JP2013065258A - Information processor, information processing method and information processing program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide an information processor, an information processing method and an information processing program that can detect a fault related to processing after a loop after bounding loop processing.SOLUTION: The information processor includes: an input module 111 for receiving an input of an inspection target program; and a loop bounding module 113 for generating a bounding program to specify a repeated operand of the loop included in the inspection target program as a threshold or less from the inspection target program. The loop bounding module 113 changes whether or not the bounding program is generated to perform the processing after the loop in the inspection target program depending on whether or not a value is set to a variable referred in the loop processing and the subsequent processing.

Description

  Some embodiments according to the present invention relate to an information processing apparatus, an information processing method, and an information processing program.

  Conventionally, whether or not a program to be inspected satisfies a property to be inspected (hereinafter also referred to as a property) by using a model checking method without executing the program to be inspected (static There is a way to check). This check is called software model checking or modern model checking.

  Among the inspection methods used in this software model inspection, the bounded model checking method efficiently searches the finite state transition space with the search range bounded by limiting the search depth. It is a technique to do. The software model check using the bounded model check method is described in Non-Patent Document 1, for example.

Edmund Clarke et al., “Behavioral Consistency of C and Verilog Programs Using Bounded Model Checking”, Processeds of DAC2003, p. 368-p. 371

  However, the software model check described in Non-Patent Document 1 has a problem in that a process after the loop may not be searched after the process in the loop is executed a predetermined number of times.

  Some aspects of the present invention have been made in view of the above-described problems. An information processing device and an information processing device that can detect a defect related to processing after a loop while the loop processing is bounded. It is an object to provide a method and an information processing program.

  An information processing apparatus according to the present invention generates a bounded program for setting the number of repeated operations of a loop included in an inspection target program to be equal to or less than a threshold value from input means for receiving an input of the inspection target program and the inspection target program Generating means for performing the processing after the loop in the program to be inspected according to whether or not a value referred to in the loop and thereafter is set in the loop. Change whether to use a bounded program.

  An information processing method according to the present invention includes an input step of reading an inspection target program from a storage medium, and a bounded number for making the number of repeated operations of a loop included in the inspection target program equal to or less than a threshold from the inspection target program. A generation step for generating a program, and the generation step includes a step after the loop in the inspection target program depending on whether or not a value to be set in the loop is set to a variable referred to after the loop. Whether or not to use a bounded program that performs the above process.

  An information processing program according to the present invention is an information processing program for causing a computer to execute an information processing method. The information processing method includes an input step of reading an inspection target program from a storage medium, and the inspection target program. A generation step for generating a bounded program for setting the number of iterations of the loop included in the inspection target program to be equal to or less than a threshold value, and the generation step includes a variable referred to in the loop or later in the loop. Depending on whether or not a value is set, whether or not a bounded program for performing the processing after the loop in the inspection target program is changed.

  According to the present invention, it is possible to provide an information processing apparatus, an information processing method, and an information processing program capable of detecting a defect related to processing after a loop after making the loop processing bounded.

It is a functional block diagram which shows schematic structure of the information processing apparatus in 1st Embodiment of this invention. It is a figure which shows the specific example of the program which the information processing apparatus shown in FIG. 1 can make into the test object. It is a figure which shows the example of the conversion rule for the information processing apparatus shown in FIG. 1 to perform a loop bounding process. It is a figure which shows the specific example of the bounded program produced | generated by the 1st loop bounding process from the test object program shown in FIG. It is a figure which shows the example of the conversion rule for the information processing apparatus shown in FIG. 1 to perform a loop bounding process. It is a figure which shows the specific example of the bounded program produced | generated by the 1st loop bounding process from the test object program shown in FIG. It is a figure which shows the specific example of the program which the information processing apparatus shown in FIG. 1 can make into the test object. It is a figure which shows the specific example of the bounded program produced | generated by the 2nd loop bounding process from the test object program shown in FIG. It is a figure which shows the specific example of the bounded program produced | generated by the 2nd loop bounding process from the test object program shown in FIG. 3 is a flowchart illustrating a processing flow of the information processing apparatus illustrated in FIG. 1. It is a figure which shows the specific example of loop position information. It is a figure which shows the specific example of a data dependence. It is a functional block diagram which shows schematic structure of the information processing apparatus in 2nd Embodiment of this invention. It is a flowchart which shows the flow of a process of the information processing apparatus shown in FIG.

