CN112269734B - Synchronous language program automatic verification method based on satisfiability solving - Google Patents

Synchronous language program automatic verification method based on satisfiability solving Download PDF

Info

Publication number
CN112269734B
CN112269734B CN202011103235.5A CN202011103235A CN112269734B CN 112269734 B CN112269734 B CN 112269734B CN 202011103235 A CN202011103235 A CN 202011103235A CN 112269734 B CN112269734 B CN 112269734B
Authority
CN
China
Prior art keywords
node
language program
synchronous language
formula
equation
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202011103235.5A
Other languages
Chinese (zh)
Other versions
CN112269734A (en
Inventor
陈哲
孙毅
冉丹
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Nanjing University of Aeronautics and Astronautics
Original Assignee
Nanjing University of Aeronautics and Astronautics
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Nanjing University of Aeronautics and Astronautics filed Critical Nanjing University of Aeronautics and Astronautics
Priority to CN202011103235.5A priority Critical patent/CN112269734B/en
Publication of CN112269734A publication Critical patent/CN112269734A/en
Application granted granted Critical
Publication of CN112269734B publication Critical patent/CN112269734B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/36Preventing errors by testing or debugging software
    • G06F11/3604Software analysis for verifying properties of programs
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/36Preventing errors by testing or debugging software
    • G06F11/3668Software testing
    • G06F11/3672Test management
    • G06F11/3684Test management for test design, e.g. generating new test cases
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/36Preventing errors by testing or debugging software
    • G06F11/3668Software testing
    • G06F11/3672Test management
    • G06F11/3688Test management for test execution, e.g. scheduling of test suites

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Quality & Reliability (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Software Systems (AREA)
  • Devices For Executing Special Programs (AREA)

Abstract

The invention discloses a satisfiability-solving-based synchronous language program automatic verification method, which comprises the steps of internally connecting enumerated values, user-defined types and constants in a synchronous language program into nodes of the synchronous language program, recursively internally connecting all called nodes in a main node of the synchronous language program to obtain the synchronous language program containing a single node, then reducing the memory depth of the program to 1 by introducing a new local data stream, finally expressing the synchronous language program containing the single node and the security attribute thereof as a proposition logic formula, and verifying whether the synchronous language program meets the security attribute to be verified by using a satisfiability model theory solver. The method supports direct verification of large-scale complex synchronous language programs, and can improve verification capability and efficiency and ensure reliability and safety of the programs.

