Verification of an Autonomous Reliable Wingman using CCL

We present a system of two aircraft, one human-piloted and one autonomous, that must coordinate to achieve tasks. The vehicles communicate over two data channels, one high rate link for state data transfer and one low rate link for command messages. We analyze the operation of the system when the high rate link fails and the aircraft must use the low rate link to execute a safe "lost wingman" procedure to increase separation and re-acquire contact. In particular, the protocol is encoded in CCL, the Computation and Control Language, and analyzed using temporal logic. A portion of the verified code is then used to command the unmanned aircraft, while on the human-piloted craft the protocol takes the form of detailed flight procedures. An overview of the implementation for a June, 2004 flight test is also presented

On Temporal and Separation Logics

International audienceThere exist many success stories about the introduction of logics designed for the formal verification of computer systems. Obviously, the introduction of temporal logics to computer science has been a major step in the development of model-checking techniques. More recently, separation logics extend Hoare logic for reasoning about programs with dynamic data structures, leading to many contributions on theory, tools and applications. In this talk, we illustrate how several features of separation logics, for instance the key concept of separation, are related to similar notions in temporal logics. We provide formal correspondences (when possible) and present an overview of related works from the literature. This is also the opportunity to present bridges between well-known temporal logics and more recent separation logics

Verified Subtyping with Traits and Mixins

Traits allow decomposing programs into smaller parts and mixins are a form of composition that resemble multiple inheritance. Unfortunately, in the presence of traits, programming languages like Scala give up on subtyping relation between objects. In this paper, we present a method to check subtyping between objects based on entailment in separation logic. We implement our method as a domain specific language in Scala and apply it on the Scala standard library. We have verified that 67% of mixins used in the Scala standard library do indeed conform to subtyping between the traits that are used to build them.Comment: In Proceedings FSFMA 2014, arXiv:1407.195

Constructive reverse mathematics : Habilitationsschrift

We give a comprehensive treatment of the area known as constructive reverse mathematics, which aims to classify, over intuitionistic logic, various theorems in intuitionistic, constructive recursive, and classical mathematics. Our work provides an overview of many known results, but also many new results, and new proofs of known results. We cover omniscience principles, Markov’s principle, Brouwer’s fan theorem(s), recursive principles, Ishihara’s boundedness principle BD-N, as well as minor principles, and separation techniques.Diese Arbeit beschäftigt sich mit dem Gebiet der „konstruktiven reversen Mathematik“ („constructive reverse mathematics“), dessen Ziel es ist verschiedene Aussagen aus der intuitionistischen, der rekursiven und der klassischen Mathematik über intuitionistischer Logik zu klassifizieren. Es wird ein Überblick über bekannte Ergebnisse, aber auch viele neue Resultate und neue Beweise gegeben. Unter anderem werden „Allwissenheits“-Prinzipien, Markov’s Prinzip, die Brouwer’schen Fächersätze, Aussagen aus der rekursiven Mathematik und Ishiharas Beschränktheitsprinzip BD-N behandelt

Permission-Based Separation Logic for Multithreaded Java Programs

This paper motivates and presents a program logic for reasoning about multithreaded Java-like programs with concurrency primitives such as dynamic thread creation, thread joining and reentrant object monitors. The logic is based on concurrent separation logic. It is the first detailed adaptation of concurrent separation logic to a multithreaded Java-like language. The program logic associates a unique static access permission with each heap location, ensuring exclusive write accesses and ruling out data races. Concurrent reads are supported through fractional permissions. Permissions can be transferred between threads upon thread starting, thread joining, initial monitor entrancies and final monitor exits.\ud This paper presents the basic principles to reason about thread creation and thread joining. It finishes with an outlook how this logic will evolve into a full-fledged verification technique for Java (and possibly other multithreaded languages)

Digital implementation of the cellular sensor-computers

Two different kinds of cellular sensor-processor architectures are used nowadays in various applications. The first is the traditional sensor-processor architecture, where the sensor and the processor arrays are mapped into each other. The second is the foveal architecture, in which a small active fovea is navigating in a large sensor array. This second architecture is introduced and compared here. Both of these architectures can be implemented with analog and digital processor arrays. The efficiency of the different implementation types, depending on the used CMOS technology, is analyzed. It turned out, that the finer the technology is, the better to use digital implementation rather than analog