2025Activity report​​​‌Project-TeamTOCCATA

7.1.1 Alt-Ergo

• Name:
  Automated​​ theorem prover for software​​​‌ verification
• Keywords:
  Software Verification,‌ Automated theorem proving
• Functional‌​‌ Description:
  Alt-Ergo is an​​ automatic solver of formulas​​​‌ based on SMT technology.‌ It is especially designed‌​‌ to prove mathematical formulas​​ generated by program verification​​​‌ tools, such as Frama-C‌ for C programs, or‌​‌ SPARK for Ada code.​​​‌ Initially developed in Toccata​ research team, Alt-Ergo's distribution​‌ and support are provided​​ by OCamlPro since September​​​‌ 2013.
• URL:
  https://­alt-ergo.­ocamlpro.­com/
• Contact:​
  Claude Marche
• Participant:
  5​‌ anonymous participants
• Partner:
  OCamlPro​​

7.1.2 CoqInterval

• Name:
  Interval​​​‌ package for Coq
• Keywords:​
  Interval arithmetic, Coq
• Functional​‌ Description:

  CoqInterval is a​​ library for the proof​​​‌ assistant Coq.

  It provides​ several tactics for proving​‌ theorems on enclosures of​​ real-valued expressions. The proofs​​​‌ are performed by an​ interval kernel which relies​‌ on a computable formalization​​ of floating-point arithmetic in​​​‌ Coq.

  The Marelle team​ developed a formalization of​‌ rigorous polynomial approximation using​​ Taylor models in Coq.​​​‌ In 2014, this library​ has been included in​‌ CoqInterval.

• URL:
  https://­coqinterval.­gitlabpages.­inria.­fr/
• Publications:​​
  hal-04859533, hal-04702129,​​​‌ hal-04515714, hal-04114233,​ hal-03168208, tel-02194683,​‌ hal-01630143, hal-01289616,​​ hal-00180138, hal-01086460,​​​‌ hal-00797913
• Contact:
  Guillaume Melquiond​
• Participant:
  12 anonymous participants​‌

7.1.3 Coquelicot

• Name:
  The​​ Coquelicot library for real​​​‌ analysis in Coq
• Keywords:​
  Coq, Real analysis
• Functional​‌ Description:
  Coquelicot is library​​ aimed for supporting real​​​‌ analysis in the Coq​ proof assistant. It is​‌ designed with three principles​​ in mind. The first​​​‌ is the user-friendliness, achieved​ by implementing methods of​‌ automation, but also by​​ avoiding dependent types in​​​‌ order to ease the​ stating and readability of​‌ theorems. This latter part​​ was achieved by defining​​​‌ total function for basic​ operators, such as limits​‌ or integrals. The second​​ principle is the comprehensiveness​​​‌ of the library. By​ experimenting on several applications,​‌ we ensured that the​​ available theorems are enough​​​‌ to cover most cases.​ We also wanted to​‌ be able to extend​​ our library towards more​​​‌ generic settings, such as​ complex analysis or Euclidean​‌ spaces. The third principle​​ is for the Coquelicot​​​‌ library to be a​ conservative extension of the​‌ Coq standard library, so​​ that it can be​​​‌ easily combined with existing​ developments based on the​‌ standard library.
• URL:
  http://­coquelicot.­saclay.­inria.­fr/​​
• Publications:
  tel-01228517, hal-00860648​​​‌, hal-00712938, hal-00880212​, hal-01169321, hal-00642206​‌
• Contact:
  Guillaume Melquiond
• Participant:​​
  3 anonymous participants

7.1.4​​​‌ Cubicle

• Name:
  The Cubicle​ model checker modulo theories​‌
• Keywords:
  Model Checking, Software​​ Verification
• Functional Description:
  Cubicle​​​‌ is an open source​ model checker for verifying​‌ safety properties of array-based​​ systems, which corresponds to​​​‌ a syntactically restricted class​ of parametrized transition systems​‌ with states represented as​​ arrays indexed by an​​​‌ arbitrary number of processes.​ Cache coherence protocols and​‌ mutual exclusion algorithms are​​ typical examples of such​​​‌ systems.
• URL:
  https://­github.­com/­cubicle-model-checker/­cubicle
• Contact:​
  Sylvain Conchon
• Participant:
  2​‌ anonymous participants

7.1.5 Flocq​​

• Name:
  The Flocq formalization​​​‌ of floating-point arithmetic for​ the Coq proof assistant​‌
• Keyword:
  Floating-point
• Functional Description:​​

  The Flocq library for​​​‌ the Coq proof assistant​ is a comprehensive formalization​‌ of floating-point arithmetic: core​​ definitions, axiomatic and computational​​​‌ rounding operations, high-level properties.​ It provides a framework​‌ for developers to formally​​ verify numerical applications.

  Flocq​​​‌ is currently used by​ the CompCert verified compiler​‌ to support floating-point computations.​​

• URL:
  https://­flocq.­gitlabpages.­inria.­fr/
• Publications:
  hal-04114233​​​‌, hal-03233227, hal-01632617​, hal-00862689, hal-01091189​‌, hal-01091186, hal-00743090​​, inria-00534854
• Contact:
  Guillaume​​ Melquiond
• Participant:
  3 anonymous​​​‌ participants

7.1.6 Gappa

• Name:‌
  The Gappa tool for‌​‌ automated proofs of arithmetic​​ properties
• Keywords:
  Floating-point, Arithmetic​​​‌ code, Software Verification, Constraint‌ solving
• Functional Description:
  Gappa‌​‌ is a tool intended​​ to help formally verifying​​​‌ numerical programs dealing with‌ floating-point or fixed-point arithmetic.‌​‌ It has been used​​ to write robust floating-point​​​‌ filters for CGAL and‌ it is used to‌​‌ verify elementary functions in​​ CRlibm. While Gappa is​​​‌ intended to be used‌ directly, it can also‌​‌ act as a backend​​ prover for the Why3​​​‌ software verification plateform or‌ as an automatic tactic‌​‌ for the Coq proof​​ assistant.
• URL:
  https://­gappa.­gitlabpages.­inria.­fr/
• Publications:​​​‌
  hal-03233227, tel-02194683,‌ inria-00070739, inria-00344518,‌​‌ inria-00070330, tel-01094485,​​ inria-00071232, inria-00432726,​​​‌ ensl-00379167, ensl-00200830,‌ hal-01110666, hal-01110669,‌​‌ hal-01632617
• Contact:
  Guillaume Melquiond​​
• Participant:
  2 anonymous participants​​​‌

7.1.7 Why3

• Name:
  The‌ Why3 environment for deductive‌​‌ verification
• Keywords:
  Formal methods,​​ Trusted software, Software Verification,​​​‌ Deductive program verification
• Functional‌ Description:
  Why3 is an‌​‌ environment for deductive program​​ verification. It provides a​​​‌ rich language for specification‌ and programming, called WhyML,‌​‌ and relies on external​​ theorem provers, both automated​​​‌ and interactive, to discharge‌ verification conditions. Why3 comes‌​‌ with a standard library​​ of logical theories (integer​​​‌ and real arithmetic, Boolean‌ operations, sets and maps,‌​‌ etc.) and basic programming​​ data structures (arrays, queues,​​​‌ hash tables, etc.). A‌ user can write WhyML‌​‌ programs directly and get​​ correct-by-construction OCaml programs through​​​‌ an automated extraction mechanism.‌ WhyML is also used‌​‌ as an intermediate language​​ for the verification of​​​‌ C, Java, or Ada‌ programs.
• URL:
  https://­www.­why3.­org/
• Contact:‌​‌
  Claude Marche
• Participant:
  7​​ anonymous participants
• Partners:
  CNRS,​​​‌ Université Paris-Sud

