CN103646194A - Credible sorting method of synchronous data flow procedures based on formal verification - Google Patents

Credible sorting method of synchronous data flow procedures based on formal verification Download PDF

Info

Publication number
CN103646194A
CN103646194A CN201310631729.4A CN201310631729A CN103646194A CN 103646194 A CN103646194 A CN 103646194A CN 201310631729 A CN201310631729 A CN 201310631729A CN 103646194 A CN103646194 A CN 103646194A
Authority
CN
China
Prior art keywords
program
lustre
node
topological sorting
sorting
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201310631729.4A
Other languages
Chinese (zh)
Other versions
CN103646194B (en
Inventor
张雁
杨晨
任保华
张智慧
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China General Nuclear Power Corp
China Techenergy Co Ltd
Original Assignee
China General Nuclear Power Corp
China Techenergy Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China General Nuclear Power Corp, China Techenergy Co Ltd filed Critical China General Nuclear Power Corp
Priority to CN201310631729.4A priority Critical patent/CN103646194B/en
Publication of CN103646194A publication Critical patent/CN103646194A/en
Application granted granted Critical
Publication of CN103646194B publication Critical patent/CN103646194B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/36Preventing errors by testing or debugging software
    • G06F11/3604Software analysis for verifying properties of programs
    • G06F11/3608Software analysis for verifying properties of programs using formal methods, e.g. model checking, abstract interpretation

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • Quality & Reliability (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Stored Programmes (AREA)

Abstract

The invention discloses a credible sorting method of synchronous data flow procedures based on formal verification. The credible sorting method comprises a Lustre parallel program and a serial C program obtained after sorting of the Lustre parallel program. For any two Lustre programs meeting the requirement for topological sorting, execution semantic equivalence of a Lustre program before topological sorting and a Lustre program after topological sorting is proved, and a C program after sorting and the Lustre program before sorting are equivalent in semantic execution. The credible sorting method of synchronous data flow procedures based on formal verification is developed and achieved based on a formalized language and with a 'vertex topological sorting algorithm with the in-degree as zero' as the theoretical basis. By means of the provement that any two programs meeting the topological sorting property are equivalent in serial semantic execution, during formal verification, all the situations in the process that a parallel language is converted into a serial language, each situation is proved, the program after sorting meets the topological sorting property, so that correctness of a scheme is ensured, and safety and reliability of a whole software system are improved.

