The *Toccata* team (http://

The general objective of the Toccata project is to promote formal
specification and computer-assisted proof in the development of
software that requires high assurance in terms of safety and
correctness with respect to its intended behavior.
Such safety-critical software appears in many application domains like
transportation (e.g., aviation, aerospace, railway, and more and more in cars),
communication (e.g., internet, smartphones), health devices, etc. The
number of tasks performed by software is growing quickly, together
with the number of lines of code involved. Given the demand for high
assurance of safety in the functional behavior of such applications,
providing automated (i.e., computer-assisted) methods and techniques
that guarantee safety has become a major challenge. Today, the most
widely used approach to checking software safety is still to run heavy
test campaigns, which account for a large part of the cost of software
development. Yet testing cannot ensure that all bugs are caught, and
remaining bugs may have catastrophic consequences (e.g., the
Heartbleed bug in the OpenSSL library discovered in 2014 https://

Generally speaking, software verification approaches pursue three goals: (1) verification should be sound, in the sense that no bugs should be missed; (2) verification should produce no false alarms, or as few as possible; (3) it should be as automatic as possible. Reaching all three goals at the same time is a challenge. A large class of approaches emphasizes goals (2) and (3): testing, run-time verification, symbolic execution, model checking, etc. Static analysis, such as abstract interpretation, emphasizes goals (1) and (3). Deductive verification emphasizes (1) and (2). The Toccata project is mainly interested in exploring the deductive verification approach, although we also consider the others in some cases.

In the past decade, significant progress has been made in the domain
of deductive program verification, as highlighted by several success
stories of applying these techniques to industrial-scale
software. For example, the *Atelier B* system was used to develop
part of the embedded software of the Paris metro line
14 and other railway-related systems; a
formally proved C compiler was developed using the Coq proof
assistant ; the L4-verified project developed a
formally verified micro-kernel with high security guarantees, using
analysis tools on top of the Isabelle/HOL proof
assistant . A bug in the JDK implementation of
TimSort was discovered using the KeY
environment and a fixed version was
proved sound. Another sign of recent progress is the emergence of
deductive verification competitions (e.g.,
VerifyThis ). Finally, a recent trend in
industrial practice for the development of critical software is to require
more and more guarantees of safety; e.g., the new DO-178C standard for
developing avionics software adds to the former DO-178B the use of
formal models and formal methods. It also emphasizes the need for
certification of the analysis tools involved in the process.

There are two main families of approaches for deductive
verification. Methods in the first family build on top of mathematical
proof assistants (e.g., Coq, Isabelle) in which both the model and the
program are encoded; the proof that the program meets its
specification is typically conducted in an interactive way using the
underlying proof construction engine. Methods from the second family
proceed by the design of standalone tools taking as input a program in
a particular programming language (e.g., C, Java) specified with a
dedicated annotation language (e.g., ACSL ,
JML ) and automatically producing a set of
mathematical formulas (the *verification conditions*) which are
typically proved using automatic provers (e.g., Z3 ,
Alt-Ergo , CVC4 ).

The first family of approaches usually offers a higher level of assurance than the second, but it also demands more work to perform the proofs (because of their interactive nature), which makes it harder for industry to adopt. Moreover, these approaches generally do not allow one to directly analyze a program written in a mainstream programming language like Java or C. The second family has benefited in recent years from the tremendous progress made in SAT and SMT solving techniques, allowing a greater impact on industrial practice, but it suffers from a lower level of trust: errors may appear in any part of the proof chain (the model of the input programming language, the VC generator, the back-end automatic prover), compromising the offered guarantees. Moreover, while these approaches are applied to mainstream languages, they usually support only a subset of their features.
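To make the second family of approaches concrete, here is a minimal sketch (in Python, over a hypothetical toy statement language; not the actual machinery of Why3 or any other tool mentioned here) of a weakest-precondition calculus: the verification condition of a program is computed as a predicate transformer, and is then "discharged" by brute-force checking where a real tool would hand a logical formula to an SMT solver.

```python
# Minimal predicate-transformer sketch. Statements are ("assign", var, expr_fn),
# ("seq", s1, s2) or ("if", cond_fn, s_then, s_else). Formulas are Python
# predicates over a state dict; wp(s, Q) is the weakest precondition of
# statement s with respect to postcondition Q.

def wp(stmt, post):
    kind = stmt[0]
    if kind == "assign":            # wp(x := e, Q) = Q[x := e]
        _, var, expr = stmt
        return lambda st: post({**st, var: expr(st)})
    if kind == "seq":               # wp(s1; s2, Q) = wp(s1, wp(s2, Q))
        _, s1, s2 = stmt
        return wp(s1, wp(s2, post))
    if kind == "if":                # wp splits on the branch condition
        _, cond, s1, s2 = stmt
        w1, w2 = wp(s1, post), wp(s2, post)
        return lambda st: (w1(st) if cond(st) else w2(st))
    raise ValueError(kind)

# Program: if x < y then m := y else m := x   (computes max(x, y))
prog = ("if", lambda st: st["x"] < st["y"],
        ("assign", "m", lambda st: st["y"]),
        ("assign", "m", lambda st: st["x"]))

# Postcondition: m is an upper bound of x and y and equals one of them.
post = lambda st: (st["m"] >= st["x"] and st["m"] >= st["y"]
                   and st["m"] in (st["x"], st["y"]))

vc = wp(prog, post)
# "Discharge" the VC by exhaustive checking on a small domain (a real
# tool would pass a logical formula to an automatic prover instead).
assert all(vc({"x": x, "y": y}) for x in range(-5, 6) for y in range(-5, 6))
```

Loops would additionally require user-provided invariants, which is precisely where the proof effort concentrates in practice.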

One of our original skills is the ability to conduct proofs by using automatic provers and proof assistants at the same time, depending on the difficulty of the program, and specifically on the difficulty of each particular verification condition. We thus believe that we are in a good position to propose a bridge between the two families of approaches to deductive verification presented above. Establishing this bridge is one of the goals of the Toccata project: we want to provide methods and tools for deductive program verification that offer both a high degree of proof automation and a high guarantee of validity. Indeed, one axis of research of Toccata is the development of languages, methods and tools that are themselves formally proved correct.

In industrial applications, numerical calculations are very common (e.g., control software in transportation). Typically they involve floating-point numbers. Some of the members of Toccata have an internationally recognized expertise in deductive program verification involving floating-point computations. Our past work includes a new approach for proving behavioral properties of numerical C programs using Frama-C/Jessie , various examples of applications of that approach , the use of the Gappa solver for proving numerical algorithms , an approach to take architectures and compilers into account when dealing with floating-point programs , . We also contributed to the Handbook of Floating-Point Arithmetic . A representative case study is the analysis and the proof of both the method error and the rounding error of a numerical analysis program solving the one-dimensional acoustic wave equation . Our experience led us to the conclusion that verification of numerical programs can benefit a lot from combining automatic and interactive theorem proving , , . Verification of numerical programs is another main axis of Toccata.
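As a tiny illustration of the kind of rounding behavior these verification efforts address (an illustrative aside, not an example from the cited work), the following Python snippet uses binary64 arithmetic and compares it with exact rational arithmetic to make both the representation error of a decimal constant and the accumulated rounding error of a summation explicit.

```python
from fractions import Fraction

# Summing 0.1 ten times in binary64: the stored constant 0.1 is already
# an approximation of 1/10, and each addition rounds again.
xs = [0.1] * 10
fsum = 0.0
for x in xs:
    fsum += x

exact = Fraction(1)                        # the ideal mathematical result
stored = sum(Fraction(x) for x in xs)      # exact sum of the *stored* values

rounding_error = abs(Fraction(fsum) - exact)
assert fsum != 1.0                         # the computed result is not 1...
assert stored != exact                     # ...0.1 itself is already inexact
assert rounding_error < Fraction(1, 10**15)  # ...but the error is tiny
```

Deductive verification of numerical programs consists precisely in proving machine-checked bounds of this kind, for all inputs rather than for one run.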

Our scientific programme detailed below is structured into four axes:

Foundations and spreading of deductive program verification;

Reasoning on mutable memory in program verification;

Verification of computer arithmetic;

Spreading Formal Proofs.

Let us conclude with more general considerations about our agenda for the next four years: we want to keep on

with general audience actions;

industrial transfer, in particular through an extension of the perimeter of the ProofInUse joint lab.

Permanent researchers: S. Conchon, J.-C. Filliâtre, C. Marché, G. Melquiond, A. Paskevich

This axis covers the central theme of the team: deductive verification, from the point of view of its foundations but also our will to spread its use in software development. The general motto we want to defend is “deductive verification for the masses”. A non-exhaustive list of subjects we want to address is as follows.

The verification of general-purpose algorithms and data structures: the challenge is to discover adequate invariants to obtain a proof, in as automatic a way as possible, in the continuation of the current VOCaL project and the various case studies presented in Axis 4 below.

Uniform approaches to obtain correct-by-construction programs and libraries, in particular by automatic extraction of executable code (in OCaml, C, CakeML, etc.) from verified programs, and including innovative general methods like advanced ghost code, ghost monitoring, etc.

Automated reasoning dedicated to deductive verification, so as to improve proof automation; improved combination of interactive provers and fully automated ones, proof by reflection.

Improved feedback in case of proof failures: based on generation of counterexamples, or symbolic execution, or possibly randomized techniques à la quickcheck.

Reduction of the trusted computing base in our toolchains: production of certificates from automatic proofs, for goal transformations (like those done by Why3), and from the generation of VCs.

A significant part of the work achieved in this axis is related to the Why3 toolbox and its ecosystem, displayed in Figure . The boxes with a red background correspond to the tools we develop in the Toccata team.

Permanent researchers: J.-C. Filliâtre, C. Marché, G. Melquiond, A. Paskevich

This axis concerns specifically the techniques for reasoning on programs where aliasing is the central issue. It covers methods based on type-based alias analysis and related memory models, on specific program logics such as separation logic, and on extended model checking. It concerns applications to the analysis of C or C++ code, of Ada code involving pointers, and also of concurrent programs in general. The main topics planned are:

The study of advanced type systems dedicated to verification, for controlling aliasing, and their use for obtaining easier-to-prove verification conditions. Modern type systems in the style of Rust, involving ownership and borrowing, will be considered.

The design of front-ends of Why3 for the proofs of programs where aliasing cannot be fully controlled statically, via adequate memory models, aiming in particular at extraction to C; and also for concurrent programs.

The continuation of fruitful work on concurrent parameterized systems, and its corresponding specific SMT-based model-checking.

Concurrent programming on weak memory models, on the one hand as an
extension of the parameterized systems above, but also in the specific
context of OCaml multicore (http://

In particular, in the context of the ProofInUse joint lab, the design of methods for Ada, C, C++, or Java using memory models involving fine-grained analysis of pointers. Rust programs could be considered as well.

Permanent researchers: S. Boldo, C. Marché, G. Melquiond

We of course want to keep this axis, which is a major originality of Toccata. The main topics of the next four years will be:

Fundamental studies concerning formalization of floating-point computations, algorithms, and error analysis. Related to numerical integration, we will develop the relationships between mathematical stability and floating-point stability of numerical schemes.

A significant effort dedicated to verification of numerical programs written in C, Ada, C++. This involves combining specifications in real numbers and computation in floating-point, and underlying automated reasoning techniques with floating-point numbers and real numbers. A new approach we have in mind concerns some variant of symbolic execution of both code and specifications involving real numbers.

We have not yet studied embedded systems. Our approach is first to tackle numerical filters. This requires more results on fixed-point arithmetic and a careful study of overflows.

Also, a specific focus on arbitrary-precision integer arithmetic, in the continuation of the ongoing PhD thesis of R. Rieu-Helft.
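To give a flavor of the fixed-point arithmetic and overflow issues mentioned above, here is an illustrative Python sketch of a toy Q4.4 fixed-point format (8-bit storage, 4 fractional bits); the format and helper names are invented for this example and do not come from any tool described here.

```python
# Toy Q4.4 fixed point: values are stored as integers scaled by 2^4,
# and every operation must watch for overflow of the 8-bit storage.

SCALE, BITS = 4, 8
LO, HI = -(1 << (BITS - 1)), (1 << (BITS - 1)) - 1   # -128 .. 127

def to_fix(x):
    """Encode a real value; raise if it does not fit in the format."""
    r = round(x * (1 << SCALE))
    if not LO <= r <= HI:
        raise OverflowError(x)
    return r

def fix_mul(a, b):
    """Multiply two fixed-point values, rescaling the wide product."""
    r = (a * b) >> SCALE
    if not LO <= r <= HI:
        raise OverflowError((a, b))
    return r

def to_float(a):
    return a / (1 << SCALE)

a, b = to_fix(1.5), to_fix(2.25)      # stored as 24 and 36
assert to_float(fix_mul(a, b)) == 3.375   # 1.5 * 2.25 is exact in Q4.4
```

Verifying a numerical filter then amounts to proving, for all admissible inputs, that no such overflow check can fire and that the accumulated quantization error stays within specified bounds.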

Permanent researchers: S. Boldo, S. Conchon, J.-C. Filliâtre, C. Marché, G. Melquiond, A. Paskevich

This axis covers applications in general. The applications we currently have in mind are:

Hybrid systems, i.e., systems mixing discrete and continuous transitions. This theme covers many aspects, such as general techniques for formal reasoning about differential equations, and extending SMT-based reasoning. The challenge is to support both abstract mathematical reasoning and concrete program execution (e.g., using floating-point representation). Hybrid systems will be a common effort with other members of the future joint laboratory with LSV of ENS Cachan.

Applied mathematics, in the continuation of the current efforts towards verification of the Finite Element Method. So far it has only been studied from the mathematical point of view. We plan to also consider its floating-point behavior; a demanding application is the molecular simulation exhibited in the new EMC2 project. The challenge here lies both in the mathematics to be formalized, in the numerical errors that have never been studied (and that may be huge in specific cases), and in the size of the programs, which requires that our tools scale.

Continuation of our work on analysis of shell scripts. The challenge is to be able to analyze a large number of scripts (more than 30,000 in the corpus of Debian packages installation scripts) in an automatic manner. An approach that will be considered is some form of symbolic execution.

Explore proof tools for mathematics, in particular automated reasoning for real analysis (application: formalization of the weak Goldbach conjecture), and in number theory.

Obtain and distribute verified OCaml libraries, as expected outcome of the VOCaL project.

Formalization of abstract interpretation and WP calculi: in the continuation of the former Verasco project, and of an ongoing project proposal joint with CEA List. The difficulty of achieving full verification of such tools will be mitigated by the use of certificate techniques.

The application domains we target involve safety-critical software, that is, software for which a high-level guarantee of sound functional behavior is desired. Currently our industrial collaborations and impact mainly belong to the domain of transportation: aerospace, aviation, railway, automotive.

The development of the control software of Airbus planes has historically included advanced usage of formal methods. A first aspect is the use of the CompCert verified compiler for compiling C source code; our work in cooperation with the Gallium team on the safe compilation of floating-point arithmetic operations applies directly in this context. A second aspect is the use of the Frama-C static analysis environment to verify the C source code. In this context, both our tools Why3 and Alt-Ergo are indirectly used to verify C code.

In the former ANR
project BWare, we investigated the use of Why3 and Alt-Ergo as an
alternative back-end for checking proof obligations generated by
*Atelier B*, whose main applications are railroad-related
https://

Through the creation of the ProofInUse joint lab
(https://

The impact of ProofInUse can also be measured in terms of job
creation: the first two ProofInUse engineers, D. Hauzar and
C. Fumex, employed initially on Inria temporary positions, have since
been hired in permanent positions at AdaCore. It is also
worth noticing that this effort allowed AdaCore to
attract new customers; in particular, the domains of application of
deductive formal verification went beyond the historical domain of
aerospace, with applications in automotive
(https://

The current plans for
continuation of the ProofInUse joint lab
(https://

Generally speaking, we believe that our increasing industrial impact is a representative success for our general goal of spreading deductive verification methods to a larger audience, and we are firmly engaged into continuing such kind of actions in the future.

Martin Clochard has been awarded the GDR GPL 2018 prize
(http://

Martin Clochard is currently a postdoc at ETH Zurich.

Jean-Christophe Filliâtre received the 2019 CAV Award, jointly with Rustan Leino (Amazon Web Services), for the design and development of reusable intermediate verification languages which significantly simplified and accelerated the building of automated deductive verifiers. Jean-Christophe is the initial designer of the Why environment for automated deductive verification, and a leading developer of its successor Why3.

The CAV award is given annually at the CAV conference for fundamental
contributions to the field of Computer-Aided
Verification. http://

Claude Marché received the FIEEC CARNOT 2019 prize for applied
research. The award recognizes his collaboration with AdaCore, a
company providing computer-assisted proof and verification tools, for
applications in the development of safety- and security-critical
software in the aeronautics, space, air traffic control, and rail
transportation industries, as well as autonomous vehicles, finance,
and medical devices.
https://

*Automated theorem prover for software verification*

Keywords: Software Verification - Automated theorem proving

Functional Description: Alt-Ergo is an automatic solver of formulas based on SMT technology. It is especially designed to prove mathematical formulas generated by program verification tools, such as Frama-C for C programs or SPARK for Ada code. Initially developed in the Toccata research team, Alt-Ergo has been distributed and supported by OCamlPro since September 2013.

Release Functional Description: The "SAT solving" part can now be delegated to an external plugin; a new experimental SAT solver based on miniSAT is provided as a plugin and is, in general, more efficient on ground problems. Other changes include: heuristic simplifications in the default SAT solver and in the matching (instantiation) module; a re-implementation of the internal representation of literals; an improved theory-combination architecture; a partial rewrite of the formulas module; bug fixes in the records and numbers modules; and a new option "-no-Ematching" to perform matching without equality reasoning (i.e., without considering equivalence classes), which is very useful for benchmarks coming from Atelier-B. Two new experimental options were added: "-save-used-context" and "-replay-used-context". When the goal is proved valid, the first option saves the names of the useful axioms into a ".used" file; the second one replays the proof using only the axioms listed in the corresponding ".used" file. Note that the replay may fail in the absence of necessary ground terms that were generated, during the initial run, by the axioms not included in the ".used" file.

Participants: Alain Mebsout, Évelyne Contejean, Mohamed Iguernelala, Stéphane Lescuyer and Sylvain Conchon

Partner: OCamlPro

Contact: Sylvain Conchon

*Interval package for Coq*

Keywords: Interval arithmetic - Coq

Functional Description: CoqInterval is a library for the proof assistant Coq.

It provides several tactics for proving theorems on enclosures of real-valued expressions. The proofs are performed by an interval kernel which relies on a computable formalization of floating-point arithmetic in Coq.

The Marelle team developed a formalization of rigorous polynomial approximation using Taylor models in Coq. In 2014, this library was included in CoqInterval.
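The principle behind such an interval kernel can be sketched in a few lines of Python. This is an unverified toy for illustration only: CoqInterval proves its operations correct in Coq and uses directed rounding to remain sound in floating-point, neither of which this sketch does.

```python
# A toy interval kernel: every operation returns an interval guaranteed
# (here, only informally) to enclose all possible values of the result.

class I:
    def __init__(self, lo, hi):
        assert lo <= hi
        self.lo, self.hi = lo, hi
    def __add__(self, o):                # [a,b] + [c,d] = [a+c, b+d]
        return I(self.lo + o.lo, self.hi + o.hi)
    def __mul__(self, o):                # take min/max of corner products
        ps = [self.lo*o.lo, self.lo*o.hi, self.hi*o.lo, self.hi*o.hi]
        return I(min(ps), max(ps))
    def __contains__(self, x):
        return self.lo <= x <= self.hi

# Enclose x*x + x for x in [1, 2]: every value of the expression on that
# domain must lie in the computed interval [2, 6].
x = I(1, 2)
e = x*x + x
assert all((t*t + t) in e for t in [1.0, 1.5, 2.0])
```

A tactic built on such a kernel proves a bound like "for all x in [1,2], x*x + x <= 6" purely by computation, which is exactly the style of proof CoqInterval automates.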

Participants: Assia Mahboubi, Érik Martin-Dorel, Guillaume Melquiond, Jean-Michel Muller, Laurence Rideau, Laurent Théry, Micaela Mayero, Mioara Joldes, Nicolas Brisebarre and Thomas Sibut-Pinote

Contact: Guillaume Melquiond

Publications: Proving bounds on real-valued functions with computations - Floating-point arithmetic in the Coq system - Proving Tight Bounds on Univariate Expressions with Elementary Functions in Coq - Formally Verified Approximations of Definite Integrals

*The Coquelicot library for real analysis in Coq*

Keywords: Coq - Real analysis

Functional Description: Coquelicot is a library aimed at supporting real analysis in the Coq proof assistant. It is designed with three principles in mind. The first is user-friendliness, achieved by implementing methods of automation, but also by avoiding dependent types in order to ease the statement and readability of theorems. The latter part was achieved by defining total functions for basic operators, such as limits or integrals. The second principle is the comprehensiveness of the library. By experimenting on several applications, we ensured that the available theorems are enough to cover most cases. We also wanted to be able to extend our library towards more generic settings, such as complex analysis or Euclidean spaces. The third principle is for the Coquelicot library to be a conservative extension of the Coq standard library, so that it can be easily combined with existing developments based on the standard library.

Participants: Catherine Lelay, Guillaume Melquiond and Sylvie Boldo

Contact: Sylvie Boldo

*The Cubicle model checker modulo theories*

Keywords: Model Checking - Software Verification

Functional Description: Cubicle is an open source model checker for verifying safety properties of array-based systems, which correspond to a syntactically restricted class of parameterized transition systems with states represented as arrays indexed by an arbitrary number of processes. Cache coherence protocols and mutual exclusion algorithms are typical examples of such systems.
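The backward reachability scheme underlying such model checkers can be illustrated on a finite toy instance. The Python sketch below uses a hypothetical 2-process lock-based mutual-exclusion protocol and computes the pre-image fixpoint of the unsafe states explicitly; Cubicle performs the same fixpoint symbolically, with sets of states described by cubes and pre-images computed via an SMT solver, for an arbitrary number of processes.

```python
from itertools import product

IDLE, WAIT, CRIT = "idle", "wait", "crit"
PCS = (IDLE, WAIT, CRIT)

def successors(state):
    """Global state: (pc0, pc1, lock_held). A process enters the
    critical section only by acquiring the lock, and releases on exit."""
    pcs, lock = list(state[:2]), state[2]
    out = []
    for i in range(2):
        nxt = pcs[:]
        if pcs[i] == IDLE:
            nxt[i] = WAIT; out.append((nxt[0], nxt[1], lock))
        elif pcs[i] == WAIT and not lock:
            nxt[i] = CRIT; out.append((nxt[0], nxt[1], True))
        elif pcs[i] == CRIT:
            nxt[i] = IDLE; out.append((nxt[0], nxt[1], False))
    return out

states = [(a, b, l) for a, b in product(PCS, PCS) for l in (False, True)]
unsafe = {s for s in states if s[0] == CRIT and s[1] == CRIT}
init = (IDLE, IDLE, False)

# Backward reachability: iterate the pre-image of the unsafe set to a
# fixpoint; safety holds iff the initial state is never reached.
bad = set(unsafe)
while True:
    pre = {s for s in states if any(t in bad for t in successors(s))}
    if pre <= bad:
        break
    bad |= pre

assert init not in bad   # mutual exclusion holds from the initial state
```

The point of the symbolic version is that a single cube stands for infinitely many such states, so the same fixpoint argument covers every number of processes at once.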

Participants: Alain Mebsout and Sylvain Conchon

Contact: Sylvain Conchon

*The Flocq library for formalizing floating-point arithmetic in Coq*

Keywords: Floating-point - Arithmetic code - Coq

Functional Description: The Flocq library for the Coq proof assistant is a comprehensive formalization of floating-point arithmetic: core definitions, axiomatic and computational rounding operations, high-level properties. It provides a framework for developers to formally verify numerical applications.

Flocq is currently used by the CompCert verified compiler to support floating-point computations.

Participants: Guillaume Melquiond, Pierre Roux and Sylvie Boldo

Contact: Sylvie Boldo

Publications: Flocq: A Unified Library for Proving Floating-point Algorithms in Coq - A Formally-Verified C Compiler Supporting Floating-Point Arithmetic - Verified Compilation of Floating-Point Computations - Innocuous Double Rounding of Basic Arithmetic Operations - Formal Proofs of Rounding Error Bounds : With application to an automatic positive definiteness check - Computer Arithmetic and Formal Proofs : Verifying Floating-point Algorithms with the Coq System

*The Gappa tool for automated proofs of arithmetic properties*

Keywords: Floating-point - Arithmetic code - Software Verification - Constraint solving

Functional Description: Gappa is a tool intended to help formally verify numerical programs dealing with floating-point or fixed-point arithmetic. It has been used to write robust floating-point filters for CGAL and it is used to verify elementary functions in CRlibm. While Gappa is intended to be used directly, it can also act as a backend prover for the Why3 software verification platform or as an automatic tactic for the Coq proof assistant.

Participant: Guillaume Melquiond

Contact: Guillaume Melquiond

Publications: Generating formally certified bounds on values and round-off errors - Formal certification of arithmetic filters for geometric predicates - Assisted verification of elementary functions - From interval arithmetic to program verification - Formally Certified Floating-Point Filters For Homogeneous Geometric Predicates - Combining Coq and Gappa for Certifying Floating-Point Programs - Handbook of Floating-Point Arithmetic - Certifying the floating-point implementation of an elementary function using Gappa - Automations for verifying floating-point algorithms - Automating the verification of floating-point algorithms - Computer Arithmetic and Formal Proofs : Verifying Floating-point Algorithms with the Coq System

*The Why3 environment for deductive verification*

Keywords: Formal methods - Trusted software - Software Verification - Deductive program verification

Functional Description: Why3 is an environment for deductive program verification. It provides a rich language for specification and programming, called WhyML, and relies on external theorem provers, both automated and interactive, to discharge verification conditions. Why3 comes with a standard library of logical theories (integer and real arithmetic, Boolean operations, sets and maps, etc.) and basic programming data structures (arrays, queues, hash tables, etc.). A user can write WhyML programs directly and get correct-by-construction OCaml programs through an automated extraction mechanism. WhyML is also used as an intermediate language for the verification of C, Java, or Ada programs.

Participants: Andriy Paskevych, Claude Marché, François Bobot, Guillaume Melquiond, Jean-Christophe Filliâtre, Levs Gondelmans and Martin Clochard

Partners: CNRS - Université Paris-Sud

Contact: Claude Marché

URL: http://

*The Coq Proof Assistant*

Keywords: Proof - Certification - Formalisation

Scientific Description: Coq is an interactive proof assistant based on the Calculus of (Co-)Inductive Constructions, extended with universe polymorphism. This type theory features inductive and co-inductive families, an impredicative sort, and a hierarchy of predicative universes, making it a very expressive logic. The calculus makes it possible to formalize both general mathematics and computer programs, ranging from theories of finite structures to abstract algebra and categories, to programming language metatheory and compiler verification. Coq is organized as a (relatively small) kernel including efficient conversion tests, on which are built a set of higher-level layers: a powerful proof engine and unification algorithm, various tactics and decision procedures, a transactional document model and, at the very top, an IDE.

Functional Description: Coq provides both a dependently-typed functional programming language and a logical formalism, which, altogether, support the formalisation of mathematical theories and the specification and certification of properties of programs. Coq also provides a large and extensible set of automatic or semi-automatic proof methods. Coq programs can be extracted to OCaml, Haskell, Scheme, ...

Release Functional Description: Coq version 8.10 contains two major new features: support for a native fixed-precision integer type and a new sort SProp of strict propositions. It is also the result of refinements and stabilization of previous features, deprecations or removals of deprecated features, cleanups of the internals of the system and API, and many documentation improvements. This release includes many user-visible changes, including deprecations that are documented in the next subsection, and new features that are documented in the reference manual.

Version 8.10 is the fifth release of Coq developed on a time-based development cycle. Its development spanned 6 months from the release of Coq 8.9. Vincent Laporte is the release manager and maintainer of this release. This release is the result of 2500 commits and 650 PRs merged, closing 150+ issues.

See the Zenodo citation for more information on this release: https://zenodo.org/record/3476303#.Xe54f5NKjOQ

News Of The Year: Coq 8.10.0 contains:

- some quality-of-life bug fixes,
- a critical bug fix related to template polymorphism,
- native 63-bit machine integers,
- a new sort of definitionally proof-irrelevant propositions: SProp,
- private universes for opaque polymorphic constants,
- string notations and numeral notations,
- a new simplex-based proof engine for the tactics lia, nia, lra and nra,
- new introduction patterns for SSReflect,
- a tactic to rewrite under binders: under,
- easy input of non-ASCII symbols in CoqIDE, which now uses GTK3.

All details can be found in the user manual.

Participants: Yves Bertot, Frédéric Besson, Maxime Denes, Emilio Jesús Gallego Arias, Gaëtan Gilbert, Jason Gross, Hugo Herbelin, Assia Mahboubi, Érik Martin-Dorel, Guillaume Melquiond, Pierre-Marie Pédrot, Michael Soegtrop, Matthieu Sozeau, Enrico Tassi, Laurent Théry, Théo Zimmermann, Theo Winterhalter, Vincent Laporte, Arthur Charguéraud, Cyril Cohen, Christian Doczkal and Chantal Keller

Partners: CNRS - Université Paris-Sud - ENS Lyon - Université Paris-Diderot

Contact: Matthieu Sozeau

URL: http://

Earlier works using Why3 showed that automatically verifying the algorithms of the arbitrary-precision integer library GMP exceeds the current capabilities of automatic solvers. To complete this verification, numerous cut indications had to be supplied by the user, slowing the project to a crawl. G. Melquiond and R. Rieu-Helft extended Why3 with a framework for proofs by reflection, with minimal impact on the trusted computing base. This framework makes it easy to write dedicated decision procedures that make full use of Why3's imperative features and are formally verified. This approach opens the way to efficiently tackling the further verification of GMP's algorithms .
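The idea of proof by reflection can be conveyed by a toy example, sketched here in Python and unrelated to GMP itself: instead of building a deductive proof of a family of facts, one reflects the goal into a syntax tree and runs a decision procedure on it. In the Why3/Coq setting that procedure is itself formally verified, so merely running it constitutes the proof; here the procedure is of course unverified.

```python
from itertools import product

# Reflected syntax for bitwise expressions: variables and conjunction.
Var = lambda name: ("var", name)
And = lambda a, b: ("and", a, b)

def eval_expr(e, env):
    """Evaluator ("interpretation") of the reflected syntax."""
    if e[0] == "var":
        return env[e[1]]
    return eval_expr(e[1], env) & eval_expr(e[2], env)

def decide_equal(e1, e2, names, bits=4):
    """Decision procedure: exhaustively check e1 == e2 on all valuations.
    In a reflective tactic, this function would come with a correctness
    proof, so a successful run proves the universally quantified goal."""
    for vals in product(range(1 << bits), repeat=len(names)):
        env = dict(zip(names, vals))
        if eval_expr(e1, env) != eval_expr(e2, env):
            return False
    return True

# Goal: x & y == y & x for all 4-bit x, y, proved by computation.
lhs = And(Var("x"), Var("y"))
rhs = And(Var("y"), Var("x"))
assert decide_equal(lhs, rhs, ["x", "y"])
```

The payoff is that the proof term stays tiny regardless of how much computation the decision procedure performs, which is what made the GMP verification tractable.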

In the context of the ANR project “VOCaL” (see Sec. ), which aims at building a formally verified OCaml library of data structures and algorithms, a specification language for OCaml was designed and implemented. It is called GOSPEL, for Generic OCaml SPEcification Language. During his post-doc in the Toccata team, from September 2018 to August 2019, C. Lourenço implemented a parser and type checker for GOSPEL. The work on the GOSPEL language was presented at FM'19 . J.-C. Filliâtre was a keynote speaker at iFM 2019, where he gave a talk on the ongoing work in the VOCaL project, including GOSPEL .

VerifyThis 2018 took place on April 14 and 15, 2018 in Thessaloniki, Greece, as a satellite event of ETAPS 2018. It was the sixth edition in the VerifyThis annual competition series. Typical challenges in the VerifyThis competitions are small but intricate algorithms given in pseudo-code with an informal specification in natural language. Participants have to formalize the requirements, implement a solution, and formally verify the implementation for adherence to the specification. There are no restrictions on the programming language and verification technology used. The time frame to solve each challenge is limited to 90 minutes. Submissions are judged for correctness, completeness, and elegance. The judging also takes into account the usability of the tools, their facilities for formalizing the properties, and the helpfulness of their output.

*VerifyThis 2018* consisted of three increasingly difficult
verification challenges,
selected to showcase various aspects of software verification.
Eleven teams (one or two participants) took part in the competition.
A full report on the VerifyThis 2018 event
provides
a presentation of the competing teams,
a description of the challenges,
a high-level overview of the solutions,
and the results of the competition.

Proof assistants based on Type Theory, such as Coq, allow the implementation of effective automatic tactics based on computational reflection. These are usually limited to a particular mathematical domain (such as linear arithmetic or ring theory). In contrast, SMTCoq is a modular and extensible tool, using external provers, which generalizes these computational approaches to combine reasoning from multiple domains. For this, it is based on a high-level interface, which offers greater expressiveness at the cost of more complex automation. Q. Garchery and his co-authors focused on two improvements: the ability to use quantified lemmas, and the ability to use multiple representations of the same data structure. They realized a new automatic tactic, based on SMTCoq, that is expressive while keeping the modularity and the efficiency of the latter. Such a tactic thus enables scalable, low-cost automation for new domains supported by state-of-the-art automatic provers.

In a context of formal
program verification using automatic provers, the trusted code base
of verification environments is typically very broad. An environment
such as Why3 implements many complex procedures: generation of
verification conditions, logical transformations of proof tasks, and
interactions with external provers. Considering only the logical
transformations of Why3, their implementation already amounts to
more than 17,000 lines of OCaml code. In order to increase our
confidence in the correctness of such a verification tool, Garchery,
Keller, Marché and Paskevich
proposed a mechanism of certifying transformations, producing
certificates that can be validated by an external tool, according to
the *skeptical* approach. They explored two methods to validate
certificates: one based on a dedicated verifier developed in OCaml,
the other based on the universal proof checker Dedukti. A
specificity of their certificates is to be fine-grained and
composable, which makes the approach incremental, allowing new
certifying transformations to be added gradually.

The Model Checking Modulo Theories (MCMT) framework is a powerful model checking technique for verifying safety properties of parameterized transition systems. In MCMT, logical formulas are used to represent both transitions and sets of states, and safety properties are verified by an SMT-based backward reachability analysis. To be fully automated, the class of formulas handled in MCMT is restricted to cubes, i.e., existentially quantified conjunctions of literals. While very expressive, cubes cannot define properties with a global termination condition, which is usually described by a universally quantified formula. In this work, S. Conchon and M. Roux describe BRWP, an extension of the backward reachability of MCMT for reasoning about validity properties expressed as universal cubes, that is, cubes extended with universal quantifiers.
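The backward reachability loop at the core of MCMT can be sketched on a finite-state system (an illustrative toy of our own; MCMT itself represents state sets symbolically as cubes and delegates the pre-image and fixpoint tests to an SMT solver):

```python
def backward_reachable(unsafe, pre, init):
    # Iterate the pre-image of the unsafe states until a fixpoint is
    # reached; the system is safe iff no initial state is ever covered.
    frontier, seen = set(unsafe), set(unsafe)
    while frontier:
        frontier = pre(frontier) - seen
        seen |= frontier
    return not (seen & set(init))  # True means "safe"

# Toy system: a counter over {0..3} that only increments.
transitions = {(i, i + 1) for i in range(3)}
pre = lambda states: {s for (s, t) in transitions if t in states}
```

For instance, `backward_reachable({3}, pre, {0})` is `False` (state 3 is reachable from 0), while `backward_reachable({0}, pre, {1})` is `True` (nothing leads back to 0).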

C. Lourenço, together with Maria Frade and Jorge Sousa Pinto from Universidade do Minho, developed a minimal model of the functioning of program verification and property checking tools based on (i) the encoding of loops as non-iterating programs, either conservatively, making use of invariants and assume/assert commands, or in a bounded way; and (ii) the use of an intermediate single-assignment (SA) form. The model captures the basic workflow of tools like Boogie, Why3, or CBMC, building on a clear distinction between operational and axiomatic semantics. This allows one to consider separately the soundness of program annotation, loop encoding, translation into SA form, and verification condition (VC) generation, as well as appropriate notions of completeness for each of these processes. To the best of our knowledge, this is the first formalization of a software bounded model checking technique, including soundness and completeness proofs using Hoare logic; they also give the first completeness proof of a deductive verification technique based on a conservative encoding of invariant-annotated loops with assume/assert in SA form, as well as the first soundness proof based on a program logic.
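The conservative loop encoding mentioned above can be illustrated on a toy example (our own, not taken from the paper): a loop annotated with an invariant is replaced by a non-iterating program that asserts the invariant on entry, havocs the modified variables, assumes the invariant, runs one iteration of the body, and asserts the invariant again. Here the havoc is simulated by enumerating a finite domain.

```python
# Toy loop: while i < n: s = s + i; i = i + 1
# Invariant: 0 <= i <= n and s == i*(i-1)//2
def inv(i, s, n):
    return 0 <= i <= n and s == i * (i - 1) // 2

def check_conservative_encoding(n):
    # (1) Invariant holds on entry (i = 0, s = 0).
    assert inv(0, 0, n)
    # (2) Havoc i and s, assume the invariant, execute one iteration of
    #     the body under the guard, and assert the invariant is preserved.
    for i in range(n + 1):           # havoc, restricted to a finite domain
        s = i * (i - 1) // 2         # assume: keep only states satisfying inv
        if i < n:                    # loop guard
            s, i = s + i, i + 1      # loop body
            assert inv(i, s, n)      # invariant is inductive
    # (3) After the loop, the invariant plus the negated guard (i >= n)
    #     give the postcondition s == n*(n-1)//2.
    return True
```

Running `check_conservative_encoding(10)` succeeds, i.e., the invariant is inductive for this toy program.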

Symbolic execution amounts to representing sets of concrete program states as a logical formula relating the program variables, and interpreting sets of executions as a transformation of that formula. B. Becker and C. Marché formalised the correctness of a symbolic interpreter engine, expressed by an over-approximation property stating that symbolic execution covers all concrete executions, and an under-approximation property stating that no useless symbolic states are generated. This formalisation is tailored for automated verification, that is, the automated discharge of verification conditions to SMT solvers. To achieve this level of automation, they appropriately annotated the code of the symbolic interpreter with an original use of both ghost data and ghost statements.
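The two properties can be illustrated on a toy symbolic interpreter (a minimal sketch of our own, unrelated to the actual Why3 development): a symbolic state is a pair of a path condition and a value expression, both given as functions of the input.

```python
def sym_abs():
    # Symbolic execution of: if x > 0 then x else -x.
    # Each branch yields one symbolic state (path condition, value).
    return [
        (lambda x: x > 0,  lambda x: x),   # then-branch
        (lambda x: x <= 0, lambda x: -x),  # else-branch
    ]

def concrete_abs(x):
    return x if x > 0 else -x

def over_approximates(states, concrete, inputs):
    # Over-approximation: every concrete execution is covered by some
    # symbolic state whose path condition holds and whose value agrees.
    return all(any(pc(x) and val(x) == concrete(x) for pc, val in states)
               for x in inputs)

def no_useless_state(states, inputs):
    # A crude stand-in for under-approximation: every symbolic state is
    # witnessed by at least one concrete input satisfying its condition.
    return all(any(pc(x) for x in inputs) for pc, _ in states)
```

Both checks succeed on this toy program over the inputs −5..5.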

M. Clochard, C. Marché and A. Paskevich
proposed a new approach to deductive program verification based on
auxiliary programs called *ghost monitors*. This technique
is useful when the syntactic structure of the target program is
not well suited for verification, for example, when an essentially
recursive algorithm is implemented in an iterative fashion. This
new approach consists in implementing, specifying, and verifying
an auxiliary program that monitors the execution of the target
program, in such a way that the correctness of the monitor entails
the correctness of the target. The ghost monitor maintains the
necessary data and invariants to facilitate the proof. It can be
implemented and verified in any suitable framework, which does not
have to be related to the language of the target programs. This
technique is also applicable when one wants to establish
relational properties between two target programs written in
different languages and having different syntactic structure.

Ghost monitors can be used to specify and prove fine-grained
properties about the *infinite behaviors* of target programs.
Since this cannot be easily done using existing verification
frameworks, this work introduces a dedicated language for ghost
monitors, with an original construction to *catch* and handle
divergent executions. The soundness of the underlying program
logic is established using a particular flavor of transfinite
games. This language and its soundness are formalized and
mechanically checked.

Even though some programs only use integer operations, the best way to understand and verify them might be to view them as fixed-point arithmetic algorithms. This is the case of the function from the GMP library that computes the square root of a 64-bit integer. The C code is short but intricate, as it implements Newton's method and relies on magic constants and intentional arithmetic overflows. G. Melquiond and R. Rieu-Helft have verified this algorithm using the Why3 tool and automated solvers such as Gappa.
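For comparison, a plain integer Newton iteration for the square root (a textbook version, much simpler than the verified GMP code, which works on 64-bit words and exploits magic constants and overflows) looks like this:

```python
def isqrt(n):
    # Newton's method on integers: x_{k+1} = (x_k + n // x_k) // 2,
    # which converges to floor(sqrt(n)) for n >= 0.
    if n < 2:
        return n
    x, y = n, (n + 1) // 2
    while y < x:
        x, y = y, (y + n // y) // 2
    return x
```

For example, `isqrt(63)` is `7` and `isqrt(64)` is `8`; the result `r` always satisfies `r*r <= n < (r+1)*(r+1)`.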

S. Boldo, F. Faissole, and A. Chapoutot developed a new fine-grained analysis of round-off errors in explicit Runge-Kutta integration methods, taking into account exceptional behaviors such as underflow and overflow. First steps towards the formalization have been taken by F. Faissole.

In a setting where we have intervals for the values of
floating-point variables

The 2019 version of the IEEE 754 Standard for Floating-Point Arithmetic
recommends that new “augmented” operations should be provided for
the binary formats. These operations use a new “rounding
direction”: round to nearest *ties-to-zero*. S. Boldo,
C. Lauter, and J.-M. Muller show how they can be implemented using
the currently available round-to-nearest *ties-to-even*
operations, with a partial formal proof of correctness.
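At the level of integers, the new rounding direction can be illustrated as follows (a toy model of ties-to-zero of our own; the actual work concerns binary floating-point operations):

```python
import math

def round_ties_to_zero(x):
    # Round x to the nearest integer; in case of a tie (fractional part
    # exactly 0.5), choose the candidate closer to zero.
    f = math.floor(x)
    r = x - f
    if r < 0.5:
        return f
    if r > 0.5:
        return f + 1
    return f if abs(f) < abs(f + 1) else f + 1
```

For instance, 2.5 rounds to 2 and −2.5 rounds to −2, whereas round-to-nearest ties-to-even maps both to even neighbors (2 and −2 here, but 3.5 would go to 4 rather than 3).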

Several developments were made towards the efficiency and accuracy of the implementation of LTI (linear time-invariant) numerical filters: a word-length optimization problem under accuracy constraints by T. Hilaire, H. Ouzia, and B. Lopez, and a tight worst-case error analysis by A. Volkova, T. Hilaire, and C. Lauter.

The CoqInterval library provides some tactics for computing and formally verifying numerical approximations of real-valued expressions inside the Coq system. In particular, it is able to compute reliable bounds on proper definite integrals. A. Mahboubi, G. Melquiond, and T. Sibut-Pinote extended these algorithms to also cover some improper integrals, e.g., those with an unbounded integration domain. This makes CoqInterval one of the very few tools able to produce reliable results for improper integrals, be they formally verified or not.
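The underlying idea of reliable quadrature can be sketched with Riemann-sum enclosures (a naive illustration for a monotone integrand that ignores floating-point rounding; CoqInterval's algorithms are far more sophisticated and formally verified):

```python
import math

def integral_enclosure(f, a, b, n):
    # For a monotonically increasing f, the left and right Riemann sums
    # bracket the integral of f over [a, b].
    h = (b - a) / n
    lo = h * sum(f(a + i * h) for i in range(n))
    hi = h * sum(f(a + (i + 1) * h) for i in range(n))
    return lo, hi
```

For example, `integral_enclosure(math.exp, 0.0, 1.0, 1000)` returns an interval of width about 0.0017 that contains e − 1, the exact value of the integral.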

D. Gallois-Wong developed a Coq formalization of a generic representation of numerical filters, called SIF, designed to encompass the other representations of filters, so that useful theorems need only be proved once.

E. Neumann and F. Steinberg extended the framework for complexity of operators in analysis devised by Kawamura and Cook (2012) to allow for the treatment of a wider class of representations, and applied it to the study of interval computation. A. Kawamura, F. Steinberg, and H. Thies put forward a type-two linear-time complexity class.

F. Steinberg, L. Théry, and H. Thies give a number of formal proofs of theorems from the field of computable analysis. Results include that the algebraic operations and the efficient limit operator on the reals are computable, that certain countably infinite products are isomorphic to spaces of functions, compatibility of the enumeration representation of subsets of natural numbers with the abstract definition of the space of open subsets of the natural numbers, and that continuous realizability implies sequential continuity. F. Steinberg and H. Thies formalized proofs about Baire spaces and the isomorphism of the concrete and abstract spaces of open sets.

Several new results were produced in the context of the CoLiS project for the formal analysis of Debian packages. A first important step is version 2 of the design of the CoLiS language, done by B. Becker, C. Marché and other co-authors, which includes a modified formal syntax, an extended formal semantics, together with the design of concrete and symbolic interpreters. These interpreters are specified and implemented in Why3, proved correct (following the initial approach for the concrete interpreter published in 2018 and the recent approach for symbolic interpretation mentioned above), and finally extracted to OCaml code.

To make the extracted code effective, it must be linked with a library that implements a solver for feature constraints, and also a library that formally specifies the behavior of basic UNIX utilities. The latter library is documented in detail in a research report.

A third result is a large verification campaign running the CoLiS toolbox on all the packages of the current Debian distribution. The results of this campaign were reported in another article that will be presented at the TACAS conference in 2020. The most visible side effect of this experiment is the discovery of bugs: more than 150 bug reports have been filed against various Debian packages.

J.-C. Filliâtre was an invited speaker at JFLA 2019, as part of a session celebrating the 30 years of JFLA (a French-speaking national conference related to functional programming). He talked about 25 years of programming with OCaml. At JFLA 2020, J.-C. Filliâtre will give a talk related to the elimination of non-tail calls.

In May–July 2019, Léo Andrès (an M1 student at Paris-Sud) did a three-month internship on the verification of the first algorithm of Parcoursup using Why3. Most of the expected properties, taken from the public description of Parcoursup's algorithms, have been verified. Léo Andrès's report (in French) is available online. In June–December 2019, Benedikt Becker worked on the verification of the Java source code of Parcoursup. The findings and lessons learnt are described in a report under preparation.

F. Faissole, G. Constantinides, and D. Thomas developed Coq formalizations in order to improve high-level synthesis for FPGAs.

We have two bilateral contracts which are closely related to a joint effort called the ProofInUse joint Laboratory. The objective of ProofInUse is to provide verification tools, based on mathematical proof, to industry users. These tools are aimed at replacing or complementing the existing test activities, whilst reducing costs.

This joint laboratory is a follow-up of the former “LabCom
ProofInUse” between Toccata and the SME AdaCore, funded by the ANR
programme “Laboratoires communs”, from April 2014 to March 2017
http://

This collaboration is a joint effort of the Inria project-team Toccata and the AdaCore company which provides development tools for the Ada programming language. It is funded by a 5-year bilateral contract from Jan 2019 to Dec 2023.

The SME AdaCore is a software publisher specializing in providing software development tools for critical systems. A previous successful collaboration between Toccata and AdaCore enabled the Why3 technology to be put at the heart of the SPARK technology developed by AdaCore.

The objective of ProofInUse-AdaCore is to significantly increase the capabilities and performance of the SPARK/Ada verification environment proposed by AdaCore. It aims at integrating verification techniques from the state of the art of academic research, via the generic environment Why3 for deductive program verification developed by Toccata.

This bilateral contract is part of the ProofInUse effort. This collaboration joins the efforts of the Inria project-team Toccata and the Mitsubishi Electric R&D company (MERCE) in Rennes. It is funded by an 18-month bilateral contract from Nov 2019 to April 2021.

MERCE has strong and recognized skills in the field of formal methods. In the industrial context of the Mitsubishi Electric Group, MERCE has acquired knowledge of the specific needs of the development processes and meets the needs of the group in different application areas by providing automatic verification and proof tools adapted to the problems encountered.

The objective of ProofInUse-MERCE is to significantly improve on-going MERCE tools regarding the verification of Programmable Logic Controllers and also regarding the verification of numerical C codes.

Jointly with the thesis of R. Rieu-Helft, supervised in collaboration with the TrustInSoft company, we established a 3-year bilateral collaboration contract, which started in October 2017. The aim is to design methods that make it possible to build an arbitrary-precision integer library that, while competitive with the state-of-the-art library GMP, is formally verified. Not only are GMP's algorithms especially intricate from an arithmetic point of view, but numerous tricks were also used to optimize them. We are using the Why3 programming language to implement the algorithms, we are developing reflection-based procedures to verify them, and we finally extract them as a C library that is binary-compatible with GMP.
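The flavor of limb-based arbitrary-precision arithmetic can be conveyed by schoolbook addition on little-endian limb arrays (an illustrative sketch of our own, mirroring GMP's mpn-style representation; the verified library itself is written in WhyML and extracted to C):

```python
BASE = 2 ** 64  # one limb = one 64-bit word

def mp_add(a, b):
    # Schoolbook addition of little-endian limb arrays with explicit
    # carry propagation between limbs.
    out, carry = [], 0
    for i in range(max(len(a), len(b))):
        s = (a[i] if i < len(a) else 0) + (b[i] if i < len(b) else 0) + carry
        out.append(s % BASE)
        carry = s // BASE
    if carry:
        out.append(carry)
    return out
```

For example, adding the one-limb numbers 2⁶⁴ − 1 and 1 overflows the low limb and produces the two-limb result [0, 1].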


ELEFFAN is a Digicosme project funding the PhD of
F. Faissole. S. Boldo is the principal investigator. It began in 2016
for three years. https://

The ELEFFAN project aims at formally proving rounding error bounds of numerical schemes.

Partners: ENSTA Paristech (A. Chapoutot)

MILC is a DIM-RFSI project. It is a one-year project (2018–2019) that
aims at formalizing measure theory and Lebesgue integral in the
Coq proof assistant. https://

Partners: Université Paris 13 (M. Mayero, PI), Inria Paris, Inria Saclay

The CoLiS research project is funded by the programme “Société de
l'information et de la communication” of the ANR, for a period of
60 months, starting on October 1st,
2015. http://

The project aims at developing formal analysis and verification techniques and tools for scripts. These scripts are written in the POSIX or bash shell language. Our objective is to produce, by the end of the project, formal methods and tools for analyzing, testing, and validating scripts. To this end, the project develops techniques and tools based on deductive verification and on tree transducers stemming from the domain of XML documents.

Partners: Université Paris-Diderot, IRIF laboratory (formerly PPS & LIAFA), coordinator; Inria Lille, team LINKS

The Vocal research project is funded by the programme “Société de
l'information et de la communication” of the ANR, for a period of 60
months, starting on October 1st, 2015. See https://

The goal of the Vocal project is to develop the first formally verified library of efficient general-purpose data structures and algorithms. It targets the OCaml programming language, which allows for fairly efficient code and offers a simple programming model that eases reasoning about programs. The library will be readily available to implementers of safety-critical OCaml programs, such as Coq, Astrée, or Frama-C. It will provide the essential building blocks needed to significantly decrease the cost of developing safe software. The project intends to combine the strengths of three verification tools, namely Coq, Why3, and CFML. It will use Coq to obtain a common mathematical foundation for program specifications, as well as to verify purely functional components. It will use Why3 to verify a broad range of imperative programs with a high degree of proof automation. Finally, it will use CFML for formal reasoning about effectful higher-order functions and data structures making use of pointers and sharing.

Partners: team Gallium (Inria Paris-Rocquencourt), team DCS (Verimag), TrustInSoft, and OCamlPro.

LCHIP (Low Cost High Integrity Platform) is aimed at easing the
development of safety-critical applications (up to SIL4) by
providing: (i) a complete IDE able to automatically generate and
prove bounded-complexity software and (ii) a low-cost, safe execution
platform. The full support of DSLs and third-party code generators
will enable a seamless deployment into existing development cycles.
LCHIP gathers scientific results obtained during the last 20 years
in formal methods, proof, refinement, code generation, etc., as well
as unique experience feedback on safety-critical systems design.
http://

Partners: 2 technology providers (ClearSy, OcamlPro), in charge of building the architecture of the platform; 3 labs (IFSTTAR, LIP6, LRI), to improve the LCHIP IDE features; 2 large companies (SNCF, RATP), representing public ordering parties, to check compliance with standards and industrial railway use-cases.

The project, led by ClearSy, started in April 2016 and lasts 3 years. It is funded by Bpifrance as well as French regions.

Verification of PARameterized DIstributed systems. A parameterized
system specification is a specification for a whole class of
systems, parameterized by the number of entities and the properties
of the interaction, such as the communication model
(synchronous/asynchronous, order of message delivery, application
ordering) or the fault model (crash failures, message loss). To
assist and automate verification without parameter instantiation,
PARDI uses two complementary approaches. First, a fully automatic
model checker modulo theories is considered. Then, to go beyond the
intrinsic limits of parameterized model checking, the project
advocates a collaborative approach between a proof assistant and a
model checker. http://

The project, led by Toulouse INP/IRIT, started in 2016 and lasts for 4 years. Partners: Université Pierre et Marie Curie (LIP6), Université Paris-Sud (LRI), Inria Nancy (team VERIDIS)

A new ERC Synergy Grant 2018 project, called Extreme-scale
Mathematically-based Computational Chemistry (EMC2) has just been
accepted. The PIs are É. Cancès, L. Grigori, Y. Maday and
J.-P. Piquemal. S. Boldo is part of the work package 3: validation and
certification of molecular simulation results.
https://

Program: COST (European Cooperation in Science and Technology).

Project acronym: EUTypes https://

Project title: The European research network on types for programming and verification

Duration: 2015-2019

Coordinator: Herman Geuvers, Radboud University Nijmegen, The Netherlands

Other partners: 36 members countries, see http://

Abstract: Types are pervasive in programming and information technology. A type defines a formal interface between software components, allowing the automatic verification of their connections, and greatly enhancing the robustness and reliability of computations and communications. In rich dependent type theories, the full functional specification of a program can be expressed as a type. Type systems have rapidly evolved over the past years, becoming more sophisticated, capturing new aspects of the behaviour of programs and the dynamics of their execution.

This COST Action will give a strong impetus to research on type theory and its many applications in computer science, by promoting (1) the synergy between theoretical computer scientists, logicians and mathematicians to develop new foundations for type theory, for example as based on the recent development of “homotopy type theory”, (2) the joint development of type theoretic tools as proof assistants and integrated programming environments, (3) the study of dependent types for programming and its deployment in software development, (4) the study of dependent types for verification and its deployment in software analysis and verification. The action will also tie together these different areas and promote cross-fertilisation.

Jorge Sousa Pinto, professor from Universidade do Minho (Braga,
Portugal, https://

J.-C. Filliâtre, scientific chair and co-organizer of EJCP
(École Jeunes Chercheurs en Programmation du GDR GPL) at
Strasbourg on June 24–28, 2019. 5 days / 8 lectures / 25 participants.
http://

S. Boldo, program co-chair of the 26th IEEE Symposium on Computer Arithmetic (ARITH 2019), Kyoto, Japan.

S. Boldo, 11th NASA Formal Methods Symposium (NFM 2019)

J.-C. Filliâtre, 10th International Conference on Interactive Theorem Proving (ITP 2019)

J.-C. Filliâtre, 9th ACM SIGPLAN International Conference on Certified Programs and Proofs (CPP 2020)

J.-C. Filliâtre, European Symposium on Programming (ESOP 2020)

G. Melquiond, 26th IEEE Symposium on Computer Arithmetic (ARITH 2019)

G. Melquiond, 10th International Conference on Interactive Theorem Proving (ITP 2019)

The members of the Toccata team have reviewed numerous papers for numerous international conferences.

G. Melquiond, member of the editorial board of *Reliable
Computing*.

J.-C. Filliâtre, member of the editorial board of *Journal
of Functional Programming*.

The members of the Toccata team have reviewed numerous papers for numerous international journals.

G. Melquiond, “Computer Arithmetic and Formal Proofs”, at the 30th Journées Francophones des Langages Applicatifs (JFLA 2019).

J.-C. Filliâtre, “Deductive Verification of OCaml Libraries”, at the 15th International Conference on integrated Formal Methods (iFM), December 2019, Bergen, Norway.

J.-C. Filliâtre, “Retour sur 25 ans de programmation avec OCaml” (“Looking back at 25 years of programming with OCaml”), at Journées Francophones des Langages Applicatifs (JFLA), January 2019, Les Rousses, France.

J.-C. Filliâtre, “The Why3 tool for deductive verification and verified OCaml libraries”, at Frama-C/Spark day 2019, Paris, France.

S. Boldo, elected chair of the ARITH working group of the GDR-IM (a CNRS research group in computer science), with J. Detrey (Inria Nancy) and now L.-S. Didier (Univ. Toulon).

J.-C. Filliâtre, chair of IFIP WG 1.9/2.15 Verified Software.

G. Melquiond, member of the scientific commission of Inria-Saclay, in charge of selecting candidates for PhD grants, Post-doc grants, temporary leaves from universities (“délégations”).

S. Boldo, member of the program committee for selecting postdocs of the maths/computer science program of the Labex mathématique Hadamard.

S. Boldo has mentored for one year a female PhD student of Université Paris-Saclay (in epidemiology).

J.-C. Filliâtre, grading the entrance examination at X/ENS
(*“option informatique”*).

C. Marché, member of DigiCosme committee for research and innovation (selection of projects for working groups, post-doc grants, doctoral missions, invited professors)

G. Melquiond, member of the committee for the monitoring of PhD
students (*“commission de suivi doctoral”*).

S. Boldo, member of the CLFP (*“commission locale de
formation permanente”*).

S. Boldo, member of the (national) IES commission.

S. Boldo, member of the CDT commission of Saclay (*“commission de développement technologique”*).

S. Boldo, member of the STIC department commission of Univ. Paris-Sud.

S. Boldo, member of the executive commission for the Digicosme Labex.

S. Boldo, deputy scientific director (DSA) of the Inria Saclay research center since January 1st, 2019.

Master Parisien de Recherche en Informatique (MPRI)
https://

A. Lanco, *Unix et programmation Web*, 24h, L2,
Université Paris-Saclay, France.

G. Melquiond, *Programmation C++ avancée*, 12h, M2,
Université Paris-Saclay, France.

J.-C. Filliâtre, *Langages de programmation et
compilation*, 25h, L3, École Normale Supérieure, France.

J.-C. Filliâtre, *Les bases de l'algorithmique et de la
programmation*, 15h, L3, École Polytechnique, France.

J.-C. Filliâtre, *Compilation*, 18h, M1, École
Polytechnique, France.

S. Boldo was an invited speaker in Xavier Leroy's course at the Collège de France on Dec 19th.

HDR: G. Melquiond, “Formal Verification for Numerical Computations, and the Other Way Around”, Université Paris-Sud, Apr. 1st, 2019.

PhD: F. Faissole, “Formalisations d'analyses d'erreurs en analyse numérique et en arithmétique à virgule flottante”, Université Paris-Saclay & Université Paris-Sud, Dec 13th 2019, supervised by S. Boldo and A. Chapoutot. [Not yet on HAL]

PhD: A. Coquereau, “Amélioration de performances du solveur SMT Alt-Ergo grâce à l’intégration d’un solveur SAT efficace”, Université Paris-Saclay & Université Paris-Sud, Dec 16th 2019, supervised by S. Conchon, F. Le Fessant and M. Mauny. [Not yet on HAL]

PhD: M. Roux, “Extensions de l’algorithme d’atteignabilité arrière dans le cadre de la vérification de modèles modulo théories”, Université Paris-Saclay & Université Paris-Sud, Dec 19th 2019, supervised by Sylvain Conchon. [Not yet on HAL]

PhD in progress: R. Rieu-Helft, “Développement et vérification de bibliothèques d'arithmétique entière en précision arbitraire”, since Oct. 2017, supervised by G. Melquiond and P. Cuoq (TrustInSoft).

PhD in progress: D. Gallois-Wong, “Vérification formelle et filtres numériques”, since Oct. 2017, supervised by S. Boldo and T. Hilaire.

PhD in progress: Q. Garchery, “Certification de la génération et de la transformation d’obligations de preuve”, since Oct. 2018, supervised by C. Keller, C. Marché and A. Paskevich.

PhD in progress: A. Lanco, “Stratégies pour la réduction forte”, since Oct. 2019, supervised by T. Balabonski and G. Melquiond.

G. Turbiau has been an M1 trainee for 2 months, supervised by S. Boldo.

S. Boldo, member of the Inria CRCN recruiting juries, both the national one and the one at Rennes.

S. Boldo, president of the PhD defense of Clothilde Jeangoudoux, Sorbonne University, May 21st

S. Boldo, reviewer of the habilitation of Christoph Lauter, Sorbonne University, May 22nd

S. Boldo, reviewer of the PhD defense of Florent Bréhard, ENS Lyon, July 12th

S. Boldo, reviewer of the PhD defense of Damien Rouhling, Université Côte d'Azur, Sept 30th

S. Boldo, president of the PhD defense of Yohan Chatelain, Université Paris-Saclay, Dec 12th

S. Boldo, president of the PhD defense of Armaël Guéneau, Université de Paris, Dec 16th

S. Boldo, member of the PhD defense of Antoine Kaszczyc, Université Paris-Nord, Dec 18th

J.-C. Filliâtre, reviewer of the PhD defense of Y. El Bakouny, “Scallina: On the Intersection of Scala and Gallina”, Université Saint-Joseph, Beirut, Lebanon, December 19, 2019.

J.-C. Filliâtre, president of the PhD defense of L. Blatter, “Relational properties for specification and verification of C programs in Frama-C”, Université Paris-Saclay, September 26, 2019.

Until October 2019, S. Boldo was the scientific head for Saclay of the MECSI group, an Inria-wide network for computer science popularization.

She was also responsible (with A. Couvreur of the Grace team and M. Quet of the SCM) for the 2019 “Fête de la science” on October 10th and 11th, 2019. Teenagers were welcomed to 8 activities ranging from unplugged activities with Duplo construction toys to programming, and from applied mathematics to theoretical computer science.

S. Conchon and J.-C. Filliâtre, together with K. Nguyen and T. Balabonski (members of the LRI team but not members of Toccata), wrote a book “Numérique et Sciences Informatiques, 30 leçons avec exercices corrigés” (Ellipses, August 2019) targeting the new Computer Science programme in the French high school system, which started in September 2019.

S. Boldo gave a talk and was involved in the organization of the “Rencontres des Jeunes mathématiciennes et Informaticiennes” organized in Saclay on Oct 21st and 22nd 2019. About 20 female teenagers were welcomed for two days with talks and exercises to discover research.

C. Marché presented an overview of the Why3 tool and its
ecosystem at the Paris Open Source Summit in Saint-Denis, Dec. 11,
2019, as part of a workshop “ATELIER Inria : OCaml, Coq, Why 3:
pour concevoir codes et infrastructures plus sûrs en C, Java,
Javascript, Ada”
https://

S. Boldo gave a talk at a high school in Sceaux on Feb 8th.

S. Boldo gave a presentation on floating-point arithmetic at IRIF to the members of the CODYS ANR project on April 1st.