7.1.8 Rocq‌

• Name:
  The Rocq Prover‌​‌
• Keyword:
  Proof assistant
• Scientific​​ Description:
  Rocq is an​​​‌ interactive proof assistant based‌ on the Calculus of‌​‌ (Co-)Inductive Constructions, extended with​​ universe polymorphism. This type​​​‌ theory features inductive and‌ co-inductive families, an impredicative‌​‌ sort and a hierarchy​​ of predicative universes, making​​​‌ it a very expressive‌ logic. The calculus allows‌​‌ to formalize both general​​ mathematics and computer programs,​​​‌ ranging from theories of‌ finite structures to abstract‌​‌ algebra and categories to​​ programming language metatheory and​​​‌ compiler verification. Rocq is‌ organised as a (relatively‌​‌ small) kernel including efficient​​ conversion tests on which​​​‌ are built a set‌ of higher-level layers: a‌​‌ powerful proof engine and​​ unification algorithm, various tactics/decision​​​‌ procedures, a transactional document‌ model and, at the‌​‌ very top an integrated​​ development environment (IDE).
• Functional​​​‌ Description:
  The Rocq Prover‌ provides both a dependently-typed‌​‌ functional programming language and​​ a logical formalism, which,​​​‌ altogether, support the formalisation‌ of mathematical theories and‌​‌ the specification and certification​​ of properties of programs.​​​‌ The Rocq Prover also‌ provides a large and‌​‌ extensible set of automatic​​ or semi-automatic proof methods.​​​‌ Rocq's programs are extractible‌ to OCaml, Haskell, Scheme,‌​‌ ...
• Release Contributions:
  An​​ overview of the new​​​‌ features and changes, along‌ with the full list‌​‌ of contributors is available​​ at https://rocq-prover.org/releases/9.1.0
• News of​​​‌ the Year:

  The Rocq‌ Prover was renamed at‌​‌ the beginning of 2025​​​‌ (see https://rocq-prover.org/about#Name for details​ on the name change).​‌

  Its current version is​​ Rocq 9.1, which integrates​​​‌ changes to the Rocq​ kernel, performance improvements, and​‌ a few new features.​​ See the detailed changes​​​‌ at https://rocq-prover.org/releases/9.1.0 for an​ overview, along with the​‌ full list of contributors.​​

• URL:
  http://­rocq-prover.­org/
• Contact:
  Matthieu​​​‌ Sozeau
• Participants:
  Yves Bertot,​ Frédéric Besson, Tej Chajed,​‌ Cyril Cohen, Pierre Corbineau,​​ Pierre Courtieu, Maxime Dénès,​​​‌ Jim Fehrle, Julien Forest,​ Emilio Jesús Gallego Arias,​‌ Gaëtan Gilbert, Georges Gonthier,​​ Benjamin Grégoire, Jason Gross,​​​‌ Hugo Herbelin, Vincent Laporte,​ Olivier Laurent, Assia Mahboubi,​‌ Kenji Maillard, Erik Martin​​ Dorel, Guillaume Melquiond, Pierre-Marie​​​‌ Pedrot, Clément Pit-Claudel, Kazuhiko​ Sakaguchi, Vincent Semeria, Michael​‌ Soegtrop, Arnaud Spiwack, Matthieu​​ Sozeau, Enrico Tassi, Laurent​​​‌ Théry, Anton Trunov, Li-Yao​ Xia, Theo Zimmermann

7.1.9​‌ creusot

• Name:
  Creusot
• Keywords:​​
  Rust, Specification language, Deductive​​​‌ program verification
• Functional Description:​

  Creusot is a tool​‌ for deductive verification of​​ Rust code. It allows​​​‌ you to annotate your​ code with specifications, invariants​‌ and assertions and then​​ verify them formally and​​​‌ automatically, proving, mathematically, that​ your code satisfies your​‌ specifications.

  Creusot works by​​ translating Rust code to​​​‌ WhyML, the verification and​ specification language of Why3.​‌ Users can then leverage​​ the full power of​​​‌ Why3 to (semi)-automatically discharge​ the verification conditions.

• Release​‌ Contributions:
  This is the​​ version 0.8.0, providing the​​​‌ main process to go​ from a Rust program​‌ annotated with Pearlite specifications​​ to a set of​​​‌ verifications conditions to be​ discharged by external SMT​‌ solvers.
• URL:
  https://­github.­com/­creusot-rs/­creusot
• Publications:​​
  hal-03737878, hal-03526634,​​​‌ hal-02962804
• Contact:
  Jacques-Henri Jourdan​
• Participant:
  3 anonymous participants​‌
• Partners:
  Université Paris-Saclay, CNRS​​

7.1.10 rocq-num-analysis

• Name:
  Numerical​​​‌ analysis Rocq library
• Keywords:​
  Formal methods, Rocq, Numerical​‌ analysis, Finite element modelling​​
• Scientific Description:
  These Coq/Rocq​​​‌ developments are based on​ the Coquelicot library for​‌ real analysis, and on​​ parts of the Mathematical​​​‌ Components library. They are​ based on classical logic.​‌ Version 2.1 includes the​​ formalization and proof of:​​​‌ (1) results about subsets,​ functions, homogeneous binary relations,​‌ and finite families, (2)​​ results in algebra about​​​‌ commutative monoids and groups,​ rings, vector and affine​‌ spaces, including functions to​​ a given algrebraic structure,​​​‌ iterated operations (sum, linear​ combination, and barycenter), morphisms,​‌ algebraic substructures, and the​​ specific case of finite​​​‌ dimension with the dimension​ and the incomplete basis​‌ theorems, (3) the Lax-Milgram​​ theorem, including results from​​​‌ linear algebra, geometry, functional​ analysis and Hilbert spaces,​‌ (4) the Lebesgue integral,​​ including large parts of​​​‌ the measure theory,the building​ of the Lebesgue measure​‌ on real numbers, integration​​ of nonnegative measurable functions​​​‌ with the Beppo Levi​ (monotone convergence) theorem, Fatou's​‌ lemma, the Tonelli theorem,​​ and the Bochner integral​​​‌ with the dominated convergence​ theorem, (5) simplicial Lagrange​‌ finite elements in any​​ dimension and of any​​​‌ degre of approximation.
• Functional​ Description:
  Formal developments and​‌ proofs in Rocq of​​ numerical analysis problems. The​​​‌ current long-term goal is​ to formally prove parts​‌ of a C++ library​​ implementing the Finite Element​​​‌ Method.
• News of the​ Year:
  Several parts of​‌ the formalization in Coq/Rocq​​ of simplicial Lagrange finite​​ elements have been generalized,​​​‌ and the building of‌ the FE is now‌​‌ almost exclusively based on​​ affine properties involving barycenters.​​​‌ Opam packages (v2.0, 17/06/2025)‌ are provided for each‌​‌ part of the library:​​ subset, algebra, lebesgue, lax-milgram,​​​‌ and fem. A paper‌ about the formalization of‌​‌ simplicial Lagrange finite elements​​ is submitted. The version​​​‌ 2.1 of the Opam‌ packages (24/11/2025) provides many‌​‌ modifications and new results​​ about binary relations and​​​‌ orders. A paper about‌ the formalization of monomial‌​‌ and graded orders is​​ submitted.
• URL:
  https://­lipn.­univ-paris13.­fr/­rocq-num-analysis/
• Publications:​​​‌
  hal-01344090, hal-01391578,‌ hal-03105815, hal-03471095,‌​‌ hal-03516749, hal-03889276,​​ hal-04713897, tel-04884651,​​​‌ hal-05128954, hal-05396788
• Contact:‌
  Sylvie Boldo
• Participants:
  Sylvie‌​‌ Boldo, François Clement, Micaela​​ Mayero, Vincent Martin, 4​​​‌ anonymous participants
• Partners:
  LIPN‌ (Laboratoire d'Informatique de l'Université‌​‌ Paris Nord), UTC

7.1.11​​ Capla

• Keywords:
  Compilation, Programming​​​‌ language
• Functional Description:

  Capla‌ is a safe domain-specific‌​‌ programming language dedicated to​​ low-level computer algebra libraries.​​​‌ It aims at improving‌ the confidence in libraries‌​‌ such as GMP or​​ BLAS by supplying an​​​‌ appropriate way of writing‌ them while guaranteeing memory‌​‌ and temporal safety of​​ the generated code.

