1 Mechanical Verification of Timed Automata Myla Archer and Constance Heitmeyer Presented by Rasa Bonyadlou 24 October 2002

2 Overview The main work on the paper Background –Definition of GRC –Timed automata –Time executions and reach ability –Invariants and simulation mapping –PVS Three theories underlie the timed automata model Template for defending timed automata model in PVS Hand proof and PVS proof Conclusion and critics References

3 The main work on the paper The paper reports the results of a case study on the feasibility of developing and applying mechanical methods, based on PVS to prove propositions about real-time systems. How a mechanical proof system can support formal reasoning about real time systems using a specific mathematical model.

4 Background Definition of Generalized Railroad Crossing Timed automata Time executions and reach ability Invariants and simulation mapping PVS

5 The GRC Problem (1) A benchmark for comparing formal methods. The system to be developed operates a gate at a railroad crossing. The railroad crossing I lines in a region of R, I  R A sensor system determines when each train enters and exits region R. Gate function: g(t)  [0,90] Sequence of occupancy intervals {λ i }: each occupancy interval is a maximum time interval during which one or more trains are in I.

6 The GRC problem (2) Develop a system to operate the crossing gate that satisfies the following two properties : Safety property : the gate is down during all occupancy intervals. –t € U i λ i  g(t)=0 Utility property :gate is up when no train is in I. –t  U i [  I -  1, I +  2 ]  g(t)=90 –Where  1 and  2 two positive constants. –  I is the time of i th entry of a train into the crossing when no other train is in the crossing and I is the first time that no train is in the crossing

7 The timed automata model States (A) is a (finite or infinite) sets of states Start (A)  States (A) is a nonempty (finite or infinite) set of start states. A mapping from states (A) to R + ( nonnegative numbers ) Acts (A) is a set of actions (events), which include special time passage actions ν(Δt), where, Δt is a R +, and non-time-passage actions, classified as input and output actions. Steps (A):states (A)  acts(A)  states(A) is a partial function that defines the possible steps (transitions)

8 Timed execution and reachability A trajectory is either a single state or a continuous series of states connected by time passage events. A timed execution fragment is a finite or infinite alternating sequence α=ω 0 π 1 ω 1 π 2 ω 2 where each ω j is a trajectory and each π j is a non-time-passage action that “connects” the final state ѕ of the preceding trajectory ω j-1 with the initial state S`of the following trajectory ω j. A state of timed automata is define to be reachable, if it is the final state of the final trajectory in some infinite timed execution of the automata.

9 Invariant and simulation mapping An invariant of a timed automaton is any property that is true if any set of states that contain all the reachable states. A simulation mapping relates the states of one timed automata A to the states of another timed automata B, in such a way that the actions and their timings in admissible time executions correspond. The time execution is admissible if the total amount of time passage is infinity.

10 PVS A verification system The system consists of specification language, a parser, a type checker and proof checker. The PVS prover consists of a collection of interference steps that can be used to reduce a proof goal to simpler subgoals. PVS specification language consists of higher-order logic with the type system, so the number of semantic errors in specification can caught by the type checker.

11 The main work on the paper Background –Definition of GRC –Timed automata –Time executions and reach ability –Invariants and simulation mapping –PVS Three theories underlie the timed automata model Template for defending timed automata model in PVS Hand proof and PVS proof Conclusion and critics References

12 Underlying Theories Specifying timed automata in PVS is to use a template that defines a set of underlying theories and provide a standard framework and standard names and definitions for each specification. Three underlying theories shared by timed automata : machine, states and time-thy.

13 Theory machine Purpose :defines the meaning of mathematical induction in the context of the timed automata model. Parameters : states, actions, enabled, trans, start. The body: of the theory describes six predicates used to define the induction principle: Inv, reachable- hidden, reachable, base, inductstep, inductthm

14 The theory states purpose: define a standard record structure and standard temporal information for the states of an automaton. Parameters: actions, MMT states, time, fin-pred (that is true if its argument, a time value is, finite. The body is defining the record structure of a state.

15 The theory time-thy Purpose: the theory time- thy contains the definition of the standard arithmetic operations and predicates for time values.

16 Introduction Background Three theories underlie the timed automata mode Template for defending timed automata model in PVS Hand proof and PVS proof Conclusion and critics References

17 A timed automata model template This template imports appropriate instantiations of the fixed theories time-thy, states and machine. The template is instantiated by filling in the missing parts and adding any desired and definition.

18 Instantiating the template We use template for specify in PVS the timed automaton Trains, a component of the timed automata solution of the GRC problem. Trains: the timed automata trains has no input actions, three output actions: enter R(r), enter I (r), exit (r) For each train R and the time passage action ν(Δt)

19 States and transition of trains The states Component describes where the train is. Each train's state includes a current time component now, and first and last component for each action. s denotes the state before the event occurs and s' the state afterwards. An event cannot happen before its first time, and time cannot pass beyond any last time.

20 Introduction Background Three theories underlie the timed automata mode Template for defending timed automata model in PVS Hand proof and PVS proof Conclusion and critics References

21 Proof of induction principle A systematic method for translating hand proof to the PVS proof maps short proof steps to particular PVS rules or strategies. Examples: Definition : EXPAND “Let…” or “chose…” : SOKOLEM Apply a quantified formula: INST To set up an induction : INDUCT

22 Proof of induction principle

23 Proof of induction principle The parts of hand proof require the knowledge of human when translating to the PVS proof, are those associate with “induction” – Corresponding exactly what to prove by induction –Establishing that inductive assertion in enough to obtain the proof.

24 Summary of results Using template specification Patterns in timed automaton model proofs Patterns in using PVS

25 Using template specification Using the template to crate the formal specification of a mathematical model reduces the required effort: –The basic theories and lemmas already specified so the amount that remains to be specified for a particular model is reduced. –The existence of conventions regarding names, types and definitions of the missing parts eliminates many decisions required in specifying a particular model, the specified needs only to fill in the missing parts.

26 Patterns in timed automaton proofs In proof analyzing in the timed automat domain the approach is –Create the small step proofs, optimize them and find patterns that can translate into PVS strategies. –When a hand proof doesn’t supply enough details, we should apply heuristic strategy to turn to the PVS strategy

27 Patterns in using PVS The approach to PVS proofs timed automata is to follow a hand proof as closely as possible. To keep track of correspondence between a hand proof and PVS proof, inserting comments in the PVS is can be helpful.

28 Conclusion and critics An automatic theorem prover can be feasible for software developers. PVS strategy reduce the human interaction with the theorem prover in obtaining a proof. Less explanation and less examples

29 References C.Heitmeyer and N.Lynch. The generalized Railroad Crossing: A case study in formal verification of the real-time C.L. Heitmeyer, R. D. Jeffords, and B. G. Labaw. A benchmark for comparing different approaches for specifying and verifying real-time systems. R. Alur and D. L. Dill. A theory of timed automata