Advertisement

Automated Software Engineering

, Volume 9, Issue 3, pp 201–232 | Cite as

Proving Invariants of I/O Automata with TAME

  • Myla Archer
  • Constance Heitmeyer
  • Elvinia Riccobene
Article

Abstract

This paper describes a specialized interface to PVS called TAME (Timed Automata Modeling Environment) which provides automated support for proving properties of I/O automata. A major goal of TAME is to allow a software developer to use PVS to specify and prove properties of an I/O automaton efficiently and without first becoming a PVS expert. To accomplish this goal, TAME provides a template that the user completes to specify an I/O automaton and a set of proof steps natural for humans to use for proving properties of automata. Each proof step is implemented by a PVS strategy and possibly some auxiliary theories that support that strategy. We have used the results of two recent formal methods studies as a basis for two case studies to evaluate TAME. In the first formal methods study, Romijn used I/O automata to specify and verify memory and remote procedure call components of a concurrent system. In the second formal methods study, Devillers et al. specified a tree identify protocol (TIP), part of the IEEE 1394 bus protocol, and provided hand proofs of TIP properties. Devillers also used PVS to specify TIP and to check proofs of TIP properties. In our first case study, the third author, a new TAME user with no previous PVS experience, used TAME to create PVS specifications of the I/O automata formulated by Romijn and Devillers et al. and to check their hand proofs. In our second case study, the TAME approach to verification was compared with an alternate approach by Devillers which uses PVS directly.

software engineering software requirements analysis formal methods proof checking verification theorem proving 

