These examples involve the development of large reusable Coq libraries and suggest domain-specific specification and proof strategies.

Randomized algorithms

C. Paulin in collaboration with Ph. Audebaud from ENS Lyon, proposed a method for modeling probabilistic programs in Coq  [49] . The method is based on a monadic interpretation of probabilistic programs as probability measures. A large Coq library has been developed and made publicly available (see also Section 5.12 ). D. Baelde has been using this library to formally prove the security of Watermarking algorithms (see also section 6.1 ).

Floating-point programs

Many industrial programs (weather forecasts, plane trajectories, simulations...) use floating-point computations, typically double precision floating-point numbers  [93] . Even if each computation is as good as it can be (except for elementary functions like sine, or exponential), the final result may be very wrong with no warnings, or the program will produce unexpected behaviors (like division by zero). This is the reason why guarantees should be provided to the user. We mean to guarantee for example that, for all or part of the possible inputs, the result obtained is correct (or near enough) and that no exceptional behavior will occur  [55] .

A high level of guarantee is obtained by formal proofs in Coq. We maintain and develop large Coq libraries for floating-point arithmetic: core definitions, axiomatic and computational rounding operations, high-level properties. It provides a framework for developers to formally certify numerical applications. A new such library is described in Section  5.9 .

Certification of tools

Certifying the result of tools for analysing programs is a good challenge in the domain of proofs of higher-order functional programs. We obtained several results concerning formal proofs in Coq corresponding to automated deduction. These results are described in Section  3.3 .

A PhD thesis started in Sep. 2009 has for main objective the development of a certified version the Frama-C/Jessie/Why verification chain.