Description

A kind of credible sort method of the synchrodata string routine based on Formal Verification
Technical field
The present invention relates to computer safety field, be specifically related to for the security of compiler and utilize the credible sort method of the synchrodata string routine of Formal Verification.
Background technology
Along with computer technology, be applied to more and more the Safety-Critical Systems (SCS, Safety-Critical System) such as Aero-Space, nuclear power, high-speed railway, also more and more higher to the security requirement of kernel software in its system.A bit mistake in Safety-Critical System all may cause huge disaster, how for a basic secured software environment of Safety-Critical System structure is the matter of utmost importance that need to face, especially to basic kernel softwares such as operating system, compilers.
The credibility of compiler is subject to the attention of academia and industry member very early, from the initiative work of McCarthy and Painter, how to improve the focus that compiler correctness and reliability are computer science research fields always; But unanimously make slow progress, limited in the application of industry member.What have breakthrough most is the Compcert compiler of the people such as Xavier Leroy based on the research and development of Coq lemma proof instrument, it is that a complete type of service method has proved the behavior of executable code of generation and the C compiler that the semanteme of source program keeps completely, has obtained the extensive approval of industry.
China's rapid economic development, grows to even greater heights to the needs of the energy, especially the demand to new forms of energy.Therefore nuclear power station will welcome fast development in China.Lustre is a kind of synchronous data flow language, is mainly used in the industrial automation of nuclear power, the contour credible requirement of Aero-Space.
Lustre program need to be converted to the language under respective environment, as Lustre is converted to C code.This conversion is compiled into C code with internationally famous instrument SCADE by Lustre at present mostly.Scade is so far the most ripe Lustre compiler, and the safe level that it has passed through a plurality of industrial standards authenticates, and its code generator KCG has obtained civil aviation software production permit.When causality analysis, it only checks in static semantic aspect, by modularization and independent compilation and more define the problem that dependence solves causality analysis rigorously.It forbids that the input dependence of node is in the output of node, thereby each node can be compiled separately.Although SCADE instrument is by the authentication of a plurality of safe level industrial standards, it is to guarantee its security by large scale test, does not pass through strict Formal Verification.Because test cannot be accomplished to cover completely, therefore hiding mistake compile error is difficult to be found in the compiler of invalidated.On the other hand, SCADE is the software product that commercial company releases, and correlation technique details is not open, is difficult to recognize for promoting the reliability of software which is doing skilled work aspect with credible.
This external checking aspect to compiler, also has the following mode at present: the subset Clight that CompCert project has realized C is to the translation process of compilation, and proves that with interactive theorem prover each step carries out equivalence in corresponding semanteme.Compare common verification technique, Formal Verification can carry out abstract and proof to the logic of software in the aspect of mathematics, therefore possesses higher security, although Compcert project utilizes formal Verification Techniques to verify parton module, but its realization is the conversion that serial language (C language) arrives serial language (assembly language), and be not suitable for parallel language (Lustre language) to the conversion of serial language (C language).Mike Gemunde etc. carries out causality analysis by the mode of pattern checking to Lustre program.He has set up a formal causality analysis definition and can guard the cause and effect circulation in check system promptly.The mode of pattern checking still has limitation with respect to the Formal Verification based on semantic.The method of the use Formal Verifications such as A.Bertails has completed the checking to the type checking of Lustre program and clock calculation, prepares to start causality analysis work and follow-up translation, does not up to the present also complete.Although they prepare to carry out causality analysis by the mode of Formal Verification, checking still rests on syntactic level, in the aspect of semantic execution, do not verify, and follow-up translation to C does not yet complete.
For effectively improving the reliability of compiler, in system, the reliability of each link can not be ignored, and the program of synchronous data flow language is converted to the important component part that serial C programmer is L2C compiler.This function is in order to guarantee that the function that two programs are carried out is identical, to guarantee the correct logic of program.
Summary of the invention
For solve in prior art when Lustre program is converted to C programmer cannot the security of certifying compilation device problem, the invention provides a kind of credible sort method of synchrodata string routine of Formal Verification.Concrete scheme is as follows: a kind of credible sort method of the synchrodata string routine based on Formal Verification, and comprise Lustre concurrent program and by the serial c program obtaining after the sequence of Lustre concurrent program, it is characterized in that, comprise the steps:
Step 1, utilize morphology grammatical analysis instrument to analyze source Lustre program, obtain the abstract syntax tree of this Lustre program, the verification tool Coq of utilization based on formalization method carries out type analysis and static semantic inspection to gained abstract syntax tree, obtains meeting the abstract syntax tree Lustre-W of well-typed condition;
Step 2, the clock period of all variablees in Lustre-W is normalized, makes the clock period of all variablees be unified in normal period;
Step 3, the Lustre-W after normalization is carried out generating serial c program after causality analysis and topological sorting, translation;
Step 4, to any two the Lustre programs that meet topological sorting, prove that Lustre program before its topological sorting and the Lustre program after topological sorting carry out semantic equivalence, proof procedure is as follows:
(1) in model Lustre concurrent program, store the global context of node title and the local environment of variable in each node function performance period of storage, the title of simultaneously guaranteeing node in global context do not repeat with local environment in equation lvalue ID for empty;
(2) set up a proving program C identical and identical with the local environment of proving program B with the global context of proving program A;
(3) utilize in proving program A and proving program C node name mode one to one, can obtain the result that both carry out rear semantic equivalence;
(4) take proving program C as basis, only there to be the diacritical mode refinement of a step to go out middle proving program C1, C2, C3 ... Cn, wherein proving program Cn and proving program B only have a step difference, after contrasting two programs and carrying out, the value of its local environments can obtain both semantic execution result whether of equal value, more counter pushing away until be verified semantic execution conclusion whether of equal value between program C and proving program B successively;
(5), in conjunction with the result of (3) and (4), obtain Lustre program before topological sorting and the conclusion of the execution of the Lustre program after topological sorting semantic equivalence;
Step 5, to obtain Lustre program and its c program generating thus after causality analysis and topological sorting be semantically proof of equal value carrying out.
Preferred: in the Coq of step 1 static semantic checks, by analyzing in node list not Existence dependency ring, can prove that node list is same arrangement mutually before and after topological sorting, its proof procedure comprises the steps:
(1) in the Lustre program before and after first proved topological sorting, the node name of " in-degree is zero " is all same arrangement;
(2) then prove that the node name in the Lustre program before and after topological sorting with dependence is all same arrangement;
(3) finally prove before the global context of the node list after above-mentioned two kinds of structures are merged together and local environment and topological sorting it is an arrangement mutually.
Preferred: the normalized in described step 2 refers to, by the clock period of all different lengths, by the wherein the fastest clock period, is that unit splits, and then presses in line period and divides all variablees.
Preferred: in (4) of described step 4, described proving program Cn and proving program B only have a step difference to comprise Four types:
(1) this distinctive points is main node;
(2) this distinctive points is not main node;
(3) when distinctive points is main node, two main node of execution are unequal, i.e. the equation list of two host nodes is mutually a sequence, but other information are identical;
(4) when distinctive points is main node, two the residing host node of main node positions are different, and the global context of two host nodes is also different;
For above-mentioned difference, again to its abbreviation, make final distinctive points unification be: two equatioies that do not rely on mutually under different main node.