Description

Synchronous language program automatic verification method based on satisfiability solving
Technical Field
The invention relates to the field of computer software, in particular to a satisfiability-solving-based automatic verification method for a synchronous language program.
Background
The embedded system software in the safety critical fields of aviation, aerospace, nuclear energy, traffic and the like is mostly developed and realized by using a synchronous data stream language (short for synchronous language), such as SCADE, Esterel, Lustre, Signal and other languages. Synchronous languageA declarative language, whose underlying data abstraction is the data flow. A synchronization language program is composed of one or more nodes, similar to the functions in C/C + +. Each node has zero or more input and local data streams and one or more output data streams. A data stream is a sequence of values and synchronous languages only support boolean, integer and real data streams. General sequence (x) for data stream1,x2,x3,..) denotes x in parentheses1,x2,x3Representing the values of this data stream at 1 st, 2 nd, and 3 rd clocks, respectively. In synchronous language programs, any variable or expression represents a data stream composed of values on multiple clocks, e.g. variable x represents the data stream (x)1,x2,x3,...)。
Common operators in sync languages include: the method comprises the following steps of arithmetic characters (+, -,/, div, mod), boolean operators (and, or, not), relational operators (>, <), conditional characters (if-then-else), and timing operators, wherein the timing operators mainly comprise the following characters:
(1) pre (X) indicates that a new data stream is formed with the value of expression X on the previous clock. For example, if the integer variable X has a value sequence of X ═ X (X)1,x2,x3,...,xn,..), then the value sequence for pre (x) is pre (x) (nil, x)1,x2,...,xn-1,..), where nil represents a null value.
(2)X->Y denotes the use of expressions X and Y to form a new data stream having the same value as X at the 1 st clock and the same value as Y at the remaining clocks. For example, if X ═ X (X)1,x2,x3,...,xn,..) and Y ═ Y (Y)1,y2,y3,...,yn,..) are two expressions of the same type and the same clock, then X->Y is an expression of the same type and the same clock as X and Y, and X->Y=(x1,y2,y3,...,yn,...). That is, X->Y is always equal to Y. In synchronization words such as SCADEThere is also a similar operator fby, fby (Y, n, X) is an expression of the same type and same clock as X and Y, where n is a static integer, and fby (Y, n, X) is X->pre(X->pre(...pre(X->pre(Y))...))。
(3) while represents the conditions for executing the next statement, similar to if statements in the C/C + + language. If X is an expression and B is a Boolean expression and they have the same clock, then X where B is an expression and its clock is determined by B, its value is the value of X corresponding to B being true. For example, B ═ t (false, true, false, true), X ═ X (X ═ X1,x2,x3,x4,x5,x6,x7) Then X hen B ═ X (, X)2,,x4,,,x7)。
(4) Current (X) indicates that the current value of expression X is maintained. For example, assuming that Y ═ current (x where b), then Y ═ nil, x2,x2,x4,x4,x7) Where nil represents a null value.
It is very important to ensure the reliability and security of the embedded system software in the security critical domain, and therefore, these software must be strictly verified. Because the software is large in scale and complex in function, it is basically infeasible to verify the software manually, and therefore an automatic verification technology must be adopted to improve the efficiency and accuracy of verification. However, the existing automatic verification tools for synchronous language programs do not keep up with the latest development trend of software automatic verification technology, but adopt verification technology based on program translation or verification technology based on propositional logic satisfiability solving, which results in that the tools have some defects in verification capability, usability and verification efficiency.
In particular, the disadvantages of the prior art include the following two points:
first, automatic verification tools based on program translation have poor verification capabilities and usability. Such automatic verification tools translate the sync language program into a formal specification language (e.g., the input language of NuSMV or SPIN) that is specific to the general verification tool, and then perform security attribute verification on the translated specification, but do not perform direct verification on the sync language program. Because the semantics and the expression capabilities of the source language and the target language are different, some structures in the source language cannot be accurately translated into structures in the target language, so that the automatic verification tool does not support some language structures in the source language, the verification capability of the tool is limited, and the usability is poor. The current trend in the field of automated verification is to design proprietary automated verification tools for programming languages so that verification algorithms can be optimized for specific language constructs, thereby improving tool usability and performance.
