Formal Verification for UML/SysML models - IBM · 2013-04-22 · Formal verification for UML/SysML...
Transcript of Formal Verification for UML/SysML models - IBM · 2013-04-22 · Formal verification for UML/SysML...
© 2012 IBM Corporation
Formal Verification for UML/SysML models
IBM Research Lab - Haifa
© 2012 IBM Corporation2
IBM
Content
� Formal verification v.s. testing
� Correctness properties
� Formal verification for Rhapsody models
© 2012 IBM Corporation3
IBM
Formal Verification
� Does the system obey its requirements ?
� Demonstrate the cases where the system fails
� Exhaustive search for bugs
� In the absence of requirements
– Try to violate universal rules that all systems should obey
Analysis
Desired Properties Model
© 2012 IBM Corporation4
IBM
From models to models
� A model of a system: UML / SysML
� Analysis model: finite state machine (mathematical)
Yes, these are huge!
FV algorithms analyze themwithout building them
© 2012 IBM Corporation5
IBM
Computations
� Verification amounts to analyzing computations looking for possible bad states
� Imagine a system that reacts to its inputs and changes states
Initial state
2 bits of input
Assuming n Boolean variables:
2n different states
© 2012 IBM Corporation6
IBM
Testing
� In testing we run the system on a single path through the computation tree
� Didn’t hit an error? We run again. And again. And again…
© 2012 IBM Corporation7
IBM
Formal Verification
� Formal verification uses mathematics rather than chance
© 2012 IBM Corporation8
IBM
Formal Verification
� Formal verification uses mathematics rather than chance
© 2012 IBM Corporation9
IBM
Formal Verification
� Formal verification uses mathematics rather than chance
© 2012 IBM Corporation10
IBM
Formal verification for UML/SysML
The user creates behavioral models
always (door_unlocked -> speed=0)
never (P1.critical & P2.critical)
Mutual exclusionObject: proc1State: crit_stObject: proc2State: updatingThe user defines correctness properties
PassFail+ sequence diagram
© 2012 IBM Corporation11
IBM
Correctness properties
� First rule: know what you want to verify!
� Second rule: Say it clearly
� Formal verification uses temporal specification languages
– Formally defined
– Powerful
– Not so easy to read / write
� Template properties hide the temporal language
– Easy to understand, easy to use
– Limited expressibility
© 2012 IBM Corporation12
IBM
Internal Non-Determinism
� Find scenarios in which there are two (or more) enabled transitions from the same state
� Model independent property
Non determinism
check for ND transitions
Can these two guards hold at the same time?
© 2012 IBM Corporation13
IBM
Out of Bounds
� Check that attributes cannot be assigned with out-of-bounds values
� Model independent property
Out-Of-Bounds
check attribute bounds
© 2012 IBM Corporation14
IBM
� The user specifies two distinct states in two
different objects
� The tool verifies that these states can never
be active at the same time
� Model specific property
Mutual Exclusion
© 2012 IBM Corporation15
IBM
Invariants
� An invariant is an expression that should hold at all times
� Invariant expressions can refer to states and attributes– a1a1a1a1 is an object name– state(a1)state(a1)state(a1)state(a1) is the current state of a1a1a1a1 (can be hierarchical)– a1.xa1.xa1.xa1.x is the attribute xxxx of a1a1a1a1
� Model specific property
Invariant
Invariant expression: (state(a1) = done) -> (a1.x > 0)
© 2012 IBM Corporation16
IBM
Dead Code
� Find states that cannot be reached
� Find transitions that cannot fire
� Model independent property
Dead States
check for dead states
© 2012 IBM Corporation17
IBM
Deadlock Freedom
� A deadlock is a situation in which no progress can be made regardless of what the
environment does.
– In other words, no transitions can ever be fired
� Model independent property
Deadlock
check for deadlocks
© 2012 IBM Corporation18
IBM
… and more
� Template properties can be added and customized on-demand
– Should be tailored to in-house design methodology of specific customer
� Verification methodology:
– Template properties used by engineers
– Temporal logic used by verification expert
� Correctness properties should be part of the model
© 2012 IBM Corporation19
IBM
The Model Verifier
� Verifying UML/SysML (behavioral) specifications– A subset defined for safety critical systems
Rhapsody
Formal Engine
Mathematical representation
of model and properties
Problematic scenarios /
Proofs
© 2012 IBM Corporation20
IBM
Contact information
� Ronen LevyEmerging Quality Technologies, ManagerE-mail: [email protected]
� Karen YoravFV for UML project leaderE-mail: [email protected]