  Capla’s​​​‌ compiler is mostly written‌ in Coq and uses‌​‌ the CompCert compiler as​​ a backend. The language’s​​​‌ semantics has been formalized‌ in Coq and the‌​‌ compiler’s correctness (correspondence between​​ the behavior of source​​​‌ and generated programs) has‌ been proved in Coq‌​‌ as well as the​​ safety of the language.​​​‌

• Publications:
  hal-04485670, hal-04859452‌
• Contact:
  Guillaume Melquiond
• Participant:‌​‌
  2 anonymous participants

Toccata's Gallery​​​‌ of Verified Programs

• Contributors:‌
  Ali Ayad, Andrei Paskevich,‌​‌ Asma Tafat, Benedikt Becker,​​ Christine Paulin-Mohring, Claire Dross,​​​‌ Claude Marché, Cláudio Belo‌ Lourenço, Clément Fumex, François‌​‌ Bobot, Guillaume Melquiond, Jean-Christophe​​ Filliâtre, Josué Moreau, Leon​​​‌ Gondelman, Léo Andrès, Martin‌ Clochard, Mário Pereira, Nicolas‌​‌ Jeannerod, Paul Bonnot, Paul​​ Patault, Quentin Garchery, Ran​​​‌ Chen, Raphaël Rieu-Helft, Romain‌ Bardou, Sylvain Dailler, Sylvie‌​‌ Boldo, Thi Minh Tuyen​​ Nguyen, Xavier Denis, Yannick​​​‌ Moy, Yuto Takei
• Description:‌
  This data set is‌​‌ a collection of programs​​ formally verified, performed by​​​‌ tools developed in our‌ team. The programs range‌​‌ from simple representative code,​​ as good examples for​​​‌ teaching, to large case‌ studies. These also include‌​‌ solutions to the successive​​ VerifyThis challenges that appeared​​​‌ during the recent years.‌
• Project link:
  Toccata Gallery‌​‌
• Publications:
  45, see​​ also all references given​​​‌ inside the data set‌ itself
• Contact:
  Claude Marché,‌​‌ Jean-Christophe Filliâtre
• Release contributions:​​
  The current version on​​​‌ the web is synchronised‌ with Why3 version 1.8‌​‌ released in December 2024​​

Improving‌ Verification Condition Generation

Filliâtre,‌​‌ Paskevich and Patault introduce​​ Coma, a formally defined​​​‌ intermediate verification language. Specification‌ annotations in Coma take‌​‌ the form of assertions​​ mixed with the executable​​​‌ program code. A special‌ programming construct representing the‌​‌ abstraction barrier is used​​​‌ to separate, inside a​ subroutine, the “interface” part​‌ of the code, which​​ is verified at every​​​‌ call site, from the​ “implementation” part, which is​‌ verified only once, at​​ the definition site. In​​​‌ comparison with traditional contract-based​ specification, this offers the​‌ user an additional degree​​ of freedom, as they​​​‌ can provide separate specification​ (or none at all)​‌ for different execution paths.​​ They define a verification​​​‌ condition generator for Coma​ and prove its correctness.​‌ For programs where specification​​ is given in a​​​‌ traditional way, with abstraction​ barriers at the function​‌ entries and exits, the​​ verification conditions are similar​​​‌ to the ones produced​ by a classical weakest-precondition​‌ calculus. For programs where​​ abstraction barriers are placed​​​‌ in the middle of​ a function definition, the​‌ user-written specification is seamlessly​​ completed with the verification​​​‌ conditions generated for the​ exposed part of the​‌ code. In addition, their​​ procedure can factorise selected​​​‌ sub-goals on the fly,​ which leads to more​‌ compact verification conditions. They​​ illustrate the use of​​​‌ Coma on two non-trivial​ examples, which have been​‌ formalised and verified using​​ their implementation: a second-order​​​‌ regular expression engine and​ a sorting algorithm written​‌ in unstructured assembly code.​​ An article presenting this​​​‌ work was presented at​ the ESOP Conference in​‌ 2025 17. An​​ extended version is submitted​​​‌ for a journal-after publication​ in TOPLAS.

Paul Patault​‌ made a presentation of​​ Coma at the Dafny​​​‌ workshop affiliated with POPL​ 2026 26. He​‌ is currently working on​​ a Rocq formalization of​​​‌ the Coma language and​ its VC generator.

Automated​‌ Reasoning on Inductive Predicates​​

Filliâtre, Paskevich and Saudubray​​​‌ 66, 22 worked​ on an extension of​‌ the Why3 tool to​​ allow proofs by induction​​​‌ on instances of inductive​ predicates, i.e. on finitely​‌ constructed derivations. It consists​​ of a new matching​​​‌ construction to analyse the​ form of such a​‌ derivation, on the one​​ hand, and a new​​​‌ notion of variant to​ justify the termination of​‌ a recursive function that​​ proceeds according to the​​​‌ size of a derivation,​ on the other hand.​‌ They show how this​​ extension can be implemented​​​‌ conservatively, with almost nothing​ changed in the verification​‌ condition generator of Why3.​​ They illustrate the robustness​​​‌ of this contribution by​ translating from Coq to​‌ Why3 a non-trivial proof​​ containing a large number​​​‌ of reasoning steps by​ induction on inductive predicates.​‌

Cross-Language Symbolic Execution

One​​ key problem in the​​​‌ field of software security​ is to expose software​‌ vulnerabilities effectively. Traditional testing​​ methods have shown inadequacy​​​‌ in terms of path​ coverage and bug detection,​‌ due to their reliance​​ on concrete input values.​​​‌ Hui and Andrès 16​ proposed the idea of​‌ combining symbolic execution with​​ run-time annotation checking. By​​​‌ using symbolic input values​ instead of concrete ones,​‌ the specified program properties​​ can be checked on​​​‌ all the corner cases.​ They introduce two implementations​‌ of symbolic run-time annotation​​ checkers: one for C,​​​‌ using the ANSI/ISO C​ Specification Language, and one​‌ for WebAssembly, using the​​ Weasel specification language designed​​ by them. Their approach​​​‌ combines the ease of‌ use and the expressiveness‌​‌ of runtime annotation checking,​​ as well as the​​​‌ power of program analysis.‌

Reasoning with Memory Separation​​

Filliâtre and Paskevich proposed​​​‌ a technique for specifying‌ and proving imperative programs‌​‌ manipulating pointer-based recursive data​​ structures, which is better​​​‌ suited for first-order automated‌ provers. The idea is‌​‌ to map recursive data​​ structures, such as linked​​​‌ lists or trees, onto‌ flat integer-indexed sequences, in‌​‌ such a way that​​ separation and frame properties​​​‌ can be expressed using‌ only simple arithmetic relations.‌​‌ This approach is illustrated​​ with two examples: an​​​‌ original variant of list‌ reversal and Morris's algorithm‌​‌ for constant-space traversal of​​ a binary tree. This​​​‌ work was presented at‌ iFM 2025 13.‌​‌

Verification of Rust programs​​

One of the major​​​‌ success of Toccata during‌ the last years is‌​‌ represented by the results​​ obtained concerning the verification​​​‌ of Rust programs. Rust‌ is a fairly recent‌​‌ programming language for system​​ programming, bringing static guarantees​​​‌ of memory safety through‌ a strong ownership policy.‌​‌ This feature opens promising​​ advances for deductive verification​​​‌ of Rust code. The‌ project underlying the PhD‌​‌ thesis of Denis 61​​, supervised by J.-H.​​​‌ Jourdan and C. Marché,‌ is to propose techniques‌​‌ for the verification of​​ Rust program, using a​​​‌ translation to a purely-functional‌ language. The challenge of‌​‌ this translation is the​​ handling of mutable borrows:​​​‌ pointers which control of‌ aliasing in a region‌​‌ of memory. To overcome​​ this, we used a​​​‌ technique inspired by prophecy‌ variables to predict the‌​‌ final values of borrows​​ 62. This method​​​‌ is implemented in a‌ standalone tool called Creusot‌​‌ 63. The specification​​ language of Creusot features​​​‌ the notion of prophecy‌ mentioned above, which is‌​‌ central for the specification​​ of behaviour of programs​​​‌ performing memory mutation. However,‌ so far, this prophecy-based‌​‌ encoding has only been​​ described in the idealised​​​‌ setting of a core‌ calculus.

