Jean-François Monin

  • PhD
  • Professor (Full) at Grenoble Alpes University

About

60 Publications
7,224 Reads
349 Citations
Current institution
Grenoble Alpes University
Current position
  • Professor (Full)
Education
September 1980 - February 1989
University of Rennes
Field of study
  • Computer Science

Publications

Publications (60)
Chapter
Full-text available
Van Breugel et al. [Theor. Comput. Sci. 333(1–2):171–197, 2005] have given an elegant testing framework that can characterise probabilistic bisimulation, but its completeness proof is highly involved. Deng and Feng [Inf. Comput. 257:58–64, 2017] have simplified that result for finite-state processes. The crucial part in the latter work is an algori...
Conference Paper
In the context of computer assisted verification of schedulability analyses, very expressive task models are useful to factorize the correctness proofs of as many analyses as possible. The digraph task model seems a good candidate due to its powerful expressivity. Alas, its ability to capture dependencies between arrival and execution times of jobs...
Chapter
This chapter presents the SimSoC virtual prototyping framework, a full system simulation framework, based on SystemC and Transaction Level Modeling. SimSoC takes as input a binary executable file, which can be a full operating system, and simulates the behavior of the target hardware on the host system. It is using internally dynamic binary transla...
Article
Full-text available
We sincerely thank the researchers who contributed to this special issue for their inspiring work, as well as the anonymous reviewers for their diligent assistance. In addition, we would like to express our appreciation for the editorial board members of this journal, who provided valuable help and support throughout the preparation of this special...
Article
This book constitutes the refereed proceedings of the First International Symposium on Dependable Software Engineering: Theories, Tools, and Applications, SETTA 2015, held in Nanjing, China, in November 2015. The 20 full papers presented together with 3 invited talks were carefully reviewed and selected from 60 submissions. The papers are organized...
Conference Paper
Full-text available
When reasoning on formulas involving large-size inductively defined relations, such as the semantics of a real programming language, many steps require the inversion of a hypothesis. The built-in “inversion” tactic of Coq can then be used, but it suffers from severe controllability, maintenance and efficiency issues, which makes it unusable in prac...
Conference Paper
Full-text available
Data centric languages, such as recursive rule based languages, have been proposed to program distributed applications over networks. They greatly simplify the code, while still admitting efficient distributed execution, including on sensor networks. From previous work [1], we know that they also provide a promising approach to another tough issue...
Conference Paper
Full-text available
The simulation of Systems-on-Chip (SoC) is nowadays a hot topic because, beyond providing many debugging facilities, it allows the development of dedicated software before the hardware is available. Low-consumption CPUs such as ARM play a central role in SoC. However, the effectiveness of simulation depends on the faithfulness of the simulator. To...
Article
Full-text available
For validating low level embedded software, engineers use simulators that take the real binary as input. Like the real hardware, these full-system simulators are organized as a set of components. The main component is the CPU simulator (ISS), because it is the usual bottleneck for the simulation speed, and its development is a long and repetitive t...
Conference Paper
Full-text available
Data centric languages, such as recursive rule based languages, have been proposed to program distributed applications over networks. They greatly simplify the code, while still admitting efficient distributed execution. We show that they also provide a promising approach to the verification of distributed protocols, thanks to their data centric or...
Article
Full-text available
Declarative languages, such as recursive rule based languages, have been proposed to program distributed applications over networks. It has been shown that they greatly simplify the code, while still offering efficient distributed execution. In this report, we show that moreover they provide a promising approach to the verification of distributed p...
Conference Paper
Full-text available
The simulation of Systems-on-Chip (SoC) is nowadays a hot topic because, beyond providing many debugging facilities, it allows the development of dedicated software before the hardware is available. Low-consumption CPUs such as ARM play a central role in SoC. However, the effectiveness of simulation depends on the faithfulness of the simulator. To...
Article
Full-text available
We show how an inductive hypothesis can be inverted with small proof terms, using just dependent elimination with a diagonal predicate. The technique works without any auxiliary type such as True, False, eq. It can also be used to discriminate, in some sense, the constructors of an inductive type of sort Prop in Coq.
Article
Full-text available
Declarative languages, such as recursive rule based languages, have been proposed to program distributed applications over networks. It has been shown that they greatly simplify the code, while still offering efficient distributed execution. In this paper, we show that moreover they provide a promising approach to the verification of distributed pro...
Chapter
Full-text available
Introduction to Coq Analysis of the text A specification for case 1 A specification for case 2 Experimenting with the specification Running an example Rephrasing the text Conclusion
Article
Full-text available
We report a four-year experiment in teaching reasoning to undergraduate students, ranging from weak to gifted, using Gentzen-Prawitz style natural deduction. We argue that this pedagogical approach is a good alternative to the use of Boolean algebra for teaching reasoning, especially for computer scientists and formal methods practitioners.
Conference Paper
Full-text available
Population protocols are an elegant model, recently introduced, for distributed algorithms running in large and unreliable networks of tiny mobile agents. Correctness proofs of such protocols involve subtle arguments on infinite sequences of events. We propose a general formalization of self-stabilizing population protocols with the Coq p...
Chapter
We introduce a new execution model for implementing FDTs based on the reactive approach. In this model, called the PAM, systems are divided into several reactive entities communicating by an activation mechanism. This paper introduces the PAM approach and shows how different communication mechanisms such as asynchronous fifo in ESTELLE or multiple...
Conference Paper
Full-text available
We study a normalization function in an algebra of terms quotiented by an associative, commutative and involutive operator (logical xor). This study is motivated by the formal verification of cryptographic systems, where a normalization function for xor-terms turns out to play a key role. Such a function is easy to define using general recursion....
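The abstract above says why a normalization function for xor-terms matters when verifying cryptographic systems: two terms built from the same atoms are equal modulo associativity, commutativity and involution exactly when their normal forms coincide. The following is an added example, not code from the paper or from the author's Coq development; the term representation (strings for atoms, a "0" unit, triples for xor nodes) and the one-time-pad sample terms are assumptions introduced here. It shows the idea the paper builds on, with a flat, iterative normalizer rather than the structurally recursive definition the paper studies, and it also shows what such a normalizer reveals about key reuse.

```python
"""Normalization of xor-terms modulo associativity, commutativity and
involution (x ⊕ x = 0, 0 ⊕ x = x).  Added example, not the paper's code."""
from collections import Counter
from typing import Tuple, Union

# Assumed term representation (not the paper's):
#   atom      -> a str such as "m1" or "k"
#   ZERO      -> "0", the unit of xor
#   xor node  -> ("xor", left, right)
ZERO = "0"
Term = Union[str, Tuple[str, "Term", "Term"]]


def xor(left: Term, right: Term) -> Term:
    """Build the syntactic xor of two terms."""
    return ("xor", left, right)


def normalize(term: Term) -> Tuple[str, ...]:
    """Canonical form: the sorted tuple of atoms with odd multiplicity.

    Flattening the tree handles associativity, sorting handles
    commutativity, and counting modulo 2 handles involution (x ⊕ x = 0);
    ZERO contributes nothing.  The walk is iterative, so deeply nested
    inputs do not hit the interpreter's recursion limit.
    """
    counts: Counter = Counter()
    stack = [term]
    while stack:
        t = stack.pop()
        if isinstance(t, str):
            if t != ZERO:
                counts[t] += 1
        elif isinstance(t, tuple) and len(t) == 3 and t[0] == "xor":
            stack.append(t[1])
            stack.append(t[2])
        else:
            raise ValueError(f"malformed term: {t!r}")
    return tuple(sorted(a for a, n in counts.items() if n % 2 == 1))


def rebuild(normal: Tuple[str, ...]) -> Term:
    """Turn a normal form back into a canonical right-nested term."""
    if not normal:
        return ZERO
    term: Term = normal[-1]
    for atom in reversed(normal[:-1]):
        term = xor(atom, term)
    return term


def equal_mod_xor(t1: Term, t2: Term) -> bool:
    """Equality in the quotient algebra: compare normal forms."""
    return normalize(t1) == normalize(t2)


# Constructed sample terms in one-time-pad style: c = m ⊕ k.
M1, M2, K = "m1", "m2", "k"
C1 = xor(M1, K)
C2 = xor(M2, K)

# Decrypting with the right key cancels it: (m1 ⊕ k) ⊕ k ≡ m1.
DECRYPTED = normalize(xor(C1, K))  # -> ("m1",)

# Key reuse: the xor of two ciphertexts under one key is m1 ⊕ m2,
# i.e. the key drops out and the relation between plaintexts leaks.
KEY_REUSE_LEAK = normalize(xor(C1, C2))  # -> ("m1", "m2")

# Nesting and order do not matter: k ⊕ (m1 ⊕ (k ⊕ m2)) ≡ m2 ⊕ m1.
SAME = equal_mod_xor(xor(K, xor(M1, xor(K, M2))), xor(M2, M1))  # -> True

if __name__ == "__main__":
    print(DECRYPTED, KEY_REUSE_LEAK, SAME, rebuild(KEY_REUSE_LEAK))
```

The normal form is a set of atoms rather than a multiset because the operator is involutive; a protocol verifier that compares such normal forms can decide equalities like "the adversary's term reduces to the session key" without a search over rewrite sequences.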
Conference Paper
Full-text available
We provide a proof that the elegant trick of Olivier Danvy for expressing printf-like functions without dependent types is correct, where formats are encoded by functional expressions in continuation-passing style. Our proof is formalized in the Calculus of Inductive Constructions. We stress a methodological point: when one proves equalities betwee...
Article
Full-text available
The ABR conformance protocol is a real-time program that controls dataflow rates on ATM networks. A crucial part of this protocol is the dynamical computation of the expected rate of data cells. We present here a modelling of the corresponding program with its environment, using the notion of (parametric) timed automata. A fundamental property of t...
Chapter
At first glance, algebraic specification techniques may seem to have less relevance to industrial applications than other methods. They are, however, worth studying because they benefit from extensive theoretical research and have had a great influence on other specification techniques, and more importantly, on computer science in general, notably...
Chapter
Full-text available
The table example that we used in previous chapters can be qualified as functional: looking from the outside, we can view it as a function that returns an answer when it is called. We don’t have any concerns or get distracted by its internal computation and internal workings. In contrast, we can hardly understand systems which constantly react to t...
Chapter
This chapter introduces the relationship between typing, logic, and specification. In fact, a type can be viewed as a kind of specification. This analogy can be carried to a fair extent, at least in the framework of the constructive approach to logic, already mentioned on page 42. From this perspective, intuitionistic logic turns out to have better...
Chapter
Mathematical logic has spread out in a variety of ways: model theory, proof theory, set theory, computability, according to Barwise's classification [Bar77]. To this taxonomy we can add type theory, which has become more important since the time of Barwise's overview.
Chapter
In the table example, we would like to consider the search criterion P as a parameter. This is not possible in the framework of a formal method based on first-order logic, at least not in a satisfactory manner: P may be encoded in the form of a set, but in the framework of B, for example, only certain finite sets are allowed; Z is more flexible, bu...
Chapter
Set theory has a strong influence on formal methods. A straightforward reason for this is that the specification languages considered in the last chapter rely directly upon set theory. More significantly, set theory has strong links with logic: as a metalanguage, it provides a semantics for logic via the concept of a model; as an interesting cons...
Chapter
A new problem is always tackled, at the outset, via both intuition and empirical methods. The design of software systems is no exception. The first step is to determine the objects to be realized. We then have to describe them. Most of the time, one employs the usual means of expression to this effect: our mother tongue, explanatory diagrams. Subseque...
Chapter
In the propositional case, a formula P has only a finite number of interpretations: there are exactly 2n of them, where n is the number of atomic propositions used in P. The truth table method makes it easy to determine whether P is satisfied, is a tautology, or is a logical consequence of a finite set of propositions. This is a semantic technique:...
Chapter
Logic provides a syntax for expressing properties. A “meaning” of these expressions and their compositions is defined by the concepts of an interpretation and of a model. We begin by introducing the most simple of these expressions, called propositions. We then present the general case of formulas, which are expressions that depend on the value of...
Chapter
The techniques to be discussed in this chapter are aimed at reasoning about algorithms. We first introduce the traditional notation for annotating a program with assertions. This yields a special kind of proposition and we give the logical rules which govern them — specifically, Hoare logic. Finally, we show another interpretation of these rules, d...
Chapter
This chapter is devoted to formal methods based on set theory. In set theory, a system is modeled using sets which are either considered to be primitive sets (for instance, sets of individuals, of books, of keyboards, etc.) or constructed by means of combinations of primitive subsets using set-theoretic operations. Specific languages can be disting...
Chapter
After a long gestation period, formal methods for software development have reached a maturity level sufficient for use in a range of real applications such as railway or aircraft transportation systems, telecommunications or energy. The fundamental ideas of formal methods have been known for a long time: they emerged with the first computers and h...
Conference Paper
Full-text available
This chapter is an attempt to provide a formal specification which is as faithful as possible to the informal one and consistent. The powerful type system of Coq is used to make our specification both very abstract and eventually executable. This ensures that an implementation can be found. Indeed, we construct mathematical structures or functions...
Article
Full-text available
Conformance control for ATM cells is based on a real-time reactive algorithm which delivers a value depending on inputs from the network. This value must always fit with a well defined theoretical value. We present here the correctness proof of the algorithm standardized for the ATM transfer capability called ABR. The proof turned out to produce a...
Conference Paper
Full-text available
Conformance control for ATM cells is based on a real-time reactive algorithm which delivers a value depending on inputs from the network. This value must always agree with a well defined theoretical value. We present here the correctness proof of the algorithm standardized for the ATM transfer capability called ABR. The proof turned out a key argum...
Conference Paper
Full-text available
This paper presents the techniques used for proving, in the framework of type theory, the correctness of an algorithm recently standardized at ITU-T that handles time explicitly. The structure of the proof and its formalization in Coq are described, as well as the main tools which have been developed: an abstract model of “real-time” that makes no...
Article
Program extraction is a well known technique for developing correct functional programs from a constructive proof of their specification. This paper shows how to deal with exceptions in such a framework. We propose a modular (and impredicative) formalization in the calculus of constructions and we illustrate the technique on three examples.
Conference Paper
Full-text available
This paper is about exceptions handling using classical techniques of program extraction. We propose an impredicative formalization in the calculus of constructions and we illustrate the technique on two examples. The first one, though simple, allows us to experiment various techniques. The second one is an adaptation of a bigger algorithm previous...
Article
Full-text available
The development of a simulator, called Veda, is described. Veda is a software tool to help designers in protocol modeling and validation. It is oriented towards the rapid prototyping of distributed algorithms. Algorithms are described using an ISO (International Organisation for Standardization) formal description technique, called Estelle. The dev...
Article
Full-text available
Available in the files attached to this document.
Conference Paper
We present our experience in developing a system called Véda in which Prolog was used for writing a real-size compiler. We give the main techniques used for increasing the performances of the compiler up to a usable level, and for keeping some flexibility to Véda. Finally we give a few hints about performances.
Article
Full-text available
Inductive characterizations of words containing the same number of 'a' and 'b' can easily be given. However, formally proving the completeness of some of them turns out to be trickier than one may expect. We discuss and compare two Coq developments relating such balanced words to their inductive characterizations. One is based on auxiliary inductiv...
Article
Full-text available
The design and debugging of Systems-on-Chip using a hardware implementation is difficult and requires heavy material. Simulation is an interesting alternative approach, which is both more flexible and less expensive. SimSoC [1] is a fast instruction set simulator for various ARM, PowerPC, and RISC-based architectures. However, speed involves trick...