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. Alborghetti, A., Gargantini, A., and Morzenti, A. 1997. Providing automated support to deductive analysis of time critical systems. In Proc. 6th European Software Engineering Conference (ESEC/FSE'97), volume 1301 of Lect. Notes in Comp. Sci., pp. 211–226. Springer-Verlag.Google Scholar
  2. Archer, M. 2000. TAME: Using PVS strategies for special-purpose theorem proving. Annals of Mathematics and Artificial Intelligence, 29(1–4):139–181.Google Scholar
  3. Archer, M. 2002. Proving correctness of the basic TESLA multicast stream authentication protocol with TAME. In Informal Proceedings of the Workshop on Issues in the Theory of Security (WITS'02), Portland, OR.Google Scholar
  4. Archer, M. and Heitmeyer, C. 1996. Mechanical verification of timed automata: A case study. In Proc. 1996 IEEE Real-Time Technology and Applications Symp.(RTAS'96), pp. 192–203. IEEE Computer Society Press.Google Scholar
  5. Archer, M. and Heitmeyer, C. 1997a. Human-style theorem proving using PVS. In E.L. Gunter and A. Felty, editors, Theorem Proving in Higher Order Logics (TPHOLs'97), volume 1275 of Lect. Notes in Comp. Sci., pp. 33–48. Springer-Verlag.Google Scholar
  6. Archer, M. and Heitmeyer, C. 1997b. Verifying hybrid systems modeled as timed automata: A case study. In Hybrid and Real-Time Systems (HART'97), volume 1201 of Lect. Notes in Comp. Sci., pp. 171–185. Springer-Verlag.Google Scholar
  7. Archer, M., Heitmeyer, C., and Riccobene, E. 2000. Using TAME to prove invariants of automata models: Case studies. In Proc. 2000 ACM SIGSOFT Workshop on Formal Methods in Software Practice (FMSP'00).Google Scholar
  8. Archer, M., Heitmeyer, C., and Sims, S. 1998. TAME: A PVS interface to simplify proofs for automata models. In Proc. User Interfaces for Theorem Provers 1998 (UITP '98), Eindhoven, Netherlands.Google Scholar
  9. Butler, R.W. 1996. An introduction to requirements capture using PVS: Specification of a simple autopilot, NASA Technical Memorandum 110255, NASA Langley Research Center.Google Scholar
  10. Butler, R.W., Caldwell, J.L., Carreño, V.A., Holloway, C.M., Miner, P.S., and Di Vito, B.L. 1995. NASA Langley's research and technology-transfer program in formal methods. In Proc. 10th Annual Conf. on Computer Assurance (COMPASS'95), Gaithersburg, MD, pp. 135–149. IEEE Computer Society Press.Google Scholar
  11. Clarke, E.M., Emerson, E.A., and Sistla, A.P. 1986. Automatic verification of finite-state concurrent systems using temporal logic specifications. ACM Trans. Program. Lang. Syst., 8:244–263.Google Scholar
  12. Crow, J. and Di Vito, B.L. 1996. Formalizing space shuttle software requirements. In Proc. First ACM Workshop on Formal Methods in Software Practice (FMSP'96), San Diego, CA, pp. 40–48.Google Scholar
  13. Crow, J. and Di Vito, B.L. 1998. Formalizing space shuttle software requirements: Four case studies. ACM Transactions on Software Engineering and Methodology, 7(3):296–332.Google Scholar
  14. Devillers, M. 1997. Verification of a tree-identify protocol. Available at URL http://www.cs.kun.nl/~marcod/1394.html.Google Scholar
  15. Devillers, M. 1999. Private communication.Google Scholar
  16. Devillers, M., Griffioen, D., Romijn, J., and Vaandrager, F. 2000.Verification of a leader election protocol—Formal methods applied to IEEE 1394. Formal Methods in System Design, 16(3):307–320.Google Scholar
  17. Easterbrook, S. and Callahan, J. 1997. Formal methods for V & V of partial specifications. In Proc. 3rd Intern. Symposium on Requirements Engineering (RE '97), Annapolis, MD.Google Scholar
  18. Fekete, A., Lynch, N., and Shvartsman, A. 1997. Specifying and using a partitionable group communication service. In Proc. Sixteenth Ann. ACM Symp. on Principles of Distributed Computing (PODC'97), Santa Barbara, CA, pp. 53–62.Google Scholar
  19. Gargantini, A. and Morzenti, A. 2001. Automated deductive requirements analysis of critical systems. ACM Transactions on Software Engineering and Methodology (TOSEM), 10(3):255–307.Google Scholar
  20. Garland, S.J. and Lynch, N.A. 1998. The IOA language and toolset: Support for designing, analyzing, and building distributed systems. Draft. MIT Laboratory for Computer Science.Google Scholar
  21. Heitmeyer, C., Kirby, J., Labaw, B., Archer, M., and Bharadwaj, R. 1998. Using abstraction and model checking to detect safety violations in requirements specifications. IEEE Trans. on Softw. Eng., 24(11):927–948.Google Scholar
  22. Kellomaki, P. 1997. Mechanical verification of invariant properties of DisCo specifications. Ph.D. Thesis, Tampere University of Technology, Finland.Google Scholar
  23. Lamport, L. 1993. How to write a proof. Technical Report, Digital Equipment Corp., System Research Center, Research Report 94.Google Scholar
  24. Lincoln, P. 1998. Private communication.Google Scholar
  25. Luchangco, V. 1995. Using simulation techniques to prove timing properties. Master's thesis, Massachusetts Institute of Technology.Google Scholar
  26. Lynch, N. and Tuttle, M. 1989. An introduction to input/output automata. CWI-Quarterly, 2(3):219–246. Centrum voor Wiskunde en Informatica, Amsterdam, The Netherlands.Google Scholar
  27. Lynch, N. and Vaandrager, F. 1995. Forward and backward simulations—Part I: Untimed systems. Information and Computation, 121(2):214–233.Google Scholar
  28. Lynch, N. and Vaandrager, F. 1996. Forward and backward simulations—Part II: Timing-based systems. Information and Computation, 128(1):1–25.Google Scholar
  29. Miller, S. 1998. The industrial use of formal methods: Was Darwin right? In Proc. 2nd IEEE Workshop on Industrial-Strength Formal Specification Techniques, Boca Raton, FL, pp. 74–82.Google Scholar
  30. Miller, S. and Srivas, M. 1995. Formal verification of the AAMP5 microprocessor: A case study in the industrial use of formal methods. In Proc.Workshop on Industrial-Strength Formal Specification Techniques, Boca Raton, FL.Google Scholar
  31. Müller, O. 1998. A verification environment for I/O automata based on formalized meta-theory. Ph.D. Thesis, Technische Universität München.Google Scholar
  32. Owre, S., Shankar, N., Rushby, J.M., and Stringer-Calvert, D.W.J. 1999. PVS System Guide. Menlo Park, CA, Computer Science Laboratory, SRI International.Google Scholar
  33. Romijn, J. 1996. Tackling the RPC-Memory specification problem with I/O automata. In M. Broy, S. Merz, and K. Spies, editors, Formal Systems Specification—The RPC-Memory Specification Case, volume 1169 of Lect. Notes in Comp. Sci., pp. 437–476. Springer-Verlag. Addendum. (URL http://www.cs.kun.nl/~judi/papers/dagstuhlproofs.ps.gz).Google Scholar
  34. Rudnicki, P. and Trybulec, A. 1996. A note on “How to Write a Proof”. Technical Report, University of Alberta, Number TR96–08.Google Scholar
  35. Skakkebaek, J. and Shankar, N. 1994. Towards a duration calculus proof assistant in PVS. In Third Intern. School and Symp. on Formal Techniques in Real Time and Fault Tolerant Systems, volume 863 of. Lect. Notes in Comp. Sci., Springer-Verlag.Google Scholar

Copyright information

© Kluwer Academic Publishers 2002

Authors and Affiliations

  • Myla Archer
    • 1
  • Constance Heitmeyer
    • 1
  • Elvinia Riccobene
    • 2
  1. 1.Naval Research Laboratory, Code 5546WashingtonUSA
  2. 2.Dipartimento di Matematica e InformaticaUniversità di CataniaCataniaItaly

Personalised recommendations