## Project-Team Proval Proof of programs

### BibTeX

```bibtex
@MISC{Île-de-france_project-teamproval,
  author = {Saclay Île-de-france},
  title = {Project-Team Proval Proof of programs},
  year = {}
}
```

### Abstract

Activity Report 2009. Table of contents

### Citations

762 | Major publications by the team in recent years

713 | The Esterel synchronous programming language: Design, semantics, implementation
- Berry, Gonthier
- 1992
Citation Context ..., Louis Mandel, Florence Plateau, Marc Pouzet. The goal is to propose high-level languages for the development of critical embedded systems with both high temporal requirements and safety [59], [84], **[60]**, [64]. Our research activities concern the extension of synchronous languages with richer abstraction mechanisms (e.g., higher-order, functionality, dedicated type systems such as the clock calculus)...

346 | Ownership types for flexible alias protection
- Clarke, Potter, et al.
- 1998
Citation Context ...se, inspired on one hand by memory-management techniques based on regions [107], [109] and on permissions [83], and on the other hand techniques to guarantee invariant preservation based on ownership **[64]**, [49]. The resulting language and type system allows to guarantee invariant preservation by static typing, whereas former approaches required theorem proving [49] or dynamic checking [48]. This is re...

225 | Termination of term rewriting using dependency pairs
- Arts, Giesl
Citation Context ... is well-founded. Such a proof (for RPO for instance) is part of Coccinelle as a generic property. Coccinelle also contains as generic theorems some powerful criteria of termination: dependency pairs **[56]**, the main modularity theorem for termination presented in the thesis of Urbain [101] as well as innermost termination, dependency pairs for it and its equivalence with standard termination in some sp...

200 | Verification of object-oriented programs with invariants
- Barnett, DeLine, et al.
Citation Context ...e new ARC CeProMi is the support of structure invariants in reasoning on pointer programs. It is one direction of research of R. Bardou's PhD thesis. A first proposal is to reuse the Boogie methodology **[58]** for class invariants in object-oriented programs, based on an ownership relation between objects. One challenge was to combine this approach with the component-as-array memory modeling of Jessie, and...

133 | The synchronous languages 12 years later
- Benveniste, Caspi, et al.
- 2003
Citation Context ...onard Gérard, Louis Mandel, Florence Plateau, Marc Pouzet. The goal is to propose high-level languages for the development of critical embedded systems with both high temporal requirements and safety **[59]**, [84], [60], [64]. Our research activities concern the extension of synchronous languages with richer abstraction mechanisms (e.g., higher-order, functionality, dedicated type systems such as the clo...

69 | The Krakatoa tool for certification of Java/JavaCard programs annotated with JML annotations
- Marché, Paulin-Mohring, et al.
Citation Context ...we tackle programs written in “real” programming languages. We first considered Java source code annotated with JML (Java Modeling Language). This method was implemented in a new tool called Krakatoa **[10]**. The approach is based on a translation from annotated Java programs into the specific language of Why, we then can reuse Why’s VCG mechanism and choose between different provers for establishing the...

65 | Multi-prover verification of C programs
- Filliâtre, Marché
- 2004
Citation Context ...Cs. From 2003, we followed the same approach for programs written in ANSI C, in collaboration with Gemalto company and Dassault Aviation company, and started the development of a tool called Caduceus **[7]**. 3.2.1. The Why platform Figure 1. Overview of the platform architecture We develop a platform combining several of our own tools and other ones. The tool playing the central role in our platform is ...

61 | Synchronous Kahn Networks
- Caspi, Pouzet
- 1996
Citation Context ...s Mandel, Florence Plateau, Marc Pouzet. The goal is to propose high-level languages for the development of critical embedded systems with both high temporal requirements and safety [59], [84], [60], **[64]**. Our research activities concern the extension of synchronous languages with richer abstraction mechanisms (e.g., higher-order, functionality, dedicated type systems such as the clock calculus), the ...

58 | Verification of Non-Functional Programs using Interpretations in Type Theory
- Filliâtre
- 2003
Citation Context ...Claude Marché, Yannick Moy, Aurélien Oudot, Christine Paulin-Mohring, Nicolas Rousset, Nicolas Stouls, Wendi Urribarrí. A foundation step of the project is the PhD thesis of Jean-Christophe Filliâtre **[5]** that proposes to establish soundness of a program with imperative features (assignments, while loops, but also exceptions and exception handlers) by means of a translation into an equivalent purely f...

57 | Regional logic for local reasoning about global invariants
- Banerjee, Naumann, et al.
- 2008
Citation Context ...n ownership [64], [49]. The resulting language and type system allows to guarantee invariant preservation by static typing, whereas former approaches required theorem proving [49] or dynamic checking **[48]**. This is reported in an article under submission [38]. F. Bobot started a PhD thesis in September 2008 on the combination of traditional separation logic and Burstall-Bornat memory models such as the...

40 | Mechanically proving termination using polynomial interpretations
- Contejean, Marché, et al.
- 2005
Citation Context ...lt of ours is a criterion for checking termination modularly and incrementally [101], and further generalizations [94]. These criteria and methods have been implemented into the CiME2 rewrite toolbox **[4]**. Around 2002, several projects of development of termination tools arose in the world. We believe we have been pioneer in this growth, and indeed we organized in 2004 the first competition of such to...

38 | First-class type classes
- Sozeau, Oury
- 2008
Citation Context ...ls and applications is an important transversal activity for these four themes. 2.2. Highlights of the year In his thesis [13], Matthieu Sozeau developed two important tools (Program and type classes **[38]**) corresponding to a major improvement in using the Coq proof assistant as an environment for correct program construction. They are integrated in the new version of Coq V8.2 [46], [47]. These tools a...

37 | A conservative extension of synchronous data-flow with state machines
- Colaço, Pagano, et al.
- 2005
Citation Context ...It extends Lustre with features usually found in ML-languages such as typing and higher-order functions. It provides original features such as the arbitrary mix of data-flow and hierarchical automata **[2]** [69], various type-based static analysis [70], [71] and modular compilation into sequential code [65], [61][22]. ReactiveML is an extension of Objective Caml with synchronous concurrency (based on sy...

30 | N-synchronous Kahn networks: a relaxed model of synchrony for real-time systems
- Cohen, Duranton, et al.
Citation Context ... absence of buffer overflows and deadlocks during the execution. Clock verification is expressed as a type-inference problem with a sub-typing rule. The core of the model has been settled in [67] and **[68]**. Florence Plateau works since that time on this subject. We introduced a notion of abstractions for these clocks in 2008 as a means to reason about sets of (non necessarily periodic) clocks [25]. 4. A...

22 | Operational termination of membership equational programs: the order-sorted way
- Lucas, Meseguer

19 | Certification of automated termination proofs
- Contejean, Courtieu, et al.
- 2007
Citation Context ...n of the CiME tool associated with a Coq library called Coccinelle developed by É. Contejean. A trace generator outputs a trace for Coq in the unified framework provided by the Coccinelle library [77] **[3]**. Coccinelle contains the corresponding modelling of terms algebras and rewriting statements, and also some generic theorems which are needed for establishing a rewriting property from a trace. For ex...

19 | A Co-iterative Characterization of Synchronous Stream Functions
- Caspi, Pouzet
- 1998
Citation Context ...ns. It provides original features such as the arbitrary mix of data-flow and hierarchical automata [2] [69], various type-based static analysis [70], [71] and modular compilation into sequential code **[65]**, [61][22]. ReactiveML is an extension of Objective Caml with synchronous concurrency (based on synchronous parallel composition and broadcast of signals). The goal is to provide a general model of de...

18 | Functors for Proofs and Programs
- Filliâtre, Letouzey
- 2004
Citation Context ...new extraction mechanism for the Coq system [89], [90], much more powerful than the old version and together with J.-C. Filliâtre used it to verify Ocaml finite sets libraries based on balanced trees **[6]**. This extraction mechanism is an original feature for the Coq system, and has been used by several teams around the world in order to get efficient certified code [87]. 4 Activity Report INRIA 2008 3...

17 | Clocks as first class abstract types
- Colaço, Pouzet
- 2003
Citation Context ... in ML-languages such as typing and higher-order functions. It provides original features such as the arbitrary mix of data-flow and hierarchical automata [2] [69], various type-based static analysis **[70]**, [71] and modular compilation into sequential code [65], [61][22]. ReactiveML is an extension of Objective Caml with synchronous concurrency (based on synchronous parallel composition and broadcast o...

16 | Formal verification of floating-point programs
- Boldo, Filliâtre
- 2007
Citation Context ...d on a monadic interpretation of probabilistic programs as probability measures. A large Coq library has been developed and made publicly available. It contains an axiomatisation of the real interval [0, 1], a definition of distributions and general rules for approximating the probability that a program satisfies a given property. 3.1.2.2. Floating-point programs Many industrial programs (weather foreca...

15 | A Hoare logic for call-by-value functional programs
- Régis-Gianas, Pottier
- 2008
Citation Context ...ional programs which is implemented in the Pangolin system which generates proof obligations from pure functional programs annotated with specification. He presented his work at the MPC’08 conference **[37]**. 6.1.2. Randomized programs The work of C. Paulin and Ph. Audebaud from ÉNS Lyon for modeling probabilistic programs in Coq as probability measures will be published in a special issue of the journal...

14 | A case study of C source code verification: the Schorr-Waite algorithm
- Hubert, Marché
- 2005
Citation Context ... and Java Card transactions [55], [93]. To illustrate the effectiveness of the Caduceus tool, T. Hubert and C. Marché performed a full verification of a C implementation of the Schorr-Waite algorithm **[8]**, using Caduceus and Coq. This is an allocation-free graph-marking algorithm used in garbage collectors, which is considered as a benchmark for verification tools. Other case studies have been investi...

13 | Pitfalls of a full floating-point proof: Example on the formal proof of the Veltkamp/Dekker algorithms
- Boldo
- 2006
Citation Context ...uld be provided to the user. We mean to guarantee for example that, for all or part of the possible inputs, the result obtained is correct (or near enough) and that no exceptional behavior will occur **[62]**. We now have a methodology to perform formal verification of floating-point C programs. It extends the Why platform with new annotations specific to floating-point arithmetic. This technique is very ...

13 | Some Functions Computable with a Fused-mac
- Boldo, Muller
- 2005
Citation Context ...arithmetic. The new 2008 standard has been approved in June and it is the official standard since August 2008. Both names appear in the author list; an article by S. Boldo appears in the bibliography **[63]**. G. Melquiond also participates in the meetings of the IEEE-1788 standardization committee on interval arithmetic. The “Technology Transfer and Innovation” INRIA department is funding his travel expe...

13 | Certification of bounds on expressions involving rounded operators
- Daumas, Melquiond
- 2009
Citation Context ...nd generates a formal proof of its validity. This formal proof can be machine-checked by an independent tool like the Coq proof-checker, so as to reach a high level of confidence in the certification **[15]**. Since these mathematical expressions can contain rounding operators in addition to usual arithmetic operators, Gappa is especially well suited to prove properties that arise when certifying a numeri...

12 | Proving bounds on real-valued functions with computations
- Melquiond
- 2008
Citation Context ... the category for certified termination proofs. 6.3.4.2. Proofs of bounds on real-valued expressions G. Melquiond has built a library for automatically proving bounds on expressions in the Coq system **[35]**. This library performs automatic differentiation and interval arithmetic (with floating-point bounds). Its purpose is to help the user with the mathematical part of the certification of numerical pro...

12 | Automatic Modular Static Safety Checking for C Programs
- Moy
- 2009
Citation Context ...program procedures independently, by a contextual analysis. Moy proposed to combine abstract interpretation, weakest precondition calculus and quantifier elimination. This is part of Moy’s PhD thesis **[11]**; submitted to a journal. Y. Moy worked on providing guarantees about the memory safety of real C programs used in embedded devices. This originated in a need expressed at France Télécom R&D that no a...

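The workflow that the Krakatoa and Caduceus entries above describe (source code carrying a contract, translated into Why, verification conditions handed to provers) and the memory-safety goal of this entry, shown on one small C routine. This is an added example and not code from the ProVal report: the contract is written in ACSL, the specification language read by the Jessie plug-in of Frama-C, and it assumes the `\valid_read` predicate is available (Caduceus had its own, older annotation syntax); the record format, the function and the sample buffers are constructed for the illustration.

```c
/* Added example, not code from the ProVal report. A length-prefixed record
 * parser of the kind found in embedded C, with an ACSL contract of the shape
 * the Jessie plug-in turns into verification conditions. Record layout
 * (an assumption of this example): one length byte n, then n payload bytes.
 * What the VC generator must prove: every buf[...] read and out[...] write
 * lies in the ranges the preconditions declare valid, for all inputs that
 * satisfy them, not just the sample buffers at the bottom. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*@ requires len > 0 ==> \valid_read(buf + (0 .. len - 1));
  @ requires out_cap > 0 ==> \valid(out + (0 .. out_cap - 1));
  @ requires \separated(buf + (0 .. len - 1), out + (0 .. out_cap - 1));
  @ assigns out[0 .. out_cap - 1];
  @ ensures \result == -1 ||
  @         (0 <= \result <= out_cap && \result < len && \result == buf[0]);
  @ ensures \result >= 0 ==>
  @         \forall integer k; 0 <= k < \result ==> out[k] == buf[1 + k];
  @*/
long read_record(const uint8_t *buf, size_t len, uint8_t *out, size_t out_cap)
{
    if (len < 1)
        return -1;                        /* no length byte to read */
    size_t n = buf[0];
    /* These two tests are exactly the facts the proof needs. Without
     * n <= len - 1 the read buf[1 + i] runs past a truncated record; without
     * n <= out_cap the write out[i] overruns the caller's buffer. Drop either
     * one and the corresponding bounds VC becomes unprovable, which is how
     * the tool reports a real out-of-bounds access. */
    if (n > len - 1 || n > out_cap)
        return -1;
    /*@ loop invariant 0 <= i <= n;
      @ loop invariant \forall integer k; 0 <= k < i ==> out[k] == buf[1 + k];
      @ loop assigns i, out[0 .. n - 1];
      @ loop variant n - i;
      @*/
    for (size_t i = 0; i < n; i++)
        out[i] = buf[1 + i];
    return (long)n;
}

/* Constructed sample inputs (not from the report). */
const uint8_t REC_OK[]        = { 3, 'a', 'b', 'c' };   /* well-formed */
const uint8_t REC_TRUNCATED[] = { 5, 'a', 'b' };        /* claims 5 bytes, carries 2 */
const uint8_t REC_EMPTY[]     = { 0 };                  /* zero-length payload */

int main(void)
{
    uint8_t out[8];
    long r;
    r = read_record(REC_OK, sizeof REC_OK, out, sizeof out);
    printf("well-formed record: %ld bytes (%.3s)\n", r, (const char *)out);
    r = read_record(REC_TRUNCATED, sizeof REC_TRUNCATED, out, sizeof out);
    printf("truncated record:   %ld (rejected)\n", r);
    r = read_record(REC_OK, sizeof REC_OK, out, 2);
    printf("output too small:   %ld (rejected)\n", r);
    r = read_record(REC_EMPTY, sizeof REC_EMPTY, out, sizeof out);
    printf("empty payload:      %ld bytes\n", r);
    return 0;
}
```

Compiled as ordinary C the annotations are comments and the program simply runs; fed to Frama-C with the Jessie plug-in (`frama-c -jessie file.c`) they become the verification conditions, and the two `if` tests are what makes the bounds obligations on `buf[1 + i]` and `out[i]` provable. The `ensures` clauses are the part a caller can rely on without reading the body: a non-negative result never exceeds either buffer.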
12 | Combining Coq and Gappa for Certifying Floating-Point Programs
- Boldo, Filliâtre, et al.
- 2009
Citation Context ...s done while in the Arénaire team (INRIA Rhône-Alpes). Gappa can also act as a backend for the Coq proof assistant in order to prove properties related to the certification of floating-point programs **[20]**. In 2009, the support of Gappa as an automated prover for the Why system has also been greatly improved. 5.10. The Interval package for Coq Participant: Guillaume Melquiond [contact]...

10 | Proofs of randomized algorithms
- Audebaud, Paulin-Mohring
- 2009
Citation Context ...work of C. Paulin and Ph. Audebaud from ÉNS Lyon for modeling probabilistic programs in Coq as probability measures will be published in a special issue of the journal Science of Computer Programming **[14]**. The corresponding Coq library [97] is based on a general theory of ordered sets and cpos. It contains high-level theorems for analysing recursive programs. It is currently used in Verimag (Grenoble) ...

10 | Reflecting proofs in first-order logic with equality
- Contejean, Corbineau
- 2005
Citation Context ... set of axioms, based on ordered completion. In 2005, the former human readable proof traces have been replaced by Coq certificates, based on reified proof objects for a FOL logic modelled inside Coq **[76]**. É. Contejean and the CNAM participants of the A3PAT project, Pierre Courtieu, Julien Forest, Olivier Pons and Xavier Urbain are currently developing a new version of the CiME tool associated with a ...

8 | Emulation of a FMA and correctly-rounded sums: proved algorithms using rounding to odd
- Boldo, Melquiond
- 2008
Citation Context ...oft Research, now INRIA researcher in our team) on the properties of odd rounding. This has led them to a very original method to compute with correct rounding a FMA (Fused Multiply and Add) or a sum **[17]**. An established collaboration with M. Daumas (Université of Perpignan Via Domitia) and R.-C. Li (University of Texas at Arlington, USA) has been carried on about argument reductions [16]. This is the...

8 | CC(X): Semantic combination of congruence closure with solvable theories
- Conchon, Contejean, et al.
Citation Context ...ariables. Concerning the prover itself, we fully formalized the core decision procedure CC(X) of Alt-Ergo in the Coq proof assistant. Moreover we provided a formal proof of soundness and completeness **[26]**. 6.3.3. Data structures S. Conchon and J.-C. Filliâtre generalized an idea present in the work described in [73], [72] and introduced the new notion of semi-persistence. A data structure is said to b...

8 | Sufficient preconditions for modular assertion checking
- Moy
Citation Context ...and post-conditions of sub-programs [12]. Moy proposed to combine abstract interpretation, weakest precondition calculus and quantifier elimination. This has been presented at the VMCAI’08 conference **[36]**. N. Rousset and Y. Moy implemented these new analyses in the Jessie tool. This implementation is roughly 3000 lines of Ocaml for the plugin part inside Jessie. It calls the external library APRON (htt...

8 | Floats & Ropes: a case study for formal numerical program verification
- Boldo
- 2009
Citation Context ...the program. An article describing this application and this technique has been published in the very selective conference ICALP (36th International Colloquium on Automata, Languages and Programming) **[19]**. 3. Scientific Foundations 3.1. Higher-Order Functional Languages Participants: Sylvie Boldo, Évelyne Contejean, Jean-Christophe Filliâtre, Guillaume Melquiond, Christine Paulin-...

7 | Formal Verification of Security Properties of Smart Card Embedded Source Code
- Andronick, Chetali, et al.
Citation Context ... for experimental purpose. Other Java Card case studies have been conducted in collaboration with Gemalto by J. Andronick and N. Rousset, in particular on global properties and Java Card transactions **[55]**, [93]. To illustrate the effectiveness of the Caduceus tool, T. Hubert and C. Marché performed a full verification of a C implementation of the Schorr-Waite algorithm [8], using Caduceus and Coq. Thi...

7 | A persistent union-find data structure
- Conchon, Filliâtre
- 2007
Citation Context ...oof assistant. Moreover we provided a formal proof of soundness and completeness [26]. 6.3.3. Data structures S. Conchon and J.-C. Filliâtre generalized an idea present in the work described in [73], **[72]** and introduced the new notion of semi-persistence. A data structure is said to be semi-persistent if only ancestors of the most recent version can be accessed or updated. Making a data structure s...

7 | Improving Coq Propositional Reasoning Using a Lazy CNF Conversion Scheme
- Lescuyer, Conchon
- 2009
Citation Context ...formulas naturally arising in interactive proofs do not require a state-of-the-art SAT solver, the conversion to clausal form required by DPLL can strongly damage the performance of the procedure. In **[26]**, we have presented a reflexive DPLL algorithm formalized in Coq which outperforms the existing tactics. It is tightly coupled with a lazy CNF conversion scheme which, unlike Tseitin-style approaches,...

6 | Kahan's algorithm for a correct discriminant computation at last formally proven
- Boldo
Citation Context ...rograms and the author deferred their publication. S. Boldo has done a full formal proof of the program, including the fact that the main test in the program can be wrong due to floating-point errors **[15]**. S. Boldo studied programs computing matrix transformations with M. Daumas (Université of Perpignan Via Domitia) and P. Giorgi (University of Montpellier 2). The annotations ar...

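Kahan's discriminant algorithm, the program whose proof this entry refers to, next to the naive `b*b - a*c` it repairs, so the failure mode (cancellation wipes out the true value) and the repair (adding back the exact rounding errors of the two products) can be run. This is an added example, not the report's or the paper's code, and it makes two choices of its own: the product errors are recovered with Veltkamp's splitting and Dekker's product (the algorithms named in the "Pitfalls of a full floating-point proof" entry above) instead of the FMA the proven program uses, which avoids any libm dependency, and it assumes IEEE-754 binary64 with round-to-nearest, no extended precision, no compiler-contracted multiply-adds and no overflow or underflow. The input values are constructed for the illustration.

```c
/* Added example, not code from the report: Kahan's discriminant next to the
 * naive b*b - a*c it repairs. Assumptions: IEEE-754 binary64, round to
 * nearest, no extended precision, no overflow or underflow. The exact error
 * of each product is recovered with Veltkamp's splitting and Dekker's
 * product in place of the FMA of the proven program, so no libm is needed;
 * that substitution is this example's choice, and it also assumes the
 * compiler does not contract a*b - c into a fused multiply-add. */
#include <stdio.h>
#pragma STDC FP_CONTRACT OFF

/* Veltkamp splitting: x == hi + lo exactly, hi holding at most 26 bits. */
static void split(double x, double *hi, double *lo)
{
    double c = 134217729.0 * x;           /* (2^27 + 1) * x */
    *hi = c - (c - x);
    *lo = x - *hi;
}

/* Dekker's product: returns p = fl(a*b) and stores err such that
 * a*b == p + err exactly (each half-product fits without rounding). */
static double two_prod(double a, double b, double *err)
{
    double p = a * b, ah, al, bh, bl;
    split(a, &ah, &al);
    split(b, &bh, &bl);
    *err = ((ah * bh - p) + ah * bl + al * bh) + al * bl;
    return p;
}

/* Naive discriminant: loses everything to cancellation when b*b ~ a*c.
 * volatile keeps the compiler from fusing the products into the subtraction,
 * which would silently turn this into a more accurate formula. */
double naive_discriminant(double a, double b, double c)
{
    volatile double p = b * b, q = a * c;
    return p - q;
}

/* Kahan's discriminant b^2 - a*c. The "main test" 3|p - q| >= p + q decides
 * whether the naive value is already accurate; otherwise the exact errors
 * dp, dq of the two products are added back. The entry above refers to the
 * proof that this test may itself be misjudged by rounding while the final
 * result still meets the paper's error bound. */
double kahan_discriminant(double a, double b, double c)
{
    double dp, dq;
    double p = two_prod(b, b, &dp);
    double q = two_prod(a, c, &dq);
    double d = p - q;
    double ad = d < 0 ? -d : d;
    if (3.0 * ad >= p + q)
        return d;
    return (p - q) + (dp - dq);
}

/* Constructed input: a = 1, b = 1 + 2^-30, c = 1 + 2^-29. Then
 * b*b = 1 + 2^-29 + 2^-60 and the 2^-60 is rounded away, so the naive
 * formula returns 0 while the true discriminant is exactly 2^-60. */
const double EX_A = 1.0;
const double EX_B = 1.0 + 1.0 / 1073741824.0;                        /* 1 + 2^-30 */
const double EX_C = 1.0 + 1.0 / 536870912.0;                         /* 1 + 2^-29 */
const double EX_EXACT = (1.0 / 1073741824.0) * (1.0 / 1073741824.0); /* 2^-60 */

int main(void)
{
    printf("naive: %.17g\nkahan: %.17g\nexact: %.17g\n",
           naive_discriminant(EX_A, EX_B, EX_C),
           kahan_discriminant(EX_A, EX_B, EX_C), EX_EXACT);
    return 0;
}
```

On the constructed input the naive formula returns 0 and Kahan's returns 2^-60, the exact discriminant. Dekker's product is exact only under the stated assumptions (no overflow in the 2^27+1 scaling, no underflow in the error term, no double rounding from extended precision), which is precisely the kind of side condition the floating-point proofs cited above have to carry explicitly.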
6 | Clock-directed modular code generation for synchronous data-flow languages
- Biernacki, Colaço, et al.
- 2008
Citation Context ...vides original features such as the arbitrary mix of data-flow and hierarchical automata [2] [69], various type-based static analysis [70], [71] and modular compilation into sequential code [65], [61]**[22]**. ReactiveML is an extension of Objective Caml with synchronous concurrency (based on synchronous parallel composition and broadcast of signals). The goal is to provide a general model of deterministi...

6 | Floating-point arithmetic in the Coq system
- Melquiond
Citation Context ...ti-radix floating-point arithmetic in the Coq proof assistant. The novelty of this approach with respect to existing formalizations is that all the functions are computable by reduction in the system **[34]**. This opens the possibility to rely on numerical computations inside a formal proof. 6.1.4. A Generic Graph Library for Objective Caml S. Conchon, J.-C. Filliâtre and J....

6 | Type-based Initialization Analysis of a Synchronous Data-flow Language
- Colaço, Pouzet
- 2004
Citation Context ...-languages such as typing and higher-order functions. It provides original features such as the arbitrary mix of data-flow and hierarchical automata [2] [69], various type-based static analysis [70], **[71]** and modular compilation into sequential code [65], [61][22]. ReactiveML is an extension of Objective Caml with synchronous concurrency (based on synchronous parallel composition and broadcast of sign...

5 | A type system for the automatic distribution of higher-order synchronous dataflow programs
- Delaval, Girault, et al.
- 2008
Citation Context ...duction of special annotations (or locations). Then, a dedicated type-system is used to check the coherence of annotations with respect to a description of the architecture. This work is published in **[29]**. 6.4.3. Alternative synchronous models The N-synchronous model introduced a way to compose streams which have almost the same clock and can be synchronized through the use of a finite buffer. This re...

5 | Modular static scheduling of synchronous data-flow networks: an efficient symbolic representation
- Pouzet, Raymond
- 2009
Citation Context ... search. In all the examples we have considered (the whole SCADE library and two industrial examples), the polynomial algorithm finds an optimal scheduling. This work has been presented at EMSOFT’09 **[28]** and was nominated among the three best papers. 6.6.2. Objects in Synchronous Block-diagrams In collaboration with Paul Caspi, Pascal Raymond (VERIMAG, Grenoble), Jean-Louis Colaço (Prover Technologie...

5 | A constructive denotational semantics for Kahn networks in Coq
- Paulin-Mohring
- 2009
Citation Context ...] has been written which uses the new mechanism of type classes in Coq designed by M. Sozeau and N. Oury and includes a few automated tactics. It is based on a general theory of ordered sets and cpos **[30]** and contains high-level theorems for analysing recursive programs. It is currently used in Verimag (Grenoble) and in the Marelle INRIA team (Sophia-Antipolis) as the basis for the CertiCrypt environm...

5 | Interpreting invariant composition in the B method using the Spec# ownership relation: A way to explain and relax B restrictions
- Boulmé, Potet
- 2007
Citation Context ...r’s internship [43], A. Tafat proposed a new refinement technique for object-oriented programs. The main idea was to combine the Spec# ownership system [49] with refinement techniques of the B method **[58]**. Furthermore, the approach allows to hide side-effects on private data of classes. An article currently submitted [42] has been written with C. Marché and S. Boulmé (VERIMAG, Grenoble). 6.4.5. Higher...

4 | Who: a verifier for effectful higher-order programs
- Kanig, Filliâtre
- 2009
Citation Context ...an extension of the Why system in which one can specify higher order programs and obtain proof obligations, expressed in Higher-Order Logics. They also presented an implementation of this development **[25]**. A number of case studies have been realized using this tool, in particular a proof of an implementation of the Koda-Ruskey algorithm [90], a program which heavily relies on both side effects and hig...

4 | Synchronization of periodic clocks
- Cohen, Duranton, et al.
- 2005
Citation Context ... like the absence of buffer overflows and deadlocks during the execution. Clock verification is expressed as a type-inference problem with a sub-typing rule. The core of the model has been settled in **[65]** and [66]. Florence Plateau works since that time on this subject. We introduced a notion of abstractions for these clocks in 2008 as a means to reason about sets of (non necessarily periodic) clocks [...

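The check behind the clock typing mentioned in this entry and in the "N-synchronous Kahn networks" entry above, made concrete: a producer on clock w1 may be connected to a consumer on clock w2 through a bounded buffer only if the two clocks have the same rate and w1 never falls behind w2, and the buffer size is the largest lead of w1 over w2. This is an added example and the example's own reconstruction of that check from the cited model, not code from the report or the papers; the prefix-plus-period string representation of ultimately periodic clocks, the function names and the sample clocks are assumptions made for the illustration.

```c
/* Added example, not code from the report: the bounded-buffer check behind
 * the N-synchronous clock typing. A clock is an infinite binary word; letter
 * i is 1 when a value is produced (or consumed) at instant i. With O_w(i)
 * the number of 1s among the first i letters of w, a producer on clock w1
 * can feed a consumer on clock w2 through a bounded buffer when
 *   rate:       w1 and w2 carry the same number of 1s per period, and
 *   precedence: O_w1(i) >= O_w2(i) for every i (no read before its write),
 * and the buffer then needs max_i (O_w1(i) - O_w2(i)) slots. Both words are
 * ultimately periodic, so the longer prefix plus one common period (the lcm
 * of the period lengths) already exhibits every value of the difference.
 * Representation (an assumption of this example): prefix and period as
 * strings of '0'/'1', denoting prefix(period)^omega. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct { const char *prefix; const char *period; } clock_word;

static size_t gcd(size_t a, size_t b)
{
    while (b) { size_t t = a % b; a = b; b = t; }
    return a;
}

static size_t ones(const char *s)
{
    size_t n = 0;
    for (; *s; s++) n += (*s == '1');
    return n;
}

/* Letter i (0-based) of the ultimately periodic word prefix(period)^omega. */
static int letter(const clock_word *w, size_t i)
{
    size_t lu = strlen(w->prefix), lv = strlen(w->period);
    char c = i < lu ? w->prefix[i] : w->period[(i - lu) % lv];
    return c == '1';
}

/* Size of the buffer needed from producer w1 to consumer w2, or -1 when the
 * connection must be rejected: either the rates differ (the buffer would
 * grow without bound, the "buffer overflow" of the entry above) or the
 * consumer would read a value not yet produced (the "deadlock"). */
long buffer_size(const clock_word *w1, const clock_word *w2)
{
    size_t lu1 = strlen(w1->prefix), lv1 = strlen(w1->period);
    size_t lu2 = strlen(w2->prefix), lv2 = strlen(w2->period);
    if (lv1 == 0 || lv2 == 0)
        return -1;
    size_t lcm = lv1 / gcd(lv1, lv2) * lv2;
    if (ones(w1->period) * (lcm / lv1) != ones(w2->period) * (lcm / lv2))
        return -1;                                  /* rate mismatch */
    size_t horizon = (lu1 > lu2 ? lu1 : lu2) + lcm;
    long o1 = 0, o2 = 0, worst = 0;
    for (size_t i = 0; i < horizon; i++) {
        o1 += letter(w1, i);
        o2 += letter(w2, i);
        if (o1 < o2)
            return -1;                              /* read before write */
        if (o1 - o2 > worst)
            worst = o1 - o2;
    }
    return worst;
}

int main(void)
{
    /* Constructed clocks: (110) drives (101) through a one-place buffer;
     * the reverse direction reads too early; (1) against (10) never balances. */
    clock_word a = { "", "110" }, b = { "", "101" }, c = { "", "1" }, d = { "", "10" };
    printf("(110) -> (101): %ld\n", buffer_size(&a, &b));
    printf("(101) -> (110): %ld\n", buffer_size(&b, &a));
    printf("(1)   -> (10):  %ld\n", buffer_size(&c, &d));
    return 0;
}
```

The two rejection cases are the two properties the entry says the type system rules out: a rate mismatch is a buffer that overflows no matter how large it is made, and a precedence violation is a consumer blocked forever on a value that has not been produced. In the typed setting the same computation is what the sub-typing rule decides, with the returned size attached to the inserted buffer.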
3 | ReactiveML : un langage fonctionnel pour la programmation réactive (ReactiveML: a functional language for reactive programming), in "Technique et
- Mandel, Pouzet
Citation Context ...an extension of Objective Caml with reactive constructs [91]. During the period, an interactive toplevel has been proposed for the language [33] (with F. Plateau). A reference article is published in **[19]**. L. Mandel also continued a collaboration with L. Maranget (Moscova Team, INRIA Rocquencourt) with the development of the JoCaml language, which is an extension of OCaml with concurrency, based on th...

3 | Using SMT solvers for deductive verification of C and Java programs
- Filliâtre
Citation Context ...008. He is member of the steering committee of the workshop on synchronous programming (SLAP) since 2006. 9.1.8. Invited Presentations J.-C. Filliâtre was invited speaker at SMT 2008 (Princeton, USA) **[20]**: Using SMT solvers for deductive verification of C and Java programs. M. Pouzet was invited speaker at ISOR 2008 (Alger, Algeria, 2-6/2008): Synchrony and Clocks in Kahn Proces...