
Mechanical Verification of Timed Automata




Presentation Transcript


  1. Mechanical Verification of Timed Automata Myla Archer and Constance Heitmeyer Presented by Rasa Bonyadlou 24 October 2002

  2. Overview • The main work of the paper • Background • Definition of GRC • Timed automata • Timed executions and reachability • Invariants and simulation mappings • PVS • Three theories underlie the timed automata model • Template for defining a timed automata model in PVS • Hand proof and PVS proof • Conclusion and critique • References

  3. The main work of the paper • The paper reports the results of a case study on the feasibility of developing and applying mechanical methods, based on PVS, to prove properties of real-time systems. • It shows how a mechanical proof system can support formal reasoning about real-time systems using a specific mathematical model (timed automata).

  4. Background • Definition of the Generalized Railroad Crossing • Timed automata • Timed executions and reachability • Invariants and simulation mappings • PVS

  5. The GRC Problem (1) • A benchmark for comparing formal methods. • The system to be developed operates a gate at a railroad crossing. • The railroad crossing I lies in a region R, I ⊆ R. • A sensor system determines when each train enters and exits region R. • Gate function: g(t) ∈ [0, 90] (0 = down, 90 = up). • Sequence of occupancy intervals {λi}: each occupancy interval is a maximal time interval during which one or more trains are in I.

  6. The GRC problem (2) • Develop a system to operate the crossing gate that satisfies the following two properties: • Safety property: the gate is down during all occupancy intervals: t ∈ ⋃i λi ⇒ g(t) = 0 • Utility property: the gate is up when no train is in I: t ∉ ⋃i [τi − ξ1, νi + ξ2] ⇒ g(t) = 90 • where ξ1 and ξ2 are two positive constants, τi is the time of the ith entry of a train into the crossing when no other train is in the crossing, and νi is the first time after τi at which no train is in the crossing.
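The two properties on slide 6 are stated over a continuous gate function and a union of intervals, which is easy to misread. The following Python is an added example, not part of the slides or of the Heitmeyer and Lynch paper: it builds the maximal occupancy intervals λi = [τi, νi] from per-train stays in I, then tests a concrete gate schedule against the safety and utility properties on a time grid. The train times, the two gate schedules, ξ1 and ξ2, and the names `occupancy_intervals`, `gate_at` and `violations` are all constructed for this example.

```python
# Constructed values (not from the paper): times are in arbitrary units.
XI1, XI2 = 1.0, 2.0                      # the two positive constants of the utility property

# Each train's stay in the crossing I as (entry time, exit time); trains may overlap.
TRAINS = [(3.0, 5.0), (4.0, 6.5), (10.0, 11.0)]

# Gate schedule: (time from which the angle applies, angle); 0 = down, 90 = up.
GOOD_GATE = [(0.0, 90), (2.0, 0), (8.5, 90), (9.0, 0), (13.0, 90)]
LATE_GATE = [(0.0, 90), (3.5, 0), (8.5, 90), (9.0, 0), (13.0, 90)]   # lowers the gate too late


def occupancy_intervals(trains):
    """Merge overlapping stays into the maximal occupancy intervals lambda_i = [tau_i, nu_i]:
    tau_i is an entry when no other train is in I, nu_i the first later time I is empty."""
    merged = []
    for entry, leave in sorted(trains):
        if merged and entry <= merged[-1][1]:      # I still occupied: extend current interval
            merged[-1][1] = max(merged[-1][1], leave)
        else:
            merged.append([entry, leave])
    return [(a, b) for a, b in merged]


def gate_at(schedule, t):
    """g(t): piecewise-constant gate angle, taken from the last schedule entry at or before t."""
    angle = schedule[0][1]
    for start, a in schedule:
        if start <= t:
            angle = a
    return angle


def violations(trains, schedule, horizon, step=0.25):
    """Sample t on a grid and report every (property, t, g(t)) where a property fails.
    A grid check tests one concrete schedule; it is not a proof over all t."""
    lam = occupancy_intervals(trains)
    bad = []
    for k in range(int(horizon / step) + 1):
        t = k * step
        g = gate_at(schedule, t)
        occupied = any(tau <= t <= nu for tau, nu in lam)            # t in U_i lambda_i
        near = any(tau - XI1 <= t <= nu + XI2 for tau, nu in lam)    # t in U_i [tau_i - xi1, nu_i + xi2]
        if occupied and g != 0:
            bad.append(("safety", t, g))
        if not near and g != 90:
            bad.append(("utility", t, g))
    return bad


if __name__ == "__main__":
    print(occupancy_intervals(TRAINS))             # [(3.0, 6.5), (10.0, 11.0)]
    print("good:", violations(TRAINS, GOOD_GATE, 15.0))
    print("late:", violations(TRAINS, LATE_GATE, 15.0))
```

The merge step is where the definition of τi and νi matters: two trains whose stays overlap produce one occupancy interval, so the safety obligation runs from the first entry to the last exit. The second schedule shows the kind of counterexample a checker reports when the gate starts closing after the first train has already entered I.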

  7. The timed automata model • States(A) is a (finite or infinite) set of states. • Start(A) ⊆ States(A) is a nonempty (finite or infinite) set of start states. • A mapping from States(A) to R+ (the nonnegative reals) gives the current time of each state. • Acts(A) is a set of actions (events), which includes special time passage actions ν(Δt), where Δt ∈ R+, and non-time-passage actions, classified as input and output actions. • Steps(A): States(A) × Acts(A) → States(A) is a partial function that defines the possible steps (transitions).

  8. Timed executions and reachability • A trajectory is either a single state or a continuous series of states connected by time passage events. • A timed execution fragment is a finite or infinite alternating sequence α = ω0 π1 ω1 π2 ω2 … where each ωj is a trajectory and each πj is a non-time-passage action that "connects" the final state s of the preceding trajectory ωj−1 with the initial state s' of the following trajectory ωj. • A state of a timed automaton is defined to be reachable if it is the final state of the final trajectory in some finite timed execution of the automaton.

  9. Invariants and simulation mappings • An invariant of a timed automaton is any property that is true of every reachable state, i.e. true of some set of states that contains all the reachable states. • A simulation mapping relates the states of one timed automaton A to the states of another timed automaton B in such a way that the actions and their timings in admissible timed executions correspond. • A timed execution is admissible if the total amount of time that passes in it is infinite.

  10. PVS • A verification system. • The system consists of a specification language, a parser, a type checker and a proof checker. • The PVS prover consists of a collection of inference steps that can be used to reduce a proof goal to simpler subgoals. • The PVS specification language is a higher-order logic with a rich type system, so many semantic errors in a specification can be caught by the type checker.

  11. The main work of the paper • Background • Definition of GRC • Timed automata • Timed executions and reachability • Invariants and simulation mappings • PVS • Three theories underlie the timed automata model • Template for defining a timed automata model in PVS • Hand proof and PVS proof • Conclusion and critique • References

  12. Underlying theories • Timed automata are specified in PVS using a template that defines a set of underlying theories and provides a standard framework, with standard names and definitions, for each specification. • Three underlying theories are shared by all timed automata specifications: machine, states and time-thy.

  13. Theory machine • Purpose: defines the meaning of mathematical induction in the context of the timed automata model. • Parameters: states, actions, enabled, trans, start. • Body: describes six predicates used to define the induction principle: Inv, reachable-hidden, reachable, base, inductstep, inductthm.

  14. Theory states • Purpose: defines a standard record structure and standard temporal information for the states of an automaton. • Parameters: actions, MMT states, time, fin-pred (a predicate that is true if its argument, a time value, is finite). • Body: defines the record structure of a state.

  15. Theory time-thy • Purpose: the theory time-thy contains the definitions of the standard arithmetic operations and predicates on time values.

  16. Introduction • Background • Three theories underlie the timed automata model • Template for defining a timed automata model in PVS • Hand proof and PVS proof • Conclusion and critique • References

  17. A timed automata model template • The template imports appropriate instantiations of the fixed theories time-thy, states and machine. • The template is instantiated by filling in the missing parts and adding any further definitions that are needed.

  18. Instantiating the template • We use the template to specify in PVS the timed automaton Trains, a component of the timed automata solution of the GRC problem. • Trains: the timed automaton Trains has no input actions and three output actions for each train r: enter R(r), enter I(r) and exit(r), plus the time passage action ν(Δt).

  19. States and transitions of Trains • The states component describes where each train is. • Each train's state includes a current time component now, and first and last components for each action. • s denotes the state before an event occurs and s' the state afterwards. • An event cannot happen before its first time, and time cannot pass beyond any last time.
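To make the machine theory of slide 13 and the Trains state structure of slides 18 and 19 concrete, here is an added Python example (not the paper's PVS text and not the authors' code). It models a single train as an MMT-style automaton with `now`, `first` and `last` per action, and then tests the three predicates of the induction principle, `base`, `inductstep` and (as `check`) `inductthm`, against two candidate invariants. The bounds `EPS1`/`EPS2` on the time between entering R and entering I, the three statuses, the sampling strategy and all function names are assumptions for this example; PVS proves the inductive step for every state, whereas this code only checks it on sampled executions, so it illustrates the predicates rather than replacing the proof.

```python
import math
import random
from dataclasses import dataclass, replace

EPS1, EPS2 = 2.0, 5.0          # assumed: min/max time between enter_R and enter_I
ACTIONS = ("enter_R", "enter_I", "exit")


@dataclass(frozen=True)
class State:
    now: float        # current time
    status: str       # "not_here" | "P" (in R, not yet in I) | "I"
    first: tuple      # earliest time each action may occur, indexed like ACTIONS
    last: tuple       # latest time by which each action must occur (inf = no deadline)


def idx(a):
    return ACTIONS.index(a)


START = State(0.0, "not_here", (0.0, 0.0, 0.0), (math.inf, math.inf, math.inf))


def enabled(a, s):
    """Precondition of a discrete action: right status, and its first time has been reached."""
    required = {"enter_R": "not_here", "enter_I": "P", "exit": "I"}[a]
    return s.status == required and s.first[idx(a)] <= s.now


def trans(a, s, dt=0.0):
    """Effect of one step; 'nu' is time passage nu(dt): now advances but may not pass any last time."""
    first, last = list(s.first), list(s.last)
    if a == "nu":
        assert 0 <= dt and s.now + dt <= min(last), "time cannot pass beyond a last time"
        return replace(s, now=s.now + dt)
    if a == "enter_R":          # the train must reach I within [EPS1, EPS2] from now
        first[idx("enter_I")] = s.now + EPS1
        last[idx("enter_I")] = s.now + EPS2
        return State(s.now, "P", tuple(first), tuple(last))
    if a == "enter_I":          # deadline discharged
        first[idx("enter_I")], last[idx("enter_I")] = 0.0, math.inf
        return State(s.now, "I", tuple(first), tuple(last))
    if a == "exit":
        return replace(s, status="not_here")
    raise ValueError(a)


def successors(s):
    """Every enabled discrete step plus a few time-passage steps, including the
    maximal one that advances now exactly to the nearest last time."""
    out = [(a, trans(a, s)) for a in ACTIONS if enabled(a, s)]
    budget = min(s.last) - s.now
    for dt in (0.5, 1.0, 7.0 if budget == math.inf else budget):
        if 0.0 <= dt <= budget:
            out.append((("nu", dt), trans("nu", s, dt)))
    return out


def inv_deadlines(s):
    """Inv: now never passes a last time, and every [first, last] window is well formed."""
    return all(s.now <= l and f <= l for f, l in zip(s.first, s.last))


def inv_strict(s):
    """Candidate that is NOT inductive: the strict '<' fails the moment time
    passes exactly to the enter_I deadline."""
    return s.status != "P" or s.now < s.last[idx("enter_I")]


def base(inv):
    """base: Inv holds in every start state (here the single START)."""
    return inv(START)


def inductstep(inv, samples):
    """inductstep: Inv(s) and an enabled step s -> t imply Inv(t).
    Returns None if no sampled step breaks this, else the offending (s, step)."""
    for s in samples:
        if not inv(s):
            continue
        for step, t in successors(s):
            if not inv(t):
                return s, step
    return None


def sample_states(n_paths, seed=0):
    """Constructed sample: states on random bounded-length executions from START."""
    rng = random.Random(seed)
    seen = {START}
    for _ in range(n_paths):
        s = START
        for _ in range(rng.randint(1, 8)):
            _, s = rng.choice(successors(s))
            seen.add(s)
    return seen


def check(inv, n_paths=200):
    """inductthm, in test form: base and inductstep together justify Inv on the
    reachable states.  PVS proves the step for every state; this only samples."""
    return base(inv) and inductstep(inv, sample_states(n_paths)) is None
```

The point of `inv_strict` is the one a hand proof tends to gloss over: the time passage action is allowed to advance `now` exactly to a `last` time, so an invariant that is true on every sampled path can still fail the inductive step at that boundary. Including the maximal ν(Δt) among the successors is what exposes it, and it is the same boundary case a PVS proof of `inductstep` has to discharge explicitly.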

  20. Introduction • Background • Three theories underlie the timed automata model • Template for defining a timed automata model in PVS • Hand proof and PVS proof • Conclusion and critique • References

  21. Proof of the induction principle • A systematic method for translating a hand proof into a PVS proof maps short proof steps to particular PVS rules or strategies. • Examples: • Unfold a definition: EXPAND • "Let …" or "choose …": SKOLEM • Apply a quantified formula: INST • Set up an induction: INDUCT

  22. Proof of the induction principle

  23. Proof of the induction principle • The parts of a hand proof that require human insight when translating it into a PVS proof are those associated with induction: • determining exactly what to prove by induction; • establishing that the inductive assertion is enough to obtain the proof.

  24. Summary of results • Using template specifications • Patterns in timed automaton proofs • Patterns in using PVS

  25. Using template specifications • Using the template to create the formal specification of a mathematical model reduces the required effort: • The basic theories and lemmas are already specified, so the amount that remains to be specified for a particular model is reduced. • The conventions regarding names, types and definitions of the missing parts eliminate many decisions otherwise required in specifying a particular model; the specifier needs only to fill in the missing parts.

  26. Patterns in timed automaton proofs • The approach to analysing proofs in the timed automaton domain is: • create the small-step proofs, optimize them, and find patterns that can be translated into PVS strategies. • When a hand proof does not supply enough detail, a heuristic strategy is needed to turn it into a PVS strategy.

  27. Patterns in using PVS • The approach to PVS proofs of timed automaton properties is to follow a hand proof as closely as possible. • To keep track of the correspondence between a hand proof and a PVS proof, inserting comments into the PVS proof can be helpful.

  28. Conclusion and critique • An automatic theorem prover can be feasible for software developers. • PVS strategies reduce the human interaction with the theorem prover needed to obtain a proof. • Critique: the paper gives too little explanation and too few examples.

  29. References • C. Heitmeyer and N. Lynch. The Generalized Railroad Crossing: A case study in formal verification of real-time systems. • C. L. Heitmeyer, R. D. Jeffords, and B. G. Labaw. A benchmark for comparing different approaches for specifying and verifying real-time systems. • R. Alur and D. L. Dill. A theory of timed automata.
