The *Toccata* team (http://

The general objective of the Toccata project is to promote formal specification and computer-assisted proof in the development of software that requires high assurance in terms of safety and correctness with respect to the intended behavior of the software.

The importance of software in critical systems increased a lot in the last decade. Critical software appears in various application domains like transportation (e.g., aviation, railway), communication (e.g., smartphones), banking, etc. The number of tasks performed by software is quickly increasing, together with the number of lines of code involved. Given the need of high assurance of safety in the functional behavior of such applications, the need for automated (i.e., computer-assisted) methods and techniques to bring guarantee of safety became a major challenge. In the past and at present, the most widely used approach to check safety of software is to apply heavy test campaigns. These campaigns take a large part of the costs of software development, yet they cannot ensure that all the bugs are caught.

Generally speaking, software verification approaches pursue three goals: (1) verification should be sound, in the sense that no bugs should be missed, (2) verification should not produce false alarms, or as few as possible (3) it should be as automated as possible. Reaching all three goals at the same time is a challenge. A large class of approaches emphasizes goals (2) and (3): testing, run-time verification, symbolic execution, model checking, etc. Static analysis, such as abstract interpretation, emphasizes goals (1) and (3). Deductive verification emphasizes (1) and (2). The Toccata project is mainly interested in exploring the deductive verification approach, although we also consider the others in some cases.

In the past decade, there has been significant progress made in the
domain of deductive program verification. They are emphasized by some
success stories of application of these techniques on industrial-scale
software. For example, the *Atelier B* system was used to develop part of
the embedded software of the Paris metro line 14 and
other railroad-related systems; a formally proved C compiler was
developed using the Coq proof assistant ; Microsoft's
hypervisor for highly secure virtualization was verified using
VCC and the Z3 prover ; the
L4-verified project developed a formally verified micro-kernel with
high security guarantees, using analysis tools on top of the
Isabelle/HOL proof assistant . Another sign of
recent progress is the emergence of deductive verification
competitions (e.g., VerifyThis , VScomp ).

Finally, recent trends in the industrial practice for development of critical software is to require more and more guarantees of safety, e.g., the upcoming DO-178C standard for developing avionics software adds to the former DO-178B the use of formal models and formal methods. It also emphasizes the need for certification of the analysis tools involved in the process.

There are two main families of approaches for deductive
verification. Methods in the first family build on top of mathematical
proof assistants (e.g., Coq, Isabelle) in which both the model and the
program are encoded; the proof that the program meets its
specification is typically conducted in an interactive way using the
underlying proof construction engine. Methods from the second family
proceed by the design of standalone tools taking as input a program in
a particular programming language (e.g., C, Java) specified with a
dedicated annotation language (e.g., ACSL ,
JML ) and automatically producing a set of
mathematical formulas (the *verification conditions*) which are
typically proved using automatic provers (e.g., Z3,
Alt-Ergo , CVC3 , CVC4).

The first family of approaches usually offers a higher level of assurance than the second, but also demands more work to perform the proofs (because of their interactive nature) and makes them less easy to adopt by industry. Moreover, they do not allow to directly analyze a program written in a mainstream programming language like Java or C. The second kind of approaches has benefited in the past years from the tremendous progress made in SAT and SMT solving techniques, allowing more impact on industrial practices, but suffers from a lower level of trust: in all parts of the proof chain (the model of the input programming language, the VC generator, the back-end automatic prover), potential errors may appear, compromising the guarantee offered. Moreover, while these approaches are applied to mainstream languages, they usually support only a subset of their features.

In the former ProVal project, we have been working on the design of
methods and tools for deductive verification of programs. One of our
original skills was the ability to conduct proofs by using automatic
provers and proof assistants at the same time, depending on the
difficulty of the program, and specifically the difficulty of each
particular verification condition. We thus believe that we are in a good
position to propose a bridge between the two families of approaches of
deductive verification presented above.
Establishing this bridge is one of the goals of the Toccata project:
we want to provide methods and tools for deductive program
verification that can offer both a high amount of proof automation
and a high guarantee of validity. Toward this objective, a new axis
of research was proposed: the development of *certified* analysis
tools that are themselves formally proved correct.

The reader should be aware that the word “certified”
in this scientific programme means “verified by a formal specification
and a formal proof that the program meets this specification”. This
differs from the standard meaning of “certified” in an industrial
context where it means a conformance to some rigorous process and/or
norm. We believe this is the right term to use, as it was used for the
*Certified Compiler* project , the new
conference series *Certified Programs and Proofs*, and more
generally the important topics of *proof certificates*.

In industrial applications, numerical calculations are very common (e.g. control software in transportation). Typically they involve floating-point numbers. Some of the members of Toccata have an internationally recognized expertise on deductive program verification involving floating-point computations. Our past work includes a new approach for proving behavioral properties of numerical C programs using Frama-C/Jessie , various examples of applications of that approach , the use of the Gappa solver for proving numerical algorithms , an approach to take architectures and compilers into account when dealing with floating-point programs , . We also contributed to the Handbook of Floating-Point Arithmetic . A representative case study is the analysis and the proof of both the method error and the rounding error of a numerical analysis program solving the one-dimension acoustic wave equation . Our experience led us to a conclusion that verification of numerical programs can benefit a lot from combining automatic and interactive theorem proving , . Certification of numerical programs is the other main axis of Toccata.

Our scientific programme in structured into four objectives:

deductive program verification;

automated reasoning;

formalization and certification of languages, tools and systems;

proof of numerical programs.

We detail these objectives below.

Permanent researchers: A. Charguéraud, S. Conchon, J.-C. Filliâtre, C. Marché, G. Melquiond, A. Paskevich

This ecosystem is central in our work; it is displayed on Figure . The boxes in red background correspond to the tools we develop in the Toccata team.

The initial design of Why3 was presented in 2012 , . In the past years, the main improvements concern the specification language (such as support for higher-order logic functions ) and the support for provers. Several new interactive provers are now supported: PVS 6 (used at NASA), Isabelle2014 (planned to be used in the context of Ada program via Spark), and Mathematica. We also added support for new automated provers: CVC4, Metitarski, Metis, Beagle, Princess, and Yices2. More technical improvements are the design of a Coq tactic to call provers via Why3 from Coq, and the design of a proof session mechanism . Why3 was presented during several invited talks , , , .

J.-C. Filliâtre, L. Gondelman, and A. Paskevich have designed a general approach to the concept of ghost code which is a subset of program code that serves the purposes of specification and verification: it can be erased from the program without affecting its result. This work forms the basis of the support for ghost code in Why3.

At the level of the C front-end of Why3 (via Frama-C), we have
proposed an approach to add a notion of refinement on C
programs , and an approach to reason about
pointer programs with a standard logic, via *separation predicates*

The Ada front-end of Why3 has mainly been developed during the past three
years, leading to the release of SPARK2014 (http://

In collaboration with J. Almeida, M. Barbosa, J. Pinto, and B. Vieira (University do Minho, Braga, Portugal), J.-C. Filliâtre has developed a method for certifying programs involving cryptographic methods. It uses Why as an intermediate language .

With M. Pereira and S. Melo de Sousa (Universidade da Beira Interior, Covilhã, Portugal), J.-C. Filliâtre has developed an environment for proving ARM assembly code. It uses Why3 as an intermediate VC generator. It was presented at the Inforum conference (best student paper).

A. Charguéraud has recently extended his tool
CFML to
support, in addition to the verification of the full functional
correctness of a piece of code, the verification of the asymptotic
complexity of the code .
Even though it had been previously
established that, in theory, amortized analysis can be explained as
the manipulation of *time credits*, and that time credits can be
encoded as resources in Separation Logic, CFML is the first
practical tool to support the formal verification of amortized
analyses for arbitrarily complex pieces of code.

S. Conchon and A. Mebsout, in collaboration with F. Zaïdi (VALS team, LRI), A. Goel and S. Krstić (Strategic Cad Labs, INTEL) have proposed a new model-checking approach for verifying safety properties of array-based systems. This is a syntactically restricted class of parametrized transition systems with states represented as arrays indexed by an arbitrary number of processes. Cache coherence protocols and mutual exclusion algorithms are typical examples of such systems. It was first presented at CAV 2012 and detailed further . It was applied to the verification of programs with fences . The core algorithm has been extended with a mechanism for inferring invariants. This new algorithm, called BRAB, is able to automatically infer invariants strong enough to prove industrial cache coherence protocols. BRAB computes over-approximations of backward reachable states that are checked to be unreachable in a finite instance of the system. These approximations (candidate invariants) are then model-checked together with the original safety properties. Completeness of the approach is ensured by a mechanism for backtracking on spurious traces introduced by too coarse approximations , .