  Embodiments of the present invention will be described below. In the following description and the description of the drawings to be referred to, the same or similar components are denoted by the same or similar reference numerals.

(First embodiment)
1 to 12 are diagrams for explaining a first embodiment of the present invention. FIG. 1 is a functional block diagram for explaining a schematic configuration of the information processing apparatus according to the first embodiment.

  The information processing apparatus 100 illustrated in FIG. 1 generates a bounded program in which a loop included in the inspection target program is bounded, so that the bounded model inspection can be suitably performed on the inspection target program. It is a device to do.

The information processing apparatus 100 includes, for example, an information processing unit 110 implemented by an arithmetic device such as a CPU (Central Processing Unit) and a file storage unit 120 implemented by a storage medium such as an HDD (Hard Disk Drive) or a memory. Including. The information processing unit 110 includes an input module 111, a loop bounding module 113, and an output module 115. Note that these modules may be implemented by software or hardware. That is, all the processes on the information processing unit 110 can be realized by a program executed by a computer.
The input module 111 is a module that receives an inspection target program by reading the inspection target program from the file storage unit 120.

  The loop bounding module 113 bounds the loop processing for the inspection target program read from the file storage unit 120. Hereinafter, a program generated by bounding the loop process to the inspection target program is referred to as a bounded program.

Here, the loop bounding module 113 can perform two bounding processes according to the reference relationship of the variables in the loop. Hereinafter, these two bounding processes are referred to as a first loop bounding process and a second loop bounding process. The first loop bounding process and the second loop bounding process will be described in detail later.
The output module 115 is a module that outputs the bounded program generated by the loop bounding module 113 to the file storage unit 120.

  In the following description, it is assumed that the target program for the bounded model check is written in the C language, but the application of the present invention is not limited to the program written in the C language.

  In the following, a program using a while statement will be described as an example of loop processing, but the application of the present invention is not limited to loop processing using a while statement. For example, loop processing using a for statement, do statement, and goto statement can be converted into an equivalent while statement in the sense that the values of variables before and after execution are the same. In addition, the present invention is applicable.

  In the following, it is assumed that the label whileM_break (M is a serial number starting from 1 assigned to the loop in the target function) is set immediately after the end of the loop, but the present invention is not limited to this.

Further, in the following, regarding the program to be inspected, a transformation (hereinafter also referred to as “loop expansion”) that expands the code of the loop processing a fixed number of times (a threshold number that can be arbitrarily specified), or a meta that represents the number of iterations in the loop processing A description will be given of an example in which conversion (hereinafter also referred to as “loop forced termination”) for inserting a code (an instruction statement) for examining a variable or its value is performed on a source code. A test target program to which the present invention is applied is described below. It is not limited to source code. For example, the present invention may be applied to an abstract syntax tree or control flow graph obtained by analyzing source code, or intermediate code or binary code obtained by compiling source code.
Hereinafter, the bounded model inspection will be described.

  There is a method of statically checking whether a program to be inspected satisfies a property (property) to be inspected using a model checking method (that is, without executing the program). This method is called software model checking or modern model checking. The model checking method represents a system or software to be checked (hereinafter, the system and software may be collectively referred to as a program) as a finite state transition system, and a finite state space on the system. This is a method for investigating whether or not a property expressed in temporal logic is established by performing an exhaustive search of (finite state space).

  In the model checking method, when the property is not satisfied, a state transition sequence (path information) from the initial state to the state where the property is not satisfied is output as a counter-example to the property.

  In particular, the bounded model checking method is a technique for efficiently searching a finite state transition space by limiting the search depth (ie, making the search range bounded). It is considered effective for detection. In software model checking using a bounded model checking method, for each variable appearing in the program to be checked, each combination of values of each variable is handled as a state.

  Hereinafter, an example in which the bounded model checking method is applied to a program static check will be described. An attempt is made to detect transitions (path information) of variable values satisfying C∧¬P ("∧" is a logical product and "¬" is negative) by a bounded model checking method. Here, the transition of the value of each variable appearing in the inspection target program is expressed as a constraint expression C (finite state transition system), and the fact that the inspection target program is in the correct state is expressed as a logical expression P (property).

  The detected path information is a counter example to the fact that the program to be inspected operates correctly (C⇒P (“⇒” is a logical implication))) (C∧¬P = ¬ (C⇒P)). When the inspection target program is executed along the path information shown as a counter example, a problem that the inspection target program is not in a correct state occurs.

