TAME: Using PVS strategies for special-purpose theorem proving

TAME (Timed Automata Modeling Environment), an interface to the theorem proving system PVS, is designed for proving properties of three classes of automata: I/O automata, Lynch–Vaandrager timed automata, and SCR automata. TAME provides templates for specifying these automata, a set of auxiliary theories, and a set of specialized PVS strategies that rely on these theories and on the structure of automata defined using the templates. Use of the TAME strategies simplifies the process of proving automaton properties, particularly state and transition invariants. TAME provides two types of strategies: strategies for “automatic” proof and strategies designed to implement “natural” proof steps, i.e., proof steps that mimic the high-level steps in typical natural language proofs. TAME's “natural” proof steps can be used both to mechanically check hand proofs in a straightforward way and to create proof scripts that can be understood without executing them in the PVS proof checker. Several new PVS features can be used to obtain better control and efficiency in user-defined strategies such as those used in TAME. This paper describes the TAME strategies, their use, and how their implementation exploits the structure of specifications and various PVS features. It also describes several features, currently unsupported in PVS, that would either allow additional “natural” proof steps in TAME or allow existing TAME proof steps to be improved. Lessons learned from TAME relevant to the development of similar specialized interfaces to PVS or other theorem provers are discussed.