| Archer, Myla M., Heitmeyer, Constance L., and Sims, Steve, "TAME: A PVS Interface to Simplify Proofs for Automata Models," Proc. UITP '98 , July 1998. |
....discrete time instance in the smallest window containing the continuous timer interval from the current sample time t to the sample at t timeout. The PVS theory developed in [9] is used to verify invariants for Fischer's mutual exclusion protocol and a railroad crossing example. Both [10] and [11] provide continuous time formalisms in PVS that attempt to insulate the user from the underlying theorem prover. A duration calculus (DC) proof assistant has been implemented on top of PVS in [10] to allow formal reasoning about real time systems using the DC's interval temporal logic. It is a highly expressive, continuous time setting capable of modelling complex timing requirements. The timed automata modelling environment (TAME) [11], has been designed to provide a human style theorem proving environment for invariants and other properties of timed automata specifications. A simpler discrete time setting will suffice for our purposes. The presented method is a straightforward extension of the existing successful (untimed) ....
M. Archer, C. Heitmeyer, and S. Sims, "TAME: A PVS interface to simplify proofs for automata models," in User Interfaces for Theorem Provers, (Eindhoven, The Netherlands), July 1998. Informal proceedings available at http://www.win.tue.nl/cs/ipa/uitp/proceedings.html.
....will require computer tool support. So far, tool based work with I/O automata has consisted mainly of using interactive theorem provers to verify invariant assertions and simulation relations (for example, [Nip89, SAGG 93, PPG 96, Arc97]) for I/O automaton based designs. The TAME system [AHS98] provides a high level interface to the PVS theorem prover [ORR 96] for specifying and proving properties of a timed version of I/O automata. Other tool support for I/O automata includes the Spectrum programming language and simulator [Gol90]. ....
Archer, M. M., Heitmeyer, C. L., and Sims, S. TAME: A PVS interface to simplify proofs for automata models. In Workshop on User Interfaces for Theorem Provers, Eindhoven University of Technology, July 1998.
....the next state is a function of the previous state and the actions that occurred. In MMT automata, states can keep their value for entire time intervals or only for single instants. However, in the same single instant the state can keep many values. Encoding in PVS: TAME. TAME [AH97a, AH96b, AHS98, AH96a] is an environment to model and verify timed automata using PVS. The user defines the actions (with their preconditions and effects), the state variables and the set of start states. Actions are implemented as data types. The principal goal of TAME is providing automatic support for ....
Myla Archer, Constance Heitmeyer, and Steve Sims. TAME: A PVS interface to simplify proofs for automata models. In User Interfaces for Theorem Provers, Eindhoven, The Netherlands, July 1998. Informal proceedings available at http://www.win.tue.nl/cs/ipa/uitp/proceedings.html.
....to create a high quality SCR specification for CD and to prove that this specification satisfies a set of security properties and fails to satisfy one property. It illustrates how the SCR analysis techniques both complement and support one another, and how one particular technique, the TAME [1, 2] interface to the PVS [26] theorem prover can be used both to prove security properties and discover property violations. After reviewing the SCR method and the SCR toolset, Section 2 introduces PEIP and the COMSEC Device CD. Section 3 describes the translation of a prose requirements document ....
....of SCR requirements specifications [12, 13]. Several additional tools have been integrated with SCR by means of translators that transform the internal representation of an SCR specification into the input languages of the tools. These tools include TAME (Timed Automata Modeling Environment) [1, 2], an interface to the theorem prover PVS [26] that simplifies using PVS to prove properties of automata models, a validity checker [4] that automatically checks whether a predicate over the variables of one or two states is a state or transition invariant of an SCR specification, and a test set ....
M. Archer, C. Heitmeyer, and S. Sims. TAME: A PVS interface to simplify proofs for automata models. In Proc. User Interfaces for Theorem Provers 1998 (UITP '98), Eindhoven, Netherlands, July 1998.
....and the database of keywords is filled. At this point, the definition file is used as a script file to execute the functions while the definition file is loaded, which is used to further customise the library. 5 Related Work There are already some projects to improve the interface of PVS. TAME [2] is a layer on top of PVS for reasoning about timed automata and consists of a number of strategies to reduce the number of steps made in a typical PVS proof to the number of steps made in a hand made proof. With these additional strategies, the user of TAME will not be exposed to the low level ....
Myla Archer, Constance Heitmeyer, and Steve Sims. TAME: A PVS interface to simplify proofs for automata models. In Backhouse [4], pages 147-156. See also: http://www.win.tue.nl/cs/ipa/uitp/papers/Archer.ps.gz.