Secondly, the verification efficiency of the automatic verification tool based on the propositional logic satisfiability solving technology is low, and the propositional logic satisfiability solver can only judge whether a propositional logic formula is satisfiable or not and cannot support important language structures in a program, such as linear operation of integers and real numbers, unexplained function symbols, arrays and the like. However, algorithms designed to be compatible with these language structures have poor general performance, resulting in low verification efficiency, and thus cannot perform automatic verification of security attributes of large-scale complex software systems. The development trend in the field of automatic verification at present is to adopt a satisfiability model theory (SMT for short) to judge the satisfiability of a first-order logic formula under a combined background theory. Satisfiability modulo theory solvers can determine the satisfiability of propositional logic with constraints, such as linear operations of integers and real numbers, unexplained functional symbols, arrays, etc., in one or more specific background theories. Compared with proposition logic satisfiability solving technology, the satisfiability model theory has stronger expression capability, can well describe various language structures in an actual program, and has a high-efficiency satisfiability judgment algorithm, so the method is widely applied to the fields of automatic generation of test cases, program defect detection, program analysis and verification and the like.
Disclosure of Invention
Aiming at the problems, the invention provides a synchronous language program automatic verification method based on satisfiability solving.
In order to realize the aim of the invention, the invention provides a synchronous language program automatic verification method based on satisfiability solving, which comprises the following steps:
s 1: the enumeration value, the user-defined type and the constant in the synchronous language program are linked into the node of the synchronous language program;
s 2: recursively inlining all called nodes in a main node of the synchronous language program to obtain a synchronous language program containing a single node N;
s 3: reducing the memory depth of the program to 1 by introducing a new local data stream;
s 4: expressing the synchronous language program containing the single node N as a propositional logic formula N (N) on the nth clock, and expressing the security attribute P of the synchronous language program as a propositional logic formula P (N);
s 5: and constructing a verification formula based on the propositional logic formula N (n) and P (n), and verifying whether the verification formula is established by utilizing satisfiability mode theory.
Further, the inline operation in step s1 is implemented using the mapping data structure, and the keys in all mapping data structures in the synchronization language program are replaced with their corresponding values in the mapping by traversing the synchronization language program.
Further, the specific process of step s2 includes:
a. renaming the identifier:
adding unique prefixes 'nodal-i-' to identifiers of an input stream, an output stream and a local stream of a called node for renaming, wherein the nodal is the identifier of the called node, and i is an integer and is greater than or equal to 0;
b. the called node is connected in the interior:
and the called node after the identifier is renamed is connected into a calling node in an inline mode, and the calling node N is set as: n ═ a ═ y ═ t [ f (a)) ], where a is a set of other equations in N that do not contain the equation y ═ t [ f (a)) ], where u denotes union operations, y and t denote the data flow on the left of the equation and the expression on the right of the equation, respectively, and where t contains a call f (a) to node f, and where after inlining a new node is obtained: n ═ a ═ y ═ t [ f (a))/O ' ] } { I ' ═ a }, u, B ', I ' and O ' are respectively a set of equations, an input stream set and an output stream set in the called node f after identifier renaming, t [ f (a))/O ' ] denotes that f (a) is replaced by O ' in the expression t, { I ' ═ a } denotes a set of equations where the input stream set I ' and parameter a in the called node f are equal, L ' is set as a set of local streams in the called node f, and simultaneously the data streams I ', O ', L ' in the called node f are all set as local streams in the calling node N;
c. and (c) repeating the steps a and b, and repeatedly rewriting the main node until no node calling expression exists in the main node, so that the synchronous language program containing the single node N is obtained.
Further, the specific process of step s3 includes:
first, assume that the set of data flows V ═ x in the single node N1,x2,...,xp,y1,y2,...,yqIn which x1~xpFor the input data stream, y1~yqA data stream y in the single node N being a partial data stream or an output data stream1~yqValue y at the nth clock1(n)~yq(n) the set of equations Δ (n) is expressed as:
Figure GDA0003505521120000041
wherein, yi(n) denotes the data stream yiValue at nth clock, V (n) represents the value of data stream in V at nth clock, t1~tqRepresenting the expression to the right of the corresponding equation, d is the maximum memory depth of the pre operator in N, assuming data flow yiAnd a data stream xjThere is an equation y containing d pre operatorsi=pre(pre(...(pre(xj) ) d) then d-1 new partial data streams y are introducedixj1,...,yixj(d-1)Replacing the original equation with yi=pre(yixj1) And increasing equation yixj1=pre(yixj2),...,yixj(d-1)=pre(xj) When the maximum memory depth of the pre operator in the equation is reduced from d to 1, the equation set of the single node N becomes the following form:
Figure GDA0003505521120000042
wherein y isq+1~ymIs a newly added local data stream, tq+1~tmThe expression on the right of the corresponding equation is expressed, the value V (N) of the data flow in the single node N at the nth clock is called the transient structure, y in Δ' (N)iThe value of (N) is a function of the instantaneous structure on the nth and N-1 clock, so that the single node N is a constrained system based on the instantaneous structure.
Further, the specific process of step s4 includes:
and respectively representing the synchronous language program containing the single node N and the security attribute P thereof as propositional logic formulas N (N) and P (N) on the nth clock, wherein the propositional logic formula N (N) is a formula obtained by connecting equations in the delta' (N) by using a conjunction operator, and the propositional logic formula P (N) is an expression obtained by replacing variable identifiers in the security attribute P by values of the variables on the nth clock.
Further, the specific process of step s5 includes:
