Position paper: the science of deep specification

Appel, Andrew W.; Beringer, Lennart; Chlipala, Adam; Pierce, Benjamin C.; Shao, Zhong; Weirich, Stephanie; Zdancewic, Steve

doi:10.1098/rsta.2016.0331

Cited by 28 publications

(25 citation statements)

References 70 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Appel et al [12] proposed that a key building principle for deep specifications is vertical compositionality, which means that higher specification levels are related provably correct to n lower specification levels. This allows proving properties at the higher specification level that hold at the lower specification levels.…”

Section: Future Workmentioning

confidence: 99%

Declarative GUIs

Adelsberger

Setzer

Walkingshaw

2018

Proceedings of the 20th International Symposium on Principles and Practice of Declarative Programming

View full text Add to dashboard Cite

Section: Future Workmentioning

confidence: 99%

Declarative GUIs

Adelsberger

Setzer

Walkingshaw

2018

Proceedings of the 20th International Symposium on Principles and Practice of Declarative Programming

View full text Add to dashboard Cite

“…The advent of large-scale mechanized proofs constitutes one of the major success stories of the past decades. Projects such as SEL4 [3], CompCert [22] and DeepSpec [7] show that proof assistants (in particular Coq [1]) have now achieved a maturity level such that they can be used for industrial applications.…”

Section: B Formal Proofs Of Analysis Techniques For Real-time Systemsmentioning

confidence: 99%

A Generic Coq Proof of Typical Worst-Case Analysis

Fradet

Lesourd

Monin

et al. 2018

2018 IEEE Real-Time Systems Symposium (RTSS)

View full text Add to dashboard Cite

This paper presents a generic proof of Typical Worst-Case Analysis (TWCA), an analysis technique for weaklyhard real-time uniprocessor systems. TWCA was originally introduced for systems with fixed priority preemptive (FPP) schedulers and has since been extended to fixed-priority nonpreemptive (FPNP) and earliest-deadline-first (EDF) schedulers. Our generic analysis is based on an abstract model that characterizes the exact properties needed to make TWCA applicable to any system model. Our results are formalized and checked using the Coq proof assistant along with the Prosa schedulability analysis library. Our experience with formalizing real-time systems analyses shows that this is not only a way to increase confidence in our claimed results: The discipline required to obtain machine checked proofs helps understanding the exact assumptions required by a given analysis, its key intermediate steps and how this analysis can be generalized. Index Terms-formal proofs, weakly-hard real-time systems, Coq, deadline miss models.

show abstract

“…As any other piece of software, the CoqTL execution engine is subject to unpredictable changes because of bug fixes, performance improvements or the addition of new features. As we witnessed during the lifetime of other transformation engines [2,25,34,38], this can also lead to several forks of the engine with significant differences in semantics 1 . Subsequent versions of transformation engines typically provide some guarantees of backward compatibility, so that users do not have to rewrite their MTs to exploit the features of the new version.…”

Section: Introductionmentioning

confidence: 98%

Certifying a rule-based model transformation engine for proof preservation

Cheng

Tisi

Hotonnier

2020

Proceedings of the 23rd ACM/IEEE International Conference on Model Driven Engineering Languages and Systems

View full text Add to dashboard Cite

Executable engines for relational model-transformation languages evolve continuously because of language extension, performance improvement and bug fixes. While new versions generally change the engine semantics, end-users expect to get backward-compatibility guarantees, so that existing transformations do not need to be adapted at every engine update. The CoqTL model-transformation language allows users to define model transformations, theorems on their behavior and machinechecked proofs of these theorems in Coq. Backward-compatibility for CoqTL involves also the preservation of these proofs. However, proof preservation is challenging, as proofs are easily broken even by small refactorings of the code they verify. In this paper we present the solution we designed for the evolution of CoqTL, and by extension, of rule-based transformation engines. We provide a deep specification of the transformation engine, including a set of theorems that must hold against the engine implementation. Then, at each milestone in the engine development, we certify the new version of the engine against this specification, by providing proofs of the impacted theorems. The certification formally guarantees end-users that all the proofs they write using the provided theorems will be preserved through engine updates. We illustrate the structure of the deep specification theorems, we produce a machine-checked certification of three versions of CoqTL against it, and we show examples of user theorems that leverage this specification and are thus preserved through the updates. CCS CONCEPTS • Theory of computation → Logic; • Software and its engineering → Software notations and tools.

show abstract

Position paper: the science of deep specification

Cited by 28 publications

References 70 publications

Declarative GUIs

Declarative GUIs

A Generic Coq Proof of Typical Worst-Case Analysis

Certifying a rule-based model transformation engine for proof preservation

Contact Info

Product

Resources

About