JP2013120491A - Source code conversion method and source code conversion program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a source code conversion method and a source code conversion program capable of flexibly adapting to an abstraction level etc. and associating an error trace at a source code level according to the abstraction level with a source code before abstraction.SOLUTION: A source code conversion method achieved by a source code conversion device which converts a source code of software into an inspection code described in an input language of a verification tool according to a plurality of different conversion rules performs the steps of: converting an abstracted intermediate form into an intermediate form before abstraction using an inverse conversion rule stored in a step to abstract a converted intermediate form; and converting the intermediate form before abstraction into an abstracted source code which is a source code by using an inverse conversion rule stored in a step to convert the source code into the intermediate form.

Description

  The present invention relates to a source code conversion method and a source code conversion program, and in particular, in a software model check, in order to reduce the cost of writing a check code in an input language of a model checker, a software source is utilized by utilizing a computer. The present invention relates to a method and a program for converting a code into an inspection code.

  In recent years, software systems have spread to the general public, and the reliability required for software has become very high. On the other hand, software has become increasingly complex and large-scale, and software reviews are performed manually. In addition, it has become very difficult to ensure quality in manual testing of software.

  Model checking technology describes the behavior of software in the input language of a specific model checker, and executes the specific model checker to comprehensively check the possible states of the software, thereby providing the properties that the software should have. This is a technique for determining whether or not the condition is satisfied (see, for example, Non-Patent Document 1). According to the method disclosed in Non-Patent Document 1, the behavior of software is described in an input language called Promela, and input to a model checker called SPIN, thereby performing inspection. As a result of the inspection, if there is a state that does not satisfy the properties of the software to be inspected, the administrator traces the transition of the state leading to the state and identifies the software defect location. The

  Model checking technology is a promising technology for ensuring the quality of software that is becoming increasingly complex and large-scale. However, in order to comprehensively check the possible states of software, the number of states to be inspected for large-scale software There is a phenomenon called state explosion that becomes a huge amount. Due to this state explosion, the phenomenon that the time calculation amount necessary for processing becomes practically unacceptable, and the phenomenon that the space calculation amount necessary for processing exceeds the storage area installed in the computer used for processing, At least one of them may be caused and the above-described inspection may not be completed.

  In order to cope with the state explosion, a process called abstraction may be performed on the source code or the inspection code to reduce the number of states to a range that can be inspected. The format of information (model) held inside the computer when the source code to be inspected is converted into the inspection code is defined by, for example, a meta model. It is known that the meta model is defined by a description using, for example, MOF (for example, see Non-Patent Document 2), QVT (for example, Non-Patent Document 3), and OCL (for example, Non-Patent Document 4). It has been.

  Abstraction includes, for example, simplification of branch conditions for selective execution statements. Since the abstraction may cause a situation where an originally nonexistent execution path occurs or an existing execution path disappears, there is a difference between the nature of the software indicated by the inspection result for the inspection code and the nature of the original software. Can be born. Therefore, it is desirable to apply abstraction after considering the level of abstraction in view of the property to be inspected for software.

  Further, in the model checking technique, it may be a practical problem that the labor for describing the software to be checked in the input language of the specific model checker is large. FIG. 16 shows an example of a source code conversion apparatus disclosed in Patent Document 1. According to the method disclosed in Patent Document 1, the source code is converted into the inspection code written in the input language of the specific model checker using the translation map (steps 910 to 940). According to the method disclosed in Patent Document 1, an inspection code is inspected by the specific model checker separately from the conversion using an environment model defined by a user (steps 975 and 950 to 970). Patent Document 1 discloses a method of outputting an error trace at the model level and outputting an error trace at the source code level when the inspection code does not satisfy the inspection property as a result of the inspection.

  Also, a method is known in which an inspection model is converted into an inspection code using an inspection code writing rule (see Non-Patent Document 5).

