JP2023157310A - Model checking device and model checking method - Google Patents

Abstract

To efficiently perform model checking of an information processing system achieved by linking multiple services.SOLUTION: A model checking device stores a component composition definition in which the specifications of an orchestrator that links services are prescribed in a predetermined prescribed format, post-synthesis verification properties prescribing the requirements for the orchestrator specifications in the predetermined prescribed format, and a formal specification prescribing the specifications of multiple services in the predetermined prescribed format. Based on the post-synthesis verification properties, a partial specification extraction criteria is generated, which is a standard for extracting partial specifications, which are formal specifications of services used for validating orchestrator specifications. Based on the partial specification extraction criteria, the partial specification of the service used to verify the component composition definition is extracted from the formal specification of the service. Based on the extracted partial specifications, a verification code as a code for verifying the component composition definition is generated. The component composition definition is verified by inputting the verification code to a model checking tool.SELECTED DRAWING: Figure 5

Description

The present invention relates to a model checking device and a model checking method.

Patent Document 1 describes a program verification generation device that verifies whether a component satisfies the required specifications of a program. The program verification generation device stores components that describe verification information and implementation for verifying operations, and program specifications that describe identification information about components necessary for a certain program and specifications that the program should satisfy. selects a component based on the identification information of the selected component, verifies whether the selected component satisfies the program specifications using the verification information of the selected component, and executes the program if the selected component is verified to satisfy the program specifications. A program is generated by combining the implementations of the selected components using the specifications.

Patent Document 2 describes a combination service inspection system that, when a new service model is developed by combining multiple developed service models, inspects whether the new service model is designed in accordance with required specifications. . Obtain an inspection code for inspecting a second service model from a database in which inspection codes for inspecting a plurality of developed first service models are recorded, and obtain and obtain inspection conditions for the second service model. The test condition is converted into a test condition code, and based on the obtained test code and test condition code, it is checked whether the second service model matches the test condition.

Patent Document 3 describes an inspection device for a design model that describes software processing functions based on a specification model that describes product specifications. In testing a specification model represented by transitions of multiple functional blocks, the inspection device verifies whether each of the multiple functional blocks satisfies its target value, and identifies functional blocks that have state transitions that do not satisfy the target value. If extracted, the target value is reset according to the state transition, and the target values of other functional blocks are reset according to the target values of the specification model. Further, the inspection device determines that the specification model satisfies the target value when other functional blocks satisfy the reset target value under a constraint that causes the extracted functional block to violate the target value.

Japanese Patent Application Publication No. 2004-326366 JP2009-98770A International Publication No. 2011/096037

In recent years, microservice architecture (hereinafter referred to as "MSA") has been attracting attention for the purpose of speeding up the development of information processing systems. In MSA, information processing systems are developed as a combination of fine-grained, independently deployable services. This limits the scope of impact during maintenance or specification changes, allowing for faster releases and modifications.

In the development of an information processing system using MSA, processing for requests from users and the like is realized as distributed processing by cooperation of a plurality of services. However, distributed processing needs to be designed in such a way that requirements such as data integrity are guaranteed in the event of a failure in individual services or communications, and compared to system development based on monolithic architecture (monolith). Therefore, the design difficulty is high.

As a technology that supports the design of distributed processing systems such as information processing systems using MSA, systems are expressed as formal specifications (hereinafter referred to as "formal specifications") from a specific viewpoint, and given requirements (hereinafter referred to as "formal specifications") are There is model checking, which is a technique for comprehensively verifying whether the above formal specifications satisfy the above-mentioned formal specifications.

When model checking is performed on an information processing system using MSA, first, the verification properties of the formal specifications of the service are verified for each service. Next, by composing the formal specifications of each service, a formal specification of an orchestrator that coordinates the services is generated, and verification properties specific to the orchestrator are verified based on the formal specification.

However, when performing verification using the above method, the formal specifications of components unrelated to the verification properties are included in the formal specifications of the orchestrator after synthesis, resulting in an enlarged search space during verification and an increase in verification time. There is a problem. In addition, if a service is updated frequently, if all formal specifications are simply synthesized each time there is an update, the synthesized formal specification will contain formal specifications that are unrelated to the orchestrator's verification properties. This results in unnecessary re-synthesis/re-verification.

The program verification generation device described in Patent Document 1 describes verification information and implementation for verifying operations in a component, selects a component based on identification information of a program specification, and uses the verification information of the selected component. Then, it is verified whether the verification information of the component satisfies the specifications of the program to be generated. However, this document does not describe a mechanism for suppressing expansion of the search space during verification or unnecessary resynthesis/re-verification.

Furthermore, the service inspection system described in Patent Document 2 acquires a test code for testing a second service model (a new service model) from a database in which test codes for a plurality of developed first service models are recorded. The test condition of the second service model is acquired and converted into a test condition code, and based on the test code and the test condition code, it is checked whether the second service model matches the test condition. However, this document does not describe a mechanism for suppressing enlargement of the search space during verification or unnecessary resynthesis/reverification due to the reasons described above.

Furthermore, in the inspection device described in Patent Document 3, when the extracted functional block satisfies the reset target value under a constraint that causes a violation of the target value, the specification model is set to the target value. It is determined that the following is satisfied. However, this document does not describe a mechanism for suppressing enlargement of the search space during verification or unnecessary re-synthesis/re-verification due to the above-mentioned reasons.

