CN110532167B - State machine model time sequence property verification method based on model conversion - Google Patents


Info

Publication number
CN110532167B
Authority
CN
China
Prior art keywords
model
scade
state machine
state
time sequence
Legal status
Active
Application number
CN201910606311.5A
Other languages
Chinese (zh)
Other versions
CN110532167A (en)
Inventor
黄滟鸿
史建琦
张继
郭欣
施健
Current Assignee
SHANGHAI FORMAL TECH INFORMATION TECHNOLOGY Co.,Ltd.
Original Assignee
Shanghai Formal Tech Information Technology Co ltd
East China Normal University
Application filed by Shanghai Formal Tech Information Technology Co., Ltd. and East China Normal University
Priority to CN201910606311.5A
Publication of CN110532167A
Application granted
Publication of CN110532167B
Legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/36 Preventing errors by testing or debugging software
    • G06F11/3604 Software analysis for verifying properties of programs
    • G06F11/3608 Software analysis for verifying properties of programs using formal methods, e.g. model checking, abstract interpretation

Abstract

The application discloses a method for verifying the time sequence (temporal) properties of a state machine model based on model conversion, which comprises the following steps: a model parsing step, parsing the SCADE text model to obtain a syntax tree instance; a symbol table container step, loading the syntax tree instance to obtain a symbol table instance; a model conversion step, converting the symbol table instance into a NuSMV model according to model conversion rules; and a model checking step, verifying the time sequence properties of the NuSMV model against LTL and CTL formulas. The SCADE text model of the Safety-Critical Application Development Environment is parsed and converted into a NuSMV model, and the time sequence properties of the NuSMV model are verified against the LTL and CTL formulas, so that the time sequence properties of the SCADE text model are verified; this goes beyond the limits of property verification in SCADE itself and further improves the security and reliability of the software system. By introducing a timing specification for SCADE formal verification that can describe timing-related security requirements, the timing properties of the model can be verified.

Description

State machine model time sequence property verification method based on model conversion
Technical Field
The application relates to the field of embedded software, in particular to a method for verifying time sequence properties of a state machine model based on model conversion.
Background
Software security in safety-critical fields has always been a concern: even as the efficiency of software application development improves, the security and reliability of the software system must still be ensured, because in these fields software errors cause serious economic loss and even endanger life. Traditional software verification simulates the developed software system in order to find errors and correct them in time. The Safety-Critical Application Development Environment (SCADE) provides a formal verification component, Design Verifier (DV), which first models safety requirements graphically and then verifies whether the model meets the requirements through a satisfiability (SAT)-based model checking algorithm. However, with the wide spread of SCADE applications and the diversity of system requirements, especially when timing-related properties are involved, the expressive power of DV is no longer sufficient to describe those requirements.
In view of the foregoing, it is desirable to provide a method for verifying the timing property of the SCADE text model, so as to improve the security and reliability of the software system.
Disclosure of Invention
In order to solve the above problems, the application provides a method for verifying the time sequence properties of a state machine model based on model conversion, which comprises parsing a SCADE text model of the Safety-Critical Application Development Environment, converting the SCADE text model into a NuSMV model, and verifying the time sequence properties of the NuSMV model against an LTL formula and a CTL formula, so that the time sequence properties of the SCADE text model are verified.
Specifically, the invention provides a state machine model time sequence property verification method based on model conversion, which comprises the following steps:
a model parsing step, parsing a SCADE text model of the Safety-Critical Application Development Environment to obtain a syntax tree instance;
a symbol table container step, loading the syntax tree instance to obtain a symbol table instance;
a model conversion step, converting the symbol table instance into a Symbolic Model Verifier (NuSMV) model according to model conversion rules;
and a model checking step, verifying the time sequence properties of the NuSMV model against a Linear Temporal Logic (LTL) formula and a Computation Tree Logic (CTL) formula.
Preferably, the implementation process of the model parsing step includes:
writing the syntax and semantic declarations of the SCADE text model into a corresponding ANTLR grammar file in the format of ANTLR (ANother Tool for Language Recognition), the ANTLR file describing the syntax and semantics of the SCADE language;
listening to the SCADE text model with corresponding Java listeners according to the declarations in the ANTLR file to obtain syntax tree information;
and generating a syntax tree instance from the syntax tree information.
Preferably, the implementation procedure of the symbol table container step includes:
defining a hierarchical structure symbol table and a sub-state machine structure symbol table;
and loading the syntax tree instance according to the hierarchical structure symbol table and the sub-state machine structure symbol table to obtain the symbol table instance.
Preferably, the model checking step is implemented by:
verifying the time sequence property of the NuSMV model according to the LTL formula and the CTL formula;
if the current verified time sequence property is met, verifying the next time sequence property;
and if the currently verified time sequence property is not met, outputting counter example information and stopping verification of the time sequence property.
Preferably, after verification of the timing property is stopped, the method further comprises:
a model debugging step, modifying the original model in the SCADE system development environment according to the counterexample information, generating a new SCADE text model and verifying its time sequence properties again.
Preferably, the LTL formula is determined according to the timing safety requirements of the natural language description of the SCADE text model.
Preferably, the CTL formula is determined according to the timing safety requirements of the natural language description of the SCADE text model.
Preferably, the syntax semantic declaration includes: program semantics, declaration semantics, type declarations, constant declaration semantics, custom operator node declaration semantics, equation and expression declarations, and SCADE state machine semantics.
The application has the advantages that: the SCADE text model of the high-security application program development environment is analyzed, the SCADE text model is converted into the NuSMV model, and the time sequence property of the NuSMV model is verified according to the LTL formula and the CTL formula, so that the time sequence property of the SCADE text model is verified, the limit of the property verification of the SCADE model is broken through, and the security and the reliability of a software system are further improved.
Drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating preferred embodiments and are not to be construed as limiting the application. Also, like reference numerals are used to denote like parts throughout the drawings. In the drawings:
FIG. 1 is a schematic diagram illustrating steps of a method for verifying time-series properties of a state machine model based on model transformation according to the present application;
FIG. 2 is a schematic diagram of a SCADE state machine model of a subsystem of a satellite control system of a state machine model timing property verification method based on model transformation provided herein;
FIG. 3 is a schematic diagram of a state machine model timing property verification system based on model transformation provided herein;
FIG. 4 is a schematic structural diagram of a model-transformation-based state machine model timing property verification system provided by the present application;
FIG. 5 is a schematic diagram of an example of a hierarchical SCADE state machine based on the transformation rules of a model transformation-based state machine model timing property verification method provided by the present application;
FIG. 6 is a schematic diagram of state B and state machine SM2 being activated in the simulation of the transition rule of the model transition-based state machine model timing property verification method provided in the present application;
FIG. 7 is a schematic structural diagram of a hierarchical state machine in a NuSMV target model of a transformation rule of a state machine model time sequence property verification method based on model transformation according to the present application;
FIG. 8 is a transition diagram of state S of a transformation rule of a state machine model time-series property verification method based on model transformation provided herein;
FIG. 9 is a state transition relationship diagram illustrating a transformation rule of a model transformation-based method for verifying time-series properties of a state machine model according to the present application;
FIG. 10 is a schematic diagram of a SCADE variable monitoring mechanism based on the transformation rules of the state machine model time-sequence property verification method of model transformation provided by the application.
Detailed Description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
According to an embodiment of the present application, a method for verifying time sequence properties of a state machine model based on model transformation is provided, as shown in FIG. 1, including:
S101, a model parsing step, parsing a Safety-Critical Application Development Environment (SCADE) text model to obtain a syntax tree instance;
S102, a symbol table container step, loading the syntax tree instance to obtain a symbol table instance;
S103, a model conversion step, converting the symbol table instance into a Symbolic Model Verifier (NuSMV) model according to model conversion rules;
S104, a model checking step, verifying the time sequence properties of the NuSMV model against a Linear Temporal Logic (LTL) formula and a Computation Tree Logic (CTL) formula.
The model parsing step, the symbol table container step and the model conversion step together convert the input SCADE text model into the input model of the model checker, namely a Symbolic Model Verifier (NuSMV) model, and the generated NuSMV model is taken as the input of the model checking step.
The model checking step verifies the timing security requirements and properties of the corresponding state machine system on the NuSMV model.
The model parsing step is implemented as follows:
writing the syntax and semantic declarations of the SCADE text model into a corresponding ANTLR grammar file in the format of ANTLR (ANother Tool for Language Recognition), the ANTLR file describing the syntax and semantics of the SCADE language;
listening to the SCADE text model with corresponding Java listeners according to the declarations in the ANTLR file to obtain syntax tree information;
and generating a syntax tree instance from the syntax tree information.
The parsing interfaces for the SCADE language grammar are generated by the ANTLR tool, and the model syntax tree is built through these interfaces, so that the information in the SCADE state machine model is obtained and used as the input of the subsequent syntax tree listeners (Java listeners).
The various pieces of information on the syntax tree (syntax tree information) are acquired by implementing different Java listener types against the ANTLR runtime Application Programming Interface (API).
The listeners include: operator node listeners, data type listeners, expression listeners, equation listeners, custom operator node listeners, constant listeners, state machine transition relationship listeners, and others.
Used together, these listeners save the information on the syntax tree, which is used to generate the syntax tree instance, into the corresponding collections.
The symbol table container step is implemented as follows:
defining a hierarchical structure symbol table and a sub-state machine structure symbol table;
and loading the syntax tree instance according to the hierarchical structure symbol table and the sub-state machine structure symbol table to obtain the symbol table instance.
The hierarchical structure symbol table is defined by the user according to requirements.
The sub-state machine structure symbol table is likewise defined by the user according to requirements.
The hierarchical structure symbol table (SCADE hierarchical structure symbol table) describes the structure of a SCADE hierarchical state machine: the set of variables, the set of sub-state machines, the set of operators used in the state machine and the set of user-defined function nodes called by the state machine in the SCADE state machine model, together with the data structures of these sets.
The sub-state machine structure symbol table (SCADE sub-state machine structure symbol table) describes the structure of a sub-state machine: the set of all states of the sub-state machine, its initial state, the functions of the sub-state machine and the relationships between states, the transition relations among states, and the event behaviour operations within states; it also defines the data structure of the SCADE sub-state machine structure.
The syntax tree information obtained with the Java listeners is loaded into the symbol table instance.
The conversion rules are based on two types of mechanisms, namely a hierarchical state machine structure conversion mechanism and a variable monitoring mechanism. The hierarchical state machine structure conversion mechanism helps the conversion process by introducing trigger parameter rules, finally constructs the hierarchical structure of the SCADE state machine in the NuSMV target model, and also defines the state transition conversion rules, so that each sub-state machine can be represented by one module in the NuSMV model, and the relationship of the sub-state machines is also stated in the module. The variable monitoring mechanism is used for controlling behavior events in a model state, and the SCADE state has specific event operations which correspond to functions in a real system and change variable values in the model; the variable monitoring mechanism uses monitoring parameters to determine whether these operations are performed, thereby indirectly manipulating the changes in these variables. Based on these model conversion rules, the symbol table instance is converted into a NuSMV model.
The NuSMV model obtained after conversion comprises: a sub-state machine module, a variable monitoring module, a custom function node module and a top-level state machine module (the main module).
Each sub-state machine module corresponds to one SCADE state machine and comprises: the states contained in the sub-state machine, the state transition relationships, the trigger parameters, the monitoring parameter assignments, and the instantiation of the sub-state machines owned by this sub-state machine.
Each variable monitoring module controls the assignment operations of the corresponding output variable through monitoring parameters. If user-defined data flow function nodes are used in the SCADE model, corresponding custom function node modules are generated in the target NuSMV model. The top-level state machine module represents the top-level state machine of the SCADE state machine and is responsible for model variable and parameter declaration, sub-state machine instantiation, variable and parameter initialization, function node instantiation and similar work. There is only one top-level state machine module, and it dominates the whole generated target NuSMV model.
The SCADE state machine comprises a SCADE sub-state machine.
The SCADE text model is a form of representing a SCADE state machine.
The model checking step is realized by the following steps:
verifying the time sequence property of the NuSMV model according to the LTL formula and the CTL formula;
if the current verified time sequence property is met, verifying the next time sequence property;
and if the currently verified time sequence property is not met, outputting counter example information and stopping verification of the time sequence property.
After verification of the timing property is stopped, the method further comprises the following step:
a model debugging step, modifying the original model in the SCADE system development environment according to the counterexample information, generating a new SCADE text model and verifying its time sequence properties again.
The model checking step is used for performing a verification process of the SCADE state machine model, namely the verification of the time sequence property of the NuSMV model.
A user designs the SCADE state machine model with the state machine modelling facilities of the SCADE system development environment and describes clearly, in natural language, the system timing safety requirements to be verified. The SCADE text model derived from the designed SCADE state machine model is taken as the input of the model conversion module, and at the same time the requirements described in natural language are re-described with a temporal logic specification such as LTL or CTL. The SCADE text model yields a NuSMV target model through the model conversion module, and this model together with the time sequence property expression (the timing safety requirement re-described in LTL or CTL) is input into the model checker NuSMV to start the verification process. The verification result is displayed on the visual console: if the time sequence property is met, the next property is verified; if it is not met, a counterexample is output for the user to analyze and debug the original SCADE model, and this cycle is repeated until all time sequence properties are met. By introducing a timing specification description (the time sequence property expression), the SCADE development environment is linked to the model checker NuSMV so that the timing-related security requirements and properties of the SCADE model can be verified.
The timing specification describes timing security requirements for describing the system.
The LTL formula is determined according to the timing security requirements of the natural language description of the SCADE text model.
The CTL formula is determined from the timing security requirements of the natural language description of the SCADE text model.
The syntax semantic declaration includes: program semantics, declaration semantics, type declarations (type declaration semantics), constant declaration semantics, custom operator node declaration semantics, equation and expression declarations (equation and expression semantics), SCADE state machine semantics, and the like.
The time sequence property verification of the satellite control system model is taken as an example. The satellite control system is a sub-control system and is used for controlling the switching of different working modes of the satellite, and covering the separation process of the satellite and the rocket and the working process of the separated satellite.
As shown in FIG. 2, the subsystem is a SCADE state machine model with two sub-state machines, SM1 and SM2, which describe the satellite-rocket separation process and the satellite operating mode after separation. SM1 has two states, an unseparated state (BeforeDepart) and a separated state (AfterDepart); SM2 has three states, representing the speed damping mode (Initial), the wait mode (Wait) and the flywheel control mode (WheelControl). The state of each sub-state machine outputs an operating mode signal for the system, from which the operating mode of the control system is determined. The satellite first receives a satellite-rocket separation signal, enters the separated state according to it, and activates the speed damping mode. In the speed damping mode a time signal describing the duration since separation is monitored, and a time signal exceeding a specified value causes the satellite to enter the wait mode. Entering the wait mode activates a beat counter that records the time elapsed since the mode switch, and when a certain condition is met the satellite formally enters the flywheel control mode. The flywheel control mode is the mode in which most satellites run for long periods and perform their business work; it also has a beat counter and returns to the wait mode after the corresponding time, so as to save the satellite's energy.
The SCADE text model corresponding to this system is derived, and the timing safety requirement to be verified is described in natural language.
Take as an example the verification of the following property: after satellite-rocket separation, the satellite control system enters the wait mode, then enters the flywheel control mode for work after 5 time units, and returns to the wait mode after 10 time units.
It can be described in the following form with the corresponding temporal logic expression:
G((SM_SM1.state=AfterDepart&SM_SM1.Sub_SM2.state=Initial&X SM_SM1.Sub_SM2.state=Wait)->(G[1,6]SM_SM1.Sub_SM2.state=Wait&G[7,17]SM_SM1.Sub_SM2.state=WheelControl))
The NuSMV target model obtained and the time sequence property expression are input together into the model checker NuSMV to execute the verification process, so that the time sequence property of the model is verified and the model can be modified according to the feedback.
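The property above uses interval-bounded operators, G[1,6] and G[7,17]. Where the checker's LTL syntax offers only the unbounded operators X, G, F and U, a bounded G[a,b] p over discrete cycles is equivalent to the conjunction of X^i p for i from a to b (and F[a,b] p to the disjunction), so the bounded form can be expanded before being handed to the model checker. The following Python is an added example written for this page, not the patent's own tool: it performs that expansion for bounded G/F applied to an atomic proposition of the form name=value and wraps the result in a NuSMV LTLSPEC line. The atom names are those of the formula above; the regular expression and the treatment of only atomic operands are assumptions of this example.

```python
"""Added example (not from the patent): expand interval-bounded LTL operators such as
G[1,6] p into the unbounded X/&/| form that a checker without bounded operators
accepts. Semantics over discrete cycles: G[a,b] p = AND_{i=a..b} X^i p and
F[a,b] p = OR_{i=a..b} X^i p. Only bounded operators applied to an atomic
proposition of the form name=value are rewritten; the rest of the formula is
passed through unchanged."""
import re

# Bounded G/F followed by an atom such as SM_SM1.Sub_SM2.state=Wait
_BOUNDED = re.compile(r"\b([GF])\[(\d+),(\d+)\]\s*([A-Za-z_][\w.]*\s*=\s*\w+)")


def _check_interval(a: int, b: int) -> None:
    if a < 0 or b < a:
        raise ValueError("interval must satisfy 0 <= a <= b")


def bounded_globally(p: str, a: int, b: int) -> str:
    """G[a,b] p as nested X: p must hold in every cycle a..b from now."""
    _check_interval(a, b)
    inner = p
    for _ in range(b - a):            # (b-a+1) copies of p, each one cycle apart
        inner = f"({p} & X {inner})"
    for _ in range(a):                # shift the whole block a cycles into the future
        inner = f"X {inner}"
    return inner


def bounded_finally(p: str, a: int, b: int) -> str:
    """F[a,b] p as nested X: p must hold in at least one cycle a..b from now."""
    _check_interval(a, b)
    inner = p
    for _ in range(b - a):
        inner = f"({p} | X {inner})"
    for _ in range(a):
        inner = f"X {inner}"
    return inner


def expand_bounded(formula: str) -> str:
    """Rewrite every bounded G/F-over-atom occurrence in the formula."""
    def repl(m):
        op, a, b, atom = m.group(1), int(m.group(2)), int(m.group(3)), m.group(4)
        fn = bounded_globally if op == "G" else bounded_finally
        return fn(atom, a, b)
    return _BOUNDED.sub(repl, formula)


def to_ltlspec(formula: str) -> str:
    """The NuSMV specification line for the expanded formula."""
    return f"LTLSPEC {expand_bounded(formula)}"


# The satellite property quoted on this page (G[1,6] ... & G[7,17] ...).
SATELLITE_PROPERTY = (
    "G((SM_SM1.state=AfterDepart&SM_SM1.Sub_SM2.state=Initial&X SM_SM1.Sub_SM2.state=Wait)"
    "->(G[1,6]SM_SM1.Sub_SM2.state=Wait&G[7,17]SM_SM1.Sub_SM2.state=WheelControl))"
)

if __name__ == "__main__":
    print(to_ltlspec(SATELLITE_PROPERTY))
```

The expansion grows linearly with the interval width (6 copies of the Wait atom, 11 of the WheelControl atom for the property above), which is acceptable for the short horizons used in such timing requirements; for wide intervals a counter variable in the model is the usual alternative.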
According to an embodiment of the present application, there is also provided a state machine model time-series property verification system based on model transformation, as shown in fig. 3, including:
the model parsing module 101, configured to parse a SCADE text model of the Safety-Critical Application Development Environment to obtain a syntax tree instance;
a symbol table container module 102, configured to load the syntax tree instance to obtain a symbol table instance;
the model conversion module 103, configured to convert the symbol table instance into a Symbolic Model Verifier (NuSMV) model according to model conversion rules;
and the model checking module 104, configured to verify the time sequence properties of the NuSMV model against a Linear Temporal Logic (LTL) formula and a Computation Tree Logic (CTL) formula.
The model parsing module comprises a grammar design unit, a syntax tree traversal unit and a syntax tree generation unit;
the grammar design unit is configured to write the syntax and semantic declarations of the SCADE text model into a corresponding ANTLR grammar file in ANTLR format, the ANTLR file describing the syntax and semantics of the SCADE language;
the syntax tree traversal unit is configured to listen to the SCADE text model with corresponding Java listeners according to the declarations in the ANTLR file to obtain syntax tree information;
and the syntax tree generation unit is configured to generate the syntax tree instance from the syntax tree information.
The symbol table container module comprises a hierarchical structure symbol table definition unit, a sub-state machine structure symbol table definition unit and a syntax tree information loading unit;
the hierarchical structure symbol table definition unit is configured to define a hierarchical structure symbol table;
the sub-state machine structure symbol table definition unit is configured to define a sub-state machine structure symbol table;
and the syntax tree information loading unit is configured to load the syntax tree instance according to the hierarchical structure symbol table and the sub-state machine structure symbol table to obtain the symbol table instance.
The model checking module is specifically configured to:
verifying the time sequence property of the NuSMV model according to the LTL formula and the CTL formula;
if the current verified time sequence property is met, verifying the next time sequence property;
and if the currently verified time sequence property is not met, outputting counter example information and stopping verification of the time sequence property.
The LTL formula is determined according to the timing security requirements of the natural language description of the SCADE text model.
The CTL formula is determined from the timing security requirements of the natural language description of the SCADE text model.
The syntax semantic declaration includes: program semantics, declaration semantics, type declarations, constant declaration semantics, custom operator node declaration semantics, equation and expression declarations, SCADE state machine semantics, and the like.
For a better understanding, the workflow of the present invention will be described below.
As shown in FIG. 4, the SCADE text model derived from the SCADE software is first input to the model parsing module; there, the input SCADE text model passes through the grammar design unit, the syntax tree traversal unit and the syntax tree generation unit to yield a syntax tree instance, which is used as the input of the symbol table container module.
The syntax tree instance includes the structure of the syntax tree and the syntax tree information (the information obtained by listening).
The symbol table container module defines a SCADE hierarchical structure symbol table and a sub-state machine structure symbol table for storing the information of the syntax tree in a new form. It loads the syntax tree instance through the syntax tree information loading unit and converts it into an intermediate structure, i.e., a symbol table instance, which is the input of the model conversion module.
The symbol table instance is finally converted into a target model, namely a NuSMV model, through a model conversion rule in a model conversion module.
The user rewrites the natural language requirement properties of the SCADE text model into LTL and CTL formulas and inputs them into the model checking module. The model checking module verifies the model properties by combining the input NuSMV model with the requirement properties rewritten as LTL and CTL formulas.
The user debugs the original SCADE model according to the resulting counterexample, and so on until all properties are satisfied.
The conversion rule is specifically as follows.
The conversion rules for converting a SCADE state machine (symbol table instance) into a NuSMV input model are based on the STP method. To make it suitable for SCADE state machines, the conversion rules are redefined for the hierarchical structure and state machine characteristics of SCADE, and its monitored-variable mechanism is improved, so as to create a conversion framework from SCADE state machines to NuSMV input models.
FIG. 5 shows a SCADE state machine inside a control node (Node); the state machine has a hierarchical structure. State machine SM1 has two states, A and B, while state machine SM2 has two states, C and D, and SM2 is the sub-state machine of state B. When the state transition condition g1 is satisfied, state A transitions to state B; thus g1, g2, ... in the figure represent the transition conditions between states. The states of SCADE contain specific arithmetic operations, and in each cycle exactly one state of each state machine is active.
The SCADE hierarchical state machine has the characteristics of a Statechart, so two Boolean trigger parameters, active and default, are introduced into the conversion rules, similarly to the STP method. These two trigger parameters help the target model to build the hierarchy of the SCADE state machine so that it is correctly described in the NuSMV model language.
FIG. 6 shows the state machine under simulation; the bold line marks the state that is currently active, in the figure state B. State transitions in a SCADE state machine occur within the same layer: if the state transition condition whose target is state B is satisfied, the state machine takes the transition, state B of SM1 becomes active, and state C in state machine SM2 becomes active as well. That is, in a SCADE hierarchical state machine, when a parent state is active its child state machine is activated. A problem arises when such a structure is turned directly into the NuSMV input model: all MODULEs in a NuSMV program are initialized at the start and are active thereafter. The conversion is therefore not straightforward: when the corresponding MODULE should not be active in certain cycles, the target NuSMV model must be specified in some way that prevents incorrect operation on the variables of the NuSMV model. This is why the trigger parameter active is introduced: it marks whether the corresponding MODULE may be regarded as activated, and thereby handles the conflict between the way the SCADE state machine is started and the NuSMV model.
In the conversion framework, each sub-state machine is ultimately converted into one NuSMV MODULE. Suppose state machine S_sub is the sub-state machine of state S; active denotes whether the state machine containing state S is active, and SM_active denotes whether the sub-state machine S_sub is active. As shown in rule 1 of Table 1, its value is given by the expression on the right of the assignment symbol: when the state machine containing S is active and the current state is S, the state machine S_sub is activated as well.
TABLE 1
Rule 1: trigger parameter active of sub-state machine S_sub
SM_active := (state = S) & active;
Each state machine has its own initial state, and the trigger parameter active tells us whether a given sub-state machine module is triggered. A state may undergo two different kinds of transition:
(1) Default transition: when a state machine is triggered, its initial state is activated first; we call this the default transition.
(2) Regular transition: a transition of the state machine between the states of the layer it belongs to; we call these regular transitions.
In SCADE, suppose a child state machine is activated and performs regular transitions; after some time the parent state of the child state machine transitions because a transition condition changes, i.e. the parent state goes from active to inactive. When the parent state is next activated, the child state machine must perform a default transition, i.e. its initial state must be activated. When the SCADE state machine is converted to a NuSMV input model, the trigger parameter active alone cannot guarantee that the MODULE of the sub-state machine performs the default transition, which is why a second trigger parameter, default, is introduced. By setting the parameter default to True, the target model ensures that the default transition occurs each time a child state machine is entered, activating its initial state.
Let S be the current state and P_1, ..., P_n the predecessors of state S. When the transition condition from one of P_1, ..., P_n to state S is satisfied, the trigger parameter default is set to True. This is meaningful only when the state machine containing state S is active, so, as shown in rule 2 of Table 2, the assignment statement must be conjoined (&) with the trigger parameter active. Suppose Def_S denotes the default parameter of the sub-state machine S_sub of state S. We first initialize the parameter to False, meaning that the state machine S_sub has not yet been initialized; the conversion rule above is then applied to define Def_S:
TABLE 2
Rule 2: trigger parameter default (Def_S) of sub-state machine S_sub [table rendered as image Figure GDA0002216397440000121 in the original]
In addition, there is a special case: the topmost state machine. All state machines in the SCADE state machine model are sub-state machines of the topmost state machine; for example, SM1 in fig. 5 is a sub-state machine of the topmost state machine SM. This state machine corresponds to the main module (MODULE main) of the NuSMV target model. The topmost state machine does not actually need the trigger parameter default, because it is always active. We therefore choose to set default to True in the first time unit and to False in all later time units, which ensures that the default transition of the topmost state machine occurs only at the very beginning and lasts for exactly one cycle. According to rule 3 of Table 3, its parameter default in the main module of the final NuSMV program is defined as:
TABLE 3
Rule 3: trigger parameter default of the main module [table rendered as image Figure GDA0002216397440000122 in the original]
The hierarchical state machine structure in the NuSMV target model can be standardized by the conversion rules for the trigger parameters active and default. Suppose S is a state of sub-state machine SMi, SMj is the sub-state machine of state S, and SMj has a state S1. In the NuSMV target model the hierarchical structure of SMi and SMj is shown in fig. 7: the parameter active in SMi indicates whether SMi is active, and since SMj is the sub-state machine of state S, SMj_active indicates whether SMj is active. This structure combines rules 1 and 2.
Transitions exist between the states of a SCADE hierarchical state machine: in fig. 5, sub-state machine SM1 has two states A and B, and when transition condition g1 is satisfied the transition from state A to state B occurs. Likewise, the transition from state C to state D in sub-state machine SM2 occurs when g3 is satisfied. Each sub-state machine appears in the NuSMV target model as a MODULE; the state names of the SCADE sub-state machine are declared in the enumerated variable state of the corresponding MODULE, which has the two trigger parameters active and default. The parameter active indicates whether the module is really activated, and default indicates whether the default initial transition occurs. Consequently, the state name variable state of the module is meaningful only when the trigger parameter active is True.
According to the characteristics of the SCADE state machine, state transitions occur only between states of the same level. As shown in fig. 8, S_1, ..., S_n in a sub-state machine are the target states of state S, reached through the transition conditions guard(S, S_1), ..., guard(S, S_n), respectively. Conversion rule 4 for regular state transitions is defined with the next keyword of NuSMV, as shown in Table 4.
TABLE 4
Rule 4: regular state transition, defined with next(state) [table rendered as image Figure GDA0002216397440000131 in the original]
It can also be seen that when a state transition occurs in a cycle the state name changes, and that if none of the transition conditions of a state is satisfied, the next state is the state itself. This matches the SCADE state transition semantics, where the operations in a state are performed again when the state machine does not transition. All of this holds only while the enclosing state machine is active, so the trigger parameter active must be conjoined with these conditions.
When a child state machine is about to perform a default transition, its initial state is activated by state transition rule 5, shown in Table 5.
TABLE 5
Rule 5: state transition in the case of a default transition
next(state) := next(active) & next(default) : S0;
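The passages on the trigger parameters active and default and on rules 1 to 5 (Tables 1 to 5) describe a translation that is easiest to see end to end. The following is an added example, not code from the patent: a small Python generator that applies those rules to the hierarchy of fig. 5 (SM1 with states A and B, SM2 with states C and D nested in B) and emits the NuSMV modules. The guards, the input variable x and the LTL property are constructed, and because Tables 2 and 4 appear only as images, the exact layout of the rule 2 and rule 4 assignments is an assumption about how those rules read.

```python
"""Added example (not code from the patent): emit NuSMV modules from a
SCADE-style hierarchical state machine by applying conversion rules 1-5.
The machine of fig. 5 (SM1 = {A, B}; SM2 = {C, D} nested in state B) is
reconstructed below; the guards, the input x and the LTL property are
constructed, and the layout of rules 2 and 4 (images on the page) is an
assumption about how those rules read."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Transition:
    src: str
    dst: str
    guard: str                     # NuSMV boolean expression, e.g. "x > 10"


@dataclass
class StateMachine:
    name: str
    states: List[str]              # states[0] is the initial state S0
    transitions: List[Transition]
    # parent state name -> sub-state machine nested inside that state
    children: Dict[str, "StateMachine"] = field(default_factory=dict)


def sub_machine_module(sm: StateMachine) -> str:
    """One NuSMV MODULE per sub-state machine, with the two trigger
    parameters active and default and an enumerated `state` variable."""
    s0 = sm.states[0]
    out = [f"MODULE {sm.name}(active, default)", "VAR",
           f"  state : {{{', '.join(sm.states)}}};"]
    for parent, child in sm.children.items():
        out.append(f"  Def_{parent} : boolean;")
        out.append(f"  {child.name.lower()} : {child.name}({child.name}_active, Def_{parent});")
    out.append("DEFINE")
    for parent, child in sm.children.items():
        # Rule 1: the child machine is active iff this machine is active
        # and its current state is the parent state the child sits in.
        out.append(f"  {child.name}_active := (state = {parent}) & active;")
    out += ["ASSIGN", f"  init(state) := {s0};", "  next(state) :=", "    case"]
    # Rule 5: a default transition re-enters S0 as soon as the machine
    # becomes active with default raised.
    out.append(f"      next(active) & next(default) : {s0};")
    # Rule 4 (assumed layout): regular transitions, each conjoined with
    # active; the final branch keeps the state when no guard holds.
    for t in sm.transitions:
        out.append(f"      active & state = {t.src} & ({t.guard}) : {t.dst};")
    out += ["      TRUE : state;", "    esac;"]
    for parent in sm.children:
        # Rule 2 (assumed layout): Def_S starts False and is raised for the
        # cycle in which a predecessor transition into S fires while active.
        preds = [f"(state = {t.src} & ({t.guard}))"
                 for t in sm.transitions if t.dst == parent]
        cond = " | ".join(preds) if preds else "FALSE"
        out.append(f"  init(Def_{parent}) := FALSE;")
        out.append(f"  next(Def_{parent}) := active & ({cond});")
    return "\n".join(out)


def main_module(top: StateMachine, inputs: Dict[str, str], specs: List[str]) -> str:
    """The topmost SCADE state machine has one state and is always active,
    so it becomes MODULE main.  Rule 3: default is True in the first cycle
    only.  Environment inputs are free variables; the LTL specs are the
    time sequence properties to be checked."""
    out = ["MODULE main", "VAR", "  default : boolean;"]
    out += [f"  {name} : {typ};" for name, typ in inputs.items()]
    out += [f"  {c.name.lower()} : {c.name}(active, default);" for c in top.children.values()]
    out += ["DEFINE", "  active := TRUE;", "ASSIGN",
            "  init(default) := TRUE;", "  next(default) := FALSE;"]
    out += [f"LTLSPEC {s}" for s in specs]
    return "\n".join(out)


def convert(top: StateMachine, inputs: Dict[str, str], specs: List[str]) -> str:
    """Breadth-first over the hierarchy: main first, then every sub-machine."""
    modules = [main_module(top, inputs, specs)]
    queue = list(top.children.values())
    while queue:
        sm = queue.pop(0)
        modules.append(sub_machine_module(sm))
        queue.extend(sm.children.values())
    return "\n\n".join(modules)


# Reconstruction of fig. 5 with constructed guards (not the patent's values).
SM2 = StateMachine("SM2", ["C", "D"],
                   [Transition("C", "D", "x > 20"), Transition("D", "C", "x < 5")])
SM1 = StateMachine("SM1", ["A", "B"],
                   [Transition("A", "B", "x > 10"), Transition("B", "A", "x = 0")],
                   {"B": SM2})
TOP = StateMachine("SM", ["Top"], [], {"Top": SM1})
INPUTS = {"x": "0..255"}
# Constructed property: SM2 may only be active while SM1 is in state B.
SPECS = ["G (sm1.SM2_active -> sm1.state = B)"]

if __name__ == "__main__":
    print(convert(TOP, INPUTS, SPECS))
```

Running the script prints three modules: main (rule 3 and the instantiation of SM1 with active fixed to TRUE), SM1 (rule 1 for SM2_active, rule 2 for Def_B, rules 4 and 5 in one case statement) and SM2. The output is plain NuSMV text, so it can be handed to NuSMV directly to check the LTLSPEC; whether the property holds is decided by the model checker, not by this generator.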
A reactive system responds to inputs from the environment, drives outputs to specific devices and updates the sensed values of the environment; the SCADE model determines how the system responds. A control system designed in SCADE therefore necessarily contains operations and behaviours that affect output variables. In fig. 5, the input variable x is operated on numerically in state A and the result is written to the output variable o. This shows that behaviour inside a SCADE state updates and changes the values of the declared variables. In the NuSMV target model, the SCADE environment inputs are defined in MODULE main and declared as global variables, and each sub-state machine MODULE updates the values of the global variables in response to, and by operating on, the environment inputs.
In NuSMV, every module can read the value of a global variable of the main module, but NuSMV does not allow several sub-state machine modules to update the same global variable. The monitor-like mechanism of the STP method allows a model to read and write monitored variables: for each event or condition variable Var in a StateChart there is a corresponding module named Set_Var that manipulates the value of Var through monitoring parameters.
The problem, however, is that the events and condition variables in the STP method are abstracted to Boolean variables, whereas the data types of variables in SCADE are more complex. Moreover, in SCADE the state transition conditions and the event behaviours inside states are very specific data-flow operations; for example, in a SCADE state machine a state S may act on a particular variable using several operators.
To address the shortcomings of the STP method for SCADE state machines, a variable monitoring mechanism oriented to the SCADE model is proposed, which establishes a communication mechanism between the sub-state machines and the global variables. The SCADE variable monitoring mechanism first refines the two kinds of variable monitoring parameters of the STP method, set_m and reset_m, into set(var,s) and reset(var,s); second, it designs a SCADE variable monitoring module; and finally, it gives the assignment rules for the two kinds of variable monitoring parameters in each sub-state machine.
In SCADE, event behaviours and branch conditions are expressions over input and output variables; since the input variables are determined by the environment, only the output variables need to be monitored. These monitoring parameters are all declared as global variables in the main module of the NuSMV target model.
By definition, if in a SCADE state machine a state s contains an operation that updates the value of an output variable var, then:
the variable monitoring parameter set(var,s) is a Boolean parameter indicating whether, while the current state is s, the operation in s that affects the variable var needs to be executed;
the variable monitoring parameter reset(var,s) is a Boolean parameter indicating whether, when a state transition whose target is s occurs, the operation in the target state s that affects the variable var needs to be executed.
We also need to define the conversion rule for the variable monitoring module. For an output variable Var, the monitoring module for this variable is named Set_Var. Such a module is responsible for changing the value of Var according to the values of the monitoring parameters: when the corresponding monitoring parameter is True, the module performs the assignment to Var. Let v_1, ..., v_i, ..., v_n be all variables of the SCADE state machine, and let s_1, ..., s_m be all states that contain an operation on the output variable v_i. Rule 6 in Table 6 is the conversion rule for the monitoring module of variable v_i, where set_vi_s1, ..., reset_vi_sm denote the monitoring parameters set(var,s) and reset(var,s); in a particular state s_k, the expressions of the assignment operations on v_i are denoted set_action(s_k) and reset_action(s_k). These assignment operations are the data-flow operations inside the state, which can be translated directly into the corresponding expressions. The conversion rule also allows such assignments to call other user-defined function nodes, so the called function names function_1, ..., function_k must also be declared where necessary.
TABLE 6
Rule 6: conversion rule for the variable monitoring module Set_Var [table rendered as images Figure GDA0002216397440000151 and Figure GDA0002216397440000161 in the original]
With the rules above and the trigger parameters active and default introduced earlier, the structure of the SCADE hierarchical state machine can be built on the NuSMV model. The whole hierarchical state machine operates correctly, however, only if the variable monitoring parameters take the correct values. These monitoring parameters act like switches for the states: when a switch is on, the variable controlled by that switch is updated. The switches therefore have to be controlled dynamically, i.e. the monitoring parameters must be controlled in the module corresponding to each sub-state machine.
The assignment rule for the monitoring parameter set(var,s) is shown in fig. 9(a). Let the current state be s, let T_1, ..., T_m be the successors of state s, and let guard(s, T_i) denote the transition condition from s to T_i, where i ∈ {1, ..., m}. In a SCADE state machine, if none of the transition conditions of state s is satisfied, the next state is still s and the operation in the state is performed again in the next cycle. Thus, as shown in rule 7 of Table 7, whenever the state machine containing s is active and none of its transition conditions is satisfied, set(var,s) is set to True, and otherwise to False. Here set_var_s is equivalent to set(var,s).
TABLE 7
Rule 7: assignment rule for the monitoring parameter set(var,s) (set_var_s) [table rendered as images Figure GDA0002216397440000162 and Figure GDA0002216397440000171 in the original]
The assignment rule for the monitoring parameter reset(var,s) is shown in fig. 9(b). State s is the target state of states P_1, ..., P_n, and the transition condition from state P_j to state s is denoted guard(P_j, s), where j ∈ {1, ..., n}. When guard(P_j, s) is satisfied, the system reaches state s, and the monitoring parameter reset(var,s) is then set. Rule 8 in Table 8 is the assignment rule for reset(var,s); note that if the target state s is the initial state of a sub-state machine, the monitoring parameter must also be set to True. Here reset_var_s is equivalent to reset(var,s).
TABLE 8
Rule 8: assignment rule for the monitoring parameter reset(var,s) (reset_var_s) [table rendered as image Figure GDA0002216397440000172 in the original]
The refined SCADE variable monitoring mechanism controls the value of an output variable indirectly through the monitoring parameters. Fig. 10 is a schematic diagram of the SCADE parameter monitoring mechanism, which establishes communication between the sub-state machine modules and the output variable monitoring modules. As mentioned above, the environment variables of the system correspond to the input variables, which affect the values of other variables in the states and the values of the expressions in the transition conditions, and thereby drive the state transitions of the respective state machines. Each sub-state machine SMi reads these variables and changes the values of the monitoring parameters. The monitoring parameters determine whether the operation on a given output variable in a specific state is executed: if a monitoring parameter is True, the variable monitoring module updates the value of the corresponding output variable. This is how the mechanism changes the value of each variable through the monitoring parameters; the cycle repeats, and this constitutes the variable monitoring mechanism for SCADE.
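Rules 7 and 8 and the Set_Var module of rule 6 are given above only as tables, so the cycle-by-cycle behaviour of the switches is easy to misread. The following is an added example, not code from the patent: a Python simulation of the monitoring mechanism for one output variable o in a constructed two-state machine (states s and t, both of which write o). The guards, the actions and the input trace are constructed; the values of active and default are supplied per cycle as if computed by the parent machine under rules 1 to 3. Two timing conventions are assumptions: a switch raised in cycle k applies its state's action to o in cycle k+1, and a default transition re-enters the initial state at the start of a cycle in which active and default both hold.

```python
"""Added example (not code from the patent): a cycle-by-cycle simulation
of the variable monitoring mechanism, i.e. the switches set(var,s) and
reset(var,s) of rules 7 and 8 and the Set_Var monitor module of rule 6.
The machine (states s and t, both writing the output o), its guards,
actions and input trace are constructed; the timing conventions (a switch
raised in cycle k updates o in cycle k+1; the default transition re-enters
the initial state at the start of a cycle with active & default) are
assumptions."""
from typing import Callable, Dict, List, Tuple

Env = Dict[str, int]          # current values of x (input) and o (output)

INITIAL = "s"
# state -> [(guard, target state)]: the regular transitions of rule 4
TRANSITIONS: Dict[str, List[Tuple[Callable[[Env], bool], str]]] = {
    "s": [(lambda e: e["x"] > 10, "t")],
    "t": [(lambda e: e["x"] == 0, "s")],
}
# the data-flow operation each state performs on o (set_action/reset_action)
ACTIONS: Dict[str, Callable[[Env], int]] = {
    "s": lambda e: e["x"] + 1,
    "t": lambda e: e["o"] * 2,
}

Switches = Dict[str, Tuple[bool, bool]]   # state q -> (set(o,q), reset(o,q))


def monitor_params(state: str, active: bool, default: bool, env: Env) -> Switches:
    """Rule 7: set(o,q) holds when the machine is active, sits in q and no
    outgoing guard of q is satisfied (q is kept and its action runs again).
    Rule 8: reset(o,q) holds when a predecessor transition into q fires,
    or when q is the initial state and the default transition occurs."""
    switches: Switches = {}
    for q, outgoing in TRANSITIONS.items():
        stays = active and state == q and not any(g(env) for g, _ in outgoing)
        entering = active and any(
            state == p and g(env)
            for p, outs in TRANSITIONS.items() for g, dst in outs if dst == q)
        if q == INITIAL and active and default:
            entering = True
        switches[q] = (stays, entering)
    return switches


def set_o(switches: Switches, env: Env) -> int:
    """Set_o monitor module (rule 6): the first raised switch selects which
    state's action computes the next value of o; otherwise o is kept."""
    for q, (stays, entering) in switches.items():
        if stays or entering:
            return ACTIONS[q](env)
    return env["o"]


def simulate(xs: List[int], actives: List[bool], defaults: List[bool]) -> List[dict]:
    """Run the machine over a constructed trace; `actives` and `defaults`
    stand in for the trigger parameters a parent machine would supply."""
    state, o, trace = INITIAL, 0, []
    for k, (x, active, default) in enumerate(zip(xs, actives, defaults)):
        if active and default:           # rule 5: default transition to S0
            state = INITIAL
        env = {"x": x, "o": o}
        switches = monitor_params(state, active, default, env)
        trace.append({"cycle": k, "state": state, "o": o, "switches": switches})
        o = set_o(switches, env)         # monitored update of the output
        if active:                       # rule 4: regular transition, if any
            state = next((dst for g, dst in TRANSITIONS[state] if g(env)), state)
    return trace


# Constructed run: the parent leaves this machine in cycle 3 and re-enters
# it in cycle 4, so default is raised again there.
XS       = [3,    12,    0,     7,     3]
ACTIVES  = [True, True,  True,  False, True]
DEFAULTS = [True, False, False, False, True]

if __name__ == "__main__":
    for row in simulate(XS, ACTIVES, DEFAULTS):
        print(row)
```

The trace shows the three situations the rules distinguish: in cycle 1 the guard s to t fires, so reset(o,t) is raised and o is doubled by t's action; in cycle 3 the machine is inactive, every switch is False and o is left untouched although x changed; in cycle 4 the default transition re-enters s and both set(o,s) and reset(o,s) are True, so s's action runs again. Only the monitor function set_o ever writes o, which is the point of routing every update through Set_Var in the NuSMV model.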
MODULE main in the NuSMV target model describes the topmost SCADE state machine, which has only one state and is always active. The main module mainly handles the variable declarations, including input variables, output variables, state variables and monitoring variables; in addition it handles the instantiations, including those of the sub-state machine modules, the variable monitoring modules and the user-defined node function modules, and the initialization of the monitoring variables.
In this method, the SCADE text model of the high-security application development environment is parsed and converted into a NuSMV model, and the time sequence properties of the NuSMV model are verified against LTL and CTL formulas; the time sequence properties of the SCADE text model are thereby verified, the limits of property verification for SCADE models are overcome, and the security and reliability of the software system are improved. By introducing timing specifications into SCADE formal verification that can describe timing-related security requirements, the timing properties of the model can be verified. Verification of the required properties of hierarchical state machines is supported by a conversion mechanism that automatically translates the SCADE state machine model into a NuSMV model and describes the structure of the hierarchical state machine. The method can be used to debug and correct design defects of SCADE state machine models and, in particular where the system does not satisfy a time sequence property, further reduces development cost and improves system reliability.
The above description is only for the preferred embodiment of the present application, but the scope of the present application is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present application should be covered within the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (7)

1. A method for verifying the time sequence properties of a state machine model based on model conversion, characterized in that it comprises the following steps:
a model parsing step: parsing a SCADE text model of the high-security application development environment to obtain a syntax tree instance; the model parsing step is implemented as follows: according to the syntactic and semantic declarations of the SCADE text model, the SCADE syntactic and semantic declarations are written into a corresponding ANTLR file in the format of the language recognition tool ANTLR (ANother Tool for Language Recognition), the ANTLR file describing the syntactic and semantic declarations of the SCADE language; the SCADE text model is listened to with the corresponding Java listener according to the declarations in the ANTLR file to obtain syntax tree information; and a syntax tree instance is generated from the syntax tree information;
a symbol table container step: loading the syntax tree instance to obtain a symbol table instance;
a model conversion step: converting the symbol table instance into a model of the symbolic model verifier NuSMV according to model conversion rules, the model conversion rules introducing two Boolean trigger parameters, active and default;
a model checking step: verifying the time sequence properties of the NuSMV model according to linear temporal logic (LTL) formulas and computation tree logic (CTL) formulas, wherein
the model conversion rules are based on two kinds of mechanism, a hierarchical state machine structure conversion mechanism and a variable monitoring mechanism; the hierarchical state machine structure conversion mechanism assists the conversion by introducing trigger parameter rules, finally builds the hierarchical structure of the SCADE state machine in the NuSMV target model, and also defines state transition conversion rules, so that each sub-state machine is represented by one module in the NuSMV model and the relationships between sub-state machines are declared in the modules; the variable monitoring mechanism controls the behaviour events in a model state, a SCADE state having specific event operations that correspond to functions in the real system and change variable values in the model; the variable monitoring mechanism uses monitoring parameters to determine whether these operations are performed, and thereby indirectly controls the changes of these variables.
2. The method of claim 1, wherein the symbol table container step is implemented by:
defining a hierarchical structure symbol table and a sub-state machine structure symbol table;
and loading the syntax tree examples according to the hierarchical structure symbol table and the sub-state machine structure symbol table to obtain the symbol table examples.
3. The method of claim 1, wherein the model checking step is implemented by:
verifying the time sequence property of the NuSMV model according to the LTL formula and the CTL formula;
if the current verified time sequence property is met, verifying the next time sequence property;
and if the currently verified time sequence property is not met, outputting counter example information and stopping verification of the time sequence property.
4. The method of claim 3, wherein after stopping the verification of the timing property, further comprising:
a model debugging step: modifying the SCADE system in the development environment according to the counterexample information, generating a new SCADE text model, and verifying its time sequence properties again.
5. The method of claim 1, wherein the LTL formula is determined according to timing security requirements of a natural language description of a SCADE text model.
6. The method of claim 1, wherein the CTL formula is determined according to timing security requirements of a natural language description of a SCADE text model.
7. The method of claim 1, wherein the syntactic semantic declarations include: program semantics, declaration semantics, type declarations, constant declaration semantics, custom operator node declaration semantics, equation and expression declarations, and SCADE state machine semantics.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910606311.5A CN110532167B (en) 2019-07-05 2019-07-05 State machine model time sequence property verification method based on model conversion

Publications (2)

Publication Number Publication Date
CN110532167A CN110532167A (en) 2019-12-03
CN110532167B true CN110532167B (en) 2021-05-04


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20210806

Address after: Room 801, no.6, Lane 600, Yunling West Road, Putuo District, Shanghai 200062

Patentee after: SHANGHAI FORMAL TECH INFORMATION TECHNOLOGY Co.,Ltd.

Address before: 200062 No. 3663, Putuo District, Shanghai, Zhongshan North Road

Patentee before: EAST CHINA NORMAL University

Patentee before: SHANGHAI FORMAL TECH INFORMATION TECHNOLOGY Co.,Ltd.
