© 2012 IBM Corporation

Formal Verification for UML/SysML models

IBM Research Lab - Haifa

© 2012 IBM Corporation2

IBM

Content

� Formal verification v.s. testing

� Correctness properties

� Formal verification for Rhapsody models

© 2012 IBM Corporation3

IBM

Formal Verification

� Does the system obey its requirements ?

� Demonstrate the cases where the system fails

� Exhaustive search for bugs

� In the absence of requirements

– Try to violate universal rules that all systems should obey

Analysis

Desired Properties Model

© 2012 IBM Corporation4

IBM

From models to models

� A model of a system: UML / SysML

� Analysis model: finite state machine (mathematical)

Yes, these are huge!

FV algorithms analyze themwithout building them

© 2012 IBM Corporation5

IBM

Computations

� Verification amounts to analyzing computations looking for possible bad states

� Imagine a system that reacts to its inputs and changes states

Initial state

2 bits of input

Assuming n Boolean variables:

2n different states

© 2012 IBM Corporation6

IBM

Testing

� In testing we run the system on a single path through the computation tree

� Didn’t hit an error? We run again. And again. And again…

© 2012 IBM Corporation7

IBM

Formal Verification

� Formal verification uses mathematics rather than chance

© 2012 IBM Corporation8

IBM

Formal Verification

� Formal verification uses mathematics rather than chance

© 2012 IBM Corporation9

IBM

Formal Verification

� Formal verification uses mathematics rather than chance

© 2012 IBM Corporation10

IBM

Formal verification for UML/SysML

The user creates behavioral models

always (door_unlocked -> speed=0)

never (P1.critical & P2.critical)

Mutual exclusionObject: proc1State: crit_stObject: proc2State: updatingThe user defines correctness properties

PassFail+ sequence diagram

© 2012 IBM Corporation11

IBM

Correctness properties

� First rule: know what you want to verify!

� Second rule: Say it clearly

� Formal verification uses temporal specification languages

– Formally defined

– Powerful

– Not so easy to read / write

� Template properties hide the temporal language

– Easy to understand, easy to use

– Limited expressibility

© 2012 IBM Corporation12

IBM

Internal Non-Determinism

� Find scenarios in which there are two (or more) enabled transitions from the same state

� Model independent property

Non determinism

check for ND transitions

Can these two guards hold at the same time?

© 2012 IBM Corporation13

IBM

Out of Bounds

� Check that attributes cannot be assigned with out-of-bounds values

� Model independent property

Out-Of-Bounds

check attribute bounds

© 2012 IBM Corporation14

IBM

� The user specifies two distinct states in two

different objects

� The tool verifies that these states can never

be active at the same time

� Model specific property

Mutual Exclusion

© 2012 IBM Corporation15

IBM

Invariants

� An invariant is an expression that should hold at all times

� Invariant expressions can refer to states and attributes– a1a1a1a1 is an object name– state(a1)state(a1)state(a1)state(a1) is the current state of a1a1a1a1 (can be hierarchical)– a1.xa1.xa1.xa1.x is the attribute xxxx of a1a1a1a1

� Model specific property

Invariant

Invariant expression: (state(a1) = done) -> (a1.x > 0)

© 2012 IBM Corporation16

IBM

Dead Code

� Find states that cannot be reached

� Find transitions that cannot fire

� Model independent property

Dead States

check for dead states

© 2012 IBM Corporation17

IBM

Deadlock Freedom

� A deadlock is a situation in which no progress can be made regardless of what the

environment does.

– In other words, no transitions can ever be fired

� Model independent property

Deadlock

check for deadlocks

© 2012 IBM Corporation18

IBM

… and more

� Template properties can be added and customized on-demand

– Should be tailored to in-house design methodology of specific customer

� Verification methodology:

– Template properties used by engineers

– Temporal logic used by verification expert

� Correctness properties should be part of the model

© 2012 IBM Corporation19

IBM

The Model Verifier

� Verifying UML/SysML (behavioral) specifications– A subset defined for safety critical systems

Rhapsody

Formal Engine

Mathematical representation

of model and properties

Problematic scenarios /

Proofs

© 2012 IBM Corporation20

IBM

Contact information

� Ronen LevyEmerging Quality Technologies, ManagerE-mail: ronenl@il.ibm.com

� Karen YoravFV for UML project leaderE-mail: yorav@il.ibm.com