Results 1-10 of 14
A Coiterative Characterization of Synchronous Stream Functions
1997
Cited by 18 (4 self)
This paper presents an attempt to characterize synchronous stream functions within the framework of coiteration and to use this characterization in building a compiler for (higher-order and recursive) synchronous dataflow programs. First, length-preserving functions are considered and we show that streams equipped with such functions form a Cartesian-closed category. Then this point of view is extended toward non-length-preserving ones and we stress the use of "empty" values in handling this case. Finally, the implementation we did of this material in a synchronous stream package built on top of an ML-like language is briefly described.
Coinductive Axiomatization of a Synchronous Language
In Proceedings of Theorem Proving in Higher Order Logics (TPHOLs'98), number 1479 in LNCS, 1998
Cited by 9 (4 self)
Over the last decade, the increasing demand for the validation of safety-critical systems led to the development of domain-specific programming languages (e.g. synchronous languages) and automatic verification tools (e.g. model checkers). Conventionally, the verification of a reactive system is implemented by specifying a discrete model of the system (i.e. a finite-state machine) and then checking this model against temporal properties (e.g. using an automata-based tool). We investigate the use of a theorem prover, Coq, for the specification of infinite-state systems and for the verification of coinductive properties.
A methodology for proving control systems with Lustre and PVS
1999
Cited by 8 (1 self)
In this paper, we intend to show how to use the synchronous dataflow language Lustre, combined with the PVS proof system, in deriving provably-correct (distributed) control programs. We hopefully illustrate, based on a railway emergency braking system example, the features of our approach: asynchronous periodic programs with nearly the same period, communicating by sampling; equational reasoning, which leaves to the Lustre compiler the task of scheduling computations; no distinction between control programs and physical environments, which are sampled in the same way. This allows us to provide "elementary" proofs based on difference equations instead of differential ones, which require more involved PVS formalization.

1 Introduction

Control systems form an important class of critical computer systems: it is in this domain that some of the most critical applications can be found, for instance in civil aircraft, ground transportation, nuclear power etc. Thus, a lot of activity ha...
Verifying Self-stabilizing Population Protocols with Coq
Cited by 4 (4 self)
Population protocols are an elegant model recently introduced for distributed algorithms running in large and unreliable networks of tiny mobile agents. Correctness proofs of such protocols involve subtle arguments on infinite sequences of events. We propose a general formalization of self-stabilizing population protocols with the Coq proof assistant. It is used in reasoning about a concrete protocol for leader election in complete graphs. The protocol is formally proved to be correct for networks of arbitrarily large size. To this end we develop an appropriate theory of infinite sequences, including results for reasoning on abstractions. In addition, we provide a constructive correctness proof for a leader election protocol in directed rings. An advantage of using a constructive setting is that we get more informative proofs on the scenarios that converge to the desired configurations.
A Framework for Verifying Data-Centric Protocols
Cited by 4 (3 self)
Data-centric languages, such as recursive rule-based languages, have been proposed to program distributed applications over networks. They greatly simplify the code, which is orders of magnitude shorter and much more declarative, while still admitting efficient distributed execution. We show that they also provide a promising approach to the verification of distributed protocols, thanks to their data-centric orientation, which allows one to explicitly handle global structures, such as the topology of the network, routing tables, trees, etc., as well as their properties. We consider a framework using an original formalization in the Coq proof assistant of a distributed computation model based on message passing with either synchronous or asynchronous behavior. The declarative rules of the Netlog language for specifying distributed protocols, as well as the virtual machines for evaluating these rules, are encoded in Coq as well. We consider tree protocols as a case study, and show how this framework enables us to formally verify them in both the asynchronous and synchronous setting.
A Comparison of the Coq and HOL Proof Systems for Specifying Hardware
1997
Cited by 3 (2 self)
Coq and HOL are proof systems based upon versions of higher-order logic, which broadly follow the LCF theorem-proving paradigm. However, Coq is based on a constructive logic, whereas HOL is based on classical higher-order logic. Both systems have been advocated for the specification and verification of hardware. In this paper we describe a detailed comparison of the two approaches for specifying the structure and behaviour of hardware using these systems. The example used is the Fairisle 4 by 4 switching fabric: a real ATM network chip. We discuss the advantages and disadvantages of both the underlying logics and their particular implementations as embodied in the two proof systems. Different styles were used in the two specifications. We therefore also compare these two styles and note the extent to which their choice was determined by the logic, its implementation or personal choice of the specifier.