In the context of the ERC DeepSea project *chunked sequence* data structure
that supports logarithmic concatenation and splitting, motivated
by application to parallelism.
In particular, A. Charguéraud and his co-authors have built, on top of
the aforementioned work,
fast and robust parallel graph traversal algorithms
for parallel BFS and parallel DFS , .

To provide an easy access to the case studies that we develop using
Why3 and its front-ends, we have published a *gallery of verified
programs* on our web page
http://

Other case studies that led to publications are the design of a
library of data-structures based on
AVLs , and the verification a two-lines
C program (solving the

A. Charguéraud put the new *time credit* extension of CFML
to practice to verify the correctness and asympotic complexity of
a *chunked sequence*
data structure , particularly challenging due
to its use of Tarjan's data structural bootstrapping technique.
Furthermore, A. Charguéraud and F. Pottier applied they same approach
to formalize an efficient implementation of the classic Union Find
data structure, which features the bound expressed in terms of the inverse
Ackermann function .

For other case studies, see also sections of numerical programs and formalization of languages and tools.

Several research groups in the world develop their own approaches, techniques, and tools for deductive verification. With respect to all these related approaches and tools, our originality is our will to use more sophisticated specification languages (with inductive definitions, higher-order features and such) and the ability to use a large set of various theorem provers, including the use of interactive theorem proving to deal with complex functional properties.

The RiSE
team

The KeY project

The “software engineering” group at Augsburg, Germany,
develops the KIV
system

The VeriFast
system

The Mobius Program Verification
Environment

The Lab for Automated Reasoning and Analysis

The TLA environment

The F* project

The KeY and KIV environments mentioned above are partly based on interactive theorem provers. There are other approaches on top of general-purpose proof assistants for proving programs that are not purely functional:

The Ynot project

Front-ends to Isabelle were developed to deal with simple sequential imperative programs or C programs . The L4-verified project is built on top of Isabelle.

Permanent researchers: S. Conchon, É. Contejean, G. Melquiond, A. Paskevich

J. C. Blanchette and A. Paskevich have designed an extension to the TPTP TFF (Typed First-order Form) format of theorem proving problems to support rank-1 polymorphic types (also known as ML-style parametric polymorphism) . This extension, named TFF1, has been incorporated in the TPTP standard.

S. Conchon defended his *habilitation à diriger des
recherches* in December 2012. The memoir
provides a useful survey of the scientific work of the
past 10 years, around the SMT solving techniques, that led to the
tools Alt-Ergo and Cubicle as they are nowadays.

C. Dross, J. Kanig, S. Conchon, and A. Paskevich have proposed a
generic framework for adding a decision procedure for a theory or a
combination of theories to an SMT prover. This mechanism is based
on the notion of instantiation patterns, or *triggers*, which
restrict instantiation of universal premises and can effectively
prevent a combinatorial explosion. A user provides an
axiomatization with triggers, along with a proof of completeness and
termination in the proposed framework, and obtains in return a sound,
complete and terminating solver for his theory. A prototype
implementation was realized on top of
Alt-Ergo. As a case study, a feature-rich
axiomatization of doubly-linked lists was proved complete and
terminating . C. Dross
defended her PhD thesis in April 2014 . The
main results of the thesis are: (1) a formal semantics of the notion
of *triggers* typically used to control quantifier
instantiation in SMT solvers, (2) a general setting to show how a
first-order axiomatization with triggers can be proved correct,
complete, and terminating, and (3) an extended DPLL(T) algorithm to
integrate a first-order axiomatization with triggers as a decision
procedure for the theory it defines. Significant case studies were
conducted on examples coming from SPARK programs, and on the
benchmarks on B set theory constructed within the BWare project.

S. Conchon, É. Contejean and M. Iguernelala have presented a modular
extension of ground AC-completion for deciding formulas in the
combination of the theory of equality with user-defined AC symbols,
uninterpreted symbols and an arbitrary signature-disjoint Shostak
theory X . This work extends the results presented
in by showing that a simple preprocessing
step allows to get rid of a full AC-compatible reduction ordering,
and to simply use a partial multiset extension of a
*non-necessarily AC-compatible* ordering.

S. Conchon, M. Iguernelala, and A. Mebsout have designed a collaborative framework for reasoning modulo simple properties of non-linear arithmetic . This framework has been implemented in the Alt-Ergo SMT solver.

S. Conchon, G. Melquiond and C. Roux have described a dedicated procedure for a theory of floating-point numbers which allows reasoning on approximation errors. This procedure is based on the approach of the Gappa tool: it performs saturation of consequences of the axioms, in order to refine bounds on expressions. In addition to the original approach, bounds are further refined by a constraint solver for linear arithmetic . This procedure has been implemented in Alt-Ergo.

In collaboration with A. Mahboubi (Inria project-team Typical), and G. Melquiond, the group involved in the development of Alt-Ergo have implemented and proved the correctness of a novel decision procedure for quantifier-free linear integer arithmetic . This algorithm tries to bridge the gap between projection and branching/cutting methods: it interleaves an exhaustive search for a model with bounds inference. These bounds are computed provided an oracle capable of finding constant positive linear combinations of affine forms. An efficient oracle based on the Simplex procedure has been designed. This algorithm is proved sound, complete, and terminating and is implemented in Alt-Ergo.

Most of the results above are detailed in M. Iguernelala's PhD thesis .

We have been quite successful in the application of Alt-Ergo to industrial development: qualification by Airbus France, integration of Alt-Ergo into the Spark Pro toolset.

In the context of the BWare project, aiming at using Why3 and Alt-Ergo for discharging proof obligations generated by Atelier B, we made progress into several directions. The method of translation of B proof obligations into Why3 goals was first presented at ABZ'2012 . Then, new drivers have been designed for Why3, in order to use new back-end provers Zenon modulo and iProver modulo. A notion of rewrite rule was introduced into Why3, and a transformation for simplifying goals before sending them to back-end provers was designed. Intermediate results obtained so far in the project were presented both at the French conference AFADL and at ABZ'2014 .

On the side of Alt-Ergo, recent developments have been made to efficiently discharge proof obligations generated by Atelier B. This includes a new plugin architecture to facilitate experiments with different SAT engines, new heuristics to handle quantified formulas, and important modifications in its internal data structures to boost performances of core decision procedures. Benchmarks realized on more than 10,000 proof obligations generated from industrial B projects show significant improvements .

Hybrid automatons interleave continuous behaviors (described by differential equations) with discrete transitions. D. Ishii and G. Melquiond have worked on an automated procedure for verifying safety properties (that is, global invariants) of such systems .

Automated Theorem Proving is a large community, but several sub-groups can be identified:

The SMT-LIB community gathers people interested in reasoning
modulo theories. In this community, only a minority of participants are
interested in supporting first-order quantifiers at the same time as
theories. SMT solvers that support quantifiers are Z3 (Microsoft
Research Redmond, USA), CVC3 and its successor CVC4

The TPTP community gathers people interested in first-order theorem proving.

Other Inria teams develop provers: veriT by team Veridis, and Psyche by team Parsifal.

Other groups develop provers dedicated to very specific cases,
such as
Metitarski *cf* objective 4.

It should be noticed that a large number of provers mentioned above are connected to Why3 as back-ends.

Permanent researchers: S. Boldo, A. Charguéraud, É. Contejean, C. Marché, G. Melquiond, C. Paulin

S. Boldo, C. Lelay, and G. Melquiond have worked on the Coquelicot library, designed to be a user-friendly Coq library about real analysis . An easier way of writing formulas and theorem statements is achieved by relying on total functions in place of dependent types for limits, derivatives, integrals, power series, and so on. To help with the proof process, the library comes with a comprehensive set of theorems and some automation. We have exercised the library on several use cases: on an exam at university entry level , for the definitions and properties of Bessel functions , and for the solution of the one-dimensional wave equation . We have also conducted a survey on the formalization of real arithmetic and real analysis in various proof systems .

Watermarking techniques are used to help identify copies of publicly released information. They consist in applying a slight and secret modification to the data before its release, in a way that should remain recognizable even in (reasonably) modified copies of the data. Using the Coq Alea library, which formalizes probability theory and probabilistic programs, D. Baelde together with P. Courtieu, D. Gross-Amblard from Rennes and C. Paulin have established new results about the robustness of watermarking schemes against arbitrary attackers . The technique for proving robustness is adapted from methods commonly used for cryptographic protocols and our work illustrates the strengths and particularities of the Alea style of reasoning about probabilistic programs.