The present invention has been made in view of this background, and provides a model testing device and a model testing method that can efficiently perform model testing of an information processing system realized by cooperation of multiple services. The purpose is to provide.

One aspect of the present invention to achieve the above object is a model checking device that performs model checking on a model of an information processing system realized by cooperation of a plurality of services, the information processing device having a processor and a storage device. a component synthesis definition that describes the specifications of an orchestrator that coordinates the services in a predetermined description format; a post-synthesis verification property that describes the requirements for the specifications of the orchestrator in a predetermined description format; a formal specification in which specifications of each of a plurality of services are described in a predetermined description format, and a partial specification that is a formal specification of the service used to verify the specification of the orchestrator based on the post-synthesis verification property. Generate a partial specification extraction standard that is information that serves as a standard for extraction, extract the partial specification of the service used for verifying the component composition definition based on the partial specification extraction standard, and apply the partial specification to the extracted partial specification. A verification code, which is a code for verifying the component composition definition, is generated based on the verification code, and the verification code is input into a model checking tool to verify the component composition definition.

Other problems disclosed in the present application and methods for solving the problems will be made clear by the detailed description section and the drawings.

According to the present invention, model testing of an information processing system realized by cooperation of a plurality of services can be efficiently performed.

FIG. 2 is a diagram illustrating an example of model testing. FIG. 3 is a diagram illustrating an example of model checking of a model based on MSA. FIG. 2 is a diagram illustrating an example of model testing performed by a model testing device. FIG. 2 is a diagram illustrating an example of model testing performed by a model testing device. FIG. 2 is a diagram illustrating an example of model testing performed by a model testing device. FIG. 2 is a diagram showing an example of main functions included in the model checking device. It is a system flow diagram explaining an example of the function of a model checking device. 3 is a flowchart illustrating an example of model checking processing. 12 is a flowchart illustrating an example of a process for determining whether verification is necessary for updated components. This is an example of a past extraction partial specification. This is an example of a partial specification for synthesis. 12 is a flowchart illustrating an example of a partial specification extraction process for a component that has not been updated. 12 is a flowchart illustrating an example of a process for determining whether or not to perform other model testing. FIG. 7 is a diagram illustrating an example of a process for determining whether or not other model testing is necessary. This is an example of an information processing device used in the configuration of a model checking device.

Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings as appropriate. In the following description, various data may be explained using expressions such as "information" and "table," but various data may be expressed or managed using methods other than the illustrated data structure. Furthermore, in the following explanation, the letter "S" added in front of the reference numeral means a processing step.

Hereinafter, a model checking device 100 according to an embodiment of the present invention will be described. The model checking device 100 performs model checking on an information processing system (hereinafter referred to as a "model") derived from hardware and software design to check whether the requirements from users etc. are met. Verify whether or not.

Model checking is a technique for verifying whether a model satisfies requests from users and the like. In model checking, model design and requirements are described using a model description language, which is a language with strict mathematical meanings, and it is comprehensively verified whether the specifications of the target model satisfy the requirements.

Examples of tools for model checking (hereinafter referred to as "model checking tools") include "TLA+," which is used to verify the design of distributed processing systems such as the coordination of services (microservices) such as cloud environments. There is "SPIN (Simple Promela INterpreter)". Hereinafter, the specifications of a model written in a predetermined model description language will be referred to as "formal specifications", and the requirements for the model from users etc. described in predetermined verification formulas (logical formulas) will be referred to as "verification properties". .

FIG. 1 is a diagram illustrating model checking. As shown in the figure, in model checking, a model specification is expressed by a formal specification 32 written in a predetermined model description language, and whether a verification property 31 is satisfied in a state space 33 listing possible states of the formal specification 32? Comprehensively verify whether or not.

In model checking of a model using a microservice architecture (hereinafter referred to as "MSA"), first, the verification properties of the formal specifications of each independently developed service are individually verified. Next, the formal specifications of each service are synthesized based on the specifications of the orchestrator that links the services (hereinafter referred to as "component composition definition"), and a verification code (hereinafter referred to as "synthesized verification code"). ), and it is verified whether the synthesized verification code satisfies the verification properties (hereinafter referred to as "post-synthesis verification properties") regarding the specifications of the orchestrator.

FIG. 2 is an example of model checking using "TLA+" for a model based on MSA. In this example, the model (the business realized by the orchestrator) is an information processing system that performs "inter-account fund transfer." In addition, the post-synthesis verification property is ``eventually, the total balance of all accounts will match the total initial balance of the system (= no balance will be lost or increased during the transaction process)''. In addition, as shown in the figure as part composition definition, the example model has two parts called "Withdraw" and "Deposit".
Includes two services. In this example, the formal specifications of the service "Withdraw" and the formal specifications of the service "Deposit" are obtained, and a synthesized verification code is generated by synthesizing them.

In the example shown in Figure 2, the synthesized verification code is generated by simply combining the components of each service (including formal specifications (hereinafter referred to as "software components")), so the Software components (including formal specifications) that are unrelated to the verification properties are included in the synthesized verification code, and the verification target (hereinafter referred to as "search space") becomes enlarged. For example, if the model is "inter-account fund transfer" and the post-synthesis verification property is "balance does not become negative", then "recording transaction details" is unrelated to the above-mentioned post-synthesis verification property. , the search space becomes enlarged due to the variables used in the transaction details and the values (number of states) that the variables can take.

