Section: New Software and Platforms

LDDL: Coq proofs of circuit transformations for fault-tolerance

Functional Description

We have been developing a Coq-based framework to formally verify the functional and fault-tolerance properties of circuit transformations. Circuits are described at the gate level using LDDL, a Low-level Dependent Description Language inspired by μFP [87]. Our combinator language, equipped with dependent types, ensures that circuits are well-formed by construction (gates correctly plugged, no dangling wires, no combinational loops, and so on). Faults such as Single-Event Upsets (SEUs, i.e., bit-flips in flip-flops) and Single-Event Transients (SETs, i.e., glitches propagating through the combinational logic), as well as fault models such as "at most 1 SEU or SET within n clock cycles", are described in the operational semantics of LDDL. Fault-tolerance techniques are described as transformations of LDDL circuits, so that proving a technique correct amounts to proving that the transformed circuit, under the fault model, behaves as the original circuit does without faults.

The framework has been used to prove the correctness of three fault-tolerance techniques: TMR (Triple Modular Redundancy), TTR (Triple-Time Redundancy) and DTR (Double-Time Redundancy) (see Section 7.3.3). The size of specifications and proofs for the common part (LDDL syntax and semantics, libraries) is 5000 lines of Coq (excluding comments and blank lines), plus 700 for TMR, 3500 for TTR and 7000 for DTR.
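To make concrete what the TMR proof above establishes (a transformed circuit whose outputs, under the fault model, coincide with those of the original circuit), here is an added example that is not LDDL or Coq code from the project: a bounded executable check in Python rather than a proof. It models a sequential circuit as a register vector plus gate-level next-state logic, applies a TMR transformation with a majority voter after every flip-flop, and then exhaustively injects every single SEU (one bit-flip in one flip-flop at one cycle, i.e. the "at most 1 SEU within n cycles" fault model for n equal to the run length). The 3-bit counter, its stimulus and the register layout are constructed for this example; the proof in the report covers all circuits, whereas this check only covers one circuit and one finite run.

```python
from typing import Callable, List, Set, Tuple

Bits = Tuple[int, ...]
# A sequential circuit is (number of flip-flops, step function).  The step
# function is the combinational logic: (registers, inputs) -> (next registers, outputs).
Step = Callable[[Bits, Bits], Tuple[Bits, Bits]]


def majority(a: int, b: int, c: int) -> int:
    """Majority voter written as three AND gates and two OR gates."""
    return (a & b) | (b & c) | (a & c)


def counter_step(regs: Bits, inputs: Bits) -> Tuple[Bits, Bits]:
    """Constructed example circuit: a 3-bit counter with an enable input;
    its single output is asserted when the counter holds 7."""
    q0, q1, q2 = regs
    (en,) = inputs
    c1 = q0 & en          # carry chain
    c2 = q1 & c1
    nxt = (q0 ^ en, q1 ^ c1, q2 ^ c2)
    return nxt, (q0 & q1 & q2,)


def tmr(step: Step, n_regs: int) -> Tuple[Step, int]:
    """TMR transformation with a voter after every flip-flop: three copies of
    the flip-flops and of the combinational logic.  Every copy reads the voted
    register values, so a flipped flip-flop is overwritten with the correct
    value on the next clock edge.  Primary outputs are voted as well.
    Register layout of the transformed circuit: copy k owns indices
    k*n_regs .. (k+1)*n_regs-1 (an assumption of this example)."""
    def tmr_step(regs: Bits, inputs: Bits) -> Tuple[Bits, Bits]:
        copies = [regs[k * n_regs:(k + 1) * n_regs] for k in range(3)]
        voted = tuple(majority(copies[0][i], copies[1][i], copies[2][i])
                      for i in range(n_regs))
        results = [step(voted, inputs) for _ in range(3)]   # triplicated logic
        next_regs = tuple(b for nxt, _ in results for b in nxt)
        outs = [o for _, o in results]
        voted_out = tuple(majority(outs[0][j], outs[1][j], outs[2][j])
                          for j in range(len(outs[0])))
        return next_regs, voted_out
    return tmr_step, 3 * n_regs


def run(step: Step, n_regs: int, inputs_seq: List[Bits],
        seus: Set[Tuple[int, int]] = frozenset()) -> List[Bits]:
    """Simulate from an all-zero reset state.  `seus` is a set of
    (cycle, flip-flop index) bit-flips applied to the register vector at the
    start of that cycle, which is how an SEU is modelled here."""
    regs: Bits = tuple([0] * n_regs)
    trace = []
    for t, inp in enumerate(inputs_seq):
        regs = tuple(b ^ int((t, i) in seus) for i, b in enumerate(regs))
        regs, out = step(regs, inp)
        trace.append(out)
    return trace


def failing_single_seus(step: Step, n_regs: int,
                        inputs_seq: List[Bits]) -> List[Tuple[int, int]]:
    """Inject every single SEU over the run (fault model: at most one SEU in
    the whole run) and return the injections whose output trace deviates from
    the fault-free trace.  An empty list means all of them are masked."""
    golden = run(step, n_regs, inputs_seq)
    return [(t, i) for t in range(len(inputs_seq)) for i in range(n_regs)
            if run(step, n_regs, inputs_seq, {(t, i)}) != golden]


INPUTS = [(1,)] * 10          # constructed stimulus: enable held high for 10 cycles
TMR_COUNTER, TMR_REGS = tmr(counter_step, 3)

if __name__ == "__main__":
    print("plain counter, failing single SEUs:",
          failing_single_seus(counter_step, 3, INPUTS))
    print("TMR counter, failing single SEUs:",
          failing_single_seus(TMR_COUNTER, TMR_REGS, INPUTS))
    # Outside the fault model: two SEUs in the same cycle hitting the same
    # flip-flop in two different copies outvote the healthy copy.
    golden = run(TMR_COUNTER, TMR_REGS, INPUTS)
    print("two simultaneous SEUs masked?",
          run(TMR_COUNTER, TMR_REGS, INPUTS, {(3, 0), (3, 3)}) == golden)
```

The last check matters as much as the first two: the fault model is part of the theorem. Two flips of the same register in two copies within one cycle fall outside "at most 1 SEU within n cycles", and the voter has no majority to recover, so the output trace drifts. A bounded simulation like this can only refute a transformation on one circuit and one run; the Coq development is what shows the absence of such counterexamples for every LDDL circuit.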