P. Herms, together with C. Marché and B. Monate (CEA List), has developed a certified VC generator, using Coq. The program for VC calculus and its specifications are both written in Coq, but the code is crafted so that it can be extracted automatically into a stand-alone executable. It is also designed in a way that allows the use of arbitrary first-order theorem provers to discharge the generated obligations . On top of this generic VC generator, P. Herms developed a certified VC generator for C source code annotated using ACSL. This work is the main result of his PhD thesis .

A. Tafat and C. Marché have developed a certified VC generator using Why3 , . The challenge was to formalize the operational semantics of an imperative language, and a corresponding weakest precondition calculus, without the possibility to use Coq advanced features such as dependent types or higher-order functions. The classical issues with local bindings, names and substitutions were solved by identifying appropriate lemmas. It was shown that Why3 can offer a significantly higher amount of proof automation compared to Coq.

The full formalization of the JavaScript language specification,
following the prose from the *ECMAScript Language
Specification, version 5*, has been completed by the *JsCert*
team , which includes A. Charguéraud from
Toccata and 7 collaborators from Imperial College and Inria
Rennes. For describing the 600+ evaluation rules, we have relied on a novel
technique: the *pretty-big-step* semantics, which was developed
by A. Charguéraud .
The formalization led to the discovery of bugs in the official
standard, in the official test suites, and in all major browsers. It
has raised the interest of several members of the ECMAScript
standardization committee, and that of the developers of secure
subsets for JavaScript.

M. Clochard, C. Marché, and A. Paskevich have developed a general setting for developing programs involving binders, using Why3. This approach was successfully validated on two case studies: a verified implementation of untyped lambda-calculus and a verified tableaux-based theorem prover .

M. Clochard, J.-C. Filliâtre, C. Marché, and A. Paskevich
have developed a case study on the formalization of semantics of
programming languages using
Why3 . This case study aims at
illustrating recent improvements of Why3 regarding the support for
higher-order logic features in the input logic of Why3, and how
these are encoded into first-order logic, so that goals can be
discharged by automated provers. This case study also illustrates
how reasoning by induction can be done without need for
interactive proofs, via the use of *lemma functions*.

M. Clochard and L. Gondelman have developed a formalization of a simple compiler in Why3 . It compiles a simple imperative language into assembler instructions for a stack machine. This case study was inspired by a similar example developed using Coq and interactive theorem proving. The aim is to improve significantly the degree of automation in the proofs. This is achieved by the formalization of a Hoare logic and a Weakest Precondition Calculus on assembly programs, so that the correctness of compilation is seen as a formal specification of the assembly instructions generated.

S. Dumbrava and É. Contejean, with
V. Benzaken (VALS team, at LRI) have proposed a *Coq*
formalization of the relational data model which underlies
relational database systems. More precisely, we have presented
and formalized the data definition part of the model including
integrity constraints. We have also
modeled two different query language formalisms: relational
algebra and conjunctive queries. Finally, we have presented logical query
optimization and proved the main “database theorems”: algebraic
equivalences, the homomorphism theorem and conjunctive query
minimization .

The objective of formalizing languages and algorithms is very general, and it is pursued by several Inria teams. One common trait is the use of the Coq proof assistant for this purpose: Pi.r2 (development of Coq itself and its meta-theory), Gallium (semantics and compilers of programming languages), Marelle (formalization of mathematics), SpecFun (real arithmetic), Celtique (formalization of static analyzers).

Other environments for the formalization of languages include

ACL2
system

Isabelle
environment

The team “Trustworthy Systems” at NICTA in
Australia

The PVS system

In the Toccata team, we do not see these alternative environments as competitors, even though, for historical reasons, we are mainly using Coq. Indeed both Isabelle and PVS are available as back-ends of Why3.

Permanent researchers: S. Boldo, C. Marché, G. Melquiond

Linked with objective 1 (Deductive Program Verification), the methodology for proving numerical C programs has been presented by S. Boldo in her habilitation and as invited speaker . An application is the formal verification of a numerical analysis program. S. Boldo, J.-C. Filliâtre, and G. Melquiond, with F. Clément and P. Weis (POMDAPI team, Inria Paris - Rocquencourt), and M. Mayero (LIPN), completed the formal proof of the second-order centered finite-difference scheme for the one-dimensional acoustic wave .

Several challenging floating-point algorithms have been studied and proved. This includes an algorithm by Kahan for computing the area of a triangle: S. Boldo proved an improvement of its error bound and new investigations in case of underflow . This includes investigations about quaternions. They should be of norm 1, but due to the round-off errors, a drift of this norm is observed over time. C. Marché determined a bound on this drift and formally proved it correct . P. Roux formally verified an algorithm for checking that a matrix is semi-definite positive . The challenge here is that testing semi-definiteness involves algebraic number computations, yet it needs to be implemented using only approximate floating-point operations.

Because of compiler optimizations (or bugs), the floating-point semantics of a program might change once compiled, thus invalidating any property proved on the source code. We have investigated two ways to circumvent this issue, depending on whether the compiler is a black box. When it is, T. Nguyen has proposed to analyze the assembly code it generates and to verify it is correct . On the contrary, S. Boldo and G. Melquiond (in collaboration with J.-H. Jourdan and X. Leroy) have added support for floating-point arithmetic to the CompCert compiler and formally proved that none of the transformations the compiler applies modify the floating-point semantics of the program .

Linked with objectives 2 (Automated Reasoning) and 3 (Formalization and Certification of Languages, Tools and Systems), G. Melquiond has implemented an efficient Coq library for floating-point arithmetic and proved its correctness in terms of operations on real numbers . It serves as a basis for an interval arithmetic on which Taylor models have been formalized. É. Martin-Dorel and G. Melquiond have integrated these models into CoqInterval . This Coq library is dedicated to automatically proving the approximation properties that occur when formally verifying the implementation of mathematical libraries (libm).

Double rounding occurs when the target precision of a floating-point computation is narrower than the working precision. In some situations, this phenomenon incurs a loss of accuracy. P. Roux has formally studied when it is innocuous for basic arithmetic operations . É. Martin-Dorel and G. Melquiond (in collaboration with J.-M. Muller) have formally studied how it impacts algorithms used for error-free transformations . These works were based on the Flocq formalization of floating-point arithmetic for Coq.

By combining multi-precision arithmetic, interval arithmetic, and massively-parallel computations, G. Melquiond (in collaboration with G. Nowak and P. Zimmermann) has computed enough digits of the Masser-Gramain constant to invalidate a 30-year old conjecture about its closed form .

This objective deals both with formal verification and floating-point arithmetic, which is quite uncommon. Therefore our competitors/peers are few. We may only cite the works by J. Duracz and M. Konečný, Aston University in Birmingham, UK.

The Inria team AriC (Grenoble - Rhône-Alpes) is closer to our research interests, but they are lacking manpower on the formal proof side; we have numerous collaborations with them. The Inria team Caramel (Nancy - Grand Est) also shares some research interests with us, though fewer; again, they do not work on the formal aspect of the verification; we have some occasional collaborations with them.

There are many formalization efforts from chip manufacturers, such as AMD (using the ACL2 proof assistant) and Intel (using the Forte proof assistants) but the algorithms they consider are quite different from the ones we study. The works on the topic of floating-point arithmetic from J. Harrison at Intel using HOL Light are really close to our research interests, but they seem to be discontinued.

A few deductive program verification teams are willing to extend their tools toward floating-point programs. This includes the KeY project and SPARK. We have an ongoing collaboration with the latter, in the context of the ProofInUSe project.

Deductive verification is not the only way to prove programs. Abstract interpretation is widely used, and several teams are interested in floating-point arithmetic. This includes the Inria team Antique (Paris - Rocquencourt) and a CEA List team, who have respectively developed the Astrée and Fluctuat tools. This approach targets a different class of numerical algorithms than the ones we are interested in.

Other people, especially from the SMT community (*cf*
objective 2), are also interested in automatically proving formulas
about floating-point numbers, notably at Oxford University. They are
mainly focusing on pure floating-point arithmetic though and do not
consider them as approximation of real numbers.

Finally, it can be noted that numerous teams are working on the verification of numerical programs, but assuming the computations are real rather than floating-point ones. This is out of the scope of this objective.

The application domains we target involve safety-critical software, that is where a high-level guarantee of soundness of functional execution of the software is wanted. Currently our industrial collaborations mainly belong to the domain of transportation, including aeronautics, railroad, space flight, automotive.