in the first step, two verification formulas are constructed by using the formulas N (n) and P (n):
N(0)∧N(1)∧...∧N(i)╞P(0)∧P(1)∧...∧P(i) (1)
N(n)∧N(n+1)∧...∧N(n+i+1)∧P(n)∧P(n+1)∧...∧P(n+i)╞P(n+i+1) (2)
wherein the symbol ╞ indicates that if the left formula is true, the right formula is also true, i is an arbitrary positive integer, and n indicates an integer variable;
and secondly, verifying whether the constructed verification formula is established:
and (3) exhausting all possible values of i from small to large, and proving whether the formula (1) and the formula (2) are established when i takes a certain value by using a satisfiability mode theory solver to realize the automatic verification of the synchronous language program.
Compared with the prior art, the invention has the following beneficial effects:
compared with the prior art, the method has stronger automatic verification function of the synchronous language program, plays very important roles in expanding the verification scale of the synchronous language program, improving the verification efficiency of the synchronous language program (reducing the consumption of time and space), ensuring the quality and the like, and has good social benefit. The invention realizes the direct verification of the synchronous language program, does not need to convert the synchronous language program into a formal protocol specific to a certain verification tool, solves the problem that the synchronous language program cannot be directly verified, improves the verification efficiency by utilizing the latest satisfiability solving technology and realizes the verification of large-scale complex software.
Drawings
FIG. 1 is a flow diagram of a method for automated verification of a synchronized language program based on satisfiability resolution, according to an embodiment.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application.
Reference herein to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment can be included in at least one embodiment of the application. The appearances of the phrase in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. It is explicitly and implicitly understood by one skilled in the art that the embodiments described herein can be combined with other embodiments.
Referring to fig. 1, the present embodiment uses the method provided by the present invention to implement automatic verification of a SCADE synchronization language program and its security attributes, where the synchronization language program implements a speed regulator, which can perform speed regulation by pressing up and down buttons. In the Control node, the speed threshold value margin is set to 10.5, and the initial value of the speed target value target is 60.0. The speed target value can be adjusted by pressing the up and down buttons: if the down button is pressed, the speed target value is reduced by 1.0; if the up button is pressed, the speed target value is increased by 1.0; otherwise the speed target value remains unchanged. And finally, calculating the decelerate and the accelerate of the output data stream representing the deceleration and acceleration control instruction by calling the Adjuster node. Comparing the actual speed actual with the target speed target in the Adjuster node, if the difference value between the actual speed and the target speed is larger than a threshold value margin, decelerating (true) and accelerating (true) if the difference value is smaller than the threshold value margin. The code is as follows:
Figure GDA0003505521120000061
the specific operation steps of this embodiment are as follows:
s 1: the enumerated values (enum values), user-defined types (user types), and constants (constants) in the sync language program are inlined into nodes (nodes) of the sync language program, where the nodes are similar to functions in the C/C + + language. Implementation of inline operations requires the use of a mapping data structure (i.e., a set of key-value pairs), where the key-value pairs of enumerated values, user-defined types, and constants are denoted as < enum _ value _ id, enum _ value >, < user _ type _ id, type >, and < constant _ id, constant _ value >, respectively. The value _ id represents an enumerated value identifier, the value _ represents an integer value corresponding to the enumerated value identifier, the user _ type _ id represents a user-defined type identifier, the type represents a type corresponding to the user-defined type identifier, the constant _ id represents a constant data stream identifier, and the constant _ value represents a constant value corresponding to the constant data stream identifier. By traversing the synchronization language program, all occurrences of a key in the mapping data structure in the program are replaced with its corresponding value in the mapping.
The following examples are given. Assume that an enumeration type in the synchronization language program is defined as type color ═ enum { red, green, blue }, where type is a key defined by the enumeration type, color is an identifier of the enumeration type, and red, green, and blue are identifiers of enumeration values. The step uses a mapping data structure to store key-value pairs of enumerated values, where the stored contents are<red,0>,<green,1>,<blue,2>}. Suppose there are three integer data streams y in a synchronous language program1、y2And y3And has the equation y1=red、y2Green and y3Blue. By traversing the sync language program, three equations are replaced with y1=0、y21 and y3=2。
S2: all called nodes are recursively linked in the master node of the synchronous language program to obtain a synchronous language program containing a single node. In the following, it is assumed that the master node has a body of N ═ a ═ y ═ t [ f (a) ], where f (a) is a call to another non-master node f, the parameter of the node call is a, t [ f (a)) ] is an expression containing the node call f (a), y ═ t [ f (a)) ] is an equation, and a denotes another set of equations in the master node that does not contain the node call. Assume that the set of equations in the called node f is B, the set of input streams is I, the set of output streams is O, and the set of local streams is L. The method mainly and repeatedly executes the following two substeps: identifier renaming and inlining the called node.
