Mechanical Verification of Timed Automata. Myla Archer and Constance Heitmeyer. Presented by Rasa Bonyadlou, 24 October 2002.
Overview • The main work of the paper • Background • Definition of the GRC • Timed automata • Timed executions and reachability • Invariants and simulation mappings • PVS • Three theories underlying the timed automata model • Template for defining a timed automata model in PVS • Hand proof and PVS proof • Conclusion and critique • References
The main work of the paper • The paper reports the results of a case study on the feasibility of developing and applying mechanical methods, based on PVS, to prove propositions about real-time systems. • It shows how a mechanical proof system can support formal reasoning about real-time systems using a specific mathematical model (timed automata).
Background • Definition of the Generalized Railroad Crossing • Timed automata • Timed executions and reachability • Invariants and simulation mappings • PVS
The GRC Problem (1) • A benchmark for comparing formal methods. • The system to be developed operates a gate at a railroad crossing. • The railroad crossing I lies within a larger region R, I ⊂ R. • A sensor system determines when each train enters and exits region R. • Gate function: g(t) ∈ [0, 90] (0 = down, 90 = up). • Sequence of occupancy intervals {λi}: each occupancy interval is a maximal time interval during which one or more trains are in I.
The GRC problem (2) • Develop a system to operate the crossing gate that satisfies the following two properties: • Safety property: the gate is down during all occupancy intervals: ∀t ∈ ∪i λi : g(t) = 0 • Utility property: the gate is up when no train is in I: ∀t ∉ ∪i [τi − ξ1, νi + ξ2] : g(t) = 90 • where ξ1 and ξ2 are two positive constants, τi is the time of the ith entry of a train into the crossing when no other train is in the crossing, and νi is the first time after that entry at which no train is in the crossing.
The timed automata model • states(A) is a (finite or infinite) set of states. • start(A) ⊆ states(A) is a nonempty (finite or infinite) set of start states. • A mapping from states(A) to R+ (the nonnegative reals). • acts(A) is a set of actions (events), which includes the special time-passage actions ν(Δt), where Δt ∈ R+, and the non-time-passage actions, classified as input and output actions. • steps(A): states(A) × acts(A) → states(A) is a partial function that defines the possible steps (transitions).
Timed executions and reachability • A trajectory is either a single state or a continuous series of states connected by time-passage events. • A timed execution fragment is a finite or infinite alternating sequence α = ω0 π1 ω1 π2 ω2 …, where each ωj is a trajectory and each πj is a non-time-passage action that “connects” the final state s of the preceding trajectory ωj−1 with the initial state s′ of the following trajectory ωj. • A state of a timed automaton is defined to be reachable if it is the final state of the final trajectory in some finite timed execution of the automaton.
Invariants and simulation mappings • An invariant of a timed automaton is any property that is true of some set of states containing all the reachable states (hence true in every reachable state). • A simulation mapping relates the states of one timed automaton A to the states of another timed automaton B in such a way that the actions and their timings in admissible timed executions correspond. • A timed execution is admissible if the total amount of time passage is infinite.
PVS • A verification system. • The system consists of a specification language, a parser, a type checker and a proof checker. • The PVS prover consists of a collection of inference steps that can be used to reduce a proof goal to simpler subgoals. • The PVS specification language is a higher-order logic with a rich type system, so many semantic errors in a specification can be caught by the type checker.
Underlying theories • Timed automata are specified in PVS using a template that defines a set of underlying theories and provides a standard framework, with standard names and definitions, for each specification. • Three underlying theories are shared by all timed automata specifications: machine, states and time-thy.
The theory machine • Purpose: defines the meaning of mathematical induction in the context of the timed automata model. • Parameters: states, actions, enabled, trans, start. • Body: describes the six predicates used to define the induction principle: Inv, reachable-hidden, reachable, base, inductstep, inductthm.
The theory states • Purpose: defines a standard record structure and standard temporal information for the states of an automaton. • Parameters: actions, MMTstates, time, fin-pred (a predicate that is true if its argument, a time value, is finite). • Body: defines the record structure of a state.
The theory time-thy • Purpose: contains the definitions of the standard arithmetic operations and predicates for time values.
A timed automata model template • The template imports appropriate instantiations of the fixed theories time-thy, states and machine. • The template is instantiated by filling in the missing parts and adding any further definitions the model needs.
Instantiating the template • The template is used to specify in PVS the timed automaton Trains, a component of the timed automata solution of the GRC problem. • Trains has no input actions; it has three output actions, enter R(r), enter I(r) and exit(r), for each train r, plus the time-passage action ν(Δt).
States and transitions of Trains • The state component describes where each train is. • Each train's state includes a current time component now, and a first and a last component for each action. • s denotes the state before an event occurs and s′ the state afterwards. • An event cannot happen before its first time, and time cannot pass beyond any last time.
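As an added illustration (not code from the paper or its PVS theories), the Python model below replays a timed execution of one train in the Trains automaton using the MMT-style state just described: a current time now plus first/last bounds for each pending action, with time passage refused beyond any last time and actions refused before their first time. The delay bounds (5 to 10 units from enter R to enter I, 1 to 3 units inside I) are assumed for the example.

```python
# Assumed delay bounds (not from the paper): action -> (first, last) offset
# from the moment the previous action occurred.
DELAYS = {"enter_I": (5.0, 10.0), "exit": (1.0, 3.0)}

def start_state() -> dict:
    """Start state: time 0, train not yet in R, no pending action bounds."""
    return {"now": 0.0, "loc": "not_here", "first": {}, "last": {}}

def enabled(s: dict, act: str) -> bool:
    """A non-time-passage action is enabled when the train is in the right
    place and the action's `first` bound has been reached."""
    place = {"enter_R": "not_here", "enter_I": "in_R", "exit": "in_I"}
    return s["loc"] == place[act] and s["first"].get(act, 0.0) <= s["now"]

def time_passage(s: dict, dt: float) -> dict:
    """nu(dt): time may pass only if it does not move beyond any `last` bound."""
    if dt < 0:
        raise ValueError("negative time passage")
    new_now = s["now"] + dt
    if any(new_now > last for last in s["last"].values()):
        raise ValueError(f"time passage to {new_now} exceeds a last time")
    return {**s, "now": new_now}

def step(s: dict, act: str) -> dict:
    """Transition s -> s' on an output action; sets bounds for the next action."""
    if not enabled(s, act):
        raise ValueError(f"{act} not enabled at time {s['now']}")
    next_loc = {"enter_R": "in_R", "enter_I": "in_I", "exit": "not_here"}[act]
    next_act = {"enter_R": "enter_I", "enter_I": "exit", "exit": None}[act]
    first, last = {}, {}
    if next_act:
        lo, hi = DELAYS[next_act]
        first, last = {next_act: s["now"] + lo}, {next_act: s["now"] + hi}
    return {"now": s["now"], "loc": next_loc, "first": first, "last": last}

def run(fragment: list) -> list:
    """Replay a timed execution fragment given as alternating time passages
    (numbers) and actions (strings); returns every state visited."""
    states = [start_state()]
    for item in fragment:
        s = states[-1]
        states.append(time_passage(s, item) if isinstance(item, (int, float)) else step(s, item))
    return states

def holds_invariantly(fragment: list, inv) -> bool:
    """Check a candidate invariant in every state reached along one execution."""
    return all(inv(s) for s in run(fragment))

# Constructed execution: enter R at time 0, enter I 7 units later, exit 2 units after that.
VALID = ["enter_R", 7.0, "enter_I", 2.0, "exit"]
```

Replaying VALID ends with the train out of the crossing at time 9; a fragment that lets 11 units pass after enter R, or fires enter I after only 3 units, is rejected because it violates a last or first bound.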
Proof of the induction principle • A systematic method for translating a hand proof into a PVS proof maps short proof steps to particular PVS rules or strategies. • Examples: • Unfolding a definition: EXPAND • “Let…” or “choose…”: SKOLEM • Applying a quantified formula: INST • Setting up an induction: INDUCT
Proof of the induction principle • The parts of a hand proof that still require human knowledge when translated into a PVS proof are those associated with induction: • Determining exactly what to prove by induction. • Establishing that the inductive assertion is enough to obtain the proof.
Summary of results • Using template specification • Patterns in timed automaton model proofs • Patterns in using PVS
Using template specification • Using the template to create the formal specification of a mathematical model reduces the required effort: • The basic theories and lemmas are already specified, so the amount that remains to be specified for a particular model is reduced. • The existing conventions for the names, types and definitions of the missing parts eliminate many decisions otherwise required in specifying a particular model; the specifier needs only to fill in the missing parts.
Patterns in timed automaton proofs • The approach to analyzing proofs in the timed automata domain is to: • Create small-step proofs, optimize them, and find patterns that can be translated into PVS strategies. • When a hand proof does not supply enough detail, apply a heuristic strategy to turn it into a PVS strategy.
Patterns in using PVS • The approach to PVS proofs about timed automata is to follow the hand proof as closely as possible. • To keep track of the correspondence between a hand proof and its PVS proof, inserting comments in the PVS proof can be helpful.
Conclusion and critique • An automatic theorem prover can be feasible for software developers. • PVS strategies reduce the human interaction with the theorem prover needed to obtain a proof. • Critique: the paper offers too little explanation and too few examples.