Section: New Results
Automated Reasoning
 A Why3 Framework for Reflection Proofs and its Application to GMP's Algorithms

Earlier works using Why3 showed that automatically verifying the algorithms of the arbitraryprecision integer library GMP exceeds the current capabilities of automatic solvers. To complete this verification, numerous cut indications had to be supplied by the user, slowing the project to a crawl. G. Melquiond and R. RieuHelf extended Why3 with a framework for proofs by reflection, with minimal impact on the trusted computing base. This framework makes it easy to write dedicated decision procedures that make full use of Why3's imperative features and are formally verified. This approach opens the way to efficiently tackling the further verification of GMP's algorithms [20], [27].
 Expressive and extensible automated reasoning tactics for Coq

Proof assistants based on Type Theory, such as Coq, allow implementing effective automatic tactics based on computational reasoning (e.g. lia for linear integer arithmetic, or ring for ring theory). Unfortunately, these are usually limited to one particular domain. In contrast, SMTCoq is a modular and extensible tool, using external provers, which generalizes these computational approaches to combine multiple theories. It relies on a highlevel interface, which offers a greater expressiveness, at the cost of more complex automation. Q. Garchery, in collaboration with C. Keller and V .Blot, designed two improvements to increase expressiveness of SMTCoq without impeding its modularity and its efficiency: the first adds some support for universally quantified hypotheses, while the second generalizes the support for integer arithmetic to the different representations of natural numbers and integers in Coq. This work will be presented in the next JFLA [30]
 Nonlinear Arithmetic Reasoning for ControlCommand Software

Stateoftheart (semi)decision procedures for nonlinear real arithmetic address polynomial inequalities by mean of symbolic methods, such as quantifier elimination, or numerical approaches such as interval arithmetic. Although (some of) these methods offer nice completeness properties, their high complexity remains a limit, despite the impressive efficiency of modern implementations. This appears to be an obstacle to the use of SMT solvers when verifying, for instance, functional properties of controlcommand programs. Using offtheshelf convex optimization solvers is known to constitute an appealing alternative. However, these solvers only deliver approximate solutions, which means they do not readily provide the soundness expected for applications such as software verification. S. Conchon, together with P. Roux and M. Iguernelala [21], investigated aposteriori validation methods and their integration in the SMT framework. Although their early prototype, implemented in the AltErgo SMT solver, often does not prove competitive with state of the art solvers, it already gives some interesting results, particularly on controlcommand programs.
 Lightweight Interactive Proving for Automated Program Verification

Deductive verification approach allows establishing the strongest possible formal guarantees on critical software. The downside is the cost in terms of human effort required to design adequate formal specifications and to successfully discharge the required proof obligations. To popularize deductive verification in an industrial software development environment, it is essential to provide means to progressively transition from simple and automated approaches to deductive verification. The SPARK environment, for development of critical software written in Ada, goes towards this goal by providing automated tools for formally proving that some code fulfills the requirements expressed in Ada contracts.
In a program verifier that makes use of automatic provers to discharge the proof obligations, a need for some additional user interaction with proof tasks shows up: either to help analyzing the reason of a proof failure or, ultimately, to discharge the verification conditions that are outofreach of stateoftheart automatic provers. Adding interactive proof features in SPARK appears to be complicated by the fact that the proof toolchain makes use of the independent, intermediate verification tool Why3, which is generic enough to accept multiple frontends for different input languages. S. Dailler, C. Marché and Y. Moy proposed an approach to extend Why3 with interactive proof features and also with a generic clientserver infrastructure allowing integration of proof interaction into an external, frontend graphical user interface such as the one of SPARK. This was presented at the FIDE symposium [18].