Transportation is the domain considered in the context of the ANR U3CAT project, led by CEA, in partnership with Airbus France, Dassault Aviation, Sagem Défense et Sécurité. It included proof of C programs via Frama-C/Jessie/Why, proof of floating-point programs , the use of the Alt-Ergo prover via CAVEAT tool (CEA) or Frama-C/WP. Within this context, we contributed to a qualification process of Alt-Ergo with Airbus industry: the technical documents (functional specifications and benchmark suite) have been accepted by Airbus, and these documents were submitted by Airbus to the certification authorities (DO-178B standard) in 2012. This action is continued in the new project Soprano.

Aeronautics is the main target of the Verasco project, led by Verimag, on the development of certified static analyzers, in partnership with Airbus. This is a follow-up of the transfer of the CompCert certified compiler (Inria team Gallium) to which we contributed to the support of floating-point computations .

The former FUI
project Hi-Lite, led by Adacore company, introduced the use of Why3
and Alt-Ergo as back-end to SPARK2014, an environment for
verification of Ada programs. This is applied to the domain of
aerospace (Thales, EADS Astrium). At the very beginning of that
project, Alt-Ergo was added in the Spark Pro toolset (predecessor of
SPARK2014), developed by Altran-Praxis: Alt-Ergo can be used by
customers as an alternate prover for automatically proving
verification conditions. Its usage is described in the new edition
of the Spark book *iFacts*.

In the current ANR project BWare, we investigate the use of Why3 and
Alt-Ergo as an alternative back-end for checking proof obligations
generated by *Atelier B*, whose main applications are
railroad-related
software

S. Conchon (with A. Mebsout
and F. Zaidi from VALS team at LRI) has a long-term collaboration
with S. Krstic and A. Goel (Intel Strategic Cad Labs in Hillsboro,
OR, USA) that aims in the development of the SMT-based model checker
Cubicle (http://

Apart from transportation, energy is naturally an application in particular with our long-term partner CEA, in the context of U3CAT and Soprano projects. We also indirectly target communications and data, in particular in contexts with a particular need for security or confidentiality: smart phones, Web applications, health records, electronic voting, etc. These are part of the applications of SPARK , including verification of security-related properties, including cryptographic algorithms. Also, our new AJACS project addresses issues related to security and privacy in web applications written in Javascript, also including correctness properties.

C. Paulin-Mohring received the award “Michel Monpetit – Institut National de Recherche en Informatique et en Automatique” of the French Academy of Sciences (http://

J.-C. Filliâtre and G. Melquiond received the
“Best team” award of the VerifyThis@ETAPS2015 verification
competition
(http://

The *Concours Castor informatique*
(http://

Automated theorem prover for software verification

Keywords: Software Verification - Automated theorem proving

Functional Description

Alt-Ergo is an automatic solver of formulas based on SMT technology. It is especially designed to prove mathematical formulas generated by program verification tools, such as Frama-C for C programs, or SPARK for Ada code. Initially developed in Toccata research team, Alt-Ergo's distribution and support are provided by OCamlPro since September 2013.

Participants: Sylvain Conchon, Évelyne Contejean, Mohamed Iguernelala, Stéphane Lescuyer and Alain Mebsout

Partner: OCamlPro

Contact: Sylvain Conchon

Interactive program verification using characteristic formulae

Keywords: Coq - Software Verification - Deductive program verification - Separation Logic

Functional Description

The CFML tool supports the verification of OCaml programs through interactive Coq proofs. CFML proofs establish the full functional correctness of the code with respect to a specification. They may also be used to formally establish bounds on the asymptotic complexity of the code. The tool is made of two parts: on the one hand, a characteristic formula generator implemented as an OCaml program that parses OCaml code and produces Coq formulae, and, on the other hand, a Coq library that provides notation and tactics for manipulating characteristic formulae interactively in Coq.

Contact: Arthur Charguéraud

Keywords: Proof - Certification - Formalisation

Functional Description

Coq provides both a dependently-typed functional programming language and a logical formalism, which, altogether, support the formalisation of mathematical theories and the specification and certification of properties of programs. Coq also provides a large and extensible set of automatic or semi-automatic proof methods. Coq's programs are extractible to OCaml, Haskell, Scheme, ...

Participants: Benjamin Grégoire, Enrico Tassi, Bruno Barras, Yves Bertot, Pierre Boutillier, Xavier Clerc, Pierre Courtieu, Maxime Denes, Stéphane Glondu, Vincent Gross, Hugo Herbelin, Pierre Letouzey, Assia Mahboubi, Julien Narboux, Jean-Marc Notin, Christine Paulin-Mohring, Pierre-Marie Pédrot, Loïc Pottier, Matthias Puech, Yann Régis-Gianas, François Ripault, Matthieu Sozeau, Arnaud Spiwack, Pierre-Yves Strub, Benjamin Werner, Guillaume Melquiond and Jean-Christophe Filliâtre

Partners: CNRS - Université Paris-Sud - ENS Lyon - Université Paris-Diderot

Contact: Hugo Herbelin

URL: http://

Interval package for Coq

Keywords: Interval arithmetic - Coq

Functional Description

CoqInterval is a library for the proof assistant Coq. CoqInterval provides a method for proving automatically the inequality of two expression of real values.

The Interval package provides several tactics for helping a Coq user to prove theorems on enclosures of real-valued expressions. The proofs are performed by an interval kernel which relies on a computable formalization of floating-point arithmetic in Coq.

The Marelle team developed a formalization of rigorous polynomial approximation using Taylor models inside the Coq proof assistant, with a special focus on genericity and efficiency for the computations. In 2014, this library has been included in CoqInterval.

Participants: Guillaume Melquiond, Érik Martin-Dorel, Nicolas Brisebarre, Miora Maria Joldes, Micaela Mayero, Jean-Michel Muller, Laurence Rideau and Laurent Théry

Contact: Guillaume Melquiond

The Coquelicot library for real analysis in Coq

Keywords: Coq - Real analysis

Functional Description

Coquelicot is library aimed for supporting real analysis in the Coq proof assistant. It is designed with three principles in mind. The first is the user-friendliness, achieved by implementing methods of automation, but also by avoiding dependent types in order to ease the stating and readability of theorems. This latter part was achieved by defining total function for basic operators, such as limits or integrals. The second principle is the comprehensiveness of the library. By experimenting on several applications, we ensured that the available theorems are enough to cover most cases. We also wanted to be able to extend our library towards more generic settings, such as complex analysis or Euclidean spaces. The third principle is for the Coquelicot library to be a conservative extension of the Coq standard library, so that it can be easily combined with existing developments based on the standard library.

Participants: Sylvie Boldo, Catherine Lelay and Guillaume Melquiond

Contact: Sylvie Boldo

The Cubicle model checker modulo theories

Keywords: Model Checking - Software Verification

Functional Description

Cubicle is an open source model checker for verifying safety properties of array-based systems, which corresponds to a syntactically restricted class of parametrized transition systems with states represented as arrays indexed by an arbitrary number of processes. Cache coherence protocols and mutual exclusion algorithms are typical examples of such systems.

Participants: Sylvain Conchon and Alain Mebsout

Contact: Sylvain Conchon

The Flocq library for formalizing floating-point arithmetic in Coq

Keywords: Floating-point - Arithmetic code - Coq

Functional Description

The Flocq library for the Coq proof assistant is a comprehensive formalization of floating-point arithmetic: core definitions, axiomatic and computational rounding operations, high-level properties. It provides a framework for developers to formally certify numerical applications.

Flocq is currently used by the CompCert certified compiler for its support of floating-point computations.

Participants: Guillaume Melquiond and Sylvie Boldo

Contact: Sylvie Boldo

The Gappa tool for automated proofs of arithmetic properties

Keywords: Floating-point - Arithmetic code - Software Verification - Constraint solving

Functional Description

Gappa is a tool intended to help verifying and formally proving properties on numerical programs dealing with floating-point or fixed-point arithmetic. It has been used to write robust floating-point filters for CGAL and it is used to certify elementary functions in CRlibm. While Gappa is intended to be used directly, it can also act as a backend prover for the Why3 software verification plateform or as an automatic tactic for the Coq proof assistant.

Contact: Guillaume Melquiond

The Why3 environment for deductive verification

Keywords: Formal methods - Trusted software - Software Verification - Deductive program verification

Functional Description

Why3 is an environment for deductive program verification. It provides a rich language for specification and programming, called WhyML, and relies on external theorem provers, both automated and interactive, to discharge verification conditions. Why3 comes with a standard library of logical theories (integer and real arithmetic, Boolean operations, sets and maps, etc.) and basic programming data structures (arrays, queues, hash tables, etc.). A user can write WhyML programs directly and get correct-by-construction OCaml programs through an automated extraction mechanism. WhyML is also used as an intermediate language for the verification of C, Java, or Ada programs.