Preferred: in two ind equatioies according to wherein whether having call expression formula, the three kinds of situations below that are divided into prove respectively:
In (1) two equation, all there is no call expression formula;
In (2) two equatioies, there is one to have call expression formula;
(3) two equatioies have call expression formula.
The present invention take " in-degree be zero summit topological sorting algorithm " be theoretical foundation, based on Formal Languages, develop realization, finally by the method for Formal Verification, system model is verified.Formal Verification can carry out abstract and proof to the logic of software in the aspect of mathematics, therefore possesses higher security.It is proof of equal value that the present invention carries out in serial semantics by the program that meets topological sorting character to any two, when Formal Verification, considered that parallel language is changing into all situations in serial language process, and respectively every kind of situation is all proved, program after being sorted meets the character of topological sorting, thereby the correctness of assured plan, improves the safety and reliability of whole software systems.
Accompanying drawing explanation
Fig. 1 course of work schematic diagram of the present invention;
Fig. 2 proof procedure process flow diagram of the present invention;
Environmental structure schematic diagram in Fig. 3 the present invention;
Dependence schematic diagram between equation in Fig. 4 the present invention;
The schematic diagram of element and set in Fig. 5 the present invention;
The abbreviation schematic diagram of element and set in Fig. 6 the present invention;
Another abbreviation schematic diagram of element and set in Fig. 7 the present invention;
Another abbreviation schematic diagram of element and set in Fig. 8 the present invention;
Another abbreviation schematic diagram of element and set in Fig. 9 the present invention;
Another abbreviation schematic diagram of element and set in Figure 10 the present invention;
Another abbreviation schematic diagram of element and set in Figure 11 the present invention;
Proof schematic diagram is decomposed in Figure 12 topological sorting of the present invention;
Another schematic diagram of proof is decomposed in Figure 13 topological sorting of the present invention;
Another schematic diagram of proof is decomposed in Figure 14 topological sorting of the present invention;
Another schematic diagram of proof is decomposed in Figure 15 topological sorting of the present invention;
Another schematic diagram of proof is decomposed in Figure 16 topological sorting of the present invention.
Embodiment
Because Lustre is synchronous data flow language, to calculate in the unlimited cycle, there is clock calculation complicated and changeable and the tense computing of calculating historical flow data, its program and c program difference are too large, directly translated C, transfer process is very complicated, checking is got up also can be very difficult, the present invention is divided into multistep by whole transfer process and carries out, each step is only done the abbreviation of a type, and the result of its abbreviation is referred to as to intermediate language, keep separate between every step, be convenient to collaborative development and raise the efficiency, also simplified the difficulty of Formal Verification simultaneously.
As shown in Figure 1,101, the credible sort method of the synchrodata string routine based on Formal Verification of the present invention, comprise Lustre concurrent program and by the serial c program obtaining after the sequence of Lustre concurrent program;
As shown in Figure 2,102, utilize morphology grammatical analysis instrument to analyze source Lustre program, obtain the abstract syntax tree of this Lustre program, the verification tool Coq of utilization based on formalization method carries out type analysis and static semantic inspection to gained abstract syntax tree, obtains meeting the abstract syntax tree Lustre-W of well-typed condition;
Morphology grammatical analysis for Lustre language in the present invention adopts morphology grammatical analysis instrument Flex and the Bison of industry approval to analyze Lustre language, obtain the abstract syntax tree of Lustre language, because this step relatively simply and has in the prior art had hard and fast rule to retrain, therefore do not carry out again Formal Verification here.
The abstract syntax tree of Lustre program is divided into: programS, nodeS, equationS and tetra-levels of exprS; The corresponding program of difference, node, equation and expression formula; Wherein
ProgramS represents whole program, id tri-parts of type definition list, nodeS list and main node, consists of.When program is carried out, can locate the main node in nodeS list by the id of main node, and carry out main node.
NodeS is the program XM of Lustre program, is equivalent to the function of c program.NodeS mainly consists of node name, input parameter, output parameter, local variable and equationS list five parts.
EquationS is equation, lvalue list lhsl and expression formula exprS two parts, consists of.Each equation is the equal of to one or more lvalue assignment, and each variable at most by assignment once.
ExprS is expression formula, is divided into: expression list, call expression formula, unary operation expression formula, dual operation expression formula, tense operation expression, atomic expression and common expression formula.For simplifying the proof of sequence, before sorting, temporal expression formula to be processed, the subexpression that makes temporal expression formula can only be atomic expression.
The abstract syntax tree of Lustre program is structured in Formal Verification and developing instrument Coq, in prior art, with Formal Languages, has realized its formal description, does not repeat them here.
Syntax tree to generating carries out static check in Coq, and the content of inspection is divided into two parts, and the one, check the type in syntax tree, to obtain the abstract syntax tree Lustre-W of Well-typed, and prove whole process; The 2nd, check in follow-up translation proof, whether required character is met, and prove these character.
During Coq static semantic checks, by analyzing in node list not Existence dependency ring, prove that node list is same arrangement in topological sorting front and back mutually, its proof procedure comprises the steps:
(1) in the Lustre program before and after first proved topological sorting, the node name of " in-degree is zero " is all same arrangement;
(2) then prove that the node name in the Lustre program before and after topological sorting with dependence is all same arrangement;
(3) finally prove before the global context of the node list after above-mentioned two kinds of structures are merged together and local environment and topological sorting it is an arrangement mutually.
Concrete example is as follows:
Figure BDA0000426630980000061
This part mainly utilizes the fundamental property of the relevant Permutation of List data structure and map in Coq storehouse to prove, because the process of sequence is the nested of a plurality of steps, directly carry out proof by induction more difficult, and utilize the character of List can abbreviation the step of sequence, simplify proof.The only difficult point of proof procedure is that proof is to before and after the sequence of dependence being an arrangement, because can not directly do to conclude to dependence list, proves, needs first auxiliary parameter len to be done to elim and concludes, then dependence list l is concluded.
Theorem?toposort_depList_permutation:forall(len:nat)(l:list?dependT),
length?l<=len→
Permutation?l(toposort_depList?len?l).
Wherein, Permutation l is the related definition that in Coq storehouse, List database provides.
103, the clock period of all variablees in Lustre-W is normalized, makes the clock period of all variablees be unified in normal period;
Because Lustre language is synchronous data flow language, program is carried out in the infinite cycle.Each variable has a clock, is a unlimited clock stream in the infinite cycle.The value of clock in each cycle is VtrueL or VfalseL, and variable just has value when the value of clock is VtrueL.If the clock of this complexity is brought subsequent authentication step into, not only make follow-up semanteme become very complicated, also will make follow-up proof difficulty increase.The present invention first converts the Lustre-W program of carrying ordinary clock to only carry overall fundamental clock (each cycle clock is VtrueL) Lustre-K program through translation, effectively to simplify follow-up translation and checking work.Its concrete practice is, according to the length of clock 1 second, 2 seconds, 3 seconds ... finally take fundamental clock as standard, be generally the fastest clock as standard, as take 1 second as standard, and 2 seconds, 3 seconds ... be divided into corresponding a plurality of 1 second, after abbreviation, each cycle of global clock is VtureL, and in program, each cycle is carried out computing, therefore the program after clock normalization has not needed the concept of clock, can greatly simplify the difficulty of follow-up proof.
104, the Lustre-W after normalization is carried out generating serial c program after causality analysis and topological sorting, translation;
Lustre program is concurrent execution, so first will carry out causality analysis and topological sorting to well-typed Lustre-W before being translated c program, with by its serialization, finally more whole process is carried out to believable formal proof.The process of topological sorting refers to be carried out of equal value any two programs that meet topological sorting.And C language needs is a serial program for the dependence between variable by analysis, by the dependence between each node in Lustre program is analyzed, according to the standard of setting, size by dependence between different node sorts, wherein in-degree be zero the node without dependence be placed on program before.In the situation that meeting topological sorting contextual definition, without the node list of dependence, meet topological sorting relation; If the dependence of a node does not rely on self and follow-up all dependence lists, and follow-up dependence list meets topological sorting relation, so this node and have the relation that also meets topological sorting between the node list of dependence.