In general, there can be an infinite number of program states and transitions, so under-approximation is required when transforming a program into a bounded (limited search depth) finite state transition system. . Among program expressions, loops in particular tend to exceed the specified search depth. Therefore, processing for making the loop bounded is necessary.
Hereinafter, the first loop bounding process will be described by taking as an example a case where loop expansion is performed using the source file 200a shown in FIG. 2 as an inspection target program.

  In the first loop bounding process, the loop is expanded by a fixed number of times designated by the user (hereinafter referred to as NMAX times) using the rules a and b in FIG. More specifically, rule a is expanded for the processing in the n-th loop where 0 ≦ n <NMAX, and rule b is expanded for the processing in the n-th loop where n = NMAX.

  In the assert statement of rule b, if the expression “! E” of assert (! E) is false (ie, e is true), the finite model checking tool uses the expression! A counterexample to e is output and the search after that state is not performed. Here, “!” Is a negative unary operator in a programming language such as C or Java (registered trademark).

  Since the expression e of rule b is the control expression of the original loop,! The counterexample to e shows that e is true, that is, the control expression can be true after expanding the loop NMAX times. In other words, this counterexample shows that the original loop contains more than NMAX iterations, i.e., the finite model checking tool can overlook defects that occur in repeated parts beyond NMAX. Hereinafter, the assert statement of rule b is referred to as a loop expansion assertion.

  The source file 400a in FIG. 4 is an example of a bounded program in which the source file 200a shown in FIG.

  Up to this point, the case where the loop is bounded by loop expansion has been described, but the conversion process (loop forced termination) that generates a bounded program so that the loop processing is forcibly terminated after a fixed number of executions of the loop body. Is also possible. The rule c in FIG. 5 shows a conversion rule used when this loop is forcibly terminated.

  In the rule c, a meta variable _nM that does not exist in the inspection target program is introduced. _NM is a meta variable indicating the number of executions of the loop. The initial value is 0, and the value is incremented by 1 at the head of the loop body. In rule c, when this _nM exceeds NMAX, assert (! E) is called as a loop expansion assertion similar to rule b in FIG.

  A source file 400b in FIG. 6 is an example of a bounded program converted (generated) so that the source file 200a shown in FIG. 2 is a program to be inspected, NMAX is 2 and the loop is forcibly terminated.

  As described above, in the first loop bounding process, the loops included in the inspection target program can be bounded using the rules a and b or the rule c. However, in the method of making the loop bounded by the first loop bounding processing (loop bounding method), the processing after executing the processing in the loop up to a fixed number of times (NMAX) is performed. There is a problem that it is not inspected by the tool. This point will be described below.

  The source file 200a sets 1 to the variable x (line 12), repeats the loop process related to the variables i and a 1024 times (line 13 to line 17), and x is 0 after the loop process ends. The assert statement is instructed to check the existence (line 19).

  When the source file 200a is actually executed, the value of x is 1 in the 19th line, so the expression x == 0 in the assert statement becomes false, and as a result, a warning of assert violation is output and the process stops.

  On the other hand, when the source file 400a of FIG. 4 and the source file 400b of FIG. 6 which are bounded programs by the first loop bounding process are inspected by the bounded model inspection, the loop body (original source file) 200a) is repeated a fixed number of times (here, twice), and then the loop expansion assertion becomes false (14_3 line of the source file 400a and 14c line of the source file 400b). Violation warning is output and stopped. As a result, since the process after the loop (the 19th line) is not searched, the assert violation of x == 0 is overlooked.

  In other words, in the inspection of the search target program using the bounded model checking method, the loop is repeated a fixed number of times to process the loop body in order to fit the program in the bounded finite state space by the first loop bounding process. When converted, if the fixed number is less than the original number of repetitions (1024 in the example of the source file 200a in FIG. 2), the subsequent processing is not inspected. Even in a loop expansion method that uses rules a and b to expand a loop body a fixed number of times to limit repetition, a meta variable that indicates the number of repetitions is inserted into the loop body using rule c, This problem occurs even in a method of forced loop termination that limits the repetition by comparing the value of a variable with a fixed number of times.

  Therefore, the loop bounding module 113 has a function of performing bounding (second loop bounding processing) so that processing after the loop can be searched according to the situation. Hereinafter, a case where the second loop bounding process is performed using the source file 200a shown in FIG. 2 as the inspection target program will be described as an example.