Furthermore, if a service is updated frequently, if all formal specifications are simply synthesized each time there is an update, the synthesized formal specification will contain formal specifications unrelated to the orchestrator's verification properties. Unnecessary resynthesis and reverification may occur. For example, if the model is "Inter-account fund transfer" and the post-synthesis verification property is "balance does not become negative", if "fee addition processing" is added, re-verification is required because account balance manipulation is involved. is necessary. However, for example, if "information to output details" is added and the "obtain past statements" process is updated, there is no need to resynthesize or reverify as it is not related to account balance operations, but even in that case, resynthesis or reverification is not necessary. Synthesis and re-verification will be performed.

Therefore, the model checking device 100 of this embodiment focuses on information on verification properties (variables and events of logical expressions) specific to formal verification among the post-synthesis verification properties, and extracts formal specification extraction criteria (hereinafter referred to as "partial (referred to as "specification extraction criteria"). Then, the model checking device 100 extracts the formal specifications (hereinafter referred to as
This is called a "partial specification." ) and synthesize the extracted partial specifications to generate a synthesized verification code, thereby reducing the size of the synthesized verification code and suppressing the enlargement of the search space.

An example is shown in FIG. In this example, the model checking device 100 generates a partial specification extraction criterion focusing on "variables: accounts, total" based on the post-synthesis verification property "EventuallyConsistentAccount == []<>(Sum(accounts) = total)". ing. In addition, the model checking device 100 extracts "Withdraw service" and "Deposit service" as partial specifications from the formal specifications of each service using the generated partial specification extraction criteria, and synthesizes them based on the component composition definition. Generates synthesized verification code.

Furthermore, when a service is updated, the model checking device 100 re-extracts the partial specifications of the updated service, compares the re-extracted partial specifications with previously extracted partial specifications, and determines if there is a difference between the two. By including only the relevant partial specifications in the synthesized verification code, unnecessary verification at the time of updating the service is suppressed.

Examples of this case are shown in FIGS. 4A and 4B. Figure 4A shows the updated service "Withdraw service specification ver. 2", the partial specification "Withdraw service ver. 1 partial specification" extracted in the past (before update), and the partial specification "Withdraw service ver. This is a case where there are no differences regarding "ver.2 partial specifications". In this case, the model checking device 100 does not include the partial specification "Withdraw service ver. 2 partial specification" extracted after the update in the synthesized verification code. On the other hand, FIG. 4B shows the updated service "Withdraw service specification ver. 2" with the partial specification "Withdraw service ver. 1 partial specification" extracted in the past (before update) and the partial specification extracted after the update " This is a case where there are differences regarding the "Withdraw Service ver.2 Partial Specifications". In this case, the model checking device 100 includes the partial specification "Withdraw service ver. 2 partial specification" extracted after the update in the synthesized verification code.

In addition, after re-extracting the partial specification at the time of service update, the model checking device 100 performs the following operations on other component composition definitions that refer to the partial specification before the update, if there is a difference between the partial specification before and after the update. Missing verification is prevented by notifying that a partial specification has been updated and that re-verification is required for the partial specification.

<Detailed configuration>
FIG. 5 shows a block diagram showing the main functions of the model checking device 100, and FIG. 6 shows a system flow diagram explaining the functions of the model checking device 100. As shown in these figures, the model checking device 100 includes a storage unit 110, an information acquisition management unit 130, an updated parts extraction unit 135, an unupdated parts extraction unit 140, a partial specification extraction standard generation unit 145, and an updated parts verification unit. It includes the following functions: a necessity determination section 150, a non-update component partial specification extraction section 155, a verification code generation section 160, a model test execution section 165, and an other model test execution necessity determination section 170.

Among the above functions, the storage unit 110 includes a component synthesis definition 111, a post-synthesis verification property 112, a software component group 113, an updated component group 114, a non-updated component group 115, a past extracted partial specification 118, a partial specification extraction standard 116, Each information (data) of the synthesis partial specification 117, the synthesized verification code 119, and the verification result 120 is stored.

Among these, the component composition definition 111 is the component composition definition described above, and includes a description of the formal specifications of an orchestrator that realizes business by coordinating services. The component synthesis definition 111 also specifies that software components that are independently developed for each service of a model that is a target of model checking (hereinafter referred to as "target model") have been updated after the previous model check. includes information indicating whether or not there is an update (hereinafter referred to as "update information"). The component composition definition 111 also includes component composition definitions of the target model and other models other than the target model.

The post-synthesis verification property 112 is the post-synthesis verification property described above, and includes a description of the verification property specific to the orchestrator.

The software component group 113 includes information regarding software components that realize services of the target model and models other than the target model (software entities (codes, etc.), service format specifications before and after software component updates, etc.). Information regarding software components in the software component group 113 is managed by being identified by a software component identifier (hereinafter referred to as "component ID").

The updated parts group 114 includes information about software components that have been extracted from the software parts group 113 by the updated parts extraction unit 135 and are updated after the previous model check.

The unupdated parts group 115 includes information about software parts that have not been updated after the previous model check, which is extracted from the unupdated parts extraction unit 140 from the software parts group 113.

The partial specification extraction criterion 116 is a formal specification (partial It includes criteria (extraction conditions; hereinafter referred to as "partial specification extraction criteria") used when extracting specifications).