The identifiers are renamed. Identifier renaming in two nodes may occur when a called node is inline into a calling node, and furthermore, identifier renaming may occur when the same node is called multiple times, which may result in multiple inlines. To avoid identifier renaming in these cases, the identifiers of the input, output and local streams of the called node are renamed, and a unique prefix "noredename-i-" is added, wherein the noredename is the identifier of the called node, and the integer i ≧ 0 represents the (i +1) th call and the node is inline. In the following, assume that the set of equations in node f after identifier renaming is B ', the input stream set is I', the output stream set is O ', and the local stream set is L'.
In this example, the master node Control calls the node adjust only once, so that the identifiers of the input stream, the output stream and the local stream of the adjust node are renamed, a unique prefix "adjust-0-" is added, and the obtained input stream is: 0-actual of Adjuster, 0-target of Adjuster, 0-margin of Adjuster, and the output stream is: adjuster-0 to decelerate, and Adjuster-0 to accelerate.
The called node is inlined. And the called node after the identifier is renamed is internally linked into a calling node N ═ A ═ y ═ t [ f (a) ], so that a new node N ═ A ═ y ═ t [ f (a))/O '] } - [ I' ═ a }. U B 'is obtained, wherein t [ f (a))/O' ] represents that f (a) is replaced by O 'in an expression t, and { I' ═ a } represents an equation set in which an input stream set I 'in the called node f and a parameter a are equal, and meanwhile, all data streams I', O 'and L' in the called node f are used as local streams in the calling node N.
And repeating the above two substeps, and repeatedly rewriting the main node until no node in the main node calls the expression.
In this example, the sync language program containing a single node obtained by inlining the called node is as follows:
Figure GDA0003505521120000081
the following equation corresponds to the converted { y ═ t [ f (a)/O' ] } part:
decelerate,accelerate=(Adjuster~0~decelerate,Adjuster~0~accelerate);
the following three equations correspond to the transformed { I' ═ a } part:
Adjuster~0~actual=actual;
Adjuster~0~target=target;
Adjuster~0~margin=margin;
the following two equations correspond to the transformed part B':
Adjuster~0~decelerate=(Adjuster~0~actual-Adjuster~0~target)>Adjuster~0~margin;
Adjuster~0~accelerate=(Adjuster~0~actual-Adjuster~0~target)<(-Adjuster~0~margin);
tel
s 3: the memory depth of the program is reduced to 1 by introducing a new local data stream, i.e. the value of any data stream at the current clock depends on the value of itself or other data streams at the previous clock or on the value of other data streams at the current clock. Note that the last inline operation has resulted in a simultaneous language program containing a single node N, assuming that the data stream set in N is V ═ x1,x2,...,xp,y1,y2,...,yqIn which x1~xpIs an input data stream, y1~yqIs a local or output data stream. From data stream y in N1~yqValue y at the nth clock1(n)~yq(n) the set of equations Δ (n) is expressed as:
Figure GDA0003505521120000082
wherein, yi(n) denotes the data stream yiValue at nth clock, V (n) represents the value of data stream in V at nth clock, t1~tqAre expressions that may contain elements in V (N) to V (N-d) as sub-expressions, d being the maximum memory depth of the pre operator in N, i.e., the value of any data stream at the current clock depends only on the value of the data stream within the past d clocks. Suppose a data stream yiAnd a data stream xjThere is an equation y containing d pre operatorsi=pre(pre(...(pre(xj) ) d) then d-1 new partial data streams y are introducedixj1,...,yixj(d-1)And replacing the original equation with yi=pre(yixj1) And increasing equation yixj1=pre(yixj2),...,yixj(d-1)=pre(xj) The maximum memory depth of the pre operator in the equation is reduced from d to 1. Through this step, the set of equations for node N becomes the following form:
Figure GDA0003505521120000091
wherein y isq+1~ymIs a newly added local data stream, tq+1~tmIs an expression. We refer to the value V (N) of the data stream in node N on the nth clock as the transient structure, e.g., y in Δ' (N)iThe value of (N) is a function of the instantaneous structure on the nth and N-1 clock, so that node N is a constrained system based on the instantaneous structure.
At this time, the memory depth of the program is already 1.
s 4: the synchronous language program containing a single node N and the security attribute P thereof are expressed as propositional logic formulas N (N) and P (N) on the nth clock, wherein N (N) is an expression obtained by connecting equations in delta' (N) by using conjunction operators, and P (N) is an expression obtained by replacing variable identifiers in P by values of the variables on the nth clock.
In this example, the propositional logic formula of the synchronous language program on the nth clock is expressed as follows:
N(n):=(m(n)=10.5)∧(t(n)=ite(n=0,60.0,ite(d(n),t(n-1)-1.0,ite(u(n),t(n-1)+1.0,t(n-1)))))∧(dr(n)=adr(n))∧(ar(n)=aar(n))∧(aa(n)=a(n))∧(at(n)=t(n))∧(am(n)=m(n))∧(adr(n)=(aa(n)-at(n))>am(n))∧(aar(n)=(aa(n)-at(n))<-am(n))
wherein m, t, d, u, dr, ar, a, adr, aar, aa, at, am sequentially represent margin, target, down, up, decelerate, aceleratete, actual, Adjuster-0-decelerate, Adjuster-0-aceleratete, Adjuster-0-actute, Adjuster-0-target, Adjuster-0-margin, m (n) represents the value of data stream m on clock n, and similarly, ite represents if-then-else function.
In this example, the safety attribute to be verified is "this speed governor will always issue a deceleration control command", that is, P: (dr ═ true) Λ (ar ═ false) is always true. Therefore, the propositional logic formula of the security attribute on the nth clock is expressed as follows:
P(n)∶=(dr(n)=true)∧(ar(n)=false)