JP 2000-181750 A

G. J. Holzmann, "The Model Checker Spin," IEEE Transactions on Software Engineering, vol. 23, no. 5, pp. 279--295, May 1997 http://doi.ieeecomputersociety.org/10.1109/32.588521 The Object Management Group, "Meta Object Facility (MOF) Core Specification", formal / 06-01-01, January 2006, http://www.omg.org/spec/MOF/2.0/PDF The Object Management Group, "Meta Object Facility (MOF) 2.0 Query / View / Transformation Specification", formal / 2008-04-03, April 2008, http://www.omg.org/spec/QVT/1.0/PDF The Object Management Group, "Object Constraint Language", formal / 2006-05-01, May 2006, http://www.omg.org/spec/OCL/2.0/PDF The Object Management Group, "MOF Model to Text Transformation Language, v1.0", formal / 2008-01-16, January 2008, http://www.omg.org/spec/MOFM2T/1.0/PDF

  As the responsibilities that software fulfills are increasing, software must be highly reliable. Also, with the increasing size and complexity of software, there is a limit to visual review of software and manual testing of software. In order to ensure reliability through model checking techniques, the software specification, design, and implementation can be appropriately abstracted so that the software can be formally described so that it can be interpreted unambiguously, and It is necessary to be able to automatically and comprehensively check whether a specific property is satisfied. Further, it is necessary to associate which part of the specification, design, and implementation of the pre-abstraction software is related to the inspection result, and to reflect the inspection result in the software.

However, the method disclosed in Patent Document 1 has the following problems (1) to (4). (1) Difficult to change the level of software abstraction (2) High cost of following software design changes (3) High cost when software is inspected using different model checkers ( 4) The cost of associating the test result of the model based on the abstraction level selected by the user with the software before abstraction is high The problems (1) to (4) will be described in detail.

  The problem (1) will be described. In the method disclosed in Patent Document 1, the translation map is changed only when a new type of instruction such as revision of the source program is introduced into the source code. For this reason, there are two ways for the user to change the level of abstraction: the user modifies the source code to be inspected before conversion, and the inspection code written in the input language of the specific model checker after conversion. The method is limited to the method of adding correction and the method of correcting the environmental model. In either method, the user spends a lot of time.

  The problem (2) will be described. In the method disclosed in Patent Document 1, when a design change such as a change in a library to be used occurs, the translation map and the environment model must be corrected. However, due to the fact that the translation map is composed of map elements that associate the source code with the inspection code that is the conversion destination of the source code, and that the environmental model is described in the input language of the specific model checker It is difficult for the user to make corrections while maintaining consistency so as to follow the design change.

  The problem (3) will be described. In the method disclosed in Patent Document 1, in order to inspect the source code using different model checkers, the translation map and the environment model must be corrected. However, this is because a translation map is configured by a map element that associates a source code with the inspection code that is a conversion destination of the source code, and that an environment model is described in an input language of a specific model checker. Thus, the user has to modify all of the translation map and the environment model, which is very expensive.

  The above (4) problem will be described. In the method disclosed in Patent Document 1, the source code is abstracted at a level selected by the user, and model checking is performed on the abstracted source code. For this reason, the source code level error trace abstracted according to the level selected by the user must be associated with the source code. However, since the source code is abstracted according to the criteria selected by the user, it exists in the error trace, but does not exist in the source code, and exists in the source code, but it exists in the error trace. There will be at least one of the non-existing locations, and the user must associate the error trace with the source code, and the user will spend a great deal of time.

  In addition, in a complicated system inspection, a state explosion may easily occur and the inspection may not be completed. In such a case, the user may desire to be able to inspect even if the inspection level is slightly lower than the state in which nothing can be inspected. In addition, when there is a specific defect that occurs only during the execution of a repeated statement, the number of states can be greatly reduced by removing this repeated statement, although it becomes impossible to detect the specific defect. For these reasons, there is a need to manage the trade-off between the inspection level and the number of states on the user side.

  The present invention can flexibly cope with the level of abstraction in light of the problems of the prior art, and can associate an error trace at the source code level according to the abstraction level with the source code before abstraction. An object of the present invention is to provide a source code conversion method and a source code conversion program.

