## PVS based verification tools

We have built a number of tools and techniques which support the verification of UML models with the help of the interactive theorem prover PVS. The PVS tool itself has been developed by SRI and is freely available (see http://pvs.csl.sri.com). In the context of the Omega project, we have developed the following:

1) A translation from XMI to PVS, using the intermediate SUML format.

2) A translation of a subset of OCL to PVS, also via SUML.

3) A set of general PVS theories that define the semantics of the Omega kernel language.

4) The TLPVS framework, which provides a set of theories and strategies on top of PVS to enable the proof of temporal logic properties.

5) A set of PVS theories that allows compositional verification.

The main idea is that users of the PVS-based tools start by importing an XMI file of a concrete UML model. Via the intermediate SUML format, the XMI file is translated into a representation of the UML model in the typed higher-order logic of PVS (point 1). This model may include OCL specifications (as comments), which are translated separately into PVS (point 2). Alternatively, the user may express specifications directly in the specification language of PVS. The generated PVS files representing the concrete model are imported by general PVS theories that define the semantics of UML models (point 3). This defines the set of all runs of the UML model and the user can start proving properties about these runs using the PVS proof checker, which requires experienced users. To obtain a more convenient framework for the proof of properties expressed in Temporal Logic, the TLPVS package has been developed (point 4). It includes powerful strategies that reduce the amount of user interaction. Moreover, scalability is addressed by means of generic theories that allow compositional verification of a component-based design (point 5).

The five ingredients of our approach are explained in more detail below.

1) XMI to PVS

We have implemented a tool that translates a subset of UML, in the XMI format, to the input language of the theorem prover PVS. To simplify the implementation of our tools, we defined an intermediate format called SUML (simple UML). Our current implementation translates two XMI dialects, namely of Rhapsody and ArgoUML, to SUML. There is also a translator from SUML to PVS. The tools are available at http://homepages.cwi.nl/~jacob/uml2pvs.html

2) OCL to PVS

The OCL tool implements a translation of a subset of OCL constraints into the input language of the theorem prover PVS via the SUML format. In order to avoid implementing a three-valued logic within the framework of PVS, we have defined a sound translation of OCL into a two-valued logic. The OCL tool is available at http://www.informatik.uni-kiel.de/~mky/omega/suml.html

3) Semantics of the Omega kernel language

The semantics of the Omega kernel language has been implemented in the typed logic of the interactive theorem prover PVS. We have defined the meaning of basic class diagrams where the behaviour of objects is described by state machines. These reactive objects may communicate by means of asynchronous signals and synchronous operation calls. Explicit timing has been realized via local clocks and an urgency predicate on transitions. The PVS theories are available at http://www.cs.ru.nl/~hooman/STTTpvs.html
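To make the notions used above concrete (the set of all runs of a model, a local clock, and an urgency predicate that forbids time from passing while an urgent transition is enabled), here is a small Python model of that semantics. It is an added illustration, not part of the Omega PVS theories, and the two-state machine, its state names and the property checked are constructed for this example; in PVS the same idea is expressed as a predicate on infinite sequences of configurations rather than by bounded enumeration.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple

@dataclass(frozen=True)
class Config:
    state: str
    clock: int  # local clock of the object, in abstract time units

@dataclass(frozen=True)
class Transition:
    src: str
    dst: str
    guard: Callable[[Config], bool]   # enabling condition on the configuration
    urgent: Callable[[Config], bool]  # urgency predicate: if true, time may not pass

def successors(c: Config, machine: List[Transition]) -> List[Config]:
    """One-step successors: fire any enabled transition (resetting the clock),
    or let one time unit pass unless an enabled transition is urgent."""
    enabled = [t for t in machine if t.src == c.state and t.guard(c)]
    nxt = [Config(t.dst, 0) for t in enabled]
    if not any(t.urgent(c) for t in enabled):
        nxt.append(Config(c.state, c.clock + 1))
    return nxt

def runs(init: Config, machine: List[Transition], steps: int) -> List[Tuple[Config, ...]]:
    """All runs of exactly `steps` steps: a bounded version of 'the set of all runs'."""
    result = [(init,)]
    for _ in range(steps):
        result = [r + (s,) for r in result for s in successors(r[-1], machine)]
    return result

def holds_on_all_runs(prop: Callable[[Tuple[Config, ...]], bool],
                      init: Config, machine: List[Transition], steps: int) -> bool:
    """A property is established (for this bound) when it holds on every run."""
    return all(prop(r) for r in runs(init, machine, steps))

# Constructed machine: a request is answered within 2 time units. The answer
# transition becomes urgent when the clock reaches 2, so time cannot pass then.
ANSWER_URGENT = Transition("answering", "waiting",
                           guard=lambda c: c.clock <= 2, urgent=lambda c: c.clock == 2)
ANSWER_LAZY = Transition("answering", "waiting",
                         guard=lambda c: c.clock <= 2, urgent=lambda c: False)
REQUEST = Transition("waiting", "answering", guard=lambda c: True, urgent=lambda c: False)
MACHINE = [REQUEST, ANSWER_URGENT]      # with urgency predicate
NON_URGENT = [REQUEST, ANSWER_LAZY]     # same guards, no urgency
INITIAL = Config("waiting", 0)

def bounded_answer(run: Tuple[Config, ...]) -> bool:
    """Safety property: the object never sits in 'answering' for more than 2 time units."""
    return all(not (c.state == "answering" and c.clock > 2) for c in run)
```

Running `holds_on_all_runs(bounded_answer, INITIAL, MACHINE, 6)` succeeds only because of the urgency predicate; with `NON_URGENT` a run exists in which the clock keeps advancing in `answering` past the guard, and the property fails.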

4) TLPVS

TLPVS is a PVS implementation of a linear temporal logic verification system that has been further developed in Omega. The system includes a set of theories defining a temporal logic, a number of proof rules for proving soundness and response properties, and strategies that aid in conducting the proofs. In addition to implementing a framework for existing rules, we have derived new methods that are particularly useful in a deductive LTL system. Special attention has been paid to the verification of systems with an unbounded number of processes. TLPVS is available at http://www.wisdom.weizmann.ac.il/~verify/tlpvs/

5) Compositional verification

We have defined a general PVS framework to support compositional verification. The focus is on the level of components, concentrating on parallel composition and hiding. To be able to formalize intermediate stages during the top-down design of a system, we have constructed a framework where specifications and programming constructs can be mixed freely. Compositional proof rules for parallel composition and hiding have been formulated in PVS and the tool has also been used to prove the soundness of these rules.