CN110532167A - A kind of state machine model timing property verification method based on model conversion - Google Patents

Info

Publication number
CN110532167A
Authority
CN
China
Prior art keywords
model
scade
state machine
state
symbol table
Legal status
Granted
Application number
CN201910606311.5A
Other languages
Chinese (zh)
Other versions
CN110532167B (en)
Inventor
黄滟鸿
史建琦
张继
郭欣
施健
Current Assignee
SHANGHAI FORMAL TECH INFORMATION TECHNOLOGY Co.,Ltd.
Original Assignee
Shanghai Fenglei Information Technology Co Ltd
East China Normal University
Application filed by Shanghai Fenglei Information Technology Co Ltd, East China Normal University
Priority to CN201910606311.5A
Publication of CN110532167A
Application granted
Publication of CN110532167B
Legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/36 Preventing errors by testing or debugging software
    • G06F11/3604 Software analysis for verifying properties of programs
    • G06F11/3608 Software analysis for verifying properties of programs using formal methods, e.g. model checking, abstract interpretation

Abstract

This application discloses a state machine model timing property verification method based on model conversion, comprising: a model parsing step, which parses a SCADE text model and obtains a syntax tree instance; a symbol table container step, which loads the syntax tree instance and obtains a symbol table instance; a model conversion step, which converts the symbol table instance into a NuSMV model according to conversion rules; and a model checking step, which verifies the timing properties of the NuSMV model against LTL and CTL formulas. By parsing the text model of the high-safety application development environment SCADE, converting it into a NuSMV model, and verifying the timing properties of the NuSMV model against LTL and CTL formulas, the method verifies the timing properties of the SCADE text model. This breaks through a limitation of SCADE model property verification and further improves the safety and reliability of software systems. By introducing into SCADE formal verification a timing specification that describes timing-related safety requirements, the timing properties of the model can be verified.

Description

A kind of state machine model timing property verification method based on model conversion
Technical field
This application relates to the field of embedded software, and in particular to a state machine model timing property verification method based on model conversion.
Background art
Software safety has always been a concern in safety-critical fields: although the development efficiency of software applications has improved, the safety and reliability of software systems must still be guaranteed, because in these fields a software error can cause serious economic loss or even threaten lives. Traditional software verification simulates the developed software system in order to find errors and correct them in time. The Safety-Critical Application Development Environment (SCADE) provides a formal verification component, the Design Verifier (DV), in which the safety requirements are first modelled graphically and the model is then proved to satisfy (or not) the requirements by a model checking algorithm based on satisfiability (SAT) solving. However, as SCADE has become widely used and system requirements have diversified, the expressive power of DV is insufficient to describe some requirements, in particular those involving timing-related properties.
In summary, there is a need for a method that can verify the timing properties of SCADE text models, so as to improve the safety and reliability of software systems.
Summary of the invention
To solve the above problem, the present application proposes a state machine model timing property verification method based on model conversion: the text model of the high-safety application development environment SCADE is parsed and converted into a NuSMV model, and the timing properties of the NuSMV model are verified against LTL and CTL formulas, thereby verifying the timing properties of the SCADE text model.
Specifically, the invention proposes a state machine model timing property verification method based on model conversion, comprising:
a model parsing step, which parses the text model of the high-safety application development environment SCADE and obtains a syntax tree instance;
a symbol table container step, which loads the syntax tree instance and obtains a symbol table instance;
a model conversion step, which converts the symbol table instance into a model for the symbolic model checker NuSMV according to conversion rules;
a model checking step, which verifies the timing properties of the NuSMV model against linear temporal logic (LTL) formulas and computation tree logic (CTL) formulas.
Preferably, the model parsing step is implemented as follows:
according to the grammar and semantics declarations of the SCADE text model, the declarations of the SCADE grammar and semantics are written as a corresponding ANTLR file in the format of the ANother Tool for Language Recognition (ANTLR); the ANTLR file describes the grammar and semantics declarations of the SCADE language;
according to the declarations in the ANTLR file, the SCADE text model is walked with the corresponding Java listeners, and syntax tree information is obtained;
a syntax tree instance is generated from the syntax tree information.
Preferably, the symbol table container step is implemented as follows:
a hierarchical structure symbol table and a sub-state machine structure symbol table are defined;
the syntax tree instance is loaded according to the hierarchical structure symbol table and the sub-state machine structure symbol table, and a symbol table instance is obtained.
Preferably, the model checking step is implemented as follows:
the timing properties of the NuSMV model are verified against the LTL and CTL formulas;
if the timing property currently being verified is satisfied, verification of the next timing property is carried out;
if the timing property currently being verified is not satisfied, counter-example information is output and verification of the timing properties stops.
Preferably, after verification of the timing properties stops, the method further comprises:
a model debugging step, which modifies the model in the SCADE system development environment according to the counter-example information, generates a new SCADE text model, and verifies the timing properties again.
Preferably, the LTL formulas are determined according to the timing safety requirements of the SCADE text model described in natural language.
Preferably, the CTL formulas are determined according to the timing safety requirements of the SCADE text model described in natural language.
Preferably, the grammar and semantics declarations include: program semantics, declaration semantics, type declarations, constant declaration semantics, user-defined operator node declaration semantics, equation and expression declarations, and SCADE state machine semantics.
The advantage of the application is that, by parsing the text model of the high-safety application development environment SCADE, converting the SCADE text model into a NuSMV model, and verifying the timing properties of the NuSMV model against LTL and CTL formulas, the timing properties of the SCADE text model are verified. This breaks through a limitation of SCADE model property verification and further improves the safety and reliability of software systems.
Brief description of the drawings
By reading the following detailed description of the preferred embodiments, various other advantages and benefits will become clear to those of ordinary skill in the art. The drawings are only for the purpose of showing the preferred embodiments and are not to be considered a limitation of the application. Throughout the drawings, the same component is indicated by the same reference symbol. In the drawings:
Fig. 1 is a schematic diagram of the steps of a state machine model timing property verification method based on model conversion provided by the present application;
Fig. 2 is a schematic diagram of the SCADE state machine model of a satellite control subsystem, used by the state machine model timing property verification method based on model conversion provided by the present application;
Fig. 3 is a schematic diagram of a state machine model timing property verification system based on model conversion provided by the present application;
Fig. 4 is a schematic structural diagram of a state machine model timing property verification system based on model conversion provided by the present application;
Fig. 5 is a schematic diagram of the example hierarchical SCADE state machine used to explain the conversion rules of the method;
Fig. 6 is a schematic diagram of state B and state machine SM2 being activated during simulation, illustrating the conversion rules of the method;
Fig. 7 is a schematic structural diagram of the hierarchical state machine in the NuSMV target model, illustrating the conversion rules of the method;
Fig. 8 is the transition diagram of state S, illustrating the conversion rules of the method;
Fig. 9 is a schematic diagram of the state transition relationships, illustrating the conversion rules of the method;
Fig. 10 is a schematic diagram of the SCADE variable monitoring mechanism of the conversion rules of the method.
Specific embodiments
Exemplary embodiments of the disclosure are described more fully below with reference to the accompanying drawings. Although the drawings show exemplary embodiments of the disclosure, it should be understood that the disclosure may be implemented in various forms and is not limited to the embodiments set out here. On the contrary, these embodiments are provided so that the disclosure can be thoroughly understood and its scope fully conveyed to those skilled in the art.
According to an embodiment of the present application, a state machine model timing property verification method based on model conversion is proposed which, as shown in Fig. 1, comprises:
S101, a model parsing step, which parses the text model of the high-safety application development environment (Safety-Critical Application Development Environment, SCADE) and obtains a syntax tree instance;
S102, a symbol table container step, which loads the syntax tree instance and obtains a symbol table instance;
S103, a model conversion step, which converts the symbol table instance into a model for the symbolic model checker (New Symbolic Model Verifier, NuSMV) according to conversion rules;
S104, a model checking step, which verifies the timing properties of the NuSMV model against linear temporal logic (Linear Temporal Logic, LTL) formulas and computation tree logic (Computation Tree Logic, CTL) formulas.
The model parsing step, the symbol table container step and the model conversion step convert the input SCADE text model into an input model for a model checker, namely a model for the symbolic model checker (New Symbolic Model Verifier, NuSMV), and the generated NuSMV model serves as the input of the model checking step.
The model checking step verifies the timing safety requirements and properties of the state machine system that corresponds to the NuSMV model.
The model parsing step is implemented as follows:
according to the grammar and semantics declarations of the SCADE text model, the declarations of the SCADE grammar and semantics are written as a corresponding ANTLR file in the format of the ANother Tool for Language Recognition (ANTLR); the ANTLR file describes the grammar and semantics declarations of the SCADE language;
according to the declarations in the ANTLR file, the SCADE text model is walked with the corresponding Java listeners, and syntax tree information is obtained;
a syntax tree instance is generated from the syntax tree information.
The ANTLR tool generates the parsing interfaces for the SCADE language grammar; through these interfaces the model syntax tree is generated and the information in the SCADE state machine model is obtained. This information is the input of the syntax tree listeners (the Java listeners) described below.
Using the ANTLR runtime application programming interface (API), different types of Java listener are implemented to obtain the various kinds of information (syntax tree information) on the syntax tree.
The listeners include: an operator node listener, a data type listener, an expression listener, an equation listener, a user-defined operator node listener, a constant listener and a state machine transition relationship listener, among others.
By combining these listeners, the information on the syntax tree is saved into corresponding collections; this syntax tree information is used to generate the syntax tree instance.
The symbol table container step is implemented as follows:
a hierarchical structure symbol table and a sub-state machine structure symbol table are defined;
the syntax tree instance is loaded according to the hierarchical structure symbol table and the sub-state machine structure symbol table, and a symbol table instance is obtained.
The user defines the hierarchical structure symbol table as needed.
The user defines the sub-state machine structure symbol table as needed.
The hierarchical structure symbol table (SCADE hierarchical structure symbol table) describes the structure of the hierarchical SCADE state machine: the set of variables in the SCADE state machine model, the set of sub-state machines, the set of operators used in the state machine, and the set of user-defined function nodes called by the state machine. It also defines the data structures of these sets.
The sub-state machine structure symbol table (SCADE sub-state machine structure symbol table) describes the structure of a sub-state machine: the set of all states owned by the sub-state machine, its initial state, the relationship function between the sub-state machine and its states, the transition relationships between states, and the event behaviour operations within states. The sub-state machine structure symbol table also defines the data structure of the SCADE sub-state machine structure.
The syntax tree information obtained with the Java listeners is loaded into the symbol table instance.
The conversion rules are based on two mechanisms: a hierarchical state machine structure conversion mechanism and a variable monitoring mechanism. The hierarchical state machine structure conversion mechanism assists the conversion process by introducing trigger parameter rules and finally constructs the hierarchical structure of the SCADE state machine in the NuSMV target model; it also defines state transition conversion rules, so that each sub-state machine can be represented by one module in the NuSMV model, and the relationships between sub-state machines are further expressed in the modules. The variable monitoring mechanism controls the behaviour events of states in the model: a SCADE state owns specific event operations, which correspond to functions in the real system and change the variable values in the model; the variable monitoring mechanism uses monitoring parameters to decide whether these operations execute, and thereby indirectly controls the changes of these variables. Based on these conversion rules, the symbol table instance is converted into a NuSMV model.
The NuSMV model obtained after conversion includes: sub-state machine modules, variable monitoring modules, user-defined function node modules and a top-level state machine module (main module).
Each sub-state machine module corresponds to one sub-state machine in the SCADE state machine and comprises: the sub-states contained in the sub-state machine, the state transition relationships, the trigger parameters, the assignment of monitoring parameters, and the instantiation of the sub-state machines owned by the sub-state machine.
Each variable monitoring module controls the assignment operations of a corresponding output variable through monitoring parameters. If user-defined data flow function nodes are used in the SCADE model, these modules are generated in the target NuSMV model. The top-level state machine module represents the topmost state machine in the SCADE state machine and is responsible for the declaration of model variables and parameters, the instantiation of sub-state machines, the initialisation of variables and parameters, the instantiation of function nodes, and similar work. There is one and only one top-level state machine module, and it governs the entire generated target NuSMV model.
A SCADE state machine includes SCADE sub-state machines.
A SCADE text model is a form of representing a SCADE state machine.
The model checking step is implemented as follows:
the timing properties of the NuSMV model are verified against the LTL and CTL formulas;
if the timing property currently being verified is satisfied, verification of the next timing property is carried out;
if the timing property currently being verified is not satisfied, counter-example information is output and verification of the timing properties stops.
After verification of the timing properties stops, the method further comprises:
a model debugging step, which modifies the model in the SCADE system development environment according to the counter-example information, generates a new SCADE text model, and verifies the timing properties again.
The model checking step executes the verification process of the SCADE state machine model, i.e. the verification of the timing properties of the NuSMV model.
The user designs the SCADE state machine model in the SCADE system development environment and first describes the system timing safety requirements to be verified in natural language. The SCADE text model exported from the designed SCADE state machine model is the input of the model conversion module, while the requirements described in natural language are restated in a temporal logic expression specification such as LTL or CTL. The model conversion module turns the SCADE text model into a NuSMV target model; this model and the timing property expressions (the timing safety requirements restated in the LTL or CTL temporal logic specification) are input together into the model checker NuSMV and the verification process starts. The verification result is shown on a visual console: if the timing property is satisfied, the next timing property is verified; if it is not, a counter-example is output for the user to analyse and use to debug the original SCADE model, and the cycle repeats until all timing properties are satisfied. By introducing the timing specification description (timing property expressions), the SCADE development environment is connected to the model checker NuSMV, so that the timing-related safety requirements and properties of the SCADE model can be verified.
The timing specification description describes the timing safety requirements of the system.
The LTL formulas are determined according to the timing safety requirements of the SCADE text model described in natural language.
The CTL formulas are determined according to the timing safety requirements of the SCADE text model described in natural language.
The grammar and semantics declarations include: program semantics, declaration semantics, type declarations (type declaration semantics), constant declaration semantics, user-defined operator node declaration semantics, equation and expression declarations (equation and expression semantics), SCADE state machine semantics, and so on.
Timing property verification of a satellite control system model is taken as an example. The satellite control system is a control subsystem that controls the switching between the different operating modes of a satellite, covering the process of separation of the satellite from the rocket and the working process of the satellite after separation.
Fig. 2 shows the SCADE state machine model of this subsystem. It has two sub-state machines, SM1 and SM2, which describe the satellite-rocket separation process and the operating modes of the satellite after separation respectively. SM1 therefore has two states, not yet separated (BeforeDepart) and separated (AfterDepart); SM2 has three states, representing the rate damping mode (Initial), the standby mode (Wait) and the flywheel control mode (WheelControl). Each state of each sub-state machine outputs an operating mode signal for the system, used to judge which operating mode the control system is in. At the start the satellite receives a satellite-rocket separation signal; according to this signal it enters the separated state and activates the rate damping mode. In rate damping mode a time signal is monitored which describes the time elapsed since the separation detected by environmental monitoring; once the time signal exceeds a specified value the satellite enters standby mode. Entering standby mode activates a beat counter, which records how long the system has been in this operating mode; once a certain condition is met the satellite formally enters flywheel control mode. Flywheel control mode is the mode in which the satellite runs most of the time and carries out its mission work; it also has a beat counter, and after the corresponding time the satellite returns to standby mode to save energy.
The corresponding SCADE text model of this system is exported, and the timing safety requirements to be verified are described in natural language.
The following property is to be verified: after satellite-rocket separation, the satellite control system enters standby mode, then after 5 time units enters the start-up operation of flywheel control mode, and after 10 time units returns to standby mode.
This can be described by the corresponding temporal logic expression:
G ((SM_SM1.state = AfterDepart & SM_SM1.Sub_SM2.state = Initial & X SM_SM1.Sub_SM2.state = Wait) -> (G[1,6] SM_SM1.Sub_SM2.state = Wait & G[7,17] SM_SM1.Sub_SM2.state = WheelControl))
The SCADE text model is turned into a NuSMV target model by the model conversion module; the obtained NuSMV target model and the above timing property expression are input together into the model checker NuSMV and the verification process is executed. The timing property of the model can thus be verified, and the model modified according to the feedback.
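As an added example (not part of the patent), the following Python checks the property just stated against constructed execution traces of the subsystem, applying the bounded operators exactly as the formula writes them: at every position where SM1 is AfterDepart, SM2 is Initial and SM2 is Wait in the next cycle, SM2 must be Wait at offsets 1 to 6 and WheelControl at offsets 7 to 17. The trace shape produced by make_trace and the strict treatment of positions beyond the end of a finite trace are choices of this example, not of the patent; NuSMV itself checks the formula over the infinite paths of the model.

```python
# Added example (not the patent's code): finite-trace checker for the satellite
# subsystem's timing property, read literally from the bounded LTL formula:
#   G ((SM1 = AfterDepart & SM2 = Initial & X SM2 = Wait)
#        -> (G[1,6] SM2 = Wait & G[7,17] SM2 = WheelControl))
# The traces built by make_trace() are constructed for this example.
from typing import Callable, List, Optional, Tuple

Step = Tuple[str, str]  # (SM_SM1.state, SM_SM1.Sub_SM2.state) observed in one cycle


def antecedent(trace: List[Step], i: int) -> bool:
    """SM1 = AfterDepart & SM2 = Initial at position i, and X (SM2 = Wait) at i + 1."""
    if i + 1 >= len(trace):
        return False
    return trace[i] == ("AfterDepart", "Initial") and trace[i + 1][1] == "Wait"


def bounded_globally(trace: List[Step], i: int, lo: int, hi: int,
                     pred: Callable[[Step], bool]) -> Optional[int]:
    """Evaluate G[lo,hi] pred at position i: pred must hold at every position
    i+lo .. i+hi. Returns the first offending position, or None if it holds.
    A position past the end of the finite trace counts as a violation (a strict
    finite-trace reading; NuSMV itself reasons over infinite paths)."""
    for k in range(i + lo, i + hi + 1):
        if k >= len(trace) or not pred(trace[k]):
            return k
    return None


def check_property(trace: List[Step]) -> Optional[Tuple[int, int, str]]:
    """Return None when the property holds on the whole trace; otherwise
    (position where the antecedent fired, violating position, expected SM2 state),
    which is what a counter-example has to carry back to the designer."""
    for i in range(len(trace)):
        if not antecedent(trace, i):
            continue
        bad = bounded_globally(trace, i, 1, 6, lambda s: s[1] == "Wait")
        if bad is not None:
            return (i, bad, "Wait")
        bad = bounded_globally(trace, i, 7, 17, lambda s: s[1] == "WheelControl")
        if bad is not None:
            return (i, bad, "WheelControl")
    return None


def make_trace(wait_cycles: int, wheel_cycles: int) -> List[Step]:
    """Constructed trace: one cycle before separation, separation into rate damping
    (Initial), then wait_cycles in Wait, wheel_cycles in WheelControl, then Wait."""
    trace = [("BeforeDepart", "Initial"), ("AfterDepart", "Initial")]
    trace += [("AfterDepart", "Wait")] * wait_cycles
    trace += [("AfterDepart", "WheelControl")] * wheel_cycles
    trace += [("AfterDepart", "Wait")]
    return trace


if __name__ == "__main__":
    print(check_property(make_trace(6, 11)))  # None: conforms to the formula's bounds
    print(check_property(make_trace(5, 11)))  # (1, 7, 'Wait'): left Wait one cycle early
    print(check_property(make_trace(6, 10)))  # (1, 18, 'WheelControl'): back to Wait early
```

The tuple returned on failure (antecedent position, violating position, expected state) is the minimum a counter-example needs to carry so that the designer can locate the offending cycle in the original SCADE model during the debugging step.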
According to an embodiment of the present application, a state machine model timing property verification system based on model conversion is also proposed which, as shown in Fig. 3, comprises:
a model parsing module 101, for parsing the text model of the high-safety application development environment SCADE and obtaining a syntax tree instance;
a symbol table container module 102, for loading the syntax tree instance and obtaining a symbol table instance;
a model conversion module 103, for converting the symbol table instance into a model for the symbolic model checker NuSMV according to conversion rules;
a model checking module 104, for verifying the timing properties of the NuSMV model against linear temporal logic (LTL) formulas and computation tree logic (CTL) formulas.
The model parsing module includes a grammar design unit, a syntax tree traversal unit and a syntax tree generation unit;
the grammar design unit is for writing, according to the grammar and semantics declarations of the SCADE text model, the declarations of the SCADE grammar and semantics as a corresponding ANTLR file in the format of the ANother Tool for Language Recognition (ANTLR); the ANTLR file describes the grammar and semantics declarations of the SCADE language;
the syntax tree traversal unit is for walking the SCADE text model with the corresponding Java listeners according to the declarations in the ANTLR file, and obtaining syntax tree information;
the syntax tree generation unit is for generating a syntax tree instance from the syntax tree information.
The symbol table container module includes a hierarchical structure symbol table definition unit, a sub-state machine structure symbol table definition unit and a syntax tree information loading unit;
the hierarchical structure symbol table definition unit is for defining the hierarchical structure symbol table;
the sub-state machine structure symbol table definition unit is for defining the sub-state machine structure symbol table;
the syntax tree information loading unit is for loading the syntax tree instance according to the hierarchical structure symbol table and the sub-state machine structure symbol table, and obtaining a symbol table instance.
The model checking module is specifically for:
verifying the timing properties of the NuSMV model against the LTL and CTL formulas;
if the timing property currently being verified is satisfied, carrying out verification of the next timing property;
if the timing property currently being verified is not satisfied, outputting counter-example information and stopping verification of the timing properties.
The LTL formulas are determined according to the timing safety requirements of the SCADE text model described in natural language.
The CTL formulas are determined according to the timing safety requirements of the SCADE text model described in natural language.
The grammar and semantics declarations include: program semantics, declaration semantics, type declarations, constant declaration semantics, user-defined operator node declaration semantics, equation and expression declarations, SCADE state machine semantics, and so on.
For better understanding, the workflow of the invention is illustrated below.
As shown in Fig. 4, the SCADE text model exported from the SCADE software is first input into the model parsing module, where the grammar design unit, the syntax tree traversal unit and the syntax tree generation unit turn the input SCADE text model into a syntax tree instance, which is the input of the symbol table container module.
The syntax tree instance comprises the structure of the syntax tree and the syntax tree information (the syntax tree information obtained by the listeners).
The SCADE hierarchical structure symbol table and sub-state machine structure symbol table are defined in the symbol table container module, so as to store the information in the syntax tree in a new form. Through the syntax tree information loading unit, the symbol table container module loads the syntax tree instance and converts it into an intermediate structure, namely a symbol table instance, which is the input of the model conversion module.
The symbol table instance is finally converted into the target model, i.e. the NuSMV model, by the conversion rules in the model conversion module.
The user rewrites the natural-language requirement properties of the SCADE text model as LTL and CTL formulas and inputs them into the model checking module. The model checking module carries out model property verification on the input NuSMV model together with the requirement properties rewritten as LTL and CTL formulas.
The user debugs the original SCADE model according to the counter-examples obtained, repeating the process until all properties are satisfied.
The conversion rules are as follows.
The conversion rules for transforming a SCADE state machine (symbol table instance) into a NuSMV input model are based on the STP method. To make it applicable to SCADE state machines, the conversion rules are redefined for the hierarchical structure and state machine features of SCADE, and its variable monitoring mechanism is improved, thus creating a conversion framework from SCADE state machines to NuSMV input models.
Fig. 5 shows a SCADE state machine in a control node (Node); the state machine has a hierarchical structure. State machine SM1 has two states A and B, state machine SM2 has two states C and D, and SM2 is the sub-state machine of state B. When the state transition condition g1 is satisfied, state A transitions to state B; g1, g2, ... in the figure therefore represent the transition conditions between states. A SCADE state has specific arithmetic operations, and in each cycle each state machine has one and only one state that is active.
A SCADE hierarchical state machine has the characteristics of a StateChart, so, similarly to the STP method, two Boolean trigger parameters, active and default, are introduced into the conversion rules. These two trigger parameters help the target model construct the hierarchical structure of the SCADE state machine, so that it is correctly depicted in the NuSMV model language.
Fig. 6 shows the state machine under simulation; bold lines mark the states that are currently active, and in the figure the currently active state is state B. State transitions in a SCADE state machine occur within the same layer: if the transition condition of target state B is satisfied, the state machine activates the transition, state B of SM1 becomes active, and at the same time state C in state machine SM2 is also activated. That is, in a SCADE hierarchical state machine the sub-state machine is activated when its parent state is activated. Converting such a structure directly into a NuSMV input model causes a problem: all modules (MODULE) in a NuSMV program are initialised at the start and remain active thereafter. Clearly the conversion cannot be done directly in this way; when a corresponding MODULE should not be active in certain cycles, the target NuSMV model must state this explicitly in some way, to prevent incorrect operations on variables in the NuSMV model. This is why the trigger parameter active is introduced: it handles the conflict between the start-up behaviour of the SCADE state machine and the NuSMV model by marking whether the corresponding MODULE is to be regarded as active.
In transfer framework, each sub-state machine can finally be converted into a MODULE of NuSMV.Assuming that state machine SsubIt is the sub-state machine of state S, whether the state machine where active represents state S is activation, and SM_active is enabled to represent Sub-state machine SsubWhether activate, as shown in the rule 1 of table 1, its value is determined by the expression formula on the right side of assignment, that is, works as shape The parent status of state S activates, and when current state is in S, then SsubState machine is also activated.
Table 1
Rule 1: trigger parameter active of the sub-state machine S_sub
SM_active := (state = S) & active;
Each state machine has its own initial state, and the trigger parameter active tells us whether a given sub-state-machine module has been triggered. A state may undergo two different kinds of transition:
(1) Default transition: when a state machine is triggered, its initial state is activated first; we call this a default transition.
(2) Regular transition: a transition that the state machine performs between the states on its own layer; we call this a regular transition.
In SCADE, suppose some sub-state machine is active and performs regular transitions. After several cycles, the parent state of that sub-state machine migrates because its transition condition changes, which means the parent state goes from active to inactive. When the parent state of the sub-state machine is activated again, the sub-state machine must perform a default transition, i.e. its initial state is activated. When we convert a SCADE state machine into a NuSMV input model, the trigger parameter active alone cannot guarantee that the MODULE of the sub-state machine still performs this default transition; this is why another trigger parameter, default, has to be introduced. By setting the parameter default to true (True), the target model ensures that a default transition takes place, activating the initial state, every time the sub-state machine is entered.
Let S be the current state and P1, ..., Pn the predecessors of state S. When one of the transition conditions from P1, ..., Pn to state S is satisfied, the trigger parameter default must be set to true (True). At the same time, this is only meaningful when the state machine containing S is active; as shown in rule 2 of Table 2, the assignment statement must therefore be conjoined (&) with the trigger active. Suppose Def_S denotes the trigger parameter default of the sub-state machine S_sub under state S. We first initialize this parameter to False, meaning that the state machine S_sub has not been initialized yet; Def_S is then defined by the conversion rule above:
Table 2
In addition, there is one special case: the top-level state machine. Every state machine in a SCADE state machine model is a sub-state machine of the top-level state machine; for example, SM1 in Figure 5 is a sub-state machine of the top-level state machine SM. This state machine corresponds to the main module (MODULE main) of the NuSMV target model. The top-level state machine does not actually need the trigger parameter default, because it is always active. We therefore choose to set default to True in the first time unit and to False in every later time unit; this ensures that the top-level state machine performs its default transition only at the very beginning, and only for one cycle. According to rule 3 of Table 3, we can finally define its parameter default in the main module of the NuSMV program:
Table 3
The conversion rules for the trigger parameters active and default let the hierarchical state machine structure be expressed in a normalized form in the NuSMV target model. Suppose S is a state of sub-state machine SMi, SMj is the sub-state machine of state S, and sub-state machine SMj has the states s1, ..., sn. In the NuSMV target model the hierarchical structure of the sub-state machines SMi and SMj is as shown in Figure 7: in SMi, the parameter active denotes whether SMi is active, and since SMj is the sub-state machine of state S, SMj_active denotes whether sub-state machine SMj is active. This structure combines rule 1 and rule 2.
Transition relations exist within SCADE hierarchical state machines. In Figure 5, sub-state machine SM1 has two states A and B; when the transition condition g1 is satisfied, the transition from state A to state B takes place. Likewise, when g3 is satisfied, the transition from state C to state D takes place in sub-state machine SM2. Each sub-state machine appears in the NuSMV target model as a module (MODULE); all state names of the SCADE sub-state machine are declared in an enumerated variable of the corresponding module, and the state carries the two trigger parameters active and default. The parameter active indicates whether the module is really active, and default indicates whether the default initial transition takes place. Consequently, the state-name variable state of the module is visible only when the trigger parameter active is True.
From the characteristics of SCADE state machines we know that state transitions occur only within a state machine of the same level. As shown in Figure 8, S1, ..., Sn in a sub-state machine are the target states of state S, reached through the transition conditions guard(S, S1), ..., guard(S, Sn) respectively. Using the NuSMV keyword next, conversion rule 4 for regular transitions is defined as shown in Table 4.
Table 4
From this we can also see that when a state transition takes place in some cycle the state name changes, and if none of the transition conditions of the current state is satisfied the next state remains the state itself. This matches SCADE state transitions: when a SCADE state machine does not transition, the operations of the current state are executed again. All of this holds only on the condition that the containing state machine is active, so the trigger parameter active must be conjoined with these conditions.
When a sub-state machine performs a default transition, its initial state is activated by conversion rule 5 below, as shown in Table 5.
Table 5
Rule 5: state transition in the default-transition case
next(state) := next(active) & next(default) : S0;
A reactive system responds to inputs from its environment, drives particular output devices and thereby updates the values the environment senses, and the SCADE model determines how the system responds. A control system designed in SCADE therefore necessarily contains operations and behaviours that affect its output variables. In Figure 5 it can be seen that state A performs a numerical operation on the input variable x and writes the result to the output variable o. Such behaviour in a SCADE state updates and changes the values of declared variables. In the NuSMV target model, the environment inputs of SCADE can be defined in the main module (MODULE main) of the NuSMV model and declared as global variables; each sub-state-machine module reacts and operates according to the environment inputs and updates the values of the global variables.
In NuSMV every module can read the values of the global variables of the main module, but NuSMV does not allow these sub-state-machine modules to update a global variable concurrently. The monitor-like mechanism of the STP method enables the model to read and write monitored variables: every event or condition variable Var of a StateChart always has a corresponding module named Set_Var, which manipulates the value of the variable Var through monitoring parameters.
The problem is that in the STP method all events and condition variables have been abstracted into Boolean variables, whereas in SCADE the data types of variables can be more complex. Moreover, in SCADE the event behaviours in state transition conditions and inside states are all concrete data-flow operations; for example, a state S of a SCADE state machine uses arithmetic operators to respond to specific variables.
To overcome these shortcomings of the STP method for SCADE state machines, the present application proposes a variable monitoring mechanism oriented to SCADE models, which establishes a communication mechanism between the sub-state machines and the global variables. The SCADE variable monitoring mechanism first refines the two classes of variable monitoring parameters set_m and reset_m of the STP method into set(var,s) and reset(var,s), then designs the SCADE variable monitoring module, and finally proposes the assignment rules for the two classes of variable monitoring parameters in each sub-state machine.
Since in SCADE both event behaviours and transition conditions are expressions over input and output variables, and the input variables are determined by the environment, only the output variables need to be monitored. These monitoring parameters are all declared as global variables in the main module of the NuSMV target model.
Definition. Let a state s of a SCADE state machine contain an operation behaviour that updates the value of the output variable var. Then:
The variable monitoring parameter set(var,s) is a Boolean parameter that indicates whether, when the current state is s, the behaviour operation that changes var in this state needs to be executed;
The variable monitoring parameter reset(var,s) is a Boolean parameter that indicates whether, when a transition whose target state is s takes place, the behaviour operation that changes var needs to be executed in the target state s.
We also need to define the conversion rule for the variable monitoring module. For an output variable Var, the monitoring module of that variable is named Set_Var. A module of this kind is responsible for changing the value of the variable Var according to the values of the monitoring parameters: when the corresponding monitoring parameter is True, the assignment operation on the variable Var is executed. Let v1, ..., vi, ..., vn be all variables of the SCADE state machine, and let the states s1, ..., sm all contain an operation on the output variable vi; rule 6 in Table 6 is the conversion rule for the monitoring module of the variable vi. Here set_vi_s1, ..., reset_vi_sm denote the relevant monitoring parameters set(var,s) and reset(var,s). Specifically, in a particular state sk, the assignment expressions for the variable vi are denoted set_action(sk) and reset_action(sk). These assignment operations are data-flow operations within the state, so we can convert them directly into the corresponding expressions. The conversion rule also supports such assignment operations calling other user-defined function nodes, so if needed the called function names function1, ..., functionk must be declared.
Table 6
With the rules above and the previously introduced trigger parameters active and default, we are able to build the structure of the SCADE hierarchical state machine on a NuSMV model. But the whole hierarchical state machine operates correctly only when the variable monitoring parameters hold the correct values. These monitoring parameters act like switches for state behaviours: when one of the switches is turned on, the variable controlled by that switch is updated. We therefore need to control these switches dynamically, that is, to control these monitoring parameters in the module corresponding to each sub-state machine.
Assignment rule for the monitoring parameter set(var,s): as shown in Figure 9(a), let the current state be s, let T1, ..., Tm be the successor states of state s, and let guard(s, Ti) denote the transition condition from state s to Ti, where i ∈ {1, ..., m}. In a SCADE state machine, if none of the transition conditions of state s is satisfied, the next state remains s and the operations of the state are executed again in the next cycle. Therefore, as shown in rule 7 of Table 7, while the state machine containing state s is active, set(var,s) is set to True if none of its transition conditions is satisfied, and to False otherwise. Here set_var_s is equivalent to set(var,s).
Table 7
Assignment rule for the monitoring parameter reset(var,s): as shown in Figure 9(b), state s is the target state of the states P1, ..., Pn, and the transition condition from state Pj to state s is denoted guard(Pj, s), where j ∈ {1, ..., n}. When one of the transition conditions guard(Pj, s) is satisfied, the system reaches state s, and the monitoring parameter reset(var,s) is set. Rule 8 of Table 8 is the assignment rule for reset(var,s); note that if the target state s is the initial state of some sub-state machine, the monitoring parameter must also be set to True. Here reset_var_s is equivalent to reset(var,s).
Table 8
The refined SCADE variable monitoring mechanism can manipulate the values of the output variables indirectly through the monitoring parameters. Figure 10 is a schematic diagram of the SCADE parameter monitoring mechanism, which establishes communication between the sub-state-machine modules and the output-variable monitoring modules. As mentioned before, the environment variables of the system correspond to the input variables, and the input variables affect the values of the expressions over the other variables inside the states as well as the values of the transition conditions, through which each state machine performs its state transitions. Each sub-state machine SMi can then read the variables and in turn change the values of the monitoring parameters. The monitoring parameters decide whether the operation on some output variable is executed in a particular state: if a monitoring parameter is True, the variable monitoring module updates the value of the corresponding output variable. This is the mechanism by which the value of each variable is changed through the monitoring parameters, and this cycle constitutes the SCADE variable monitoring mechanism.
The main module (MODULE main) of the NuSMV target model describes the top-level SCADE state machine; this state machine has only one state and is always active. The main module mainly handles the variable declarations, including input variables, output variables, state variables, monitoring variables and so on; in addition it handles the instantiations, including the instantiation of the sub-state-machine modules, of the variable monitoring modules and of the user-defined node function modules, as well as the initialization of the monitoring variables.
In the method of the present application, the text model of the high-safety application development environment SCADE is parsed and converted into a NuSMV model, and the temporal properties of the NuSMV model are verified against LTL formulas and CTL formulas, thereby verifying the temporal properties of the SCADE text model. This overcomes the limitation of SCADE model property verification and further improves the safety and reliability of software systems. Introducing formal verification for SCADE provides a timing specification that can describe timing-related safety requirements, so that the temporal properties of the model can be verified. Providing a conversion mechanism that automatically converts a SCADE state machine model into a NuSMV model, and that describes the structure of the hierarchical state machine, supports the need to verify the properties of hierarchical state machines. The method of the present application can be used to debug and correct design defects of SCADE state machine models, in particular when the system fails to satisfy its temporal properties; this further reduces system development costs and improves system reliability.
The above is only a preferred specific embodiment of the present application, but the protection scope of the present application is not limited thereto. Any changes or substitutions that can readily be conceived by anyone skilled in the art within the technical scope disclosed by the present application shall be covered by the protection scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.
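As an added example that is not the patent's own converter, the Python below emits a NuSMV model from a hierarchical state machine description by applying rules 1 to 8 as described above: the trigger parameters active and default, regular and default transitions, the set/reset monitoring parameters, and one Set_var monitor module per output variable. It assumes the Figure 5 machine with guards over a single input x in 0..255 and the action o := (x + 1) mod 256 in state A; the states are named sA to sD because single-letter names such as A and F are reserved NuSMV keywords, and since Tables 2, 4, 6, 7 and 8 are not reproduced on this page, their concrete NuSMV form here follows the prose description (the default flag of a sub-machine is a variable initialised to FALSE and set by the predecessor guards, as the text for rule 2 says).

```python
"""Constructed example (not the patent's converter): emit a NuSMV model from a SCADE-style
hierarchical state machine with the active/default trigger parameters and set/reset monitoring
parameters described above."""
from dataclasses import dataclass, field


@dataclass
class SubMachine:
    name: str
    states: list                                  # states[0] is the initial state S0
    guards: dict                                  # (src, dst) -> guard expression over the inputs
    children: dict = field(default_factory=dict)  # parent state -> SubMachine
    writes: dict = field(default_factory=dict)    # state -> (output var, action expression)


def disj(terms):  # OR-join guard terms; with no term at all the condition can never hold
    return " | ".join(f"({t})" for t in terms) if terms else "FALSE"


def emit_submachine(sm, inputs):
    """One NuSMV MODULE per sub-state machine, applying rules 1, 2, 4, 5, 7 and 8."""
    s0, args = sm.states[0], ", ".join(inputs)
    out = [f"MODULE {sm.name}(active, default, {args})", "VAR",
           f"  state : {{{', '.join(sm.states)}}};"]
    for c in sm.children.values():
        out += [f"  {c.name}_default : boolean;",
                f"  {c.name.lower()} : {c.name}({c.name}_active, {c.name}_default, {args});"]
    # rule 1: a child machine is active only while its parent state is current and this machine is active
    defs = [f"  {c.name}_active := (state = {p}) & active;" for p, c in sm.children.items()]
    for s, (var, _) in sm.writes.items():
        leaving = [f"state = {s} & ({g})" for (src, _), g in sm.guards.items() if src == s]
        entering = [f"state = {src} & ({g})" for (src, dst), g in sm.guards.items() if dst == s]
        entering += ["default"] * (s == s0)  # S0 is also entered by the default transition
        # rule 7: the state's operation keeps running while no outgoing guard fires
        defs.append(f"  set_{var}_{s} := active & state = {s} & !({disj(leaving)});")
        # rule 8: it also runs in the cycle in which the state is entered
        defs.append(f"  reset_{var}_{s} := active & ({disj(entering)});")
    out += (["DEFINE"] + defs) if defs else []
    out += ["ASSIGN", f"  init(state) := {s0};"]
    for p, c in sm.children.items():
        preds = [f"state = {src} & ({g})" for (src, dst), g in sm.guards.items() if dst == p]
        # rule 2: the child owes a default transition whenever its parent state is entered
        out += [f"  init({c.name}_default) := FALSE;",
                f"  next({c.name}_default) := active & ({disj(preds)});"]
    out += ["  next(state) := case", f"    next(active) & next(default) : {s0};"]  # rule 5: restart at S0
    out += [f"    active & state = {src} & ({g}) : {dst};" for (src, dst), g in sm.guards.items()]  # rule 4
    out += ["    TRUE : state;", "  esac;", ""]
    return out + [line for c in sm.children.values() for line in emit_submachine(c, inputs)]


def monitor_flags(sm, var, path):
    """(set flag, reset flag, action) for every state at or below sm that writes var."""
    found = [(f"{path}.set_{var}_{s}", f"{path}.reset_{var}_{s}", act)
             for s, (v, act) in sm.writes.items() if v == var]
    return found + [t for c in sm.children.values() for t in monitor_flags(c, var, f"{path}.{c.name.lower()}")]


def emit_main(top, inputs, outputs, specs):
    """MODULE main (rule 3 for the top level) plus one Set_var monitor module per output (rule 6)."""
    args = ", ".join(inputs)
    out = ["MODULE main", "VAR", "  default : boolean;"] + [f"  {i} : 0..255;" for i in inputs]
    out.append(f"  {top.name.lower()} : {top.name}(TRUE, default, {args});")  # top level: always active
    monitors = []
    for var in outputs:
        flags = monitor_flags(top, var, top.name.lower())  # dotted names as seen from main
        out.append(f"  set_{var} : Set_{var}({args}, {', '.join(f for t in flags for f in t[:2])});")
        leaf = [(s.rsplit('.', 1)[1], r.rsplit('.', 1)[1], act) for s, r, act in flags]
        monitors += [f"MODULE Set_{var}({args}, {', '.join(f for t in leaf for f in t[:2])})", "VAR",
                     f"  {var} : 0..255;", "ASSIGN", f"  init({var}) := 0;", f"  next({var}) := case"]
        monitors += [f"    {s} | {r} : {act};" for s, r, act in leaf]  # switch on -> apply the action
        monitors += [f"    TRUE : {var};", "  esac;", ""]
    # rule 3: the top level takes its default transition only in the first cycle
    out += ["ASSIGN", "  init(default) := TRUE;", "  next(default) := FALSE;", ""]
    return out + list(specs) + [""] + monitors


def figure5():
    """The Figure 5 machine as assumed here: SM1 = {sA, sB}; SM2 = {sC, sD} is the sub-machine of sB."""
    sm2 = SubMachine("SM2", ["sC", "sD"], {("sC", "sD"): "x > 10"})
    return SubMachine("SM1", ["sA", "sB"], {("sA", "sB"): "x > 0", ("sB", "sA"): "x = 0"},
                      children={"sB": sm2}, writes={"sA": ("o", "(x + 1) mod 256")})


# Added temporal property for Figure 5: entering sB restarts SM2 in its initial state sC (rules 2 and 5).
FIGURE5_SPECS = ["LTLSPEC G ((sm1.state = sA & X (sm1.state = sB)) -> X (sm1.sm2.state = sC))"]


def to_nusmv(top, inputs, outputs, specs=()):
    return "\n".join(emit_main(top, inputs, outputs, specs) + emit_submachine(top, inputs))
```

Calling to_nusmv(figure5(), ["x"], ["o"], FIGURE5_SPECS) returns the complete model text, which can be checked with NuSMV directly.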

Claims (8)

1. A state machine model temporal property verification method based on model conversion, characterized by comprising:
a model parsing step, which parses a text model of the high-safety application development environment SCADE and obtains a syntax tree instance;
a symbol table container step, which loads the syntax tree instance and obtains a symbol table instance;
a model conversion step, which converts the symbol table instance into a model of the symbolic model checker NuSMV according to conversion rules;
a model checking step, which verifies the temporal properties of the NuSMV model according to linear temporal logic LTL formulas and computation tree logic CTL formulas.
2. The method according to claim 1, characterized in that the implementation of the model parsing step comprises:
according to the syntax and semantics declaration of the SCADE text model, writing the syntax and semantics declaration of the SCADE language into a corresponding ANTLR file using the format of the language recognition tool ANTLR (ANother Tool for Language Recognition), the ANTLR file describing the syntax and semantics declaration of the SCADE language;
listening to the SCADE text model and, according to the declaration in the ANTLR file, obtaining syntax tree information with the corresponding Java listener;
generating the syntax tree instance from the syntax tree information.
3. The method according to claim 1, characterized in that the implementation of the symbol table container step comprises:
defining a hierarchical structure symbol table and a sub-state machine structure symbol table;
loading the syntax tree instance according to the hierarchical structure symbol table and the sub-state machine structure symbol table to obtain the symbol table instance.
4. The method according to claim 1, characterized in that the implementation of the model checking step comprises:
verifying the temporal properties of the NuSMV model according to the LTL formulas and CTL formulas;
if the temporal property currently being verified is satisfied, proceeding to the verification of the next temporal property;
if the temporal property currently being verified is not satisfied, outputting counterexample information and stopping the verification of temporal properties.
5. The method according to claim 4, characterized in that, after stopping the verification of temporal properties, it further comprises:
a model debugging step, which modifies the SCADE system development environment according to the counterexample information, generates a new SCADE text model, and verifies the temporal properties again.
6. The method according to claim 1, characterized in that the LTL formulas are determined according to the timing safety requirements described in natural language for the SCADE text model.
7. The method according to claim 1, characterized in that the CTL formulas are determined according to the timing safety requirements described in natural language for the SCADE text model.
8. The method according to claim 3, characterized in that the syntax and semantics declaration comprises: program semantics, declaration semantics, type declarations, constant declaration semantics, user-defined operator node declaration semantics, equation and expression declarations, and SCADE state machine semantics.
CN201910606311.5A 2019-07-05 2019-07-05 State machine model time sequence property verification method based on model conversion Active CN110532167B (en)
Publications (2)

Publication Number Publication Date
CN110532167A true CN110532167A (en) 2019-12-03
CN110532167B CN110532167B (en) 2021-05-04

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20210806

Address after: Room 801, no.6, Lane 600, Yunling West Road, Putuo District, Shanghai 200062

Patentee after: SHANGHAI FORMAL TECH INFORMATION TECHNOLOGY Co.,Ltd.

Address before: 200062 No. 3663, Putuo District, Shanghai, Zhongshan North Road

Patentee before: EAST CHINA NORMAL University

Patentee before: SHANGHAI FORMAL TECH INFORMATION TECHNOLOGY Co.,Ltd.