Participants: Jean-Christophe Filliâtre, Claude Marché, Guillaume Melquiond, Andriy Paskevych, François Bobot, Martin Clochard and Levs Gondelmans

Partners: CNRS - Université Paris-Sud

Contact: Claude Marché

URL: http://

M. Clochard, J.-C. Filliâtre, and A. Paskevich proposed a novel method to prove the relative safety of operations over bounded integers in a large class of programs. Their approach consists of introducing dedicated abstract types for the bounded integers and restricting the set of allowed operations over these types in such a way that it is impossible to reach the bound during a realistic execution of the program: for example, it would take several hundred years to overflow a 64-bit integer. This technique is aimed at integer variables that serve essentially as counters or size measures. It can be used alongside the traditional methods of proving the absence of overflows for other integer values in the same program. The proposed approach is implemented in Why3 and was presented at VSTTE 2015 .

J.-C. Filliâtre and M. Pereira proposed a new way to specify the behavior of a cursor data structure, with the objective of being able to verify both the implementation of a cursor and its use by client code. The approach is modular, which means that a program using a cursor can be verified independently of the way the cursor is implemented. An experimental evaluation has been conducted with Why3, with several implementations and client codes being verified. This work will be presented at JFLA 2016 .

D. Hauzar and C. Marché worked on counterexample generation from failed proof attempts. They designed a new approach for generating potential counterexamples in the deductive verification setting, and implemented in Why3. When the logic goal generated for a given verification condition is not shown unsatisfiable by an SMT solvers, some solver can propose a model. By carefully reverting the transformation chain (from an input program through the VC generator and the various translation steps to solvers), this model is turned into a potential counterexample that the user can exploit to analyze why its original code is not proved. The approach is implemented in the chain from Ada programs through SPARK, Why3, and SMT solvers CVC4 and Z3. This implementation is robust enough to be distributed in the next release Pro 16 of SPARK. A research report on this subject will appear in January 2016.

A. Charguéraud and F. Pottier (Inria Paris-Rocquencourt) obtained new
results in the machine-checked verification of asymptotic
complexity bounds, in addition to program correctness properties.
Verifying the time usage of a program is very important, because
otherwise a program might be proved to be functionally correct but
may appear to run into an infinite loop for particular input data.
More specifically, A. Charguéraud and F. Pottier
started from the extension of CFML with
*time credits* (encoding of time resources in Separation Logic),
developed last year by A. Charguéraud, and they used it to formally
produce a machine-checked proof of the correctness and time complexity of a
Union-Find data structure, implemented as an OCaml module. They thereby
demonstrate that the approach scales up to difficult complexity
analyses, and applies to actual executable code
(as opposed to pseudo-code). This work
was presented at ITP 2015 .
Furthermore, A. Charguéraud and F. Pottier co-advised
the M2 internship of Armaël Guéneau, who extended the time credits
approach so as to allow working conveniently with the big-

A. Charguéraud described a method for reasoning about mutable data structures that own their elements. In Separation Logic, representation predicates describe the ownership of a mutable data structure, by establishing a relationship between the entry point of the structure, the piece of heap over which this structure spans, and the logical model associated with the structure. When a data structure is polymorphic, such as in the case of a container, its representation predicate needs to be parameterized not just by the type of the items stored in the structure, but also by the representation predicates associated with these items. Such higher-order representation predicates can be used in particular to control whether containers should own their items. A. Charguéraud wrote a paper describing, through a collection of practical examples, solutions to the challenges associated with reasoning about accesses into data structures that own their elements. This paper will appear at CPP 2016 .

C. Dross, A. Paskevich, J. Kanig and S. Conchon published a journal paper about integration of first-order axiomatizations with triggers as decision procedures in an SMT solver. This work extends a part of C. Dross PhD thesis . A formal semantics of the notion of trigger is presented, with a general setting to show how a first-order axiomatization with triggers can be proved correct, complete, and terminating. An extended DPLL(T) algorithm can then integrate such an axiomatization with triggers, as a decision procedure for the theory it defines.

M. Clochard and L. Gondelman developed a formalization of a
simple compiler in *Why3*. It compiles a simple imperative language
into assembler instructions for a stack machine. This case study
was inspired by a similar example developed using Coq and
interactive theorem proving. The aim is to improve significantly
the degree of automation in the proofs. This is achieved by the
formalization of a Hoare logic and a Weakest Precondition Calculus
on assembly programs, so that the correctness of
compilation is seen as a formal specification of the assembly
instructions generated. This work was presented at the JFLA
conference in 2015 .

S. Boldo, C. Lelay, and G. Melquiond worked on the Coquelicot
library, designed to be a user-friendly Coq library about real
analysis. An easier way of writing formulas and theorem statements
is achieved by relying on total functions in place of dependent
types for limits, derivatives, integrals, power series, and so on.
To help with the proof process, the library comes with a
comprehensive set of theorems and some automation. We have exercised
the library on several use cases: in an exam at university entry
level, for the definitions and properties of Bessel functions, and
for the solution of the one-dimensional wave equation.
These results are published in the journal
*Mathematics in Computer Science*
.

C. Lelay developed a new formalization of convergence with a focus on usability and genericity for the Coquelicot library. This formalization covers various parts of analysis: sequences, real functions, complex functions, vector functions, and so on. This work was presented at the 7th Coq Workshop .

C. Paulin wrote a gentle introduction to the Calculus of Inductive Construction, the formalism on which the Coq proof assistant is based , discussing both theoretical and pragmatic aspects of the design.

É. Martin-Dorel and G. Melquiond worked on integrating the
CoqInterval and CoqApprox libraries into a single package. The
CoqApprox library is dedicated to computing verified Taylor models of
univariate functions so as to compute approximation errors. The
CoqInterval library reuses this work to automatically prove bounds on
real-valued expressions. A large formalization effort took place during
this work, so as to get rid of all the holes remaining in the formal
proofs of CoqInterval. It was also the chance to perform a comparison
between numerous decision procedures dedicated to proving nonlinear
inequalities involving elementary functions. This work has been
published in the *Journal of Automated Reasoning*
.

S. Boldo and G. Melquiond, with J.-H. Jourdan and X. Leroy
(Gallium team, Inria Paris - Rocquencourt) extended the CompCert
compiler to get the first formally verified C compiler that provably
preserves the semantics of floating-point programs
This work, published in the *Journal of Automated Reasoning*
,
also covers the formalization of numerous algorithms of
conversion between integers and floating-point numbers.

S. Boldo worked on the fact that

S. Boldo worked on programs computing the average of two
floating-point numbers. As we want to take exceptional behaviors
into account, we cannot use the naive formula
`(x+y)/2`. Based on hints given by Sterbenz, she first wrote
an accurate program and formally proved its properties. She also
developed and formally proved a new algorithm that computes the
correct rounding of the average of two floating-point numbers
. This was published at the 17th
International Conference on Formal Engineering Methods.

P. Roux formalized a theory of numerical analysis for bounding the
round-off errors of a floating-point algorithm. This approach was
applied to the formal verification of a program for checking that a
matrix is semi-definite positive. The challenge here is that testing
semi-definiteness involves algebraic number computations, yet it needs
to be implemented using only approximate floating-point
operations. This work has been published in the *Journal of
Automated Reasoning* .

C. Lelay and G. Melquiond worked on formalizing in Coq a numerical domain for the Verasco abstract interpreter built upon the CompCert verified compiler. This abstract domain is a relational domain based on affine forms (zonotopes). It is meant to help verifying floating-point programs and it is expected to perform faster (but less accurately) than a more generic domain based on polyhedrons.

A. Charguéraud worked together with Umut Acar, Mike Rainey,
and Filip Sieczkowski,
as part of the ERC project *DeepSea*, on the development of
efficient data structures and algorithms targeting modern,
shared memory multicore architectures. A. Charguéraud was
involved in two major results obtained this year.

The first result is the development of fast and robust parallel graph traversal algorithms based on depth-first-search. This algorithm leverages a new sequence data structure for representing the set of edges remaining to be visited. This sequence itself builds on prior work on bootstrapped chunked sequences . In particular, the edge sequence structure uses a balanced split operation for partitioning the edges of a graph among the several processors involved in the computation. Compared with prior work, the new algorithm is designed and proved to be efficient not just for particular classes of graphs, but for all input graphs. This work has been published in the ACM/IEEE Conference on High Performance Computing (SC) .