1 Introduction

There currently exists a wide range of proof systems based on diffe...
The Circuit That Was Too Lazy to Fail
In Proceedings of the Glasgow Functional Programming Workshop, 1997
Cited by 1 (0 self)
This paper describes a translation of a relational hardware description language into a functional language in such a way that the user does not have to decide the direction of the data flow in the functional language. This approach relies on laziness, making the translation hard to analyse. The use of a theorem prover that supports reasoning about laziness and undefined elements allows the investigation of the validity of the translation.
Temporal Logic in Coq
1998
Cited by 1 (0 self)
The aim of this work is to implement temporal logic in the Coq proof assistant system. This implementation uses the logical language of Coq as a metalanguage for temporal logic representation. The work starts with a crash introduction devoted to introducing the Coq system. The implementation of linear temporal logic and two branching temporal logics is discussed. In both linear and branching temporal logic, soundness verification of the proposed axiomatizations is made. Some application examples are shown.

1 Acknowledgments

To Prof. Amílcar Sernadas, without whom this work would not have been possible, for his ideas and guidance. To Carlos for his guidance, constant help, presence and friendship. To Jaime and Paulo for their suggestions. To Sara and Alexandra for their good humor, support and fellowship. To all section 84. This work was partially supported by the PRAXIS XXI Program and FCT, as well as by PRAXIS XXI Projects 2/2.1/MAT/262/94 SitCalc, PCEX/P/MAT/46/96 ACL plus 2/2.1/TI...
Hardware Verification using coinduction in COQ
In Proceedings of the International Conference on Theorem Proving in Higher-Order Logics, 1999
Cited by 1 (0 self)
This paper presents a toolbox implemented in Coq and dedicated to the specification and verification of synchronous sequential devices. The use of Coq coinductive types underpins our methodology and leads to elegant and uniform descriptions of the circuits and their behaviours as well as clear and short proofs. An application to a non-trivial circuit is given as an illustration.

1 Introduction

Coinduction is a powerful tool for dealing with infinite structures. It is especially well suited to proving properties about circuits, where one has to cope with infinitely long temporal sequences. This work presents a general methodology for specifying and proving synchronous sequential circuits in the Calculus of Inductive Constructions (enriched with coinductive types) implemented in the Coq proof assistant [1]. It is a continuation of [5], where we made heavy use of dependent types. We go deeply into this direction, introducing dependent types systematically whenever this leads to m...
Coq and Hardware Verification: a Case Study
TPHOLs'96, LNCS 1125, 1996
Cited by 1 (1 self)
We present, on the example of a left-to-right comparator, several approaches for verifying a class of circuits with the Coq proof assistant. The great expressiveness of the Calculus of Inductive Constructions allows us to give precise and general specifications. Thanks to Coq's higher-order logic, we state general results for establishing the correctness of such circuits. Finally, exploiting the constructive aspect of the logic, we show how to synthesize automatically a certified circuit from its specification.

1 Introduction

During the past decade, intensive and dynamic research has developed in the field of mechanized theorem prover design, resulting in a great deal of new proof assistants. Hardware verification has been one of the original motivations and main applications of this area. Among the earliest and most significant achievements, let us mention the works of Gordon's group using HOL [14, 6] and the proof of the FM8501 [?] with Nqthm [5]. On the one hand, using ...