The synthesis partial specification 117 is a partial specification (partial specification ( (hereinafter referred to as "synthesis partial specifications").

The past extracted partial specifications 118 include partial specifications (hereinafter referred to as "past extracted partial specifications") extracted in the past by the updated component verification necessity determination section 150 or the unupdated component partial specifications extraction section 155.

The synthesized verification code 119 includes a synthesized verification code generated by the verification code generation unit 160 based on the synthesis partial specification 117.

The verification result 120 includes information regarding the result of the model checking execution unit 165 verifying whether the synthesized verification code 119 satisfies the post-synthesis verification property 112 by model checking.

The information acquisition management unit 130 acquires various types of information (component synthesis definition 111, post-synthesis verification properties 112, software component group 113, etc.) necessary for model checking via a user interface, communication network, etc., and uses the acquired information to The information is managed in the storage unit 110.

The updated component extraction unit 135 identifies software components that have been updated after the previous model check based on the update presence information of the component synthesis definition 111, and extracts information (including format specifications) of the identified software components. It is extracted from the software component group 113. The extracted information is stored in the storage unit 110 as an updated parts group 114.

The unupdated component extraction unit 140 identifies software components that have not been updated since the previous model check based on the update presence information of the component synthesis definition 111, and extracts information (including format specifications) on the identified software components. is extracted from the software component group 113. The extracted information is stored in the storage unit 110 as an unupdated parts group 115.

The partial specification extraction criterion generation unit 145 generates partial specification extraction criteria based on the post-synthesis verification property 112. The generated partial specification extraction criteria are stored in the storage unit 110 as partial specification extraction criteria 116.

The updated component verification necessity determination unit 150 extracts the formal specification used for generating the synthesized verification code from the updated component group 114 as a partial specification based on the partial specification extraction criteria 116 . The extracted partial specifications are stored in the storage unit 110 as a synthesis partial specification 117 and a past extracted partial specification 118.

The unupdated component partial specification extraction unit 155 extracts the formal specification used for generating the synthesized verification code from the unupdated component group 115 as a partial specification based on the partial specification extraction criteria 116 . The extracted partial specifications are stored in the storage unit 110 as a synthesis partial specification 117 and a past extracted partial specification 118.

The verification code generation unit 160 refers to the component synthesis definition 111 and generates a synthesized verification code based on the synthesis partial specification 117. The generated synthesized verification code is stored in the storage unit 110 as a synthesized verification code 119.

The model checking execution unit 165 performs a model check on the target model by providing the synthesized verification code 119 to the model checking tool, and outputs the result as a verification result 120.

The other model test execution necessity determination unit 170 acquires the partial specification before update for the software component of the partial specification that the updated component verification necessity determination unit 150 has determined needs to be updated, and targets the acquired partial specification before update. Determine whether it is included in the component composition definition of a model other than the model. As a result of the determination, if the obtained partial specification before update is included in the component composition definition of another model, the other model checking execution necessity determination unit 170 determines that re-verification is necessary for the other model. Outputs the information shown.

FIG. 7 is a flowchart illustrating a process (hereinafter referred to as "model testing process S700") performed by the model testing apparatus 100 having the above configuration when testing a target model. The model checking process S700 will be described below with reference to the same figure. Note that at the start of the model checking process S700, the storage unit 110 stores information necessary for executing the model checking process S700 (component synthesis definition 111, post-synthesis verification property 122, software component group 113, etc.). shall be.

As shown in the figure, first, the updated component extraction unit 135 identifies software components that have been updated after the previous model check based on the update presence information of the component synthesis definition 111, and identifies the identified software components. information (including format specifications) is extracted from the software component group 113. The extracted information is stored in the storage unit 110 as the updated parts group 114 (S711).

Subsequently, the unupdated component extraction unit 140 identifies software components that have not been updated since the previous model check based on the update presence/absence information of the component synthesis definition 111, and extracts the information (format specification) of the identified software components. ) are extracted from the software component group 113. The extracted information is stored in the storage unit 110 as the unupdated parts group 115 (S712).

Subsequently, the partial specification extraction criteria generation unit 145 generates partial specification extraction criteria based on the post-synthesis verification property 112. The generated partial specification extraction criteria are stored in the storage unit 110 as the partial specification extraction criteria 116 (S713).

Next, the updated component verification necessity determination unit 150 extracts the partial specifications used for generating the synthesized verification code from the updated parts group 114 based on the partial specification extraction criteria 116 (hereinafter referred to as "updated parts"). (referred to as "Verification necessity determination process S714").

FIG. 8 is a flowchart illustrating the details of the updated component verification necessity determination process S714. The verification necessity determination process S714 for updated components will be described below with reference to FIG.

First, the updated component verification necessity determining unit 150 selects one software component from the updated component group 114 (S811).

Subsequently, the updated component verification necessity determining unit 150 extracts partial specifications from the selected software component based on the partial specification extraction criteria 116 (S812).

Next, the updated component verification necessity determination unit 150 extracts past data that matches the selected software component with the component ID (component ID 1181 described later) and partial specification extraction criteria (partial specification extraction criterion 1182 described later). It is determined whether it exists in the partial specification 118 (S813).