s 5: and verifying whether the synchronous language program meets the safety attribute to be verified by using a satisfiability model theory solver. The method mainly comprises the following two steps: constructing two verification formulas and proving whether the two formulas hold.
The first step is as follows: the following two verification formulas dependent on the integer i are constructed using formula n (n) representing a synchronization language program and formula p (n) representing a security attribute.
Equation 1: n (0) ^ N (1) ^ N (i) ╞ P (0) ^ P (1) ^ P (i)
Equation 2: n (N) Λ N (N +1) · Λ N (N + i +1) · Λ P (N) Λ P (N +1) · Λ P (N + i) ╞ P (N + i +1)
Where the notation ╞ indicates that if the left formula holds, the right formula holds, i is any positive integer, and n represents an integer variable. These two formulas constitute the basic case part and the inductive reasoning part of the mathematical induction method. Where equation 1 represents the basic case of the first i +1 clocks: if the program N satisfies the constraint from the 0 th clock to the ith clock, the property P is established from the 0 th clock to the ith clock. Equation 2 represents a generalized inference based on past i +1 clocks: if the program N satisfies the constraint from the nth clock to the (N + i +1) th clock, and the attribute P is true from the nth clock to the (N + i) th clock, the attribute P is also true at the (N + i +1) th clock. Thus, if it can be shown that these two equations hold for a certain i, it can be shown that the program N satisfies the property P on all clocks.
The second step is that: all possible values of i are exhausted from small to large, and a satisfiability mode theory solver is used for trying to prove whether the two verification formulas are established on a certain value of i or not. First, for the case where i is 1, an attempt is made to prove, using a satisfiability solver, whether the following two formulas hold: n (0) Λ N (1) ╞ P (0) Λ P (1) and N (N) Λ N (N +1) Λ N (N +2) Λ P (N +1) ╞ P (N + 2). If equation 1 does not hold, the program is explained to be beforeThe attribute is not satisfied within 2 clocks; if the formula 1 and the formula 2 are both established, the attribute is the invariant satisfied by the program; if equation 1 holds and equation 2 does not hold, we can't prove that the attribute is invariant if i is 1, so we next increase the value of i step by step and try again to prove whether two verification equations hold. If formula 1 does not hold for a certain value of i, the program does not meet the attribute on the ith clock, and the formula can be made
Figure GDA0003505521120000101
Generating an opposite example path in the established values; if both formula 1 and formula 2 hold for a certain value of i, it is stated that the attribute is an invariant satisfied by the program.
In this example, two verification formulas for the construction are as follows.
Equation 1:
(m(0)=10.5)∧(t(0)=60.0)∧(dr(0)=adr(0))∧(ar(0)=aar(0))∧(aa(0)=a(0))∧(at(0)=t(0))∧(am(0)=m(0))∧(adr(0)=(aa(0)-at(0))>am(0))∧(aar(0)=(aa(0)-at(0))<-am(0))∧...∧(m(i)=10.5)∧(t(i)=ite(i=0,60.0,ite(d(i),t(i-1)-1.0,ite(u(i),t(i-1)+1.0,t(i-1)))))∧(dr(i)=adr(i))∧(ar(i)=aar(i))∧(aa(i)=a(i))∧(at(i)=t(i))∧(am(i)=m(i))∧(adr(i)=(aa(i)-at(i))>am(i))∧(aar(i)=(aa(i)-at(i))<-am(i))╞P(0)∧...∧P(i)
equation 2:
(m(n)=10.5)∧(t(n)=ite(n=0,60.0,ite(d(n),t(n-1)-1.0,ite(u(n),t(n-1)+1.0,t(n-1)))))∧(dr(n)=adr(n))∧(ar(n)=aar(n))∧(aa(n)=a(n))∧(at(n)=t(n))∧(am(n)=m(n))∧(adr(n)=(aa(n)-at(n))>am(n))∧(aar(n)=(aa(n)-at(n))<-am(n))∧...∧(m(n+i+1)=10.5)∧(t(n+i+1)=ite(d(n+i+1),t(n+i)-1.0,ite(u(n+i+1),t(n+i)+1.0,t(n+i))))∧(dr(n+i+1)=adr(n+i+1))∧(ar(n+i+1)=aar(n+i+1))∧(aa(n+i+1)=a(n+i+1))∧(at(n+i+1)=t(n+i+1))∧(am(n+i+1)=m(n+i+1))∧(adr(n+i+1)=(aa(n+i+1)-at(n+i+1))>am(n+i+1))∧(aar(n+i+1)=(aa(n+i+1)-at(n+i+1))<-am(n+i+1))∧P(n)∧...∧P(n+i)╞P(n+i+1)
in this example, equation 1 does not hold: note that the value of adr (0) ═ aa (0) -at (0)) > am (0) is dr (0) ═ a (0) -t (0)) > m (0), and dr (0) ═ false is obtained by substituting values assuming that the actual speed a (0) when n equals 0 equals 70.0 and (70.0-60.0) > 10.5; since P (0) ═ dr (0) ═ true (ar (0) ═ false), that is, P (0) ═ false, the right side of the equation does not hold. The property P is therefore not an invariant.
Through the operation of all the steps, the automatic verification of the synchronous language program can be realized based on the satisfiability model theory solver.
The technical features of the above embodiments can be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the above embodiments are not described, but should be considered as the scope of the present specification as long as there is no contradiction between the combinations of the technical features.
It should be noted that the terms "first \ second \ third" referred to in the embodiments of the present application merely distinguish similar objects, and do not represent a specific ordering for the objects, and it should be understood that "first \ second \ third" may exchange a specific order or sequence when allowed. It should be understood that "first \ second \ third" distinct objects may be interchanged under appropriate circumstances such that the embodiments of the application described herein may be implemented in an order other than those illustrated or described herein.
The terms "comprising" and "having" and any variations thereof in the embodiments of the present application are intended to cover non-exclusive inclusions. For example, a process, method, apparatus, product, or device that comprises a list of steps or modules is not limited to the listed steps or modules but may alternatively include other steps or modules not listed or inherent to such process, method, product, or device.
The above-mentioned embodiments only express several embodiments of the present application, and the description thereof is more specific and detailed, but not construed as limiting the scope of the invention. It should be noted that, for a person skilled in the art, several variations and modifications can be made without departing from the concept of the present application, which falls within the scope of protection of the present application. Therefore, the protection scope of the present patent shall be subject to the appended claims.