....of SCR requirements specifications [14, 12]. Several additional tools have been recently integrated with SCR by automatically translating the internal representation of an SCR specification into the input languages of the tools. These tools include TAME (Timed Automata Modeling Environment) [1, 2], an interface to the theorem prover PVS [25] for proving properties of automata models, a validity checker [4] which uses an integrated set of decision procedures to automatically check whether a given property is a state or transition invariant of an SCR specification, and a test set ....
....required in using PVS to specify these automata models and to prove state invariant properties for the models. TAME was originally designed to specify and reason about Lynch-Vaandrager (LV) timed automata [21] but has been adapted to I/O automata [20] and the automata model underlying SCR (see [2]). TAME provides more than twenty specialized strategies that implement proof steps mimicking the high level proof steps typically used by humans in proving invariant properties. Experience has shown that for automata models whose state variables have simple types (such as numerical, boolean, or ....
M. Archer, C. Heitmeyer, and S. Sims. TAME: A PVS interface to simplify proofs for automata models. In Proc. User Interfaces for Theorem Provers 1998 (UITP '98), Eindhoven, Netherlands, July 1998.
....they will require computer tool support. So far, tool based work with I/O automata has consisted mainly of using interactive theorem provers to verify invariant assertions and simulation relations (e.g. [Nip89, SAGG 93, PPG 96, Arc97]) for I/O automaton-based designs. The TAME system [AHS98] provides a high level interface to the PVS theorem prover [ORR 96] for specifying and proving properties of a timed version of I/O automata. Other tool support for I/O automata includes the Spectrum programming language and ....
Archer, M. M., Heitmeyer, C. L., and Sims, S. TAME: A PVS interface to simplify proofs for automata models. In Workshop on User Interfaces for Theorem Provers, Eindhoven University of Technology, July 1998.
....composition operator for timed automata in [9] we formulated and verified a proof principle for showing execution inclusion. This underlines the general advantages of fully formal tool supported verification, as for example also observed in [5, 6, 15, 17]. Concerning related work, the TAME project [3] which uses PVS for establishing a framework for specification and verification with timed I/O automata focuses on a standardized way to specify timed I/O automata and specialized tactics for reasoning about them. These specialized tactics are parameterized over theorems that are generated ....
Myla M. Archer, Constance L. Heitmeyer, and Steve Sims. TAME: A PVS interface to simplify proofs for automata models. In Proceedings of UITP '98, July 1998.
.... derived from those used with Nqthm and ACL2, for developing robust proofs of machine code programs [93]. Merriam and Harrison provide an examination of interface issues, and compare PVS with two other systems [94], while Archer and Heitmeyer describe using PVS to produce human style proofs [95, 96]. Issues in introducing formal methods, including PVS, to students and engineers are discussed by Knight et al. [97]. Applications PVS has been applied to classical topics in mathematical analysis [98], to the modeling of process calculi [99, 100] and transition systems [101, 102], to the ....
Myla Archer, Constance Heitmeyer, and Steve Sims. TAME: A PVS interface to simplify proofs for automata models. In User Interfaces for Theorem Provers, Eindhoven, The Netherlands, July 1998. Informal proceedings available at http://www.win.tue.nl/cs/ipa/uitp/proceedings.html.
....GRC as informally presented in [6]. Recognizing an inaccuracy in the meta theory used in [6], we formulated and verified a proof principle for showing execution inclusion. This underlines the general advantages of fully formal tool supported verification. Concerning related work, the TAME project [2] which uses PVS for establishing a framework for specification and verification with timed I/O automata focuses on a standardized way to specify timed I/O automata and specialized tactics for reasoning about them. Of the GRC only the invariance proofs have been carried out within that framework so ....
Myla M. Archer, Constance L. Heitmeyer, and Steve Sims. TAME: A PVS interface to simplify proofs for automata models. In Proceedings of UITP '98, July 1998.
....checks on certain examples involving numbers. Systems that largely automate induction proofs by employing decision procedures include the Stanford Temporal Prover (STeP) [11]. Other tools that are built upon the interactive theorem prover PVS [30] include TAME (Timed Automata Modeling Environment) [3] and the tools of Graf et al. [21, 32]. These tools are implemented as a set of special purpose PVS strategies. The tool InVeSt includes sophisticated algorithms for invariant generation and heuristics for invariant strengthening [5, 6]. Also, if invariance cannot be established on a finite ....