FIG. 9 shows an example of the past extraction partial specification 118. As shown in the figure, the illustrated past extracted partial specification 118 is composed of one or more records having each item of a part ID 1181, a partial specification extraction criterion 1182, and a partial specification 1183. One record of the past extracted partial specifications 118 corresponds to one partial specification. Among the above items, the component ID 1181 stores a software component identifier (hereinafter referred to as "component ID"). The partial specification extraction standard 1182 stores the partial specification extraction standard used to extract the partial specification. The partial specification 1183 stores the contents of the partial specification.

Returning to FIG. 8, if data whose component ID and partial specification extraction criteria match the selected software component exists in the past extracted partial specifications 118 (S813: YES), the process advances to S814. On the other hand, if there is no data in the past extracted partial specifications 118 whose component ID and partial specification extraction criteria match those of the currently selected software component (S813: NO), the process proceeds to S816.

In S814, the updated component verification necessity determining unit 150 determines whether there is a difference between the partial specification extracted in S812 and the partial specification of the past extracted partial specification 118 that matched in S813. If there is no difference (S814: NO), the process advances to S815. On the other hand, if there is a difference (S814: YES), the process advances to S816.

In S815, the update component verification necessity determination unit 150 stores the partial specification extracted in S812 in the synthesis partial specification 117 as "no verification required." After that, the process advances to S817.

FIG. 10 shows an example of the synthesis partial specification 117. As shown in the figure, the illustrated partial specification for synthesis 117 is composed of one or more records having each item of a component synthesis definition 1171, a partial specification 1172, and a verification necessity 1173. One record of the synthesis partial specification 117 corresponds to one partial specification.

Among the above items, the component composition definition 1171 stores an identifier (service name, etc.) of the component composition definition. A partial specification is stored in the partial specification 1172. The verification necessity 1173 stores information indicating whether verification of the partial specification is necessary (“verification required” or “verification not required”).

Returning to FIG. 8, in S816, the updated component verification necessity determining unit 150 stores the partial specification extracted in S812 in the synthesis partial specification 117 as “verification required”. In addition, the updated component verification necessity determining unit 150 newly stores the partial specification in the past extracted partial specification 118. After that, the process advances to S817.

In S817, the updated component verification necessity determination unit 150 determines whether all software components of the updated component group 114 have been selected in S811. If the updated component verification necessity determining unit 150 determines that all software components have not been selected (S817: NO), the process returns to S811. On the other hand, if the update component verification necessity determination unit 150 determines that all software components have been selected (S817: YES), the update component verification necessity determination process S714 ends and the process of FIG. Proceed to S715.

Returning to FIG. 7, in S715, the model checking device 100 determines whether there is a record in which “verification required” is stored in the verification necessity 1173 of the synthesis partial specification 117. If there is a record in which “verification required” is stored in the verification necessity 1173 of the synthesis partial specification 117 (S715: YES), the model checking device 100 performs a process ( Hereinafter, it will be referred to as "partial specification extraction process S716 for non-updated parts"). On the other hand, if there is no record in which “verification required” is stored in the verification necessity 1173 of the synthesis partial specification 117 (S715: NO), the model checking process S700 ends.

FIG. 11 is a flowchart illustrating details of the partial specification extraction process S716 for parts that will not be updated. Hereinafter, the partial specification extraction process S716 for parts that will not be updated will be explained with reference to the same figure.

First, the non-updated component partial specification extraction unit 155 selects one software component from the non-updated component group 115 (S1111).

Subsequently, the non-updated component partial specification extraction unit 155 determines whether data whose component ID and partial specification extraction criteria match those of the currently selected software component exists in the past extracted partial specifications 118 (S1112). If the non-updated component partial specification extraction unit 155 determines that data whose component ID and partial specification extraction criteria match those of the currently selected software component exists in the past extracted partial specifications 118 (S1112: YES), the process proceeds to S1113. . On the other hand, if the non-updated component partial specification extraction unit 155 determines that there is no data in the past extracted partial specifications 118 that matches the currently selected software component and the component ID and partial specification extraction criteria 116 (S1112: NO), process The process advances to S1114.

In S1113, the non-updated component partial specification extraction unit 155 stores the partial specification of the data of the past extracted partial specification 118 that matched in S1112 in the synthesis partial specification 117 as "no verification required." After that, the process advances to S1116.

In S1114, the unupdated component partial specification extraction unit 155 extracts partial specifications from the software component selected in S1111 based on the partial specification extraction criteria 116.

Subsequently, the unupdated component partial specification extraction unit 155 stores the partial specification of the selected software component extracted in S1114 in the synthesis partial specification 117 as "Verification Required". Further, the non-updated component partial specification extraction unit 155 newly stores the partial specification in the past extracted partial specification 118 (S1115). After that, the process advances to S1116.

In S1116, the non-updated component partial specification extraction unit 155 determines whether all software components of the non-updated component group 115 have been selected in S1111. If the updated component verification necessity determining unit 150 determines that not all software components have been selected (S1116: NO), the process returns to S1111. On the other hand, if the update component verification necessity determination unit 150 determines that all software components have been selected (S1116: YES), the partial specification extraction process S716 for the non-update component ends, and the process in S717 in FIG. Proceed to.