Golfouse, Jourdan and‌​‌ Guéneau, in collaboration with​​ Xavier Denis and Dominic​​​‌ Stolz 35 show how‌ one might "scale" this‌​‌ technique up to the​​ setting of a realistic​​​‌ verification tool. After describing‌ why doing so is‌​‌ non-trivial, they show how​​ to integrate this encoding​​​‌ with two common features‌ of deductive verification systems:‌​‌ ghost code and type​​ invariants. Additionally, they provide​​​‌ concrete implementation strategies for‌ key aspects of the‌​‌ encoding that were unspecified​​ but turn out to​​​‌ be crucial when considering‌ realistic programs. They implemented‌​‌ this work as an​​ extension of Creusot.

The​​​‌ type system of Rust‌ enforces the "shared xor‌​‌ mutable" principle, which forbids​​ mutation of shared memory.​​​‌ This principle eases verification‌ in Rust, but certain‌​‌ programs require circumventing it​​ with the mechanism of​​​‌ interior mutability. Thus, supporting‌ interior mutability in a‌​‌ deductive verification tool is​​​‌ difficult. The Verus tool​ demonstrated the use of​‌ ghost resources to that​​ end. So far, this​​​‌ mechanism has only been​ applied to Verus in​‌ order to verify primarily​​ system code. Arnaud Golfouse,​​​‌ Armaël Guéneau and Jacques-Henri​ Jourdan extended the deductive​‌ verification tool Creusot with​​ support for linear ghost​​​‌ resources. They show how​ Creusot's full support for​‌ mutable borrows enables better​​ specifications for primitives of​​​‌ linear ghost code. They​ apply this methodology to​‌ the verification of two​​ data structures using sharing​​​‌ and mutation: union-find and​ persistent arrays 14.​‌ Later on, Golfouse and​​ Patault formalised and verified​​​‌ a Rust code implementing​ a tree traversal with​‌ in-place mutation (algorithm due​​ to Morris), again using​​​‌ the ghost ownership feature​ 15.

Inference of​‌ Specifications for Closures

In​​ many programs, closures allow​​​‌ to express data transformations​ in a concise way.​‌ But when a verification​​ tool is used, they​​​‌ must be accompanied by​ specifications that are often​‌ longer than their body.​​ This is a particularly​​​‌ unpleasant problem, since these​ closures are often simple​‌ and their specification is​​ redundant. Patault, Golfouse and​​​‌ Denis 18 presented a​ mechanism for inferring the​‌ specification of closures for​​ the formal verification of​​​‌ Rust programs. They propose​ the use of the​‌ intermediate verification language Coma​​ as a back-end for​​​‌ the deductive verification tool​ Creusot. Their design is​‌ able to manage the​​ internal mutable state of​​​‌ a closure and to​ infer its specification. They​‌ use this mechanism to​​ verify in an ergonomic​​​‌ and modular way a​ series of Rust programs​‌ using higher-order functions.

Safe​​ Libraries for Computer Algebra​​​‌

Low-level libraries used in​ computer algebra systems, such​‌ as GMP, BLAS/LAPACK, etc.,​​ are usually written in​​​‌ C, Fortran, and Assembly,​ and make heavy use​‌ of arrays and pointers.​​ Melquiond and Moreau 75​​​‌, 21, 27​ have designed Capla, a​‌ programming language dedicated to​​ writing such libraries. This​​​‌ language, halfway between C​ and Rust, is designed​‌ to be safe and​​ to ease the deductive​​​‌ verification of programs, while​ being low-level enough to​‌ be suitable for this​​ kind of computationally intensive​​​‌ applications. They have also​ written a compiler for​‌ this language, based on​​ CompCert. The safety of​​​‌ the language has been​ formally proved using the​‌ Rocq proof assistant, and​​ so has the property​​​‌ of semantics preservation for​ the compiler.

Reasoning​ about Floating-Point Programs

Numerical​‌ programs make use of​​ the floating-point representation of​​​‌ numbers to perform computations​ that ideally should be​‌ done on mathematical real​​ numbers. The floating-point representation​​​‌ induces approximations on the​ computations ultimately performed. We​‌ have a long tradition​​ of study of subtle​​​‌ algorithms involving such numerical​ computations. A set of​‌ numerical programs that we​​ studied is related to​​​‌ the combination of exponential​ and logarithm functions, that​‌ is, the log-sum-exp function​​ known in the context​​ of Machine Learning 76​​​‌, for which Bonnot‌ et al. 54 provide‌​‌ certified bounds on its​​ accuracy. This work is​​​‌ extended this year to‌ another function of the‌​‌ same shape, yet more​​ complex, involving exponential of​​​‌ squares of differences, and‌ summation of logarithms 32‌​‌.

Boyer, Faissole, and​​ Melquiond 55 have patented​​​‌ a method and system‌ to transform a program,‌​‌ which includes mathematical functions​​ applied to floating-point variables​​​‌ (and thus suffers from‌ numerical approximations and rounding‌​‌ errors), in order to​​ achieve a specified global​​​‌ accuracy.

Bonnot, Boyer, Faissole,‌ and Marché 52 propose‌​‌ to bound the error​​ between the computed result​​​‌ and the ideal computation‌ by a formula involving‌​‌ the assumed precision of​​ the input of the​​​‌ programs, together with the‌ accuracy properties of the‌​‌ auxiliary mathematical functions that​​ are called as basic​​​‌ blocks. Obtaining such an‌ accuracy property needs a‌​‌ high expertise in floating-point​​ computer arithmetic. The proposed​​​‌ methodology is able to‌ automatically generate such form‌​‌ of accuracy formulas from​​ a given input program.​​​‌ Moreover the generated formulas‌ are certified correct with‌​‌ a high level of​​ confidence, thanks to the​​​‌ automated construction of formal‌ proofs of their validity.‌​‌ The methodology is implemented​​ and experimented on several​​​‌ examples involving approximations of‌ elementary functions such as‌​‌ sine, cosine, exponential and​​ logarithm.

Writing a formal​​​‌ proof offers the highest‌ possible confidence in the‌​‌ correctness of a mathematical​​ library. This comes at​​​‌ a large cost though,‌ since formal proofs require‌​‌ taking into account all​​ the details, even the​​​‌ seemingly insignificant ones, which‌ makes them tedious to‌​‌ write. Faissole, Geneau and​​ Melquiond 65, 20​​​‌ propose a methodology and‌ some dedicated automation, and‌​‌ apply them to the​​ use case of a​​​‌ faithful binary64 approximation of‌ exponential. The peculiarity of‌​‌ this use case is​​ that the target of​​​‌ the formal verification is‌ not a simple modelling‌​‌ of an external code,​​ it is an actual​​​‌ floating-point function defined in‌ the logic of the‌​‌ Rocq proof assistant, which​​ is thus usable inside​​​‌ proofs once its correctness‌ has been fully verified.‌​‌ This function presents all​​ the attributes of a​​​‌ state-of-the-art implementation: bit-level manipulations,‌ large tables of constants,‌​‌ obscure floating-point transformations, exceptional​​ values, etc. This function​​​‌ has been integrated into‌ the proof strategies of‌​‌ the CoqInterval library, bringing​​ a 20x speedup with​​​‌ respect to the previous‌ implementation.

Given a program‌​‌ with floating-point computations, there​​ are many analysis tools,​​​‌ available to obtain an‌ upper bound on the‌​‌ rounding error. We aim​​ to evaluate the tightness​​​‌ of this rounding bound‌ by exhibiting input values‌​‌ for the program where​​ the rounding error is​​​‌ close to this bound‌ (called "pathological cases"). Boldo,‌​‌ Hamelin, Hilaire and Piriou​​ 23 proposed an automatic​​​‌ method for generating pathological‌ cases based on delta‌​‌ debugging and guided by​​ Gappa. We have implemented​​​‌ this method and applied‌ it to numerous examples‌​‌ from FPBench and publications.​​

The square root function​​​‌ and its variants are‌ already hardware accelerated in‌​‌ most processors, including Kalray's​​​‌ where one square root​ function can be computed​‌ per cycle in the​​ core. O. Desrentes 25​​​‌ worked on a new​ accelerator-specific way of implementing​‌ the family of square​​ root functions, using a​​​‌ mix of hardware and​ software accelerations. Hence a​‌ method to accelerate the​​ reciprocal square root, the​​​‌ square root and the​ reciprocal function using one​‌ hardware operator based on​​ multipartite tables, and software​​​‌ refinements as needed to​ fit the required accuracy​‌ target.