Another result by A. Charguéraud and his co-authors is the
development of a calculus for parallel computing on
shared memory computers. Many languages for
writing parallel programs have been developed. These languages offer
several different abstractions for parallelism, such as fork-join,
async-finish, futures, etc. While they may seem similar, these
abstractions lead to different semantics, language design and
implementation decisions. In this work, we consider the question of
whether it would be possible to unify different approaches to
parallelism. To this end, we propose a calculus, called
*DAG-calculus* that can encode existing approaches to parallelism
based on fork-join, async-finish, and futures paradigms and possibly
others. We have shown that the approach is realistic by presenting an
implementation in C++ and by performing an empirical evaluation.
This work has been submitted for publication.

A. Charguéraud developed a patch to the OCaml compiler for improving type error messages, in particular to make the language more accessible to beginners. The problem of improving type error messages in ML has received quite a bit of attention over the past two decades, and many different strategies have been considered. The challenge is not only to produce error messages that are both sufficiently concise and systematically useful to the programmer, but also to handle a full-blown programming language and to cope with large-sized programs efficiently. A. Charguéraud's novel approach consists of a slight modification to the traditional ML type inference algorithm implemented in OCaml that, by significantly reducing the left-to-right bias, produces error messages that are more helpful to the programmer. This work was published this year in the journal Electronic Proceedings in Theoretical Computer Science .

ProofInUse is a joint project between the Toccata team and the
SME AdaCore. It was selected and funded by the ANR programme
“Laboratoires communs”, starting from April 2014, for 3 years
http://

The SME AdaCore is a software publisher specializing in providing
software development tools for critical systems. A previous
successful collaboration between Toccata and AdaCore enabled
*Why3* technology to be put into the heart of the
AdaCore-developed SPARK technology.

The goal is now to promote and transfer the use of deduction-based verification tools to industry users, who develop critical software using the programming language Ada. The proof tools are aimed at replacing or complementing the existing test activities, whilst reducing costs.

ELFIC is a working group of the Digicosme Labex. S. Boldo is the principal investigator. It began in 2014 for one year and was extended for one year.

The ELFIC project focuses on proving the correctness of the FELiScE (Finite Elements for Life Sciences and Engineering) C++ library which implements the finite element method for approximating solutions to partial differential equations. Finite elements are at the core of numerous simulation programs used in industry. The formal verification of this library will greatly increase confidence in all the programs that rely on it. Verification methods developed in this project will be a breakthrough for the finite element method, but more generally for the reliability of critical software relying on intricate numerical algorithms.

Partners: Inria team Pomdapi; Ecole Polytechnique, LIX; CEA LIST; Université Paris 13, LIPN; UTC, LMAC (Compiègne).

The CoLiS research project is funded by the programme “Société de
l'information et de la communication” of the ANR, for a period of
48 months, starting on October 1st,
2015. http://

The project aims at developing formal analysis and verification techniques and tools for scripts. These scripts are written in the POSIX or bash shell language. Our objective is to produce, at the end of the project, formal methods and tools allowing to analyze, test, and validate scripts. For this, the project will develop techniques and tools based on deductive verification and tree transducers stemming from the domain of XML documents.

Partners: Université Paris-Diderot, IRIF laboratory (formerly PPS & LIAFA), coordinator ; Inria Lille, team LINKS

The Vocal research project is funded by the programme “Société de l'information et de la communication” of the ANR, for a period of 48 months, starting on October 1st, 2015.

The goal of the Vocal project is to develop the first formally verified library of efficient general-purpose data structures and algorithms. It targets the OCaml programming language, which allows for fairly efficient code and offers a simple programming model that eases reasoning about programs. The library will be readily available to implementers of safety-critical OCaml programs, such as Coq, Astrée, or Frama-C. It will provide the essential building blocks needed to significantly decrease the cost of developing safe software. The project intends to combine the strengths of three verification tools, namely Coq, Why3, and CFML. It will use Coq to obtain a common mathematical foundation for program specifications, as well as to verify purely functional components. It will use Why3 to verify a broad range of imperative programs with a high degree of proof automation. Finally, it will use CFML for formal reasoning about effectful higher-order functions and data structures making use of pointers and sharing.

Partners: team Gallium (Inria Paris-Rocquencourt), team DCS (Verimag), TrustInSoft, and OCamlPro.

The AJACS research project is funded by the programme “Société de l'information et de la communication” of the ANR, for a period of 42 months, starting on October 1st, 2014.

The goal of the AJACS project is to provide strong security and privacy guarantees on the client side for web application scripts implemented in JavaScript, the most widely used language for the Web. The proposal is to prove correct analyses for JavaScript programs, in particular information flow analyses that guarantee no secret information is leaked to malicious parties. The definition of sub-languages of JavaScript, with certified compilation techniques targeting them, will allow deriving more precise analyses. Another aspect of the proposal is the design and certification of security and privacy enforcement mechanisms for web applications, including the APIs used to program real-world applications. On the Toccata side, the focus will be on the formalization of secure subsets of JavaScript, and on the mechanization of proofs of translations from high-level languages into JavaScript.

Partners: team Celtique (Inria Rennes - Bretagne Atlantique), team Prosecco (Inria Paris - Rocquencourt), team Indes (Inria Sophia Antipolis - Méditerranée), and Imperial College (London).

This is a research project funded by the programme “Ingénierie
Numérique & Sécurité” of the ANR. It is funded for a period of
48 months and it has started on October 1st,
2014. http://

Our aim is to develop computer-aided proofs of numerical values, with certified and reasonably tight error bounds, without sacrificing efficiency. Applications to zero-finding, numerical quadrature or global optimization can all benefit from using our results as building blocks. We expect our work to initiate a "fast and reliable" trend in the symbolic-numeric community. This will be achieved by developing interactions between our fields, designing and implementing prototype libraries and applying our results to concrete problems originating in optimal control theory.

Partners: team ARIC (Inria Grenoble Rhône-Alpes), team MARELLE (Inria Sophia Antipolis - Méditerranée), team SPECFUN (Inria Saclay - Île-de-France), Université Paris 6, and LAAS (Toulouse).

The Soprano research project is funded by the programme “Sciences et technologies logicielles” of the ANR, for a period of 42 months, starting on October 1st, 2014.

The SOPRANO project aims at preparing the next generation of verification-oriented solvers by gathering experts from academia and industry. We will design a new framework for the cooperation of solvers, focused on model generation and borrowing principles from SMT (current standard) and CP (well-known in optimization). Our main scientific and technical objectives are the following. The first objective is to design a new collaboration framework for solvers, centered around synthesis rather than satisfiability and allowing cooperation beyond that of Nelson-Oppen while still providing minimal interfaces with theoretical guarantees. The second objective is to design new decision procedures for industry-relevant and hard-to-solve theories. The third objective is to implement these results in a new open-source platform. The fourth objective is to ensure industrial-adequacy of the techniques and tools developed through periodical evaluations from the industrial partners.

Partners: team DIVERSE (Inria Rennes - Bretagne Atlantique), Adacore, CEA List, Université Paris-Sud, and OCamlPro.

The CAFEIN research project is funded by the programme “Ingénierie
Numérique & Sécurité” of the ANR, for a period
of 3 years, starting on February 1st, 2013.
https://

This project addresses the formal verification of functional properties at specification level, for safety critical reactive systems. In particular, we focus on command and control systems interacting with a physical environment, specified using the synchronous language Lustre.

A first goal of the project is to improve the level of automation of formal verification, by adapting and combining existing verification techniques such as SMT-based temporal induction, and abstract interpretation for invariant discovery. A second goal is to study how knowledge of the mathematical theory of hybrid command and control systems can help the analysis at the controller's specification level. Third, the project addresses the issue of implementing real valued specifications in Lustre using floating-point arithmetic.

Partners: ONERA, CEA List, ENSTA, teams Maxplus (Inria Saclay - Île-de-France), team Parkas (Inria Paris - Rocquencourt), Perpignan University, Prover Technology, Rockwell Collins.

The BWare research project is funded by the programme “Ingénierie
Numérique & Sécurité” of the ANR, a period of 4
years, starting on September 1st, 2012. http://

BWare is an industrial research project that aims to provide a mechanized framework to support the automated verification of proof obligations coming from the development of industrial applications using the B method and requiring high guarantee of confidence. The methodology used in this project consists of building a generic platform of verification relying on different theorem provers, such as first-order provers and SMT solvers. The variety of these theorem provers aims at allowing a wide panel of proof obligations to be automatically verified by the platform. The major part of the verification tools used in BWare have already been involved in some experiments, which have consisted in verifying proof obligations or proof rules coming from industrial applications . This therefore should be a driving factor to reduce the risks of the project, which can then focus on the design of several extensions of the verification tools to deal with a larger amount of proof obligations.

