Trusting Computations: a Mechanized Proof from Partial Differential Equations to Actual Program

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the [Original Paper Viewer] below or the Original ArXiv Source.

Computer programs may go wrong due to exceptional behaviors, out-of-bound array accesses, or simply coding errors. Thus, they cannot be blindly trusted. Scientific computing programs are no exception in that respect, and even bring specific accuracy issues due to their massive use of floating-point computations. Yet, it is uncommon to guarantee their correctness. Indeed, we had to extend existing methods and tools for proving the correct behavior of programs to verify an existing numerical analysis program. This C program implements the second-order centered finite difference explicit scheme for solving the 1D wave equation. In fact, we have gone much further, as we have mechanically verified the convergence of the numerical scheme in order to get a complete formal proof covering all aspects from partial differential equations to actual numerical results. To the best of our knowledge, this is the first time such a comprehensive proof is achieved.


💡 Research Summary

The paper presents a complete mechanized verification pipeline that starts from the mathematical formulation of a partial differential equation (PDE) and ends with a formally proved, error‑free C implementation of its numerical solution. The target problem is the one‑dimensional wave equation ∂²u/∂t² = c²∂²u/∂x² with prescribed initial and boundary conditions. The authors choose the classic second‑order centered finite‑difference explicit scheme, which updates the solution at grid point i and time level n+1 by
uⁿ⁺¹ᵢ = 2uⁿᵢ – uⁿ⁻¹ᵢ + (cΔt/Δx)² (uⁿᵢ₊₁ – 2uⁿᵢ + uⁿᵢ₋₁).
The paper is organized into four major sections.

  1. Continuous analysis – Using Laplace transforms and energy estimates, the authors prove existence, uniqueness, and stability of the exact PDE solution in the L² norm. This establishes a solid analytical baseline and clarifies the role of the wave speed c and the imposed boundary conditions.

  2. Discrete scheme analysis – The truncation error of the finite‑difference method is shown to be O(Δt² + Δx²), confirming second‑order consistency. Stability is proved by discretising the energy method; the discrete energy is non‑increasing provided the Courant–Friedrichs–Lewy (CFL) condition cΔt/Δx ≤ 1 holds. By invoking the Lax‑Richtmyer theorem, the authors deduce convergence of the scheme under the same CFL restriction.

  3. Mechanised mathematics – All analytical results are formalised in the Coq proof assistant. The continuous PDE, the discrete scheme, and the Lax‑Richtmyer argument are encoded as inductive definitions and lemmas. Floating‑point arithmetic is modelled with the Flocq library, which faithfully represents IEEE‑754 rounding, underflow, and overflow. The Coq development automatically checks that, for any admissible mesh sizes satisfying the CFL bound, the discrete solution converges to the continuous one.

  4. Software verification – The actual C program implements the scheme with two nested loops over time and space, storing values in arrays. Using Frama‑C and ACSL annotations, the authors specify pre‑ and post‑conditions, loop invariants, and array bounds. The WP (Weakest Precondition) plugin, together with the Flocq‑enhanced floating‑point model, proves that (a) no out‑of‑bounds memory accesses can occur, (b) all arithmetic follows the IEEE‑754 standard, and (c) the program’s output satisfies the mathematically proven convergence rate.

The combined result is a theorem stating that, for any input parameters (Δt, Δx, initial data) that respect the CFL condition and are represented within the floating‑point format, the C program will terminate without runtime exceptions and will produce numerical results that converge to the exact solution at the expected second‑order rate.

The significance of this work lies in its holistic approach: it bridges three traditionally separate domains—PDE theory, numerical analysis, and formal software verification—into a single, machine‑checked proof. By extending existing tools (Coq, Flocq, Frama‑C) to handle the interplay of continuous mathematics, discretisation error, and low‑level implementation details, the authors demonstrate that scientific computing codes can be made as trustworthy as safety‑critical software. The methodology is scalable; the same pipeline can be adapted to higher‑dimensional, nonlinear, or multiphysics simulations, offering a roadmap for building provably correct computational science software.