....the consistency checker of the SCR Toolset [23] was unable to carry out certain checks, such as checks for unwanted nondeterminism called disjointness checks, especially on specifications containing expressions with numbers. We have also been using SPIN and SMV, and more recently TAME [3], to verify user formulated properties of SCR specifications. We compare Salsa with TAME/PVS to gain an insight into how well the Salsa approach performs in relation to that of a state of the art theorem prover. We compare Salsa with model checkers for the following reason. During the course of ....
M. Archer, C. Heitmeyer, and S. Sims. TAME: A PVS interface to simplify proofs for automata models. In Proc. User Interfaces for Theorem Provers, Eindhoven, Netherlands, July 1998. Eindhoven University CS Technical Report.
....benefit of the three tools that we used to analyze the LCS specification is that applying these tools is relatively easy. Two other tools associated with the SCR toolset could also be used but applying them would require more effort. These tools are the model checker Spin [14] and the TAME tool [4], an interface to the theorem prover PVS. Because the LCS specification contains many numbers and large ranges of numbers (e.g. the light level can vary between 0 and 10,000) its state space is very large. Hence, a barrier to using a model checker is the state explosion problem. Running TAME ....
....with these techniques. However, we are developing approaches that reduce this overhead by using automatic abstraction methods to limit state explosion in model checking [5, 9] and by using the automatic generation of invariants [15] and more automatic, more natural theorem proving methods [3, 4, 16] to facilitate the use of mechanical theorem provers. Our application of the SCR simulator to the LCS specification proved to be especially valuable. Once the specification was entered into the SCR toolset, a user could run scenarios through the simulator to validate that the specification ....
M. Archer, C. Heitmeyer, and S. Sims. TAME: A PVS interface to simplify proofs for automata models. In Proc. User Interfaces for Theorem Provers, Eindhoven, Netherlands, July 1998. Eindhoven Univ. of Technology.
....certain properties. We agree with Butler et al. [8] when they state that: [T]he formal methods researchers must be willing to adapt their methods to the problem domain rather than fight to change the existing methodologies to conform to their needs. TAME (Timed Automata Modeling Environment) [3, 5, 6, 2] is a specialized interface to PVS that is intended to remove, or at least reduce, the barriers to more general use of PVS in verifying automata models. It supports the creation of PVS descriptions of three different automata models: Lynch-Vaandrager (LV) timed automata [23], I/O automata [21] ....
....complex data types problematic for a model checker. Thus, for the verification of these and similar examples, theorem proving is necessary. TAME is intended to reduce the human effort associated with mechanical theorem proving using PVS. To achieve this, TAME provides an interface to PVS [3, 5, 6, 2]. This interface consists of a set of templates for specifying automata, a set of standard theories, and a set of standard PVS strategies. Below, we provide an overview of the templates, theories, and strategies, and how they are related. We also discuss the major goals which have guided the ....
Myla Archer, Constance Heitmeyer, and Steve Sims. TAME: A PVS interface to simplify proofs for automata models. In Proc. User Interfaces for Theorem Provers 1998 (UITP '98), Eindhoven, Netherlands, July 1998.
....has been done by researchers with highly detailed knowledge of a mechanical prover, such as PVS [23]. The frequency of mechanical verification can be expected to increase if tools such as PVS are easier, and thus more cost effective, to use. The tool TAME (Timed Automata Modeling Environment) [3, 5, 4, 6] provides an interface that simplifies specifying and proving properties of Lynch-Vaandrager (LV) timed automata [18] using PVS. TAME is designed to make mechanically supported formal methods (such as PVS) easier to use by simplifying the encoding of an automaton specification, by supporting proofs ....
....how TAME can be applied to I/O automata to check Lamport style hand proofs. Originally designed to specify and verify properties of LV timed automata, TAME has been adapted to work with other automata models, including the (untimed) I/O automata model and the automaton model that underlies SCR [6]. Previous proofs checked with TAME were natural language (but not Lamport-style) hand proofs. Second, the paper describes the positive experience of a new user (the first author) who used TAME to check the Lamport style proofs of invariant properties for two applications: Romijn's solution of the ....
Myla Archer, Constance Heitmeyer, and Steve Sims. TAME: A PVS interface to simplify proofs for automata models. In Proc. User Interfaces for Theorem Provers 1998, Eindhoven, Netherlands, July 1998. Eindhoven Univ. of Technology.
