ANR PML: difference between versions

From the LAMA wiki (UMR 5127)

URL of PML project: <tt>http://lama.univ-savoie.fr/tracpml</tt>
==Context and positioning of the proposal==

Ever since FORTRAN appeared fifty years ago, programming languages have been evolving rapidly. These languages now include more and more sophisticated concepts like "objects", "type inference", "modules"... However, this richness is also what makes it more and more complex to train programmers, and makes it difficult for them to keep up with the innovations and changes in programming languages.


Another, orthogonal phenomenon is the emergence of formal methods used in conjunction with various programming languages to test, check or prove software. This introduces another layer on top of the language in order to write specifications, and sometimes yet another one for proofs. Learning a programming language together with the associated specification and proof languages requires considerable effort.


Projects such as [http://www.cs.utexas.edu/users/moore/acl2/ ACL2], the successor of [http://www.cs.utexas.edu/users/boyer/ftp/nqthm the Boyer-Moore theorem prover], use a rather simple language (namely LISP) both as programming language and as specification language, which keeps the system unified. Unfortunately, LISP is somewhat limited both as a programming language (no good treatment of sum types, no module system) and as a specification language (very limited quantification). Moreover, LISP has no compile-time type-checking, which has proved very useful for detecting bugs and automatically asserting properties.


The aim of the present project is to build a very powerful language (with no loss of expressive power compared to state-of-the-art languages) based on a very small number of simple features. We think this will be possible thanks to recent progress both in the semantics of programming languages and the appearance of new algorithms for type inference based on constraint solving. In fact, we propose in [RAF10b] an innovative concept derived from the latter to enable this: constraint checking.

Moreover, the language will be used not only as a programming language and a specification language (as in ACL2), but also as the proof language. This is natural for an ML-like language because pattern-matching is a natural and powerful way to make a proof by case analysis. This also means that our tool will consist of relatively few, unified, yet powerful features.

The idea of a new language arose from the discovery of a new typing algorithm [RAF10b] whose implementation gave birth to a first implementation of PML (Proved ML) by Christophe Raffalli. This implementation is already available from [http://www.lama.univ-savoie.fr/~pml the web page of the language]. However, turning PML into a real tool requires a lot of research and implementation work and this is why we request the help of the ANR. Some of the goals are highlighted in the next sections.


'''PML's approach to mathematics and program certification is unique.''' Existing provers or certification tools feature a base programming language and a logical layer on top of it (be it to write mathematical statements, specifications, or proofs). PML is very different in spirit: every statement, including sophisticated mathematical ones, reduces to the statement that a program fragment does not raise any error.

PML has no dedicated proof language, but the user can still write proofs! Existing programming languages supporting specifications use one or both of two alternatives: automated proofs (ACL2, Why) or proof obligations that the user discharges in a specific language (Coq extraction, Focalize, Why). Several systems provide both, manual proofs being used only when automation fails. PML is again very different: it introduces a new instruction, written with a "scissors symbol" <tt>'''8<'''</tt>, to express that the corresponding position in the program is ''dead'', meaning that it cannot be reached during evaluation. This condition is checked by a terminating variant of the Knuth-Bendix completion algorithm. This is rather simple and therefore easier to trust than modern decision procedures. However, it only solves trivial cases: to write complex proofs, the user uses the same syntax as for programs to do case analysis or induction (i.e., recursive definitions). This means that the user does not need to learn a specific proof language, which hopefully makes PML easier to learn and better suited to industry than previous solutions.

The logic of PML is just the equational theory of its programming language; and we use variants of Knuth-Bendix completion as a proof-checker. The first experiments with the current implementation are promising. However, adapting the Knuth-Bendix procedure to the context of ML is a complex and new research problem. A lot more work is needed, for instance to handle proofs in arithmetic which occur quite often. Here is an example of a proof in arithmetic, checked in the current version of PML. This is not completely satisfactory (hard to write), but shows the use of the language for both proofs and programs and the use of recursive functions for inductive proofs:

<pre>
val rec mul_associative x y z |- (x * y) * z == x * (y * z)
proof match x with
    Z[]   -> 8<   (* trivial case handled automatically by Knuth-Bendix *)
  | S[x'] ->
    let _ = mul_associative x' y z in   (* there is syntactic sugar for this... *)
    (* this adds the fact (x'*y) * z == x' * (y*z) to the environment *)
    let _ = mul_right_distributive y (x' * y) z in
    (* this adds the fact (y + x'*y) * z == y*z + (x'*y)*z *)
    (* the environment now contains enough information for Knuth-Bendix to handle the rest:
       - x*(y*z) == y*z + x'*(y*z)          by definition of *
       - x*y == y + x'*y                    by definition of *
         and so (x*y)*z == (y + x'*y)*z
       - (x'*y) * z == x' * (y*z)           by the recursive call to mul_associative
       - (y + x'*y) * z == y*z + (x'*y)*z   by the call to mul_right_distributive *)
    8<
</pre>
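
The following is an added illustration, not PML code and not the checker used by PML: a ground congruence closure in Python that decides the closed-term equational goal the final <tt>8<</tt> above asks the checker to discharge. It assumes that the two instances of the unfolding of <tt>*</tt> at <tt>S[x']</tt> are supplied by hand (PML unfolds its own definitions), treats <tt>x'</tt>, <tt>y</tt>, <tt>z</tt> as uninterpreted constants, and uses a naive fixpoint rather than the Knuth-Bendix variant described above; the names <tt>CongruenceClosure</tt>, <tt>assume</tt> and <tt>proves</tt> belong to this example only.

```python
# Added example: ground congruence closure as a model of the closed-term
# equational checking behind "8<".  Terms are tuples ("f", arg, ...);
# plain strings are uninterpreted constants (x', y, z).


def S(t):
    return ("S", t)


def times(a, b):
    return ("*", a, b)


def plus(a, b):
    return ("+", a, b)


class CongruenceClosure:
    """Union-find over a finite set of ground terms, kept closed under
    congruence: f(a1..an) ~ f(b1..bn) whenever every ai ~ bi."""

    def __init__(self):
        self.parent = {}  # term -> parent term

    def add(self, t):
        """Register t and every one of its subterms."""
        if t not in self.parent:
            self.parent[t] = t
            if isinstance(t, tuple):
                for sub in t[1:]:
                    self.add(sub)

    def find(self, t):
        while self.parent[t] != t:
            self.parent[t] = self.parent[self.parent[t]]  # path halving
            t = self.parent[t]
        return t

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[ra] = rb

    def _congruent(self, s, t):
        return (s[0] == t[0] and len(s) == len(t)
                and all(self.find(a) == self.find(b) for a, b in zip(s[1:], t[1:])))

    def _propagate(self):
        """Naive closure: rescan all pairs of applications until no merge
        happens.  Quadratic per round, but the term set is finite."""
        apps = [t for t in self.parent if isinstance(t, tuple)]
        changed = True
        while changed:
            changed = False
            for i, s in enumerate(apps):
                for t in apps[i + 1:]:
                    if self.find(s) != self.find(t) and self._congruent(s, t):
                        self.union(s, t)
                        changed = True

    def assume(self, lhs, rhs):
        """Add the ground equation lhs == rhs to the environment."""
        self.add(lhs)
        self.add(rhs)
        self.union(lhs, rhs)
        self._propagate()

    def proves(self, lhs, rhs):
        """Does the environment entail lhs == rhs?"""
        self.add(lhs)
        self.add(rhs)
        self._propagate()
        return self.find(lhs) == self.find(rhs)


def mul_associative_step(use_hypothesis=True):
    """Inductive case x = S[x'] of (x*y)*z == x*(y*z), with the same facts as above."""
    x1, y, z = "x'", "y", "z"
    x = S(x1)
    env = CongruenceClosure()
    # Unfolding of the recursive definition of * at S[x']:  S[x'] * b == b + x' * b
    env.assume(times(x, times(y, z)), plus(times(y, z), times(x1, times(y, z))))
    env.assume(times(x, y), plus(y, times(x1, y)))
    if use_hypothesis:  # the recursive call mul_associative x' y z
        env.assume(times(times(x1, y), z), times(x1, times(y, z)))
    # the call mul_right_distributive y (x'*y) z
    env.assume(times(plus(y, times(x1, y)), z),
               plus(times(y, z), times(times(x1, y), z)))
    return env.proves(times(times(x, y), z), times(x, times(y, z)))


def mul_associative_base():
    """Base case x = Z[]: only instances of the unfolding Z[] * b == Z[] are needed."""
    Z, y, z = ("Z",), "y", "z"
    env = CongruenceClosure()
    for b in (y, z, times(y, z)):
        env.assume(times(Z, b), Z)
    return env.proves(times(times(Z, y), z), times(Z, times(y, z)))
```

Dropping the induction hypothesis makes the goal unprovable, which is the point of the comments in the proof above: the checker only closes the gap between facts already in the environment; the recursive call and the distributivity lemma have to be put there explicitly, exactly the limitation to closed terms discussed later in the state of the art.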

Moreover, this style of proof is declarative and relatively readable (like Mizar proofs) while concise at the same time. This is very important when you want to maintain large developments.

'''PML is different from the other modern programming languages''' because its design focuses on a few powerful concepts. One consequence is that it is more difficult for a compiler to produce efficient code. In particular, since PML unifies several notions of products (modules, tuples and records), there is no simple way to choose the internal representation of a product, especially with implicit subtyping. Writing a good compiler for PML will thus require more complex and original optimization schemes (probably driven by typing) than for languages like OCaml or Haskell. A Polish student (Wojciech Matyjewicz) is just starting a PhD on this very topic.

Here is a simple example, accepted by the current version of PML, demonstrating product types, sum types and subtyping. We define ternary trees as an extension of binary trees with an implicit subtyping relation (all functions accepting binary trees will accept ternary trees, by ignoring the <tt>middle_son</tt>):

<pre>
type rec binary_tree(A) =
  [ Nil[] | Node[A with left_son : binary_tree(A); right_son : binary_tree(A)] ; ]
type rec ternary_tree(A) =
  binary_tree({ A with middle_son : ternary_tree(A) ;})
</pre>


'''PML requires a termination criterion''' because a proof by induction is just an ordinary recursive program. Such a program has to be well-founded in order to correspond to a valid proof. A subset of Haskell can now use the AProVE tool to establish termination of simple programs. However, we want the test to be fully integrated with the language and compatible with very modular programs. At the moment, these goals seem difficult to achieve with AProVE or other external termination checkers. A first termination criterion based on Lee, Jones & Ben-Amram's "size-change termination principle" was implemented by Pierre Hyvernat [Hyv10b]. While this test is quite powerful, it is necessarily incomplete, and quite some work is required to make termination proofs of complex programs tractable.


==Scientific and technical description==

===Background, state of the art===


====Programming language====

The ML programming language, created by Robin Milner <em>et al.</em> in the 80's, has two major distinctive features:
* Algebraic data types and pattern matching: data types are basically all constructed using fixpoints, Cartesian product (product types) and disjoint union (sum types).
* Static type inference: the type of every piece of code is automatically inferred using the Hindley-Milner algorithm (HM). By construction, once compiled, an ML program cannot crash (no segmentation fault). More precisely, when the unsafe features of the language are not used (like the interface with unsafe libraries written in C), if an ML program produces a segmentation fault, then there is a bug in the type-checker or the compiler.

Recent progress in type inference algorithms uses constraint solving. This means that the type system can be described in first-order predicate logic in such a way that a type inference problem is a formula written in a decidable fragment of first-order predicate logic (often the purely existential fragment). Hence, any constraint solver can be turned into a type-checker for ML. This approach is known as HM(X) (see [SOW97]).

There are two problems with this approach:
* The complexity of constraint solving can be too high for practical use, especially when using a general-purpose constraint solver. To our knowledge, there is currently no mainstream implementation of ML based on HM(X).
* HM(X) does not completely solve the problem of subtyping. The language used to express the types constructed by the constraint solver is the same as the language of types used by programmers. With constraints <math>\alpha \subseteq \beta</math> and <math>\alpha \subseteq \gamma</math> for three types <math>\alpha</math>, <math>\beta</math> and <math>\gamma</math>, the most natural solution is <math>\alpha = \beta \cap \gamma</math>. This implies that intersection needs to be part of the language of types. This means that constraints such as <math>\beta \cap \gamma \subseteq \delta</math> may also appear, and they are problematic to deal with. Similar reasoning shows that constraints of the form <math>\beta \cap \gamma \subseteq \beta' \cup \gamma'</math> may appear, increasing the complexity of constraint solving by an exponential factor.

PML's approach replaces type inference by ''constraint <u>checking</u>'' rather than constraint solving: we only check that the constraints are satisfiable in some model. Type-checking in the current implementation of PML can be seen as a black box ensuring that nothing can go wrong during execution. Moreover, since we do not need to write out solutions to the constraints, the language of types can be relatively simple. In fact, the types written by the programmer aren't even the actual type constraints that are checked: they are syntactic sugar for the partial identity on the intended type (giving for free nice features like higher-order parametric types, that is types with parameters which may themselves be types with parameters). In other words, the expression <tt>x:nat</tt> is a synonym for <tt>(id_nat x)</tt> where
<pre>
val rec id_nat x = match x with
    Z[]   -> Z[]
  | S[x'] -> S[id_nat x']
</pre>
is defined internally by PML. The constraints generated by <tt>x:nat</tt> mean exactly that <tt>x</tt> is of type <tt>nat</tt>.
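
As an added model of the partial-identity reading of types just described (Python, not PML, and not how the PML type-checker works, which never runs these functions but checks constraints about them): constructors are encoded as tuples <tt>("Tag", payload)</tt>, records as dicts, and each type is a function that returns its argument unchanged or fails. Record identities only inspect the fields they name and pass the others through, which is where the implicit subtyping of the binary/ternary tree example of section 1 comes from; parametric types are functions from identities to identities, so nested parameters cost nothing. All encodings and helper names (<tt>record</tt>, <tt>extend</tt>, <tt>has_type</tt>) are assumptions of this model.

```python
# Added example: types as partial identity functions (a runtime model of the
# reading of x:nat as (id_nat x); the encodings below are assumptions).


class NotInType(Exception):
    """Raised when a partial identity is applied outside its domain."""


def id_nat(x):
    # val rec id_nat x = match x with Z[] -> Z[] | S[x'] -> S[id_nat x']
    if x == ("Z",):
        return x
    if isinstance(x, tuple) and len(x) == 2 and x[0] == "S":
        return ("S", id_nat(x[1]))
    raise NotInType(x)


def record(**fields):
    """Identity on records that have at least the named fields; any other
    field is passed through untouched, which gives width subtyping for free."""
    def id_rec(r):
        if not isinstance(r, dict) or not set(fields) <= set(r):
            raise NotInType(r)
        return {**r, **{k: id_f(r[k]) for k, id_f in fields.items()}}
    return id_rec


def extend(id_a, **more):
    """{ A with f1 : T1 ; ... }: check the A part, then the added fields."""
    return lambda r: record(**more)(id_a(r))


def binary_tree(id_a):
    """type rec binary_tree(A) = [ Nil[] | Node[A with left_son ; right_son] ]"""
    def id_tree(t):
        if t == ("Nil",):
            return t
        if isinstance(t, tuple) and len(t) == 2 and t[0] == "Node":
            return ("Node", extend(id_a, left_son=id_tree, right_son=id_tree)(t[1]))
        raise NotInType(t)
    return id_tree


def ternary_tree(id_a):
    """type rec ternary_tree(A) = binary_tree({ A with middle_son : ternary_tree(A) })"""
    def id_tree(t):
        return binary_tree(extend(id_a, middle_son=id_tree))(t)
    return id_tree


def has_type(id_t, value):
    """'value : T' holds iff id_T accepts value and returns it unchanged."""
    try:
        return id_t(value) == value
    except NotInType:
        return False


def count_nodes(t):
    """Written for binary trees; accepts ternary trees by ignoring middle_son."""
    t = binary_tree(record())(t)  # the annotation t : binary_tree({}) as a call
    if t == ("Nil",):
        return 0
    return 1 + count_nodes(t[1]["left_son"]) + count_nodes(t[1]["right_son"])


# Constructed sample values (assumed encodings, not PML syntax)
ZERO, ONE, NIL = ("Z",), ("S", ("Z",)), ("Nil",)
LABELLED = record(label=id_nat)  # A = { label : nat }
BIN = ("Node", {"label": ONE, "left_son": NIL, "right_son": NIL})
TER_LEAF = ("Node", {"label": ONE, "left_son": NIL, "middle_son": NIL, "right_son": NIL})
TER = ("Node", {"label": ZERO, "left_son": TER_LEAF, "middle_son": TER_LEAF, "right_son": NIL})
```

With these definitions a ternary tree passes <tt>binary_tree(LABELLED)</tt> while a binary tree fails <tt>ternary_tree(LABELLED)</tt> (no <tt>middle_son</tt>), and <tt>count_nodes</tt> counts only along the two sons it knows about; a nested parameter such as <tt>binary_tree(record(sub=binary_tree(record())))</tt> needs no extra machinery.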

With this approach, we lose type inference and the ability to display types in error messages. Nevertheless, PML error reporting is quite helpful because, in case of problems, it displays three positions in the code and an error message like <tt>error at position 1, label "id" projected at position 2 does not appear in the value constructed at position 3</tt>. This kind of error message is in fact of bounded length and often more useful than OCaml or SML messages. We can understand this as showing three points in the ''slice'' of the error, as introduced by Joe Wells in [HW04].


====Proof assistant====

Proof assistants have evolved rapidly since Automath in the 1970s. Two main trends coexist: automated proof assistants such as ACL2 and PVS, and ''safe'' ones such as Coq, Isabelle, PhoX, Lego, HOL, Matita, <em>etc.</em> The former incorporate very sophisticated automated deduction strategies, with no ''certificate'' for the validity of the proof, while the latter require all proofs to be done in a specific framework (like natural deduction or type theory) allowing for a simple check of the proof. The gap between the two approaches tends to narrow with the emergence of complex tactics (for Coq or Isabelle mainly) which build proofs for the user. For instance, Zenon is an advanced automated first-order theorem prover that outputs a Coq proof.

The common defect of all these proof assistants is that a proof cannot be written or understood without running the proof assistant. Some proof assistants such as Mizar or Alf do not follow exactly the above scheme: Mizar has a declarative style for proofs which is (in theory) readable by a human and checked by a limited checker (this proof style has been adapted to Coq and Isabelle). Unfortunately, there is no formal description of the Mizar proof checker. Alf, on the other hand, is based on proof theory and requires the user to write essentially the complete proof tree, leaving out only a few details. The logic is very well formalized and simple, but writing proofs is tedious and unlike the usual practice of informal mathematics.

This picture of the world of proof assistants shows that some fundamental work is needed. In the current version of PML, the logic is just an equational theory of the underlying programming language. This is easily described formally. The proof engine is, like in Mizar, a limited automated checker inspired by the Knuth-Bendix completion algorithm (KB). The completion algorithm used in PML had to be adapted to the higher-order constructs of ML-like languages and restricted to ensure termination and an acceptable complexity. The current limitation is probably too strong: it is limited to closed terms and cannot use universal theorems automatically (as in the first example of section 1, where one has to give explicitly the argument to use distributivity).

Nevertheless, preliminary examples in the current version show that the approach is worth trying: proofs are concise and readable once you know the language. A very encouraging point is that all examples were written without an interactive interface. This really means that proofs are readable without the help of a computer.


===Rationale highlighting the originality and novelty of the proposal===

The final objective of our project would be a full PML compiler, bootstrapped and completely proved with itself (full bootstrap). This does not exist for any language and is far too ambitious for a four years project. More realistically, we plan to produce a compiler for PML, written in PML, but not proved in PML yet.


We also want to develop proof-checking so as to allow very elegant proofs, supporting the feasibility of a full bootstrap by various examples, some of them close to industrial applications, others being algorithms coming from the implementation of programming languages.

We have focused the existing development on the quality of the language both for proofs and programs. By quality, we mean easy to understand and write (and therefore easy to learn). We think that using the programming language as a proof language could make formal methods more attractive to industry, without the defect of systems like PVS and ACL2 where automated tactics replace the need for a proof language but are sometimes hard to control and use. For instance, finding the right ''lemmas'' to make a proof possible in ACL2 is quite difficult.


'''Comparison with other proof systems devoted to programming.''' Many other proof systems have been used or specifically developed to allow the production of certified code: extraction in Coq, Why with its automated prover Who from the Proval project, Focalize, PVS, ATS, ... None of these systems uses the programming language as a proof language. They all have a dedicated language for proofs, and even if some of them, like Focalize or Coq extraction using a Mizar-style proof mode, have readable proofs, learning the proof language is never trivial. Other systems like PVS, ATS, or Why using Who rely on automated deduction. In those cases, the behaviour of the automated prover is always hard to predict.

Another selling point is that the logic and the programming language are fully integrated. This is not a two-level system like most systems (but not all: ACL2, for instance, is fully integrated). In PML, the statements of theorems and their proofs are expressions at the same level as programs. This means that a program can contain specifications that themselves contain program definitions in their statement or proof, and so on. This is generally not possible (even in ACL2) and makes it possible to write modules together with their specifications.

One of the key ideas of this project is that any ML-like programming language already has all the features needed for a proof language: case analysis via pattern matching and exception handling, induction, and calls to previously defined programs/theorems. This means that it is natural to explore this direction.

'''Comparison with other programming languages.''' Another key idea in PML is to develop the language and its proof-checker together. This has a great impact on the design of PML. Let us illustrate this with a concrete example: exception handling. In ML, there is a construct
<pre>
try P with e -> R
</pre>
but this is not sufficient to do case analysis on whether a program <tt>P</tt> raises an exception or not. In particular, <tt>R</tt> can be the proof for the case where <tt>P</tt> raises an exception, but there is no place holder for the normal case (without exception). This is why we had to introduce
<pre>
let try x = P in Q with e -> R
</pre>
where <tt>Q</tt> is evaluated only when <tt>P</tt> reduces to a value.

A great number of decisions on the language design come from the interaction between the development of the programming language and its proof-checker. Another key feature of PML, which makes the project original even as a programming language compared to many other programming language research projects (GALLIUM, Haskell, Scala, ...), is the use of constraint checking. This choice arises from the fact that we want a language as small as possible, because a proof-checker is complex; therefore, we want to fully unify all sorts of Cartesian products, including modules, records, tuples and variants with multiple arguments. This is already achieved in the current implementation of PML and, to our knowledge, no ML-like language has a single yet still powerful notion of Cartesian product.

All the systems previously mentioned allow to prove programs in limited subsets of existing languages like ML or Haskell. The prover has to find ways to deal with those languages' defects rather than improve them...

==Scientific and technical program, project management==

===Specific aims of the proposal===

As said in the previous section, the final objective would be a fully bootstrapped PML: PML entirely written and proved in PML. This would be too ambitious at first, and we chose to focus here on the design of the language plus a proof of concept, that is the compilation and proof of various examples, doing our best on the following points:

* Natural way of writing programs (Task 1)
* Efficiency of the code generated by the compiler, despite the heavy use of subtyping (Task 3)
* Readable and short proofs (Task 1, Task 4)
* Efficiency of type-checking and compilation (Task 2 and 6)
* Efficiency of proof-checking (Task 4 and 6)
* All of the above points need testing, and we created a transverse fifth task for that.


===Project management===

We plan to have one 3-day workshop per year with all the members of the project, invited speakers and interested outsiders. We think these meetings are fundamental to keep the project running and to inform everybody of the project's progress and problems. We already have the agreement of some people to participate in such meetings: Joe Wells, Assia Mahboubi, Andreas Abel, ...


We will also organize two project meetings per year, just to keep track of progress, share ideas and organize the above workshops and other invitations.

We also want to organize visits by one or two project members to researchers working on similar topics (typically a member of the project could visit one of the invited speakers of our workshop). Members of the project should also travel to conferences on the subject like POPL, LICS, CSL, TYPES or the recently created CPP (first conference in 2011).

===Detailed description of the work organized by tasks===

====Task 1 - theoretical work, design of the language ====

Coordinator: Christophe Raffalli

Participants: Pierre Hyvernat, Alexandre Miquel, Tom Hirschowitz

'''1.a - Correctness of the constraint checking algorithm''' (delivered 09/2012): [RAF10b] already covers correctness without polymorphism. A draft of the correctness proof with polymorphism exists but needs more work. The main open problem here is the interaction with the termination check. The current work proves that when the constraints are checked, the program can only loop via recursive definitions. We would then like to prove that the program terminates if its recursive definitions are accepted by the termination checker. However, this is non-trivial.

This being a central piece of PML, it should also be one of the first tests for PML in task 5. We could also prove this part of PML in Coq (in fact, two provers proving themselves and each other correct is a much stronger guarantee than one prover proving itself).


'''1.b - Consistency of proof-checking''' (beginning 09/2011, delivered before 09/2013 for the core of the language): This is essential for clearly defining the logic of PML and prove its consistency. This should not be too hard for the core of the language. However, this proof has to be extended to take into account all future extensions of the language and could be seen as a ''permanent task''.

'''1.c - Adaptation of uniqueness typing to the context of constraint checking''' (beginning 09/2012, delivered 01/2014): The current version of PML is a pure functional programming language, with no imperative features. This is problematic, because input/output is necessary for real programs and in-place assignment is required for efficiency, especially when using large arrays. We plan to adapt the approach of the [http://clean.cs.ru.nl/ Clean language] [AGR92], [AcP95], [AcP97], [VPA07]. In Clean, all programs can be analysed as purely functional programs, but the type system can check that some data is no longer used and reuse its memory for other data (allowing in-place update). For instance, in such a context writing to a file <tt>f</tt> can be written as <tt>let f' = write f str in ...</tt>, but the compiler must check that <tt>f</tt> is not used any more, which makes the standard imperative semantics of writing to a file equivalent to the purely functional semantics used by proofs.



'''1.d - Private, abstract and existential types.''' (beginning 09/2011, delivered 09/2012 for private types; beginning 09/2012, delivered 09/2013 for existential types; beginning 09/2013, delivered 09/2015 for abstract types)

Abstract data types hide the definition of a data type and allow the user of a library to be sure that their code will continue to work even if the internal representation of data is changed. In the context of constraint checking in PML, adding abstract data types seems to be a challenging task. Moreover, abstract data types are a form of existential quantification over types and could raise some consistency issues. We hope to find a way to incorporate abstract types in PML without losing coherence.

A first step would be private data types. They are a very simple yet very powerful mechanism for easily ensuring invariants on all values of a data type. The mechanism is as follows: the compiler simply checks that the constructors of a data type are not used for constructing values. Values are constructed by construction functions, as with abstract data types. However, unlike abstract data types, constructors can still be used as patterns for defining functions by pattern-matching. Hence, a library on a private data type is not closed but can easily be extended. Private data types are therefore an important and very useful feature for defining data structures with complex invariants and proving their correctness more easily. They have been implemented in OCaml by Pierre Weis and are described in Frédéric Blanqui, Thérèse Hardin and Pierre Weis' ESOP'07 paper [BHW07].

A second step would be existential types, which are very similar to abstract types, but with no free name for the abstract type. On a logical level, they do imply an existential quantification over types, which has to be limited to ensure consistency. Abstract types, on the other hand, require the type to have a free name, which corresponds in logic to a definite description operator (similar to Hilbert's epsilon operator); this, being connected to the axiom of choice (over types), may be really problematic for consistency. Some related work exists in the PhD thesis of F. Ruyer, a former student of C. Raffalli [Ruy06].

====Task 2 - termination====

Coordinator: Pierre Hyvernat

Participants: Christophe Raffalli, Andreas Abel, Frederic Blanqui

Remark: this is an essential task, running during the 4 years. There will always be some embarrassing examples that do not work, but could work... both for the core and auxiliary criterion (see below for the distinction) meaning that this research field will remain open forever.

Even if it might be counter-intuitive at first, it is often necessary to write programs whose execution can be infinite. For example, any kind of "server", or almost any interactive program, might have infinite executions. Even in a purely mathematical setting, it can be interesting to have intermediate non-terminating functions. Consider a function outputting the stream of prime numbers: even though this function is non-terminating, we might use it in a terminating manner in a proof by requesting the first ''n'' prime numbers.

Since PML uses full recursion (keyword <tt>rec</tt>), writing such programs is easy. On the other hand, the notion of "terminating", or "well-founded", recursive function isn't part of the core of PML: such programs are just special cases of recursive programs. The user will have to specify which functions are in fact terminating and might have to prove it themselves when PML cannot infer termination automatically.

Proofs of specifications are just PML programs, and those cannot be allowed to run infinitely. More precisely, even though proofs will never be run at all (they have no computational content), they are required to be well-founded. The consistency of PML relies on this. In order to relieve the user from proving that all proofs are in fact terminating, PML should offer a way to check automatically that (some) functions are terminating. Because the halting problem is undecidable, it is hopeless to do that in full generality, but this is seldom necessary: many proofs terminate for obvious reasons. PML only needs to work for most of the functions, most of the time (rather than for all the functions, all the time...).

Technically speaking, PML can infer an error called <tt>Loop</tt> when it encounters a program which, it thinks, may not terminate. Such an error cannot be caught: this is an error rather than an exception. The property we need to guarantee is that if PML does not infer that the error <tt>Loop</tt> is possible, then the program in question does indeed terminate. If the error <tt>Loop</tt> is deemed possible for a terminating function, the user can still provide PML with a proof that this error is never raised. PML's current syntax for that is <tt>[p proof ... ]</tt> where <tt>p</tt> is a term and <tt>...</tt> is a proof that <tt>p</tt> raises neither an exception nor an error (this is the desired property for proofs).

'''2.a - Core termination criterion''' (delivered 09/2010)

This first test is now part of PML. Since primitive recursion isn't enough in practice, even for proofs, a subtler and more powerful termination criterion has been implemented. This is an extension of the "size change principle" of Lee, Jones and Ben-Amram [LJ01]. This test successfully checks termination for primitive recursion, lexicographic ordering and permutation of arguments, and thus covers most simple practical cases. The implementation is quite similar to the original size-change principle, but the proof of correctness is surprisingly more difficult: see [Hyv10b].
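To make the criterion of 2.a concrete, here is an added Python illustration of the size-change principle (example code written for this page, not PML's own termination checker): call sites are abstracted into constructed size-change graphs for hypothetical functions <tt>ack</tt>, <tt>swap</tt>, <tt>even</tt>/<tt>odd</tt> and <tt>ping</tt>, and the check covers lexicographic ordering, permutation of arguments and mutual primitive recursion, while the rotating call is the kind of program for which <tt>Loop</tt> has to be reported.

```python
"""Size-change termination (SCT) check over abstract call graphs.

Constructed illustration for this page, not PML's own checker.  Each call
site becomes a size-change graph: for a call from function `src` to `dst`,
an arc (i, '>', j) means the j-th argument of the call is strictly smaller
than the i-th parameter of the caller, (i, '>=', j) that it is at most as
large.  The criterion accepts when every idempotent self-loop graph of the
closure under composition has a strict arc i > i; otherwise Loop is possible.
"""

STRICT, WEAK = ">", ">="


def _normalize(arcs):
    """Keep only the strongest label for each (source, target) pair."""
    best = {}
    for i, lab, j in arcs:
        if (i, j) not in best or lab == STRICT:
            best[(i, j)] = lab
    return frozenset((i, lab, j) for (i, j), lab in best.items())


class SCGraph:
    """Size-change graph of one call from function `src` to function `dst`."""

    def __init__(self, src, dst, arcs):
        self.src, self.dst = src, dst
        self.arcs = _normalize(arcs)

    def key(self):
        return (self.src, self.dst, self.arcs)

    def compose(self, other):
        """Graph of the call sequence self (src->dst) then other (dst->dst').

        An arc i -> k is strict when at least one of the two arcs it is built
        from is strict, weak otherwise."""
        assert self.dst == other.src
        arcs = [(i, STRICT if STRICT in (l1, l2) else WEAK, k)
                for (i, l1, j) in self.arcs
                for (j2, l2, k) in other.arcs if j == j2]
        return SCGraph(self.src, other.dst, arcs)

    def is_idempotent(self):
        return self.src == self.dst and self.compose(self).key() == self.key()

    def has_strict_self_arc(self):
        return any(lab == STRICT and i == j for i, lab, j in self.arcs)


def closure(graphs):
    """All graphs obtainable by composing call-site graphs (a finite set,
    since parameter indices and labels are finite)."""
    seen = {g.key(): g for g in graphs}
    work = list(graphs)
    while work:
        g = work.pop()
        for h in list(seen.values()):
            for a, b in ((g, h), (h, g)):
                if a.dst == b.src:
                    c = a.compose(b)
                    if c.key() not in seen:
                        seen[c.key()] = c
                        work.append(c)
    return list(seen.values())


def size_change_terminates(graphs):
    """SCT criterion: True if every idempotent self-loop graph in the closure
    has a strict arc i > i; False means 'Loop possible'."""
    return all(g.has_strict_self_arc()
               for g in closure(graphs) if g.is_idempotent())


# Constructed examples; parameters are referred to by 0-based position.
# ack(m, n) calls ack(m-1, 1) and ack(m-1, ack(m, n-1)): lexicographic order.
ACKERMANN = [SCGraph("ack", "ack", [(0, STRICT, 0)]),
             SCGraph("ack", "ack", [(0, WEAK, 0), (1, STRICT, 1)])]
# swap(x, y) = swap(y, x-1): permutation of arguments; the decrease is only
# visible after composing the graph with itself.
PERMUTATION = [SCGraph("swap", "swap", [(1, WEAK, 0), (0, STRICT, 1)])]
# even(n) calls odd(n-1) and odd(n) calls even(n-1): mutual primitive recursion.
MUTUAL = [SCGraph("even", "odd", [(0, STRICT, 0)]),
          SCGraph("odd", "even", [(0, STRICT, 0)])]
# ping(x, y) = ping(y, x): arguments only rotate, so Loop must be reported.
ROTATE = [SCGraph("ping", "ping", [(1, WEAK, 0), (0, WEAK, 1)])]


def check_examples():
    """Run the criterion on the constructed examples."""
    return {name: size_change_terminates(g) for name, g in
            [("ackermann", ACKERMANN), ("permutation", PERMUTATION),
             ("mutual", MUTUAL), ("rotate", ROTATE)]}


if __name__ == "__main__":
    for name, ok in check_examples().items():
        print(f"{name}: {'terminates' if ok else 'Loop possible'}")
```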


'''2.b - Improvement of the core termination criterion''' (beginning 09/2011, never ending)

The size-change principle is simple and powerful, but many cases occurring in practice aren't tagged as terminating. We plan to adapt to PML a termination criterion based on the technique of type-based termination, which allows for recursive calls through size-preserving functions such as <tt>List.map</tt>. There are several possibilities, ranging from simple systems such as the ones developed by Abel (RAIRO'04) [Abel04], Barthe et al (MSCS'04) [Bar04] or Blanqui (RTA'04, CSL'05) [Bla04, Bla05c], to the very rich system of Blanqui and Riba (LPAR'06) [BlR06]. In the latter, given for each function some formula in Presburger arithmetic describing how the size of the output is related to the size of the inputs (the correctness of which can be checked automatically), termination follows from the fact that recursive calls are done on strictly decreasing arguments, using for instance lexicographic or multiset comparisons together with linear combinations of the arguments. Intermediate systems, such as the one of Barthe, Grégoire and Riba (CSL'08) [BGR08], which is powerful but with a lower complexity than Presburger arithmetic, also have to be considered.

This development looks rather orthogonal to the implemented criterion and might require small modifications of other parts of PML in order to get the appropriate information. On a different level, slight extensions should be added to the existing criterion to improve its complexity on some specific examples that are recognized as terminating, but not in a reasonable time.

This core termination criterion needs to reach an acceptable compromise between power and simplicity. In particular, the most complex developments may not find their way into the core termination criterion, but rather be used in the next task...

'''2.c - Use of external provers''' (beginning 09/2011, never ending)

In order to circumvent the limitations of the core termination criterion, we propose to use external powerful termination provers like [http://aprove.informatik.rwth-aachen.de/ Aprove] or [http://colo6-c703.uibk.ac.at/ttt2/ TTT2] that implement and combine many other termination techniques. To this end, we can define translations from PML programs to one or more of the possible formats currently used in the [http://termination-portal.org/wiki/Termination_Competition annual international competition on termination] and in particular: first-order rewrite systems (TRS), dependency pair problems (DP problem), higher-order rewrite systems (HOTRS) or Haskell programs. In particular, we could reuse some of the techniques used for converting Haskell programs into first-order DP problems in [Gie06].

But to what extent can we trust the results of these provers? Fortunately, many termination provers now provide certificates in a format called [http://cl-informatik.uibk.ac.at/software/cpf/ CPF] that can be checked by certified, dedicated tools like [http://cl-informatik.uibk.ac.at/software/ceta/ CeTA], [http://color.inria.fr/ Rainbow] or [http://a3pat.ensiie.fr/ CiME3].

The most pragmatic route is simply to trust those tools and concentrate on proving that the translation from (restricted) PML code to the input language is indeed correct. Of course, the ideal solution would be to be able to translate the external certificates into an equivalent PML program whose termination can be inferred by the core criterion. The complexity of tools like [http://aprove.informatik.rwth-aachen.de/ Aprove] makes this look very difficult, and it is probably hopeless to do it in a general manner.

'''2.d - Modularity and termination''' (beginning 09/2013, never ending)

The core termination prover does not use the definition of functions to prove their termination, but only information gathered from the typing constraints. When using an external prover on a large development, one would also like to avoid sending a large piece of code to the external prover.

A function such as <tt>map</tt> preserves the length of a list. But the notion of length does not appear explicitly in the definition of <tt>map</tt>. This means that the current core termination prover often cannot prove termination of a function that uses <tt>map</tt>. It also means that you need to give the definition of <tt>map</tt> to an external tool.

We would like to automatically compute some concise information about the size differences between the input and output of a program. This means that we would like to infer (when possible) a notion of ''size'' from the definition of a function.

'''Remark''': The halting problem is undecidable, and the available external tools for checking termination are always evolving (new systems are developed, old systems are changed or abandoned). This implies that this task will in fact never end and we will always try to improve the termination checker.

====Task 3 - compilation ====

Coordinator: Christophe Raffalli

Participants: Pierre Hyvernat, Wojciech Matyjewicz, Tom Hirschowitz

'''3.a - A first compiler using LLVM''' (beginning 12/2010, delivered 1/2012) LLVM is a compiler infrastructure providing many tools: a compilation strategy, a virtual instruction set, compiler infrastructure, tools to write high-level virtual machines, etc. LLVM is very attractive because it is rather simple to use (it even has an OCaml interface) and can compile for a bytecode interpreter, can be used as a JIT compiler or as a standard compiler. Moreover, it supports a lot of platforms. It also provides some optimizations, which is important. We think that writing a compiler, with no optimization, for PML using LLVM should not be too hard (it is important that this task be easy, because this is not really research...)

A Polish PhD student, Wojciech Matyjewicz, has started to work on this in December. He visited the LAMA for one week to start the project. It is important to note that he is a first-year PhD student in Poland and that the first year there is equivalent to our Master 2, which means that Wojciech Matyjewicz is a potential candidate.

Then, we would like to improve our compiler in various directions. We mention here the ones that are innovative in this domain (we should also consider more standard optimizations, but we do not mention them specifically).

'''3.b - Representation of cartesian product and disjoint sum''' (beginning 12/2010, delivered 1/2012 for product) PML allows only one kind of cartesian product, which in general (because of multiple inheritance and implicit subtyping) must be represented as a table (a hash table or a map based on binary search trees). This can impact performance. We plan to generate extra constraints for each occurrence of a constructor of a cartesian product in a program. Solving these constraints in a way that optimizes speed (or size) should then allow for a representation of cartesian products that is more efficient than, for instance, OCaml's. The same kind of optimization (with a different optimization criterion) should be done for sum types and the implementation of pattern matching. This optimization should be included in the first compiler because the implementation with tables is too costly even for a temporary solution.

'''3.c - Unboxing''' (depends on some parts of 3.b, beginning 1/2012, delivered 1/2013) In general, 32-bit integers and floating point numbers are boxed (that is, represented by a pointer). This allows a more elegant language, but it can have a major impact on performance, especially when arrays are involved. We think that constraint checking is a good framework to propagate type information and allow efficient unboxing. Nevertheless, doing enough unboxing to try to match the performance of low-level languages like C is very hard. We hope that we can reuse some of the work of task 3.b, because unboxing can also be seen as the optimization of the representation of a cartesian product with only one field.

'''3.d - compilation of assignment (references and arrays) and IO''' (depends upon 1.c, beginning 09/2012, delivered 03/2014) After adapting uniqueness typing to PML (task 1.c), we will be able to compile assignment and IO imperatively, as in any imperative programming language.

'''3.e - Garbage collection''' (beginning 01/2014, delivered 09/2014) For simplicity reasons, the first compiler will simply use Boehm's garbage collector. This garbage collector is relatively efficient and simple to use. However, Boehm's GC isn't optimized for the kind of allocations used in a functional language. Moreover, having a multithreaded GC could prove useful in modern environments. We thus plan to replace Boehm's GC by a dedicated GC tuned for our purposes.

Writing a GC that is both efficient and correct is not easy, and this sub-task is rather orthogonal to the PML language, which explains why it only comes later during the project. Nevertheless, we feel it is necessary to go through the trouble if we want to be as efficient (or even better, more efficient) than existing functional languages...

====Task 4 - Automated reasoning====

Coordinator: Frédéric Blanqui

Participants: Frédéric Blanqui, Christophe Raffalli

The kernel of the proof engine will be based on completion techniques. Knuth-Bendix completion tries to transform a set of unoriented equations into an (inter-reduced and) convergent, that is, terminating and confluent, set of rewrite rules. It can therefore be used to prove that some equality is an equational consequence of some equational theory. Indeed, when an equational theory can be completed into a convergent rewrite system, two terms are equivalent in this equational theory if their normal forms in the convergent rewrite system are equal.

'''4.a - Adaptation of the Knuth-Bendix completion algorithm to PML''' (already started, delivered 09/2015) As explained just before, Knuth-Bendix completion is based on rewriting. However, in PML, programs are not rewriting systems. We therefore need to adapt Knuth-Bendix completion: we need both to generalize it to use the notion of constructor present in ML and to take care of the higher-order nature of ML (even if we cannot hope for much here).
As said above, something is already implemented, but it is trivial because it is completely restricted to closed terms. A first version should at least be able to rewrite a closed term modulo some simple equational (and universal) theory. An important point here is to ensure termination
of this algorithm, and even a low complexity. The price to pay will be incompleteness. A lot of care should also be devoted to the correctness of the implementation, because, as for task 3.a, the consistency of PML relies on it.

This task is one of the major tasks for PML, and a first version already exists, but it is non-terminating in the presence of equalities between functions: if we have an equation like ''f = f o f'', PML may use this equation as a definition of ''f'' and loop. For dealing with these cases, we are considering a fix which involves some notions similar to those of ''geometry of interaction''. Another particular and very important case of universal equations that we should take into account is associativity and commutativity. It is indeed very important to ease proofs on integers (addition and multiplication are associative and commutative). To this end, we could reuse the [http://cime.lri.fr CiME] library.

Note that this work could benefit other projects and tools, like [http://moca.inria.fr/ Moca], a generator of construction functions for private data types with algebraic invariants, also based on completion, or Europa, a proof assistant based on the lambda-pi-calculus modulo rewriting developed by Gilles Dowek and [http://www.lix.polytechnique.fr/Labo/Mathieu.Boespflug/ Mathieu Boespflug]. Indeed, currently, Moca generates OCaml code without any guarantee on its correctness. Using PML instead, Moca could also generate a proof of the correctness of the generated construction functions.
Then, later, when trying to prove the correctness of a function defined on this private data type, one can use the invariants satisfied by the values of the private data type as assumptions, since these invariants are satisfied by construction.

'''4.b - Use of external provers''' (beginning 03/2012, delivered 09/2015) As for termination proofs, in order to increase the proving capabilities of PML, we will provide a translation of PML proof goals into the [http://www.cs.miami.edu/~tptp/ TPTP standard format] of the CASC competition in order to be able to use external provers too, and in particular provers based on completion like [http://www.waldmeister.org/ Waldmeister], [http://cime.lri.fr/ CiME] or [http://cl-informatik.uibk.ac.at/mkbtt/ mkbTT], but not only. Possibly also some certifying provers like [http://focal.inria.fr/zenon/ Zenon], based on tableaux, or [http://alt-ergo.lri.fr/ Alt-Ergo], based on SMT (satisfiability modulo theories).

'''Same remark as for termination''': The problem is undecidable, and the available external tools for automated reasoning are always evolving (new systems are developed, old systems are changed or abandoned). This implies that this task will in fact never end and we will always try to improve the automated reasoning.

====Task 5 - validation (transverse task) ====

Coordinator: Christophe Raffalli

Participants: Pierre Hyvernat, Christophe Mouilleron, Tom Hirschowitz.

The validation requires writing numerous examples to check that we fulfill our main goal, which is that all programs (with or without proof) are written in the best possible way. This work being research, we think that it is important that any piece of code written in PML that does not look ''right'' is carefully examined to check that this is not due to a defect in the language design.

Christophe Mouilleron and Erik Martin-Dorel started to work on the axiomatization of computer arithmetic within an ongoing PEPS project. This is a good test for PML and moreover a requirement,
because we want PML to be a real programming language and therefore the limited arithmetic of processors (32- and 64-bit integers and floating point numbers) must be supported by PML. However, proving software using them is not trivial at all, and Christophe Mouilleron, a member of the Arénaire team at ENS Lyon, is a specialist in this domain.

Tom Hirschowitz and Christophe Raffalli already started (and almost finished) a proof in PML that
categories, functors and natural transformations form a 2-category (this development is available in the example directory in the current version of PML). We plan to continue such abstract developments and we think that they could lead to interesting perspectives about the modularity of PML.

More general code, including a standard library and some significant mathematics, should be developed (there are already around 10,000 lines of PML code in the current distribution). Moreover, we started to port Pierce et al.'s course, in Coq, on software foundations (http://www.cis.upenn.edu/~bcpierce/sf/) to PML. The first three files are translated and there remain a dozen files of around 2500 lines each to translate. This is a major work, but it would provide a very good test for PML, and a good tutorial.

This task should deliver at least 100,000 lines of PML code in order to have
a sufficient corpus to say in which respects we fulfilled our goals.

==== Task 6 - Optimization of PML (transverse task) ====

Coordinator: C. Raffalli

Participants: All (anyone could optimize the part of PML he was involved in).

Some of the choices in the design of PML involve rather complex algorithms. Notably, this is the case for the constraint checking algorithm and the completion procedure. The first implementation is not trivial, but not optimized either. And very often, we have discovered, and will continue to discover, that PML is too slow. The goal of this transverse task is to ensure that PML is usable.

Currently, some optimizations have already been added. For instance, PML uses a SAT solver for various
tasks: completeness and usefulness of cases in pattern matching, and dealing with negative
hypotheses (like <tt>x</tt> is not equal to <tt>S[x]</tt>) in the completion procedure. Improving the SAT solver using J.C. Filliâtre's work [] and simplifying the formulas before giving them to the SAT solver were a major improvement.

A lot of other optimisations are planned:
* The graph used to encode the typing constraints should probably be reduced (that is we should compute its transitive reduction).
* The completion procedure stores a set of terms of the language and we need a fast way to recover the set of all term using a given sub-term. The current implementation is too naive.
* ...


=== Planning of tasks, deliverables and milestones ===




''Present a timeline of the different tasks and their dependencies in graphical form (for example, using a Gantt chart). Present a summary table of all the project deliverables (task number, date, title, person in charge).''

The following diagram represents the summary of the tasks and subtasks, together with the intended planning:

[[Image:pml-gantt.png]]


==Data management, data sharing, intellectual property and results exploitation==


''Present the strategies for exploiting the results: scientific communication; communication to the general public, where applicable; exploitation of the expected results; scientific and technical spin-offs, possibly industrial and economic spin-offs, ... the place of the project in the industrial strategy of the companies partnering in the project; other spin-offs (standardization, informing public authorities, ...); for databases, indicate the storage and maintenance arrangements as well as the beneficiary communities.''

Results in each of the tasks will be published in journals (APAL, TCS, ...) and international conferences as usual (LICS, TLCA, CSL, CIE, ...).


''Outline the main approaches to protecting and exploiting the results. For partnership projects between research organizations and companies, the partners must conclude, under the aegis of the project coordinator, a consortium agreement within one year if the project is selected for funding. For academic projects, the consortium agreement is not mandatory but strongly recommended.''

The PML language is already distributed as open source software under the CeCILL-B license. We think that for such a research platform, this is the only possible way to ensure that people will try it. As soon as a first compiler is available, we plan to produce easy-to-install packages, at least for some well-known Linux distributions (Debian and its derivatives seem a good choice).


==Consortium organization and description==


===Relevance of the partner for the project===


''Briefly describe each partner and provide here the elements allowing the partners' qualification for the project to be assessed (the "why who does what"). These may be past achievements, indicators (publications, patents), the partner's interest in the project, ... (the CV of each partner's scientific leader is not to be given here). Provide in appendix 7.2 a more detailed presentation of the partners, their know-how and their contributions to and expectations from the project. Show the complementarity and added value of the cooperation between the different partners. Interdisciplinarity and openness to various collaborations should be justified in line with the project's orientations. (one page maximum)''

This project involves only one partner, the LAMA (UMR 5127), where the coordinator of the project already developed the proof assistant PhoX. The main characteristic of PhoX is to be rather simple to use thanks to a set of tactics which is limited (less than 20 for the principal ones) but powerful. Moreover, tactics are extensible by ''incorporating theorems'' inside the tactics.


Clearly, this means that efficiency was the main goal of PhoX. Unfortunately, like those of all tactical theorem provers, PhoX proofs are not readable. After a few attempts with a Mizar-like mode for PhoX, Christophe Raffalli decided to move to a new theorem prover, starting from scratch.


Pierre Hyvernat is also in Chambéry and is the second developer of PML (he wrote the current termination checker). Tom Hirschowitz has some prior experience from his PhD on the compilation of functional languages. At ENS Lyon, which is very near Chambéry, Alexandre Miquel is a specialist of consistency proofs for logical frameworks. Therefore, Chambéry is the very natural partner for this project.

===Qualification of the project coordinator and members===

''Provide the elements allowing the coordinator's ability to coordinate the project to be assessed.''


The coordinator and the various members of the project come from various backgrounds (see section 7), but they have a common background around the use and development of programming languages and/or formal methods. We think that this variety, together with the small number of members, should allow for good communication and should be very fruitful.


We think that, compared with the development of PML by Christophe Raffalli alone, such a team should speed up the development of PML by a factor of approximately 3, making it possible to deliver a very innovative and useful tool at the end of the project. The lack of support for such a team would certainly limit the tool to an experimental toy with many developments only partially (or even not at all) integrated into the project.
Christophe Raffalli will also ask for delegations during the project to be able to spend even more time on it.

''For each person whose involvement in the project exceeds 25% of their time over the whole project, a biography of one page maximum will be placed in appendix 7.2 of this document, containing:

Surname, first name, age, background, current position
Other professional experience
List of the five most significant publications (or patents) of the last five years, number of publications in international journals or peer-reviewed conference proceedings.
Prizes, distinctions
If needed, for each person, their involvement in other projects (public and private contracts completed or ongoing over the last three years) will be presented according to the model provided in appendix 7.3. Involvement in European projects or in other types of national or international projects will be specified. Explain the relationship between the proposed work and previous or ongoing work.''


==Scientific justification of requested budget==


''Present here, for each partner, the scientific and technical justification of the resources requested in submission document A. These resources are summarized at project level in the "Summary tables" sheet of that submission document A.

Each partner will justify the resources requested, distinguishing the different expense items according to the following outline:''

''(One section per partner)''

====Meetings (total 9720€ per year)====

Two meetings and one workshop per year, 3 days each, for 7 people. Each meeting costs
1 train ticket in France, 3 days and 2 nights:
3*7*(100 + 3*20 + 2*80) = 6720€.

For the workshop, we have to invite 2 to 3 guests. Some may come from foreign countries and we estimate the cost
at 3000€ per year, which means a total of 9720€ per year.

====Visits (total 10000€)====

We think that it is very important for this project to interact with other projects.
For instance, Andreas Abel came to visit Chambéry in 2010 for two weeks, financed by our PEPS
project, and during this time gave an important boost to the implementation of the termination checker
[Hyv10b] and contributed a non-trivial example with a proved implementation of left-leaning red-black trees.

We want to continue such interactions. Andreas Abel has already agreed, as well as Joe Wells for discussions about error reporting, and Assia Mahboubi for complex proofs involving the reflection principle. Many other discussions would be profitable about the PML runtime (with multithreading?), interaction with external tools (termination checkers or automated theorem provers),
uniqueness typing (meeting with people already using such techniques), ...

We plan around 4 short visits of one or two weeks from people outside the project to Chambéry, and the same number of short visits in the other direction. This means around 12 weeks per year with 8 trips, for a cost of 500€ per week (x12) plus, on average (depending on whether we use plane or train), the same amount for each trip (x8), with a total of 10000€ per year.

====Conferences (total 9600€ per year)====
The members of the ANR project will submit papers to international conferences and
journals and attend specialized workshops. We have 2.5 person-years per year on the project, which means
around 3 international conferences or workshops per year (estimated cost 2000€) and one national conference or workshop per year (estimated cost 1200€).

====Master internships (total 1500€ per year)====
We plan to host around four master internships in good conditions (possibly
followed by PhD studentships not financed by the ANR): one per year, with a total cost of
6000€ (1500€ each: 300€ for travel and 200€ per month for accommodation at
the CROUS).

====Computers (total 2000€ per year)====
We consider that the ANR project has to participate in the renewal of the
computers of its participants. The lifetime of a computer being 4 years and
the total number of months for permanent members of the project being 112, we
think that we should pay for 4 computers with an average value of 2000€ each
(we need powerful computers and laptops, because automated reasoning requires
a lot of computation and memory).

====Human resources financed by the ANR (1 PhD student, 2 two-year postdocs and 4 months of invited professor)====
This project involves many tasks and 7 members. However, all members
apart from the coordinator and Pierre Hyvernat can only devote 2-3 months per year to this project
(they are involved in other ongoing research). Although this is far from
negligible, we think that we will need more manpower: we estimate that 1
PhD student and 2 postdocs are reasonable.

We also consider that one-year post-docs are not sufficient, because the time needed to
understand the existing code base is long and the student has both to write code and to
publish the results. Moreover, the code produced by the student will not be experimental
code supporting a publication, but code which should remain in the project and be maintained by
other members of the project. In one year, this seems impossible to achieve.

Moreover, as mentioned in the section about visits, we would like to have 1 month per year of invited professor.

This would give a total of 88 months (4 months of invited professor, 36 for the PhD student and 48 for the 2 postdocs),
to be compared with the total of 104/112 months not paid by the ANR. We consider that this is a good balance.

The total cost is 308589€.

====Human resources not financed by the ANR====
{| border="1"

|-
! Name
! month/year
! percentage
|-
| Christophe Raffalli
| 10
| 85%
|-
| Frédéric Blanqui
| 4
| 25%
|-
| Emmanuel Chailloux
| 2
| 15%
|-
| Tom Hirschowitz
| 2
| 15%
|-
| Pierre Hyvernat
| 6
| 50%
|-
| Alexandre Miquel
| 2
| 15%
|-
| Christophe Mouilleron
| 0/2
| 0/15%
|-
| '''Total per year'''
| 26/28
|
|-
| '''Total for 4 year'''
| 104/112
|
|}

Remark: the situation of Christophe Mouilleron next year is unknown. If possible, he will
continue his work on PML started with the PEPS for around 2 months per year. But if it is not possible,
or if he is selected for the post-doc position, then we should not count him. We used the worst case
on the website.

The total cost is 350333€, ignoring Christophe Mouilleron.


==Annexes==


===CV, Resume of all project members===


==== Christophe Raffalli (project coordinator) ====

Age 41, MCF at the LAMA (UMR 5127) since September 1997.

After his PhD in Paris VII (defended in February 1994), Christophe Raffalli spent one and a half years at the LFCS in Edinburgh, 2 years at Chalmers University in Göteborg (post-doc of the TYPES European project) and 1 year as ATER at Créteil University.

Research administration: For ten years, the LAMA was a sub-site of the Paris VII site inside the TYPES project, which was renewed several times, and Christophe Raffalli was the coordinator for this sub-site. Currently the project is not financed by the E.U. Nevertheless, Christophe Raffalli is in charge of the organization of the next TYPES meeting in Aussois in May 2009.

His research interests include:

* theory and implementation of proof assistants,
* proof theory,
* implementation of programming languages (especially type-systems).


'''Selected publications'''

* [Raf10b] ''Realizability for programming languages'' (submitted, available as hal-00474043)

* [Raf08a] ''PML and strong normalization'', talk at the Types workshop, April 2008, Turin, Italy

* [Raf07b] ''PML: a new proof assistant'', talk at the Types workshop, May 2007, Cividale del Friuli (Udine), Italy

* [Raf06a] ''Realizability of the axiom of choice in HOL (An analysis of Krivine's work)'', with Frédéric Ruyer, in Fundamenta Informaticae (2006)

* [Raf05a] ''PhoX'' with Paul Rozière in The seventeen provers of the World, Freek Wiedijk (editor) LNAI 3600 pages 67-71

* [Raf03b] ''System ST'', Schedae Informaticae, proceedings of the Chambéry-Kraków-Lyon Workshop, Vol. 12, pages 97-112 (June 2003)

* [Raf02c] ''Getting results from programs extracted from classical proofs'', TCS 2004, volume 323, pages 49-70

* [Raf02b] ''System ST, beta-reduction and completeness'', presented at LICS 2003, publication IEEE, pages 21-32

* [Raf02a] ''Computer Assisted Teaching in Mathematics'', with René David, to appear in the proceedings of the Workshop on 35 years of Automath (April 2002, Edinburgh)

* [Raf01d] ''System ST, towards a Type System for Extraction and Proof of Programs'', Archive for Pure and Applied Logic, 2003, volume 122, pages 107-130

* [Raf01c] ''Apprentissage du raisonnement assisté par ordinateur'', with René David, Quadrature no. 45, spring 2002, pages 25-36. Short version published in the Gazette de la SMF, April 2002, no. 92, pages 48-56

==== Frederic Blanqui (INRIA, Rocquencourt) ====

Age 38, permanent full-time researcher at [http://www.inria.fr INRIA].

Frederic Blanqui is an expert in the following areas:
* type theory,
* rewriting theory,
* termination,
* functional programming,
* proof assistants,
* and formal certification of program properties.

Since September 2008, he has been an INRIA researcher at [http://liama.ia.ac.cn LIAMA], the Sino-French Laboratory in Computer Science, Automation and Applied Mathematics.

Between 2003 and 2008, he was INRIA researcher at [http://www.loria.fr LORIA], Nancy, in the Protheo research team led by Pr Claude Kirchner, focusing on the use of rewriting techniques for programming, as well as specifying and proving program properties.

Since 2004, he is leading the [http://color.inria.fr CoLoR] project which aims at providing tools for automatically certifying the termination of programs. Since 2007, CoLoR is the best certification back-end in the international [http://termination-portal.org/wiki/Termination_Competition competition on certified termination provers].

In 2007 and 2008, he led the INRIA [http://quotient.loria.fr/ Quotient] project which aims at extending the [http://caml.inria.fr OCaml] programming language with types whose values automatically satisfy equational invariants using the [http://moca.inria.fr Moca] tool.

He supervised 2 master thesis and 3 PhD students on the extension of type theory with decision procedures, the termination of typed higher-order rule-based programs, and the certification of termination proofs.

He did his PhD with Pr Jean-Pierre Jouannaud at University Paris Sud between October 1998 and September 2001 on the combination of type theory and rewriting theory.

Between October 2001 and August 2002, he worked on the certification of cryptographic protocols with Pr Larry Paulson at Cambridge, UK.

Between September 2002 and September 2003, he worked at Ecole Polytechnique in the [http://coq.inria.fr Coq] development team on the extension of the proof assistant Coq with rewriting.

More details on his activities and publications can be found on his [http://www-rocq.inria.fr/~blanqui/ web page] and in his [http://www-rocq.inria.fr/~blanqui/divers/cv.pdf CV].


'''Selected publications'''

International journals with reading committee: 7

International conferences with reading committee: 15

Other publications (thesis, workshops, invited papers, reports, etc.): 15

Prizes: 2001 [http://www.specif.org/ SPECIF] Award for his PhD thesis by the French national society of teachers and researchers in computer science; and 2001 Kleene Award for the best young researcher paper at the IEEE Symposium on Logic in Computer Science ([http://www2.informatik.hu-berlin.de/lics/ LICS]).


Five most significant publications in the last 5 years:

* [Bla11] F. Blanqui and A. Koprowski. ''CoLoR: a Coq library on well-founded rewrite relations and its application to the automated verification of termination certificates''. To appear in Mathematical Structures in Computer Science.

* [BRK10] F. Blanqui, C. Riba and C. Kirchner. ''On the confluence of lambda-calculus with conditional rewriting''. Theoretical Computer Science 411(37), p. 3301-3327.

* [BR09] F. Blanqui and C. Roux. ''On the relation between sized-types based termination and semantic labelling''. CSL'09. LNCS 5771.

* [BJS08] F. Blanqui, J.-P. Jouannaud and P.-Y. Strub. ''From formal proofs to mathematical proofs: a safe, incremental way for building in first-order decision procedures''. TCS'08. IFIP 273.

* [BHW07] F. Blanqui, Thérèse Hardin and Pierre Weis. ''On the Implementation of Construction Functions for Non-free Concrete Data Types''. ESOP 2007: 95-109.

==== Emmanuel Chailloux (LIP6, Paris) ====


Age 51, full professor at the University
Pierre et Marie Curie ([http://www.upmc.fr UPMC - Paris 6]) in Paris, France,
and since October 2006 researcher at the
[http://www.lip6.fr LIP6] computer science laboratory (UMR 7606),
in the "Algorithms, Programs and Resolution" team ([http://www-apr.lip6.fr APR]).

His research work is related to the design and implementation of programming languages:
* semantics,
* type systems,
* runtime implementation,
* multicores.
Most of the recent publications relate to safety-critical software development.


'''Recent publications'''


[VWC-2011] Vaugon B., Wang P., Chailloux E. '' Les microcontrôleurs
PIC programmés en Objective Caml''. Journées des Langages Applicatifs
(JFLA'2011), janvier 2011.

[WJC-2010] Wang P., Jonquet A., Chailloux E. ''Non-Intrusive
Structural Coverage for Objective Caml''. 5th Workshop on Bytecode
Semantics, Verification, Analysis and Transformation (Bytecode), 2010.

[PAMCCWMC-2009] Pagano B., Andrieu O., Moniot T., Canou B., Chailloux
E., Wang P., Manoury P., Colaço J.-L. ''Experience Report: Using
Objective Caml to develop safety-critical embedded tool in a
certification framework''. International Conference on Functional
Programming (ICFP'09), 2009.

[CBC-2008] Canou B., Balat V., Chailloux E. ''O'Browser : Objective
Caml on browsers''. The 2008 ACM SIGPLAN Workshop on ML, 2008.

[CRV-2008] Chailloux E., Ravet V., Verlaguet J. ''HIRONDML: Fair
Threads Migrations for Objective Caml''. Parallel Processing Letters
18, 1 2008, 55--69.

[PACCCMW-2008] Pagano B., Andrieu O., Canou B., Chailloux E., Colaço J.-L., Moniot T., Wang P.
''Certified development tools implementation in objective caml.''
International Symposium on Practical Aspects of Declarative Languages (PADL 08), 2008.

[HMC-2007] Henry G., Mauny M., Chailloux E. ''Typer la désérialisation
sans sérialiser les types''. Technique et Science Informatiques 26, 9
(2007) 1067-1090.

[CM-2006] Chailloux E., Mauny M. ''Programmation fonctionnelle''.
Encyclopédie de l'informatique et des systèmes d'information (2006)
1016--1027.

==== Tom Hirschowitz (LAMA, Chambéry) ====

34 years old, CR CNRS (computer science), LAMA

* 2007 CR CNRS at LAMA (UMR 5127) in Chambéry
* 2004-2007 CR CNRS at LIP (UMR 5668) in Lyon
* 2003-2004 ATER, Plume team, LIP, ENS Lyon
* 2000-2003 PhD (supervisor: X. Leroy, INRIA Rocquencourt, Cristal project)
* 1999-2000 DEA at Paris 7
* 1996-2000 Ecole Nationale des Ponts et Chaussées

''10 publications in international journals and conferences''

''Selected publications''

# T. Hirschowitz, X. Leroy, and J. B. Wells. Compilation of extended recursion in call-by-value functional languages, PPDP 2003. Journal version in Higher-Order and Symbolic Computation 22-1, 2009.
# R. Garner, T. Hirschowitz, and A. Pardon. Variable Binding, Symmetric Monoidal Closed Theories and Bigraphs. CONCUR'09. 2009.
# A. Hirschowitz, M. Hirschowitz, T. Hirschowitz. Contraction-free Proofs and Finitary Games for Linear Logic. MFPS, 2009.
# A. Hirschowitz, M. Hirschowitz, T. Hirschowitz. A Theory for Game Theories. FSTTCS, 2007.
# T. Hirschowitz, X. Leroy. Mixin Modules in a Call-by-Value Setting, ESOP, 2002, journal version in ACM Transactions on Programming Languages and Systems, 2005.

==== Pierre Hyvernat (LAMA, Chambéry) ====

Age 30, "maître de conférences" at the Université de Savoie (in Chambéry) since September 2006, member of the [http://www.lama.univ-savoie.fr LAMA].

He obtained his PhD in December 2005, under the supervision of Thierry Coquand (Chalmers, Göteborg, Sweden) and Thomas Ehrhard (at the time at IML, Luminy, Marseille, France).

His research interests relevant to PML include
* denotational semantics,
* type theory and constructive mathematics.


'''Selected publications'''

* [Hyv10b] ''The Size-Change Termination Principle for Constructor Based Languages'' (hal-00547440, submitted)

* [HHy06] with P. Hancock: ''Programming Interfaces and Basic Topology''. "Annals of Pure and Applied Logic", volume 137, January 2006.

* [Hyv05] ''Synchronous Games, Simulations and lambda-calculus'', proceedings of the "GaLoP" workshop, ETAPS 2005 (journal version submitted to Annals of Pure and Applied Logic).

* [Hyv04] ''Predicate Transformers and Linear Logic: yet another Denotational Model'', Lecture Notes in Computer Science, vol. 3210, September 2004.

==== Alexandre Miquel (PPS, Paris 7) ====

Age 37, "maître de conférences" at the Université Paris-Diderot (Paris 7) since September 2003, member of [http://www.pps.jussieu.fr/ PPS]. Since September 2008, he has been a CNRS research associate ("délégation") in the Plume team at the LIP (ENS Lyon).

He obtained his PhD in December 2001, under the supervision of Hugo Herbelin (INRIA/LIX) in the Coq team (now TypiCal).

From October 2001 to August 2002 he was a postdoc at the Chalmers Institute of Technology (Göteborg, Sweden) under the supervision of Thierry Coquand, and from September 2002 to August 2003 he was "ATER" at the LRI (Orsay).

He is a specialist of the models of type theory (especially the calculus of constructions) and of the correspondence between set theory and type theory. His research interests also include:
* logic, proof-theory, rewriting,
* denotational semantics (set- and domain-theoretic),
* realizability in classical logic.


'''Selected publications'''

His most significant publications are:

* [Miq07] ''Classical program extraction in the calculus of constructions'' (CSL'07),

* [Miq06] with A. Arbiser and A. Ríos. ''A lambda-calculus with constructors'' (RTA'06),

* [Miq04] ''Lambda-Z: Zermelo's Set Theory as a PTS with 4 Sorts'' (TYPES'04),

* [Miq03] ''A Strongly Normalising Curry-Howard Correspondence for IZF Set Theory'' (CSL'03),

* [Miq00] ''A Model for Impredicative Type Systems with Universes, Intersection Types and Subtyping'' (LICS'00).

==== Christophe Mouilleron (LIP, ENS de Lyon) ====

Age 26, PhD student in the Arenaire team at the LIP (ENS de Lyon) since September 2008. He works under the supervision of Claude-Pierre Jeannerod (INRIA/LIP) and Gilles Villard (CNRS/LIP).

His research interests relevant to PML include:
* computer arithmetic,
* code generation,
* formal proof of numerical properties in programs.


'''Publications'''

* [MouRev10] C. Mouilleron and G. Revy. ''Automatic Generation of Fast and Certified Code for Polynomial Evaluation.'' (submitted, available as ensl-00531721)

* [JeaMou10] C.-P. Jeannerod and C. Mouilleron. ''Computing Specified Generators of Structured Matrix Inverses.'' (ISSAC'10)

* [BJJK+10] C. Bertin, C.-P. Jeannerod, J. Jourdan-Lu, H. Knochel, C. Monat, C. Mouilleron, J.-M. Muller, and G. Revy. ''Techniques and tools for implementing IEEE 754 floating-point arithmetic on VLIW integer processors.'' (PASCO'10)

* [LTdD+10] V. Lefèvre, P. Théveny, F. de Dinechin, C.-P. Jeannerod, C. Mouilleron, D. Pfannholzer, and N. Revol. ''LEMA : Towards a Language for Reliable Arithmetic.'' (PLMMS'10)

===Relevant publications by non-participants in the project ===

Here are some publications or resources of interest for the project:

'''Language design and theory:'''
* [SOW97] Martin Sulzmann, Martin Odersky, Martin Wehr, ''Type inference with constrained types'', TAPOS, 1997.
* [HW04] Christian Haack and J. B. Wells, ''Type error slicing in implicitly typed higher-order languages'', Sci. Comput. Programming, 50:189-224, 2004.
* [Ruy06] Frédéric Ruyer, ''Preuves, types et sous-type'', PhD thesis, 2006, supervised by C. Raffalli.

'''Termination:'''
* [LJ01] Lee, Jones, et al. ''The size-change principle for program termination'' - ACM SIGPLAN Notices - 2001
* [Abel04] Andreas Abel, ''Termination Checking with Types'' ,Special Issue: Fixed Points in Computer Science (FICS'03 and RAIR'04)
* [Bar04] G. Barthe, M. J. Frade and E. Giménez, L. Pinto and T. Uustalu, ''Type-Based Termination of Recursive Definitions'', 2004, Mathematical Structures in Computer Science.
* [Gie06] J. Giesl, S. Swiderski, P. Schneider-Kamp, and R. Thiemann ''Automated Termination Analysis for Haskell: From Term Rewriting to Programming Languages'', Proceedings of the 17th International Conference on Rewriting Techniques and Applications (RTA-06), Lecture Notes in Computer Science 4098.

'''the Clean language:'''
* [AGR92] Peter Achten, John van Groningen and Rinus Plasmeijer (1992). ''High-level specification of I/O in functional languages'', Proc. of the Glasgow workshop on Functional programming, ed. J. Launchbury and P. Sansom, Ayr, Scotland, Springer-Verlag, Workshops in Computing, pp. 1-17.
* [AcP95] Peter Achten and Rinus Plasmeijer (1995). ''The Ins and Outs of CONCURRENT CLEAN I/O'', Journal of Functional Programming, 5, 1, pp. 81-110.
* [AcP97] Peter Achten and Rinus Plasmeijer (1997). ''Interactive Functional Objects in CLEAN'', Proc. of the 1997 Workshop on the Implementation of Functional Languages (IFL'97), ed. K. Hammond Davie, T., and Clack, C., St.Andrews, Scotland,
* [VPA07] Edsko de Vries, Rinus Plasmeijer, and David M. Abrahamson, ''Uniqueness Typing Simplified'',
* [http://clean.cs.ru.nl/download/Clean20/doc/CleanRep2.0.pdf the language report] by Rinus Plasmeijer and Marko van Eekelen,
* [http://clean.cs.ru.nl/ the language homepage].


===Involvement of project participants to other grants, contracts, etc …===

* Emmanuel Chailloux is member of the ANR PWD ("Programmation du Web Diffus"), whose leader is Manuel Serrano (Inria), and the FUI [http://opengpu.net/ OpenGPU project].
* Tom Hirschowitz is involved in the ANR PiCoq and the ANR proposals RÉCRÉ and CATHRE.
* Pierre Hyvernat is involved in the ANR proposal RÉCRÉ.
* Alexandre Miquel is involved in the ANR proposal RÉCRÉ.
* Christophe Raffalli is involved in the ANR proposal RÉCRÉ.

Remark: the interaction between PML and RÉCRÉ is natural because the proof technique used for ensuring some of the properties of the language PML is realizability, which is one of the themes of the ANR proposal RÉCRÉ.

Latest version of 13 January 2011 at 11:35

URL of PML project: http://lama.univ-savoie.fr/tracpml

Context and positioning of the proposal

Ever since FORTRAN appeared fifty years ago, programming languages have been evolving rapidly. These languages now include more and more sophisticated concepts like "objects", "type inference", "modules"... However, this richness is also what makes it more and more complex to train programmers and makes it difficult for them to keep up with the innovations and changes in programming languages.

Another orthogonal phenomenon is the emergence of formal methods used in conjunction with various programming languages to test, check or prove software. This introduces another layer to languages in order to write specifications, and sometimes yet another one for proofs. Learning a programming language together with the associated specification/proof languages can take an important effort.

Projects such as ACL2, the successor of the Boyer-Moore theorem prover, use a rather simple language (namely LISP) both as a programming language and as a specification language, which keeps the system unified. Unfortunately, LISP is somewhat limited both as a programming language (no good treatment of sum types, no module system) and as a specification language (very limited quantification). Moreover, LISP has no compile-time type-checking, which has proved very useful to detect bugs and automatically assert properties.

The aim of the present project is to build a very powerful language (with no loss of expressive power compared to state-of-the-art languages) based on a very small number of simple features. We think this will be possible thanks to recent progress both in the semantics of programming languages and the appearance of new algorithms for type inference based on constraint-solving. In fact, we propose in [RAF10b] an innovative concept derived from the latter to enable this: constraint-checking.

Moreover, the language will be used not only as a programming language and a specification language (like in ACL2), but also as the proof language. This is natural for an ML-like language because pattern-matching is a natural and powerful way to make a proof by case analysis. This also means that our tool will consist of relatively few (unified) features, yet powerful.

The idea of a new language arose from the discovery of a new typing algorithm [RAF10b] whose implementation gave birth to a first implementation of PML (Proved ML) by Christophe Raffalli. This implementation is already available from the web page of the language. However, turning PML into a real tool requires a lot of research and implementation work and this is why we request the help of the ANR. Some of the goals are highlighted in the next sections.


PML's approach to mathematics and program certification is unique. Existing provers or certification tools feature a base programming language and a logical layer on top of it (be it to write mathematical statements, specifications, or proofs). PML is very different in spirit: every statement, including sophisticated mathematical ones, is reduced to a statement asserting that a program fragment does not raise any error.

PML has no dedicated proof language, but the user can still write proofs! Existing programming languages supporting specifications use one or both of the following two alternatives: automated proofs (ACL2, Why) or proof obligations that the user proves using a specific language (Coq extraction, Focalize, Why). Several systems provide both possibilities, manual proofs being used only when automation fails. PML is again very different: it introduces a new instruction, written with a "scissors symbol" 8<, to express that the corresponding position in the program is dead, meaning that it cannot be reached during evaluation. This condition is checked by a terminating variant of the Knuth-Bendix completion algorithm. This is rather simple and therefore easier to trust than modern decision procedures. However, it only solves trivial cases: to write complex proofs, the user just uses the same syntax as for programs to do case analysis or induction (i.e., recursive definitions). This means that the user does not need to learn a specific proof language, and hopefully implies that PML is easier to learn and probably better adapted to industry than previous solutions.

The logic of PML is just the equational theory of its programming language; and we use variants of Knuth-Bendix completion as a proof-checker. The first experiments with the current implementation are promising. However, adapting the Knuth-Bendix procedure to the context of ML is a complex and new research problem. A lot more work is needed, for instance to handle proofs in arithmetic which occur quite often. Here is an example of a proof in arithmetic, checked in the current version of PML. This is not completely satisfactory (hard to write), but shows the use of the language for both proofs and programs and the use of recursive functions for inductive proofs:

 val rec mul_associative x y z |- (x * y) * z == x * (y * z)
   proof match x with
     Z[] -> 8< (* trivial case handled automatically by Knuth-Bendix *)

   | S[x'] ->
     let _ = mul_associative x' y z in (* There is syntactic sugar for that... *)
       (* this adds the fact that (x'*y) * z == x' * (y*z) to the environment *)

     let _ = mul_right_distributive y (x' * y) z in
       (* this adds the fact that (y + x'*y) * z == y*z + (x'*y)*z *)

       (* the environment now contains enough information for Knuth-Bendix to handle the rest:
        *    - x*(y*z)  ==  y*z + x'*(y*z)  : by definition
        *    - x*y == y + x'*y : by definition
        *      and so (x*y)*z == (y + x'*y)*z
        *    - (x'*y) * z == x' * (y*z)  :  by the recursive call to mul_associative
        *    - (y + x'*y) * z == y*z + (x'*y)*z : by the call to mul_right_distributive  *)
     8<

Moreover, this style of proof is declarative and relatively readable (like Mizar proofs) while concise at the same time. This is very important when you want to maintain large developments.
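To see why the four facts listed in the comments of mul_associative are enough, here is an added example (not PML's checker, which adapts Knuth-Bendix completion): a ground congruence closure over the closed terms x, x', y, z treated as constants, the closed-term fragment the text says the current checker is limited to. It checks that the goal (x*y)*z == x*(y*z) follows from the four facts, and that dropping any one of them leaves the goal open.

```python
# Added example, not PML's own checker: ground congruence closure over the
# constants x, x', y, z. It stands in for the Knuth-Bendix style check the
# text describes on the closed-term fragment, and shows that the four facts
# in the comments of mul_associative close the goal (x*y)*z == x*(y*z).
from itertools import combinations

# A term is a string (constant) or a tuple ('op', left, right).
def mul(a, b):
    return ('*', a, b)

def add(a, b):
    return ('+', a, b)

def subterms(term, acc):
    """Collect term and all of its subterms into the set acc."""
    if term not in acc:
        acc.add(term)
        if isinstance(term, tuple):
            for arg in term[1:]:
                subterms(arg, acc)
    return acc

class CongruenceClosure:
    """Union-find over terms, closed under congruence: if a ~ a' and b ~ b'
    then (op a b) ~ (op a' b')."""

    def __init__(self):
        self.parent = {}

    def register(self, term):
        for s in subterms(term, set()):
            self.parent.setdefault(s, s)

    def find(self, term):
        root = term
        while self.parent[root] != root:
            root = self.parent[root]
        while self.parent[term] != root:          # path compression
            self.parent[term], term = root, self.parent[term]
        return root

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[ra] = rb

    def propagate(self):
        """Merge compound terms whose operator and argument classes agree,
        until no further merge is possible (the congruence rule)."""
        nodes = [s for s in self.parent if isinstance(s, tuple)]
        changed = True
        while changed:
            changed = False
            for a, b in combinations(nodes, 2):
                if a[0] == b[0] and self.find(a) != self.find(b) and all(
                        self.find(p) == self.find(q) for p, q in zip(a[1:], b[1:])):
                    self.union(a, b)
                    changed = True

    def assume(self, lhs, rhs):
        """Add the equation lhs == rhs to the environment."""
        self.register(lhs)
        self.register(rhs)
        self.union(lhs, rhs)
        self.propagate()

    def provable(self, lhs, rhs):
        """True when lhs == rhs follows from the assumed equations."""
        self.register(lhs)
        self.register(rhs)
        self.propagate()
        return self.find(lhs) == self.find(rhs)

# The inductive step of mul_associative with x = S[x']: the facts the
# environment holds at the final 8<, in the order the comments list them.
X, X1, Y, Z = 'x', "x'", 'y', 'z'
FACTS = {
    'def_mul_x_yz': (mul(X, mul(Y, Z)), add(mul(Y, Z), mul(X1, mul(Y, Z)))),
    'def_mul_x_y': (mul(X, Y), add(Y, mul(X1, Y))),
    'rec_call': (mul(mul(X1, Y), Z), mul(X1, mul(Y, Z))),
    'distrib': (mul(add(Y, mul(X1, Y)), Z), add(mul(Y, Z), mul(mul(X1, Y), Z))),
}
GOAL = (mul(mul(X, Y), Z), mul(X, mul(Y, Z)))

def goal_follows(facts=FACTS, goal=GOAL):
    """Does the goal equation follow from the given facts by congruence?"""
    cc = CongruenceClosure()
    for lhs, rhs in facts.values():
        cc.assume(lhs, rhs)
    return cc.provable(*goal)

def essential_facts(facts=FACTS, goal=GOAL):
    """Names of the facts without which the goal is no longer provable."""
    return sorted(name for name in facts
                  if not goal_follows({k: v for k, v in facts.items() if k != name}, goal))

if __name__ == '__main__':
    print("goal provable:", goal_follows())        # True
    print("essential facts:", essential_facts())   # all four names
```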

PML is different from the other modern programming languages because its design focuses on a few powerful concepts. One consequence is that it is more difficult for a compiler to produce efficient code. In particular, since PML unifies several notions of products (modules, tuples and records), there is no simple way to choose the internal representation of a product, especially with implicit subtyping. Writing a good compiler for PML will thus require more complex and original optimization schemes (probably driven by typing) than for languages like OCaml or Haskell. A Polish student (Wojciech Matyjewicz) is just starting a PhD on this very topic.

Here is a simple example, accepted by the current version of PML, demonstrating product types, sum types and subtyping. We define ternary trees as an extension of binary trees with an implicit subtyping relation (all functions accepting binary_trees will accept ternary trees, by ignoring the middle_son):

 type rec binary_tree(A) =
   [ Nil[] | Node[A with left_son : binary_tree(A); right_son : binary_tree(A)] ; ]
 type rec ternary_tree(A) =
   binary_tree({ A with middle_son : ternary_tree(A) ;})


PML requires a termination criterion because a proof by induction will just be a normal recursive program. Such a program has to be well-founded in order to correspond to a valid proof. The AProVE tool can now establish termination for simple programs in a subset of Haskell. However, we want the test to be fully integrated with the language, and to be compatible with very modular programs. At the moment, these goals seem difficult to achieve with AProVE or other external termination checkers. A first termination criterion based on Lee, Jones & Ben-Amram's "size-change termination principle" was implemented by Pierre Hyvernat [Hyv10b]. While this test is quite powerful, it is necessarily incomplete, and quite some work is required to make termination proofs of complex programs tractable.

Scientific and technical description

Background, state of the art

Programming language

The ML programming language, created by Robin Milner et al. in the 1980s, has two major distinctive features:

  • Algebraic data-types and pattern matching: data types are basically all constructed using fixpoints, Cartesian product (product types) and disjoint union (sum types).
  • Static type inference: the type of every piece of code is automatically inferred using the Hindley-Milner algorithm (HM). By construction, once compiled, an ML program cannot crash (no segmentation fault). More precisely, when the unsafe features of the language are not used (like interfacing with unsafe libraries written in C), if an ML program produces a segmentation fault, then there is a bug in the type-checker or the compiler.

Recent progress in type inference algorithms relies on constraint solving. This means that the type system can be described in first-order predicate logic in such a way that a type inference problem is a formula written in a decidable fragment of first-order predicate logic (often the purely existential fragment). Hence, any constraint solver can be turned into a type-checker for ML. This approach is known as HM(X) (see [SOW97]).

There are two problems with this approach:

  • The complexity of constraint solving can be too high for practical use, especially when using a general-purpose constraint solver. To our knowledge, there are currently no mainstream implementations of ML based on HM(X).
  • HM(X) does not completely solve the problem of subtyping. The language to express the types constructed by the constraint solver is the same as the language of types used by programmers. With constraints and for three types , and , the most natural solution is . This implies that intersection needs to be part of the language for types. This means that constraints such as may also appear and they are problematic to deal with. Similar reasoning shows that constraints of the form may appear, increasing the complexity of constraint solving by an exponential factor.

PML's approach is to replace type inference by constraint checking rather than constraint solving: we only check that the constraints are satisfiable in some model. Type-checking in the current implementation of PML can be seen as a black box ensuring that nothing can go wrong during execution. Moreover, since we do not need to write solutions for the constraints, the language for types can be relatively simple. In fact, the types written by the programmer aren't even the actual type constraints that are checked: they are syntactic sugar for the partial identity on the intended type (giving for free nice features like higher-order parametric types, that is, types with parameters which may themselves be types with parameters). In other words, the expression x:nat is a synonym for (id_nat x) where

 val rec id_nat x = match x with
     Z[] -> Z[]
   | S[x'] -> S[id_nat x']

is defined internally by PML. The constraints generated by x:nat mean exactly that x is of type nat...

With this approach, we lose type inference and the ability to display types in error messages. Nevertheless, PML error reporting is quite helpful because, in case of problems, it displays three positions in the code and an error message like this one: error at position 1, label "id" projected at position 2 do not appear in the value constructed at position 3. This kind of error message is in fact of bounded length and often more useful than OCaml or SML messages. We can understand this as showing three points in the slice of the error, as introduced by Joe Wells in [HW04].


Proof assistant

Proof assistants have evolved rapidly since Automath in the 1970s. Two main trends coexist: automated proof assistants such as ACL2 and PVS, and safe ones such as Coq, Isabelle, PhoX, Lego, HOL, Matita, etc. The former incorporate very sophisticated automated deduction strategies, with no certificate for the validity of the proof, while the latter require all proofs to be done in a specific framework (like natural deduction or type theory) allowing for a simple check of the proof. The gap between the two approaches tends to be reduced by the emergence of complex tactics (for Coq or Isabelle mainly) which build proofs for the user. For instance, Zenon is an advanced automated first-order theorem prover that outputs a Coq proof.

The common defect of all these proof assistants is that a proof cannot be written or understood without running the proof assistant. Some proof assistants such as Mizar or Alf do not follow exactly the above scheme: Mizar has a declarative style for proofs which is (in theory) readable by a human and checked by a limited checker (this proof style has been adapted to Coq and Isabelle). Unfortunately, there is no formal description of the Mizar proof checker. Alf, on the other hand, is based on proof theory and requires the user to basically write the complete proof tree, just leaving out a few details. The logic is very well formalized and simple, but writing proofs is tedious and not similar to the usual practice of informal mathematics.

This picture of the world of proof assistants shows that some fundamental work is needed. In the current version of PML, the logic is just an equational theory of the underlying programming language. This is easily described formally. The proof engine is, like in Mizar, a limited automated checker inspired by the Knuth-Bendix completion algorithm (KB). The completion algorithm used in PML had to be adapted to the higher-order constructs of ML-like languages and restricted to ensure termination and an acceptable complexity. The current limitation is probably too strong: it is limited to closed terms and cannot use universal theorems automatically (as in the first example of section 1, where one has to give explicitly the argument to use distributivity).

Nevertheless, preliminary examples in the current version show that the approach is worth trying: proofs are concise and readable once you know the language. A very encouraging point is that all examples were written without an interface. This really means that proofs are readable without the help of a computer.

Rationale highlighting the originality and novelty of the proposal

The final objective of our project would be a full PML compiler, bootstrapped and completely proved with itself (full bootstrap). This does not exist for any language and is far too ambitious for a four-year project. More realistically, we plan to produce a compiler for PML, written in PML, but not yet proved in PML.

We also want to develop proof-checking in such a way as to allow very elegant proofs, supporting the feasibility of a full bootstrap by various examples, some of them being near to industrial application, some others being algorithms coming from implementation of programming languages.

We have focused the existing development on the quality of the language both for proofs and programs. By quality, we mean easy to understand and write (and therefore, easy to learn). We think that using the programming language as a proof language could make formal methods more attractive to the industry without the defect of systems like PVS and ACL2 where the automated tactics replace the need for a proof language, but are sometimes hard to control and use. For instance, finding the right lemmas to make a proof possible in ACL2 is quite difficult.

Comparison with other proof systems devoted to programming. Many other proof systems have been used or specifically developed to allow the production of certified code: extraction in Coq, Why with its automated prover Who from the Proval project, Focalize, PVS, ATS, ... None of these systems uses the programming language as a proof language. They all have a dedicated language for proofs, and even though some of them (like Focalize, or Coq extraction using a Mizar-style mode for proofs) have readable proofs, learning the proof language is never trivial. Other systems, like PVS, ATS or Why using Who, rely on automated deduction; in those cases, the behavior of the automated prover is always hard to predict.

Another selling point is that the logic and the programming language are fully integrated. This is not a two-level system like most systems (but not all: ACL2, for instance, is fully integrated). In PML, the statements of theorems and their proofs are expressions at the same level as programs. This means that a program can contain specifications that themselves contain program definitions in their statement or proof, and so on. This is generally not possible (even in ACL2) and makes it possible to write modules together with their specifications.

One of the key ideas of this project is that any ML-like programming language already has all the features needed for a proof language: case analysis via pattern matching and exception handling, induction, and calling previously defined programs/theorems. This means that it is natural to explore this direction.

Comparison with other programming languages. Another key idea in PML is to develop the language and its proof-checker together. This has a great impact on the design of PML. Let's illustrate this with a concrete example: exception handling. In ML, there is a construct

 try P with e -> R

but this is not sufficient to do case analysis on whether a program P raises an exception or not. In particular, R can be the proof for the case where P raises an exception, but there is no placeholder for the normal case (without exception). This is why we had to introduce a

 let try x = P in Q with e -> R

where Q is evaluated only when P reduces to a value.
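The distinction above matters beyond proofs: a handler that also covers Q turns a bug in Q into what looks like a failure of P. As an added example (not code from the PML project), Python's try/except/else has exactly the shape of let try ... in ... with, so both scopings can be compared on a constructed parse_port (P) and two constructed use callbacks (Q).

```python
# Added example, not code from the PML page: Python's try/except/else has the
# shape of PML's `let try x = P in Q with e -> R`; contrasting it with a
# handler wrapped around both P and Q shows why the page needed the new form.
# parse_port (P) and the `use` callbacks (Q) are constructed for this example.

class ParseError(Exception):
    """Raised by parse_port for syntactically valid but out-of-range input."""


def parse_port(text):
    """P: parse a TCP port number; raises ValueError or ParseError on bad input."""
    value = int(text)  # ValueError on non-numeric text
    if not 0 < value < 65536:
        raise ParseError(f"port out of range: {value}")
    return value


def ml_try(text, use):
    """`try (let x = P in Q) with e -> R`: the handler R also covers Q.

    An exception raised inside use(x) is caught here and reported as if the
    input had been rejected, so a bug in Q is masked as a parse failure."""
    try:
        x = parse_port(text)   # P
        return use(x)          # Q, wrongly under the handler
    except (ValueError, ParseError):
        return "rejected"      # R


def let_try(text, use):
    """`let try x = P in Q with e -> R`: only P is under the handler.

    Q runs in the else branch, so a failure in use(x) propagates to the
    caller instead of being confused with a rejected input."""
    try:
        x = parse_port(text)   # P
    except (ValueError, ParseError):
        return "rejected"      # R, taken only when P raises
    else:
        return use(x)          # Q, evaluated only when P produced a value


def open_connection(port):
    """A well-behaved Q: describes what would be opened (no real socket)."""
    return f"connect:{port}"


def buggy_use(port):
    """A Q with a bug: fails on a value that parse_port accepted."""
    if port == 80:
        raise ValueError("buggy handler for port 80")
    return f"connect:{port}"


def raises(fn, *args):
    """Return the exception class fn(*args) raises, or None if it returns."""
    try:
        fn(*args)
    except Exception as exc:   # report whatever class escaped
        return type(exc)
    return None


if __name__ == "__main__":
    print(ml_try("80", buggy_use))            # rejected: the Q bug is hidden
    print(raises(let_try, "80", buggy_use))   # ValueError: the Q bug surfaces
```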

Many decisions on the language design come from the interaction between the development of the programming language and its proof-checker. Another key feature of PML, which makes the project original even as a programming language compared to many other programming language research projects (GALLIUM, Haskell, Scala, ...), is the use of constraint checking. This choice arises from the fact that we want a language as small as possible, because a proof-checker is complex; therefore, we want to fully unify all sorts of Cartesian product, including modules, records, tuples and variants with multiple arguments. This is already achieved in the current implementation of PML and, to my knowledge, no ML-like language has a unique but still powerful notion of Cartesian product.

All the systems previously mentioned allow proving programs in limited subsets of existing languages like ML or Haskell. The prover has to find ways to deal with those languages' defects rather than improve them...

Scientific and technical program, project management

Specific aims of the proposal

As said in the previous section, the final objective would be a fully bootstrapped PML language, that is, PML entirely written and proved in PML. This would be too ambitious at first, so we chose to focus here on the design of the language plus a proof of concept (compilation and proofs of various examples), doing our best on the following points:

  • A natural way of writing programs (Task 1)
  • Efficiency of the code generated by the compiler, despite the heavy use of subtyping (Task 3)
  • Readable and short proofs (Tasks 1 and 4)
  • Efficiency of type-checking and compilation (Tasks 2 and 6)
  • Efficiency of proof-checking (Tasks 4 and 6)
  • All of the above points need testing, and we created a transverse fifth task (Task 5) for that.

Project management

We plan to have one 3-day workshop per year with all the members of the project, invited speakers and interested outsiders. We think these meetings are fundamental to keep the project running and to inform everybody of the project's progress and problems. We already have the agreement of some people to participate in such meetings: Joe Wells, Assia Mahboubi, Andreas Abel, ...

We will also organize two project meetings per year, simply to keep track of progress, share ideas and organize the above workshops and other invitations.

We also want to organize visits of one or two members of the project to researchers working on similar topics (typically, a member of the project could visit one of the invited speakers of our workshop). Members of the project should also travel to conferences on the subject such as POPL, LICS, CSL, TYPES or the recently created CPP (first edition in 2011).

Detailed description of the work organized by tasks

Task 1 - theoretical work, design of the language

Coordinator: Christophe Raffalli

Participants: Pierre Hyvernat, Alexandre Miquel, Tom Hirschowitz

1.a - Correctness of the constraint checking algorithm (delivered 09/2012): [RAF10b] already covers correctness without polymorphism. A draft of the correctness proof with polymorphism exists but needs more work. The main open problem is the interaction with the termination checker. The current work proves that when constraints are checked, the program can only loop through recursive definitions. We would then like to prove that the program terminates if its recursive definitions are accepted by the termination checker. However, this is non-trivial.

This being a central piece of PML, it should also be one of the first tests for PML in Task 5. We could also prove this part of PML in Coq (in fact, two provers proving themselves and each other correct is a much stronger warranty than one prover proving itself).


1.b - Consistency of proof-checking (beginning 09/2011, delivered before 09/2013 for the core of the language): this is essential for clearly defining the logic of PML and proving its consistency. This should not be too hard for the core of the language. However, the proof has to be extended to take into account all future extensions of the language and can be seen as a permanent task.

1.c - Adaptation of uniqueness typing to the context of constraint checking (beginning 09/2012, delivered 01/2014): the current version of PML is a pure functional programming language with no imperative features. This is problematic, because input/output is necessary for real programs and in-place assignment is required for efficiency, especially when using large arrays. We plan to adapt the approach of the Clean language [AGR92], [AcP95], [AcP97], [VPA07]. In Clean, all programs can be read as purely functional programs, but the type system checks that some data is no longer used, so that its memory can be reused for other data (which allows assignment). For instance, in such a setting, writing to a file f is written let f' = write f str in ..., and the compiler must check that f is never used again; this is what makes the standard imperative semantics of writing to a file equivalent to the purely functional semantics used in proofs.


1.d - Private, abstract and existential types (beginning 09/2011, delivered 09/2012 for private types; beginning 09/2012, delivered 09/2013 for existential types; beginning 09/2013, delivered 09/2015 for abstract types)

Abstract data types hide the definition of a data type and guarantee to the users of a library that their code will continue to work even if the internal representation of the data changes. In the context of constraint checking in PML, adding abstract data types seems a challenging task. Moreover, abstract data types are a form of existential quantification over types and could raise consistency issues. We hope to find a way to incorporate abstract types in PML without losing coherence.

A first step would be private data types. They are a very simple yet very powerful mechanism for ensuring invariants on all values of a data type. The mechanism is as follows: the compiler simply checks that the constructors of the data type are never used to build values. Values are built through construction functions, as with abstract data types. However, unlike with abstract data types, the constructors can still be used as patterns when defining functions by pattern matching. Hence, a library over a private data type is not closed but can be extended easily. Private data types are therefore an important and very useful feature for defining data structures with complex invariants and for proving their correctness more easily. They have been implemented in OCaml by Pierre Weis and are described in the ESOP'07 paper of Frédéric Blanqui, Thérèse Hardin and Pierre Weis [BHW07].

A second step would be existential types, which are very similar to abstract types but give no name to the abstracted type. At the logical level, they imply an existential quantification over types which has to be limited to ensure consistency. Abstract types, on the other hand, require the type to have a name, which corresponds in logic to a definite description operator (similar to Hilbert's epsilon operator); being connected to the axiom of choice (over types), this may be really problematic for consistency. Some related work exists in the PhD thesis of F. Ruyer, a former student of C. Raffalli [Ruy06].

Task 2 - termination

Coordinator: Pierre Hyvernat

Participants: Christophe Raffalli, Andreas Abel, Frederic Blanqui

Remark: this is an essential task, running during the whole 4 years. There will always be embarrassing examples that do not work but could, both for the core and for the auxiliary criteria (see below for the distinction), meaning that this research field will remain open forever.

Even if it might be counter-intuitive at first, it is often necessary to write programs whose execution can be infinite. For example, any kind of "server", or almost any interactive program, may have infinite executions. Even in a purely mathematical setting, it can be useful to have intermediate non-terminating functions. Consider a function outputting the stream of prime numbers: even though this function is non-terminating, it can be used in a terminating way in a proof by requesting only the first n prime numbers.

Since PML uses full recursion (keyword rec), writing such programs is easy. On the other hand, the notion of "terminating" or "well-founded" recursive function is not part of the core of PML: such programs are just special cases of recursive programs. The user will have to specify which functions are in fact terminating and may have to prove it when PML cannot infer termination automatically.

Proofs of specifications are just PML programs, and those cannot be allowed to run forever. More precisely, even if proofs are never run at all (they have no computational content), they are required to be well-founded: the consistency of PML relies on this. In order to relieve the user from proving that all proofs terminate, PML should offer a way to check automatically that (some) functions terminate. Because the halting problem is undecidable, it is hopeless to do this in full generality, but this is seldom necessary: many proofs terminate for obvious reasons. PML only needs to work for most functions, most of the time (rather than for all functions, all the time...).

Technically speaking, PML can infer an error called Loop when it encounters a program which, it thinks, may not terminate. Such an error cannot be caught: it is an error rather than an exception. The property we need to guarantee is that if PML does not infer that the error Loop is possible, then the program does indeed terminate. If Loop is reported as possible for a function that does terminate, the user can still provide PML with a proof that this error is never raised. The current PML syntax for that is [p proof ...] where p is a term and ... is a proof that p raises neither an exception nor an error (which is exactly the property required of proofs).

2.a - Core termination criterion (delivered 09/2010)

This first test is now part of PML. Since primitive recursion is not enough in practice, even for proofs, a subtler and more powerful termination criterion has been implemented. It is an extension of the "size-change principle" of Lee, Jones and Ben-Amram [LJ01]. The test successfully checks termination for primitive recursion, lexicographic orderings and permutations of arguments, and thus covers most simple practical cases. The implementation is quite similar to the original size-change principle, but the proof of correctness is surprisingly more difficult: see [Hyv10b].
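To make the criterion concrete, here is an added example written for this page (it is not code from the PML distribution and implements the original first-order principle of [LJ01], not the extension of [Hyv10b]). A program is abstracted to its call graph; each call site carries a size-change graph made of arcs (i, j, ">") or (i, j, ">=") relating the caller's i-th argument to the callee's j-th argument under a well-founded size measure. The closure of these graphs under composition is computed, and the program is accepted if every idempotent self-loop graph contains a strictly decreasing arc i -> i. The call-graph abstractions for Ackermann, an argument permutation, a pure swap and a mutually recursive pair are constructed by hand for the example:

```python
"""Size-change termination (SCT) check, example written for this page.

A program is abstracted to a call graph whose edges carry size-change
graphs: arcs (i, j, label) meaning "argument i of the caller is strictly
greater than (>) or at least (>=) argument j of the callee" for some
well-founded size measure.  The program terminates if every idempotent
graph in the composition closure of the call graph has a strict arc
i -> i (the criterion of Lee, Jones and Ben-Amram).
"""
STRICT, WEAK = ">", ">="


def compose(g, h):
    """Compose g (calls f -> g') with h (calls g' -> k) into a graph f -> k.

    A path through both graphs is strict if either of its arcs is strict;
    a strict arc subsumes a weak arc between the same parameters.
    """
    out = {}
    for i, j, a in g:
        for j2, k, b in h:
            if j == j2:
                lab = STRICT if STRICT in (a, b) else WEAK
                if out.get((i, k)) != STRICT:
                    out[(i, k)] = lab
    return frozenset((i, k, lab) for (i, k), lab in out.items())


def closure(calls):
    """All (caller, callee, graph) triples reachable by composing call paths.

    calls: iterable of (caller, callee, arcs).  The closure is finite because
    only finitely many distinct graphs exist between two functions.
    """
    seen = {(f, g, frozenset(arcs)) for f, g, arcs in calls}
    todo = list(seen)
    while todo:
        f, g, gr = todo.pop()
        for f2, g2, gr2 in list(seen):
            candidates = []
            if g == f2:
                candidates.append((f, g2, compose(gr, gr2)))
            if g2 == f:
                candidates.append((f2, g, compose(gr2, gr)))
            for item in candidates:
                if item not in seen:
                    seen.add(item)
                    todo.append(item)
    return seen


def sct_terminates(calls):
    """True iff every idempotent self-loop graph has a strictly decreasing
    parameter, so that no infinite sequence of calls can exist."""
    for f, g, gr in closure(calls):
        if f == g and compose(gr, gr) == gr:
            if not any(i == k and lab == STRICT for i, k, lab in gr):
                return False
    return True


# Constructed call-graph abstractions (hand-written, not extracted from PML).
# ack(m, n) calls ack(m-1, 1) and ack(m-1, ack(m, n-1)).
ACKERMANN = [
    ("ack", "ack", {(0, 0, STRICT)}),                 # ack(m-1, 1)
    ("ack", "ack", {(0, 0, WEAK), (1, 1, STRICT)}),   # inner ack(m, n-1)
    ("ack", "ack", {(0, 0, STRICT)}),                 # outer ack(m-1, ...)
]
# f(x, y) = f(y-1, x): arguments are permuted and one of them decreases.
PERMUTE_DEC = [("f", "f", {(1, 0, STRICT), (0, 1, WEAK)})]
# g(x, y) = g(y, x): pure swap, nothing ever decreases.
SWAP = [("g", "g", {(1, 0, WEAK), (0, 1, WEAK)})]
# even(n) = odd(n-1), odd(n) = even(n-1): mutual recursion.
EVEN_ODD = [("even", "odd", {(0, 0, STRICT)}), ("odd", "even", {(0, 0, STRICT)})]

if __name__ == "__main__":
    for name, calls in [("ackermann", ACKERMANN), ("permute_dec", PERMUTE_DEC),
                        ("swap", SWAP), ("even_odd", EVEN_ODD)]:
        print(name, sct_terminates(calls))
```

The swap example shows why the idempotent check matters: the single call graph of g has no decreasing arc, and composing it with itself yields the idempotent graph {x >= x, y >= y}, which is exactly the signature of a possible infinite loop. The permutation example, on the other hand, is accepted because its only idempotent graph is the square of the call graph, in which both parameters strictly decrease.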


2.b - Improvement of the core termination criterion (beginning 09/2011, never ending)

The size-change principle is simple and powerful, but many cases occurring in practice are not recognized as terminating. We plan to adapt to PML a termination criterion based on type-based termination, which allows recursive calls through size-preserving functions such as List.map. There are several possibilities, ranging from simple systems such as those developed by Abel (RAIRO'04) [Abel04], Barthe et al. (MSCS'04) [Bar04] or Blanqui (RTA'04, CSL'05) [Bla04, Bla05c], to the very rich system of Blanqui and Riba (LPAR'06) [BlR06]. In the latter, given for each function a formula of Presburger arithmetic describing how the size of the output relates to the sizes of the inputs (the correctness of which can be checked automatically), termination follows from the fact that recursive calls are made on strictly decreasing arguments, using for instance lexicographic or multiset comparisons together with linear combinations of the arguments. Intermediate systems, such as the one of Barthe, Grégoire and Riba (CSL'08) [BGR08], which is powerful but of lower complexity than Presburger arithmetic, also have to be considered.

This development looks rather orthogonal to the implemented criterion and might require small modifications of other parts of PML to obtain the appropriate information. At another level, slight extensions should be added to the existing criterion to improve its running time on some specific examples that are recognized as terminating, but not in reasonable time.

This core termination criterion needs to reach an acceptable compromise between power and simplicity. In particular, the most complex developments may not find their way into the core termination criterion, but rather be used in the next task...

2.c - Use of external provers (beginning 09/2011, never ending)

In order to circumvent the limitations of the core termination criterion, we propose to use powerful external termination provers such as AProVE or TTT2, which implement and combine many other termination techniques. To this end, we can define translations from PML programs to one or more of the formats currently used in the annual international termination competition, in particular first-order rewrite systems (TRS), dependency pair problems (DP problems), higher-order rewrite systems (HOTRS) or Haskell programs. We could in particular reuse some of the techniques used to convert Haskell programs into first-order DP problems in [Gie06].

But to what extent can we trust the results of these provers? Fortunately, many termination provers now produce certificates in a format called CPF that can be checked by certified, dedicated tools like CeTA, Rainbow or CiME3.

The most pragmatic route is simply to trust those tools and concentrate on proving that the translation from (restricted) PML code to their input language is correct. Of course, the ideal solution would be to translate the external certificates into an equivalent PML program whose termination can be inferred by the core criterion. The complexity of tools like AProVE makes this look very difficult, and it is probably hopeless in general.

2.d - Modularity and termination (beginning 09/2013, never ending)

The core termination prover does not use the definitions of functions to prove their termination, only information gathered from the typing constraints. When using an external prover on a large development, one would also like to avoid sending a large piece of code to the external prover.

A function such as map preserves the length of lists, but the notion of length does not appear explicitly in the definition of map. This means that the current core termination prover often cannot prove termination of a function that uses map. It also means that the definition of map has to be given to the external tool.

We would like to automatically compute concise information about the size difference between the inputs and the output of a program, that is, to infer (when possible) a notion of size from the definition of a function.

Remark: the halting problem is undecidable, and the available external termination tools are always evolving (new systems are developed, old systems are changed or abandoned). This implies that this task will in fact never end: we will always be trying to improve the termination checker.

Task 3 - compilation

Coordinator: Christophe Raffalli

Participants: Pierre Hyvernat, Wojciech Matyjewicz, Tom Hirschowitz

3.a - A first compiler using LLVM (beginning 12/2010, delivered 1/2012). LLVM is a compiler infrastructure providing many tools: a compilation strategy, a virtual instruction set, tools to write high-level virtual machines, etc. LLVM is very attractive because it is rather simple to use (it even has an OCaml interface) and can target a bytecode interpreter, be used as a JIT compiler or as a standard compiler. Moreover, it supports a lot of platforms and provides optimizations, which is important. We think that writing a compiler with no optimization for PML using LLVM should not be too hard (it is important that this task be easy, because it is not really research...).

A Polish PhD student, Wojciech Matyjewicz, started to work on this in December. He visited the LAMA for one week to start the project. It is important to note that he is a first-year PhD student in Poland, and the first year there is equivalent to our Master 2, which means that Wojciech Matyjewicz is a potential candidate.

We would then like to improve our compiler in various directions. We mention here the ones that are innovative in this domain (more standard optimizations should also be considered, but we do not mention them specifically).

3.b - Representation of Cartesian products and disjoint sums (beginning 12/2010, delivered 1/2012 for products). PML allows only one kind of Cartesian product which, in general (because of multiple inheritance and implicit subtyping), must be represented as a table (a hash table or a map based on binary search trees). This can hurt performance. We plan to generate extra constraints for each occurrence of a Cartesian product constructor in a program. Solving these constraints so as to maximize speed (or minimize size) should then allow for a representation of Cartesian products that is more efficient than, for instance, OCaml's. The same kind of optimization (with a different optimization criterion) should be done for sum types and the implementation of pattern matching. This optimization should be included in the first compiler, because the implementation with tables is too costly even as a temporary solution.

3.c - Unboxing (depends on parts of 3.b, beginning 1/2012, delivered 1/2013). In general, 32-bit integers and floating point numbers are boxed (that is, represented by a pointer to a heap block). This allows a more uniform and elegant language, but it can have a major impact on performance, especially when arrays are involved. We think that constraint checking is a good framework for propagating type information and allowing efficient unboxing. Nevertheless, doing enough unboxing to match the performance of low-level languages like C is very hard. We hope to reuse some of the work of task 3.b, because unboxing can also be seen as optimizing the representation of a Cartesian product with only one field.

3.d - Compilation of assignment (references and arrays) and I/O (depends upon 1.c, beginning 09/2012, delivered 03/2014). After adapting uniqueness typing to PML (task 1.c), we will be able to compile assignment and I/O imperatively, as in any imperative programming language.

3.e - Garbage collection (beginning 01/2014, delivered 09/2014). For simplicity, the first compiler will simply use Boehm's garbage collector. This garbage collector is relatively efficient and simple to use. However, Boehm's GC is not optimized for the kind of allocations made by a functional language. Moreover, having a multithreaded GC could prove useful in modern environments. We thus plan to replace Boehm's GC with a dedicated GC tuned for our purposes.

Writing a GC that is both efficient and correct is not easy, and this sub-task is rather orthogonal to the PML language, which explains why it only comes later in the project. Nevertheless, we feel it is necessary to go through the trouble if we want to be as efficient as (or even more efficient than) existing functional languages...

Task 4 - Automated reasoning

Coordinator: Frédéric Blanqui

Participants: Frédéric Blanqui, Christophe Raffalli

The kernel of the proof engine will be based on completion techniques. Knuth-Bendix completion tries to transform a set of unoriented equations into an (inter-reduced) convergent, that is, terminating and confluent, set of rewrite rules. It can therefore be used to prove that some equality is an equational consequence of some equational theory: when an equational theory can be completed into a convergent rewrite system, two terms are equivalent in this theory if and only if their normal forms in the convergent rewrite system are equal.

4.a - Adaptation of the Knuth-Bendix completion algorithm to PML (already started, delivered 09/2015). As explained just before, Knuth-Bendix completion is based on rewriting. However, PML programs are not rewriting systems, so we need to adapt Knuth-Bendix completion. We need both a generalization, to use the notion of constructor present in ML, and to take care of the higher-order nature of ML (even if we cannot hope for much here). As said above, something is already implemented, but it is trivial because completely restricted to closed terms. A first version should be able at least to rewrite a closed term modulo some simple equational (and universal) theory. An important point here is to ensure termination of this algorithm, and even a low complexity; the price to pay will be incompleteness. A lot of care should also be devoted to the correctness of the implementation because, as for task 3.a, the consistency of PML relies on it.

This task is one of the major tasks for PML. A first version already exists, but it is non-terminating in the presence of equalities between functions: given an equation like f = f o f, PML may use it as a definition of f and loop. For dealing with these cases, we are considering a fix involving notions similar to those of the geometry of interaction. Another particular and very important case of universal equations that we should take into account is associativity and commutativity. This is indeed very important to ease proofs on integers (addition and multiplication are associative and commutative). To this end, we could reuse the CiME library.
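As an added illustration of the closed-term case described in the introduction of this task and in 4.a (this is example code written for this page, not PML's own completion procedure), the following Python implements Knuth-Bendix completion restricted to ground terms. With a total reduction ordering (size first, then lexicographic order on the tuple representation) every non-trivial equation can be oriented, and inter-reduction is enough to handle overlaps, since an overlap between two ground rules is simply a subterm occurrence. The term constructor T and the two sample equation sets are constructed for the example; two terms are provably equal in the equational theory exactly when their normal forms coincide:

```python
"""Ground Knuth-Bendix completion (example written for this page).

Terms are nested tuples ("sym", arg1, ..., argn); constants are ("a",).
Restricting to closed (ground) terms makes completion simple: the ordering
below is total, so every non-trivial equation can be oriented, and overlaps
between ground rules are plain subterm occurrences, which inter-reduction
already handles.  Every rule l -> r satisfies l > r, so rewriting terminates.
"""


def T(sym, *args):
    """Build a term; T("a") is a constant, T("f", T("a")) is f(a)."""
    return (sym,) + args


def size(t):
    return 1 + sum(size(s) for s in t[1:])


def greater(s, t):
    """Reduction ordering on ground terms: larger size wins, ties are broken
    lexicographically.  Total, well founded and closed under contexts."""
    return (size(s), s) > (size(t), t)


def rewrite(t, rules):
    """Normal form of t under rules (a dict lhs -> rhs), innermost first."""
    t = (t[0],) + tuple(rewrite(s, rules) for s in t[1:])
    return rewrite(rules[t], rules) if t in rules else t


def complete(equations):
    """Turn a list of ground equations (s, t) into a convergent rule set."""
    rules = {}
    todo = list(equations)
    while todo:
        s, t = todo.pop()
        s, t = rewrite(s, rules), rewrite(t, rules)
        if s == t:
            continue                      # already joinable: redundant
        if greater(t, s):
            s, t = t, s                   # orient the bigger side as lhs
        # Inter-reduction: any rule whose lhs or rhs is reducible by the new
        # rule s -> t is removed and re-processed as an equation.  For ground
        # rules this is also the only kind of overlap (critical pair).
        survivors = {}
        for l, r in rules.items():
            if rewrite(l, {s: t}) == l and rewrite(r, {s: t}) == r:
                survivors[l] = r
            else:
                todo.append((l, r))
        rules = survivors
        rules[s] = t
    return rules


def equivalent(s, t, rules):
    """Two ground terms are equal in the theory iff their normal forms match."""
    return rewrite(s, rules) == rewrite(t, rules)


# Constructed sample theories (not taken from the PML distribution).
A, B, C = T("a"), T("b"), T("c")


def f(x):
    return T("f", x)


def plus(x, y):
    return T("plus", x, y)


UNARY_EQS = [(f(f(A)), A), (f(f(f(A))), B)]
BINARY_EQS = [(plus(A, B), C), (plus(C, C), A),
              (plus(plus(A, B), C), plus(C, C))]

if __name__ == "__main__":
    R = complete(UNARY_EQS)
    print(R)                                  # {f(a) -> b, f(b) -> a}
    print(equivalent(f(f(f(f(A)))), A, R))    # True
    print(equivalent(f(A), A, R))             # False
```

Equations between functions such as f = f o f are not ground and fall outside this fragment: there, an equation can be oriented into a rule whose right-hand side contains its own left-hand side, which is the kind of looping described above. The ground procedure never loops because the ordering is total and every rule strictly decreases it.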

Note that this work could benefit other projects and tools, like Moca, a generator of construction functions for private data types with algebraic invariants, also based on completion, or Europa, a proof assistant based on the lambda-Pi-calculus modulo rewriting developed by Gilles Dowek and Mathieu Boespflug. Indeed, Moca currently generates OCaml code with no guarantee of its correctness. Using PML instead, Moca could also generate a proof of correctness of the generated construction functions. Later, when proving the correctness of a function defined on such a private data type, the invariants satisfied by the values of the private data type can be used as assumptions, since they hold by construction.

4.b - Use of external provers (beginning 03/2012, delivered 09/2015). As for termination proofs, in order to increase the proving capabilities of PML, we will provide a translation of PML proof goals into the TPTP standard format of the CASC competition, in order to be able to use external provers too, in particular completion-based provers like Waldmeister, CiME or mkbTT, but not only: possibly also certifying provers like Zenon, based on tableaux, or Alt-Ergo, based on SMT (SAT modulo theories).

Same remark as for termination: the problem is undecidable, and the available external tools for automated reasoning are always evolving (new systems are developed, old systems are changed or abandoned). This implies that this task will in fact never end: we will always be trying to improve automated reasoning.

Task 5 - validation (transverse task)

Coordinator: Christophe Raffalli

Participants: Pierre Hyvernat, Christophe Mouilleron, Tom Hirschowitz.

Validation requires writing numerous examples to check that we fulfil our main goal, which is that all programs (with or without proofs) are written in the best possible way. This work being research, we think it important that any piece of PML code that does not look right is carefully examined to check that this is not due to a defect in the language design.

Christophe Mouilleron and Erik Martin-Dorel started to work on the axiomatization of computer arithmetic within an ongoing PEPS project. This is a good test for PML, and moreover a requirement: we want PML to be a real programming language, so the limited arithmetic of processors (32- and 64-bit integers and floating point numbers) must be supported by PML. However, proving software that uses them is not trivial at all, and Christophe Mouilleron, member of the Arénaire team at ENS Lyon, is a specialist in this domain.

Tom Hirschowitz and Christophe Raffalli have already started (and almost finished) a proof in PML that categories, functors and natural transformations form a 2-category (this development is available in the example directory of the current version of PML). We plan to continue such abstract developments and think they could lead to interesting perspectives about the modularity of PML.

More general code, including a standard library and some significant mathematics, should be developed (there are already around 10,000 lines of PML code in the current distribution). Moreover, we started to port Pierce et al.'s Coq course on software foundations (http://www.cis.upenn.edu/~bcpierce/sf/) to PML. The first three files are translated, and there remain a dozen files of around 2500 lines to translate. This is a major piece of work, but it would provide a very good test for PML, and a good tutorial.

This task should deliver at least 100,000 lines of PML code, a sufficient corpus to say in which respects we fulfilled our goals.

Task 6 - Optimization of PML (transverse task)

Coordinator: C. Raffalli

Participants: All (anyone could optimize the part of PML he was involved in).

Some of the choices in the design of PML involve rather complex algorithms, notably the constraint checking algorithm and the completion procedure. The first implementation is not trivial, but not optimized either, and very often we have discovered (and will continue to discover) that PML is too slow. The goal of this transversal task is to ensure that PML is usable.

Some optimisations have already been added. For instance, PML uses a SAT solver for various tasks: checking exhaustiveness and usefulness of cases in pattern matching, and dealing with negative hypotheses (like x is not equal to S[x]) in the completion procedure. Improving the SAT solver using J.C. Filliâtre's work [] and simplifying the formulas before handing them to the SAT solver were major improvements.

A lot of other optimisations are planned:

  • The graph used to encode the typing constraints should probably be reduced (that is, we should compute its transitive reduction).
  • The completion procedure stores a set of terms of the language, and we need a fast way to recover the set of all terms using a given subterm. The current implementation is too naive.
  • ...

Planning of tasks, deliverables and milestones

The following diagram represents the summary of the tasks and subtasks, together with the intended planning:

Pml-gantt.png

Data management, data sharing, intellectual property and results exploitation

Results in each of the tasks will be published in journals (APAL, TCS, ...) and international conferences as usual (LICS, TLCA, CSL, CiE, ...).

The PML language is already distributed as open source software under the CeCILL-B license. We think that for such a research platform this is the only possible way to ensure that people will try it. As soon as a first compiler is available, we plan to produce easy-to-install packages, at least for some well-known Linux distributions (Debian and its derivatives seem a good choice).

Consortium organization and description

Relevance of the partner for the project

This project involves only one partner, the LAMA (UMR 5127), where the coordinator of the project already developed the proof assistant PhoX. The main characteristic of PhoX is to be rather simple to use thanks to a limited (fewer than 20 principal ones) but powerful set of tactics. Moreover, tactics are extensible by incorporating theorems into them.

Clearly, this means that efficiency was the main goal of PhoX. Unfortunately, as with all tactic-based theorem provers, PhoX proofs are not readable. After a few attempts with a Mizar-like mode for PhoX, Christophe Raffalli decided to move to a new theorem prover, starting from scratch.

Pierre Hyvernat is also in Chambéry and is the second developer of PML (he wrote the current termination checker). Tom Hirschowitz has prior experience from his PhD in the compilation of functional languages. At ENS Lyon, which is very near Chambéry, Alexandre Miquel is a specialist of consistency proofs for logical frameworks. Therefore, Chambéry is the very natural partner for this project.

Qualification of the project coordinator and members

The coordinator and the various members of the project come from various backgrounds (see section 7), but they share a common background in the use and development of programming languages and/or formal methods. We think that this variety, together with the small number of members, should allow for good communication and should be very fruitful.

We think that, compared with the development of PML by Christophe Raffalli alone, such a team should speed up the development of PML by approximately a factor of 3, making it possible to deliver a very innovative and useful tool at the end of the project. The lack of support for such a team would certainly limit the tool to an experimental toy, with many developments only partially (or even not at all) integrated into the project.

Christophe Raffalli will also ask for delegations (teaching release) during the project to be able to spend even more time on it.

Scientific justification of requested budget

Meetings (total 9720€ per year)

Two meetings and one workshop per year, 3 days each, for 7 people. Each meeting costs 1 train ticket in France, 3 days and 2 nights: 3*7*(100 + 3*20 + 2*80) = 6720€.

For the workshop, we have to invite 2 to 3 guests. Some may come from foreign countries, and we estimate the cost at 3000€ per year, which means a total of 9720€ per year.

Visits (total 10000€)

We think it is very important for this project to interact with other projects. For instance, Andreas Abel came to visit Chambéry in 2010 for two weeks, financed by our PEPS project; during this time he gave an important boost to the implementation of the termination checker [Hyv10b] and contributed a non-trivial example with a proved implementation of left-leaning red-black trees.

We want to continue such interactions. Andreas Abel has already agreed, as well as Joe Wells for discussions about error reporting and Assia Mahboubi for complex proofs involving the reflection principle. Many other discussions would be profitable: about the PML runtime (with multithreading?), interaction with external tools (termination checkers or automated theorem provers), uniqueness typing (meeting with people already using such techniques), ...

We plan around 4 short visits of one or two weeks from people outside the project to Chambéry and the same number of short visits in the other direction. This means around 12 weeks per year with 8 trips, at a cost of 500€ per week (x12) plus on average (depending on whether plane or train is used) the same amount per trip (x8), for a total of 10000€ per year.

Conferences (total 9600€ per year)

The members of the ANR project will submit papers to international conferences and journals and attend specialized workshops. We have 2.5 person-years per year on the project, which means around 3 international conferences or workshops per year (estimated cost 2000€) and one national conference or workshop per year (estimated cost 1200€).

Master internships (total 1500€ per year)

We plan to host around four master internships in good conditions (possibly followed by PhD studentships not financed by the ANR): one per year, for a total cost of 6000€ (1500€ each: 300€ for travel and 200€ per month for accommodation at the CROUS).

Computers (total 2000€ per year)

We consider that the ANR project has to contribute to the renewal of the computers of its participants. The lifetime of a computer being 4 years and the total number of months for permanent members of the project being 112, we think that we should pay for 4 computers with an average value of 2000€ each (we need powerful computers and laptops, because automated reasoning requires a lot of computation and memory).

Human resources financed by the ANR (1 PhD student, 2 two years postdocs and 4 month of invited professor)

This project involves many tasks and 7 members. However, all members apart from the coordinator and Pierre Hyvernat can only devote 2-3 month per year to this project (they are involved in other ongoing research). Although this is far from negligible, we think that we will need more human power: we estimate that 1 PhD and 2 postdocs are reasonable.

We also consider that one year post-doc are not sufficient, because the time need to understand the existing code base is long and the student has both to write code and publish its result. Moreover, the code produced by the student will not be an experimental code to support its publication, but code which should remain in the project and be maintened by other member of the project. In one year, this seems impossible to achieve.

Moreover, as mentioned in the section about visits, we would like to have 1 month per year of invited professor.

This would give a total of 88 months (4 months of invited professor, 36 for the PhD student and 48 for the 2 postdocs), to be compared with the total of 104/112 months not paid by the ANR. We consider that this is a good balance.

The total cost is 308589€.

Human resources not financed by the ANR

Name                    Months/year   Percentage
Christophe Raffalli     10            85%
Frédéric Blanqui        4             25%
Emmanuel Chailloux      2             15%
Tom Hirschowitz         2             15%
Pierre Hyvernat         6             50%
Alexandre Miquel        2             15%
Christophe Mouilleron   0/2           0/15%
Total per year          26/28
Total for 4 years       104/112

Remark: the situation of Christophe Mouilleron next year is unknown. If possible, he will continue his work on PML, started with the PEPS, for around 2 months per year. But if this is not possible, or if he is selected for the postdoc position, then he should not be counted. We used the worst case on the website.

The total cost is 350333€, ignoring Christophe Mouilleron.

Annexes

CV and resume of all project members

Christophe Raffalli (project coordinator)

Age 41, MCF at the LAMA (UMR 5127) since September 1997.

After his PhD at Paris VII (defended in February 1994), Christophe Raffalli spent a year and a half at the LFCS in Edinburgh, 2 years at Chalmers University in Göteborg (postdoc of the TYPES European project) and 1 year as ATER at Créteil University.

Research administration: for ten years, the LAMA was a sub-site of the Paris VII site inside the TYPES project, which was renewed several times, and Christophe Raffalli was the coordinator for this sub-site. Currently the project is not financed by the E.U. Nevertheless, Christophe Raffalli is in charge of the organization of the next TYPES meeting in Aussois in May 2009.

His research interests include:

  • theory and implementation of proof assistants,
  • proof theory,
  • implementation of programming languages (especially type-systems).


Selected publications

  • [Raf10b] Realizability for programming languages (submitted, available as hal-00474043)
  • [Raf08a] PML and strong normalization, talk at the TYPES workshop, April 2008, Torino, Italy
  • [Raf07b] PML: a new proof assistant, talk at the TYPES workshop, May 2007, Cividale del Friuli (Udine), Italy
  • [Raf06a] Realizability of the axiom of choice in HOL (An analysis of Krivine's work), with Frédéric Ruyer, in Fundamenta Informaticae (2006)
  • [Raf05a] PhoX, with Paul Rozière, in The Seventeen Provers of the World, Freek Wiedijk (editor), LNAI 3600, pages 67-71
  • [Raf03b] System ST, Schedae Informaticae, proceedings of the Chambéry-Krakow-Lyon Workshop, Vol. 12, pages 97-112 (June 2003)
  • [Raf02c] Getting results from programs extracted from classical proofs, TCS 2004, volume 323, pages 49-70
  • [Raf02b] System ST, beta-reduction and completeness, presented at LICS 2003, IEEE publication, pages 21-32
  • [Raf02a] Computer Assisted Teaching in Mathematics, with René David, to appear in the proceedings of the Workshop on 35 years of Automath (April 2002, Edinburgh)
  • [Raf01d] System ST, towards a Type System for Extraction and Proof of Programs, Archive for Pure and Applied Logic, 2003, volume 122, pages 107-130
  • [Raf01c] Apprentissage du raisonnement assisté par ordinateur, with René David, Quadrature, issue 45, spring 2002, pages 25-36. Short version published in the Gazette de la SMF, April 2002, issue 92, pages 48-56

Frederic Blanqui (INRIA, Rocquencourt)

Age 38, permanent full-time researcher at INRIA.

Frederic Blanqui is an expert in the following areas:

  • type theory,
  • rewriting theory,
  • termination,
  • functional programming,
  • proof assistants,
  • and formal certification of program properties.

Since September 2008, he has been an INRIA researcher at LIAMA, the Sino-French Laboratory in Computer Science, Automation and Applied Mathematics.

Between 2003 and 2008, he was an INRIA researcher at LORIA, Nancy, in the Protheo research team led by Pr Claude Kirchner, focusing on the use of rewriting techniques for programming, as well as for specifying and proving program properties.

Since 2004, he has been leading the CoLoR project, which aims at providing tools for automatically certifying the termination of programs. Since 2007, CoLoR has been the best certification back-end in the international competition on certified termination provers.

In 2007 and 2008, he led the INRIA Quotient project, which aims at extending the OCaml programming language with types whose values automatically satisfy equational invariants, using the Moca tool.

He supervised 2 master theses and 3 PhD students on the extension of type theory with decision procedures, the termination of typed higher-order rule-based programs, and the certification of termination proofs.

He did his PhD with Pr Jean-Pierre Jouannaud at the University of Paris Sud between October 1998 and September 2001, on the combination of type theory and rewriting theory.

Between October 2001 and August 2002, he worked on the certification of cryptographic protocols with Pr Larry Paulson at Cambridge, UK.

Between September 2002 and September 2003, he worked at École Polytechnique in the Coq development team on the extension of the proof assistant Coq with rewriting.

More details on his activities and publications can be found on his web page and in his CV.


Selected publications

International journals with reading committee: 7

International conferences with reading committee: 15

Other publications (thesis, workshops, invited papers, reports, etc.): 15

Prizes: 2001 SPECIF Award for his PhD thesis by the French national society of teachers and researchers in computer science; and 2001 Kleene Award for the best young researcher paper at the IEEE Symposium on Logic in Computer Science (LICS).


Five most significant publications in the last 5 years:

  • [Bla11] F. Blanqui and A. Koprowski. CoLoR: a Coq library on well-founded rewrite relations and its application to the automated verification of termination certificates. To appear in Mathematical Structures in Computer Science.
  • [BRK10] F. Blanqui, C. Riba and C. Kirchner. On the confluence of lambda-calculus with conditional rewriting. Theoretical Computer Science 411(37), p. 3301-3327.
  • [BR09] F. Blanqui and C. Roux. On the relation between sized-types based termination and semantic labelling. CSL'09. LNCS 5771.
  • [BJS08] F. Blanqui, J.-P. Jouannaud and P.-Y. Strub. From formal proofs to mathematical proofs: a safe, incremental way for building in first-order decision procedures. TCS'08. IFIP 273.
  • [BHW07] F. Blanqui, Thérèse Hardin and Pierre Weis. On the Implementation of Construction Functions for Non-free Concrete Data Types. ESOP 2007: 95-109.

Emmanuel Chailloux (LIP6, Paris)

Age 51, full professor at the University Pierre et Marie Curie (UPMC - Paris 6) in Paris, France, and since October 2006 researcher at the LIP6 computer science laboratory (UMR 7606), in the "Algorithms, Programs and Resolution" team (APR).

His research work is related to the design and implementation of programming languages:

  • semantics,
  • type systems,
  • runtime implementation,
  • multicores.

Most of the recent publications relate to safety-critical software development.


Recent publications


[VWC-2011] Vaugon B., Wang P., Chailloux E. Les microcontrôleurs PIC programmés en Objective Caml. Journées des Langages Applicatifs (JFLA'2011), janvier 2011.

[WJC-2010] Wang P., Jonquet A., Chailloux E. Non-Intrusive Structural Coverage for Objective Caml. 5th Workshop on Bytecode Semantics, Verification, Analysis and Transformation (Bytecode), 2010.

[PAMCCWMC-2009] Pagano B., Andrieu O., Moniot T., Canou B., Chailloux E., Wang P., Manoury P., Colaço J.-L. Experience Report: Using Objective Caml to develop safety-critical embedded tools in a certification framework. International Conference on Functional Programming (ICFP'09), 2009.

[CBC-2008] Canou B., Balat V., Chailloux E. O'Browser : Objective Caml on browsers. The 2008 ACM SIGPLAN Workshop on ML, 2008.

[CRV-2008] Chailloux E., Ravet V., Verlaguet J. HIRONDML: Fair Threads Migrations for Objective Caml. Parallel Processing Letters 18, 1 2008, 55--69.

[PACCCMW-2008] Pagano B., Andrieu O., Canou B., Chailloux E., Colaço J.-L., Moniot T., Wang P. Certified development tools implementation in objective caml. International Symposium on Practical Aspects of Declarative Languages (PADL 08), 2008.

[HMC-2007] Henry G., Mauny M., Chailloux E. Typer la désérialisation sans sérialiser les types. Technique et Science Informatiques 26, 9 (2007) 1067-1090.

[CM-2006] Chailloux E., Mauny M. Programmation fonctionnelle. Encyclopédie de l'informatique et des systèmes d'information (2006) 1016--1027.

Tom Hirschowitz (LAMA, Chambéry)

Age 34, CR CNRS (computer science), LAMA

  • 2007 CR CNRS at the LAMA (UMR 5127) in Chambéry
  • 2004-2007 CR CNRS at the LIP (UMR 5668) in Lyon
  • 2003-2004 ATER, Plume team, LIP, ENS Lyon
  • 2000-2003 PhD (advisor: X. Leroy, INRIA Rocquencourt, Cristal project)
  • 1999-2000 DEA at Paris 7
  • 1996-2000 École Nationale des Ponts et Chaussées

10 publications in international journals and conferences

Selected publications

  1. T. Hirschowitz, X. Leroy, and J. B. Wells. Compilation of extended recursion in call-by-value functional languages, PPDP 2003. Journal version in Higher-Order and Symbolic Computation 22-1, 2009.
  2. R. Garner, T. Hirschowitz, and A. Pardon. Variable Binding, Symmetric Monoidal Closed Theories and Bigraphs. CONCUR'09. 2009.
  3. A. Hirschowitz, M. Hirschowitz, T. Hirschowitz. Contraction-free Proofs and Finitary Games for Linear Logic. MFPS, 2009.
  4. A. Hirschowitz, M. Hirschowitz, T. Hirschowitz. A Theory for Game Theories. FSTTCS, 2007.
  5. T. Hirschowitz, X. Leroy. Mixin Modules in a Call-by-Value Setting, ESOP, 2002, journal version in ACM Transactions on Programming Languages and Systems, 2005.

Pierre Hyvernat (LAMA, Chambéry)

Age 30, "maître de conférences" at the Université de Savoie (in Chambéry) since September 2006, member of the LAMA.

He obtained his PhD in December 2005, under the supervision of Thierry Coquand (Chalmers, Göteborg, Sweden) and Thomas Ehrhard (at the time at the IML, Luminy, Marseille, France).

His research interests relevant to PML include

  • denotational semantics,
  • type theory and constructive mathematics.


Selected publications

  • [Hyv10b] The Size-Change Termination Principle for Constructor Based Languages (hal-00547440, submitted)
  • [HHy06] with P. Hancock: Programming Interfaces and Basic Topology. "Annals of Pure and Applied Logic", volume 137, January 2006,
  • [Hyv05] Synchronous Games, Simulations and lambda-calculus, proceedings of the "GaLoP" workshop, ETAPS 2005. (journal version submitted to Annals of Pure and Applied Logic),
  • [Hyv04] Predicate Transformers and Linear Logic: yet another Denotational Model, Lecture Notes in Computer Science, vol. 3210, September 2004.

Alexandre Miquel (PPS, Paris 7)

Age 37, "maître de conférences" at the Université Paris-Diderot (Paris 7) since September 2003, member of PPS. Currently CNRS research associate ("délégation") in the Plume team at the LIP (ENS Lyon) since September 2008.

He obtained his PhD in December 2001, under the supervision of Hugo Herbelin (INRIA/LIX) in the Coq team (now TypiCal).

From October 2001 to August 2002 he was a postdoc at the Chalmers Institute of Technology (Göteborg, Sweden) under the supervision of Thierry Coquand, and from September 2002 to August 2003 he was "ATER" at the LRI (Orsay).

He is a specialist in models of type theory (especially the calculus of constructions) and in the correspondence between set theory and type theory. His research interests also include:

  • logic, proof-theory, rewriting,
  • denotational semantics (set- and domain-theoretic),
  • realizability in classical logic.


Selected publications

His most significant publications are:

  • [Miq07] Classical program extraction in the calculus of constructions (CSL'07),
  • [Miq06] with A. Arbiser and A. Ríos. A lambda-calculus with constructors (RTA'06),
  • [Miq04] Lambda-Z: Zermelo's Set Theory as a PTS with 4 Sorts (TYPES'04),
  • [Miq03] A Strongly Normalising Curry-Howard Correspondence for IZF Set Theory (CSL'03),
  • [Miq00] A Model for Impredicative Type Systems with Universes, Intersection Types and Subtyping (LICS'00).

Christophe Mouilleron (LIP, ENS de Lyon)

Age 26, PhD student in the Arenaire team at the LIP (ENS de Lyon) since September 2008. He works under the supervision of Claude-Pierre Jeannerod (INRIA/LIP) and Gilles Villard (CNRS/LIP).

His research interests relevant to PML include:

  • computer arithmetic,
  • code generation,
  • formal proof of numerical properties in programs.


Publications

  • [MouRev10] C. Mouilleron and G. Revy. Automatic Generation of Fast and Certified Code for Polynomial Evaluation. (submitted, available as ensl-00531721)
  • [JeaMou10] C.-P. Jeannerod and C. Mouilleron. Computing Specified Generators of Structured Matrix Inverses. (ISSAC'10)
  • [BJJK+10] C. Bertin, C.-P. Jeannerod, J. Jourdan-Lu, H. Knochel, C. Monat, C. Mouilleron, J.-M. Muller, and G. Revy. Techniques and tools for implementing IEEE 754 floating-point arithmetic on VLIW integer processors. (PASCO'10)
  • [LTdD+10] V. Lefèvre, P. Théveny, F. de Dinechin, C.-P. Jeannerod, C. Mouilleron, D. Pfannholzer, and N. Revol. LEMA : Towards a Language for Reliable Arithmetic. (PLMMS'10)

Relevant publications by non-participants in the project

Here are some publications and resources of interest for the project:

Language design and theory:

  • [SOW97] Martin Sulzmann, Martin Odersky, Martin Wehr, Type inference with constrained types, TAPOS, 1997.
  • [HW04] Christian Haack and J. B. Wells, Type error slicing in implicitly typed higher-order languages, Sci. Comput. Programming, 50:189-224, 2004.
  • [Ruy06] Frédéric Ruyer, Preuves, types et sous-type, PhD thesis, 2006, supervised by C. Raffalli.

Termination:

  • [LJ01] Lee, Jones, et al. The size-change principle for program termination - ACM SIGPLAN Notices - 2001
  • [Abel04] Andreas Abel, Termination Checking with Types, Special Issue: Fixed Points in Computer Science (FICS'03 and RAIR'04)
  • [Bar04] G. Barthe, M. J. Frade, E. Giménez, L. Pinto and T. Uustalu, Type-Based Termination of Recursive Definitions, 2004, Mathematical Structures in Computer Science.
  • [Gie06] J. Giesl, S. Swiderski, P. Schneider-Kamp, and R. Thiemann, Automated Termination Analysis for Haskell: From Term Rewriting to Programming Languages, Proceedings of the 17th International Conference on Rewriting Techniques and Applications (RTA-06), Lecture Notes in Computer Science 4098.

The Clean language:

  • [AGR92] Peter Achten, John van Groningen and Rinus Plasmeijer (1992). High-level specification of I/O in functional languages, Proc. of the Glasgow workshop on Functional programming, ed. J. Launchbury and P. Sansom, Ayr, Scotland, Springer-Verlag, Workshops in Computing, pp. 1-17.
  • [AcP95] Peter Achten and Rinus Plasmeijer (1995). The Ins and Outs of CONCURRENT CLEAN I/O, Journal of Functional Programming, 5, 1, pp. 81-110.
  • [AcP97] Peter Achten and Rinus Plasmeijer (1997). Interactive Functional Objects in CLEAN, Proc. of the 1997 Workshop on the Implementation of Functional Languages (IFL'97), eds. K. Hammond, T. Davie and C. Clack, St. Andrews, Scotland.
  • [VPA07] Edsko de Vries, Rinus Plasmeijer, and David M. Abrahamson, Uniqueness Typing Simplified.
  • the language report by Rinus Plasmeijer and Marko van Eekelen,
  • the language homepage.

Involvement of project participants in other grants, contracts, etc.

  • Emmanuel Chailloux is a member of the ANR PWD ("Programmation du Web Diffus"), whose leader is Manuel Serrano (Inria), and of the FUI OpenGPU project.
  • Tom Hirschowitz is involved in the ANR PiCoq and in the ANR proposals RÉCRÉ and CATHRE.
  • Pierre Hyvernat is involved in the ANR proposal RÉCRÉ.
  • Alexandre Miquel is involved in the ANR proposal RÉCRÉ.
  • Christophe Raffalli is involved in the ANR proposal RÉCRÉ.

Remark: the interaction between PML and RÉCRÉ is natural because the proof technique used to ensure some of the properties of the PML language is realizability, which is one of the themes of the ANR proposal RÉCRÉ.