Formalization of Mathematics​​ for Numerical Analysis

In​​​‌ her PhD thesis 77​ defended in 2024, Houda​‌ Mouhcine presented results about​​ the definition of finite​​​‌ elements and of the​ Lagrange simplicial finite elements,​‌ with the proof of​​ their fundamental property called​​​‌ unisolvence. All the​ developments are distributed as​‌ part of the Coq-Num-Analysis​​ library. The corresponding journal​​​‌ paper is currently under​ review 31, 30​‌.

Moreover, this work​​ lead to a comprehensive​​​‌ Rocq formalization of specific​ orders (namely monomial and​‌ graded) 28, 29​​, for the formalization​​​‌ of both monomials in​ dimension $d$ and Lagrange​‌ nodes that are evenly​​ distributed on a simplex.​​​‌

Programmable Logic Controllers

Programmable​ Logic Controllers are industrial​‌ digital computers used as​​ automation controllers in manufacturing​​​‌ processes. The Ladder language​ is a programming language​‌ used to develop software​​ for such controllers. A​​​‌ long-term collaboration with MERCE​ as for goal the​‌ verification that a given​​ Ladder program conforms to​​​‌ an expected behaviour expressed​ by a timing chart,​‌ describing a scenario of​​ execution. This method relies​​​‌ on a modelling of​ Ladder programs in WhyML,​‌ the language of the​​ Why3 environment for deductive​​​‌ program verification. This year,​ this work was extended​‌ to proving the conformity​​ of a Ladder program​​​‌ with respect to a​ State Transition Diagram 34​‌. Unlike timing charts,​​ such a diagram can​​​‌ describe the complete set​ of expected execution scenarios.​‌

Validation of Railway Data​​

In collaboration with B.​​​‌ Boyer from MERCE, N.​ Canva, M. Manighetti and​‌ C. Marché 33 presented​​ the design, the formalisation​​​‌ and the implementation of​ a prototype software tool​‌ that checks whether a​​ given constraint is valid​​​‌ on a given database​ representing a railway network.​‌ The underlying constraint language​​ is able to express​​​‌ topological properties of the​ railway network. The semantics​‌ of constraints is formally​​ defined and the implementation​​​‌ of the checker is​ formally proved to conform​‌ to that specification. The​​ code is extracted to​​​‌ OCaml and compiled into​ an executable program, linked​‌ together with extra non​​ verified code to import​​​‌ data from files. It​ is experimented on significantly​‌ complex examples, showing that​​ the efficiency of the​​​‌ checker is satisfactory. Additionally,​ when a constraint is​‌ not checked valid, a​​ counterexample is provided to​​​‌ exemplify why. Experimental results​ regarding counterexamples are satisfactory​‌ as well. This work​​ will be presented at​​ the next Dafny conference​​​‌ in January 2026 24‌.

Teaching Mathematics with‌​‌ Rocq

As part of​​ the LiberAbaci défi, we​​​‌ work on how to‌ use Rocq for teaching‌​‌ mathematics. In the past​​ year we worked on​​​‌ worksheets in Rocq for‌ students to learn about‌​‌ divisibility and binomials. These​​ basic topics are a​​​‌ good case study as‌ they are widely taught‌​‌ in the early academic​​ years (or before in​​​‌ France). Boldo et al.‌ 11 present technical and‌​‌ pedagogical choices, together with​​ the numerous exercises they​​​‌ developed. As expected, it‌ requires additional Rocq material‌​‌ such as other lemmas​​ and dedicated tactics. The​​​‌ worksheets are freely available‌ and flexible in several‌​‌ ways.

Verifying Mathematics on​​ a Large Scale

While​​​‌ the word problem for‌ monoids is undecidable in‌​‌ general, having a decision​​ procedure for some finitely​​​‌ presented monoid of interest‌ has numerous applications. As‌​‌ part of the ERC​​ Fresco project, Hivert and​​​‌ Melquiond have designed a‌ toolbox for the Rocq‌​‌ proof assistant that can​​ be used to verify​​​‌ the decidability of the‌ word problem for a‌​‌ given monoid and, in​​ some cases, to produce​​​‌ the corresponding decision procedure.‌ As this verification can‌​‌ be computationally intensive, the​​ toolbox heavily relies on​​​‌ proofs by reflection guided‌ by an external oracle.‌​‌ This approach has been​​ successfully used on several​​​‌ large presentations from the‌ literature, as well as‌​‌ on a database of​​ one million 1-relation monoids.​​​‌ The huge size of‌ this database forced some‌​‌ unusual considerations onto the​​ Rocq formalization, so that​​​‌ the formal proofs could‌ be checked in a‌​‌ reasonable amount of time​​ 12.

Combinatorics and​​​‌ Data Structures.

J.-C. Filliâtre‌ introduces an efficient data‌​‌ structure to implement small​​ multisets, with an application​​​‌ to the enumeration of‌ anagrams. This work has‌​‌ been successfully submitted to​​ JFLA 2026 19 and​​​‌ will be presented in‌ January 2026 at the‌​‌ conference.

In collaboration with​​ V. Pilaud and L.​​​‌ Schwob, F. Hivert prove‌ that the excedance relation‌​‌ on permutations defined by​​ N. Bergeron and L.​​​‌ Gagnon actually extends to‌ a congruence of the‌​‌ lattice on alternating sign​​ matrices. Motivated by this​​​‌ example, they study 71‌ all lattice congruences of‌​‌ the lattice on alternating​​ sign matrices whose quotient​​​‌ is isomorphic to the‌ Stanley lattice on Dyck‌​‌ paths, which they call​​ Catalan congruences. They prove​​​‌ that the maxima of‌ the congruence classes are‌​‌ always covexillary permutations (and​​ all covexillary permutations appear​​​‌ this way), and that‌ the minimal permutations in‌​‌ each class are always​​ precisely the 321-avoiding permutations.​​​‌ Finally, they show that‌ any choice of representative‌​‌ permutations in each congruence​​ class yield a basis​​​‌ of the Temperley–Lieb algebra‌ with parameter 2, vastly‌​‌ generalising the bases arising​​ from the excedance relation.​​​‌

10.1.1 H2020​​​‌ projects

10.2.1‌ ANR NuSCAP

Participants: Guillaume‌​‌ Melquiond [contact], Sylvie​​ Boldo.

The last​​​‌ twenty years have seen‌ the advent of computer-aided‌​‌ proofs in mathematics and​​ this trend is getting​​​‌ more and more important.‌ They request various levels‌​‌ of numerical safety, from​​ fast and stable computations​​​‌ to formal proofs of‌ the computations. Hovewer, the‌​‌ necessary tools and routines​​ are usually ad hoc,​​​‌ sometimes unavailable, or inexistent.‌ On a complementary perspective,‌​‌ numerical safety is also​​ critical for complex guidance​​​‌ and control algorithms, in‌ the context of increased‌​‌ satellite autonomy. We plan​​ to design a whole​​​‌ set of theorems, algorithms‌ and software developments, that‌​‌ will allow one to​​ study a computational problem​​​‌ on all (or any)‌ of the desired levels‌​‌ of numerical rigor. Key​​ developments include fast and​​​‌ certified spectral methods and‌ polynomial arithmetic, with subsequent‌​‌ formal verifications. There will​​ be a strong feedback​​​‌ between the development of‌ our tools and the‌​‌ applications that motivate it.​​

The project led by​​​‌ École Normale Supérieure de‌ Lyon (LIP) has started‌​‌ in February 2021 and​​ lasts for 4 years.​​​‌ Partners: Inria (teams Aric,‌ Galinette, Lfant, Marelle, Toccata),‌​‌ École Polytechnique (LIX), Sorbonne​​​‌ Université (LIP6), Université Sorbonne​ Paris Nord (LIPN), CNRS​‌ (LAAS).