  In the loop expansion by the second loop bounding process, the loop is expanded NMAX times, which is a fixed number designated by the user, using the rule a and the rule b 'of FIG. More specifically, the rule a is used for the processing in the loop up to the nth time such that 0 ≦ n <NMAX, and the rule b ′ is used for the processing in the nth loop where n = NMAX. Expand.

  A source file 400c of FIG. 8 shows an example of a bounded program that is a result of performing the second loop bounding process with the source file 200a as the inspection target program and NMAX being 2.

  In the first loop bounding process, the process in the NMAX-th loop has been converted into an assertion (loop expansion assertion, line 14_3) using assert as shown in line 14_3 of FIG. . As a result, the source file 400a, which is the conversion result, does not transfer control to the process following the loop when the expression specified in assert is false, that is, the process (line 19) following the loop is not transferred. It was not searched by the bounded model checking method.

On the other hand, in the second loop bounding process, the process in the NMAX-th loop is converted into a goto statement (line 14_3) that transfers control to the label while1_break following the loop according to the rule b ′ (FIG. 8). Source file 400c).
As a result, the bounded program using the second loop bounding process can search for the process after the loop by the bounded model checking method.

  Up to this point, the case where the loop is bounded by loop expansion has been described, but the second loop bounding process is also converted to forcibly terminate the loop, as in the first loop bounding process. It is also possible to do. The rule c ′ in FIG. 5 shows the conversion rule.

  In the rule c ′, similarly to the rule c, a meta variable _nM that does not exist in the inspection target program is introduced. _NM is a meta variable indicating the number of executions of the loop. The initial value is 0, and the value is incremented by 1 at the head of the loop body. In the rule c ′, when this _nM exceeds NMAX, a goto statement for transferring control to the label “whileM_break” following the loop is called as in the rule b ′ in FIG. 3.

  The source file 400d in FIG. 9 is an example of a bounded program that is a result of conversion by forced loop termination with the source file 200a as the inspection target program and NMAX as 2 in the second loop bounding process.

  Since the rule c is used in the first loop bounding process, the NMAX-th loop process is converted to assertion (loop expansion assertion) using assert as shown in the 14th line of FIG. Thereby, in the source file 400b which is the conversion result, when the expression specified in assert is false, control is not transferred to the process following the loop, that is, the process (line 19) following the loop is not executed. It was not searched by the bounded model checking method.

  On the other hand, in the second loop bounding process, according to the rule c ′, the NMAX-th loop process is converted into a goto statement (line 14c) that transfers control to the label while1_break (line 18) following the loop (FIG. 9). Source file 400d).

  As described above, regardless of whether the loop is expanded or the loop is forcibly terminated, if the bounded program is generated by the second loop bounding process, the bounded model checking tool is moved after the loop. This process can also be searched.

  However, if the second loop bounding process is applied in all cases to uniformly search for a process after the loop, a new problem of generating a false alarm occurs. The problem will be described below.

  For example, when the program to be inspected described in the source file 200b in FIG. 7 is actually moved, the loop (line 14 to line 17) is repeated 1024 times, the value of variable i becomes 1024, and the loop is terminated. Therefore, the assertion i == 1024 in the processing after the loop (the 19th line) is true, and no assertion violation occurs.

  On the other hand, after the loop (14th to 17th lines) is repeated only twice and then the bounded program is performed so as to forcibly search for the process after the loop (19th line), the bounded program becomes In the source file 400a of FIG. 4, the 19th line is replaced with “assert (i == 1024)”. When this is executed, the value of the variable i is 2 in the 19th line, so the assertion i == 1024 is false. Therefore, a warning of assertion violation is output. As described above, there is no assertion violation in the original program to be inspected, so this warning is an error (false warning).

  The cause of the false alarm is that a variable whose value is referenced in a loop with a limited number of iterations (i in the example of FIG. 7) is referred to in the process after the loop, so that the variable is detected when the original loop ends. Has a different value.

In order to prevent such a false alarm, the loop bounding module 113 checks whether or not the value of the variable is set in the loop with respect to the variable whose value is referred to in the processing after the loop. It is determined whether the first loop bounding process is performed or the second loop bounding process for searching for a process after the loop is performed. This makes it possible to search for processing after the loop while preventing false warnings.
Hereinafter, the flow of processing of the information processing apparatus 100 will be described with reference to the flowchart of FIG.