Claims (4)

1. A synchronous language program automatic verification method based on satisfiability solving is characterized by comprising the following steps:
s 1: the enumeration value, the user-defined type and the constant in the synchronous language program are linked into the node of the synchronous language program;
s 2: recursively inlining all called nodes in a main node of the synchronous language program to obtain a synchronous language program containing a single node N;
s 3: reducing the memory depth of the program to 1 by introducing a new local data stream, wherein the method specifically comprises the following steps:
first, assume that the set of data flows V ═ x in the single node N1,x2,...,xp,y1,y2,...,yqIn which x1~xpFor the input data stream, y1~yqA data stream y in the single node N being a partial data stream or an output data stream1~yqValue y at the nth clock1(n)~yq(n) the set of equations Δ (n) is expressed as:
Figure FDA0003528135200000011
wherein, yi(n) denotes the data stream yiValue at nth clock, V (n) represents the value of data stream in V at nth clock, t1~tqRepresenting the expression to the right of the corresponding equation, d is the maximum memory depth of the pre operator in N, assuming data flow yiAnd a data stream xjThere is an equation y containing d pre operatorsi=pre(pre(…(pre(xj) In a) is prepared, d-1 new peptides are introducedPartial data stream y ofixj1,…,yixj(d-1)Replacing the original equation with yi=pre(yixj1) And increasing equation yixj1=pre(yixj2),…,yixj(d-1)=pre(xj) When the maximum memory depth of the pre operator in the equation is reduced from d to 1, the equation set of the single node N becomes the following form:
Figure FDA0003528135200000012
wherein y isq+1~ymIs a newly added local data stream, tq+1~tmThe expression on the right of the corresponding equation is expressed, the value V (N) of the data flow in the single node N at the nth clock is called the transient structure, y in Δ' (N)iThe value of (N) is a function of the instantaneous structure on the nth and N-1 clocks, so that the single node N is a constraint system based on the instantaneous structure;
s 4: the synchronous language program containing the single node N is expressed as a propositional logic formula N (N) on the nth clock, and the safety attribute P is expressed as a propositional logic formula P (N), and the specific method is as follows:
respectively representing a synchronous language program containing the single node N and a security attribute P thereof as propositional logic formulas N (N) and P (N) on the nth clock, wherein the propositional logic formula N (N) is a formula obtained by connecting equations in delta (N) by using a conjunction operator, and the propositional logic formula P (N) is an expression obtained by replacing variable identifiers in the security attribute P by values of the variables on the nth clock;
s 5: and constructing a verification formula based on the propositional logic formula N (n) and P (n), and verifying whether the verification formula is established by utilizing satisfiability mode theory.
2. The method for automatically verifying synchronous language program based on satisfiability solution according to claim 1,
the inline operation in said step s1 is implemented using the mapping data structure, and by traversing the synchronization language program, the keys in all mapping data structures in the synchronization language program are replaced with their corresponding values in the mapping.
3. The method for automatically verifying synchronous language program based on satisfiability solution according to claim 2, wherein the specific process of the step s2 includes:
a. renaming the identifier:
adding unique prefixes 'nodal-i-' to identifiers of an input stream, an output stream and a local stream of a called node for renaming, wherein the nodal is the identifier of the called node, and i is an integer and is greater than or equal to 0;
b. the called node is connected in the interior:
and the called node after the identifier is renamed is connected into a calling node in an inline mode, and the calling node N is set as: n ═ a ═ y ═ t [ f (a)) ], where a is a set of other equations in N that do not contain the equation y ═ t [ f (a)) ], where u denotes union operations, y and t denote the data flow on the left of the equation and the expression on the right of the equation, respectively, and where t contains a call f (a) to node f, and where after inlining a new node is obtained: n ═ a ═ y ═ t [ f (a))/O ' ] } { I ' ═ a }, u, B ', I ' and O ' are respectively a set of equations, an input stream set and an output stream set in the called node f after identifier renaming, t [ f (a))/O ' ] denotes that f (a) is replaced by O ' in the expression t, { I ' ═ a } denotes a set of equations where the input stream set I ' and parameter a in the called node f are equal, L ' is set as a set of local streams in the called node f, and simultaneously the data streams I ', O ', L ' in the called node f are all set as local streams in the calling node N;
c. and (c) repeating the steps a and b, and repeatedly rewriting the main node until no node calling expression exists in the main node, so that the synchronous language program containing the single node N is obtained.
4. The method for automatically verifying synchronous language program based on satisfiability solution according to claim 1, wherein the specific process of the step s5 includes:
in the first step, two verification formulas are constructed by using the formulas N (n) and P (n):
Figure FDA0003528135200000031
Figure FDA0003528135200000032
wherein, the symbol
Figure FDA0003528135200000033
The expression that if the formula on the left side is true, the formula on the right side is also true, i is an arbitrary positive integer, and n represents an integer variable;
and secondly, verifying whether the constructed verification formula is established:
and (3) exhausting all possible values of i from small to large, and proving whether the formula (1) and the formula (2) are established when i takes a certain value by using a satisfiability model theory solver, so as to realize the automatic verification of the synchronous language program.
CN202011103235.5A 2020-10-15 2020-10-15 Synchronous language program automatic verification method based on satisfiability solving Active CN112269734B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011103235.5A CN112269734B (en) 2020-10-15 2020-10-15 Synchronous language program automatic verification method based on satisfiability solving