  To show a typical example of the present invention, a source code executed by a source code conversion device that converts a software source code into an inspection code described in an input language of a verification tool using a plurality of different conversion rules. A conversion method, wherein the conversion rule includes a first conversion rule that converts the source code into an intermediate format that does not depend on a specific programming language, and a second conversion rule that abstracts the converted intermediate format. And a third conversion rule for converting the abstracted intermediate form into the inspection code, wherein the method receives the source code and at least one first conversion rule input. Receiving an input of at least one second conversion rule; and at least one third conversion rule. Receiving the force, converting the source code into the intermediate format using the input first conversion rule, storing the converted portion in an inverse conversion rule, and the input second Abstracting the transformed intermediate form using a transformation rule, storing the abstracted location in the inverse transformation rule; and using the inputted third transformation rule Using the reverse conversion rules stored in the step of converting an intermediate format into the inspection code and in the step of abstracting the converted intermediate format, the abstracted intermediate format before the abstracted Using the inverse conversion rules stored in the step of converting to an intermediate format and the step of converting the source code to the intermediate format, the intermediate format before being abstracted is a source. Characterized in that it comprises a step of converting a is abstracted source code Sukodo, the.

  The effects obtained by the representative ones of the inventions disclosed in the present application will be briefly described as follows. That is, a source code conversion method and a source code conversion program that can flexibly correspond to an abstraction level and the like, and can associate an error trace at a source code level according to the abstraction level with a source code before abstraction Can provide.

It is a figure for demonstrating the basic concept of this invention. It is a figure explaining the input interface of the conversion rule in the source code conversion process of this invention. It is a figure which shows the structural example of the source code conversion system of 1st Example of this invention. It is a figure which shows the structural example of the source code conversion apparatus in the source code conversion system of 1st Example of this invention. It is a figure which shows the example of the processing flow of 1st Example of this invention. It is a figure which shows an example of input operation with respect to a source code converter. It is a figure which shows the other example of input operation with respect to a source code converter. It is a figure explaining operation | movement of a source code converter. It is a figure explaining the procedure of source code conversion in detail. It is a figure which shows an example of the abstraction of a model. It is a figure which shows an example of the abstraction of a model. It is a figure which shows the structural example of the source code conversion system of the 2nd Example of this invention. It is a figure which shows the structural example of the source code conversion apparatus in the source code conversion system of the 2nd Example of this invention. It is explanatory drawing of the specific example until the abstraction source code of 2nd Example of this invention is output. It is a figure which shows the structural example of the source code conversion apparatus in the source code conversion system of the 3rd Example of this invention. It is explanatory drawing of the specific example until the abstract source code of 3rd Example of this invention is output. It is a figure which shows the example of the processing flow of the source code converter which becomes the 4th Example of this invention. It is a figure explaining in detail the procedure of verification of the validity of conversion in the 5th Example of this invention. It is a figure which shows an example of the source code conversion apparatus of a prior art example.

  In the present invention, the source code to be inspected is converted into the inspection code described in the input language of the model checker using a plurality of different conversion rules. The plurality of different conversion rules are obtained by converting a source code to be inspected into an inspection code described in an input language of a model checker, and dividing a series of abstraction processes into fine granularities. By using in combination, conversion from the source code to the inspection code is realized.

  In the present invention, a series of processing for converting a source code to be inspected into an inspection code is divided into fine granularities including abstraction processing, and each divided is referred to as a “conversion rule”. The source code conversion apparatus realized by the present invention has an interface for selecting or inputting a plurality of different conversion rules by a user when converting a source code into an inspection code. The conversion rule is input by one of a selection from a plurality of conversion rules stored in advance in the source code conversion apparatus and a user description.

  In the present invention, the conversion rule includes an implementation-generalization conversion rule for converting source code into a format having generalized program information (generalization model) independent of the description language of the source code, The generalized model is classified into an abstraction conversion rule for abstracting a generalized model and a generalization-check conversion rule for converting a generalized model into a description language of a model checker. In other words, the plurality of different conversion rules include a first conversion rule for converting source code into an intermediate format that is a format independent of a specific programming language, and a second conversion rule for performing an abstraction process on the intermediate format. And a third conversion rule for converting the intermediate format into the inspection code. The conversion from the source code to the inspection code includes the steps of converting the source code into a generalized model by an implementation-generalization conversion rule, abstracting the generalization model by an abstraction conversion rule, and the generalization model. This is realized by successively performing the three steps of converting the generalized model into a test code according to the generalization-check conversion rule. In other words, for the conversion from the source code to the inspection code, the step of inputting one or more of each of the first, second, and third conversion rules, and the software source code using the first conversion rule, Converting to the intermediate format; using the second conversion rule to abstract the software expressed in the intermediate format; and using the third conversion rule to input the intermediate format to the verification tool This is realized by continuously performing the three steps of converting into the verification code described in the language.