10.2.2 ANR GOSPEL​​

Participants: Jean-Christophe Filliâtre [contact]​​​‌, Andrei Paskevich,​ Armaël Guéneau, Paul​‌ Patault.

A specification​​ language extends a programming​​​‌ language by allowing code​ and specifications to be​‌ written in a single​​ document. Examples include SparkAda,​​​‌ JML, and ACSL, which​ extend Ada, Java, and​‌ C with syntax for​​ specifications.

By offering a​​​‌ specification language to programmers,​ one encourages them to​‌ document, test, and verify​​ their code as they​​​‌ write it, not as​ a separate step that​‌ is too easily postponed.​​ From a technical point​​​‌ of view, the presence​ of specifications makes it​‌ possible to test or​​ verify each module independently​​​‌ and is the key​ to scalability. From​‌ a pragmatic point of​​ view, embedding specifications in​​​‌ the code allows them​ to be automatically distributed​‌ (via a package management​​ system) to every programmer;​​​‌ this is the key​ to practical adoption.​‌

The GOSPEL project proposes​​ to develop Gospel,​​​‌ a specification language that​ extends the programming language​‌ OCaml; to develop an​​ ecosystem of tools based​​​‌ on Gospel; and to​ demonstrate and validate these​‌ tools via several case​​ studies.

The project led​​​‌ by Inria Paris has​ started in October 2022​‌ and lasts for 4​​ years. Partners: Inria Paris​​​‌ (team Cambium), Université Paris-Saclay​ (LMF), Tarides, Nomadic Labs.​‌

10.2.3 Project “SecurEval” of​​ PEPR Cybersécurité

Participants: Sylvain​​​‌ Conchon [contact].

The​ SecureVal project aims to​‌ design new tools, benefiting​​ from new digital technologies,​​​‌ to verify the absence​ of hardware and software​‌ vulnerabilities, and carry out​​ the proof of compliance​​​‌ required.

In order to​ deal effectively with modern​‌ digital systems, code analysis​​ techniques, which originated in​​​‌ the world of critical​ systems, must be overhauled​‌ to adapt to the​​ objectives of security assessments​​​‌ and to scale up​ to complex systems, combining​‌ dedicated functionalities and third-party​​ libraries. For example, the​​​‌ design of new fault​ models, the support of​‌ emerging languages, the visualization​​ of formal guarantees, the​​​‌ use of learning techniques​ to automate repetitive actions​‌ or optimize the extraction​​ of relevant information, or​​​‌ the development of approaches​ combining static and dynamic​‌ analyses.

The project is​​ led by CEA-List, it​​​‌ started in 2022 and​ lasts for 6 years.​‌

10.2.4 Project I-Demo “Décysif”​​

Participants: Andrei Paskevich,​​​‌ Armaël Guéneau, Claude​ Marché [contact], Jean-Christophe​‌ Filliâtre, Sylvain Conchon​​, Li-Yao Xia,​​​‌ Arnaud Golfouse, Maël​ Coulmance, Vincent Lafeychine​‌, Jacques-Henri Jourdan,​​ Paul Patault.

The​​​‌ Décysif project is a​ project started in december​‌ 2023, for 4 years.​​ Its general goal is​​​‌ the promotion of formal​ verification for critical systems​‌ regarding cybersecurity. This project​​ will fund our future​​​‌ research on Rust program​ verification, and it contains​‌ a workpackage dedicated towards​​ industrialization of the Creusot​​​‌ tool.

The project is​ led by TrustInSoft company,​‌ with AdaCore and OCamlPro​​ as other partners.

10.2.5​​​‌ Inria Project LiberAbaci

Participants:​ Sylvie Boldo [contact].​‌

The Défi Inria LiberAbaci​​ is a collaborative project​​ aimed at improving the​​​‌ accessibility of the Coq‌ interactive proof system for‌​‌ an audience of mathematics​​ students in the early​​​‌ academic years.

The head‌ is Yves Bertot and‌​‌ the involved teams are:​​ Cambium (Paris), Camus (Strasbourg),​​​‌ Gallinette (Nantes) PiCube (Paris),‌ Spades (Grenoble), Stamp (Sophia‌​‌ Antipolis), Toccata (Saclay), LIPN​​ (Villetaneuse).

11.1.1 Scientific events:‌ selection

11.1.2 Journal

11.1.3 Invited talks

• S.​​ Boldo, invited speaker at​​​‌ the inaugural session of‌ the maths-computer science master‌​‌ of Toulon, September 12,​​ 2025.
• S. Boldo, invited​​​‌ speaker at the Europroofnet‌ Symposium 2025 on Proof‌​‌ Libraries, September 16 2025,​​ Orsay.
• S. Boldo, invited​​​‌ speaker at the RAIM‌ 2025 “16th Rencontres de‌​‌ l'Arithmétique en Informatique Mathématique​​ – A Tribute to​​​‌ Jean-Michel Muller”, November 5‌ 2025, Lyon.
• J.-C. Filliâtre,‌​‌ invited speaker at Algorithmique​​ et programmation, May 5–9,​​​‌ 2025, Luminy.

11.1.4 Leadership‌ within the scientific community‌​‌

• S. Boldo, elected chair​​ of the ARITH working​​​‌ group of the GDR-IM‌ (a CNRS subgroup of‌​‌ computer science) with L.-S.​​ Didier (Université Toulon).
• S.​​​‌ Boldo, steering committee member‌ of the IEEE International‌​‌ Symposium on Computer Arithmetic.​​
• S. Boldo, elected board​​​‌ steering committee member of‌ the IEEE International Symposium‌​‌ on Computer Arithmetic, since​​ 2025.
• J.-C. Filliâtre, steering​​​‌ committee member of JFLA‌ (Journées Francophones des Langages‌​‌ Applicatifs).
• J.-C. Filliâtre, member​​ of IFIP WG 1.9/2.15​​​‌ Verified Software.
• G. Melquiond,‌ steering committee member of‌​‌ the IEEE International Symposium​​ on Computer Arithmetic.

11.1.5​​​‌ Scientific expertise

• S. Boldo‌ and J.-C. Filliâtre, (local)‌​‌ members of the LMF​​​‌ scientific council.
• S. Boldo,​ member of the ENSIIE​‌ scientific council.
• J.-C. Filliâtre,​​ member of the recruitment​​​‌ committee of an associate​ professor position at LIP6,​‌ Sorbonne Université.
• C. Marché,​​ grading the entrance examination​​​‌ at X/ENS (“option​ informatique”).
• F. Hivert,​‌ president of the recruitment​​ committee of an associate​​​‌ professor position at PolyTech,​ Université Paris-Saclay.
• C. Marché,​‌ A. Paskevich, members of​​ the recruitment committee of​​​‌ an associate professor position​ at PolyTech, Université Paris-Saclay.​‌
• G. Melquiond, member of​​ the recruitment committee of​​​‌ a professor position at​ École Normale Supérieure Paris-Saclay.​‌
• A. Paskevich, member of​​ the recruitment committee of​​​‌ an associate professor position​ at EPISEN, Université Paris-Est​‌ Créteil.

11.1.6 Research administration​​

• S. Boldo, president of​​​‌ the concours de l'agrégation​ d'informatique, 2022-2025.
• J.-C.​‌ Filliâtre, leader of the​​ Proof and Languages department​​​‌ of LMF.
• A. Guéneau,​ member of the Commission​‌ des Utilisateurs des Moyens​​ Informatiques of Inria Saclay.​​​‌
• A. Guéneau, member of​ the Commission de Développement​‌ Technologique of Inria Saclay.​​
• G. Melquiond, member of​​​‌ the Bureau du Comité​ des Projets of Inria​‌ Saclay.
• G. Melquiond, member​​ of the Commission Consultative​​​‌ de l'Université Paris-Saclay (section​ 27).
• G. Melquiond, member​‌ of the Conseil de​​ Politique Doctorale of Université​​​‌ Paris-Saclay.
• G. Melquiond, member​ of the doctoral school​‌ STIC of Université Paris-Saclay.​​
• G. Melquiond, member of​​​‌ the Mission Jeunes Chercheurs​ of Inria.
• G. Melquiond,​‌ member of the laboratory​​ council of LMF.
• G.​​​‌ Melquiond, leader of the​ team Computer Arithmetic of​‌ LMF.
• A. Paskevich, leader​​ of the team Program​​​‌ Verification of LMF.