  First, the information processing unit 110 receives a specification of a test target program and a test target function that are targets of bounded model checking from the user, and accordingly, the input module 111, the loop bounding module 113, and the output module 115 is used to execute a series of processes. Hereinafter, the description will be made assuming that the source file 200a shown in FIG.

  The input module 111 reads the inspection target program from the file storage unit 120 (S501). The loop bounding module 113 first extracts loop position information including the start position and end position of the loop for each function of the read program to be inspected (S503).

  FIG. 11 is an example of loop position information extracted by the loop bounding module 113. In the example of FIG. 11, the name of a function including a loop, the name of a program (storage body) that stores a program to be inspected such as a source file, the start position and end position of a loop on the storage body (the storage body is a source file) In this case, the start position and the end position are managed as line numbers). For example, the first line in FIG. 11 (excluding the heading line) indicates that the loop included in the function foo is the source file Foo. In c, it indicates that it starts at the 14th line and ends at the 17th line.

  Subsequently, the loop bounding module 113 extracts, for each function of the inspection target program, a data dependency that is a set of a position where a value is set in a variable and a position that refers to the value (S505).

  FIG. 12 is an example of loop position information extracted by the loop bounding module 113. In the example of FIG. 12, the name of the function in which the variable appears, the name of the variable, the name of the storage program for the search target program such as the source file (storage body), and the position where the value is set for the variable on the storage body ( A definition position) and a position (reference position) referring to the value of the variable are managed in association with each other.

  For example, the first line (excluding the heading line) in FIG. 12 includes the source file Foo. The value is set in the 12th line of c (“x = 1” in the 12th line in the source file 200a in FIG. 2), and the value is referenced in the 19th line (“x in the 19th line of the source file 200a). == 0 ”).

Next, the loop bounding module 113 extracts the loop included in the inspection target function from the loop position information (S507), and repeats the loop body processing (processing within the loop) up to a fixed number of times for each loop. Bounding is performed (S511 to S521).
Finally, the loop bounding module 113 outputs a program in which the loop is bounded (bounded program) (S523).

  The bounding process for each loop (S511 to S521) will be described in detail below. The loop bounding module 113 extracts, from the data dependency relationship, variables that are “the end position of the loop being processed <the reference position of the variable” among the variables that appear in the inspection target function (S511). For each extracted variable (S513), the loop bounding module 113 compares the variable definition position with the start / end position of the loop (S515 and S517), and if the variable definition position is in the loop (S515 and S517) If S517 is No (the comparison result is false), the loop is bounded using the first loop bounding process so as not to transfer control to the process after the loop (S519). More specifically, if the loop is bounded by loop expansion, the rules a and b in FIG. 3 are used. If the loop is bounded by forced termination of the loop, the rule c in FIG. 5 is used. Is bounded.

  If the variable definition position is not in the loop (S515 or S517 is Yes (comparison result is true)), unlike the first loop bounding process, the second control is transferred to the process after the loop. The loop is bounded using the loop bounding process (S521). More specifically, if the loop is bounded by loop expansion, the rules a and b ′ of FIG. 3 are used, and if the loop is bounded by forced termination of the loop, the rule c ′ of FIG. 5 is used. To make the loop bounded.

  Hereinafter, a process for expanding a loop into repetition of a loop body will be described using a specific example. The loop (14th to 17th lines) of the source file 200a, which is the program to be inspected, first uses the rule a of FIG. 3 and the first loop body (14_1) of the bounded program (source file 400c of FIG. 8). Line, line 15_1, line 16_1, and line 17_1) and the second loop body (line 14_2, line 15_2, line 16_2, line 17_2). Next, using the rule b 'of FIG. 3, it is converted into a goto statement (line 14_3) in which control is transferred to the label while1_break following the loop. As a result, the processing following the loop can be searched by the bounded model check.

  Here, if rule b is used (that is, if the first loop bounding process is used), it is converted into an assert using assert as in line 14_3 of source file 400b in FIG. Therefore, if the expression specified in assert becomes false, control does not move to the processing following the loop. That is, the process following the loop is not searched by the bounded model check.

  However, when the source file 200a in FIG. 2 is the inspection target program, refer to FIG. 12 for variables whose values are referenced after the loop end position (line 17) shown in FIG. Then, it turns out that it is only x (refer with 19th line).

