Publications 2016
BackBooks / Journals / Conferences / PhD theses / Misc. / Reports
Books and book chapters
Journals
[4]  Sylvie Boldo, Catherine Lelay, and Guillaume Melquiond. Formalization of real analysis: A survey of proof assistants and libraries. Mathematical Structures in Computer Science, 2016. [ bib  full text on HAL ] 
[3] 
Claire Dross, Sylvain Conchon, Johannes Kanig, and Andrei Paskevich.
Adding decision procedures to SMT solvers using axioms with
triggers.
Journal of Automated Reasoning, 56(4):387457, 2016.
[ bib 
full text on HAL ]
SMT solvers are efficient tools to decide the satisfiability of ground formulas, including a number of builtin theories such as congruence, linear arithmetic, arrays, and bitvectors. Adding a theory to that list requires delving into the implementation details of a given SMT solver, and is done mainly by the developers of the solver itself. For many useful theories, one can alternatively provide a firstorder axiomatization. However, in the presence of quantifiers, SMT solvers are incomplete and exhibit unpredictable behavior. Consequently, this approach can not provide us with a complete and terminating treatment of the theory of interest. In this paper, we propose a framework to solve this problem, based on the notion of instantiation patterns, also known as triggers. Triggers are annotations that suggest instances which are more likely to be useful in proof search. They are implemented in all SMT solvers that handle firstorder logic and are included in the SMTLIB format. In our framework, the user provides a theory axiomatization with triggers, along with a proof of completeness and termination properties of this axiomatization, and obtains a sound, complete, and terminating solver for her theory in return. We describe and prove a corresponding extension of the traditional Abstract DPLL Modulo Theory framework. Implementing this mechanism in a given SMT solver requires a onetime development effort. We believe that this effort is not greater than that of adding a single decision procedure to the same SMT solver. We have implemented the proposed extension in the AltErgo prover and we discuss some implementation details in the paper. To show that our framework can handle complex theories, we prove completeness and termination of a featurerich axiomatization of doublylinked lists. Our tests show that our approach results in a better performance of the solver on goals that stem from the verification of programs manipulating doublylinked lists.

[2] 
JeanChristophe Filliâtre, Léon Gondelman, and Andrei Paskevich.
The spirit of ghost code.
Formal Methods in System Design, 48(3):152174, 2016.
[ bib 
DOI ]
In the context of deductive program verification, ghost code is part of the program that is added for the purpose of specification. Ghost code must not interfere with regular code, in the sense that it can be erased without observable difference in the program outcome. In particular, ghost data cannot participate in regular computations and ghost code cannot mutate regular data or diverge. The idea exists in the folklore since the early notion of auxiliary variables and is implemented in many stateoftheart program verification tools. However, a rigorous definition and treatment of ghost code is surprisingly subtle and few formalizations exist. Keywords: Why3 
[1] 
Érik MartinDorel and Guillaume Melquiond.
Proving tight bounds on univariate expressions with elementary
functions in Coq.
Journal of Automated Reasoning, 2016.
[ bib 
DOI 
full text on HAL ]
Keywords: Coq proof assistant ; formal proof ; decision procedure ; interval arithmetic ; floatingpoint arithmetic ; nonlinear arithmetic 
Conferences
[11]  Nikolai Kosmatov, Claude Marché, Yannick Moy, and Julien Signoles. Static versus dynamic verification in Why3, FramaC and SPARK 2014. In 7th International Symposium on Leveraging Applications of Formal Methods, Verification and Validation, Lecture Notes in Computer Science. Springer, October 2016. [ bib  full text on HAL ] 
[10]  Assia Mahboubi, Guillaume Melquiond, and Thomas SibutPinote. Formally Verified Approximations of Definite Integrals. In Jasmin Christian Blanchette and Stephan Merz, editors, Interactive Theorem Proving, volume 9807 of Lecture Notes in Computer Science, Nancy, France, August 2016. [ bib  DOI  full text on HAL  .pdf ] 
[9]  JeanChristophe Filliâtre and Mário Pereira. Producing all ideals of a forest, formally (verification pearl). In Sandrine Blazy and Marsha Chechik, editors, 8th Working Conference on Verified Software: Theories, Tools and Experiments (VSTTE), Lecture Notes in Computer Science, Toronto, Canada, July 2016. Springer. [ bib  full text on HAL ] 
[8]  Martin Clochard, Léon Gondelman, and Mário Pereira. The Matrix reproved. In Sandrine Blazy and Marsha Chechik, editors, 8th Working Conference on Verified Software: Theories, Tools and Experiments (VSTTE), Lecture Notes in Computer Science, Toronto, Canada, July 2016. Springer. [ bib  full text on HAL ] 
[7]  Sylvie Boldo. Computing a correct and tight rounding error bound using roundingtonearest. In 9th International Workshop on Numerical Software Verification, Toronto, Canada, July 2016. [ bib  full text on HAL  .pdf ] 
[6]  Sylvie Boldo. Iterators: where folds fail. In Workshop on HighConsequence Control Verification, Toronto, Canada, July 2016. [ bib  full text on HAL  .pdf ] 
[5] 
JeanChristophe Filliâtre and Mário Pereira.
A modular way to reason about iteration.
In 8th NASA Formal Methods Symposium, volume 9690 of
Lecture Notes in Computer Science, Minneapolis, MN, USA, June 2016.
Springer.
[ bib 
full text on HAL ]
In this paper we present an approach to specify programs performing iterations. The idea is to specify iteration in terms of the nite sequence of the elements enumerated so far, and only those. In particular, we are able to deal with nondeterministic and possibly innite iteration. We show how to cope with the issue of an iteration no longer being consistent with mutable data. We validate our proposal using the deductive verication tool Why3 and two iteration paradigms, namely cursors and higherorder iterators. For each paradigm, we verify several implementations of iterators and client code. This is done in a modular way, i.e., the client code only relies on the specication of the iteration.

