Section: New Software and Platforms

LDDL

Coq proofs of circuit transformations for fault-tolerance

Keywords: Fault-tolerance - Transformation - Coq - Semantics

Functional Description: We have been developing a Coq-based framework to formally verify the functional and fault-tolerance properties of circuit transformations. Circuits are described at the gate level using LDDL, a Low-level Dependent Description Language inspired from muFP. Our combinator language, equipped with dependent types, ensures that circuits are well-formed by construction (gates correctly plugged, no dangling wires, no combinational loops, . . . ). Faults like Single-Event Upsets (SEUs) (i.e., bit-flips in flipflops) and SETs (i.e., glitches propagating in the combinational circuit) and fault-models like "at most 1 SEU or SET within n clock cycles" are described in the operational semantics of LDDL. Fault-tolerance techniques are described as transformations of LDDL circuits.

The framework has been used to prove the correctness of three fault-tolerance techniques: TMR, TTR and DTR. The size of specifications and proofs for the common part (LDDL syntax and semantics, libraries) is 5000 lines of Coq (excluding comments and blank lines), 700 for TMR, 3500 for TTR and 7000 for DTR.

• Authors: Pascal Fradet and Dmitry Burlyaev

• Contact: Pascal Fradet

• URL: https://team.inria.fr/spades/fthwproofs/