The value of the variable x is set before the start of the loop (line 12), and the value is referenced after the end of the loop (line 17) (line 19). Therefore, since the comparison result is true (Yes in S515) by comparing the definition position of the variable x and the start position of the loop, the processing of the loop bounding module 113 returns to S513. In this example, since only x is a variable to be examined, the loop bounding module 113 advances the process from S513 to S521. In S521, the loop bounding module 113 converts the source file 200a, which is a program to be inspected, into a source file 400c, which is a bounded program, by the second loop bounding process.
By outputting the bounded program converted in this way (S523), the bounded model checking tool can search for processing after the loop.

(Second Embodiment)
Hereinafter, a second embodiment of the present invention will be described with reference to FIGS. 13 and 14. 13 and 14 are diagrams for explaining the second embodiment of the present invention. In addition, the same code | symbol as 1st Embodiment is attached | subjected to the structure and operation | movement similar to 1st Embodiment, and description is abbreviate | omitted. In addition to the configuration, descriptions of finite model inspection and assumptions similar to those of the first embodiment such as an inspection target program that can be input by the information processing apparatus 100 are omitted.
FIG. 13 is a functional block diagram illustrating a schematic configuration of the information processing apparatus 100 according to the second embodiment.

  The information processing apparatus 100 according to the present embodiment includes an information processing unit 110 that is an arithmetic device such as a CPU (Central Processing Unit), and a file storage unit 120 that is a storage medium, for example. This is the same as in the first embodiment.

  The information processing unit 110 is different from the first embodiment in that the information processing unit 110 further includes a bounded model checking module 117 in addition to the input module 111, the loop bounding module 113, and the output module 115. Note that these modules may be implemented by software or hardware. That is, all the processes on the information processing unit 110 can be realized by a program executed by a computer.

The information processing unit 110 causes the input module 111, the loop bounding module 113, the output module 115, and the bounded model checking module 117 to execute the processes of S601 to S605 illustrated in FIG.
Hereinafter, the flow of processing of the information processing apparatus 100 according to the present embodiment will be described in detail with reference to the flowchart of FIG.

  The information processing unit 110 receives designation of the inspection target program and the inspection target function from the user (user), and inputs the input module 111, the loop bounding module 113, the output module 115, and the bounded model checking module 117. Then, a series of processes shown in FIG. 14 is executed.

  The input module 111 reads the inspection target program from the file storage unit 120 (S601). The loop bounding module 113 converts the loop body processing into a bounded program that is limited to a fixed number of times, and outputs the generated bounded program (S603). Here, the details of the conversion processing to the bounded program (S603) are the same as the processing of FIG. 10 of the first embodiment.

  The bounded model checking module 117 receives the bounded program, converts the program into a bounded name finite state transition system, and exhaustively searches the finite state space on the system within a predetermined range to correct the program. It is examined whether or not a logical expression expressing the property indicating the trueness is established (S605). The output module 115 outputs the inspection result by the bounded model inspection module 117 to the file storage unit 120 (S607).

  The bounded model inspection module 117 indicates the presence or absence of a defect as an inspection result when the exhaustive search is completed within a predetermined time. If there is a problem, the bounded model checking module 117 also shows a transition sequence (path information) of variable values from the initial state to the state where the property is not established. On the other hand, if the determined exhaustive search has not ended, the bounded model checking module 117 cannot indicate the presence or absence of a defect.

(Effects of the first and second embodiments)
In the inspection of a program using the bounded model checking method, a loop is converted into a fixed number of repetitions in order to fit the program in a bounded name finite state space. When only the first loop bounding process is used, a bounded program is generated so that the control of program execution does not shift to the process following the loop body repetition exceeding the fixed number of times, so there is a process following the loop. It will be excluded from the search target of the field model inspection. In other words, in some cases, a defect that occurs in the process following the loop is overlooked by the bounded model inspection.

  According to the method shown in the first and second embodiments, if a variable whose value is referred to in the process following the loop is not set in the loop, the loop body exceeding the fixed number of times Since the program execution control is also transferred to the process following the iteration, the process following the loop is also a search target by the bounded model check. Therefore, in such a case, it becomes possible to show a defect caused by the processing following the loop by the bounded model check.

(Additional notes)
Note that the configurations of the above-described embodiments may be combined or some of the components may be replaced. The configuration of the present invention is not limited to the above-described embodiment, and various modifications may be made without departing from the scope of the present invention.
A part or all of each of the above-described embodiments can be described as in the following supplementary notes, but is not limited thereto.

(Appendix 1)
An input unit that receives an input of the inspection target program; and a generation unit that generates a bounded program for setting the number of repeated operations by a loop included in the inspection target program to be equal to or less than a threshold value from the inspection target program, The means determines whether or not to make a bounded program that performs the processing after the loop in the program to be inspected depending on whether or not a value to be set in the loop is set to a variable that is referenced after the loop. Change information processing equipment.

(Appendix 2)
The generation means generates a bounded program that does not perform processing after the loop in the program to be inspected when a value is set in the loop to a variable referred to after the loop, and the loop If no value is set in the loop for a variable to be referred to later, a bounded program for performing the processing after the loop processing in the inspection target program is generated after the threshold number of iterations. The information processing apparatus described.

(Appendix 3)
The generating means forcibly terminates after the threshold number of iterations when a value set in the loop is set to a variable referred to after the loop, and the variable referred to after the loop If the value is not set in step 1, the information processing apparatus according to claim 1 or 2, wherein a bounded program that moves to the processing after the loop in the inspection target program is generated after the threshold value is repeated.

(Appendix 4)
4. The information processing apparatus according to claim 1, further comprising inspection means for performing a bounded model inspection using a bounded program generated by the inspection object program.

(Appendix 5)
An input step of reading the inspection target program from the storage medium, and a generation step of generating a bounded program for setting the number of repeated operations by a loop included in the inspection target program to be equal to or less than a threshold from the inspection target program. The generating step is a bounded program that performs processing after the loop in the program to be inspected according to whether or not a value to be set in the loop is set to a variable that is referred to after the loop. Information processing method that changes whether or not.

(Appendix 6)
An information processing program for causing a computer to execute an information processing method, comprising: an input step of reading an inspection target program from a storage medium; and a loop included in the inspection target program from the inspection target program A generation step for generating a bounded program for setting the number of repetitive operations to be equal to or less than a threshold value, and the generation step determines whether or not a value is set in the loop to a variable referred to after the loop. In response, an information processing program that changes whether or not to use a bounded program that performs the processing after the loop in the inspection target program.

  DESCRIPTION OF SYMBOLS 100 ... Information processing apparatus, 110 ... Information processing part, 111 ... Input module, 113 ... Loop bound module, 115 ... Output module, 120 ... File storage part

Claims (6)

Input means for receiving the program to be inspected;
Generating means for generating a bounded program for setting the number of repeated operations by a loop included in the inspection target program to be equal to or less than a threshold value from the inspection target program;
Whether the generation means is a bounded program that performs processing after the loop in the program to be inspected depending on whether a value to be set in the loop is set to a variable referred to after the loop. Change
Information processing device. The generation means generates a bounded program that does not perform processing after the loop in the program to be inspected when a value is set in the loop to a variable referred to after the loop, and the loop If no value is set in the loop for a variable referred to later, a bounded program for performing the processing after the loop processing in the inspection target program is generated after the threshold number of iterations.
The information processing apparatus according to claim 1. The generating means forcibly terminates after the threshold number of iterations when a value set in the loop is set to a variable referred to after the loop, and the variable referred to after the loop If the value is not set in, generate a bounded program that moves to the processing after the loop in the program to be inspected after the repetitive calculation of the threshold times.
The information processing apparatus according to claim 1 or 2. Using a bounded program generated by the inspection target program, further comprising inspection means for performing a bounded model inspection;
The information processing apparatus according to any one of claims 1 to 3. An input step of reading the program to be inspected from the storage medium;
A generation step for generating a bounded program for setting the number of repeated operations by a loop included in the inspection target program to be equal to or less than a threshold value from the inspection target program;
With
Whether the generation step is a bounded program that performs processing after the loop in the program to be inspected depending on whether a value to be set in the loop is set to a variable referred to after the loop. Change
Information processing method. An information processing program for causing a computer to execute an information processing method,
An input step of reading the program to be inspected from the storage medium;
A generation step for generating a bounded program for setting the number of repeated operations of the loop included in the inspection target program to be equal to or less than a threshold value from the inspection target program;
With
Whether the generation step is a bounded program that performs processing after the loop in the program to be inspected depending on whether a value to be set in the loop is set to a variable referred to after the loop. Change
Information processing program.