11.2.1 Teaching​​​‌

• J.-C. Filliâtre, Langages de​ programmation et compilation,​‌ 25h, L3, École Normale​​ Supérieure, France.
• J.-C. Filliâtre,​​​‌ Les bases de l'algorithmique​ et de la programmation​‌, 15h, L3, École​​ Polytechnique, France.
• J.-C. Filliâtre,​​​‌ Compilation, 18h, M1,​ École Polytechnique, France.
• A.​‌ Guéneau, Programmation avancée,​​ 12h, L3, ENS Paris-Saclay,​​​‌ France.
• A. Paskevich, Vérification​ Déductive, 12h, M2,​‌ MPRI, Université Paris Cité,​​ France.
• A. Paskevich, Programmation​​​‌ système, 56h, BUT2,​ IUT d'Orsay, Université Paris-Saclay,​‌ France.

11.2.2 Supervision

• PhD:​​ J. Moreau, “Programming language​​​‌ and formally verified compiler​ for low-level numerical libraries”,​‌ since Oct. 2022, supervised​​ by G. Melquiond. Defended​​​‌ in Nov. 2025 27​.
• PhD in progress:​‌ P. Geneau de Lamarlière,​​ “Design of formally verified​​​‌ floating-point components”, since Sep.​ 2022, supervised by G.​‌ Melquiond.
• PhD in progress:​​ A. Golfouse, “Vérification de​​​‌ programme Rust avancée: invariants​ de types, code fantôme,​‌ possession fantôme et algèbre​​ de ressources, concurrence et​​​‌ aliasing”, since Oct. 2023,​ supervised by J.-H. Jourdan​‌ and A. Guéneau.
• PhD​​ in progress: P. Patault,​​​‌ “Conception et étude d'un​ langage de programmation adapté​‌ à la vérification déductive”,​​ since Oct. 2023, supervised​​​‌ by J.-C. Filliâtre and​ A. Paskevich.
• PhD in​‌ progress: D. Hamelin, “Implémentation​​ de calculs numériques en​​​‌ virgule fixe avec maîtrise​ de l’erreur d’arrondi.”, since​‌ Dec. 2024, supervised by​​ S. Boldo, T. Hilaire​​​‌ (Sorbonne University) and P.-Y.​ Piriou (EDF).
• PhD in​‌ progress: V. Lafeychine, “Prise​​ en compte des comportements​​ mémoire relâchés dans l'outil​​​‌ de vérification déductive pour‌ Rust Creusot”, since Sep.‌​‌ 2025, supervised by C.​​ Marché and J.-H. Jourdan​​​‌ (LMF).
• PhD in progress:‌ H. Saudubray, “Conception et‌​‌ unification des langages de​​ programmation, spécification et preuve​​​‌ dans le contexte de‌ la vérification déductive de‌​‌ programmes, au sein de​​ l'outil Why3”, since Oct.​​​‌ 2025, supervised by J.-C.‌ Filliâtre and A. Paskevich.‌​‌
• M2 internship: S.  Shrivastava,​​ “Automatisations en Rocq”, April-August​​​‌ 2025, supervised by S.‌ Boldo, F. Clément (Inria‌​‌ Paris), and M. Mayero​​ (Sorbonne Paris-Nord).
• M2 internship:​​​‌ V. Lafeychine, “Modèle sémantique‌ de Creusot : places,‌​‌ code fantôme, invariants de​​ type”, March-August 2025, supervised​​​‌ by J.-H. Jourdan and‌ A. Guéneau.

11.2.3 Juries‌​‌

• S. Boldo, president of​​ the PhD jury of​​​‌ Valentin Dardilhac, “Mécanismes de‌ votes et résolutions de‌​‌ systèmes d'inéquations à variables​​ réelles”, July 16, 2025,​​​‌ Université Paris-Saclay.
• S. Boldo,‌ president of the PhD‌​‌ jury of Sylvain Joube,​​ “Performance Portable pour le​​​‌ Calcul à Haut Débit”,‌ October 9, 2025, Université‌​‌ Paris-Saclay.
• S. Boldo, member​​ of the HDR jury​​​‌ of Pierre Roux, “Numerical‌ Computations and Proofs: from‌​‌ Proof-Assistants to Aerospace Applications”,​​ December 1, 2025, Toulouse.​​​‌
• S. Conchon, reviewer of‌ the PhD thesis of‌​‌ Hector Suzanne, “Reusable static​​ resource analyses for high​​​‌ level languages”, 2025, Sorbonne‌ université.
• S. Conchon, president‌​‌ of the PhD jury​​ of Hichem Rami Ait​​​‌ El Hara, “Theory of‌ sequences tailored for program‌​‌ verification”, 2025, Université Paris-Saclay.​​
• J.-C. Filliâtre, reviewer of​​​‌ the PhD thesis of‌ S. La Spina, Dec‌​‌ 16, 2025, Université Rennes.​​
• J.-C. Filliâtre, reviewer of​​​‌ the PhD thesis of‌ A. Reitz, Dec 5,‌​‌ 2025, Inria Paris.
• C.​​ Marché, president of the​​​‌ PhD jury of Yani‌ Ziani, “Vérification formelle de‌​‌ couches de confiance dans​​ les logiciels : application​​​‌ à la TPM Software‌ Stack”, October 9, 2025,‌​‌ Université d'Orléans.

11.3.1 Participation in Live​​​‌ events

• S. Boldo has‌ lead a session for‌​‌ ninth grade trainees (stagiaires​​ de 3ème) on December​​​‌ 19, 2025.
• J.-C. Filliâtre‌ has lead a session‌​‌ for ninth grade trainees​​ (stagiaires de 3ème) on​​​‌ December 17, 2025.

International peer-reviewed conferences

• 11​​​‌ inproceedingsS.Sylvie Boldo​, F.François Clément​‌, D.David Hamelin​​, M.Micaela Mayero​​​‌ and P.Pierre Rousselin​. Teaching Divisibility and​‌ Binomials with Coq.​​EPTCS13th International Workshop​​​‌ on Theorem proving components​ for Educational software -​‌ ThEdu 2024419Nancy,​​ France2025, 124​​​‌ - 139HALDOI​back to text
• 12​‌ inproceedingsR.Reinis Cirpons​​, F.Florent Hivert​​​‌, A.Assia Mahboubi​, G.Guillaume Melquiond​‌, J. D.James​​ D Mitchell and F.​​​‌Finn Smith. Certifying​ the Decidability of the​‌ Word Problem in Monoids​​ at Large.CPP​​​‌ 2026: Proceedings of the​ 15th ACM SIGPLAN International​‌ Conference on Certified Programs​​ and ProofsCPP 2026​​​‌ - 15th ACM SIGPLAN​ International Conference on Certified​‌ Programs and ProofsRennes,​​ FranceACMJanuary 2026​​​‌, 128-142HALDOI​back to text
• 13​‌ inproceedingsJ.-C.Jean-Christophe Filliâtre​​, A.Andrei Paskevich​​ and O.Olivier Danvy​​​‌. When Separation Arithmetic‌ is Enough.iFM‌​‌ 2025 - 20th International​​ Conference on Integrated Formal​​​‌ MethodsParis, FranceNovember‌ 2025HALback to‌​‌ text
• 14 inproceedingsA.​​Arnaud Golfouse, A.​​​‌Armaël Guéneau and J.-H.‌Jacques-Henri Jourdan. Using‌​‌ Ghost Ownership to Verify​​ Union-Find and Persistent Arrays​​​‌ in Rust.Proceedings‌ of the 15th ACM‌​‌ SIGPLAN International Conference on​​ Certified Programs and Proofs​​​‌ (CPP '26), January 12--13,‌ 2026, Rennes, FranceCPP‌​‌ 2026 - Certified Programs​​ and ProofsRennes, France​​​‌January 2026HALDOI‌back to text
• 15‌​‌ inproceedingsA.Arnaud Golfouse​​ and P.Paul Patault​​​‌. Boucler la boucle‌ du parcours de Morris‌​‌.JFLA 2026 –​​ 37es Journées Francophones des​​​‌ Langages ApplicatifsJFLA 2026‌ – 37es Journées Francophones‌​‌ des Langages ApplicatifsOberbronn,​​ Alsace, FranceJanuary 2026​​​‌HALDOIback to‌ text
• 16 inproceedingsZ.‌​‌Zhicheng Hui and L.​​Léo Andrès. Cross-Language​​​‌ Symbolic Runtime Annotation Checking‌.36es Journées Francophones‌​‌ des Langages Applicatifs (JFLA​​ 2025)Roiffé, FranceJanuary​​​‌ 2025HALback to‌ text
• 17 inproceedingsA.‌​‌Andrei Paskevich, P.​​Paul Patault and J.-C.​​​‌Jean-Christophe Filliâtre. Coma,‌ an Intermediate Verification Language‌​‌ with Explicit Abstraction Barriers​​ (extended version).ESOP​​​‌ 2025 - 34th European‌ Symposium on Programming15694‌​‌Hamilton, Ontario, CanadaMay​​ 2025, https://link.springer.com/book/10.1007/978-3-031-91118-7HAL​​​‌back to text
• 18‌ inproceedingsP.Paul Patault‌​‌, A.Arnaud Golfouse​​ and X.Xavier Denis​​​‌. Remonter les barrières‌ pour ouvrir une clôture:‌​‌ Inférence de spécification des​​ clôtures pour la preuve​​​‌ de programmes Rust avec‌ COMA.JFLA 2025‌​‌ - 36es Journées Francophones​​ des Langages ApplicatifsRoiffé,​​​‌ FranceJanuary 2025HAL‌back to text

