Embed Size (px)
Citation preview
1
Mechanical Verification of Timed Automata
Myla Archer and Constance Heitmeyer
Presented by
Rasa Bonyadlou
24 October 2002
2
Overview• The main work on the paper• Background
– Definition of GRC
– Timed automata
– Time executions and reach ability
– Invariants and simulation mapping
– PVS
• Three theories underlie the timed automata model• Template for defending timed automata model in PVS• Hand proof and PVS proof • Conclusion and critics • References
3
The main work on the paper
• The paper reports the results of a case study on the feasibility of developing and applying mechanical methods, based on PVS to prove propositions about real-time systems.
• How a mechanical proof system can support formal reasoning about real time systems using a specific mathematical model.
4
Background
• Definition of Generalized Railroad Crossing
• Timed automata
• Time executions and reach ability
• Invariants and simulation mapping
• PVS
5
The GRC Problem (1)• A benchmark for comparing formal methods.
• The system to be developed operates a gate at a railroad crossing.
• The railroad crossing I lines in a region of R, IR
• A sensor system determines when each train enters and exits region R.
• Gate function: g(t) [0,90]
• Sequence of occupancy intervals {λi}: each occupancy interval is a maximum time interval during which one or more trains are in I .
6
The GRC problem (2)
• Develop a system to operate the crossing gate that satisfies the following two properties :
• Safety property : the gate is down during all occupancy intervals.– t € Ui λi g(t)=0
• Utility property :gate is up when no train is in I.– t Ui[I- 1, I+ 2] g(t)=90– Where 1 and 2 two positive constants. I is the time of ith entry of a train into the crossing when no
other train is in the crossing and I is the first time that no train is in the crossing
7
The timed automata model• States (A) is a (finite or infinite) sets of states• Start (A) States (A) is a nonempty (finite or infinite)
set of start states.• A mapping from states (A) to R+(nonnegative numbers)• Acts (A) is a set of actions (events), which include
special time passage actions ν(Δt), where, Δt is a R+, and non-time-passage actions, classified as input and output actions.
• Steps (A):states (A) acts(A) states(A) is a partial function that defines the possible steps (transitions)
8
Timed execution and reachability
• A trajectory is either a single state or a continuous series of states connected by time passage events.
• A timed execution fragment is a finite or infinite alternating sequence α=ω0π1ω1π2ω2 where each ωj is a trajectory and each πj is a non-time-passage action that “connects” the final state ѕ of the preceding trajectory ωj-1with the initial state S`of the following trajectory ωj.
• A state of timed automata is define to be reachable, if it is the final state of the final trajectory in some infinite timed execution of the automata.
9
Invariant and simulation mapping
• An invariant of a timed automaton is any property that is true if any set of states that contain all the reachable states.
• A simulation mapping relates the states of one timed automata A to the states of another timed automata B, in such a way that the actions and their timings in admissible time executions correspond.
• The time execution is admissible if the total amount of time passage is infinity.
10
PVS
• A verification system
• The system consists of specification language, a parser, a type checker and proof checker.
• The PVS prover consists of a collection of interference steps that can be used to reduce a proof goal to simpler subgoals.
• PVS specification language consists of higher-order logic with the type system, so the number of semantic errors in specification can caught by the type checker.
11
• The main work on the paper• Background
– Definition of GRC
– Timed automata
– Time executions and reach ability
– Invariants and simulation mapping
– PVS
• Three theories underlie the timed automata model• Template for defending timed automata model in PVS• Hand proof and PVS proof • Conclusion and critics • References
12
Underlying Theories
• Specifying timed automata in PVS is to use a template that defines a set of underlying theories and provide a standard framework and standard names and definitions for each specification.
• Three underlying theories shared by timed automata : machine, states and time-thy.
13
Theory machine • Purpose :defines the
meaning of mathematical induction in the context of the timed automata model.
• Parameters : states, actions, enabled, trans, start.
• The body: of the theory describes six predicates used to define the induction principle: Inv, reachable-hidden, reachable, base, inductstep, inductthm
14
The theory states
• purpose: define a standard record structure and standard temporal information for the states of an automaton.
• Parameters: actions, MMT states, time, fin-pred (that is true if its argument, a time value is, finite.
• The body is defining the record structure of a state.
15
The theory time-thy
• Purpose: the theory time-thy contains the definition of the standard arithmetic operations and predicates for time values .
16
• Introduction
• Background
• Three theories underlie the timed automata mode
• Template for defending timed automata model in PVS
• Hand proof and PVS proof
• Conclusion and critics
• References
17
A timed automata model template
• This template imports appropriate instantiations of the fixed theories time-thy, states and machine.
• The template is instantiated by filling in the missing parts and adding any desired and definition.
18
Instantiating the template
• We use template for specify in PVS the timed automaton Trains, a component of the timed automata solution of the GRC problem.
• Trains: the timed automata trains has no input actions, three output actions:
enter R(r), enter I (r), exit (r)
For each train R and the time passage action ν(Δt)
19
States and transition of trains
• The states Component describes where the train is.
• Each train's state includes a current time component now, and first and last component for each action.
• s denotes the state before the event occurs and s' the state afterwards.
• An event cannot happen before its first time, and time cannot pass beyond any last time.
20
• Introduction
• Background
• Three theories underlie the timed automata mode
• Template for defending timed automata model in PVS
• Hand proof and PVS proof
• Conclusion and critics
• References
21
Proof of induction principle
• A systematic method for translating hand proof to the PVS proof maps short proof steps to particular PVS rules or strategies.
• Examples:• Definition : EXPAND• “Let…” or “chose…” :SOKOLEM• Apply a quantified formula: INST• To set up an induction : INDUCT
22
Proof of induction principle
23
Proof of induction principle
• The parts of hand proof require the knowledge of human when translating to the PVS proof, are those associate with “induction”– Corresponding exactly what to prove by
induction– Establishing that inductive assertion in enough
to obtain the proof.
24
Summary of results
• Using template specification
• Patterns in timed automaton model proofs
• Patterns in using PVS
25
Using template specification
• Using the template to crate the formal specification of a mathematical model reduces the required effort:– The basic theories and lemmas already specified so the
amount that remains to be specified for a particular model is reduced.
– The existence of conventions regarding names, types and definitions of the missing parts eliminates many decisions required in specifying a particular model, the specified needs only to fill in the missing parts.
26
Patterns in timed automaton proofs
• In proof analyzing in the timed automat domain the approach is– Create the small step proofs, optimize them and find patterns
that can translate into PVS strategies. – When a hand proof doesn’t supply enough details, we should
apply heuristic strategy to turn to the PVS strategy
27
Patterns in using PVS
• The approach to PVS proofs timed automata is to follow a hand proof as closely as possible.
• To keep track of correspondence between a hand proof and PVS proof, inserting comments in the PVS is can be helpful .
28
Conclusion and critics
• An automatic theorem prover can be feasible for software developers.
• PVS strategy reduce the human interaction with the theorem
prover in obtaining a proof. • Less explanation and less examples
29
References
• C.Heitmeyer and N.Lynch. The generalized Railroad Crossing: A case study in formal verification of the real-time
• C.L. Heitmeyer, R. D. Jeffords, and B. G. Labaw. A benchmark for comparing different approaches for specifying and verifying real-time systems.
• R. Alur and D. L. Dill. A theory of timed automata