In proof procedure, in the first dependence list of proof through the program of causality analysis inspection, there is not ring, then prove that acyclic dependence list meets the definition of topological sorting.As shown in Figure 4, if the id list of the r value of dependence D1 is present in the id list of lvalue of dependence D2, illustrate that D1 relies on D2, the then relation of recursive definition topological sorting.In Fig. 4, whether have the independent path from dependence x to y, if x depends on first element in l, each element in l depends on again its follow-up element, and last element of l relies on again y, Existence dependency path; As long as have an element not rely on its follow-up element in whole piece path, Existence dependency path not.Independent path is mainly used for representing the paths in topological relation figure, has path, is exactly from x to y, to have in the drawings path l.Corresponding program code is as follows:
Figure BDA0000426630980000071
Acyclic definition, to any x in Fig. 4 and the random subset l' of l, does not exist an x by l', to arrive the independent path of x self.In topological relation figure, from arbitrfary point x, all can not get back to initial point x.
Definition?no_cycle(l:list?dependT):=
forall(x:dependT)(l':list?dependT),
In?x?l→incl?l'l→is_path?x?x?l'=false.
Directly the acyclic dependence list of proof meets the definition of topological sorting, and difficulty is larger, because these two definition are all more abstract, and is the dissimilar definition to the character of dependence graph.Therefore acyclic character need to be carried out to a step conversion, prove this step conversion, then the target after conversion is proved to last target as new prerequisite.Proof is below exactly the proposition that first step conversion will prove,, to acyclic and be empty dependence list l arbitrarily, must be divided into l1 and l2 two parts, and wherein l1 is not sky and does not rely on the arbitrary element in l; In l2, for arbitrary element x, the subset dependence list l' of the dependence y in Existence dependency relationship l1 and l2, by l', there is the dependence path of y in x.Be exactly in simple terms acyclic and for empty dependence list, can not be divided into two set arbitrarily, set is for sky and its element are all the leaf nodes not relying in the dependence graph of all elements; All elements in another set can find one to the independent path of first set.Code is as follows:
Although passed through partition, simplify, the proof of nocycle_infer is more complicated still, need to first carry out proof by induction, more further a minute situation discussion proves.First dependence list l is made to proof by induction, when l is sky, prerequisite contradiction can directly prove; When dependence list is the combination of an element a and a list l, l can be divided into l1 and two subsets of l2, and l1 and l2 meet the character that will demonstrate,prove, and the element in l1 does not rely on any element in l1 and l2, for the arbitrary element x in l2, there is the independent path of l1 in it; Will demonstrate,prove below and add and also meet character by element a.
As shown in Figure 5, for a minute situation discussion, can, according to the relation of element and a in set l1, l1 be divided into three subsets.All elements in subset la relies on a, but a disobeys the element in rascal collection la; A relies on all elements in subset lb, but all elements in subset lb does not rely on a; Element and a in subset lc do not rely on mutually.According to la, whether lb and lc are that sky can be divided into 7 kinds of situations and proves.
(1)if?la<>nil?and?lb=nil?and?lc=nil?then?exists(a::nil)(la++l2)。
As shown in Figure 6, only have la not for empty, lb and lc are empty, and element a forms new l1, and la and l2 form new l2.
(2)else?if?la=nil?and?lb<>nil?and?lc=nil?then?exists?lb(a::l2)。
As shown in Figure 7, only have lb not for empty, gather lb and form new l1, a and l2 form new l2.
(3)else?if?la=nil?and?lb=nil?and?lc<>nil
As shown in Figure 8, only has lc not for empty, situation more complicated.Need to judge whether element a relies on set l2, if element a does not rely on set l2, element a and set lc form new l1 again, and l2 forms new l2; If element a relies on set l2, gather lc and form new l1, element a and l2 form new l2.
(4)else?if?la<>nil?and?lb<>nil?and?lc=nil?then?exists?lb(a::la++l2)。
As shown in Figure 9, la and lb are not empty, gather lb and form new l1, and a, la and l2 form new l2.
(5)else?if?la=nil?and?lb<>nil?and?lc<>nil?then?exists(lb++lc)(a::l2)。
As shown in figure 10, lb and lc are not empty, gather lb and lc and form new l1, and a and l2 form new l2.
(6)else?if?la<>nil?and?lb=nil?and?lc<>nil?then。
As shown in figure 11, la and lc are not empty, and situation more complicated needs to judge whether element a relies on set l2 again, if element a does not rely on set l2, element a and set lc form new l1, and la and l2 form new l2; If element a relies on set l2, gather lc and form new l1, element a, la and l2 form new l2.
(7)else?if?la<>nil?and?lb<>nil?and?lc<>nil?then?exists(lb++lc)(a::la++l2)
When la, lb and lc are not empty situation, as shown in Figure 5, gather lb and lc and form new l1, a, la and l2 form new l2.
By concluding and the first step of minute situation discussion proof partition proof, just can utilize the conclusion of the first step to prove theorem below.As long as l is non-NULL, do not repeat and acyclic, that at least can find a leaf node that does not rely on any element from the topological relation figure of l.By this conclusion, can prove if l is non-NULL, does not repeat and acyclic dependence list, certainly can to scan in-degree be zero element to the first step of " in-degree be zero summit topological sorting algorithm ", be sure original list l to be split into l1 and two subsets of l2, l1 subset is not empty.
Figure BDA0000426630980000091
By the character of get_nodep_List_notnill, just can prove acyclic and unduplicated dependence list l again, through being greater than after the iterative sequencing of len time of its length, the new dependence list obtaining meets topological sorting relation.
Figure BDA0000426630980000092
Figure BDA0000426630980000101
Because the process of sequence is not to decline along with the length of dependence list is linear, single pass at least finds a leaf node, also may find a plurality ofly, therefore pass through at most the number of times of list length, just can complete topological sorting.At this moment the number of times len that we define sequence is as auxiliary parameter, and the process of sequence declines according to sequence number of times is linear, and this auxiliary parameter is natural number, and the value of bringing into is the possible maximum times of sequence.This proof is more special, can not prove by general conclusion mode.Need to first with elim strategy, to auxiliary parameter, conclude, when auxiliary parameter is 0, can directly prove; When auxiliary parameter is not 0, just can utilize the condition obtaining of concluding.In the second situation, again dependence list l is concluded with induction strategy, when l is sky, can directly prove; When l is the combination of a and new l, the l1 that the combination that utilizes the character of get_nodep_List_notnill just can obtain a and l obtains after get_nodep_List mono-step scanning is for empty.
(l1,l2)=get_nodep_List?idll(a::l)
Then with regard to utilizing, len is concluded to resulting condition prove, and construct the required prerequisite of this condition, just can complete the proof of toposorted_depList.
After final step also needs proof respectively the equation list in node listing and node to be sorted, its dependence list meets topological sorting character.First proof extracts the dependence list of node listing call relation and it is sorted, and the dependence list after sequence meets the character of topological sorting.
Theorem?nodes_toposorted:
is_nodes_toposorted
progT.(nodeBlockS)(toposort_nodes?progT.(nodeBlockS))).
Prove the arbitrary node in program, its equation list is carried out after topological relation extracts sorting, and the dependence list after sequence meets the character of topological sorting again.
Theorem?eqs_toposorted:
forall?node,In?node?progT.(nodeBlockS)→
is_eqs_toposorted(eqsOfNodeS?node)(toposort_eqs(eqsOfNodeS?node)).
The proof comparing class of these two theorems seemingly, because extracting, the dependence of acquiescence need to add sequence number, thus can not utilize map to simplify the process of extraction, but sequence number is just used in sequencer procedure, and after drained order proof its while meeting the character of topological sorting, do not need sequence number.Therefore can first prove the dependence list of obtaining through two kinds of modes, if a kind of character that meets topological sorting wherein, that another kind also must meet.The process of extraction can be converted to the plain mode that utilizes map, just can utilize the character of map to carry out abbreviation, thus two theorems above final certification.
105,, to any two the Lustre programs that meet topological sorting, prove that Lustre program and the Lustre program after topological sorting before its topological sorting carried out semantic equivalence;
Because Lustre is a kind of synchronous data flow language, there is complicated tense computing, therefore common method, be difficult to guarantee the correctness of sequence, we are by the character with Coq definition topological sorting, c program after proof sequence meets the character of topological sorting, and proves that it is of equal value that any two Lustre programs that meet topological sorting character are carried out in serial semantics, thus can prove through between the concurrent program of sequence and serial program in practical implementation the equivalence of semanteme.Proof procedure is as follows:
The local environment of 501, storing the global context of node title in model Lustre concurrent program and storing variable in each node function performance period, the title of simultaneously guaranteeing node in global context do not repeat with local environment in equation lvalue ID for empty; Set up an equation subenvironment being formed by lvalue ID;
When carrying out the definition of environment, can be based on following two character:
The sign id of character 1:node list does not repeat, and reads global context and can only find at most a corresponding node while guaranteeing to call node.This character reads the uniqueness of global context in the time of both can having guaranteed to call node, also can simplify the definition of global context.
Character 2: for any node, the lvalue id of its equation list is not empty and does not repeat.This character is extremely important, and first it guaranteed the fundamental property of Lustre program: for the equation in node, each lvalue id only by assignment once, by this fundamental property, all greatly simplified by sequence and proof; On the other hand, at structure, during local environment, be of great use again, first id of each equation lvalue of can usining locates equation environment as sign, thereby greatly simplifies definition and the proof of environment coupling.
Above-mentioned two character are that Coq will verify while syntax tree being carried out to static check in step 101, and these two character are also two conditions that Lustre program must meet when changing into grammer simultaneously.
The running environment of Lustre language is divided into two parts: global context and local environment.Global context is used for storing node list, need to read global context and call corresponding node according to node name when node calls.Local environment is for storing the value of each variable of each node in each cycle.Following institute's drop handle border is all global context and the local environment of operation while carrying out topological sorting.
Because the operation to global context is fairly simple, the one, initial phase reads whole node list, and the 2nd, execution node reads corresponding node while calling.Because the static check of Coq has guaranteed the name of all node and has not repeated, and by global constant's substitution syntax tree, this just can define global context in the simplest mode.The present invention's justice global context is the list of a node.During initialization, node list assignment that will executive routine is to global context.In the process of implementation, in the time of need to calling node, according to node name, in node list, search for again corresponding node and carry out, because there has been the character of a lot of List that proved in Coq storehouse, so directly adopt List to describe global context, can play the effect of simplifying proof.
According to the language feature of Lustre and the target that will prove.Semantic local environment definition is more difficult, language feature: the one, because Lustre is stream language, local environment need to be stored in node each variable in the value in each cycle, so local environment need to be take the cycle and is linear structure as axle; The 2nd, because node is the existence of call, each node may call again a plurality of sub-node when carrying out, so the local environment in each cycle is again tree structure.
Because the final goal that will prove is that any two Program Semantics that meet topological sorting are carried out of equal value.As: for any two Lustre program PorgA and the PorgB that meet topological sorting, the equation list of its each corresponding nodeX and nodeY is mutually one and arranges but order is different.This just makes the order of the sub-node that nodeX and nodeY will call is different.Thereby the node of every one deck of syntax tree of the ProgA of any period n and the local environment of ProgB is mutually all an arrangement.Make in this case the environment coupling of proof procedure describe very complicated, the complexity proving also increases a lot.Because the equation list ordering to each node be take equation as unit, and the static check of Coq has guaranteed that in node, the lvalue id of each equation is unduplicated.Therefore the present invention becomes double-deck tree construction the environment construction of each node, in node environment, increase equation environment, it is sign that each equation environment be take first lvalue id corresponding to equation, during Call in carrying out each equation, first search for corresponding equation subenvironment, look in order the environment of more corresponding sub-node, by such structure, PorgA and PorgB can be moved in identical environment, reduced greatly the complexity of proof.
For the storage of variable in each node, we use for reference the data structure PTree in CompCert, and the one, because PTree meets the requirement of local variable storage, guarantee not interfere with each other between different variablees, and read and write conveniently, can store complicated data message; The 2nd, because comprised the proof about the various fundamental propertys of PTree in CompCert, use it can reduce a lot of repetitive works.Fig. 3 is LsemT local environment schematic diagram, in node A, there are two equation eq1 and eq2, first id of the lvalue list that eqid1 is eq1, first id of the lvalue list that eqid2 is eq2, equation eq1 calls node B and node C, and equation eq2 calls node B twice.Wherein e represents local environment, and te is the list (representing with list PTree) of the home environment that node is corresponding, and eqenv is equation environment.An e is divided into te and eqenv list two parts; Eqenv is comprised of the list of an equation id sign and an e.The definition of foregoing in corresponding local environment Coq, first with the node of a local environment of PTree definition, for preserving the value of all variablees of node run duration in one-period;
Definition?localenvL:=PTree.t(valL*typeL).
By the mode of recurrence, by two-tier system, define whole local environment again.
Figure BDA0000426630980000121
502, set up a proving program C identical with the global context local environment identical and proving program B of proving program A;
In proof procedure, have need to pay attention at 2: the one, the disassembling of proof procedure, two program differences that meet topological sorting are too large, cannot directly prove, the present invention disassembles proof procedure into multistep, each step is only done and is changed a certain item in proof link, other are constant, so just a nonlinear problem are changed into the problem of a plurality of linearities; The 2nd, the definition of the environment coupling of each step, the core of proof is exactly both values of carrying out in semanteme of comparison, and these values are stored in local environment, so be finally the value of local environment after comparison program is carried out, so the definition of the environment of each step coupling is directly connected to the difficulty of the proof of this part.
As shown in figure 12, suppose P1(proving program A) and P3(proving program B) be two programs that meet topological sorting relation, due to the order of node list is different and each node in the order of equation also different, cannot directly prove that P1 and P3 carry out equivalence in semanteme.The present invention is first split as two steps proof procedure, increases a P2(proving program C), P2 also meets topological sorting relation, and the node list of P2 and P1 is a sequence, and the node order of P3 and P2 is identical, but the equation list of each node is an arrangement mutually.Thereby P1 is resolved into P1 to P2 to the semantic execution Proof Equivalence of P3, then by P2 the equivalence proof to P3.Because P1 is different to the just node order of P2, prove that relatively easily, difficult point is the proof to P3 at P2.
503, utilize in proving program A and proving program C node name mode one to one, can obtain the result that both carry out rear semantic equivalence;
According to the character of syntax tree, the node existing in P1 also exists and is same in P2, therefore can prove that both are of equal value.
504, take proving program C as basis, only there to be the diacritical mode refinement of a step to go out middle proving program C1, C2, C3 ... Cn, wherein proving program Cn and proving program B only have a step difference, after contrasting two programs and carrying out, the value of its local environments can obtain both semantic execution result whether of equal value, more counter pushing away until be verified semantic execution conclusion whether of equal value between program C and proving program B successively;
As shown in figure 13, P2 because the equation order in each node is different, directly proves that difficulty is larger to P3, and this is also most important part in proof procedure, and need to contact syntax and semantics proves.The present invention defines a program P (i), and P (i) is that front i the node of P2 adds that P3 removes the part of front i.Thereby P2 is transformed into P (i) to the equivalence proof of P (i+1) to the equivalence proof of P3.And P (i) is to only having (i+1) individual node different between P (i+1), other node are identical.Namely by P2 refinement step by step, between adjacent two programs of refinement, only have a step program different, between the program Cn of so final refinement and P3, also only have a step different, then both are proved, then counter pushing away proves that each step is different successively, can finally obtain the conclusion that P2 is identical with P3.As shown in Figure 3, N wherein represents node name, and eq represents equation.