[4]  Clément Fumex, Claire Dross, Jens Gerlach, and Claude Marché. Specification and proof of highlevel functional properties of bitlevel programs. In 8th NASA Formal Methods Symposium, volume 9690 of Lecture Notes in Computer Science, Minneapolis, MN, USA, June 2016. Springer. [ bib  full text on HAL ] 
[3]  JeanChristophe Filliâtre and Mário Pereira. Itérer avec confiance. In Vingtseptièmes Journées Francophones des Langages Applicatifs, SaintMalo, France, January 2016. [ bib  full text on HAL ] 
[2]  David Hauzar, Claude Marché, and Yannick Moy. Counterexamples from proof failures in SPARK. In Software Engineering and Formal Methods, 2016. [ bib  full text on HAL ] 
[1]  Arthur Charguéraud. HigherOrder Representation Predicates in Separation Logic. In Proceedings of the 5th ACM SIGPLAN Conference on Certified Programs and Proofs, Saint Petersburg, Florida, United States, January 2016. [ bib  full text on HAL ] 
PhD theses
Misc.
Reports
[3]  Ran Chen, Martin Clochard, and Claude Marché. A formal proof of a unix path resolution algorithm. Research Report RR8987, Inria Saclay IledeFrance, December 2016. [ bib  full text on HAL ] 
[2]  David Hauzar, Claude Marché, and Yannick Moy. Counterexamples from proof failures in the SPARK program verifier. Research Report RR8854, Inria Saclay IledeFrance, February 2016. [ bib  full text on HAL ] 
[1] 
JeanChristophe Filliâtre, Léon Gondelman, and Andrei Paskevich.
A pragmatic type system for deductive verification.
Technical report, Université Paris Sud, 2016.
[ bib 
full text on HAL ]
In the context of deductive verication, it is customary today to handle programs with pointers using either separation logic, dynamic frames, or explicit memory models. Yet we can observe that in numerous programs, a large amount of code ts within the scope of Hoare logic, provided we can statically control aliasing. When this is the case, the code correctness can be reduced to simpler verication conditions which do not require any explicit memory model. This makes verication conditions more amenable both to automated theorem proving and to manual inspection and debugging. In this paper, we devise a method of such static aliasing control for a programming language featuring nested data structures with mutable components. Our solution is based on a type system with singleton regions and eects, which we prove to be sound.

Back
Books / Journals / Conferences / PhD theses / Misc. / Reports
This page was generated by bibtex2html.