Returning to FIG. 7, next, the verification code generation unit 160 generates the synthesized verification code 119 based on the synthesis partial specification 117 with reference to the component synthesis definition 111 (S717). The verification code generation unit 160 generates the synthesized verification code 119 so that all the partial specifications stored in the synthesis partial specification 117 are subject to model checking by the model checking tool. That is, if there is even one partial specification in which “verification required” is stored in the verification necessity 1173 of the partial specification for synthesis 117 (S715: YES), the verification code generation unit 160 generates the partial specification for synthesis 117. The synthesized verification code 119 is generated so that all the partial specifications (regardless of the contents of the verification necessity 1173) stored in the database are subjected to model checking by the model checking tool (S717).

Next, the model checking execution unit 165 performs a model check on the target model by inputting the synthesized verification code 119 into the model checking tool, and outputs the result as the verification result 120 (S718). Note that the contents of the verification result 120 are provided to the user via, for example, a user interface.

Subsequently, the other model test execution necessity determination unit 170 executes a process (hereinafter referred to as "other model test execution necessity determination process S719") for determining whether re-verification is necessary for other models. .

FIG. 12 is a flowchart illustrating details of the other model test execution necessity determination process S719. Further, FIG. 13 is a diagram illustrating an example of the other model test execution necessity determination process S719. The other model test execution necessity determination process S719 will be described below with reference to these figures.

First, the other model test execution necessity determination unit 170 extracts from the synthesis partial specification 117 the partial specification that the updated component verification necessity determination unit 150 has determined as “verification required” (the verification necessity 1173 indicates “verification required”). One of the stored partial specifications is selected (S1211 in FIG. 12).

Next, the other model test execution necessity determination unit 170 obtains the partial specification before update from the past extracted partial specification 118 for the software component of the currently selected partial specification (S1212 in FIG. 12, S1311 in FIG. 13).

Next, the other model inspection execution necessity determining unit 170 refers to the component composition definition 111 and determines whether the obtained partial specification before update is included in the component composition definition of a model other than the target model. (S1213 in FIG. 12, S1312 in FIG. 13). If the acquired partial specification before update is not included in the component composition definition of a model other than the target model (S1213: NO in FIG. 12), the process advances to S1215. On the other hand, if the acquired partial specification before update is included in the component composition definition of a model other than the target model (S1213: YES in FIG. 12), the other model check execution necessity determination unit 170 Information indicating that the model requires re-verification is output (for example, presented to the user via the user interface) (S1214 in FIG. 12, S1313 in FIG. 13).

In S1215, the other model checking execution necessity determining unit 170 determines whether all partial specifications for which verification is required have been selected from the synthesis partial specifications 117. If the other model test execution necessity determining unit 170 determines that there is an unselected partial specification from the synthesis partial specifications 117 (S1215: NO), the process returns to S1211. On the other hand, if the other model checking execution necessity determining unit 170 determines that all partial specifications for which verification is required have been selected from the synthesis partial specifications 117 (S1215: YES), the process returns to FIG. , the model checking process S700 ends.

As explained above, the model checking device 100 of this embodiment focuses on the information on the verification properties (variables and events of logical formulas) specific to formal verification among the post-synthesis verification properties, and determines the partial specification extraction criteria. A partial specification, which is a formal specification used for verification after synthesis, is extracted from the formal specification of each service based on the partial specification extraction criteria, and the extracted partial specifications are synthesized to generate a synthesized verification code. Therefore, it is possible to reduce the size of the synthesized verification code and prevent the search space from becoming enlarged.

Furthermore, when a service is updated, the model checking device 100 re-extracts the partial specifications of the updated service, compares the re-extracted partial specifications with previously extracted partial specifications, and determines if there is a difference between the two. Only generates and verifies synthesized verification code. Specifically, if the partial specification that matches the updated partial specification of the updated service (updated part) does not exist in the past extracted partial specifications (S816 in FIG. 8), the model checking device 100 Alternatively, if the partial specification of a service that is not subject to update (part without update) does not exist in the past extracted partial specifications (S1115 in FIG. 11), that is, the partial specification is marked as "verification required" in the synthesis partial specification. If even one exists (S715: YES), a synthesized verification code is generated (S717), and the component synthesis definition is verified (S718). On the other hand, the model checking device 100 determines that there is a partial specification in the past extracted partial specifications that matches the updated partial specification of the service targeted for update (updated part) (S815 in FIG. 8), and If there is a partial specification of a software component that is not the target (part without update) in the past extracted partial specifications (S1113 in Figure 11), that is, there is no partial specification that is "required verification" in the partial specification for synthesis. If it does not exist (S715: NO), the synthesized verification code is not generated and the component synthesis definition is not verified. Therefore, when updating a service, if there is no partial specification that is "required verification" in the synthesis partial specifications, it is possible to prevent unnecessary resynthesis and reverification. I can do it.

In addition, after re-extracting the partial specifications at the time of service update, the model checking device 100 detects that if there is a difference between the partial specifications before and after the update, that is, there is one partial specification that is deemed to be “verification required” in the synthesis partial specifications. However, if it exists (S715: YES), other component composition definitions that refer to the partial specification before update will be notified that the partial specification has been updated and that re-verification is required for the partial specification. (S719), it is possible to reliably prevent verification omissions.

In this way, according to the model checking device 100 of this embodiment, model checking of an information processing system realized by cooperation of a plurality of services can be efficiently performed.

