JP2010140084A - Device for inspection model generation, device for model inspection, and method for inspection model generation - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a device for inspection model generation, generating a state transition model capable of reducing the occurrence of state explosion when executing model inspection. <P>SOLUTION: The device for inspection model generation is provided with: a model input part 20 for inputting a state transition model; a preliminary list generation part 21 for generating a preliminary transition list associating transitions for every event; a contraction list generation part 22 for retrieving a preliminarily transition list, for summarizing different events as one event group when transitions caused by the events are the same, and for generating a contraction transition list associating the summarized event group with the transitions caused by the events belonging to the event group; and a code conversion part 23 for converting model codes for inspection from the contraction transition list, and for generating model codes for inspection whose number of transition is smaller than that in the case of directly converting the model codes for inspection from the preliminary list. <P>COPYRIGHT: (C)2010,JPO&INPIT

Description

  The present invention relates to an inspection model generation device, a model inspection device, and an inspection model generation method, and in particular, an inspection model generation device represented as a state transition model, and a model inspection device that inspects a generated inspection model And an inspection model generation method.

  Today, as software has become more complex, it is becoming easier for errors to be introduced not only in the software itself, but also in the system specifications that form the basis of software creation. In addition, as system specifications become more complex, it is becoming difficult for human hands to verify system specifications. Errors that have no experience or knowledge are difficult to detect, and errors that are discovered in subsequent processes are costly to remove. For this reason, a system for comprehensively verifying system specification errors without human assistance as much as possible and removing errors at an early stage has become indispensable.

  A method called model checking is a method for proving the correctness of specifications by expressing system specifications in a state transition model and describing verification conditions in a logical expression and verifying whether the state transition model satisfies the logical expression. Known (Patent Documents 1, 2, etc.).

Moreover, although the state transition model can be represented as a state transition table, Patent Document 2 summarizes the pre-transition states in which all the input, output, and post-transition states are the same in the state transition table, There has been disclosed a technique for reducing the trouble of creating a state transition table by entering this as a group in a state transition table.
JP 2007-11605 A Japanese Patent Laid-Open No. 03-19086

  In model checking, a system specification described as a state transition model and a check expression described in a temporal logic formula are input to a model checking device, and the operation of the state transition model (ie, system specification) is expressed by a check formula. Examine comprehensively whether the verification condition is satisfied. When an operation (state, event, etc.) that does not satisfy the verification condition is detected, the operation is output as a “counterexample” from the model checking apparatus. When a counterexample is detected, a series of operations immediately before reaching the counterexample is also output as log data. By analyzing counter examples and log data output from the model checking device, it is possible to efficiently find and repair system specification errors.

  In general, in model checking, it is determined whether or not a check condition is satisfied by exhaustively searching for combinations of state transitions. For this reason, when the system specification is mechanically replaced with a state transition model, the combination of state transitions at the time of inspection becomes enormous, and an event called state explosion may occur and a situation may occur where the inspection does not converge.

  The present invention has been made in view of the above circumstances, and an inspection model generation device, a model inspection device, and an inspection model generation method capable of generating a state transition model capable of reducing the occurrence of a state explosion during model inspection The purpose is to provide.

  In order to solve the above problem, an inspection model generation device according to the present invention includes a model input unit that inputs a state transition model including at least a transition defined by a pre-transition state and a post-transition state, and an event that causes the transition; The preliminary transition list that associates the transition for each event is generated from the input state transition model, and the preliminary transition list is searched, and even if the event is different, the transition caused by the event When the two events are the same, the different events are aggregated as one event group, and a reduced transition list that associates the aggregated event group with transitions caused by events belonging to the event group is generated from the preliminary transition list. A contracted list generation unit that performs the test By conversion to de, characterized by comprising a code converting unit that generates less the testing model code of the number of transitions than to convert a test model cord directly from the preliminary list.

  In the model checking apparatus according to the present invention, the state transition model including at least the transition defined by the pre-transition state and the post-transition state, and the event that causes the transition, and the check condition are expressed by a temporal logic formula. An input unit for inputting a check expression, a preliminary transition list for associating the transition for each event, a preliminary list generation unit for generating the input from the state transition model, and the preliminary transition list are searched for different events. However, if the transitions caused by the event are the same, the different events are aggregated as one event group, and the reduced transition list associating the aggregated event group with the transitions caused by the events belonging to the event group Is generated from the preliminary transition list, and the contracted transition list is generated. A code conversion unit for generating the test model code having a smaller number of transitions than converting the test model code directly from the preliminary list by converting the test model code to the test model code, and a state in the test model code Inspecting whether or not a transition satisfies the inspection condition based on the inspection formula, and when a state transition that does not satisfy the inspection condition is detected in the state transition, the state transition is output as counterexample data. And a model checking unit that outputs a transition sequence leading to the state transition as log data.

  The inspection model generation method according to the present invention inputs a state transition model including at least a transition defined by a pre-transition state and a post-transition state and an event that causes the transition, and associates the transition for each event. A preliminary transition list is generated from the input state transition model, the preliminary transition list is searched, and even when different events occur, if the transition caused by the event is the same, the different events are grouped into one event group. A reduced transition list that associates the event group thus aggregated with transitions caused by events belonging to the event group is generated from the preliminary transition list, and converted from the reduced transition list to a model code for inspection To convert the model code for inspection directly from the preliminary list. It generates less the test model code for the number of transitions than, and comprising the steps.

  According to the inspection model generation device, the model inspection device, and the inspection model generation method according to the present invention, it is possible to generate a state transition model that can reduce the occurrence of a state explosion during model inspection, thereby improving the efficiency of model inspection. Can be improved.

  Embodiments of an inspection model generation device, a model inspection device, and an inspection model generation method according to the present invention will be described with reference to the accompanying drawings.

(1) First Embodiment FIG. 1 is a diagram schematically showing an operation concept of a general model checking apparatus. The system specification can be expressed as a state transition model, and can be expressed by a state that the system can take, an event that causes a state transition, and a guard condition. The state transition model can be described as model data in a predetermined model description language, and this model data is input to the model checking apparatus as a check target.

  On the other hand, an inspection condition for determining whether or not the system specification satisfies a predetermined inspection condition is input to the model checking apparatus as an inspection formula described in a predetermined language.

  In the model checking device, it is determined whether or not the checking formula is satisfied for all combinations of state transitions that the model data can take. When a state that does not satisfy the check expression is found, the state is output from the model checking device as a counter example. Also, the process to reach that state is output as log data. Counterexamples and log data are the test results of the model checking device.

  As described above, in model checking, it is determined whether or not a check condition is satisfied by exhaustively searching for a combination of state transitions. For this reason, when the system specification is mechanically replaced with a state transition model, the number of combinations of state transitions at the time of inspection becomes enormous, and an event called state explosion occurs and the inspection does not converge.

  The model checking apparatus 1 according to the present embodiment is configured to reduce the occurrence of such a state explosion. More specifically, the inspection model generation device 2 included in the model inspection device 1 analyzes the input state transition inspection model (preliminary transition list described later), and determines the state transition determined to be redundant from the viewpoint of inspection. The contract is converted into a model with a small number of transitions (contracted transition list described later). Then, model explosion is performed on a model with a reduced number of transitions to reduce the occurrence of state explosion.

  FIG. 2 is a block diagram illustrating a configuration example of the model checking device 1 and the checking model generation device 2 according to the present embodiment.

  The model checking device 1 includes a checking model generation device 2, a checking expression input unit 10, a model checking unit 11, and the like.

  The inspection model generation apparatus 2 includes a model input unit 20, a preliminary list generation unit 21, a contracted list generation unit 22, a code conversion unit 23, and the like.

  Of the model checking apparatus 1 configured as described above, the operation of the check model generating apparatus 2 will be described based on the flowchart shown in FIG.

  In step ST1, a state transition model, variables used for inspection, and the like are input. The state transition model input here is a state transition specification, and the expression form of the state transition specification is not particularly limited. For example, in addition to a state transition table that expresses state transitions in the form of a table, an operation specification that can be expressed by state transitions, such as a state transition diagram in which the state before transition and the state after transition are clearly indicated by a path with arrows, etc. Can be input in any language or format.

  The variable used for inspection is a variable that is assigned to a state or event used during inspection or a variable that is directly related to state transition among variables appearing in the state transition specification. The variable directly related to the state transition is, for example, a variable assigned to the flag when it is necessary to check the flag at the time of transition.

  The state transition model, variables used for inspection, and the like are input from the model input unit 20 of the inspection model generation device 2. The model input unit 20 is a user interface of a computer, for example, and is an apparatus including input / output devices such as a keyboard and a display device.

  In step ST2, a preliminary transition list representing a state transition before contraction is generated from the input state transition model and variables used for inspection. The preliminary transition list is generated by the preliminary list generation unit 21 of the inspection model generation device 2.

  The preliminary transition list is a list that associates an event and a transition (a pair of a normal state before the transition and a state after the transition) that is generated by the event for each event.

  FIG. 4A is a diagram showing an example of a preliminary transition list expressed in the form of a state transition table. In the top row of the preliminary transition list, the state before transition appearing in the state transition model is arranged. In the example of FIG. 4A, four states S1, S2, S3, and S4 are arranged.

  On the other hand, events that cause transitions in the state transition model are arranged in the leftmost column of the preliminary transition list. In the example of FIG. 4A, four events E1, E2, E3, E4, and E5 are arranged.

  The post-transition state is arranged in the central cell of the preliminary transition list. In addition, the hatched cells indicate that no state transition occurs.

  Now, if the transition from the state Sn to the state Sm is described as (Sn → Sm), the preliminary transition list illustrated in FIG. 4A is (S1 → S4), (S2 → S3) depending on the event E1. ) And three transitions (S4 → S2) occur.

  Similarly, two transitions of (S2 → S1) and (S3 → S1) occur by the event E2, two transitions of (S2 → S1) and (S3 → S1) occur by the event E3, and (S1 This indicates that two transitions of (S4) and (S4 → S2) occur, and three transitions of (S2 → S1), (S3 → S1), and (S4 → S2) occur due to the event E5.

  In this way, the preliminary transition list generated in step ST2 is input to the contracted list generating unit 22 of the inspection model generating device 2, and a contracted transition list is generated from the preliminary transition list. FIG. 4B is a diagram illustrating a contracted transition list corresponding to the example of the preliminary transition list in FIG.

  As can be seen by comparing FIG. 4A and FIG. 4B, in the contracted transition list, when there are a plurality of events that cause the same transition, these events are aggregated and grouped. For example, since the same transition (S2 → S1) and the same transition (S3 → S1) occur due to the events E2, E3, and E5, the events E2, E3, and E5 are combined into one event group (E2, E3, E5). Aggregated. Similarly, since the same transition (S1 → S4) and the same transition (S4 → S2) occur due to the event E1 and the event E4, the event E1 and the event E4 are aggregated into one event group (E1, E4).

  On the other hand, since the event that causes the transition (S2 → S3) is only E1, the event E1 corresponding to the transition (S2 → S3) remains associated with only the transition (S2 → S3). Similarly, since only the event that causes the transition (S4 → S2) is E5, only the event E5 and the transition (S4 → S2) corresponding to the transition (S4 → S2) are left in association with each other.

  Steps ST3 to ST9 of the flowchart (FIG. 4) show a specific example of a procedure for generating a reduced transition list from the preliminary transition list.

  In step ST3, the number of transition matches is compared for each event. For example, first, the number of transition matches is compared between the event E1 and the event E2. As described above, the transitions caused by the event E1 are (S1 → S4), (S2 → S3), and (S4 → S2), and the transitions caused by the event E2 are (S2 → S1) and (S3 → S1). Therefore, the number of transition matches between event E1 and event E2 is zero (NO in step ST4).

  Therefore, the process returns to step ST3 via step ST8, and the number of transition matches is compared between the event E1 and the next event E3. Also in this case, since there is no matching transition, the number of transition matches is further compared between the event E1 and the next event E4.

  Transitions caused by the event E4 are (S1 → S4) and (S4 → S2). These two transitions are both transitions caused by the event E1, and the number of transition matches between the event E1 and the event E4 is 2 (1 or more) (YES in step ST4), and the process proceeds to step ST5.

  In step ST5, it is determined whether or not all transitions match between event E1 and event E2. In this example, the transitions that occur at event E1 are (S1 → S4), (S2 → S3), and (S4 → S2), and the transitions that occur at event E4 are (S1 → S4) and (S4 → S2). ), All transitions do not match (NO in step ST5). Therefore, the process proceeds to step ST7.

  In step ST7, events with matching transitions are aggregated as an event group, and events that do not match leave only the transitions that do not match in association with each other.

  In this example, regarding the two transitions of transition (S1 → S4) and transition (S4 → S2), event E1 and event E4 match, and events E1 and E4 are aggregated as event groups (E1 and E4). (Step ST6).

  On the other hand, regarding the transition of the event E1 (S2 → S3), the event E1 and the event E4 do not coincide with each other, so the event E1 in which only the transition (S2 → S3) is associated is left.

  Subsequently, the number of matching transitions is compared between this event E1 and the next event E5. However, since there is no matching transition, the processing proceeds to the next event comparison without aggregating the events.

  In the next event comparison, event E2 and event E3, event E2 and event E4, and event E2 and event E5 are sequentially compared.

  Between the event E2 and the event E3, the number of matches of the transitions (S2 → S1) and (S3 → S1) caused by the event E2 and the transitions (S2 → S1) and (S3 → S1) caused by the event E3 is 2. Yes (YES in step ST4), and all transitions match (YES in step ST5). Therefore, the event E2 and the event E3 are aggregated as an event group (E2, E3) with respect to the transitions (S2 → S1) and (S3 → S1).

  There is no matching transition between event E2 and event E4. On the other hand, all transitions ((S2 → S1), (S3 → S1)) match between the event E2 and the event E5, and the event E2 and the event E5 are aggregated as an event group (E2, E5). can do. Furthermore, since all transitions ((S2 → S1), (S3 → S1)) match between the event group (E2, E3) and the event group (E2, E5), these three Events E2, E3, E5 are aggregated as one event group (E2, E3, E5).

  Such processing is repeated until all event comparisons are completed (step ST8). As a result, when there are a plurality of events that cause the same transition, these events are grouped and aggregated, and a reduced transition list (FIG. 4B) with a reduced number of transitions is generated (step ST9). ).

  A comparison between the preliminary transition list (FIG. 4A) and the contracted transition list (FIG. 4B) shows that the number of transitions is greatly reduced from 12 to 6.

  The generated reduced transition list is output to the code conversion unit 23 of the inspection model generation device 2. The code conversion unit 23 converts the reduced transition list into a model checking description language (reduced checking model code) using a known checking model description language conversion tool (step ST10).

  Further, the contracted transition list may be output as a contracted state transition table to a display device provided in the model checking apparatus 1, an external printer, or the like.

  The reduced model code for inspection is input to the model checking unit 11 of the model checking apparatus 1. On the other hand, an inspection expression for inspecting whether or not the inspection model code satisfies a predetermined inspection condition is input from the inspection expression input unit 10 of the model inspection apparatus 1 and further input to the model inspection unit 11. The model checking unit 11 checks whether or not the state transition in the contracted test model code satisfies the check condition based on the check expression, and detects a state transition that does not satisfy the check condition in the state transition Outputs the state transition as counterexample data, and outputs the transition sequence leading to the state transition as log data.

  FIG. 5A shows the state transition model before contraction corresponding to the preliminary transition list in the form of a state transition diagram, and the transition directions of the states S1, S2, S3, and S4 have arrows. Each event E1 to E5 that is indicated by a path and causes a transition is attached to each path.

  On the other hand, FIG. 5B represents the state transition model after contraction corresponding to the contraction transition list in the form of a state transition diagram. One path corresponds to each of the aggregated event groups (E1, E4) and (E2, E3, E5), and the number of paths (that is, the number of transitions) is 12 from FIG. 5A. It has decreased to 6.

  In the state transition model before contraction shown in FIG. 5A, a plurality of paths having different events are assigned to the same transition (for example, transition (S3 → S1)), whereas FIG. In the state transition model after reduction shown in (b), for the same transition (for example, transition (S3 → S1)), an aggregated event group (for example, event group (E2, E3, E5)) One path is assigned.

  In general, in model checking, it does not make much sense to check the same transition with different paths. As the number of paths to be checked increases, the amount of data required for checking and the time required for checking become longer.

  FIGS. 6A and 6B are examples in which the number of states when model checking is performed on the state transition model is indicated by an appropriate checking model code.

  In the model code for inspection before contraction (FIG. 6A), for example, the event E2, the event E3, and the event E5 are divided into cases, and all state transitions that can occur in each event are comprehensively covered. I will inspect it. Therefore, if the number of branches (that is, the number of events) increases, the number of states to be checked will increase rapidly, and in some cases, a state explosion event will occur, making it impossible to execute model checking. Sometimes it becomes.

  On the other hand, in the contracted model code for inspection (FIG. 6B), for one event group (E2, E3, E5) in which event E2, event E3, and event E5 are aggregated, Since only the state transitions that can occur in the event group (E2, E3, E5) need to be inspected, the number of states to be inspected is greatly reduced, and as a result, the occurrence of state explosion can be suppressed. .

  Performing model checking on the contracted model code for checking has the advantage of improving the analysis efficiency of counterexamples obtained by model checking, in addition to the above-described advantage of suppressing state explosion.

  When model checking is performed on the model code for checking before contraction, counterexamples are output for each of event A, event B, and event C as illustrated in FIG. For this reason, even if it is the same counterexample with respect to the same transition, it is output as another counterexample. As a result, it takes a long time to output all counter examples. In addition, since the user confirms and analyzes each counterexample that is output, the time required for the analysis also increases.

  On the other hand, when model checking is performed on the reduced model code for checking, as illustrated in FIG. 7B, for one aggregated event group (A, B, C). Produces one counterexample. As a result, the time until the counterexample is output is shortened, and the analysis time of the counterexample is also shortened.

(2) Second Embodiment Although a state transition is caused by the occurrence of an event, some action may also be caused at the same time. The type of action is not particularly limited, but is roughly divided into an action that affects the state transition itself and an action that does not affect the action. Hereinafter, an action that affects state transition is referred to as a “designated action”, and an action that does not affect the action is referred to as a “non-designated action”.

  In the first embodiment, even if a plurality of different events have the same transition caused by the events, the reduced state transition model ( A reduced transition list).

  On the other hand, in the second embodiment, a contracted state transition model (contracted transition list) is generated in consideration of an action caused at the time of a state transition due to an event. Specifically, in the second embodiment, when (a) the transition caused by the event is the same as the designated action associated therewith, (b) the transition caused by the event is the same and the action associated with the transition Is a non-designated action, or (c) if the transition caused by the event is the same and the transition does not involve an action, a plurality of different events are aggregated as one event group and reduced. A contracted state transition model (contracted transition list) is generated.

  FIG. 8A is a diagram illustrating an example of a preliminary transition list generated in the second embodiment.

  In the preliminary transition list in the second embodiment, for each event, a transition that occurs in the event and an action associated with the transition are associated with each other. In the example of FIG. 8A, for each event, a transition that occurs in the event and an action that accompanies the transition are associated with each other by variables shown in the upper and lower squares.

  In addition, the variable of each action can identify the variable of the designated action that affects the transition and the variable of the non-designated action that does not affect the transition. In the example of FIG. 8A, B1, B2, and B3 correspond to designated actions, and A1, A2, and A3 correspond to non-designated actions. Although there are transitions that do not involve an action, in FIG. 8A, the transitions that do not involve an action are indicated by hatched lines in the lower row.

  On the other hand, FIG. 8B is a diagram showing a reduced transition list generated from this preliminary transition list. In the second embodiment, when a transition is accompanied by a designated action, focusing on both the transition and the designated action, events having the same both transition and designated action are aggregated with respect to the transition and the designated action, and one event group is collected. And

  On the other hand, when the transition is accompanied by a non-designated action or not accompanied by an action, attention is paid only to the transition, and events having the same transition are aggregated with respect to the transition to form one event group.

  In the preliminary transition list illustrated in FIG. 8A, the transition (S2 → S3) and the designated action B3 are the same between the event E3 and the event E6, and the transition (S3 → S1) without an action is the same. The same. Therefore, in the contracted transition list shown in FIG. 8B, the event E3 and the event E6 are integrated into one event group (E3, E6). However, since the transition (S4 → S2) and the designated action B2 in the event E6 do not exist in the event E3, the event E6 is left as it is for the transition (S4 → S2) and the designated action B2.

  In the preliminary transition list illustrated in FIG. 8A, the transition (S2 → S1) and the transition (S3 → S1) are both the same between the event E2 and the event E5. Therefore, in the contracted transition list shown in FIG. 8B, the event E2 and the event E5 are aggregated into one event group (E2, E5). In this case, since the actions associated with these transitions are all non-designated actions (A1, A2, A3), the identity is determined only by the transitions ignoring these non-designated actions. However, since the transition (S4 → S2) and the designated action B1 in the event E5 do not exist in the event E2, the event E5 associated only with the transition (S4 → S2) and the designated action B1 remains.

  Similarly, the transition (S1 → S4) and the transition (S4 → S2) are the same between the event E1 and the event E4. Therefore, in the contracted transition list shown in FIG. 8B, the event E1 and the event E4 are aggregated into one event group (E1, E4). However, also in this case, since the transition (S2 → S3) and the designated action B1 in the event E1 do not exist in the event E4, the event E1 in which only the transition (S2 → S3) and the designated action B1 are associated is left. Yes.

  As a result of such event aggregation, the number of state transitions in the reduced transition list is reduced from 16 to 9.

  FIG. 9 is a flowchart illustrating an operation example of the inspection model generation device 2 according to the second embodiment.

  In step ST21, a variable assigned to an action associated with the transition is input in addition to the state transition model, the state, and the event variable.

  In step ST22, a preliminary transition list corresponding to FIG. 8A is generated from the input state transition model and variables. In the preliminary transition list according to the second embodiment, the event, the transition, and the action are associated with each event. In addition, a designated action that affects transition and a non-designated action that does not affect the action are identified.

  Steps ST23 to ST29 are processes for generating a contracted transition list from the preliminary transition list, and the content of the basic process is the same as in the first embodiment (step ST3 to step ST9 in FIG. 3). Detailed description will be omitted. However, in the flowchart shown in FIG. 9, a transition with a designated action is expressed as “transition with an action”, and a transition with an unspecified action or a transition without an action is simply expressed as “transition”. In contrast to the first embodiment, which concentrates events focusing only on the identity of transitions, the second embodiment reduces the scale by taking into account the actions caused during state transitions due to events. A contracted state transition model (contracted transition list) is generated. Specifically, in the second embodiment, (a) when the transition caused by the event is the same as the designated action associated therewith (when the “transition with action” is the same), (b) the transition caused by the event Are the same and the action associated with the transition is a non-designated action (if the "transition" is the same), or (c) the transition caused by the event is the same and the transition does not involve an action (When “transitions” are the same), a plurality of different events are aggregated as one event group to generate a reduced state transition model (reduced transition list).

  In the inspection model generation device 2 according to the second embodiment, it is possible to generate the inspection model code that suppresses the state explosion as in the first embodiment and improves the efficiency of counterexample analysis, Even when a transition is accompanied by an action, it is possible to generate an inspection model code in which the influence of the action on the transition is considered.

  Note that the present invention is not limited to the above-described embodiments as they are, and can be embodied by modifying the constituent elements without departing from the scope of the invention in the implementation stage. In addition, various inventions can be formed by appropriately combining a plurality of components disclosed in the embodiment. For example, some components may be deleted from all the components shown in the embodiment. Furthermore, the constituent elements over different embodiments may be appropriately combined.

The figure which shows the general operation | movement concept of a model checker. The block diagram which shows the structural example of the test | inspection model production | generation apparatus which concerns on embodiment of this invention, and a model inspection apparatus. 5 is a flowchart showing an example of a procedure for generating a test model code according to the first embodiment. The figure which shows an example of the preliminary transition list in the 1st Embodiment, and a contraction transition list. The figure which shows an example of the state transition model before reduction and the state transition model after reduction as a state transition diagram. The figure which shows an example of the state transition model before contraction, and the state transition model after contraction as a model code for inspection. The figure which shows the output example of the counter example at the time of performing a model check with respect to the state transition model before reduction and after reduction. The figure which shows an example of the preliminary transition list | wrist and a contraction transition list | wrist in 2nd Embodiment. 9 is a flowchart illustrating an example of a procedure for generating an inspection model code according to the second embodiment.

Explanation of symbols

DESCRIPTION OF SYMBOLS 1 Model test | inspection apparatus 2 Test | inspection model production | generation apparatus 10 Check type | formula input part 11 Model check part 20 Model input part 21 Preliminary list production | generation part 22 Reduction list production | generation part 23 Code conversion part

Claims (9)

A model input unit for inputting a state transition model including at least a transition defined by a pre-transition state and a post-transition state, and an event that causes the transition; and
A preliminary list generation unit that generates a preliminary transition list that associates the transition for each event from the input state transition model;
When the preliminary transition list is searched and the transitions caused by the events are the same even if they are different events, the different events are aggregated as one event group, and the aggregated event group and the event group are aggregated. A reduced list generating unit that generates a reduced transition list that associates a transition caused by an event that belongs to the preliminary transition list; and
A code conversion unit that generates the test model code having a smaller number of transitions than converting the test model code directly from the preliminary list by converting the contracted transition list into the test model code;
An inspection model generation device characterized by comprising: The contracted list generation unit includes:
The preliminary transition list is sequentially compared for each event,
When all the transitions associated with the events to be compared match, the events to be compared are aggregated as one event group,
When a part of the transition matches, each event related to the matching transition is aggregated as one event group, and each event related to the transition that does not match is left without being aggregated.
The inspection model generation apparatus according to claim 1. The state transition model is
If there is an action to be executed with the transition, including that action,
The preliminary list generation unit includes:
For each event, generate the preliminary transition list associating the transition with the action,
The contracted list generation unit includes:
The actions are classified into designated actions that are designated as affecting state transitions and other non-designated actions. Even if they are different events, (a) the transition caused by the event and the accompanying actions If the specified actions are the same, (b) the transition caused by the event is the same, and the action associated with the transition is the non-designated action, or (c) the transition caused by the event Are the same and the transition does not involve the action, the different events are aggregated as one event group,
The inspection model generation apparatus according to claim 1. A state transition model including at least a transition defined by a pre-transition state and a post-transition state, and an event that causes the transition, and an input unit that inputs a check expression in which a check condition is expressed by a temporal logic formula;
A preliminary list generation unit that generates a preliminary transition list that associates the transition for each event from the input state transition model;
When the preliminary transition list is searched and the transitions caused by the events are the same even if they are different events, the different events are aggregated as one event group, and the aggregated event group and the event group are aggregated. A reduced list generating unit that generates a reduced transition list that associates a transition caused by an event that belongs to the preliminary transition list; and
A code conversion unit for generating the test model code having a smaller number of transitions than converting the test model code directly from the preliminary list by converting the contracted transition list into the test model code;
Inspecting whether or not the state transition in the inspection model code satisfies the inspection condition based on the inspection formula, and when detecting a state transition that does not satisfy the inspection condition in the state transition, the state transition Is output as counterexample data, and a model checking unit that outputs a transition sequence leading to the state transition as log data;
A model checking apparatus characterized by comprising: The contracted model generation unit includes:
The preliminary transition list is sequentially compared for each event,
When all the transitions associated with the events to be compared match, the events to be compared are aggregated as one event group,
When a part of the transition matches, each event related to the matching transition is aggregated as one event group, and each event related to the transition that does not match is left without being aggregated.
The model checking apparatus according to claim 4, wherein The state transition model is
If there is an action to be executed with the transition, including that action,
The preliminary list generation unit includes:
For each event, generate the preliminary transition list associating the transition with the action,
The contracted list generation unit includes:
The actions are classified into designated actions that are designated as affecting state transitions and other non-designated actions. Even if they are different events, (a) the transition caused by the event and the accompanying actions If the specified actions are the same, (b) the transition caused by the event is the same, and the action associated with the transition is the non-designated action, or (c) the transition caused by the event Are the same and the transition does not involve the action, the different events are aggregated as one event group,
The model checking apparatus according to claim 4, wherein Input a state transition model including at least the transition defined by the pre-transition state and the post-transition state, and the event that causes the transition,
A preliminary transition list that associates the transition for each event is generated from the input state transition model,
When the preliminary transition list is searched and the transitions caused by the events are the same even if they are different events, the different events are aggregated as one event group, and the aggregated event group and the event group are aggregated. Generating a reduced transition list that associates transitions caused by the event to which it belongs, from the preliminary transition list;
Generating the test model code having a smaller number of transitions than converting the test model code directly from the preliminary list by converting the contracted transition list into the test model code;
An inspection model generation method comprising steps. In the step of generating the reduced transition list,
The preliminary transition list is sequentially compared for each event,
When all the transitions associated with the events to be compared match, the events to be compared are aggregated as one event group,
When a part of the transition matches, each event related to the matching transition is aggregated as one event group, and each event related to the transition that does not match is left without being aggregated.
The inspection model generation method according to claim 7. The state transition model is
If there is an action to be executed with the transition, including that action,
In the step of generating the preliminary transition list,
For each event, generate the preliminary transition list associating the transition with the action,
In the step of generating the reduced transition list,
The actions are classified into designated actions that are designated as affecting state transitions and other non-designated actions. Even if they are different events, (a) the transition caused by the event and the accompanying actions If the specified actions are the same, (b) the transition caused by the event is the same, and the action associated with the transition is the non-designated action, or (c) the transition caused by the event Are the same and the transition does not involve the action, the different events are aggregated as one event group,
The inspection model generation method according to claim 7.

Images