The partners are: Cedric laboratory at CNAM (CPR Team, project
leader); teams Gallium and Deducteam (Inria Paris - Rocquencourt) ;
Mitsubishi Electric R&D Centre Europe, ClearSy (the company which
develops and maintains *Atelier B*), and the start-up OCamlPro.

The Versaco research project is funded by the programme “Ingénierie
Numérique & Sécurité” of the ANR, for a period of 4
years and a half, starting on January 1st, 2012. Project website:
http://

The main goal of the project is to investigate the formal verification
of static analyzers and of compilers, two families of tools that play a
crucial role in the development and validation of critical embedded
software. More precisely, the project aims at developing a generic
static analyzer based on abstract interpretation for the C language,
along with a number of advanced abstract domains and domain combination
operators, and prove the soundness of this analyzer using the *Coq*
proof assistant. Likewise, the project keeps working on the CompCert C
formally-verified compiler, the first realistic C compiler that has
been mechanically proved to be free of miscompilation, and carry it to
the point where it could be used in the critical software industry.

Partners: teams Gallium and Abstraction (Inria Paris - Rocquencourt), Airbus avionics and simulation (Toulouse), IRISA (Rennes), Verimag (Grenoble).

Project acronym: ERC Deepsea

Project title: Parallel dynamic computations

Duration: Jun. 2013 - Jun. 2018

Coordinator: Umut A. Acar

Other partners: Carnegie Mellon University

Abstract:

The objective of this project is to develop abstractions, algorithms and languages
for parallelism and dynamic parallelism with applications to problems
on large data sets.
Umut A. Acar (affiliated to Carnegie Mellon University and Inria Paris - Rocquencourt)
is the principal investigator of this ERC-funded project.
The other main researchers involved are
Mike Rainey (Inria, Gallium team), who is full-time on the project,
and Arthur Charguéraud (Inria, Toccata team), who works
40% of his time to the project.
Project website: http://

Imperial College London (UK)

Certification of JavaScript, AJACS project

Andrew Tolmach, from Portland State University, visited the team as a one-year Digiteo Chair, in collaboration with other groups in the Paris area (LRI/Univ. Paris-Sud, LIX/Polytechnique, Inria Saclay and Rocquencourt). The project is to initiate a new research effort to develop principles, techniques, and tools for large-scale proof engineering. It is focused on the Coq proof assistant and is designed to take advantage of the deep pool of expertise available in the Paris area concerning both the use and the development of Coq. Initial results include: a precise description of requirements for large proof management; sample prototype tools addressing one or more of these requirements; and a technical survey of relevant proof representation options .

S. Conchon is the program committee co-Chair of ICFEM 2015
(CNAM, Paris, 3-6 November 2015). http://

A. Charguéraud is the organizer of the 2nd
International Workshop on Coq for Programming Languages, co-located with POPL, January 23rd 2016.
http://

A. Paskevich is the co-organizer of the 4th international workshop on Proof eXchange for Theorem Proving (PxTP 2015), affiliated with CADE-25 (August 2-3, 2015, Berlin, Germany).

S. Boldo and G. Melquiond are members of the organizing committee for the 22nd IEEE Symposium on Computer Arithmetic (ARITH 2015), held in Lyon in June 2015.

G. Melquiond is a member of the organizing committee for the 23rd IEEE Symposium on Computer Arithmetic (ARITH 23), held in Santa Clara, CA, USA in July 2016.

S. Conchon is a member of the organizing committee for ICFEM
2015,CNAM, Paris, 3-6 November 2015.
http://

S. Conchon is local chair for the 44th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL 2017), held in Paris, France in January 2017.

A. Charguéraud is program chair for the 2nd International Workshop on Coq for Programming Languages, co-located with POPL, January 23rd 2016.
http://

A. Paskevich is the co-chair of the 4th international workshop on Proof eXchange for Theorem Proving (PxTP 2015), affiliated with CADE-25 (August 2-3, 2015, Berlin, Germany).

S. Boldo is a member of the program committee of the 26th Journées Francophones des Langages Applicatifs (JFLA 2015).

S. Boldo is a member of the program committee of the 8th International Workshop on Numerical Software Verification (NSV-8).

S. Boldo is a member of the program committee of the 22nd IEEE Symposium on Computer Arithmetic (ARITH 2015).

S. Boldo is a member of the program committee of the 27th Journées Francophones des Langages Applicatifs (JFLA 2016).

S. Boldo is a member of the program committee of the 23rd IEEE Symposium on Computer Arithmetic (ARITH 2016).

A. Charguéraud is a member of the program committee
for the 25th European Symposium on Programming (ESOP), to be held in April 2016,
http://

A. Paskevich is a member of the program committee of the 20th International Symposium on Formal Methods (FM 2015).

C. Paulin is a member of the program committee of the 4th ACM-SIGPLAN Conference on Certified Programs and Proofs (CPP 2015, colocated with POPL 2015).

C. Paulin is a member of the program committee of the conference on Mathematics of Program Construction (MPC 2015).

C. Paulin is a member of the program committee of the 21st International Conference on Types for Proofs and Programs (Types 2015).

C. Paulin is a member of the program committee of the 20th International Conferences on Logic for Programming, Artificial Intelligence and Reasoning (LPAR-20).

C. Paulin is a member of the program committee of the 31st Annual ACM/IEEE Symposium on Logic in Computer Science (LICS 2016).

C. Paulin is a member of the program committee of the 7th International Conference on Interactive Theorem Proving (ITP 2016).

The members of the Toccata team have reviewed papers for numerous international conferences.

G. Melquiond is a member of the editorial board of
*Reliable Computing*.

S. Boldo is member of the editorial committee of the popular science web site “)i(”:

S. Boldo is member of the editorial board of Binaire
http://

J.-C. Filliâtre is member of the editorial board of the
*Journal of Functional Programming*.

C. Paulin is member of the editorial board of the *Journal of Formalized Reasoning*.

The members of the Toccata team have reviewed numerous papers for numerous international journals.

S. Boldo was speaker in a panel at the 2015 congress of the French Computer Science Society, on February 4th in Orléans. The panel was about stereotypes and academic orientation of girls.

S. Boldo gave a talk at the French-Japanese Workshop on Numerical Computations in Paris, on March 25th.

S. Boldo gave several invited talks in French laboratories: for the Deducteam team (Inria Paris - Rocquencourt) on March 27th, for the Pequan team (UPMC, Paris) on November 30th, at the Digicosme Research Days on March 23rd.

A. Charguéraud was invited to teach at the
Spring School in Theoretical Computer Science, entitled
“Mechanizing proofs of programs”, June 26th,
http://

C. Marché, “An History of Frama-C”, Frama-C Day, CEA LIST,
March 13th, 2015, http://

G. Melquiond, “Formal verification of a floating-point elementary
function”, ARITH 22 tutorials, June 25th, 2015,
http://

C. Paulin gave a talk “Langages and systems for interactive proofs” at Collège de France as part of the seminar "Proving programs : why, when and how ?" organised by Gérard Berry http://

C. Paulin was invited by FRAE (Fondation de Recherche pour l'Aéronautique et l'Espace, http://

C. Paulin was invited to give a presentation at the Ecole Jeunes Chercheurs Informatique Mathématique (EJCIM 2015, http://

C. Paulin, scientific leader of Labex
DigiCosme http://

É. Contejean, leader of the VALS team of LRI since February 2014.

S. Boldo, member of the reviewing board for the ANR (first and second step in 2015, first step in 2016).

S. Boldo, member of the 2015 committee for the Gilles Kahn PhD award of the French Computer Science Society.

S. Conchon and A. Paskevich, members of the *“commission
consultative de spécialistes de l'université”*, Section 27,
University Paris-Sud since December 2014.

É. Contejean, elected member of the *“section 6 du
Comité National de la Recherche Scientifique”* since September
2012.

C. Marché, member of the *“jury de
l'agrégation externe de mathématiques”* as expert in
computer science, since 2012.

C. Marché, president of the evaluation committee of the joint
Digiteo-DigiCosme call for projects
https://

C. Marché, A. Paskevich, reviewer for the ANR (second step in 2015).

S. Boldo, member of the CCD, *commission consultative des
doctorants*.

S. Boldo, member of the CLFP, *comité local de formation
permanente*.

S. Boldo, scientific head for Saclay for the MECSI group for networking about computer science popularization inside Inria.