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202011103235.5A CN112269734B (en) 2020-10-15 2020-10-15 Synchronous language program automatic verification method based on satisfiability solving

Publications (2)

Publication Number Publication Date
CN112269734A CN112269734A (en) 2021-01-26
CN112269734B true CN112269734B (en) 2022-04-26

Family

ID=74337984

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011103235.5A Active CN112269734B (en) 2020-10-15 2020-10-15 Synchronous language program automatic verification method based on satisfiability solving

Country Status (1)

Country Link
CN (1) CN112269734B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7640536B1 (en) * 2005-09-27 2009-12-29 Rockwell Collins, Inc. Variable graph minimization for improved model-checking performance
US8041554B1 (en) * 2007-06-06 2011-10-18 Rockwell Collins, Inc. Method and system for the development of high-assurance microcode
CN106648813A (en) * 2016-09-19 2017-05-10 南京航空航天大学 Formalized compiling method for synchrony data flow program
WO2018007822A1 (en) * 2016-07-08 2018-01-11 Cocotec Limited An interoperable extensible system for the generation of verified software code
CN110532167A (en) * 2019-07-05 2019-12-03 华东师范大学 A kind of state machine model timing property verification method based on model conversion

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103646194B (en) * 2013-11-29 2016-04-06 北京广利核系统工程有限公司 A kind of credible sort method of the synchrodata string routine based on Formal Verification
CN108133005B (en) * 2017-12-22 2020-08-21 厦门理工学院 Environment model simulation method based on memory database, terminal equipment and storage medium

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7640536B1 (en) * 2005-09-27 2009-12-29 Rockwell Collins, Inc. Variable graph minimization for improved model-checking performance
US8041554B1 (en) * 2007-06-06 2011-10-18 Rockwell Collins, Inc. Method and system for the development of high-assurance microcode
WO2018007822A1 (en) * 2016-07-08 2018-01-11 Cocotec Limited An interoperable extensible system for the generation of verified software code
CN106648813A (en) * 2016-09-19 2017-05-10 南京航空航天大学 Formalized compiling method for synchrony data flow program
CN110532167A (en) * 2019-07-05 2019-12-03 华东师范大学 A kind of state machine model timing property verification method based on model conversion

Non-Patent Citations (7)

* Cited by examiner, † Cited by third party
Title
"An Open Alternative for SMT-Based Verification of Scade Models";Henning Basold等;《International Workshop on Formal Methods for Industrial Critical Systems》;20140911;第124-139页 *
"Generating property-directed potential invariants by quantifier elimination in a k-induction-based framework";Adrien Champion等;《Science of Computer Programming》;20141018;第103卷;第71-87页 *
"Improved Invariant Generation for Industrial Software Model Checking of Time Properties";Vassil Todorov等;《2019 IEEE 19th International Conference on Software Quality, Reliability and Security (QRS)》;20191003;第334-341页 *
"VERIFYING SAFETY PROPERTIES OF LUSTRE PROGRAMS: AN SMT-BASED APPROACH";George Edward Hagen;《The University of Iowa》;20081231;第1-155页 *
"一种同步语言多线程代码自动生成工具";杨志斌 等;《软件学报》;20190329;第30卷(第7期);第1980-2002页 *
"区域控制器的安全需求建模与自动验证";刘筱珊 等;《软件学报》;20200515;第31卷(第05期);第1374-1391页 *
"同步语言Lustre的编译前端的设计与实现";宋宇婷 等;《计算机技术与发展》;20191107;第30卷(第2期);第33-36页 *

Also Published As

Publication number Publication date
CN112269734A (en) 2021-01-26

Similar Documents

Publication Publication Date Title
Coudert et al. Verification of synchronous sequential machines based on symbolic execution
US6289502B1 (en) Model-based software design and validation
Brzozowski et al. On a ternary model of gate networks
Abel et al. MeMin: SAT-based exact minimization of incompletely specified Mealy machines
Ludwig et al. Properties first—correct-by-construction RTL design in system-level design flows
Fecher et al. UML 2.0 state machines: Complete formal semantics via core state machine
CN112269734B (en) Synchronous language program automatic verification method based on satisfiability solving
Prähofer et al. Monaco—a domain-specific language solution for reactive process control programming with hierarchical components
US7797677B1 (en) Using scripts for netlisting in a high-level modeling system
CN116089264A (en) Synchronous language program multi-attribute incremental model detection method
Burch et al. Symbolic model checking for sequential circuit verification
Chen et al. Automatic test transition paths generation approach from EFSM using state tree
Luo et al. Symbolic model checking for discrete real-time systems
Martin et al. Definition of the DISPEL Language
Toma et al. Combining several paradigms for circuit validation and verification
Billington Extensions to coloured Petri nets and their application to protocols
van Gastel et al. Inference of channel types in micro-architectural models of on-chip communication networks
Strehl Interval diagrams: Increasing efficiency of symbolic real-time verification
Mokadem et al. A new modality for almost everywhere properties in timed automata
Zhang et al. Constraint-based automatic symmetry detection
Chivilikhin et al. Counterexample-guided inference of controller logic from execution traces and temporal formulas
Habermehl et al. Automata-based verification of programs with tree updates
Kort et al. Hierarchical verification using an MDG-HOL hybrid tool
Anceau et al. CASSANDRE: a language to describe digital systems, application to logic design
Pena et al. Efficient Computation of Observer Projections using OP-Verifiers1

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant