JP2009116643A - Device, method and program for controlling inspection time - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To previously detect that a program inspection is not completed within an inspection time limit allocated to the program to be inspected before the inspection time limit elapses, thereby terminating the inspection at the time when detected. <P>SOLUTION: A device for controlling an inspection time includes: a shortest search depth computation unit 32 for computing the shortest search depth that is required for transiting a state from an initial state of the program to a specification-satisfying state, which indicates that a program inspection specification is satisfied, among search depths for representing the number of times executing a program execution statement; an achievability inspection unit 13 for executing an inspection to check the possibility of transiting the state to the specification-satisfying state for every search depth to thereby output an inspection time according to the depth required for an inspection at each of search depth; and an estimated inspection time computation unit 41 for computing a specification-achieving estimation time everytime the achievability inspection unit completes inspection about each search depth. The achievability inspection unit terminates the inspection on the way, when the rest of the inspection time limits exceeds the specification-achieving estimation time, among the inspection time limits with respect to the program inspection. <P>COPYRIGHT: (C)2009,JPO&INPIT

Description

The present invention relates to program verification, and more particularly to program verification of a model checking method.

  As a software verification method, a model checking method applying a formal method is used. The model checking method is a method for checking whether or not there is a state set that proves a specification represented by a calculation tree logic (CTL) in the state transition of the Kripke structure.

A conventional model checking method will be described. The conventional model checking apparatus of FIG. 1 performs model checking (hereinafter referred to as inspection) for verifying that the inspection target program 1 satisfies the inspection specification 2 within the range of the inspection time limit 3. FIG. 2 shows an example of the inspection target program 1. FIG. 3 shows an example of the inspection specification 2.
Referring to the inspection target program 1 in FIG. 2 and the inspection specification 2 in FIG. 3, the inspection specification 2 is such that when the main function receives x as an argument in the verification program 1 as an arbitrary value that can be taken as an INT range, “L9 assert function may be executed.” The inspection target program 1, the inspection specification 2, and the inspection time limit 3 are input from the outside by a conventional method.

[Description of configuration of conventional device]
A configuration of a conventional model checking apparatus will be described. FIG. 1 shows the configuration of a conventional model checking apparatus. The model checking apparatus in FIG. 1 includes an inspection processing unit 10 and a storage device 20.
The inspection processing unit 10 and the storage device 20 are realized by a computer as shown in FIG. Referring to FIG. 4, the inspection processing unit 10 and the storage device 20 each include a processing unit 100, a storage unit 200, an input unit 300, an output unit 400, and a communication unit 500. Each part is electrically connected. The processing unit 100 is an MPU (Micro Processing Unit) or the like, the storage unit 200 is a RAM (Random Access Memory) or ROM (Read Only Memory), the input unit 300 is a keyboard, a mouse, or the like, and the output unit 400 is a liquid crystal display or the like. The communication unit 500 is realized by a LAN (Local Area Network) port or the like. The inspection processing unit 10 and the storage device 20 are connected via the communication unit 500. Alternatively, the inspection processing unit 10 and the storage device 20 are realized in one computer. Each function of the conventional model inspection apparatus is based on the inspection target program 1, the inspection specification 2, and the inspection time limit 3, and the processing program stored in the RAM or ROM of the storage unit 200 is stored in the MPU of the processing unit 100 or the like. It is realized by executing.

(Description of inspection processing unit)
First, the inspection processing unit 10 will be described. The inspection processing unit 10 includes a symbol model creation unit 11, an inspection control unit 12, a reachability inspection unit 13, and an inspection result output unit 14.

  First, the symbol model creation unit 11 will be described. The symbol model creation unit 11 creates a symbol model having a Kripke structure from the inspection target program 1 and the inspection specification 2. The symbol model creation unit 11 creates a symbol model by a conventional technique as described in Non-Patent Document 1. The symbol model creation unit 11 stores the created symbol model in the symbol model storage unit 22 of the storage device 20.

  FIG. 5 shows an example of a symbol model configured by the Kripke structure created by the symbol model creation unit 11 based on the inspection target program 1 of FIG. 2 and the inspection specification 2 of FIG. A symbolic model configured with a Kripke structure is a reach of a finite set V of states, a transition relation R between states, a set V0 of initial states, and a specification satisfaction state (hereinafter, an arrival state) satisfying the specifications of the inspection specification 2. The state set I can be defined as in Equation 1 in FIG. A state set V when the inspection target program 1 in FIG. 3 is converted into a symbol model can be expressed as Equation 2 in FIG. In Equation 2, the previous term on the right side represents a set of labels in program 1. In Equation 2, the next term represents an argument x in the program. The transition relation R between the states is pc representing the label position before transition, d representing the value of the argument x before transition, pc ′ representing the label position after transition by execution of the program execution statement, and execution of the program execution statement As d which represents the value of the argument x after the transition according to, it can be expressed by Equation 3 in FIG. The set I in the initial state can be expressed by Equation 4 in FIG. The set I of the arrival states of the inspection specification 2 can be expressed by Equation 5 in FIG.

  Next, the inspection control unit 12 will be described. The inspection control unit 12 reads the symbol model stored in the symbol model storage unit 22 by the symbol model creation unit 11 and instructs the reachability inspection unit 13 to execute the inspection of the inspection target program 1 within the inspection time limit 3. . The inspection control unit 12 inputs the inspection time limit 3 from the outside.

  Next, the reachability inspection unit 13 will be described. The reachability inspection unit 13 executes an inspection within the inspection time limit 3 as to whether or not the inspection target program 1 satisfies the inspection specification 2 in accordance with an instruction from the inspection control unit 12.

  FIG. 6 is a state transition diagram showing a symbol model of the Kripke structure represented by Equations 1 to 5 in FIG. FIG. 6 will be described. A square represents each state in the inspection target program 1. Arrows represent transitions between the states. In the box, a set of the label of the program execution statement of the program 1 to be checked and the argument x in each state is shown. The transition indicated by the arrow is generated by executing the program execution statement of the inspection target program 1. The transition represents a transition from a state representing a label and argument x value pair before execution of the program execution statement to a state representing a label and argument x value pair changed after execution of the program execution statement.

  With reference to FIG. 6, the transition between the states in a test | inspection is demonstrated. As an example, a transition from a state where the label (hereinafter, L) is 0 and the argument x is 0 in the initial state group set V0 will be described. As shown in FIG. 2, L0 performs processing for setting the argument x. Therefore, when L0 of the program execution statement is executed, the state transitions from (L0,0) to (L1,0). (L1, 0) means that the argument x is 0 in L1. As shown in FIG. 2, L1 performs a process of determining whether or not the argument x is 0. Since the argument x is 0, when the program execution statement L1 is executed, the state transitions from (L1,0) to (L6,0). Next, referring to FIG. 2, L6 performs a process of adding 3 to the argument x. Therefore, when the program execution statement L6 is executed, the state transitions from (L6, 0) to (L6, 3). As a result of executing the state transition by executing the program execution statement in this way, if the transition to the arrival state set I “L9 assert function is executed” indicated by the inspection specification 2 in FIG. It can be proved that the program 1 satisfies the inspection specification 2.

  An inspection method performed by the reachability inspection unit 13 will be described. The reachability checking unit 13 checks whether or not the reachable state set I of the test specification 2 is included in each state that can be reached by n transitions from the initial state set V0. Here, “each state that can be reached by n transitions from the initial state set V0” is called a search depth n. When a program execution statement is executed, a state transition occurs. For example, when a program execution statement is executed three times, three state transitions from the initial state occur. Each state in this case can be said to be the search depth 3. The state that can be reached by the state transition changes depending on what argument is taken when each program execution statement of the inspection target program 1 is executed. The reachability check unit 13 checks whether or not the reachable state set I is included in each state that can be reached from the initial state set V0 at the search depth n.

At the start of inspection, the reachability inspection unit 13 reads the symbol model stored in the symbol model storage unit 22 by the symbol model creation unit 11. The reachability inspection unit 13 starts the inspection with the search depth set to 0 as an initial state.
When the reachability checking unit 13 proves that the reachable state set I of the test specification 2 is included in the state that can be reached by the transition of the search depth n from the initial state V0, the test target program 1 Records that the inspection specification 2 is satisfied in the inspection result 5 and outputs it to the inspection result output unit 14.
On the other hand, the reachability checking unit 13 does not include the arrival state set I of the inspection specification 2 in the state that can be reached by the transition of the search depth n from the initial state V0, and newly arrives at the search depth n. When there is no other possible state, the reachability checking unit 13 increases the search depth to n + 1 and continues the check. In this manner, the reachability inspection unit 13 repeats the inspection by increasing the search depth by 1 until the inspection specification 2 is proved. Such an inspection performed by the reachability inspection unit 13 is a conventional property verification technique and is described in Patent Literature 1 and Non-Patent Literature 2.

  In addition, the reachability inspection unit 13 measures the elapsed inspection time since the start of the inspection. When the inspection elapsed time has passed the inspection limit time 3 before the inspection is completed, the reachability inspection unit 13 ends the inspection when the inspection elapsed time has passed the inspection limitation time 3. In this case, the reachability 13 records in the inspection result 5 that the inspection has not been completed within the inspection time limit 3 and outputs it to the inspection result output unit 14.

  Next, the inspection result output unit 14 will be described. The inspection result output unit 14 outputs the inspection result 5 input from the reachability inspection unit 13 to the external device as the inspection result.

(Description of storage device)
Next, the storage device 20 will be described. The storage device 20 includes a symbol model storage unit 22.

  The symbol model storage unit 22 will be described. The symbol model storage unit 22 stores the symbol model output by the symbol model creation unit 11.

  The above is the description of the configuration of the conventional model checking apparatus.

[Description of Operation Method of Conventional Device]
Next, an operation method of the conventional model checking apparatus will be described with reference to FIG. FIG. 7 shows an operation method of the conventional model checking apparatus.

(Step A01)
The symbol model creation unit 11 of the inspection processing unit 10 inputs the inspection target program 1 and the inspection specification 2 from the outside. The symbol model creation unit 11 creates a symbol model based on the inspection target program 1 and the inspection specification 2. The symbol model creation unit 11 stores the created symbol model in the symbol model storage unit 22 of the storage device 20.

(Step A02)
The inspection control unit 12 of the inspection processing unit 10 inputs the inspection time limit 3 from the outside. The inspection control unit 12 reads a symbol model from the symbol model storage unit 22 of the storage device 20. The inspection control unit 12 instructs the reachability inspection unit 13 to execute the inspection so that the inspection whether the inspection target program 1 satisfies the inspection specification 2 is executed in the inspection time limit 3.

(Step A03)
The reachability inspection unit 13 sets the search depth n = 0 as an initial state at the start of the inspection inspection in accordance with the inspection execution instruction from the inspection control unit 12.

(Step A04)
The reachability checking unit 13 checks whether or not the arrival state set I of the inspection specification 2 is included in each state that can be reached by the state transition of the search depth n from the initial state set V0. In addition, the reachability inspection unit 13 starts measuring the elapsed time of the inspection simultaneously with the start of the inspection. The reachability inspection unit 13 ends the inspection when the elapsed time from the start of the inspection reaches the inspection limit time 3.

(Step A05)
The reachability check unit 13 determines whether or not the reachable state set I is included in all the states that can be reached by the state transition of the search depth n from the initial state set V0. When the arrival state set I is included, the process proceeds to step A06. If the arrival state set I is not included, the process proceeds to step A07.

(Step A06)
When the arrival state set I is included at the search depth n, the reachability checking unit 13 records that the inspection target program 1 satisfies the inspection specification 2 in the inspection result 5 and outputs it to the inspection result output unit 14 To do. The inspection result output unit 14 inputs the inspection result 5 and outputs the inspection result 5 to the outside. The reachability inspection unit 13 notifies the inspection control unit 12 of the completion of the inspection of the inspection target program 1 and completes the inspection.

(Step A07)
When the arrival state set I is not included in the search depth n, the reachability check unit 13 continues the inspection. The reachability check unit 13 sets the search depth n = n + 1 and returns to Step A04.

  The above is the description of the operation method in the conventional symbol model checking apparatus. In this way, the reachability checking unit 13 repeats the inspection while starting from the search depth 0 times and increasing n to determine whether the arrival state set I can be reached at the search depth n.

  The above is the description of the conventional model checking apparatus.

The conventional model checking method has a problem that the length of the checking time cannot be grasped. This is because the search depth necessary for proof of the inspection specification is unknown at the time of starting the inspection. If the inspection is not actually performed, the inspection time cannot be grasped because it is unclear whether the inspection specification can be proved by repeating the inspection to what search depth.
Further, the conventional model checking method has a problem that the checking time becomes very long. Due to the problem of state explosion where the number of states increases exponentially as the search depth increases, the situation can be such that the inspection itself is not completed.
For this reason, in the conventional model inspection method, a time limit is set in advance, and if the inspection is not completed within the time limit, the inspection is halfway when the elapsed time from the start of the inspection reaches the time limit. The method of ending is taken.
However, even if such a method requires a huge amount of time, there is a problem that it is impossible to determine whether or not the inspection is completed other than continuing the inspection up to the upper limit of the time limit. Exists. In other words, it is understood that the verification is not completed only after the time limit is actually used up over an enormous amount of time, even though the test is likely to take an enormous amount of time. Patent Document 2 and Patent Document 3 disclose examples of controlling the inspection time in the model inspection method.
JP 2003-030270 A JP 2004-005674 A JP-A-10-063537 “Investigation of verification tools using abstraction” Yoshinori Tanabe, Toshinori Takai, Koichi Takahashi Technical Report PS-2003-007, 2003 “Formal Verification Method Based on Logical Function Processing” Hiromi Hiraishi, Kiyoji Hamaguchi, Information Processing Vol. 35 (8), 1994

  The object of the present invention is to detect that the inspection of the program is not completed within the inspection time limit assigned to the program to be inspected before the inspection time limit elapses, and end the inspection at the time of detection. It is to provide an inspection time control device capable of performing the above.

  The inspection time control device of the present invention changes the state from the initial state of the program to the specification satisfaction state indicating that the inspection specification of the program is satisfied, out of the search depth indicating the number of times the execution statement of the program to be inspected is executed. In the program, the shortest search depth calculation unit that calculates the shortest search depth required to perform a check to determine whether it is possible to change the state to the specification satisfaction state for each search depth, and to check each search depth A reachability inspection unit that outputs the inspection time according to depth required for each and a specification that is the expected time required to complete the inspection to the shortest search depth every time the reachability inspection unit completes the inspection for each search depth An expected inspection time calculation unit for calculating the expected arrival time is provided, and the reachability inspection unit provides the remaining remaining inspection time limit of the inspection time limit for the program inspection. If the estimated arrival time exceeds ends prematurely inspection.

The inspection time control method of the present invention includes:
Calculates the shortest search depth required to change the state from the initial state of the program to the specification satisfaction state indicating that the inspection specification of the program is satisfied, among the search depths indicating the number of times the executable statement of the program to be inspected is executed The shortest search depth calculation step,
In the program, an inspection execution step for executing an inspection of whether it is possible to change the state to the specification satisfaction state for each search depth;
An inspection time output step by depth for outputting the inspection time by depth required for the inspection at each of the search depths;
Each time the reachability inspection unit completes the inspection for each search depth, an expected time calculation step of calculating a specification arrival time that is an expected time required to complete the inspection to the shortest search depth;
The reachability inspection unit includes an inspection end step for ending the inspection halfway when the specification arrival expected time exceeds the remaining remaining inspection time limit of the inspection time limit for the inspection of the program.

  The program of the present invention realizes the above-described inspection time control method by a computer.

  According to the present invention, it is detected that the inspection of the program is not completed within the inspection time limit assigned to the program to be inspected before the inspection time limit elapses, and the inspection is terminated at the time of detection. Therefore, it is possible to prevent the state where the inspection of the program is not completed even if the inspection time limit is used up, and the inspection time can be made more efficient.

  An embodiment as the best mode for carrying out an inspection time control apparatus according to the present invention will be described below with reference to the accompanying drawings.

FIG. 8 shows an inspection time control apparatus according to this embodiment of the present invention. The model checking time control device in FIG. 8 performs model checking (hereinafter referred to as checking) for verifying that the checking target program 1 satisfies the checking specification 2 within the range of the checking time limit 3.
In the description of this embodiment, the inspection target program 1 and the inspection specification 2 are the same as those of the conventional model inspection apparatus. FIG. 2 shows an example of the inspection target program 1. FIG. 3 shows an example of the inspection specification 2. Similar to the description of the conventional model checking apparatus, referring to the inspection target program 1 in FIG. 2 and the inspection specification 2 in FIG. 3, the inspection specification 2 is an arbitrary value that the main function can take as an INT range in the verification program 1. When x consisting of a value is received as an argument, it indicates that “the L9 assert function may be executed”. The inspection target program 1, the inspection specification 2, and the inspection time limit 3 are input from an external device to the constituent parts of the model inspection time control device.

[Description of configuration]
The configuration of the model time control device of this embodiment will be described with reference to FIG. The model checking time control apparatus according to this embodiment includes an checking processing unit 10, a storage device 20, a depth calculating unit 30, and a time calculating unit 40. The inspection processing unit 10, the storage device 20, the depth calculation unit 30, and the time calculation unit 40 are realized by a conventional computer as shown in FIG. The inspection processing unit 10, the storage device 20, the depth calculation unit 30, and the time calculation unit 40 each include a processing unit 100, a storage unit 200, an input unit 300, an output unit 400, and a communication unit 500. The processing unit 100 is an MPU (Micro Processing Unit) or the like, the storage unit 200 is a RAM (Random Access Memory) or ROM (Read Only Memory), the input unit 300 is a keyboard, a mouse, or the like, and the output unit 400 is a liquid crystal display or the like. The communication unit 500 is realized by a LAN (Local Area Netword) port or the like. Each function of the model inspection time control device of the present invention is for processing stored in the RAM, ROM, or the like of the storage unit 200 based on the inspection target program 1, inspection specification 2, and inspection time limit 3 input from the outside. The program is realized by the MPU or the like of the processing unit 100 executing the program. Each part of the inspection processing unit 10, the storage device 20, the depth calculation unit 30, and the time calculation unit 40 is connected by wired communication technology or wireless communication technology. These may be directly connected or may be connected via a network. These are realized by conventional data communication technology. Moreover, each part of the test | inspection process part 10, the memory | storage device 20, the depth calculation part 30, and the time calculation part 40 may be implement | achieved in one computer.

(Description of inspection processing unit)
First, the inspection processing unit 10 will be described. The inspection processing unit 10 includes a symbol model creation unit 11, an inspection control unit 12, a reachability inspection unit 13, and an inspection result output unit 14.

  First, the symbol model creation unit 11 will be described. The symbol model creation unit 11 creates a symbol model having a Kripke structure from the inspection target program 1 and the inspection specification 2. The symbol model creation unit 11 creates a symbol model by a conventional technique as described in Non-Patent Document 1. The symbol model creation unit 11 stores the created symbol model in the symbol model storage unit 22 of the storage device 20. FIG. 5 shows an example of a symbol model configured by the Kripke structure created by the symbol model creation unit 11 based on the inspection target program 1 of FIG. 2 and the inspection specification 2 of FIG. The description of the example of the symbol model configured with the Kripke structure shown in FIG. 5 is the same as the description of the conventional model checking apparatus described above, and will be omitted.

Next, the inspection control unit 12 will be described. The inspection control unit 12 reads the symbol model stored in the symbol model storage unit 22 by the symbol model creation unit 11 and instructs the reachability inspection unit 13 to execute the inspection of the inspection target program 1 within the inspection time limit 3. . The inspection control unit 12 inputs the inspection time limit 3 from the outside.
In addition, when the expected examination time calculation unit 41 of the time calculation unit 40 determines that the examination is not completed within the examination time limit 3 and the expected examination time calculation unit 41 outputs a test completion failure notification described later, The control unit 12 inputs a test completion failure notification and issues a test end command to the reachability test unit 13. In this case, the reachability inspection unit 13 receives the inspection end order and ends the inspection.

  Next, the reachability inspection unit 13 will be described. The reachability inspection unit 13 executes an inspection within the inspection time limit 3 as to whether or not the inspection target program 1 satisfies the inspection specification 2 in accordance with an instruction from the inspection control unit 12. FIG. 6 is a state transition diagram showing a symbol model of the Kripke structure represented by Equations 1 to 5 in FIG. The explanation about FIG. 6, the explanation about the transition between the states by executing the program execution statement, and the explanation about the inspection method of the reachability checking unit 13 are the same as the explanation of the conventional model checking apparatus described above. I will omit it. The inspection performed by the reachability inspection unit 13 is a conventional property verification technique and is described in Patent Literature 1 and Non-Patent Literature 2.

As a result of the inspection, an arrival state set, which is a set of specification satisfaction states (hereinafter referred to as arrival states) satisfying the specification of the inspection specification 2 to a state that can be reached from the initial state set V0 by the state transition of the search depth n. When I is included, the reachability inspection unit 13 records that the inspection target program 1 satisfies the inspection specification 2 in the inspection result 5 and outputs it to the inspection result output unit 14.
On the other hand, the arrival state set I of the inspection specification 2 is not included in the state that can be reached by the state transition of the search depth n from the initial state set V0, and the state that can be newly reached by the state transition of the search depth n. If there is no other, the reachability check unit 13 increases the search depth to n + 1 and continues the check.
Further, when the inspection end command is received from the inspection control unit 12, the reachability inspection unit 13 ends the inspection when the inspection end command is received. In this case, the reachability inspection unit 13 outputs the inspection result 5 in which the inspection is ended by the inspection end instruction to the inspection result output unit 14.

The reachability inspection unit 13 measures an elapsed time from the start of the inspection. If the elapsed time from the start of the inspection reaches the inspection limit time 3 before the inspection is completed, the reachability inspection unit 13 ends the inspection at that time. The reachability inspection unit 13 outputs to the inspection result output unit 14 the inspection result 5 that records that the inspection has been completed because the inspection time limit 3 has been used up.
Furthermore, in this embodiment, the reachability inspection unit 13 measures the search time required for the inspection for each search depth n. Each time the inspection process at the search depth n is completed, the reachability inspection unit 13 associates the search time required for the inspection at the search depth n with the search depth n to the search time storage unit 24 of the storage device 20. save.

  Next, the inspection result output unit 14 will be described. The inspection result output unit 14 outputs the inspection result 5 input from the reachability inspection unit 13 to the external device as the inspection result. The format of the inspection result 5 is not particularly limited in the present embodiment. These are realized by technology using conventional data formats.

(Description of depth calculation unit)
Next, the depth calculation unit 30 will be described. The depth calculation unit 30 includes a state transition model creation unit 31 and a shortest search depth calculation unit 32.

  First, the state transition model creation unit 31 will be described. The state transition model creation unit 31 reads the inspection target program 1 and the inspection specification 2 and creates a state transition model represented by a control flow graph. The process in which the state transition model creation unit 31 creates the state transition model from the inspection target program 1 is performed by a conventional technique for creating a control flow graph from a program generally used by a compiler or the like. The state transition model creation unit 31 stores the created state transition model in the state transition model storage unit 21 of the storage device 20.

  Next, the shortest search depth calculation unit 32 will be described. The shortest search depth calculation unit 32 calculates the shortest search depth N from the state transition model created by the state transition model creation unit 31. The shortest search depth calculation unit 32 reads a state transition model from the state transition model storage unit 21. The shortest search depth calculation unit 32 obtains the number of state transitions of the shortest path from the initial state to the arrival state indicated by the inspection specification 2 as an effective graph ignoring the condition branch condition on the state transition model. The shortest search depth N means the minimum search depth required to reach the arrival state required by the inspection specification 2 from the initial state set V0. The shortest search depth calculation unit 32 calculates the shortest path in the effective graph by a conventional technique such as the Dijkstra method. The shortest search depth calculation unit 32 stores the calculated shortest search depth N in the shortest search depth storage unit 23 of the storage device 20.

  The calculation method of the shortest search depth N in a present Example is demonstrated using FIG. FIG. 10 shows a state transition model created by the state transition model creation unit 31 from the inspection target program 1 and the inspection specification 2 of FIG. Squares shown in FIG. 10 are states that can be taken in the inspection target program 1. Each state represents a label (L0 to L9) position of each program execution statement of the inspection target program 1. Moreover, the arrow from the state to the state shown in FIG. 10 represents the state transition from the state to the state. A state transition from state to state occurs by executing a program execution statement in the inspection target program 1. By executing the program execution statement, a state transition is made from the state of the label position before the execution of the program execution statement to the state of the label position after the execution of the program execution statement. The IF statement in the inspection target program 1 is represented as a transition condition in transition. “Assert function may be executed” in the inspection specification 2 means that “there is a path from the start state L0 to the state L9”.

Next, in FIG. 10, calculation of the minimum number of program executions required for state transition from the initial state (L0 in FIG. 10) to the arrival state (L9 in FIG. 10) indicated by the inspection specification 2 of the inspection target program 1 is performed. explain. The shortest search depth calculation unit 32 finds the shortest path from the program start position L0 to L9, which is the arrival state indicated by the inspection specification 2, as an effective graph ignoring the condition of the branch condition. This shortest path is the minimum number of state transitions required to reach the arrival state indicated by the inspection specification 2 from the initial state in the inspection target program 1, and the execution of the minimum necessary program execution statement in the inspection target program 1 Is the number of times. Whatever the conditional branch in each state of the inspection target program 1, it is not possible to reach the arrival state indicated by the inspection specification 2 from the initial state with the number of state transitions smaller than the number of state transitions. Similarly, it is not possible to reach the arrival state indicated by the inspection specification 2 from the initial state with the number of executions of the program execution statement smaller than the number of executions. The number of state transitions, which is the number of executions of this program execution statement, is the shortest search depth N.
In FIG. 10, when considered as an effective graph ignoring the condition of the branch condition, the shortest path from L0 in the initial state to L9 in the arrival state indicated by the inspection specification 2 transitions from L0 to L1, L6, L7, L8, and L9. It becomes a route to do. This shortest path transitions between states five times. Thereby, the shortest search depth N from the initial state to the arrival state indicated by the inspection specification 2 in the inspection object program 1 is “N = 5”.

(Explanation of time calculator)
Next, the time calculation unit 40 will be described. The time calculation unit 40 includes an expected examination time calculation unit 41.

The expected inspection time calculation unit 41 will be described. The expected inspection time calculation unit 41 determines whether the inspection up to the shortest search depth N is completed within the inspection time limit 3.
Hereinafter, a determination method performed by the expected inspection time calculation unit 41 will be described. First, the expected inspection time calculation unit 41 calculates the expected specification arrival time each time the reachability inspection unit 13 completes the inspection at the search depth n. The specification arrival expected time is the remaining time that is expected to be required for the inspection from the search depth n + 1 to the shortest search depth N when the reachability inspection unit 13 completes the inspection of the search depth n. The expected examination time calculation unit 41 is based on the search time for each search depth stored in the search time storage unit 24 of the storage device 20 and the shortest search depth N stored in the shortest search depth storage unit 23 of the storage device 20. Then, the expected specification arrival time is calculated.

  Next, the expected inspection time calculation unit 41 calculates the remaining inspection time limit 3 (hereinafter, “remaining inspection time limit”) obtained by subtracting the elapsed time from the start of the inspection to the present time from the inspection time limit 3. The elapsed time from the start of the inspection to the present time is obtained by accumulating the search time for each search depth from the initial inspection state where the search depth n = 0 to the present when the search of the search depth n is completed. The expected examination time calculation unit 41 sums up the search times for each search depth stored in the search time storage unit 24 of the storage device 20, and obtains the elapsed time from the start of the examination to the present. The remaining inspection time limit is calculated by subtracting the elapsed time from the inspection time limit 3.

Next, the expected inspection time calculation unit 41 determines whether or not the expected arrival time exceeds the remaining inspection time limit. The predicted inspection time calculation unit 41 subtracts the specification arrival predicted time from the remaining inspection time limit. The expected inspection time calculation unit 41 subtracts the specification arrival prediction time from the remaining inspection time limit. If the result is greater than 0, the specification arrival expected time does not exceed the remaining inspection time limit, and the inspection is completed within the inspection time limit 3. Judge that. On the other hand, if the result of subtracting the specification arrival prediction time from the remaining inspection time limit is 0 or less, the expected inspection time calculation unit 41 exceeds the remaining inspection time limit and the inspection is within the inspection time limit 3 Is determined not to be completed.
When the predicted inspection time calculation unit 41 determines that the inspection is not completed within the inspection time limit 3, the predicted inspection time calculation unit 41 outputs an inspection completion failure notification to the inspection control unit 12. The inspection control unit 12 receives the notification of the completion of the inspection and instructs the reachability inspection unit 13 to end the inspection. On the other hand, when the expected inspection time calculation unit 41 determines that the inspection is completed within the inspection time limit 3, the inspection is not output and the inspection is continued.
Note that the method of calculating the specification arrival prediction time, the method of determining whether or not the inspection is completed within the inspection limit time 3, and the method of instructing to end or continue the inspection are not limited to this. For example, when the expected inspection time calculation unit 41 determines that the inspection is completed within the inspection time limit 3, the inspection inspection unit 12 outputs an inspection continuation instruction, and the inspection control unit 12 inspects the reachability inspection unit 13 according to the inspection continuation instruction. May be ordered to continue. In addition, the predicted inspection time calculation unit 41 may execute only the calculation of the specification arrival predicted time, and the inspection control unit 12 may determine whether to end or continue the inspection.

  Expression 6 in FIG. 11 is a calculation expression for the expected inspection time calculation 41 in this embodiment to calculate the specification arrival expected time. In model checking, as the search depth increases, the search time increases exponentially (reference document: Patent Document 2). The analogy of the search time for each search depth that increases exponentially can be calculated by the exponential approximation method. However, the exponential approximation method has a large error at a stage where the search depth n is small, and there is a possibility that it may be erroneously determined to time out until the inspection of the inspection target program 1 that can complete the inspection within the time limit. is there. Therefore, in the embodiment, an erroneous determination is made by calculating the expected specification arrival time using Equation 6 of FIG. 11 based on the increase rate of the search time that is the difference between the search depth n and the search depth n−1. prevent. The calculation formula for the specification arrival prediction time is not limited to this example. Using other calculation formulas such as a method of calculating based on the search time for each search depth, a method of calculating based on the difference between the search time at the search depth n and the search time at the search depth n−1, etc. It is also possible to calculate.

  FIG. 12 shows the remaining search depths using Expression 6 in FIG. 11 at each stage of the search depth n = 1 to 8 when the shortest search depth N = 15 in a certain inspection target program 1 and inspection specification 2. The example which calculated every prediction search time is represented. A value obtained by summing up the expected search times for the remaining search depths is a specification arrival prediction time, which is necessary for completing the reachability check of the shortest search depth N = 15 including the arrival state set I indicated by the check specification 2. Remaining time.

  The items in FIG. 12 will be described. “Search depth n” indicates each search depth. “Search time at search depth n” indicates the search time actually required for inspection at each search time. Referring to FIG. 12, in the inspection target program 1, 13 seconds when the search depth n = 1, 22 seconds when the search depth n = 2, 32 seconds when the search depth n = 3, and when the search depth n = 4 It can be confirmed that the search time of 41 seconds was required. The search time at the search depth n is a time saved in the search time storage unit 24 by the reachability inspection unit 13 every time inspection for each search depth is completed. “Elapsed time to search depth n” is the time elapsed from the start of inspection (search depth n = 0 because of the initial state) until the completion of inspection of search depth n. “Elapsed time to search depth n” indicates the total search time for each search depth. Referring to FIG. 12, it can be confirmed that 638 seconds were required from the start of the inspection to the completion of the inspection at the search depth 6. This is the accumulated time of the search time at each search depth from the search depth 0 to the search depth 5. The “expected search time for each search depth predicted at the search depth n” is the shortest from the search depth n + 1 using the equation 6 in FIG. 11 when the expected inspection time calculation unit 41 completes the inspection at a certain search depth n. The result of calculating the expected search time at each search depth up to the search depth N = 15 is shown. Referring to FIG. 12, assuming that the inspection at the search depth n = 4 is currently completed, the expected inspection time calculation unit 41 performs a search time of 50 seconds at the search depth n = 5 and 59 seconds at the search depth n = 6. It can be confirmed that it is expected to require. The “specification expected arrival time” is the expected search time for each search depth from the search depth n + 1 to the shortest search depth N = 15 calculated by the expected inspection time calculation unit 41 when the inspection at each search depth n is completed. Is the cumulative total. Referring to FIG. 12, the expected inspection time calculation unit 41 can confirm that the expected specification arrival time at the time when the inspection at the search depth n = 4 is completed is expected to be 1045 seconds.

  With reference to FIG. 12, the example of the determination method by the estimated examination time calculation part 41 is demonstrated. In the example of the inspection shown in FIG. 12, it is assumed that the inspection time limit 3 is 10,000 seconds. From FIG. 12, when the reachability inspection unit 13 completes the inspection at the search depth n = 5, the expected inspection time calculation unit 41 sets the expected specification arrival time up to the shortest search depth N = 15 to 5,675 seconds. Calculated. Next, the expected inspection time calculation unit 41 calculates the remaining inspection time limit by subtracting the elapsed time from the inspection time limit 3 to the present time. The expected inspection time calculation unit 41 calculates the remaining inspection time limit as “10,000 seconds−234 = 9,766 seconds” from FIG. 12. Next, the expected inspection time calculation unit 41 subtracts the expected specification arrival time from the remaining inspection time limit, and determines whether the expected specification arrival time has exceeded the remaining inspection time limit. As shown in FIG. 12, the expected inspection time calculation unit 41 is “9,766 seconds−5675 seconds = 4,091 seconds”, and at this point in time, the expected specification arrival time does not yet exceed the remaining inspection limit time. Therefore, the reachability inspection unit 13 continues the inspection with the search depth n = n + 1 (in this case, the search depth 6).

  Further, the inspection is continued, and the reachability inspection unit 13 completes the inspection at the search depth 6. From FIG. 12, the reachability check unit 13 requires 404 seconds to check the search depth n = 6. The expected inspection time calculation unit 41 calculates the specification arrival expected time using Expression 6 in FIG. From FIG. 12, the expected inspection time calculation unit 41, when the reachability inspection unit 13 completes the inspection with the search depth n = 6, sets the expected specification arrival time up to the shortest search depth N = 15 to 16,326 seconds. Calculated. Next, the expected inspection time calculation unit 41 calculates the remaining inspection time limit by subtracting the time obtained by subtracting the elapsed time from the inspection time limit 3 to the present time. The expected inspection time calculation unit 41 calculates the remaining inspection time limit as “10,000 seconds−638 seconds = 9,362 seconds”. Next, the expected inspection time calculation unit 41 subtracts the expected specification arrival time from the remaining inspection time limit, and determines whether the expected specification arrival time has exceeded the remaining inspection time limit. As shown in FIG. 12, the predicted inspection time calculation unit 41 determines that the expected specification arrival time exceeds the remaining inspection limit time because “9,362 seconds−16,326 seconds = −6,964 seconds”. Thereby, the expected examination time calculation unit 41 determines that the examination is not completed within the examination time limit 3 at this time. Along with the determination result, the expected inspection time calculation unit 41 outputs an inspection completion failure notification to the inspection control unit 12. In addition, the calculation method for determining whether the expected arrival time exceeds the remaining inspection limit time by the expected inspection time calculation unit 41 is not limited to this example.

  FIG. 13 is a graph of FIG. In FIG. 13, the vertical axis represents the search time, and the horizontal axis represents the search depth. “A” indicates the actual search time for each search depth n. Referring to “A”, it can be confirmed that the actual search time increases exponentially as the search depth n increases. “B” represents the expected search time at each remaining search depth calculated at the search depth n = 7. Similarly, “C” indicates the estimated search time at each remaining search depth, calculated at search depth n = 6, “D” at search depth n = 4, and “E” at search depth n = 2. ing. The predicted examination time calculation unit 41 can confirm that the predicted search time is calculated to be shorter than the actual search time of “A” at each search depth n from “B” to “D”. By using Equation 6 in FIG. 11, it is possible to prevent an inspection that is completed within the time limit from being erroneously determined as an inspection that is not completed within the time limit.

(Description of storage device)
Next, the storage device 20 will be described. The storage device 20 includes a state transition model storage unit 21, a symbol model storage unit 22, a shortest search depth storage unit 23, and a search time storage unit 24.

  First, the state transition model storage unit 21 will be described. The state transition model storage unit 21 stores the state transition model output by the state transition model creation unit 31 of the depth calculation unit 30. The state transition model storage unit 21 outputs a state transition model in response to a request from the shortest depth calculation unit 32.

  Next, the symbol model storage unit 22 will be described. The symbol model storage unit 22 stores the symbol model output from the symbol model creation unit 11 of the inspection processing unit 10. The symbol model storage unit 22 outputs a symbol model in response to a request from the inspection control unit 12.

  Next, the shortest search depth storage unit 23 will be described. The shortest search depth storage unit 23 stores the shortest search depth N output from the shortest search depth calculation unit 32 of the depth calculation unit 30. The shortest search depth storage unit 23 outputs the shortest search depth N in response to a request from the predicted examination time calculation unit 41.

  Next, the search time storage unit 24 will be described. The search time storage unit 24 stores the search time at the search depth n output from the reachability test unit 13 of the test processing unit 10 in association with the search depth n. The search time storage unit 24 outputs the search time at the search depth n in response to a request from the expected examination time calculation unit 41.

The above is the description of the configuration in this embodiment.
The state transition model creation unit 31 creates a state transition model based on the inspection target program 1 and the inspection specification 2. The shortest search depth calculation unit 32 calculates the shortest search depth N based on the state transition model. By calculating the shortest search depth N, it is possible to determine to what search depth the inspection is completed by performing the inspection.
Further, the reachability checking unit 13 outputs the search time for each search depth every time the search depth n is completed. The expected inspection time calculation unit 41 calculates the expected arrival time based on the search time for each search depth. The predicted inspection time calculation unit 41 can calculate an appropriate specification arrival predicted time using Equation 6 in FIG.
In addition, the expected inspection time calculation unit 41 calculates the elapsed time from the start of the inspection by adding the search times for each search depth. The expected inspection time calculation unit 41 subtracts the elapsed time from the start of the inspection from the inspection time limit 3 to obtain the remaining inspection time limit. The predicted inspection time calculation unit 41 can easily determine whether or not the inspection can be completed within the inspection time limit 3 by subtracting the specification arrival prediction time from the remaining inspection time limit.
As a result, if it is determined that the inspection is not completed within the inspection time limit 3, it is possible to end the inspection at that time, and it is found that the inspection is not completed only after the inspection time limit 3 has elapsed. It becomes possible to prevent the state.

[Description of operation]
Next, the operation in this embodiment of the present invention will be described with reference to FIG. FIG. 14 shows an operation method in this embodiment of the present invention. In FIG. 14, Step A01 to Step A07 are the same as the operation method of the conventional model checking apparatus described above. Steps B01 to B08 are operation methods unique to this embodiment.

(Step B01)
The state model creation unit 31 of the depth calculation unit 30 reads the inspection target program 1 and the inspection specification 2 and creates a state transition model. The state model creation unit 31 stores the created state transition model in the state transition model storage unit 21 of the storage device 20. The state model creation command may be input from the outside or from the inspection control unit 12. In this embodiment, there is no particular limitation on the operation subject and the operation method that output the state model creation command.

(Step B02)
The shortest search depth calculation unit 32 of the depth calculation unit 30 reads the state transition model from the state transition model storage unit 21 of the storage device 20. The shortest search depth calculation unit 32 obtains the shortest search depth N from the initial state to the arrival state indicated by the inspection specification 2 in the state transition model. The shortest search depth calculation unit 32 stores the obtained shortest search depth N in the shortest search depth storage unit 23 of the storage device 20.

(Step A01)
The symbol model creation unit 11 of the inspection processing unit 10 inputs the inspection target program 1 and the inspection specification 2 from the outside. The symbol model creation unit 11 creates a symbol model based on the inspection target program 1 and the inspection specification 2. The symbol model creation unit 11 stores the created symbol model in the symbol model storage unit 22 of the storage device 20. The symbol model creation command may be input from the outside or from the inspection control unit 12. In this embodiment, there is no particular limitation on the operation subject and the operation method for outputting the symbol model creation command.

(Step A02)
The inspection control unit 12 of the inspection processing unit 10 inputs the inspection time limit 3 from the outside. The inspection control unit 12 reads a symbol model from the symbol model storage unit 22 of the storage device 20. The inspection control unit 12 instructs the reachability inspection unit 13 to execute the inspection so that the inspection whether the inspection target program 1 satisfies the inspection specification 2 is executed in the inspection time limit 3. In this embodiment, it is assumed that an inspection start command to the inspection control unit 12 is input from the outside. In this embodiment, there is no particular limitation on the operation subject and operation method for outputting the inspection start command.

(Step A03)
The reachability inspection unit 13 sets the search depth n = 0 as an initial state at the start of the inspection inspection in accordance with the inspection execution instruction from the inspection control unit 12.

(Step A04)
The reachability checking unit 13 checks whether or not the arrival state set I of the inspection specification 2 is included in each state that can be reached by the state transition of the search depth n from the initial state set V0. In addition, the reachability inspection unit 13 starts measuring the elapsed time of the inspection simultaneously with the start of the inspection. The reachability inspection unit 13 ends the inspection when the elapsed time from the start of the inspection reaches the inspection limit time 3. Furthermore, the reachability inspection unit 13 measures the search time for each search depth n when the inspection is started.

(Step A05)
The reachability checking unit 13 determines whether or not the reachable state set I is included in the state transition from the initial state set V0 to the search depth n. If the reaching state set I is included in the search depth n, the process proceeds to step A06. If the reaching state set I is not included in the search depth n, the process proceeds to step B03.

(Step A06)
When the arrival state set I is included at the search depth n, the reachability checking unit 13 records that the inspection target program 1 satisfies the inspection specification 2 in the inspection result 5 and outputs it to the inspection result output unit 14 To do. The inspection result output unit 14 inputs the inspection result 5 and outputs the inspection result 5 to the outside. The reachability inspection unit 13 notifies the inspection control unit 12 of the completion of the inspection of the inspection target program 1 and completes the inspection.
Further, when it is determined that the inspection is not completed within the inspection time limit 3 and the inspection is terminated, the reachability inspection unit 13 displays the inspection result 5 in which the inspection is completed due to the notification of the completion of the inspection not being completed. 14 to output. The inspection result output unit 14 inputs the inspection result 5 and outputs the inspection result 5 to the outside. The reachability inspection unit 13 notifies the inspection control unit 12 of the completion of the inspection of the inspection target program 1 and completes the inspection.

(Step B03)
Each time the inspection at the search depth n is completed, the reachability inspection unit 13 saves the set of the time required for searching the search depth n and the search depth n in the search time storage unit 24 of the storage device 20.

(Step B04)
The expected examination time calculation unit 41 of the time calculation unit 40 stores the search time for each search depth n from the search depth n = 0 to the search depth n stored in the search time storage unit 24 of the storage device 20 and the shortest. The shortest search depth N stored in the search depth storage unit 23 is read, and the search time for each predicted depth at each search depth from the search depth n + 1 to the shortest search depth N is calculated based on Expression 6 in FIG. .

(Step B05)
The predicted inspection time calculation unit 41 calculates the specification arrival expected time by taking the sum of the search time by predicted depth at each search depth from the search depth n + 1 to the shortest search depth N.

(Step B06)
The expected inspection time calculation unit 41 calculates the elapsed time from the start of the inspection by summing the search times for each search depth from the search depth 0 to the search depth n. The expected inspection time calculation unit 41 calculates the remaining inspection time limit obtained by subtracting the elapsed time from the start of the inspection from the inspection time limit 3. The expected inspection time calculation unit 41 subtracts the expected specification arrival time from the remaining inspection time limit, and determines whether the expected specification arrival time exceeds the remaining inspection time limit. As a result of the determination, if the expected specification arrival time exceeds the remaining inspection time limit, the predicted inspection time calculation unit 41 determines that the inspection is not completed within the inspection time limit 3, and proceeds to step B07. If the specification arrival prediction time does not exceed the remaining inspection limit time, the inspection is continued, and the process proceeds to step A07.

(Step A07)
When the reach state set I is not included in the search depth n, the reachability check unit 13 sets the search depth n = n + 1 and returns to step A04 to continue the check.

(Step B07)
The expected inspection time calculation unit 41 determines that the inspection is not completed within the inspection time limit 3, and outputs an inspection completion failure notification to the inspection control unit 12 of the inspection processing unit 10. The inspection control unit 12 inputs the inspection completion failure notification output from the predicted inspection time calculation unit 41 and instructs the reachability inspection unit 13 to end the inspection. The reachability inspection unit 13 inputs an instruction to end the inspection from the inspection control unit 12 and ends the inspection. The predicted inspection time calculation unit 41 proceeds to step A06 in order to output the inspection result 5.

The above is the description of the operation method in this embodiment. Thus, every time the reachability inspection unit 13 completes the inspection at the search depth n, the expected inspection time calculation unit 41 determines whether or not the inspection is completed within the inspection time limit 3. Even without waiting until the inspection time limit 3 elapses, it is possible to detect that the inspection is not completed within the inspection time limit 3. As a result, the model inspection time control device does not need to continue the inspection until the inspection time limit 3 is used up, and therefore the inspection efficiency can be improved.
In addition, every time the reachability check unit 13 completes the inspection at the search depth n, the search time at the search depth n is stored in the search time storage unit 24, and the predicted inspection time calculation unit 41 is stored in the search time storage unit 24. Based on the difference between the saved search time of the search depth n and the search time of the search depth n-1, the expected arrival time of the specification is calculated. It is possible to prevent erroneous determination that the inspection is not completed within the time limit 3.

  The above is the description of this embodiment of the present invention. According to the present invention, it is possible to detect that the inspection of the inspection target program 1 is not completed at the inspection time limit 3 assigned to the inspection target program 1 before the inspection limit time elapses and to end the inspection. Therefore, it is possible to prevent a state in which the inspection of the inspection target program 1 is not completed even if the inspection time limit 3 is used up, and to increase the time required for the inspection.

It is a block diagram showing the structure of the conventional model inspection apparatus. It is a figure of the example of the test object program. It is a figure of the example of the inspection specification. It is a block diagram of each structure part in the conventional model inspection apparatus. It is a figure of the symbol model of Kripke structure created from inspection object program 1 and inspection specification 2. FIG. 6 is a state transition diagram created from the symbol model of the Kripke structure in FIG. 5. It is a flowchart of the operation | movement method in the conventional model check apparatus. It is a block diagram showing the structure of the model check time control apparatus of this invention. It is a block diagram of each component in the model check control device of the present invention. It is a state transition diagram showing the inspection target program 1 in a control flow graph. It is a figure showing the calculation formula of estimated search time in this invention. 12 is a table in which an expected search time and an expected specification arrival time are calculated for each search depth using the calculation formula of FIG. 11 in the present invention. It is a graph showing the relationship between search depth and search time in the present invention. It is a flowchart of the operation | movement method in the model check time control apparatus of this invention.

Explanation of symbols

DESCRIPTION OF SYMBOLS 1 Inspection object program 2 Inspection specification 3 Inspection time limit 5 Inspection result 10 Inspection processing part 11 Symbol model creation part 12 Inspection control part 13 Reachability inspection part 14 Inspection result output part 20 Storage device 21 State transition model storage part 22 Symbol model Storage unit 23 Shortest search depth storage unit 24 Search time storage unit 30 Depth calculation unit 31 State transition model creation unit 32 Shortest search depth calculation unit 40 Time calculation unit 41 Predictive examination time calculation unit 100 Processing unit 200 Storage unit 300 Input unit 400 Output 500 communication unit

Claims (19)

Among search depths representing the number of times the executable statement of the program to be examined is executed, the shortest search depth required to change the state from the initial state of the program to a specification satisfaction state indicating that the inspection specification of the program is satisfied A shortest search depth calculation unit for calculating
In the program, an inspection is performed to determine whether it is possible to change the state to the specification satisfaction state for each search depth, and the inspection time by depth required for the inspection at each of the search depths is output. Sex testing department;
Each time the reachability inspection unit completes the inspection for each search depth, it includes an expected inspection time calculation unit that calculates an expected arrival time for specifications that is an expected time required to complete the inspection up to the shortest search depth. ,
The reachability inspection unit is an inspection time control device that terminates the inspection halfway when the expected remaining time of the specification exceeds the remaining remaining inspection time limit of the inspection time limit for the inspection of the program. The inspection time control device according to claim 1,
The expected inspection time calculation unit calculates a search time for each expected depth that is expected to be required for the inspection for each of the search depths from which the inspection is to be performed, and totals the search time for each expected depth, Inspection time control device that calculates expected specification arrival time. The inspection time control device according to claim 2,
The predicted inspection time calculation unit is an inspection time control device that calculates the predicted depth-specific search time based on the depth-specific search time. The inspection time control device according to claim 2 or claim 3, wherein
When the reachability checking unit completes the inspection at the search depth n of the search depth, the expected inspection time calculation unit is configured to search the depth of search of the search depth n and the search depth of the search depth. The inspection time control apparatus which calculates the search time classified by said prediction depth based on the difference with the search time classified by n-1 depth. An inspection time control device according to any one of claims 2 to 4,
The predicted inspection time calculation unit calculates a search depth x for calculating the search time according to the predicted search depth, the search time g (x) according to the predicted depth of the search depth x, and the search time according to the depth f ( i)
g (x) = {f (n) -f (n-1)} * (xn) + f (n)
The inspection time control device which calculates the search time according to the expected depth based on the above. An inspection time control device according to any one of claims 1 to 5,
The expected inspection time calculation unit, when the reachability inspection unit completes the inspection at the search depth n, calculates the total time of the inspection times by depth from the search depth 0 to the search depth n. An inspection time control device for calculating the remaining inspection time limit by subtracting from the time. An inspection time control device according to any one of claims 1 to 6,
Based on the program and the inspection specification, further comprising a state transition model creating unit that creates a state transition model from the initial state of the program to the specification satisfaction state,
The shortest search depth calculation unit is an inspection time control device that calculates the shortest search depth based on the state transition model. The inspection time control device according to claim 7,
The shortest search depth calculation unit treats the state transition model as a directed graph that does not consider conditional branching in each state, and obtains the number of state transitions on the shortest path from the initial state to the specification satisfaction state. The inspection time control apparatus which calculates the said shortest search depth by. An inspection time control device according to any one of claims 1 to 8,
A storage device for storing the state transition model, the shortest search depth, and the search time by depth;
The shortest search depth calculation unit calculates the shortest search depth based on the state transition model stored in the storage device,
The expected inspection time calculation unit is an inspection time control device that calculates the expected specification arrival time based on the shortest search depth and the search time by depth stored in the storage device. Among search depths representing the number of times the executable statement of the program to be examined is executed, the shortest search depth required to change the state from the initial state of the program to a specification satisfaction state indicating that the inspection specification of the program is satisfied Shortest search depth calculation step for calculating
In the program, a test execution step for performing a test of whether or not it is possible to transition the state to the specification satisfaction state for each search depth;
An inspection time output step by depth for outputting an inspection time by depth required for the inspection at each of the search depths;
Each time the reachability inspection unit completes the inspection for each search depth, an expected time calculation step of calculating a specification arrival time that is an expected time required to complete the inspection to the shortest search depth;
The reachability inspection unit includes an inspection ending step for ending the inspection halfway when the remaining expected time limit for the inspection exceeds the remaining inspection time limit of the inspection time limit for the inspection of the program. An inspection time control method provided. The inspection time control method according to claim 10, wherein the expected time calculation step includes:
A depth-specific search time calculation step for predicting that the inspection is required for each of the search depths from which the inspection is to be performed;
An inspection time control method comprising: a search time by depth step for calculating the expected arrival time by adding the search times by expected depth. The inspection time control method according to claim 11, wherein the depth-specific search time calculation step includes:
An inspection time control method comprising: calculating the search time for each predicted depth based on the search time for each depth. The inspection time control method according to claim 11 or 12, wherein the search time calculation step for each depth includes:
When the reachability inspection unit completes the inspection at the search depth n of the search depths, the search time by the depth of the search depth n and the search time by the depth of the search depth n-1 of the search depths An inspection time control method including a step of calculating the search time for each predicted depth based on a difference between the search time and the expected depth. The inspection time control method according to any one of claims 11 to 13, wherein the search time calculation step for each depth includes:
As the search depth x for calculating the search time by the expected search depth, the search time by the expected depth of the search depth x, g (x), and the search time by depth f (i) at the search depth i,
g (x) = {f (n) -f (n-1)} * (xn) + f (n)
An inspection time control method including the step of calculating the search time for each predicted depth based on the above. The inspection time control device according to any one of claims 10 to 14, wherein the inspection end step includes:
When the reachability inspection unit completes the inspection at the search depth n, the remaining time is obtained by subtracting, from the inspection control time, the total time of the inspection times by depth from the search depth 0 to the search depth n. An inspection time control method including a step of calculating an inspection time limit. The inspection time control method according to any one of claims 10 to 15, wherein the shortest search depth calculation step includes:
Creating a state transition model from the initial state of the program to the specification satisfaction state based on the program and the inspection specification;
An inspection time control method comprising: calculating the shortest search depth based on the state transition model. The inspection time control method according to claim 16, wherein the step of calculating the shortest search depth based on the state transition model includes:
Treat the state transition model as a directed graph that does not consider conditional branching in each state, and calculate the shortest search depth by obtaining the number of state transitions in the shortest path from the initial state to the specification satisfaction state An inspection time control method including steps. An inspection time control method according to any one of claims 10 to 17,
The shortest search depth calculation step includes:
Storing the state transition model in a storage device;
Calculating the shortest search depth based on the state transition model stored in the storage device;
Storing the shortest search depth in the storage device;
The inspection execution step includes:
Storing the search time by depth in the storage device;
The expected specification arrival time calculating step includes:
An inspection time control method, further comprising: calculating the expected specification arrival time based on the shortest search depth and the search time by depth stored in the storage device. A computer program for realizing the inspection time control method according to any one of claims 10 to 18.

Images