Abstract
TAME (Timed Automata Modeling Environment), an interface to the theorem proving system PVS, is designed for proving properties of three classes of automata: I/O automata, Lynch–Vaandrager timed automata, and SCR automata. TAME provides templates for specifying these automata, a set of auxiliary theories, and a set of specialized PVS strategies that rely on these theories and on the structure of automata defined using the templates. Use of the TAME strategies simplifies the process of proving automaton properties, particularly state and transition invariants. TAME provides two types of strategies: strategies for “automatic” proof and strategies designed to implement “natural” proof steps, i.e., proof steps that mimic the high-level steps in typical natural language proofs. TAME's “natural” proof steps can be used both to mechanically check hand proofs in a straightforward way and to create proof scripts that can be understood without executing them in the PVS proof checker. Several new PVS features can be used to obtain better control and efficiency in user-defined strategies such as those used in TAME. This paper describes the TAME strategies, their use, and how their implementation exploits the structure of specifications and various PVS features. It also describes several features, currently unsupported in PVS, that would either allow additional “natural” proof steps in TAME or allow existing TAME proof steps to be improved. Lessons learned from TAME relevant to the development of similar specialized interfaces to PVS or other theorem provers are discussed.
Cite this article
Archer, M. TAME: Using PVS strategies for special-purpose theorem proving. Annals of Mathematics and Artificial Intelligence 29, 139–181 (2000). https://doi.org/10.1023/A:1018913028597