Abstract. Formal verification of numerical programs is notoriously difficult. On the one hand, there exist automatic tools specialized in floatingpoint arithmetic, such as Gappa, but they target very restrictive logics. On the other hand, there are interactive theorem provers based on the LCF approach, such as Coq, that handle a general-purpose logic but that lack proof automation for floating-point properties. To alleviate these issues, we have implemented a mechanism for calling Gappa from a Coq interactive proof. This paper presents this combination and shows on several examples how this approach offers a significant speedup in the process of verifying floating-point programs. 1

c t i v it y e p o r t 2009 Table of contents

Abstract. Numerical programs may require a high level of guarantee. This can be achieved by applying formal methods, such as machinechecked proofs. But these tools handle mathematical theorems while we are interested in C code. To achieve this high level of con dence on C programs, we use a chain of tools: Frama-C, its Jessie plugin, Why and Coq. This requires the C program to be annotated: this means that each function must be precisely speci ed, and we will prove the correctness of the program by proving both that it meets its speci cations and that it does not fail. Examples will be given to illustrate the features of this approach. 1