A. Charguéraud is vice-president of *France-ioi*, a
non-profit organization in charge of the selection and the training
of the French team to the International Olympiads in
Informatics (IOI). France-ioi also provides online exercises in
programming and algorithmics—in average, over 70,000 such
exercises are solved every month on the website.

A. Charguéraud is a board
member of the non-profit organization *Animath*, which aims at
developing interest in mathematics among young students.

A. Charguéraud and G. Melquiond are members of the
committee for the monitoring of PhD students (*“commission de
suivi des doctorants”*).

J.-C. Filliâtre is *correcteur au concours d'entrée à
l'École Polytechnique et aux ENS* (computer science examiner for the
entrance exam at École Polytechnique and Écoles Normales
Supérieures) since 2008.

C. Marché, director of the ProofInUse Joint Laboratory between
Inria and AdaCore, http://

C. Paulin, member of the *“commission
consultative de spécialistes de l'université”*, Section 27,
University Paris-Sud since April 2010.
C. Paulin is the president of this committee since December 2014.

G. Melquiond, elected officer of the IEEE-1788 standardization committee on interval arithmetic since 2008.

C. Paulin, chaired the hiring committee for a professor position in computer science at Université Paris-Sud.

J.-C. Filliâtre, member of the board of GDR GPL, since January 2016.

Master Parisien de Recherche en Informatique (MPRI)
https://

Master: Fondements de l'informatique et ingénierie du logiciel (FIIL)
https://

Licence: “Mathématiques pour l'informatique 2” (L2), C. Paulin (50h), Université Paris-Sud, France.

Licence: “Logique pour l'informatique” (L3), C. Paulin (54h), Université Paris-Sud, France.

Master: “Logique pour l'option informatique à l'agrégation” (M2), C. Paulin (21h), ENS Cachan, France.

Licence: “Programmation fonctionnelle avancée” (L3), S. Conchon (30h), Université Paris-Sud, France.

Licence: “Introduction à la programmation fonctionnelle” (L2), S. Conchon (10h), Université Paris-Sud, France.

Master: “Compilation et langages” (M1), S. Conchon (45h), Université Paris-Sud, France.

Master: “Software Model Checking” (M2), S. Conchon (10h), Université Paris-Sud, France.

Licence: “Langages de programmation et compilation” (L3), J.-C. Filliâtre (26h), École Normale Supérieure, France.

Licence: “INF411: Les bases de l'algorithmique et de la programmation” (L3), J.-C. Filliâtre (16h), École Polytechnique, France.

DUT (Diplôme Universitaire de Technologie): M1101 “Introduction aux systèmes informatiques” (S1), A. Paskevich (36h), M3101 “Principes des systèmes d'exploitation” (S3), A. Paskevich (58.5h), IUT d'Orsay, Université Paris-Sud, France.

S. Conchon supervised the M2 internship of Mattias Roux, who developed a new reachability algorithm for the Cubicle Model Checker.

A. Charguéraud supervised, with F. Pottier (Inria Paris) the M2 internship of Armaël Guéneau, who developed a formalization in Coq of the big-O notation, and put it to practice to establish big-O asymptotic bounds in CFML, in particular for a sequence data structure with logarithmic-time random access operations.

C. Paulin supervised with F. Hivert (LRI) the magistère of Mathematics internship of Olivier Stietel, who developed a proof in Coq of a result in combinatorics (a result of Frame, Robinson and Thrall counting the number of Young tableaux of a given shape) using a probabilistic method.

PhD: C. Lelay, “Repenser la bibliothèque réelle de Coq : vers une formalisation de l'analyse classique mieux adaptée”, Université Paris-Sud, June 15th 2015, supervised by S. Boldo and G. Melquiond .

PhD in progress: S. Dumbrava, “Towards data certification”, since Oct. 2012, supervised by V. Benzaken (LRI) and É. Contejean.

PhD in progress: L. Gondelmans, “Obtention de programmes corrects par raffinement dans un langage de haut niveau”, since Oct. 2013, supervised by J.-C. Filliâtre and A. Paskevich.

PhD in progress: M. Clochard, “A unique language for developing programs and prove them at the same time”, since Oct. 2013, supervised by C. Marché and A. Paskevich.

PhD in progress: D. Declerck, “Vérification par des techniques de test et model checking de programmes C11”, since Sep. 2014, supervised by F. Zaïdi (LRI) and S. Conchon.

PhD in progress: M. Roux, “Model Checking de systèmes paramétrés et temporisés”, since Sep. 2015, supervised by Sylvain Conchon.

PhD in progress: M. Pereira, “A Verified Graph Library. Tools and techniques for the verification of modular higher-order programs, with extraction”, since May 2015, supervised by J.-C. Filliâtre.

PhD in progress: A. Coquereau, “[ErgoFast] Amélioration de performances pour le solveur SMT Alt-Ergo : conception d'outils d'analyse, optimisations et structures de données efficaces pour OCaml”, since Sep. 2015, supervised by Sylvain Conchon, Fabrice Le Fessant et Michel Mauny.

S. Boldo: reviewer, PhD committee of O. Kupriianova, “Towards a Modern Floating-Point Environment”, Université Pierre et Marie Curie, France, December 2015.

A. Charguéraud: examiner, PhD committee of Lidia Sánchez Gil, “On the equivalence of operational and denotational semantics for parallel functional languages”, Universidad Complutense de Madrid, July 2015.

C. Marché: reviewer, PhD committee of A. Dieumegard, “Formal Guarantees for Safety Critical Code Generation: The Case of Highly Variable Languages”, Université Toulouse 3 Paul Sabatier, France, January 2015.

C. Marché: external reviewer of the PhD memoir of D. Larraz, “Automatic Program Analysis using Max-SMT”, Universitat Politecnica de Catalunya, Barcelona, Spain, April 2015.

C. Marché: president of the PhD committee of A. David, “Vers la synthèse de systèmes ouverts : tableaux pour les logiques temporelles multi-agents”, Université Évry Val d'Essonne, Évry, France, September 2015.

C. Marché: examiner, PhD committee of Z. Chihani, “Certification of First-order proofs in classical and intuitionistic logics”, École Polytechnique, Palaiseau, France, November 2015.

A. Charguéraud and S. Boldo contributed to the preparation of
the exercises of the *Concours Castor informatique*
http://*CM1* to *Terminale*)
to computer sciences. More than 345,000 teenagers played with the
interactive exercises in November 2015.

C. Marché, together with J. Kanig from AdaCore company, wrote an article in the ERCIM news journal to advertise on the work done in the ProofInUse joint laboratory for the popularization of formal methods in the development of safety-critical Ada programs.

S. Boldo, with T. Vieville (Mnemosyne team, Inria Bordeaux -
Sud-Ouest), F. Masseglia (Zenith team, Inria Sophia Antipolis -
Méditerranée and P. Bernhard (INRA) wrote a text about the
TIPE 2016 (personal work before the competitive entrance in
engineering schools). The topic was “Structures: organization,
complexity, dynamic”. This was published on the popularization
website http://

S. Boldo co-organized popularization talks for the administrative staff of Inria Saclay - Île-de-France. She gave a talk on January 29th about a scientific article and led a coding session (with Scratch) on February 12th with A. Imperiale (M3DISIM team).

S. Boldo co-organized the coming of teenagers from the collège Flemming in Orsay to the laboratory on May 28th and gave talks to several groups all day long.

S. Boldo co-organized the Inria Saclay - Île-de-France
*Fête de la science*. She created two stands (about
programming) and run one on October 9th.

S. Boldo gave a talk to the winners of the Mathematics Olympiads on June 10th in Rocquencourt.

S. Boldo gave a talk at the “Girls can code” week on August 27th, in Paris.

S. Boldo gave a talk to high school teenagers in Angers on October 12th.

S. Boldo gave a talk to “Classes Préparatoires” at l'Essouriau, Les Ulis on September 24th.

S. Boldo gave a talk at “Futur en Seine” a popularization festival in Paris and Paris area, in Orsay, on June 18th.

C. Paulin together with I. Glas from labex DigiCosme is
proposing an introduction to computer science (various activities
on programming, data representation, algorithms during 6 sessions
of 1 hour) as an extracurricular activity in schools for pupils in
*CM1-CM2*.

C. Paulin organised in 2015 the third edition of the Concours ISN of the Labex DigiCosme, supported by the Rectorat de l'Académie de Versailles. Selected projects developed by the high school pupils (Terminale) as part of their curricula in Computer Science are submitted to this contest. The best projects are selected and presented during a general event.

C. Paulin, I. Glas, and A. Paskevich run a stand (introduction to information technologies and programming) during the “Fête de la science” Île-de-France on October 9 and 10.