  In the present invention, the information (model) held internally in a series of processes for converting the source code to be inspected into the inspection code is defined by the meta model. The model is classified into an implementation model having information corresponding to the source code to be inspected, the generalization model described above, and an inspection model having information corresponding to the description language of the model checker. The implementation model is defined by the meta / implementation model that is the metamodel, the generalization model is defined by the meta / generalization model that is the metamodel, and the inspection model is defined by the meta / inspection model that is the metamodel. Defined. Each of the above-described metamodels has a definition of a data structure and information on constraints between elements included in the data.

  In the step of converting the source code to the intermediate format, the converted part is stored in the reverse conversion rule. In the step of abstracting the intermediate form, the abstracted part is stored in the reverse conversion rule. A step of converting the abstracted intermediate format into the intermediate format before being abstracted, and a step of converting the source code into the intermediate format, using the reverse conversion rule stored in the step of abstracting the intermediate format And converting the intermediate format before being abstracted into an abstracted source code that is a source code using the inverse transformation rule stored in (1).

  Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings.

  First, the basic concept of the present invention will be described with reference to FIGS. In the present invention, as shown in FIG. 1, the source code 0001 is subjected to a conversion process in which a plurality of conversion rules 0002 are combined in the source code conversion apparatus 1000, so that the inspection code 0005 suitable for the existing model inspection apparatus is obtained. Convert to That is, (a) “conversion” is divided into fine granularities and packaged as a combination of a plurality of “conversion rules” 0002, thereby realizing flexible conversion. (B) The user (inspector) inputs the source code 0001 to be inspected, selects the “conversion rule” 0002 corresponding to the target source code and the inspection level, and obtains the desired inspection code 0005.

Examples of the “conversion rule” in the present invention are as follows.
(A) Convert simple syntax conversion "C language conditional branch (If statement / Switch statement)" into "check code conditional branch (If statement)""C language repetition statement (for statement, while statement, ... ) ”Is converted to“ Repeated inspection code (Do statement) ”(b) Modeling of external environment“ Read data ”is replaced with“ Random input ”(c) Abstraction“ Repeat removal ”
"Simplification of conditions"
The conversion rule input interface in the source code conversion processing of the present invention will be described with reference to FIG.

  According to the present invention, since an interface for inputting a plurality of conversion rules 0002 divided into fine granularities is possessed, the abstraction can be easily changed by the user by selecting and inputting a plurality of different conversion rules 0002. Realized. In other words, the user can change the abstraction level by selecting a plurality of different conversion rules 0002 according to the domain information, the property to be inspected, and the information on the inspection level (influence on the property due to abstraction). And is easily realized by an operation of inputting to the source code conversion apparatus 1000.

  The present invention includes a procedure for converting the source code 0001 to be inspected into the inspection code 0005 described in the input language of the model checker using a plurality of different conversion rules 0002. The plurality of different conversion rules are classified into an implementation-generalization conversion rule, an abstraction conversion rule, and a generalization-inspection conversion rule, and conversion using these conversion rules is executed in stages. When following the design change of the source code to be inspected, only the conversion rule related to the change needs to be changed, and the change is minimized. In addition, the implementation model, the generalization model, and the inspection model are each defined in the meta model, and by adding constraints, it is possible to verify that the conversion result by the conversion rule is not illegal. Thus, in this embodiment, a series of processes for converting the source code to be inspected while abstracting it into the inspection code is realized by combining fine-grained conversion rules. A method for realizing such a series of processes It is possible to prevent an increase in the verification cost of the conversion rule caused by.

  In addition, in order to inspect with a different inspection tool, when outputting in the format of the inspection tool, only the meta / inspection model and the generalization-inspection conversion rule need be created, and the creation part is minimized. It is done.

(First embodiment)
Next, a source code conversion apparatus and conversion processing method according to the first embodiment of the present invention will be described with reference to FIGS. 3A to 8B.

  FIG. 3A is a diagram illustrating a configuration example of a source code conversion system including a source code conversion apparatus according to the first embodiment. A source code conversion apparatus 1000 applied to an embodiment of the present invention is an apparatus that converts a source code 0001 to be inspected into an inspection code 0005, and includes an input unit 1100, a conversion processing unit 1200, an output unit 1300, and a storage. Unit 1400 and control unit 1500. Reference numeral 2000 denotes a model inspection tool, and reference numeral 3000 denotes an inspection result.

  The input unit 1100 receives input of the source code 0001 and the conversion rule 0002. The storage unit 1400 stores a conversion rule 0002, a meta model 0003, and a writing rule 0004. The meta model 0003 is data for defining a model format internally held in a series of processes for converting the source code 001 into the inspection code 0005 by the conversion processing unit 1200.

  The conversion processing unit 1200 converts the source code 0001 to be inspected into the inspection code 0005 based on the conversion rule 0002. The output unit 1300 outputs the inspection code 0005 based on the writing rule 0004. The control unit 1500 is a processor that executes various processes for controlling the entire process of the source code conversion apparatus 1000. Note that the input unit 1100, the conversion processing unit 1200, and the output unit 1300 are realized by a processor executing a program that realizes each function of each unit (not shown) stored in the storage unit 1400. Information such as programs, tables, and files that realize each function can be read by non-volatile semiconductor memory, hard disk drives, storage devices such as SSD (Solid State Drive), or computers such as IC cards, SD cards, and DVDs. Can be stored on any non-transitory data storage medium.

  FIG. 3B shows a configuration example of the source code conversion apparatus 1000. The input unit 1100 includes a source code input unit 1101 and a conversion rule input unit 1102. The conversion processing unit 1200 includes a model construction unit 1201, an implementation-generalized model conversion unit 1202, an abstract model conversion unit 1203, and a generalization-check model conversion unit 1204. The output unit 1300 includes an inspection code writing unit 1301. The storage unit 1400 includes a conversion rule database 1401, a metamodel database 1402, and a writing rule database 1403.

  The source code conversion apparatus 1000 is implemented, for example, as a program that operates on a single computer or a plurality of computers connected via a network. The source code 0001 and the conversion rule set 0002 are input by a method such as a method of reading from a storage device on a computer and a method of directly inputting by an input device connected to the computer. The inspection code 0005 is output by, for example, a method of writing to a storage device on a computer and a method of displaying on a display device of a computer.

  The input unit 1100 receives data input by the user and performs a process of supplying the input data to the conversion processing unit 1200. The input unit 1100 receives information related to the source code 0001 and a plurality of conversion rules divided into fine granularities, that is, information related to the “conversion rule set” 0002, and supplies the information to the conversion processing unit 1200. In an embodiment, the input unit 1100 may receive an instruction from the user regarding driving and control of the conversion processing unit and driving and control of the output unit.

  Information about the source code 0001 and information about the conversion rule set 0002 to be applied to the source code 0001 are supplied to the conversion processing unit 1200 from the input unit 1100. In addition, the conversion processing unit 1200 performs processing for converting the source code 0001 by the conversion rule set 0002, and supplies information of the conversion result to the output unit 1300. In an embodiment, the information related to the conversion rule set 0002 supplied from the input unit 1100 includes only identification information indicating the conversion rule 0002 stored in the storage unit 1400. The identification information may be taken out from the storage unit 1400 and used for conversion.

  Details of the conversion processing unit 1200 and the output unit 1300 will be described with reference to FIG.

  The conversion processing unit 1200 includes a model construction unit 1201, an implementation-generalized model conversion unit 1202, an abstract model conversion unit 1203, and a generalization-check model conversion unit 1204.

  In the present embodiment, the conversion processing unit 1200 converts the source code information 1001 into an inspection model 1008 by model conversion using the meta model 0003 (see FIG. 3A) and the conversion rule 0002. The meta / implementation model 1002, the meta / generalization model 1003, and the meta / inspection model 1004 are described in, for example, the MOF described in Non-Patent Document 2. Also, for example, in the QVT described in Non-Patent Document 3, the implementation-generalization conversion rule 1005, the abstraction conversion rule 1006, and the generalization-inspection conversion rule 1007 are described, and the model is converted. . The conversion may be another model conversion method already exemplified, or a plurality of methods may be mixed.