FIG. 14 shows a configuration example of an information processing device that constitutes the model checking device 100. The illustrated information processing device 10 includes a processor 11 , a main storage device 12 , an auxiliary storage device 13 , an input device 14 , an output device 15 , and a communication device 16 . Note that the illustrated information processing apparatus 10 is based on virtual information provided using virtualization technology, process space separation technology, etc., such as a virtual server provided by a cloud system, in whole or in part. It may also be realized using processing resources. Further, all or part of the functions provided by the information processing device 10 may be realized by, for example, a service provided by a cloud system via an API (Application Program Interface) or the like. Furthermore, the model checking device 100 may be configured using a plurality of information processing devices 10 that are communicably connected.

In the figure, the processor 11 includes, for example, a CPU (Central Processing Unit), an M
PU (Micro Processing Unit), GPU (Graphics Processing Unit), FPGA (Field Programmable Gate Array), ASIC (Application Specific Integrated Circuit)
), AI (Artificial Intelligence) chips, etc.

The main storage device 12 is a device that stores programs and data, and is, for example, a ROM (Read
RAM (Random Access Memory), nonvolatile memory (NVRAM (Non Volatile RAM)), etc.

The auxiliary storage device 13 is, for example, an SSD (Solid State Drive), a hard disk drive, an optical storage device (CD (Compact Disc), DVD (Digital Versatile Disc), etc.), a storage system, an IC card, an SD card, or an optical recording device. These are a reading/writing device for a recording medium such as a medium, a storage area of a cloud server, etc. Programs and data can be read into the auxiliary storage device 13 via a recording medium reading device or a communication device 16. Programs and data stored in the auxiliary storage device 13 are read into the main storage device 12 at any time.

The input device 14 is an interface that accepts input from the outside, and includes, for example, a keyboard, a mouse, a touch panel, a card reader, a pen-input tablet, a voice input device, and the like.

The output device 15 is an interface that outputs various information such as processing progress and processing results. The output device 15 is, for example, a display device that visualizes the above various information (liquid crystal monitor, LCD (Liquid Crystal Display), graphic card, etc.), a device that converts the above various information into audio (sound output device (speaker, etc.)) , a device (printing device, etc.) that converts the above various information into characters. Note that, for example, a configuration may be adopted in which the information processing device 10 inputs and outputs information to and from other devices via the communication device 16.

The input device 14 and the output device 15 constitute a user interface that receives information from and presents information to the user.

The communication device 16 is a device that realizes communication with other devices. The communication device 16 is a wired or wireless communication interface that realizes communication with other devices via a communication medium such as a communication network, and includes, for example, an NIC (Network Interface Card), a wireless communication module, Such as a USB module.

For example, an operating system, a file system, a DBMS (DataBase Management System) (relational database, NoSQL, etc.), a KVS (Key-Value Store), etc. may be installed in the information processing device 10.

Each function provided in the model checking device 100 is executed by the processor 11 reading and executing a program stored in the main storage device 12, or by the hardware (FPGA, ASIC, AI chip, etc.) that constitutes the model checking device 100. etc.). The model checking device 100 stores the various types of information (data) described above, for example, as tables in a database or files managed by a file system.

Although one embodiment of the present invention has been described above, it goes without saying that the present invention is not limited to the above-described embodiment and can be modified in various ways without departing from the gist thereof. For example, the above embodiments have been described in detail to explain the present invention in an easy-to-understand manner, and the present invention is not necessarily limited to having all the configurations described. Furthermore, it is possible to add, delete, or replace some of the configurations of the above embodiments with other configurations.

For example, the information extracted or generated in each step of the model checking process S700 shown in FIG. parts group, partial specification extraction criteria, partial specifications for synthesis, past extracted partial specifications, synthesized verification code, verification results, etc.) are presented on the user interface, allowing the user to visually understand the process of model checking processing S700. You can do it like this. Further, in each step, editing of the above various information may be accepted from the user via the user interface.

Further, each of the above-mentioned configurations, functional units, processing units, processing means, etc. may be partially or entirely realized by hardware, for example, by designing an integrated circuit. Furthermore, each of the above configurations, functions, etc. may be realized by software by a processor interpreting and executing a program for realizing each function. Information such as programs, tables, files, etc. that realize each function is stored in memory, hard disks, storage devices such as SSDs (Solid State Drives), and I/O.
It can be placed on a recording medium such as a C card, an SD card, or a DVD.

Furthermore, the arrangement of the various functional units, various processing units, and various databases of each information processing device described above is only an example. The layout of the various functional units, the various processing units, and the various databases can be changed to an optimal layout from the viewpoint of the performance, processing efficiency, communication efficiency, etc. of the hardware and software included in these devices.

Furthermore, the configuration of the database (schema, etc.) that stores the various data described above can be flexibly changed from the viewpoints of efficient resource utilization, improvement in processing efficiency, improvement in access efficiency, improvement in search efficiency, etc.