National‌​‌ peer-reviewed Conferences

• 19 inproceedings​​J.-C.Jean-Christophe Filliâtre.​​​‌ Les anagrammes de ce‌ titre.https://inria.hal.science/JFLA2026/JFLA‌​‌ 2026Oberbronn, FranceJanuary​​ 2026HALback to​​​‌ text
• 20 inproceedingsP.‌Paul Geneau de Lamarlière‌​‌. Vérification de bout​​ en bout d'une fonction​​​‌ de bibliothèque mathématique.‌JFLA 2025 - 36es‌​‌ Journées Francophones des Langages​​ ApplicatifsRoiffé, FranceJanuary​​​‌ 2025HALback to‌ textback to text‌​‌
• 21 inproceedingsJ.Josué​​ Moreau. Des briques​​​‌ de calcul formel plus‌ solides avec Capla.‌​‌JFLA 2025 - 36es​​ Journées Francophones des Langages​​​‌ ApplicatifsRoiffé, FranceJanuary‌ 2025HALback to‌​‌ text
• 22 inproceedingsH.​​Henri Saudubray, J.-C.​​​‌Jean-Christophe Filliâtre and A.‌Andrei Paskevich. Faire‌​‌ chauffer Why3 avec de​​ l'induction.JFLA 2025​​​‌ - 36es Journées Francophones‌ des Langages ApplicatifsRoiffé,‌​‌ FranceJanuary 2025HAL​​back to text

Conferences​​​‌ without proceedings

• 23 inproceedings‌S.Sylvie Boldo,‌​‌ D.David Hamelin,​​ T.Thibault Hilaire and​​​‌ P.-Y.Pierre-Yves Piriou.‌ Generation of Pathological Cases‌​‌ for Rounding Errors.​​RAIM Meeting 2025: 16th​​​‌ Rencontres de l'Arithmétique en‌ Informatique Mathématique – A‌​‌ Tribute to Jean-Michel Muller​​Lyon, FranceNovember 2025​​​‌HALback to text‌
• 24 inproceedingsB.Benoît‌​‌ Boyer, N.Noé​​ Canva, M.Matteo​​​‌ Manighetti and C.Claude‌ Marché. A Correct-by-Construction‌​‌ Checker for Validation of​​​‌ Railway Data.Dafny​ 2026Rennes, FranceJanuary​‌ 2026HALback to​​ text
• 25 inproceedingsO.​​​‌Orégane Desrentes, F.​Florent de Dinechin and​‌ B.Benoît Dupont de​​ Dinechin. Reciprocal Square​​​‌ Root Accelerated Using Hardware​ and Software Techniques.​‌RAIM Meeting 2025: 16th​​ Rencontres de l'Arithmétique en​​​‌ Informatique Mathématique – A​ Tribute to Jean-Michel Muller​‌Lyon, FranceNovember 2025​​HALback to text​​​‌
• 26 inproceedingsP.Paul​ Patault. Explicit Abstraction​‌ Barrier for Autoactive Verification​​.Dafny 2026Rennes,​​​‌ FranceJanuary 2026HAL​DOIback to text​‌

Doctoral dissertations and habilitation​​ theses

• 27 thesisJ.​​​‌Josué Moreau. Programming​ language and formally verified​‌ compiler for low-level numerical​​ libraries.Université Paris-Saclay​​​‌November 2025HALback​ to textback to​‌ text

Reports & preprints​​

• 28 miscS.Sylvie​​​‌ Boldo, F.François​ Clément, V.Vincent​‌ Martin and M.Micaela​​ Mayero. A Rocq​​​‌ Formalization of Monomial and​ Graded Orders.December​‌ 2025HALback to​​ text
• 29 reportS.​​​‌Sylvie Boldo, F.​François Clément, V.​‌Vincent Martin and M.​​Micaela Mayero. A​​​‌ Rocq Formalization of Monomial​ and Graded Orders.​‌RR-9604INRIADecember 2025​​, 17HALback​​​‌ to text
• 30 misc​S.Sylvie Boldo,​‌ F.François Clément,​​ V.Vincent Martin,​​​‌ M.Micaela Mayero and​ H.Houda Mouhcine.​‌ A Rocq Formalization of​​ Simplicial Lagrange Finite Elements​​​‌.June 2025HAL​back to text
• 31​‌ reportS.Sylvie Boldo​​, F.François Clément​​​‌, V.Vincent Martin​, M.Micaela Mayero​‌ and H.Houda Mouhcine​​. A Rocq Formalization​​​‌ of Simplicial Lagrange Finite​ Elements.RR-9590INRIA​‌June 2025, 63​​HALback to text​​​‌
• 32 miscP.Paul​ Bonnot, B.Benoît​‌ Boyer, F.Florian​​ Faissole, C.Claude​​​‌ Marché and R.Raphaël​ Rieu-Helft. Formally Verified​‌ Roundoff Error Bounds on​​ LogSumExp-based Computations.March​​​‌ 2025HALback to​ text
• 33 reportB.​‌Benoît Boyer, N.​​Noé Canva, M.​​​‌Matteo Manighetti and C.​Claude Marché. Design​‌ of a Correct-by-Construction Checker​​ for Constraints on Railway-Oriented​​​‌ Databases.RR-9596Inria​ Saclay - Île de​‌ FranceSeptember 2025,​​ 46HALback to​​​‌ textback to text​
• 34 reportD.Denis​‌ Cousineau, H.Hiroaki​​ Inoue, C.Claude​​​‌ Marché, F.Florian​ Faissole and D.David​‌ Mentré. Conformity of​​ Ladder Programs against State​​​‌ Transition Diagrams.RR-9584​InriaMarch 2025,​‌ 31HALback to​​ text
• 35 miscX.​​​‌Xavier Denis, A.​Arnaud Golfouse, A.​‌Armaël Guéneau, J.-H.​​Jacques-Henri Jourdan and D.​​​‌Dominik Stolz. Using​ a Prophecy-Based Encoding of​‌ Rust Borrows in a​​ Realistic Verification Tool.​​​‌September 2025HALback​ to text

Other scientific​‌ publications

• 36 miscS.​​Sylvain Conchon, J.-C.​​​‌Jean-Christophe Filliâtre and U.​Urmila Nair. Learn​‌ Programming with OCaml. Algorithms​​ and Data Structures.​​​‌2025HALback to​ text