  In some embodiments, the implementation-generalization model conversion unit 1202, the abstraction model conversion unit 1203, and the generalization-check model conversion unit 1204 may be performed by the same part without being independent of each other. . Further, a meta / implementation model 1002, a meta / generalization model 1003, and a meta / inspection model 1004 are separately prepared as metamodels of the implementation model 1205, the generalization model 1206, and the inspection model 1008, respectively. Instead, the mounting model 1205, the generalization model 1206, and the inspection model 1008 may be defined by a single meta model. In one embodiment, the meta / implementation model 1002, the meta / generalization model 1003, and the meta / inspection model 1004 are implemented by a plurality of methods, respectively, an implementation model 1205, a generalization model 1206, and an inspection model 1008. You may define the form and constraints. For example, each meta model includes the constraint conditions described in the OCL described in Non-Patent Document 4 in addition to the definition by the MOF, and satisfies the constraint conditions when the model is converted. There can be a method of verifying whether or not.

  The model construction unit 1201 receives the source code information 1001 from the source code input unit 1101 and converts it into the implementation model 1205. The format of the mounting model 1205 is defined by a meta / implementation model 1002 that is a meta model thereof. The implementation model 1205 desirably has sufficient information necessary for mutual conversion with the source code information 1001 in order to obtain the effect of the present invention to the maximum, but in one embodiment, an inspection code is output. However, information may be omitted or added as long as the purpose is not missed.

  In an embodiment, the model construction unit 1201 may be implemented in a manner inseparable from the source code input unit 1101 and the process may proceed in a form in which the source code information 1001 does not occur.

  The mounting-generalization model conversion unit 1202 converts the mounting model 1205 into the generalization model 1206 using the mounting-generalization conversion rule 1005, the meta / mounting model 1002, and the meta / generalization model 1003. The generalization model 1206 has a data structure that can represent structures and processes in a plurality of programming languages. For example, in the generalization model 1206, the If statement and the Switch statement in the source code 0001 are not distinguished from each other and are expressed as selective execution statements. In an embodiment, when the mounting model 1205 is converted into the generalization model 1206, only the mounting-generalization conversion rule 1005 may be used. In some embodiments, when the implementation-generalization conversion rule 1005 includes a plurality of conversion rules, the plurality of conversion rules are integrated into one conversion rule, and the implementation model 1205 to the generalization model 1206 There can be a method used for conversion. In one embodiment, when the implementation-generalization conversion rule 1005 includes a plurality of conversion rules, a procedure for converting the implementation model 1205 to the generalization model 1206 by repeating the conversion process a plurality of times is provided. possible.

  The abstraction model conversion unit 1203 abstracts the generalization model 1206 using the abstraction conversion rule 1006 and the meta / generalization model 1003. As an example of abstraction, there may be a method of replacing a conditional expression in a selection statement with a true, false, or non-deterministic selection. In an embodiment, when abstracting the generalization model 1206, only the abstract conversion rule 1006 may be used. Further, in an embodiment, when the abstraction conversion rule 1006 includes a plurality of conversion rules, there is a method of integrating a plurality of conversion rules into one conversion rule and using it for abstracting the generalization model 1206. obtain. In an embodiment, when the abstract conversion rule 1006 includes a plurality of conversion rules, there may be a procedure for converting the generalized model 1206 by repeating the conversion process a plurality of times.

  The generalization-inspection model conversion unit 1204 converts the generalization model 1206 into an inspection model 1008 using the generalization-inspection conversion rule 1007, the meta / generalization model 1003, and the meta / inspection model 1004. For example, when the inspection code 0005 is in the Promela format, an element expressed as a selective executable statement in the generalization model is expressed as an If statement in the inspection model. In an embodiment, when the generalization model 1206 is converted into the inspection model 1008, only the generalization-inspection conversion rule 1007 may be used. Further, in a certain embodiment, when the generalization-inspection conversion rule 1007 includes a plurality of conversion rules, the plurality of conversion rules are integrated into one conversion rule, and the generalization model 1206 to the inspection model 1008 are integrated. There can be a method used for conversion. Further, in a certain embodiment, when the generalization-inspection conversion rule 1007 includes a plurality of conversion rules, a procedure for converting the generalization model 1206 to the inspection model 1008 by repeating the conversion processing a plurality of times is provided. possible.