100 Model checking device, 110 Storage unit, 111 Parts synthesis definition, 112 Post-synthesis verification properties, 113 Software parts group, 114 Parts group with updates, 115 Parts group without updates, 116 Partial specification extraction criteria, 117 Partial specifications for synthesis, 118 Past extracted partial specifications, 119 Synthesized verification code, 120 Verification results, 130 Information acquisition management section, 135 Updated parts extraction section, 140 No-updated parts extraction section, 145 Partial specification extraction standard generation section, 150 Updated parts verification required Rejection determination unit, 155 Unupdated component partial specification extraction unit, 160 Verification code generation unit, 165 Model check execution unit, 170 Other model check execution necessity determination unit

Claims (10)

A model checking device that performs model checking on an information processing system realized by cooperation of multiple services,
Constructed using an information processing device having a processor and a storage device,
a component composition definition that describes the specifications of an orchestrator that coordinates the services in a predetermined description format;
post-synthesis verification properties that describe requirements for the specifications of the orchestrator in a predetermined description format;
a format specification that describes the specifications of each of the plurality of services in a predetermined description format;
remember,
Based on the post-synthesis verification property, generate partial specification extraction criteria that is information serving as a reference for extracting a partial specification that is a formal specification of the service used to verify the specification of the orchestrator;
extracting the partial specification of the service used for verification of the component composition definition from the formal specification of the service based on the partial specification extraction criteria;
Generating a verification code that is a code for verifying the component composition definition based on the extracted partial specification,
verifying the component composition definition by inputting the verification code into a model checking tool;
Model checking equipment. The model checking device according to claim 1,
generating the partial specification extraction criteria based on variables or events used in the description of logic in the post-synthesis verification property;
Model checking equipment. The model checking device according to claim 1,
storing the partial specifications extracted in the past from the formal specifications of the service based on the partial specification extraction criteria as past extracted partial specifications;
When the service is updated, based on the partial specification extraction criteria, the updated partial specifications of the service that was the target of the update and the partial specifications of the service that was not the target of the update are extracted. extract,
If the partial specification that matches the updated partial specification of the service that is the target of the update does not exist in the past extracted partial specifications, or the partial specification of the service that is not the target of the update is If it does not exist in the past extracted partial specifications, generate the verification code and perform the verification of the component synthesis definition;
The partial specification that matches the updated partial specification of the service that is the target of the update is present in the past extracted partial specifications, and the partial specification of the service that is not the target of the update is the If it exists in the past extracted partial specifications, the verification code is not generated and the verification of the component composition definition is not performed;
Model checking equipment. The model checking device according to claim 3,
a plurality of component composition definitions in which the orchestrator is different;
the partial specifications extracted for the plurality of component composition definitions based on the partial specification extraction criteria;
remember,
If the partial specification that matches the updated partial specification of the service that is the target of the update does not exist in the past extracted partial specifications, or the partial specification of the service that is not the target of the update is If it does not exist in the past extracted partial specifications, extracting another component composition definition that includes the partial specifications before the update;
outputting information indicating that re-verification is required for the extracted other component composition definition;
Model checking equipment. The model checking device according to claim 1,
The information processing system is configured by a micro service architecture (MSA), and the service is a micro service.
Model checking equipment. The model checking device according to claim 1,
each of the model to be inspected, the formal specification of the service, the component composition definition, the post-synthesis verification property, the partial specification extraction criteria, the partial specification, the verification code, and the verification result of the component composition definition; providing a user interface that presents at least one of the information to the user or accepts editing of the information;
Model checking equipment. A model checking device configured using an information processing device having a processor and a storage device that performs model checking on an information processing system realized by cooperation of multiple services,
a component composition definition that describes the specifications of an orchestrator that coordinates the services in a predetermined description format;
post-synthesis verification properties that describe requirements for the specifications of the orchestrator in a predetermined description format;
a format specification that describes the specifications of each of the plurality of services in a predetermined description format;
step of memorizing,
Based on the post-synthesis verification property, generating partial specification extraction criteria that is information serving as a reference for extracting a partial specification that is a formal specification of the service used to verify the specification of the orchestrator;
extracting the partial specification of the service to be used for verifying the component composition definition from the formal specification of the service based on the partial specification extraction criteria;
generating a verification code that is a code for verifying the component composition definition based on the extracted partial specification; and
verifying the component composition definition by inputting the verification code into a model verification tool;
A model checking method that performs 8. The model checking method according to claim 7,
a step in which the model checking device generates the partial specification extraction criteria based on variables or events used in the description of logic in the post-synthesis verification property;
A model checking method that further executes . 8. The model checking method according to claim 7,
The model checking device includes:
storing the partial specifications extracted in the past from the formal specifications of the service based on the partial specification extraction criteria as past extracted partial specifications;
When the service is updated, based on the partial specification extraction criteria, the updated partial specifications of the service that was the target of the update and the partial specifications of the service that was not the target of the update are extracted. step of extracting,
If the partial specification that matches the updated partial specification of the service that is the target of the update does not exist in the past extracted partial specifications, or the partial specification of the service that is not the target of the update is If it does not exist in the past extracted partial specifications, generating the verification code and performing the verification of the component synthesis definition;
The partial specification that matches the updated partial specification of the service that is the target of the update is present in the past extracted partial specifications, and the partial specification of the service that is not the target of the update is the If it exists in the past extracted partial specifications, not generating the verification code and not performing the verification of the component synthesis definition;
A model checking method that further executes . The model checking method according to claim 9,
The model checking device includes:
a plurality of component composition definitions in which the orchestrator is different;
the partial specifications extracted for the plurality of component composition definitions based on the partial specification extraction criteria;
step of memorizing,
If the partial specification that matches the updated partial specification of the service that is the target of the update does not exist in the past extracted partial specifications, or the partial specification of the service that is not the target of the update is extracting another component composition definition including the partial specification before the update if it does not exist in the past extracted partial specification; and
outputting information indicating that re-verification is required for the extracted other component composition definition;
A model checking method that further executes .

Images