Formal Verification of Automatic Circuit Transformations for Fault-Tolerance
Dmitry Burlyaev, Pascal Fradet
09/30/15, Austin, TX, USA @ FMCAD'15

Outline
For a given (fault-tolerance) transformation T, we want to prove a property of the form
$\forall C : \text{circuit},\ \forall i : \text{inputs},\ \forall o : \text{outputs},\quad C\ i \rightarrow o \ \Rightarrow\ T[\![C]\!]\ i \xrightarrow{\text{faulty}} o$
◮ Circuit transformations on syntax
◮ Semantics of circuits
◮ Fault-models described in semantics: bit-flip (SEU), glitch (SET), ...
◮ Case study: our fault-tolerance solution required full confidence
1/28
◮ Gate level HDL
◮ as simple as possible
A combinator language (inspired from Sheeran's µFP, Ruby, ...)
Gate ::= not | and | or                  (logic)
       | id | swap | fork | rsh | lsh     (wiring)
2/28
C ::= Gate | C1 - C2 | [C1, C2] | x − C
[Figure: C1 - C2 (sequential composition), [C1, C2] (parallel composition), x − C (loop closed by a cell holding x); example: x − (swap)]
3/28
Bus B := ω | (B1 ∗ B2)
Gates: not : Gate ω ω;  and, or : Gate (ω ∗ ω) ω
Plugs: ... swap : ∀α β, Plug (α ∗ β) (β ∗ α) ...
4/28
Circuits C ::= ... | C1 - C2 : ∀α β γ, Circ α β → Circ β γ → Circ α γ
               ... | [C1, C2] : ∀α β γ δ, Circ α γ → Circ β δ → Circ (α ∗ β) (γ ∗ δ) ...
5/28
◮ Correct circuits by construction
  ◮ correctly connected (typing)
  ◮ all loops contain a cell (Loop operator)
◮ No variables
  ◮ Simpler semantics (no environment)
◮ We represent the state (FF values) by the circuit itself
  ◮ e.g., (false − swap) true → (true − swap)
6/28
A predicate: step C a b C′
  C - an original circuit; a - an input; b - an output; C′ - resulting state after a cycle
Gates & Plugs:
$\dfrac{[\![G]\!]\,a = b}{\text{step } G\ a\ b\ G}$
Seq:
$\dfrac{\text{step } C_1\ a\ b\ C_1' \qquad \text{step } C_2\ b\ c\ C_2'}{\text{step } (C_1 - C_2)\ a\ c\ (C_1' - C_2')}$
Par:
$\dfrac{\text{step } C_1\ a\ c\ C_1' \qquad \text{step } C_2\ b\ d\ C_2'}{\text{step } [C_1, C_2]\ (a, b)\ (c, d)\ [C_1', C_2']}$
Loop:
$\dfrac{\text{step } C\ (a,\ \text{b2s } x)\ (b, s)\ C' \qquad \text{s2b } s\ y}{\text{step } (x - C)\ a\ b\ (y - C')}$
7/28
As a predicate from Stream to Stream: eval : Circ α β → Stream α → Stream β
Eval:
$\dfrac{\text{step } C\ i\ o\ C' \qquad \text{eval } C'\ is\ os}{\text{eval } C\ (i : is)\ (o : os)}$
If C applied to input i → output o and C′, and if C′ applied to the infinite stream is → stream os, then the evaluation of C with stream (i : is) → stream (o : os).
10/28
SET(1, K):: "at most 1 glitch within K clock cycles"
Signal := 0 | 1 | ✒
◮ Evaluation with glitches is non-deterministic
  ◮ not deterministically latched (as true or false) by cells
  ◮ can be logically masked (e.g., and(0, ✒) = 0, ...)
A predicate: stepg C a b C′
  C - an original circuit; a - an input; b - an output; C′ - possibly corrupted state after a cycle with a glitch at any wire
11/28
Gates:
$\text{stepg } G\ a\ ✒\ G$
SeqL:
$\dfrac{\text{stepg } C_1\ a\ b\ C_1' \qquad \text{step } C_2\ b\ c\ C_2'}{\text{stepg } (C_1 - C_2)\ a\ c\ (C_1' - C_2')}$
SeqR:
$\dfrac{\text{step } C_1\ a\ b\ C_1' \qquad \text{stepg } C_2\ b\ c\ C_2'}{\text{stepg } (C_1 - C_2)\ a\ c\ (C_1' - C_2')}$
LoopC:
$\dfrac{\text{stepg } C\ (a,\ \text{b2s } x)\ (b, s)\ C' \qquad \text{s2b } s\ y}{\text{stepg } (x - C)\ a\ b\ (y - C')}$
LoopM:
$\dfrac{\text{step } C\ (a,\ ✒)\ (b, s)\ C' \qquad \text{s2b } s\ y}{\text{stepg } (x - C)\ a\ b\ (y - C')}$
12/28
SET(1, K):: "at most 1 glitch within K clock cycles"
As a predicate from Stream to Stream with a counter
SetG:
$\dfrac{\text{stepg } C\ i\ o\ C' \qquad \text{setk eval } (K - 1)\ C'\ is\ os}{\text{setk eval } 0\ C\ (i : is)\ (o : os)}$
SetN:
$\dfrac{\text{step } C\ i\ o\ C' \qquad \text{setk eval } (n - 1)\ C'\ is\ os}{\text{setk eval } n\ C\ (i : is)\ (o : os)}$
13/28
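As an added illustration (this is not the authors' Coq development), a small Python model of the lddl combinators and of the step, stepg and SET(1, K) rules from slides 7 to 13. The tuple encoding of circuits, the function names (step, stepg, setk_eval, b2s, s2b), the glitch cases for parallel composition and the orientation of rsh/lsh are this example's own assumptions.

```python
# Added example, not the authors' Coq development: an executable model of the lddl
# semantics (step), the single-glitch step (stepg) and the SET(1,K) predicate (setk_eval).
G = "glitch"  # the ✒ signal value: neither 0 nor 1 until a cell latches it
def g_not(a): return G if a == G else 1 - a
def g_and(a, b): return 0 if 0 in (a, b) else (G if G in (a, b) else 1)  # and(0, ✒) = 0: masking
def g_or(a, b): return 1 if 1 in (a, b) else (G if G in (a, b) else 0)
GATES = {"not": g_not, "and": lambda p: g_and(*p), "or": lambda p: g_or(*p)}
PLUGS = {"id": lambda a: a, "swap": lambda p: (p[1], p[0]), "fork": lambda a: (a, a),
         # rsh/lsh re-associate a bus; this orientation is an assumption of the example
         "rsh": lambda p: (p[0][0], (p[0][1], p[1])), "lsh": lambda p: ((p[0], p[1][0]), p[1][1])}
def b2s(x): return 1 if x else 0  # cell value -> wire
def s2b(s): return [False, True] if s == G else [bool(s)]  # wire -> cell: a glitch may latch either way
# Circuits: ("gate", name) | ("plug", name) | ("seq", C1, C2) | ("par", C1, C2)
# | ("loop", x, C): cell value x around C, so the state (FF values) is the circuit itself.
def step(c, a):
    """One cycle (rules Gates&Plugs, Seq, Par, Loop): all (output, next circuit) pairs."""
    if c[0] == "gate": return [(GATES[c[1]](a), c)]
    if c[0] == "plug": return [(PLUGS[c[1]](a), c)]
    if c[0] == "seq":
        return [(d, ("seq", c1, c2)) for b, c1 in step(c[1], a) for d, c2 in step(c[2], b)]
    if c[0] == "par":
        return [((b, d), ("par", c1, c2)) for b, c1 in step(c[1], a[0]) for d, c2 in step(c[2], a[1])]
    x, body = c[1], c[2]
    return [(b, ("loop", y, body2)) for (b, s), body2 in step(body, (a, b2s(x))) for y in s2b(s)]
def stepg(c, a):
    """One cycle with exactly one glitch: at a gate output (Gates), in either half of a seq (SeqL/SeqR),
    in a loop body (LoopC) or at the cell output (LoopM); the Par cases are assumed by analogy with Seq."""
    if c[0] == "gate": return [(G, c)]
    if c[0] == "plug": return []  # pure wiring: the glitch hits a gate or a cell instead
    if c[0] == "seq":
        return ([(d, ("seq", c1, c2)) for b, c1 in stepg(c[1], a) for d, c2 in step(c[2], b)]
                + [(d, ("seq", c1, c2)) for b, c1 in step(c[1], a) for d, c2 in stepg(c[2], b)])
    if c[0] == "par":
        return ([((b, d), ("par", c1, c2)) for b, c1 in stepg(c[1], a[0]) for d, c2 in step(c[2], a[1])]
                + [((b, d), ("par", c1, c2)) for b, c1 in step(c[1], a[0]) for d, c2 in stepg(c[2], a[1])])
    x, body = c[1], c[2]
    cases = stepg(body, (a, b2s(x))) + step(body, (a, G))  # LoopC + LoopM
    return [(b, ("loop", y, body2)) for (b, s), body2 in cases for y in s2b(s)]
def setk_eval(c, inputs, K, n=0):
    """Output sequences of c on a finite input list under SET(1,K): a glitch step only when the counter
    n is 0, resetting it to K-1 (SetG); a normal step decrements n, saturating at 0 (SetN)."""
    if not inputs: return {()}
    i, rest = inputs[0], inputs[1:]
    outs = {(o,) + os for o, c2 in step(c, i) for os in setk_eval(c2, rest, K, max(n - 1, 0))}
    if n == 0:
        outs |= {(o,) + os for o, c2 in stepg(c, i) for os in setk_eval(c2, rest, K, K - 1)}
    return outs
# Constructed circuits: DELAY is the slide's (x − swap) cell; TOGGLE outputs its cell and stores not(input).
DELAY = ("loop", False, ("plug", "swap"))
TOGGLE = ("loop", False, ("seq", ("plug", "swap"), ("par", ("plug", "id"), ("gate", "not"))))
```

Calling setk_eval with n = len(inputs) never takes a SetG step and so yields the single glitch-free Eval stream; with n = 0 it enumerates every output stream reachable under at most one glitch per K cycles, including the two successor states a glitch latched by a cell produces.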
14/28
*in FPGA'15
[Figure: DTR principle animation: a chain of FF cells (init:C) with input x, output y, control signals ctr1, ctr2, and internal signals d1, d2, d3, v1, v2, keep1, keep2, m1, m2; successive frames show input values a1, a2, a3, b1, b2, b3, c1, c2, c3 propagating through the cells, each value latched twice and compared (=1 / =0)]
15/28
◮ only double-time redundancy for error detection
◮ micro checkpointing-rollback
◮ speed-up mode (switching-off time-redundancy)
◮ input/output buffers (input/output transparency)
◮ tolerance to at most one SET in 10 clock cycles
◮ 1.9-2.5 smaller than TMR (with double throughput loss)
16/28
Original circuit → Transformed DTR circuit
[Figure: original circuit = Sequential Part (FF cells D/Q, ini:C2, clk, si/so) + Combinational Part (CI, CO, PI, PO, SI, SO); transformed DTR circuit adds a Memory Block (si, so, s, r, f, fail, save, rollBack, subst), a Control Block (save, rollBack, fail, subst), Input Buffers (rB) and Output Buffers (save, rB, s), with ports ci, co, pi, po, si, so]
1) Memory Cell ← Memory Block
2) Control Block Introduction
3) Input stream upsampling x2
4) Input/Output Buffers Insertion
[TO PROVE]: output correctness with SET(1, 10)
17/28
[Figure: DTR memory block: cells r, r′ (with enable E), m, m′; inputs si, save, rollBack, fail; output so; internal wires sA, sB, siA, siB, sC, sD, dA, dB, dC, dA′, dB′, mu; muxA, muxB and an EQ comparator (≠ drives fail)]
19/28
[Figure: DTR input buffer: cells b, b′; signals ci, pi, rB]
20/28
[Figure: DTR output buffer: cells p, p′; signals co, poA, poB, poC, cA, cB, cC, save, rollBack, fail, subst, sub; muxA, muxB, muxC, muxD and an EQ comparator (≠ drives fail)]
21/28
DTR transformation is expressed
For any glitch at any wire, the I/O behavior stays the same & correct:
$\text{eval } C_0\ i\ o \ \wedge\ \text{set10 eval } \text{dtr}(C_0)\ (\text{upsampl } i)\ oo \ \Rightarrow$
◮ upsampl:: DTR input stream is the original stream i with twice repeated bits
◮ outDTR:: correctness property of DTR outputs
22/28
[Figure: DTR timeline over successive cycles: original circuit states C0, C1, C2, C3, C4 on inputs a, b, c, d; transformed circuit states T, T′ alternating every cycle; Dtrs0 and Dtrs1 relate the original and transformed states at even and odd cycles]
$\text{Dtrs0}\ (\text{ibs0 } a)\ (\text{obs0 } o\ o')\ C_0\ C_1\ C^T_1 \Rightarrow \text{step } C_1\ b\ t_1\ C_2 \Rightarrow \text{step } C^T_1\ b\ t'_1\ C'^T_1 \Rightarrow t'_1 = (o, o, o') \wedge \text{Dtrs1}\ (\text{ibs1 } b\ a)\ (\text{obs1 } t_1\ o)\ C_0\ C_1\ C_2\ C'^T_1$
Lemma:
$\text{Dtrs1}\ (\text{ibs1 } b\ a)\ (\text{obs1 } t_1\ o)\ C_0\ C_1\ C_2\ C'^T_1 \Rightarrow \text{step } C_1\ b\ t_1\ C_2 \Rightarrow \text{step } C'^T_1\ b\ t''_1\ C^T_2 \Rightarrow t''_1 = (o, o, o) \wedge \text{Dtrs0}\ (\text{ibs0 } b)\ (\text{obs0 } t_1\ o)\ C_1\ C_2\ C^T_2$
23/28
[Figure: corruption timeline: one stepg cycle followed by normal step cycles; original states C0 ... C5 and transformed states T, T′ on inputs a, b; Dtrs0, Dtrs1, Dtr1rr′ and Dtr0r′ label the relations holding at each cycle]
◮ 15 different corruption cases
◮ Dtr1rr′ describes one of the corruption cases
◮ Within 10 cycles returns to a correct state: Dtrs0 → Dtr1rr′ → Dtr0r′ → Dtr1r′ → Dtrs0
$\text{Dtr1rr}'\ (\text{ibs1 } b\ a)\ (\text{obs1 } t_1\ o)\ C_0\ C_1\ C_2\ C'^T_1 \Rightarrow \text{step } C_1\ b\ t_2\ C_2 \Rightarrow \text{step } C'^T_1\ b\ t''_2\ C^T_2 \Rightarrow t''_2 = (o, o, o) \wedge \text{Dtr0r}'\ (\text{ibs0 } b)\ (\text{obs0 } t_2\ t_1)\ C_1\ C_2\ C^T_2$
24/28
25/28
◮ Automatic DTR transformation:
  ◮ formalized on the syntax of lddl
  ◮ formally proven in Coq proof assistant
  ◮ by simple inductions: on syntax, on types, on streams (co-induction)
26/28
◮ lddl language: syntax, semantics
◮ Coq benefits:
  ◮ dependent types → circuits well-formedness
  ◮ reflection replaces some proofs with computation
◮ Future work:
  ◮ good to have better automation with tactics
  ◮ proof of other fault-tolerance techniques
27/28
dmitry.burlyaev @ inria.fr pascal.fradet @ inria.fr
28/28