For P (i), to different (i+1) individual node between P (i+1), comprise two kinds of situations: 1, this different node is main node; 2, this different node is not main node.For simplifying proof, by simplifying, the 2nd kind of situation is also converted into the proof situation that different node is main node.Although this is simple classification just, by the different situation of node that in node call relation tree, the different abbreviations of any one node are root node, thereby make the further abbreviation of proof procedure.Through the simplification of previous step, two of prove hold row equivalent program and also have 2 differences, and the one, the host node of carrying out is unequal, and the equation list of two host nodes carrying out is mutually a sequence, and other information of node are identical; Two is that the global context carried out of two programs is also different, because host node is different, therefore the node of host node correspondence position is not identical in global context.
At 2 different in the situation that, be difficult to directly proof equivalence, therefore need first one of them different condition to be reduced to identical condition, as shown in figure 14, the process of simplifying is exemplified below: in program process, global context gea is different with the Nmain in ged, and its equation list eql1 and eql2 are mutually sequences, and the host node Nmain of execution is also different; And the dependence list that the corresponding node listing of global context gea extracts meets topological sorting character.The global context gea abbreviation of now cannot a step directly program being carried out is to ged, but can first prove that host node Nmain1 carries out equivalence under gea and geb, then proves that Nmain2 carries out equivalence under gec and ged.Thereby proof is reduced to Nmain1 to be carried out of equal value at geb and Nmain2 under gec.Wherein the simplification of second step is relatively simple, because from a few environment the proof procedure of the environment ged more than gec to, if program can find a node in environment gec, that must find identical node in ged.The conversion relative complex of the first step, because from the proof procedure of gea to few environment geb of the environment more than, if can find a node in gea, differ and in few environment geb, find surely, in the process of proof, needing to add the dependence that node listing extracts is the condition that meets topological sorting character, and the node in host node Nmain1 and ge1 must not can call the node in ge2 like this.In the proof procedure of the first step, need this condition to join the every one deck in mutual conclusion, and can make the conversion that can circulate of condition in each layer.
Geb after conversion and the host node of gec are still different, need further to proof, carry out abbreviation, its global context are reduced to identical, make to only have in the process of implementation the host node that will carry out different.As shown in figure 15, can first prove that host node Nmain1 carries out under global context geb and ge1 of equal value, then it is of equal value to prove that host node Nmain2 carries out under global context ge1 and gec.Simplifying similarly with back, is also that the second step simplified is relatively simple, and the first step is comparatively complicated need to bring the character that node dependence list that global context geb extracts meets topological sorting into.
Through the abbreviation of twice above, program P (i) is identical with the global context that P (i+1) carries out, and only has main node different.Because the equation list in main node is an arrangement, its order is different, directly proof difficulty is still very large, because two programs all meet the character of topological sorting, the conclusion character of simultaneously utilize arranging can be converted into proof that in main node, any one does not rely on the equation eq of other equation lists eql, optional position in eql, whole program is carried out of equal value.As shown in figure 16, prove that the eq that does not rely on other equatioies inserts the diverse location program execution equivalence of equation list in N1.
For the different program P of main node (i) and P (i+1), because the equation in main node is an arrangement, its order is different, directly proves that difficulty is still very large.Because two programs all meet the relation of topological sorting, so the conclusion character of simultaneously utilizing arrangement can be converted into proof, and in main node, any one does not rely on the equation eq of other equation lists eql, optional position in eql, whole program is carried out of equal value, proves that the eq that does not rely on other equatioies inserts the diverse location program execution equivalence of equation list in N1.
Through above-mentioned a series of decomposition, that finally need proof is two mutual ind equation eq1 and eq2, and exchange sequence is carried out of equal value, and this is also the core of whole proof procedure, the difficult point of this proof is the existence of call expression formula, makes the subenvironment of local environment have multiple situation; Also has the existence of Pre tense computing.The lvalue of eq1 is lhs1, and expression formula is expr1; The lvalue of eq2 is lhs2, and expression formula is expr2.Namely to prove that following two kinds of modes carry out equivalence: first carry out expr1 value is assigned to lhs1 and writes environment, then carry out expr2 value is assigned to lhs2 and writes environment; First carry out expr2 value is assigned to lhs2 and writes environment, then carry out expr1 value is assigned to lhs1 and writes environment.Be whether lhs1 is not affected the value of expr2 computing by assignment; Whether lhs2 is not affected the value of expr1 computing by assignment.Can prove by a minute mode for situation discussion, first according to whether there being call expression formula can be divided into three kinds of situations in two expression formulas:
(1) in expr1 and expr2, all there is no call expression formula;
Owing to all there is no call in the expression formula of two equatioies, the subenvironment of two equatioies is all empty so.This situation, than being easier to proof, because the execution environment of two kinds of orders is identical, and does not change subenvironment in implementation.
(2) in expr1, there is call expression formula, in expr2, do not have, or in expr1, there is no call expression formula, in expr2, have.
Owing to there being call expression formula in expr1, so expr1 can change subenvironment after carrying out.Because in first cycle and later cycle implementation, environment is different: first periodic environment is all empty, implementation is the process of initialization context tree namely, cycle is below because environment tree constructs, each list of carrying out just to each node of tree increases by one, so need again in two kinds of situation: the proof in first cycle; The proof of subsequent cycle.
Similar for having in situation about having in expr2 and expr1, just order is with front a kind of contrary.Also be to be divided into two kinds of situation continued discussion according to the cycle.
(3) in expr1 and expr2, there is call expression formula;
The situation that has call in two expression formulas, two kinds of execution sequences can cause subenvironment to divide multiple situation.When carrying out call expression formula, can search for the list of equation subenvironment, if can find corresponding equation subenvironment, above, add a node, if can not find, can corresponding equation subenvironment of neotectonics.So whether can find according to two equation subenvironments corresponding to equation, can be divided into again four kinds of situations.Wherein first three kind situation is similar, and the 4th kind of situation is that two equation subenvironments corresponding to equation can find, need to be to its discussion of again classifying.Different according to the order of the middle eq1 of the equation subenvironment list equation subenvironment corresponding with eq2, prove in two kinds of situation.
The present invention considers after above-mentioned all situations, is proven result.
505,, in conjunction with the result of (3) and (4), obtain Lustre program before topological sorting and the conclusion of the execution of the Lustre program after topological sorting semantic equivalence.
106, obtaining thus Lustre program and its c program generating after causality analysis and topological sorting is semantically proof of equal value carrying out.
The above is only preferred embodiment of the present invention, not the present invention is done to any pro forma restriction, although the present invention with preferred embodiment openly as above, yet not in order to limit the present invention, any technician who is familiar with this patent is not departing within the scope of technical solution of the present invention, when can utilizing the technology contents of above-mentioned prompting to make a little change or being modified to the equivalent embodiment of equivalent variations, in every case be the content that does not depart from technical solution of the present invention, any simple modification of above embodiment being done according to technical spirit of the present invention, equivalent variations and modification, all still belong in the present invention program's scope.