....appropriate lemma when passed the name of a state component as an argument. 9 TAME: Recent Developments Since the publication of [1], our system for supporting the methods developed in this study was given the name TAME [2]. Further developments regarding TAME have been reported in [5], [4] and [6]. TAME has now been applied with some success to multiple examples of timed and non timed automata, including the boiler controller in [21] (see [5, 3]), a vehicle control system from [36], a timed version of Fischer's algorithm from [23], the group communication service in [10, 9] and several examples of SCR specifications (see [6]). For the boiler controller and vehicle control system, TAME was extended by expanding the template conventions to cover specifying nondeterministic transitions using Hilbert's choice operator ε, extending the set of common theories to include a theory real thy containing facts about real ....
Myla Archer, Constance Heitmeyer, and Steve Sims. TAME: A PVS interface to simplify proofs for automata models. Submitted for publication.
.... [1], a simulator to symbolically execute the specification to ensure that it captures the user's intent [2], and a model checker to detect violations of critical application properties [3, 4]. The SCR method also provides a customized interface called TAME (Timed Automata Modeling Environment) [5] for verifying specifications using the mechanical theorem prover PVS (Prototype Verification System) [6] and a new tool for automatically generating invariants from SCR specifications [7]. Such invariants are often useful in proving other properties. The improved specification that results from ....
....two changes to dramatically reduce the length of the test sequences produced by Spin. 3.2 Customized Interfaces One approach to improving the usability of a mechanical prover is to design a customized interface to the prover that solves a special class of problems. For example, the frontend TAME [5] that we have developed for PVS allows a user to specify and reason about state based models, such as the I/O Automata Model [19] and the state machine model that underlies the SCR method [1]. TAME facilitates user description of a state machine model by providing a template that the user ....
Myla Archer, Constance Heitmeyer, and Steve Sims. TAME: A PVS interface to simplify proofs for automata models. In Proc. User Interfaces for Theorem Provers, Eindhoven, Netherlands, July 1998. Eindhoven Univ. Tech. Rpt.
....properties in the property dictionary, SCR supports several analysis tools. Among these are the explicit state model checker Spin [9], which has been integrated into the toolset, and several tools which are partially integrated, including the TAME (Timed Automata Modeling Environment) interface [1] to PVS [14] and a validity checker [3]. An additional SCR tool is a test case generator [4] which constructs sequences of system inputs and expected outputs for testing the conformance of an implementation with an SCR specification. Automatic code generation of Java and C source code from SCR ....
....PVS to specify, and to prove properties of, automata models. TAME was originally designed to specify and reason about Lynch-Vaandrager (LV) timed automata [12] but has been recently adapted to two other automaton models, I/O automata and the automata model that underlies SCR specifications (see [1]). TAME provides a template for specifying automata models, and approximately twenty specialized PVS strategies that mimic the high level proof steps typically used by humans in proving invariant properties. Experience has shown that for automata models whose state variables have simple types ....
M. Archer, C. Heitmeyer, and S. Sims. TAME: A PVS interface to simplify proofs for automata models. In Proc. User Interfaces for Theorem Provers 1998, Eindhoven, Netherlands, July 1998.
....model checking fails to reveal an error in a requirements specification or produces many spurious counterexamples, the user may use mechanical theorem proving to establish the property. We have in fact done this for a small SCR specification, using the mechanical prover in PVS. For details, see [1]. Invariant Generator. Recently, a prototype tool that automatically generates state invariants from SCR tables [10] was integrated into SCR. This tool has generated more than 20 interesting state invariants from the mode tables in a revised version of the A-7 requirements document. 4. Applying ....
M. Archer, C. Heitmeyer, and S. Sims. TAME: A PVS interface to simplify proofs for automata models. In Proc. User Interfaces for Theorem Provers, Eindhoven, Netherlands, July 1998. Eindhoven Univ. Tech. Report.
....approach to this problem is to build a prover front end that is designed to support specification and proofs of a special class of mathematical models. An example of such a front end is TAME, a natural user interface to PVS that is designed to specify and prove properties about automata models [2]. Although using a mechanical prover will still require mathematical maturity and theorem proving skills, making the prover more natural and convenient to use should encourage more widespread usage. 6 Conclusions It is my belief that software practitioners who are not formal methods experts ....
M. Archer, C. Heitmeyer, and S. Sims. "TAME: A PVS Interface to Simplify Proofs for Automata Models." Proc. User Interfaces for Theorem Provers 1998 (UITP 98), Eindhoven, Netherlands, July 13-15, 1998.