Section: Software

A model of Signal in Coq

Participant : Jean-Pierre Talpin.

The verification of a reactive system is usually done by elaborating a discrete model of the system specified in a dedicated formalism and then by checking a property against the model. The use of formal proof systems enables to prove hybrid properties about infinite state systems : the correctness and the completeness of a reactive system. To this aim, the Espresso project-team has developed a complete model of the Signal design language in Coq [40] . More precisely, we have defined a translation scheme of the trace semantics of Signal to the logical framework of Coq. We have conducted several case studies to demonstrate the applicability of the approach to resolve sophisticated verification problems: a complete model and proof of the well-known steam-boiler problem [37] , the correctness of an implementation of a Signal protocol for loosely timed-triggered architectures [36] . Such a proof, of course, cannot always be done automatically: it requires human-interaction to direct the proof strategy. The prover can nonetheless automate its most tedious and mechanical parts. In general, formal proofs of programs are difficult and time-consuming. In the particular case of modeling a reactive system using Signal, experience however shows that this difficulty is significantly reduced thanks to the combined declarative style of programming and a relational style of modeling.