Claims (5)

1. a credible sort method for the synchrodata string routine based on Formal Verification, comprises Lustre concurrent program and by the serial c program obtaining after the sequence of Lustre concurrent program, it is characterized in that, comprises the steps:
Step 1, utilize morphology grammatical analysis instrument to analyze source Lustre program, obtain the abstract syntax tree of this Lustre program, the verification tool Coq of utilization based on formalization method carries out type analysis and static semantic inspection to gained abstract syntax tree, obtains meeting the abstract syntax tree Lustre-W of well-typed condition;
Step 2, the clock period of all variablees in Lustre-W is normalized, makes the clock period of all variablees be unified in normal period;
Step 3, the Lustre-W after normalization is carried out generating serial c program after causality analysis and topological sorting, translation;
Step 4, to any two the Lustre programs that meet topological sorting, prove that Lustre program before its topological sorting and the Lustre program after topological sorting carry out semantic equivalence, proof procedure is as follows:
(1) in model Lustre concurrent program, store the global context of node title and the local environment of variable in each node function performance period of storage, the title of simultaneously guaranteeing node in global context do not repeat with local environment in equation lvalue ID for empty;
(2) set up a proving program C identical and identical with the local environment of proving program B with the global context of proving program A;
(3) utilize in proving program A and proving program C node name mode one to one, can obtain the result that both carry out rear semantic equivalence;
(4) take proving program C as basis, only there to be the diacritical mode refinement of a step to go out middle proving program C1, C2, C3 ... Cn, wherein proving program Cn and proving program B only have a step difference, after contrasting two programs and carrying out, the value of its local environments can obtain both semantic execution result whether of equal value, more counter pushing away until be verified semantic execution conclusion whether of equal value between program C and proving program B successively;
(5), in conjunction with the result of (3) and (4), obtain Lustre program before topological sorting and the conclusion of the execution of the Lustre program after topological sorting semantic equivalence;
Step 5, to obtain Lustre program and its c program generating thus after causality analysis and topological sorting be semantically proof of equal value carrying out.
2. credible sort method as claimed in claim 1, it is characterized in that, in the Coq of step 1 static semantic checks, by analyzing in node list not Existence dependency ring, can prove that node list is same arrangement mutually before and after topological sorting, its proof procedure comprises the steps:
(1) in the Lustre program before and after first proved topological sorting, the node name of " in-degree is zero " is all same arrangement;
(2) then prove that the node name in the Lustre program before and after topological sorting with dependence is all same arrangement;
(3) finally prove before the global context of the node list after above-mentioned two kinds of structures are merged together and local environment and topological sorting it is an arrangement mutually.
3. credible sort method as claimed in claim 1, it is characterized in that, normalized in described step 2 refers to, by the clock period of all different lengths, by the wherein the fastest clock period, is that unit splits, and then presses in line period and divides all variablees.
4. credible sort method as claimed in claim 1, is characterized in that, in (4) of described step 4, described proving program Cn and proving program B only have a step difference to comprise Four types:
(1) this distinctive points is main node;
(2) this distinctive points is not main node;
(3) when distinctive points is main node, two main node of execution are unequal, i.e. the equation list of two host nodes is mutually a sequence, but other information are identical;
(4) when distinctive points is main node, two the residing host node of main node positions are different, and the global context of two host nodes is also different;
For above-mentioned difference, again to its abbreviation, make final distinctive points unification be: two equatioies that do not rely on mutually under different main node.
5. credible sort method as claimed in claim 4, is characterized in that, whether two ind equatioies are according to wherein having call expression formula, and the three kinds of situations below that are divided into prove respectively:
In (1) two equation, all there is no call expression formula;
In (2) two equatioies, there is one to have call expression formula;
(3) two equatioies have call expression formula.
CN201310631729.4A 2013-11-29 2013-11-29 A kind of credible sort method of the synchrodata string routine based on Formal Verification Active CN103646194B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310631729.4A CN103646194B (en) 2013-11-29 2013-11-29 A kind of credible sort method of the synchrodata string routine based on Formal Verification

