CN110532167A - A kind of state machine model timing property verification method based on model conversion - Google Patents
- Publication number: CN110532167A (application CN201910606311.5A)
- Authority: CN (China)
- Prior art keywords: model, scade, state machine, state, symbol table
- Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/36—Preventing errors by testing or debugging software
- G06F11/3604—Software analysis for verifying properties of programs
- G06F11/3608—Software analysis for verifying properties of programs using formal methods, e.g. model checking, abstract interpretation
Abstract
This application discloses a state machine model temporal property verification method based on model conversion, comprising: a model parsing step, which parses a SCADE text model and obtains a syntax tree instance; a symbol table container step, which loads the syntax tree instance and obtains a symbol table instance; a model conversion step, which converts the symbol table instance into a NuSMV model according to conversion rules; and a model checking step, which verifies the temporal properties of the NuSMV model against LTL formulas and CTL formulas. By parsing the text model of the high-safety application development environment SCADE, converting the SCADE text model into a NuSMV model and verifying the temporal properties of the NuSMV model with LTL and CTL formulas, the temporal properties of the SCADE text model are verified. This overcomes a limitation of SCADE model property verification and further improves the safety and reliability of software systems. By introducing temporal specifications that describe timing-related safety requirements into SCADE formal verification, the temporal properties of the model can be verified.
Description
Technical field
This application relates to the field of embedded software, and in particular to a state machine model temporal property verification method based on model conversion.
Background technique
Software safety has always been a concern in the safety-critical field. Although the development efficiency of software applications has improved, the safety and reliability of the resulting software systems still have to be guaranteed: in these fields a software error can cause serious economic loss and even threaten lives. Traditional software verification simulates the developed software system in order to find errors and correct them in time. The Safety-Critical Application Development Environment (SCADE) provides a formal verification component, the Design Verifier (DV), which first models the safety requirements graphically and then proves, with model checking algorithms based on satisfiability (SAT), whether the model meets the requirements. However, as SCADE is applied more widely and system requirements become more diverse, especially where timing-related properties are involved, the expressiveness of DV is insufficient to describe those requirements.
In summary, a method is needed that can verify the temporal properties of a SCADE text model, so as to improve the safety and reliability of software systems.
Summary of the invention
To solve the above problem, the applicant proposes a state machine model temporal property verification method based on model conversion: the text model of the high-safety application development environment SCADE is parsed, the SCADE text model is converted into a NuSMV model, and the temporal properties of the NuSMV model are verified against LTL and CTL formulas, thereby verifying the temporal properties of the SCADE text model.
Specifically, the invention proposes a state machine model temporal property verification method based on model conversion, comprising:
a model parsing step, which parses the text model of the high-safety application development environment SCADE and obtains a syntax tree instance;
a symbol table container step, which loads the syntax tree instance and obtains a symbol table instance;
a model conversion step, which converts the symbol table instance into a model for the symbolic model checker NuSMV according to conversion rules;
a model checking step, which verifies the temporal properties of the NuSMV model according to linear temporal logic (LTL) formulas and computation tree logic (CTL) formulas.
Preferably, the model parsing step is implemented as follows:
according to the grammar and semantics declarations of the SCADE text model, the SCADE grammar and semantics declarations are written, in the format of the language recognition tool ANTLR, into corresponding ANTLR files, which describe the grammar and semantics declarations of the SCADE language;
according to the declarations in the ANTLR files, the SCADE text model is traversed with corresponding Java listeners to obtain syntax tree information;
a syntax tree instance is generated from the syntax tree information.
Preferably, the symbol table container step is implemented as follows:
a hierarchical structure symbol table and a sub-state machine structure symbol table are defined;
according to the hierarchical structure symbol table and the sub-state machine structure symbol table, the syntax tree instance is loaded to obtain a symbol table instance.
Preferably, the model checking step is implemented as follows:
the temporal properties of the NuSMV model are verified according to the LTL and CTL formulas;
if the temporal property currently being verified is satisfied, verification proceeds to the next temporal property;
if the temporal property currently being verified is not satisfied, counterexample information is output and verification of temporal properties stops.
Preferably, after verification of temporal properties stops, the method further includes:
a model debugging step, which modifies the model in the SCADE system development environment according to the counterexample information and generates a new SCADE text model, whose temporal properties are then verified again.
Preferably, the LTL formulas are determined according to the temporal safety requirements of the SCADE text model described in natural language.
Preferably, the CTL formulas are determined according to the temporal safety requirements of the SCADE text model described in natural language.
Preferably, the grammar and semantics declarations include: program semantics, declaration semantics, type declarations, constant declaration semantics, custom operator node declaration semantics, equation and expression declarations, and SCADE state machine semantics.
The advantage of the application is that, by parsing the text model of the high-safety application development environment SCADE, converting the SCADE text model into a NuSMV model and verifying the temporal properties of the NuSMV model according to LTL and CTL formulas, the temporal properties of the SCADE text model are verified; this overcomes a limitation of SCADE model property verification and further improves the safety and reliability of software systems.
Detailed description of the invention
By reading the following detailed description of the preferred embodiments, various other advantages and benefits will become clear to those of ordinary skill in the art. The drawings are only intended to show the preferred embodiments and are not to be considered a limitation of the application. Throughout the drawings, identical components are indicated by the same reference symbols. In the drawings:
Fig. 1 is a schematic diagram of the steps of the state machine model temporal property verification method based on model conversion provided by the present application;
Fig. 2 is a schematic diagram of the SCADE state machine model of a subsystem of a satellite control system, used as an example for the method;
Fig. 3 is a schematic diagram of the state machine model temporal property verification system based on model conversion provided by the present application;
Fig. 4 is a structural schematic diagram of the state machine model temporal property verification system based on model conversion provided by the present application;
Fig. 5 is a schematic diagram of an example hierarchical SCADE state machine used to illustrate the conversion rules of the method;
Fig. 6 is a schematic diagram, for the conversion rules, of state B and state machine SM2 being activated in simulation;
Fig. 7 is a structural schematic diagram, for the conversion rules, of the hierarchical state machine in the NuSMV target model;
Fig. 8 is the transition diagram of state S, for the conversion rules;
Fig. 9 is a schematic diagram of the state transition relation, for the conversion rules;
Fig. 10 is a schematic diagram of the SCADE variable monitoring mechanism of the conversion rules.
Specific embodiment
Exemplary embodiments of the disclosure are described more fully below with reference to the accompanying drawings. Although the drawings show exemplary embodiments of the disclosure, it should be understood that the disclosure may be realized in various forms and is not limited to the embodiments set forth here. Rather, these embodiments are provided so that the disclosure is understood thoroughly and its scope is fully conveyed to those skilled in the art.
According to an embodiment of the present application, a state machine model temporal property verification method based on model conversion is proposed, as shown in Fig. 1, comprising:
S101, a model parsing step, which parses the text model of the high-safety Safety-Critical Application Development Environment (SCADE) and obtains a syntax tree instance;
S102, a symbol table container step, which loads the syntax tree instance and obtains a symbol table instance;
S103, a model conversion step, which converts the symbol table instance into a model for the symbolic model checker NuSMV (New Symbolic Model Verifier) according to conversion rules;
S104, a model checking step, which verifies the temporal properties of the NuSMV model according to Linear Temporal Logic (LTL) formulas and Computation Tree Logic (CTL) formulas.
The model parsing step, the symbol table container step and the model conversion step convert the input SCADE text model into an input model for a model checker, namely a model for the symbolic model checker NuSMV (New Symbolic Model Verifier); the generated NuSMV model is the input of the model checking step.
The model checking step verifies the temporal safety requirements and properties of the state machine system that the NuSMV model corresponds to.
The model parsing step is implemented as follows:
according to the grammar and semantics declarations of the SCADE text model, the SCADE grammar and semantics declarations are written as corresponding ANTLR (ANother Tool for Language Recognition) files, which describe the grammar and semantics declarations of the SCADE language;
according to the declarations in the ANTLR files, the SCADE text model is traversed with corresponding Java listeners to obtain syntax tree information;
a syntax tree instance is generated from the syntax tree information.
The ANTLR tool generates the parsing interfaces for the SCADE language grammar; through these interfaces the model syntax tree is generated and the information in the SCADE state machine model is obtained. This information is the input of the syntax tree listeners (Java listeners) described below.
Using the application programming interface (API) of the ANTLR runtime, different types of Java listener are implemented to obtain the various kinds of information on the syntax tree (the syntax tree information). The listeners include: an operator node listener, a data type listener, an expression listener, an equation listener, a custom operator node listener, a constant listener and a state machine transition relation listener, among others.
By using these listeners in combination, the information on the syntax tree is saved into the corresponding sets, and this syntax tree information is used to generate the syntax tree instance.
The symbol table container step is implemented as follows:
a hierarchical structure symbol table and a sub-state machine structure symbol table are defined;
according to the hierarchical structure symbol table and the sub-state machine structure symbol table, the syntax tree instance is loaded to obtain a symbol table instance.
The user defines the hierarchical structure symbol table as needed, and likewise defines the sub-state machine structure symbol table as needed.
The hierarchical structure symbol table (SCADE hierarchical structure symbol table) describes the structure of the SCADE hierarchical state machine: the set of variables in the SCADE state machine model, the set of sub-state machines, the set of operators used in the state machines and the set of user-defined function nodes called by the state machines. It defines the data structures of these sets.
The sub-state machine structure symbol table (SCADE sub-state machine structure symbol table) describes the structure of a sub-state machine, which includes: the set of states the sub-state machine owns, its initial state, the relation function between the sub-state machine and its states, the transition relation between states, and the event behaviour operations within the states. The sub-state machine structure symbol table also defines the data structure of the SCADE sub-state machine structure.
The syntax tree information obtained with the Java listeners is loaded into the symbol table instance.
The conversion rules are based on two kinds of mechanism: a hierarchical state machine structure conversion mechanism and a variable monitoring mechanism. The hierarchical state machine structure conversion mechanism introduces trigger parameter rules to assist the conversion process, so that the hierarchical structure of the SCADE state machine is finally constructed in the NuSMV target model; it also defines state transition conversion rules, so that each sub-state machine can be represented by one module in the NuSMV model and the relations between sub-state machines are expressed within the modules. The variable monitoring mechanism controls the behaviour events of the states in the model: a SCADE state contains specific event operations, which correspond to functions of the real system and change the values of variables in the model. The variable monitoring mechanism uses monitoring parameters to decide whether these operations are executed, and thereby indirectly controls the changes of those variables. Based on these conversion rules, the symbol table instance is converted into a NuSMV model.
The NuSMV model obtained after conversion consists of: sub-state machine modules, variable monitoring modules, custom function node modules and a top-level state machine module (main module).
Each sub-state machine module corresponds to one sub-state machine in the SCADE state machine and contains: the sub-states the sub-state machine includes, the state transition relation, the trigger parameters, the assignment of the monitoring parameters, and the instantiation of the sub-state machines owned by this sub-state machine.
Each variable monitoring module controls the assignment operations of the corresponding output variable through monitoring parameters. If custom data flow function nodes are used in the SCADE model, these modules are generated in the target NuSMV model. The top-level state machine module represents the topmost state machine of the SCADE state machine and is responsible for the declaration of model variables and parameters, the instantiation of sub-state machines, the initialization of variables and parameters, the instantiation of function nodes, and similar work. There is exactly one top-level state machine module, and it governs the whole generated target NuSMV model.
A SCADE state machine contains SCADE sub-state machines.
A SCADE text model is a textual form of a SCADE state machine.
The model checking step is implemented as follows:
the temporal properties of the NuSMV model are verified according to the LTL and CTL formulas;
if the temporal property currently being verified is satisfied, verification proceeds to the next temporal property;
if the temporal property currently being verified is not satisfied, counterexample information is output and verification of temporal properties stops.
After verification of temporal properties stops, the method further includes:
a model debugging step, which modifies the model in the SCADE system development environment according to the counterexample information and generates a new SCADE text model, whose temporal properties are then verified again.
The model checking step executes the verification process for the SCADE state machine model, i.e. the verification of the temporal properties of the NuSMV model.
The user designs the SCADE state machine model in the SCADE system development environment, and the temporal safety requirements of the system to be verified are first described in natural language. The SCADE text model derived from the designed SCADE state machine model is the input of the model conversion module, while the natural-language requirements are rewritten as temporal logic expressions such as LTL or CTL formulas. The SCADE text model is converted into the NuSMV target model by the model conversion module; this model and the temporal property expressions (the temporal safety requirements rewritten as LTL or CTL temporal logic expressions) are input together into the model checker NuSMV, and the verification process is started. The verification result is displayed on a visual console: if the temporal property is satisfied, verification proceeds to the next temporal property; if it cannot be satisfied, a counterexample is output for the user to analyse and to debug the original SCADE model, and the cycle is repeated until all temporal properties are satisfied. By introducing temporal specification descriptions (temporal property expressions), the SCADE development environment is connected with the model checker NuSMV, so that the timing-related safety requirements and properties of the SCADE model can be verified.
The temporal specification describes the temporal safety requirements of the system.
The LTL formulas are determined according to the temporal safety requirements of the SCADE text model described in natural language.
The CTL formulas are determined according to the temporal safety requirements of the SCADE text model described in natural language.
The grammar and semantics declarations include: program semantics, declaration semantics, type declarations (type declaration semantics), constant declaration semantics, custom operator node declaration semantics, equation and expression declarations (equation and expression semantics), SCADE state machine semantics, and so on.
As an example, temporal property verification is carried out on a satellite control system model. The satellite control system is a sub-control system that controls the switching of the satellite between its different operating modes, covering the separation of the satellite from the rocket and the operation of the satellite after separation.
Fig. 2 shows the SCADE state machine model of this subsystem. It has two sub-state machines, SM1 and SM2, which describe the satellite-rocket separation process and the operating modes of the satellite after separation, respectively. SM1 therefore has two states, the not-yet-separated state (BeforeDepart) and the post-separation state (AfterDepart); SM2 has three states, representing rate damping mode (Initial), standby mode (Wait) and flywheel control mode (WheelControl). Each state of a sub-state machine outputs an operating mode signal for the system, which is used to judge which operating mode the control system is in. At the beginning the satellite receives a satellite-rocket separation signal; on that signal it enters the post-separation state and activates rate damping mode. In rate damping mode a time signal is monitored, which describes how long the environment monitoring has observed the separation to have lasted; once the time signal exceeds a specified value, the satellite enters standby mode. On entering standby mode a tick counter is activated, which records how long the satellite has been in this operating mode; only after a certain condition is met does the satellite formally enter flywheel control mode. Flywheel control mode is the mode in which the satellite runs most of the time and performs its mission work. This mode also has a tick counter, and after the corresponding time the satellite returns to standby mode in order to save energy.
The SCADE text model corresponding to this system is exported, and the temporal safety requirement to be verified is described in natural language.
The following property is to be verified: after satellite-rocket separation, the satellite control system enters standby mode, then after 5 time units enters the start-up operation of flywheel control mode, and returns to standby mode after 10 time units.
This is described by the corresponding temporal logic expression:
G ((SM_SM1.state = AfterDepart & SM_SM1.Sub_SM2.state = Initial & X SM_SM1.Sub_SM2.state = Wait)
   -> (G [1,6] SM_SM1.Sub_SM2.state = Wait & G [7,17] SM_SM1.Sub_SM2.state = WheelControl))
The SCADE text model is converted into the NuSMV target model by the model conversion module; the resulting NuSMV target model and the above temporal property expression are input together into the model checker NuSMV and the verification process is executed. This verifies the temporal property of the model, so that the model can be modified according to the feedback.
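The patent hands the property above to NuSMV, which explores every execution of the model. To make the formula's cycle-by-cycle demands concrete, the following added example (not part of the patent, and not the patent's tooling) evaluates the same bounded LTL formula over finite, constructed simulation traces of the Fig. 2 satellite model and reports the first cycle at which it fails, which is the information a counterexample carries. The trace contents, the `inactive` marker for SM2 while SM1 is still in BeforeDepart, and the finite-trace semantics of `X` and `G[a,b]` (positions beyond the end of the trace are not checked) are assumptions of this example.

```python
"""Evaluate the page's bounded LTL property over constructed satellite traces.

Added example, not the patent's code. The formula is the one from the page:
G ((SM1 = AfterDepart & SM2 = Initial & X SM2 = Wait)
   -> (G[1,6] SM2 = Wait & G[7,17] SM2 = WheelControl))
"""
from typing import Callable, Dict, List, Optional

State = Dict[str, str]                       # one cycle: {"SM1": ..., "SM2": ...}
Formula = Callable[[List[State], int], bool]  # truth of a formula at cycle i of a trace


def atom(machine: str, value: str) -> Formula:
    """Atomic proposition `machine.state = value` at cycle i."""
    return lambda tr, i: tr[i].get(machine) == value


def conj(*fs: Formula) -> Formula:
    return lambda tr, i: all(f(tr, i) for f in fs)


def implies(a: Formula, b: Formula) -> Formula:
    return lambda tr, i: (not a(tr, i)) or b(tr, i)


def nxt(f: Formula) -> Formula:
    """X f: f at the next cycle; false when the trace ends (strong next, an assumption)."""
    return lambda tr, i: i + 1 < len(tr) and f(tr, i + 1)


def always_between(lo: int, hi: int, f: Formula) -> Formula:
    """G[lo,hi] f: f at every cycle i+lo .. i+hi that lies inside the trace."""
    return lambda tr, i: all(f(tr, j) for j in range(i + lo, min(i + hi, len(tr) - 1) + 1))


def first_violation(f: Formula, tr: List[State]) -> Optional[int]:
    """Top-level G f: return the first cycle where f fails (counterexample
    position), or None when the property holds on the whole trace."""
    for i in range(len(tr)):
        if not f(tr, i):
            return i
    return None


def sm2(value: str) -> Formula:
    return atom("SM2", value)


# The page's property, with SM_SM1.state -> "SM1" and SM_SM1.Sub_SM2.state -> "SM2".
PROPERTY: Formula = implies(
    conj(atom("SM1", "AfterDepart"), sm2("Initial"), nxt(sm2("Wait"))),
    conj(always_between(1, 6, sm2("Wait")),
         always_between(7, 17, sm2("WheelControl"))),
)


def make_trace(wait_cycles: int, wheel_cycles: int) -> List[State]:
    """Constructed run: two cycles before separation, one cycle of rate damping
    (Initial), standby for wait_cycles, flywheel control for wheel_cycles,
    then standby again. Cycle lengths are parameters so both a satisfying run
    and a counterexample can be built."""
    trace: List[State] = [{"SM1": "BeforeDepart", "SM2": "inactive"}] * 2
    trace.append({"SM1": "AfterDepart", "SM2": "Initial"})
    trace += [{"SM1": "AfterDepart", "SM2": "Wait"}] * wait_cycles
    trace += [{"SM1": "AfterDepart", "SM2": "WheelControl"}] * wheel_cycles
    trace += [{"SM1": "AfterDepart", "SM2": "Wait"}] * 3
    return trace


if __name__ == "__main__":
    print("6 standby / 11 flywheel cycles:", first_violation(PROPERTY, make_trace(6, 11)))
    print("5 standby / 11 flywheel cycles:", first_violation(PROPERTY, make_trace(5, 11)))
```

Note the window arithmetic: the antecedent holds at the cycle in which SM2 is still in Initial and the next cycle is Wait, so `G[1,6]` demands standby in the six cycles that follow and `G[7,17]` flywheel control in the eleven after that. A run that leaves standby one cycle early is reported as a violation at cycle 2, the cycle where the antecedent fired, which is also where NuSMV would start its counterexample trace. A trace in which separation never happens satisfies the property vacuously.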
According to an embodiment of the present application, a state machine model temporal property verification system based on model conversion is also proposed, as shown in Fig. 3, comprising:
a model parsing module 101, for parsing the text model of the high-safety application development environment SCADE and obtaining a syntax tree instance;
a symbol table container module 102, for loading the syntax tree instance and obtaining a symbol table instance;
a model conversion module 103, for converting the symbol table instance into a model for the symbolic model checker NuSMV according to conversion rules;
a model checking module 104, for verifying the temporal properties of the NuSMV model according to linear temporal logic (LTL) formulas and computation tree logic (CTL) formulas.
The model parsing module includes a grammar design unit, a syntax tree traversal unit and a syntax tree generation unit:
the grammar design unit, for writing the SCADE grammar and semantics declarations, according to the grammar and semantics declarations of the SCADE text model and in the format of the language recognition tool ANTLR, as corresponding ANTLR files, which describe the grammar and semantics declarations of the SCADE language;
the syntax tree traversal unit, for traversing the SCADE text model with corresponding Java listeners according to the declarations in the ANTLR files and obtaining syntax tree information;
the syntax tree generation unit, for generating a syntax tree instance from the syntax tree information.
The symbol table container module includes a hierarchical structure symbol table definition unit, a sub-state machine structure symbol table definition unit and a syntax tree information loading unit:
the hierarchical structure symbol table definition unit, for defining the hierarchical structure symbol table;
the sub-state machine structure symbol table definition unit, for defining the sub-state machine structure symbol table;
the syntax tree information loading unit, for loading the syntax tree instance according to the hierarchical structure symbol table and the sub-state machine structure symbol table and obtaining a symbol table instance.
The model checking module is specifically used for:
verifying the temporal properties of the NuSMV model according to the LTL and CTL formulas;
if the temporal property currently being verified is satisfied, proceeding to the verification of the next temporal property;
if the temporal property currently being verified is not satisfied, outputting counterexample information and stopping the verification of temporal properties.
The LTL formulas are determined according to the temporal safety requirements of the SCADE text model described in natural language.
The CTL formulas are determined according to the temporal safety requirements of the SCADE text model described in natural language.
The grammar and semantics declarations include: program semantics, declaration semantics, type declarations, constant declaration semantics, custom operator node declaration semantics, equation and expression declarations, SCADE state machine semantics, and so on.
For a better understanding, the workflow of the invention is illustrated below.
As shown in Fig. 4, the SCADE text model exported from the SCADE software is first input into the model parsing module. In the model parsing module, the input SCADE text model passes through the grammar design unit, the syntax tree traversal unit and the syntax tree generation unit to yield a syntax tree instance, which is the input of the symbol table container module.
The syntax tree instance includes the structure of the syntax tree and the syntax tree information (the syntax tree information obtained through the listeners).
The hierarchical structure symbol table and the sub-state machine structure symbol table of SCADE are defined in the symbol table container module in order to store the information of the syntax tree in a new form. Through the syntax tree information loading unit, the symbol table container module loads the syntax tree instance and converts it into an intermediate structure, namely a symbol table instance, which is the input of the model conversion module.
The symbol table instance is finally converted into the target model, i.e. the NuSMV model, according to the conversion rules in the model conversion module.
The user rewrites the natural-language requirement properties of the SCADE text model as LTL and CTL formulas and inputs them into the model checking module. The model checking module performs model property verification on the input NuSMV model together with the requirement properties rewritten as LTL and CTL formulas.
The user debugs the original SCADE model according to the counterexamples obtained and repeats the process until all properties are satisfied.
The conversion rules are as follows.
The rules for converting a SCADE state machine (symbol table instance) into a NuSMV input model are based on the STP method. To make them suitable for SCADE state machines, the conversion rules are redefined for the hierarchical structure and the state machine features of SCADE and the variable monitoring mechanism is improved, thereby creating a conversion framework from SCADE state machines to NuSMV input models.
Fig. 5 shows a SCADE state machine in a control node (Node); this state machine has a hierarchical structure. State machine SM1 has two states, A and B; state machine SM2 has two states, C and D; and SM2 is the sub-state machine of state B. When the state transition condition g1 is satisfied, state A transitions to state B; g1, g2, ... in the figure thus represent the transition conditions between states. A SCADE state contains specific arithmetic operations, and in each cycle exactly one state of each state machine is active.
A SCADE hierarchical state machine has the characteristics of a StateChart, so, similarly to the STP method, two Boolean trigger parameters, active and default, are introduced into the conversion rules. These two trigger parameters help the target model construct the hierarchical structure of the SCADE state machine, so that it is expressed correctly in the NuSMV modelling language.
Fig. 6 shows the state machine under simulation; bold lines mark the currently active state, which in the figure is state B. State transitions in a SCADE state machine occur on the same layer: if the transition condition into target state B is satisfied, the state machine performs the transition and state B of SM1 becomes active, and at the same time state C in state machine SM2 also becomes active. That is, in a SCADE hierarchical state machine the sub-state machine is activated when its parent state is activated. Converting such a structure directly into a NuSMV input model causes a problem: all modules (MODULE) in a NuSMV program are initialized at the start and remain active from then on. The conversion obviously cannot be done that way; when the corresponding MODULE should not be active in certain cycles, the target NuSMV model must indicate this explicitly in some way, so that variables in the NuSMV model are not operated on incorrectly. This is why the active trigger parameter is introduced: it resolves the conflict between the start-up behaviour of the SCADE state machine and that of the NuSMV model by marking whether the corresponding MODULE is to be considered active.
In the conversion framework, each sub-state machine is finally converted into one NuSMV MODULE. Assume that state machine Ssub is the sub-state machine of state S, that active denotes whether the state machine containing state S is active, and that SM_active denotes whether the sub-state machine Ssub is active. As shown in rule 1 of Table 1, its value is determined by the expression on the right-hand side of the assignment: when the parent state machine of S is active and the current state is S, the state machine Ssub is active as well.
Table 1
Rule 1: trigger parameter active of sub-state machine Ssub
SM_active := (state = S) & active;
Each state machine has its own initial state, and the trigger parameter active tells us whether a given sub-state machine module has been triggered. A state can undergo two different kinds of transitions:
(1) default transition: when a state machine is triggered, its initial state is activated first; we call this the default transition.
(2) regular transition: a transition that the state machine performs between the states of its own layer; we call these regular transitions.
In SCADE, suppose a sub-state machine is active and performs a regular transition, and that several cycles later the parent state of that sub-state machine changes because its transition condition changes; the parent state then goes from active to inactive. The next time the parent state of that sub-state machine is activated, the sub-state machine has to perform a default transition, i.e. its initial state is activated. When we translate a SCADE state machine into a NuSMV input model, the trigger parameter active alone cannot guarantee that the MODULE of the sub-state machine still performs this default transition, which is why a second trigger parameter, default, has to be introduced. By setting the parameter default to True, the target model guarantees that every time the sub-state machine is entered the default transition takes place and the initial state is activated.
Let S be the current state and P1, ..., Pn the predecessors of state S. When one of the transition conditions from P1, ..., Pn to state S is satisfied, the trigger parameter default has to be set to True. At the same time this is only meaningful when the state machine containing state S is active, so, as rule 2 in Table 2 shows, the assignment must be conjoined (&) with the trigger active. Suppose Def_S denotes the default trigger parameter of the sub-state machine S_sub under state S. We first initialise this parameter to False, meaning that state machine S_sub has not been initialised yet, and then define Def_S with the transformation rule above:
Table 2
Beyond this there is one special case: the top-level state machine. In a SCADE state machine model every state machine is a sub-state machine of the top-level state machine; in Fig. 5, for instance, SM1 is a sub-state machine of the top-level state machine SM. This state machine corresponds to the main module (MODULE main) of the NuSMV target model. The top-level state machine does not really need the trigger parameter default, because it is always active. We therefore choose to set default to True in the first time unit and to False in every later time unit, which guarantees that the top-level state machine performs its default transition only once, at the very beginning, and that it lasts for a single cycle. According to rule 3 in Table 3, we can finally define its parameter default in the main module of the NuSMV program:
Table 3
The transformation rules for the trigger parameters active and default standardise the hierarchical state machine structure of the NuSMV target model. Suppose S is a state of sub-state machine SMi, SMj is the sub-state machine of state S, and SMj has the states s1, ..., sn. In the NuSMV target model the hierarchical structure of sub-state machines SMi and SMj is as shown in Fig. 7: within SMi the parameter active denotes whether SMi is active, and since SMj is the sub-state machine of state S, SMj_active denotes whether sub-state machine SMj is active. This structure combines rule 1 and rule 2.
Transition relations exist between the states of a SCADE hierarchical state machine. In Fig. 5, sub-state machine SM1 has the two states A and B; when transition condition g1 holds, the transition from state A to state B takes place. Likewise, when g3 holds, the transition from state C to state D takes place in sub-state machine SM2. Each sub-state machine appears in the NuSMV target model as a module (MODULE), the state names of the SCADE sub-state machine are declared in an enumerated variable of the corresponding module, and the module owns the two trigger parameters active and default. The parameter active indicates whether the module is really active, and default indicates whether the default (initial) transition takes place. Consequently the state-name variable state of a module is only visible when its trigger parameter active is True.
From the characteristics of SCADE state machines we know that state transitions only take place within a state machine of the same level. As shown in Fig. 8, S1, ..., Sn are the target states of state S in a sub-state machine, and the transitions from S to them are guarded by the transition conditions guard(S, S1), ..., guard(S, Sn) respectively. Using the next keyword of NuSMV, the transformation rule 4 for regular transitions is defined as shown in Table 4.
Table 4
From it we can also see that when a state transition takes place in some cycle the state name changes, and that if none of the transition conditions leading to the particular states holds, the next state remains the state itself. This matches the behaviour of SCADE state transitions: when a SCADE state machine does not transition, the operations of the current state are executed again. All of this presupposes that the containing state machine is active, so the trigger parameter active has to be conjoined with these conditions.
When a sub-state machine performs a default transition, its initial state is activated with transition rule 5 below, as shown in Table 5.
Table 5
Rule 5: state transition under a default transition |
---|
next(state) := next(active) & next(default) : S0; |
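To make rules 1 to 5 concrete, the generator below emits the NuSMV modules for a small hierarchical state machine in the shape of Fig. 5. This is an added example and not code from the patent or its translation tool: it writes down the rules as the text describes them (SM_active from rule 1, Def_S initialised to False and raised from the predecessors' guards under rule 2, the first-cycle-only default of main under rule 3, the active-guarded case branches of rule 4 and the default branch of rule 5) in plain NuSMV syntax. The machine description format, the helper names, and the sample machines SM1 = {A, B} and SM2 = {C, D} nested under B, with the guards modelled as comparisons on an input x (the page only names g1 and g3; the return edge B -> A is constructed here), are this example's own assumptions.

```python
"""Generate NuSMV modules for a SCADE-style hierarchical state machine.

Added example, not code from the patent or its tool: it writes down rules
1-5 as the text describes them (trigger parameters active/default, regular
and default transitions) in plain NuSMV syntax. The machine description
format, the helper names and the sample machines (SM1 = {A, B}, SM2 = {C, D}
nested under B, guards modelled as comparisons on an input x) are this
example's own constructions.
"""
from typing import Dict, List, Tuple

# A machine: initial state, states, regular transitions
# (source, target, guard in NuSMV syntax) and the inputs its guards read.
Transition = Tuple[str, str, str]
Machine = Dict[str, object]


def predecessors(machine: Machine, target: str) -> List[Tuple[str, str]]:
    """(source, guard) pairs of the regular transitions entering `target`."""
    return [(src, g) for src, dst, g in machine["transitions"] if dst == target]


def emit_submachine(name: str, machine: Machine, children: Dict[str, str]) -> str:
    """NuSMV MODULE for one sub-state machine; `children` maps a state of this
    machine to the sub-state machine nested under it (the Fig. 7 structure)."""
    inputs = ", ".join(machine["inputs"])
    s0 = machine["init"]
    out = [f"MODULE {name}(active, default, {inputs})", "VAR",
           f"  state : {{{', '.join(machine['states'])}}};"]
    for parent, child in children.items():
        # Rule 2: one default trigger per nested machine, owned by the parent.
        out.append(f"  Def_{parent} : boolean;")
        out.append(f"  {child.lower()} : {child}({child}_active, Def_{parent}, {inputs});")
    if children:
        out.append("DEFINE")
        for parent, child in children.items():
            # Rule 1: the nested machine is active iff its parent state is
            # current and this machine is itself active.
            out.append(f"  {child}_active := (state = {parent}) & active;")
    out += ["ASSIGN", f"  init(state) := {s0};", "  next(state) := case",
            # Rule 5: a default transition (re)activates the initial state.
            f"    next(active) & next(default) : {s0};"]
    # Rule 4: regular transitions only count while the machine is active;
    # when no guard holds the state is kept.
    for src, dst, g in machine["transitions"]:
        out.append(f"    active & state = {src} & ({g}) : {dst};")
    out += ["    TRUE : state;", "  esac;"]
    for parent in children:
        # Rule 2: Def_S starts FALSE and is raised when a predecessor's guard
        # into the parent state holds, conjoined with this machine's active.
        cond = " | ".join(f"(state = {p} & ({g}))"
                          for p, g in predecessors(machine, parent)) or "FALSE"
        out.append(f"  init(Def_{parent}) := FALSE;")
        out.append(f"  next(Def_{parent}) := active & ({cond});")
    return "\n".join(out)


def emit_main(inputs: Dict[str, str], top: str) -> str:
    """MODULE main: environment inputs as global variables plus the top-level
    machine, which is always active; rule 3 makes its default transition
    happen exactly once, in the first cycle."""
    out = ["MODULE main", "VAR"]
    out += [f"  {var} : {typ};" for var, typ in inputs.items()]
    out += ["  default : boolean;",
            f"  {top.lower()} : {top}(active, default, {', '.join(inputs)});",
            "DEFINE", "  active := TRUE;",
            "ASSIGN", "  init(default) := TRUE;", "  next(default) := FALSE;"]
    return "\n".join(out)


# Constructed sample after Fig. 5: A -> B on g1 (x > 5), a constructed return
# edge B -> A on g2 (x = 0), and C -> D on g3 (x > 8) inside SM2 under B.
INPUTS = {"x": "0..10"}
SM1: Machine = {"init": "A", "states": ["A", "B"], "inputs": ["x"],
                "transitions": [("A", "B", "x > 5"), ("B", "A", "x = 0")]}
SM2: Machine = {"init": "C", "states": ["C", "D"], "inputs": ["x"],
                "transitions": [("C", "D", "x > 8")]}


def build_model() -> str:
    """Complete NuSMV text: main, SM1 (with SM2 nested under B) and SM2."""
    return "\n\n".join([emit_main(INPUTS, "SM1"),
                        emit_submachine("SM1", SM1, {"B": "SM2"}),
                        emit_submachine("SM2", SM2, {})])


if __name__ == "__main__":
    print(build_model())
```

Running the script prints a model that NuSMV can load directly. Because Def_B is assigned with next(), it becomes True in the same cycle in which SM1 enters B, and SM2's rule 5 branch reads next(active) & next(default), so SM2 is reset to C in exactly that cycle; when SM1 later returns to A, SM2_active drops to False and SM2's state is no longer meaningful until the next entry, which is the behaviour the two trigger parameters were introduced to reproduce.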
A reactive system responds to the inputs of its environment and produces outputs to particular devices, which in turn update the sensed values of the environment; the SCADE model determines how the system responds. A control system designed in SCADE therefore necessarily contains operations and behaviours that affect its output variables. In Fig. 5 one can see that a numerical operation is applied to the input variable x in state A and its result is written to the output variable o. Such behaviour, which updates and changes the values of declared variables inside a SCADE state, must also be reproduced. In the NuSMV target model, the environment inputs of SCADE can be defined in the main module (MODULE main) of the NuSMV model and declared as global variables; each sub-state machine module responds to the environment inputs, performs its operations and updates the values of the global variables.
In NuSMV every module can read the values of the global variables of the main module, but NuSMV does not allow several sub-state machine modules to update the same global variable at the same time. The monitor-like mechanism of the STP method lets a model read and write monitored variables. It means that for every event or condition variable Var of a StateChart there is always a corresponding module named Set_Var, which manipulates the value of variable Var through monitoring parameters.
The problem, however, is that the events and condition variables of the STP method are all abstracted to Boolean variables, whereas the data types of variables in SCADE can be much richer. Moreover, in SCADE both the state transition conditions and the actions within states are fully concrete data-flow operations; in a SCADE state machine, for instance, a state S may use arithmetic operators to respond to specific variables.
To overcome this shortcoming of the STP method for SCADE state machines, this application proposes a variable monitoring mechanism for SCADE models, which establishes a communication mechanism between sub-state machines and global variables. The SCADE variable monitoring mechanism first refines the two classes of variable monitoring parameters of the STP method, set_m and reset_m, into set_(var,s) and reset_(var,s); it then designs the SCADE variable monitoring module; and finally it gives the assignment rules of the two classes of variable monitoring parameters within each sub-state machine.
Since in SCADE the state actions and transition conditions are all expressions over input and output variables, and the input variables are determined by the environment, only the output variables need to be monitored. These monitoring parameters are all declared as global variables in the main module of the NuSMV target model.
Definition. Let there be an operation in state s of the SCADE state machine that updates the value of output variable var. Then:
the variable monitoring parameter set_(var,s) is a Boolean parameter that indicates whether, while the current state is s, the operation in that state which changes var needs to be executed;
the variable monitoring parameter reset_(var,s) is a Boolean parameter that indicates whether, when a state transition whose target state is s takes place, the operation in the target state s which changes var needs to be executed.
We also need the transformation rule that defines the variable monitoring module. For an output variable Var, the monitoring module of that variable is named Set_Var. Such a module is responsible for changing the value of variable Var according to the values of the monitoring parameters: when the corresponding monitoring parameter is True, the assignment operation to variable Var is executed. Let v1, ..., vi, ..., vn be all the variables of the SCADE state machine, and let the states s1, ..., sm all contain operations on the output variable vi. Rule 6 in Table 6 is then the transformation rule of the monitoring module for variable vi, where set_vi_s1, ..., reset_vi_sm denote the relevant monitoring parameters set_(var,s) and reset_(var,s). Specifically, in a particular state sk the expressions of the assignment operations to variable vi are denoted set_action(sk) and reset_action(sk). These assignments are data-flow operations within the state, and we can translate them directly into the corresponding expressions. The transformation rule also allows such assignment operations to call other user-defined function nodes, so where necessary the called function names function1, ..., functionk must be declared.
Table 6
With the rules above, together with the trigger parameters active and default introduced earlier, we are able to build the structure of a SCADE hierarchical state machine on a NuSMV model. The whole hierarchical state machine operates correctly, however, only when the variable monitoring parameters hold the correct values. These monitoring parameters act like switches for state behaviour: when a switch is turned on, the variable controlled by that switch is updated. We therefore need to control these switches dynamically, that is, to control the monitoring parameters within the module corresponding to each sub-state machine.
Assignment rule of the monitoring parameter set_(var,s), as shown in Fig. 9(a): let the current state be s, let T1, ..., Tm be the successor states of state s, and let guard(s, Ti) denote the transition condition from state s to Ti, where i ∈ {1, ..., m}. In a SCADE state machine, if none of the transition conditions of state s holds, the next state remains s and the operations of the state are executed in the next cycle. Therefore, as rule 7 in Table 7 shows, when the state machine containing state s is active and none of its transition conditions holds, the value of set_(var,s) is set to True, otherwise to False. Here set_var_s is equivalent to set_(var,s).
Table 7
Assignment rule of the monitoring parameter reset_(var,s), as shown in Fig. 9(b): state s is the target state of the states P1, ..., Pn, and the transition condition from state Pj to state s is denoted guard(Pj, s), where j ∈ {1, ..., n}. When one of the transition conditions guard(Pj, s) holds, the system will reach state s, and the monitoring parameter reset_(var,s) is set. Rule 8 in Table 8 is the assignment rule of reset_(var,s); note that if the target state s is the initial state of some sub-state machine, the monitoring parameter must also be set to True. Here reset_var_s is equivalent to reset_(var,s).
Table 8
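The variable monitoring pieces of rules 6 to 8 can be generated the same way. The script below is an added example, not the patent's own code: it emits the Set_var module of rule 6 (the single writer of an output variable, switched by the set/reset parameters), and the assignments of set_var_s (rule 7: active, in state s, no guard leaving s holds) and reset_var_s (rule 8: active and a guard entering s holds, or, for the initial state, the default transition) that belong in the ASSIGN section of the sub-state machine module owning s, plus the global declarations for main. The spec format and helper names are assumptions, the sample (variable o computed as x + 1 while in state A of SM1 and reset to 0 on entry, with A -> B on x > 5 and B -> A on x = 0) is constructed, and using the module's default parameter to encode the initial-state clause of rule 8 is this example's reading of the text.

```python
"""Emit the NuSMV variable-monitoring pieces for one SCADE output variable.

Added example, not code from the patent: rules 6-8 as the text describes
them. Set_<var> is the only module that writes the variable; the monitoring
parameters set_<var>_<s> / reset_<var>_<s> are global booleans in main and
are assigned inside the sub-state machine module that owns state s (which has
the formal parameters active and default). Spec format, names and the sample
are this example's assumptions; encoding the initial-state case of rule 8
with `default` is also an assumption.
"""
from typing import Dict, List, Tuple

Transition = Tuple[str, str, str]  # (source, target, guard in NuSMV syntax)


def emit_set_module(var: str, actions: Dict[str, Tuple[str, str]]) -> str:
    """Rule 6: MODULE Set_var(var, set_var_s1, reset_var_s1, ...).

    `actions` maps each state s that writes var to the pair
    (set_action(s), reset_action(s)); the reset branch is listed first so
    that entering s wins over staying in s."""
    params = [var]
    for s in actions:
        params += [f"set_{var}_{s}", f"reset_{var}_{s}"]
    out = [f"MODULE Set_{var}({', '.join(params)})", "ASSIGN",
           f"  next({var}) := case"]
    for s, (set_expr, reset_expr) in actions.items():
        out.append(f"    reset_{var}_{s} : {reset_expr};")
        out.append(f"    set_{var}_{s} : {set_expr};")
    out += [f"    TRUE : {var};",  # no switch open: the value is kept
            "  esac;"]
    return "\n".join(out)


def monitoring_assignments(var: str, s: str, init: str,
                           transitions: List[Transition]) -> List[str]:
    """Rules 7 and 8 for state s, as ASSIGN lines of the owning sub-machine."""
    leaving = [g for src, _, g in transitions if src == s]
    entering = [(src, g) for src, dst, g in transitions if dst == s]
    # Rule 7: the state's own operation runs while the machine is active,
    # the state is s and no guard leaving s holds.
    no_exit = "!(" + " | ".join(f"({g})" for g in leaving) + ")" if leaving else "TRUE"
    set_line = f"  set_{var}_{s} := active & (state = {s}) & {no_exit};"
    # Rule 8: the entry operation runs when a predecessor's guard into s
    # holds; for the initial state the default transition also counts.
    terms = [f"(state = {p} & ({g}))" for p, g in entering]
    if s == init:
        terms.append("default")
    reset_line = f"  reset_{var}_{s} := active & ({' | '.join(terms) or 'FALSE'});"
    return [set_line, reset_line]


def emit_main_declarations(var: str, typ: str, states: List[str]) -> str:
    """VAR lines for main: the output variable, one pair of monitoring
    parameters per writing state, and the Set_var instance wired to them."""
    out = [f"  {var} : {typ};"]
    names = [var]
    for s in states:
        out += [f"  set_{var}_{s} : boolean;", f"  reset_{var}_{s} : boolean;"]
        names += [f"set_{var}_{s}", f"reset_{var}_{s}"]
    out.append(f"  set_{var} : Set_{var}({', '.join(names)});")
    return "\n".join(out)


# Constructed sample after Fig. 5: state A of SM1 computes o := x + 1 while
# it stays in A and o := 0 on entry to A; A -> B on x > 5, B -> A on x = 0.
SM1_TRANSITIONS: List[Transition] = [("A", "B", "x > 5"), ("B", "A", "x = 0")]


def build_monitoring() -> str:
    """Set_o module, the two assignments for SM1's ASSIGN section, and the
    declarations for main, for the constructed sample."""
    return "\n\n".join([
        emit_set_module("o", {"A": ("x + 1", "0")}),
        "\n".join(monitoring_assignments("o", "A", "A", SM1_TRANSITIONS)),
        emit_main_declarations("o", "0..11", ["A"]),
    ])


if __name__ == "__main__":
    print(build_monitoring())
```

The output shows why the monitor module is needed at all: o is assigned by next(o) in exactly one place, Set_o, while SM1 only flips the two switches set_o_A and reset_o_A, so NuSMV never sees two modules writing the same global variable.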
The refined SCADE variable monitoring mechanism operates on the output variables indirectly, through the values of the monitoring parameters. Fig. 10 is a schematic diagram of the SCADE parameter monitoring mechanism, which establishes communication between the sub-state machine modules and the output variable monitoring modules. As mentioned before, the environment variables of the system correspond to the input variables, and the input variables affect the values of the expressions over the other variables inside the states and the values of the transition conditions; this is how each state machine performs its state transitions. Each sub-state machine SMi can then read the variables and change the values of the monitoring parameters, and the monitoring parameters in turn decide whether the operation on an output variable is executed in a particular state: if a monitoring parameter is True, the variable monitoring module updates the value of the corresponding output variable. This is how the monitoring parameters change the value of each variable, and this cycle constitutes the SCADE variable monitoring mechanism.
The main module (MODULE main) of the NuSMV target model describes the top-level SCADE state machine, which has only one state and is always active. The main module mainly handles variable declarations, including input variables, output variables, state variables and monitoring variables; in addition it handles instantiations, including the instantiation of the sub-state machine modules, of the variable monitoring modules and of the modules for user-defined node functions, as well as the initialisation of the monitoring variables.
In the method of this application, the SCADE text model from the high-safety application development environment is parsed and converted into a NuSMV model, and the temporal properties of the NuSMV model are verified with LTL formulas and CTL formulas, thereby verifying the temporal properties of the SCADE text model. This overcomes the limitation of SCADE model property verification and further improves the safety and reliability of software systems. Introducing into SCADE formal verification a temporal specification that can describe timing-related safety requirements makes it possible to verify the temporal properties of the model. By providing a mechanism that automatically converts SCADE state machine models into NuSMV models and describes the structure of hierarchical state machines, it supports the verification of requirement properties of hierarchical state machines. The method of this application can be used to debug and correct design defects of SCADE state machine models, especially where the system fails to satisfy its temporal properties, and can further reduce system development cost and improve system reliability.
The above is only a preferred embodiment of this application, and the scope of protection of this application is not limited to it. Any change or substitution that a person skilled in the art can readily conceive within the technical scope disclosed by this application shall fall within the scope of protection of this application. The scope of protection of this application shall therefore be determined by the scope of protection of the claims.
Claims (8)
1. A state machine model temporal property verification method based on model conversion, characterised by comprising:
a model parsing step, which parses a SCADE text model from the high-safety application development environment SCADE and obtains a syntax tree instance;
a symbol table loading step, which loads the syntax tree instance and obtains a symbol table instance;
a model conversion step, which converts the symbol table instance into a model for the symbolic model checker NuSMV according to transformation rules;
a model checking step, which verifies the temporal properties of the NuSMV model according to linear temporal logic (LTL) formulas and computation tree logic (CTL) formulas.
2. The method of claim 1, characterised in that the implementation of the model parsing step comprises:
according to the grammar and semantic declarations of the SCADE text model, writing the grammar and semantic declarations of the SCADE language into a corresponding ANTLR file in the format of the language recognition tool ANTLR (ANother Tool for Language Recognition), the ANTLR file describing the grammar and semantic declarations of the SCADE language;
listening to the SCADE text model with a corresponding Java listener according to the declarations in the ANTLR file, to obtain syntax tree information;
generating a syntax tree instance according to the syntax tree information.
3. The method of claim 1, characterised in that the implementation of the symbol table loading step comprises:
defining a hierarchical structure symbol table and a sub-state machine structure symbol table;
loading the syntax tree instance according to the hierarchical structure symbol table and the sub-state machine structure symbol table, to obtain a symbol table instance.
4. The method of claim 1, characterised in that the implementation of the model checking step comprises:
verifying the temporal properties of the NuSMV model according to the LTL formulas and CTL formulas;
if the temporal property currently being verified is satisfied, proceeding to verify the next temporal property;
if the temporal property currently being verified is not satisfied, outputting counterexample information and stopping the verification of temporal properties.
5. The method of claim 4, characterised in that, after stopping the verification of temporal properties, it further comprises:
a model debugging step, which modifies the SCADE system development environment according to the counterexample information, generates a new SCADE text model and verifies its temporal properties.
6. The method of claim 1, characterised in that the LTL formulas are determined according to the timing-related safety requirements described in natural language for the SCADE text model.
7. The method of claim 1, characterised in that the CTL formulas are determined according to the timing-related safety requirements described in natural language for the SCADE text model.
8. The method of claim 3, characterised in that the grammar and semantic declarations include: program semantics, declaration semantics, type declarations, constant declaration semantics, user-defined operator declaration semantics, equation and expression declarations, and SCADE state machine semantics.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910606311.5A CN110532167B (en) | 2019-07-05 | 2019-07-05 | State machine model time sequence property verification method based on model conversion |
Publications (2)
Publication Number | Publication Date |
---|---|
CN110532167A true CN110532167A (en) | 2019-12-03 |
CN110532167B CN110532167B (en) | 2021-05-04 |
Family
ID=68659877
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910606311.5A Active CN110532167B (en) | 2019-07-05 | 2019-07-05 | State machine model time sequence property verification method based on model conversion |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110532167B (en) |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20080086705A1 (en) * | 2006-10-10 | 2008-04-10 | Honeywell International Inc. | Automatic translation of simulink models into the input language of a model checker |
CN102591713A (en) * | 2011-12-31 | 2012-07-18 | 浙江大学 | Scheduling system of software functional module based on finite-state machine |
CN104298921A (en) * | 2013-07-15 | 2015-01-21 | 深圳市腾讯计算机系统有限公司 | Animation source file security vulnerability checking method and animation source file security vulnerability checking device |
CN104915514A (en) * | 2015-06-25 | 2015-09-16 | 华东师范大学 | Time requirement modeling and verification method based on problem frame method |
CN106598566A (en) * | 2016-11-03 | 2017-04-26 | 南京航空航天大学 | Avionics system oriented formalized modeling and verifying method based on requirements |
Non-Patent Citations (2)
Title |
---|
仵志鹏等: "面向AltaRica模型的嵌入式系统安全性验证方法", 《计算机科学与探索》 * |
张刘毅: "基于抽象语法树和改进粒子群算法的代码同源性分析", 《中国优秀硕士学位论文全文数据库》 * |
Cited By (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112269734A (en) * | 2020-10-15 | 2021-01-26 | 南京航空航天大学 | Synchronous language program automatic verification method based on satisfiability solving |
CN112269734B (en) * | 2020-10-15 | 2022-04-26 | 南京航空航天大学 | Synchronous language program automatic verification method based on satisfiability solving |
CN112667215A (en) * | 2020-12-11 | 2021-04-16 | 中山大学 | Automatic repairing method for formalized requirement specification |
CN112667215B (en) * | 2020-12-11 | 2022-02-25 | 中山大学 | Automatic repairing method for formalized requirement specification |
CN114356294A (en) * | 2021-12-21 | 2022-04-15 | 华东师范大学 | Instance generation method and system based on FQLTL language |
CN114356294B (en) * | 2021-12-21 | 2023-07-14 | 华东师范大学 | FQLTL language-based instance generation method and system |
CN115410402A (en) * | 2022-08-08 | 2022-11-29 | 上海丰蕾信息科技有限公司 | Traffic signal time sequence logic verification method and device and electronic equipment |
CN115410402B (en) * | 2022-08-08 | 2024-07-02 | 上海丰蕾信息科技有限公司 | Traffic signal sequential logic verification method and device and electronic equipment |
Also Published As
Publication number | Publication date |
---|---|
CN110532167B (en) | 2021-05-04 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
Liu et al. | Pat 3: An extensible architecture for building multi-domain model checkers | |
Thompson et al. | Specification-based prototyping for embedded systems | |
CN1703703B (en) | Device and method for checking railway logical software engines for commanding plants, particularly station plants | |
CN110532167A (en) | A kind of state machine model timing property verification method based on model conversion | |
US7729894B1 (en) | Test postcondition items for automated analysis and test generation | |
Iliasov et al. | Developing mode-rich satellite software by refinement in Event-B | |
Van Mierlo et al. | Domain-specific modelling for human–computer interaction | |
CN110532166A (en) | A kind of state machine model timing Property Verification system based on model conversion | |
Moradi et al. | Monitoring cyber-physical systems using a tiny twin to prevent cyber-attacks | |
Strasser et al. | A research roadmap for model-driven design of embedded systems for automation components | |
Kim et al. | Execution of natural language requirements using State Machines synthesised from Behavior Trees | |
Prähofer et al. | Monaco—a domain-specific language solution for reactive process control programming with hierarchical components | |
Ge et al. | Formal development process of safety-critical embedded human machine interface systems | |
Tolvanen et al. | Metamodeling for medical devices: Code generation, model-debugging and run-time synchronization | |
Frey et al. | “Safety automata”—A new specification language for the development of PLC safety applications | |
Khalgui et al. | Reconfigurable Embedded Control Systems: Applications for Flexibility and Agility: Applications for Flexibility and Agility | |
Sarshogh | Extending Event-B with discrete timing properties | |
Falcone et al. | Runtime enforcement for IEC 61499 applications | |
Balasubramanian et al. | Rapid property specification and checking for model-based formalisms | |
Brodsky et al. | CoJava: a unified language for simulation and optimization | |
Dissaux et al. | Combined real-time, safety and security model analysis | |
Kuang et al. | An Automation Script Generation Technique for the Smart Home | |
Ahmad et al. | An AADL-DEVS Framework for Cyber-Physical Systems Modeling and Simulation Supported with an Integrated OSATE and DEVS-Suite Tools | |
Fidge et al. | Disciplined approach to real-time systems design | |
Angelov et al. | Model-based design and verification of embedded software |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
TR01 | Transfer of patent right | | Effective date of registration: 20210806. Address after: Room 801, no.6, Lane 600, Yunling West Road, Putuo District, Shanghai 200062. Patentee after: SHANGHAI FORMAL TECH INFORMATION TECHNOLOGY Co.,Ltd. Address before: 200062 No. 3663, Putuo District, Shanghai, Zhongshan North Road. Patentee before: EAST CHINA NORMAL University; SHANGHAI FORMAL TECH INFORMATION TECHNOLOGY Co.,Ltd. |