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201310631729.4A CN103646194B (en) 2013-11-29 2013-11-29 A kind of credible sort method of the synchrodata string routine based on Formal Verification

Publications (2)

Publication Number Publication Date
CN103646194A true CN103646194A (en) 2014-03-19
CN103646194B CN103646194B (en) 2016-04-06

Family

ID=50251407

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201310631729.4A Active CN103646194B (en) 2013-11-29 2013-11-29 A kind of credible sort method of the synchrodata string routine based on Formal Verification

Country Status (1)

Country Link
CN (1) CN103646194B (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108171016A (en) * 2017-11-30 2018-06-15 中国人民解放军国防科技大学 Linear assembly level configurable fault tolerance method, computer and computer program
CN112269734A (en) * 2020-10-15 2021-01-26 南京航空航天大学 Synchronous language program automatic verification method based on satisfiability solving
CN112306470A (en) * 2020-10-19 2021-02-02 南京航空航天大学 Method for simplifying, converting and automatically verifying complex synchronous language program
CN115964033A (en) * 2023-01-16 2023-04-14 北京计算机技术及应用研究所 Model-based visual software development tool implementation method
CN117311678A (en) * 2023-08-04 2023-12-29 四川大学 Equivalent embedding method for synthesizing program module sequencing group function of AI system
CN117311678B (en) * 2023-08-04 2024-06-04 四川大学 Equivalent embedding method for synthesizing program module sequencing group function of AI system

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100077101A1 (en) * 2008-09-12 2010-03-25 Institute Of Acoustics, Chinese Academy Of Sciences Storage network structure based on the Peterson graph and data read-write method thereof
CN102136003A (en) * 2011-03-25 2011-07-27 上海交通大学 Large-scale distributed storage system
CN102169448A (en) * 2011-03-18 2011-08-31 浪潮电子信息产业股份有限公司 Deployment method of cluster parallel computing environment
CN102404201A (en) * 2011-10-20 2012-04-04 浪潮电子信息产业股份有限公司 Method of realizing maximum bandwidth of Lustre concurrent file system
CN103077245A (en) * 2013-01-18 2013-05-01 浪潮电子信息产业股份有限公司 Method for expanding parallel file system by free hard disk space of cluster computing node

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100077101A1 (en) * 2008-09-12 2010-03-25 Institute Of Acoustics, Chinese Academy Of Sciences Storage network structure based on the Peterson graph and data read-write method thereof
CN102169448A (en) * 2011-03-18 2011-08-31 浪潮电子信息产业股份有限公司 Deployment method of cluster parallel computing environment
CN102136003A (en) * 2011-03-25 2011-07-27 上海交通大学 Large-scale distributed storage system
CN102404201A (en) * 2011-10-20 2012-04-04 浪潮电子信息产业股份有限公司 Method of realizing maximum bandwidth of Lustre concurrent file system
CN103077245A (en) * 2013-01-18 2013-05-01 浪潮电子信息产业股份有限公司 Method for expanding parallel file system by free hard disk space of cluster computing node

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108171016A (en) * 2017-11-30 2018-06-15 中国人民解放军国防科技大学 Linear assembly level configurable fault tolerance method, computer and computer program
CN108171016B (en) * 2017-11-30 2021-04-09 中国人民解放军国防科技大学 Linear assembly level configurable fault tolerance method, computer and computer program
CN112269734A (en) * 2020-10-15 2021-01-26 南京航空航天大学 Synchronous language program automatic verification method based on satisfiability solving
CN112306470A (en) * 2020-10-19 2021-02-02 南京航空航天大学 Method for simplifying, converting and automatically verifying complex synchronous language program
CN115964033A (en) * 2023-01-16 2023-04-14 北京计算机技术及应用研究所 Model-based visual software development tool implementation method
CN115964033B (en) * 2023-01-16 2023-09-26 北京计算机技术及应用研究所 Model-based visual software development tool implementation method
CN117311678A (en) * 2023-08-04 2023-12-29 四川大学 Equivalent embedding method for synthesizing program module sequencing group function of AI system
CN117311678B (en) * 2023-08-04 2024-06-04 四川大学 Equivalent embedding method for synthesizing program module sequencing group function of AI system

Also Published As

Publication number Publication date
CN103646194B (en) 2016-04-06

Similar Documents

Publication Publication Date Title
CN102339252B (en) Static state detecting system based on XML (Extensive Makeup Language) middle model and defect mode matching
Bi et al. Applying propositional logic to workflow verification
CN101697121A (en) Method for detecting code similarity based on semantic analysis of program source code
Hooimeijer et al. StrSolve: solving string constraints lazily
CN103646194B (en) A kind of credible sort method of the synchrodata string routine based on Formal Verification
CN106371887A (en) System and method for MSVL compiling
CN108319458A (en) It is a kind of based on graphically defend formula order calculation multitask Compilation Method
CN106648813B (en) Formalized compiling method for synchronous data stream program
Zhou et al. Formal component-based modeling and synthesis for PLC systems
Jose et al. Smt based false causal loop detection during code synthesis from polychronous specifications
CN103885810A (en) Gerber file compiler based on regular expressions
Fakih et al. LLM4PLC: Harnessing Large Language Models for Verifiable Programming of PLCs in Industrial Control Systems
Chukharev et al. FbSAT: Automatic inference of minimal finite-state models of function blocks using SAT solver
Lai et al. Defining and verifying behaviour of domain specific language with fUML
Altisen et al. Certification of an exact worst-case self-stabilization time
Bhullar et al. Exploration of UML diagrams based code generation methods
Choi et al. Stepwise structural verification of cyclic workflow models with acyclic decomposition and reduction of loops
Zhang An Approach for Extracting UML Diagram from Object-Oriented Program Based on J2X
Christensen et al. PyLSE: A pulse-transfer level language for superconductor electronics
CN109710538A (en) A kind of static detection method for state related defects in large scale system
Sun et al. A hierarchical CPN model automatically generating method aiming at multithreading program algorithm error detection
Qi et al. Formal Codesign and Implementation for Multifunction Vehicle Bus Circuits
Zhang et al. Constraint-based automatic symmetry detection
Saad et al. Data-flow based model analysis
Moutinho et al. Petri net based specification and verification of globally-asynchronous-locally-synchronous system

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CB03 Change of inventor or designer information

Inventor after: Jiang Guojin

Inventor after: Sun Yongbin

Inventor after: Bai Tao

Inventor after: Zhang Yan

Inventor after: Yang Chen

Inventor after: Ren Baohua

Inventor after: Zhang Zhihui

Inventor after: Gao Chao

Inventor before: Zhang Yan

Inventor before: Yang Chen

Inventor before: Ren Baohua

Inventor before: Zhang Zhihui

CB03 Change of inventor or designer information