  The output unit 1300 outputs the inspection code 0005 using the conversion result information supplied from the conversion processing unit 1200. In an embodiment, when the inspection code 0005 is output, information such as grammar information of the description language of the model checker may be supplied from the storage unit 1400.

  The inspection code writing unit 1301 converts the inspection model 1008 into the inspection code 0005 using the meta / inspection model 1004 and the inspection code writing rule 1009 acquired from the writing rule database 1403 of the storage unit 1400. For example, the inspection code writing rule 1009 is described by the method described in Non-Patent Document 5, and the inspection model 1008 is converted to the inspection code 0005. In an embodiment, the present invention is not limited to this, and any method for converting the inspection model 1008 into a description format of a model checker used for inspection may be used. For example, when SPIN is used as a model checker, the inspection code 0005 is described in the Promela language, which is the SPIN input language.

  In the storage unit 1400, each of the conversion rule database 1401, the metamodel database 1402, and the writing rule database 1403 is an arbitrary data storage method realized on a computer, such as a relational database or a hierarchical database. Realized. The conversion rule database 1401, the metamodel database 1402, and the writing rule database 1403 do not have to be implemented by the same method, and may be implemented by different methods. In addition, each of the conversion rule database 1401, the metamodel database 1402, and the writing rule database 1403 does not have to be realized by a single method. For example, a part of information to be held is a relational database. A part of the information to be stored and held may be realized by a combination of different methods, for example, incorporated in a computer program for realizing the invention.

  The storage unit 1400 supplies information necessary for the input unit 1100, the conversion processing unit 1200, and the output unit 1300 to perform respective processes. For example, the storage unit 1400 stores information on conversion rules, information on metamodels, and information on grammar of a model checker description language.

  As described above, the conversion rule database 1401 holds conversion rules together with metadata. The metadata is for selecting a conversion rule, and there may be a method having different information of the implementation-generalization conversion rule 1005, the abstraction conversion rule 1006, and the generalization-inspection conversion rule 1007. . The metadata of the implementation-generalization conversion rule 1005 can be, for example, the type of description language of the conversion source code. The metadata of the abstraction conversion rule 1006 includes, for example, a name that simply represents the abstraction in a straightforward manner, a brief description, an abstraction type such as “data abstraction”, “processing abstraction”, and a natural language ( For example, there are state number reduction effect by abstraction expressed in alphabet or numerical value, influence on properties by abstraction expressed in natural language (for example, alphabet or numerical value), and software domain to which abstraction can be applied The metadata of the generalization-inspection conversion rule 1007 may have a name indicating a model checker used for inspection, for example.

  Hereinafter, the details of the input unit 1100, the conversion processing unit 1200, the output unit 1300, the storage unit 1400, and the control unit 1500 will be described with reference to FIGS.

  First, an example of the source code conversion procedure in the present embodiment will be described with reference to FIGS. The source code conversion procedure in this embodiment includes a source code input step S101, a conversion rule input step S102, a conversion rule application step S103, and an inspection code output step S104. This source code conversion procedure is executed mainly by the control unit 1500.

  First, in the source code input step S101, the source code 0001 is read into the source code conversion apparatus 1000 by the source code input unit 1101 and converted into the source code information 1001.

  The source code input unit 1101 receives the source code 0001 to be inspected input from the user, and converts it into source code information 1001. The source code 0001 is described in, for example, a programming language C published in JIS X3010-1993. Specifically, the source code information 1001 is held, for example, in the form of an abstract syntax tree. The format of the source code information 1001 is not limited to an abstract syntax tree, and may be any format that holds information required for the inspection of the source code 0001 such as structure and logic.

  Subsequent to the source code input step S101, in the conversion rule input step S102, the conversion rule input unit 1102 reads the conversion rule set 0002, which is a plurality of conversion rules divided into fine granularities, into the source code conversion apparatus 1000. In this conversion rule input step S102, at least one of a correspondence relationship between the model element before conversion and the model element after conversion, and an operation applied to the element of the model before conversion by conversion is defined. The process of reading the conversion rule set 0002 into the source code conversion apparatus 1000 is not necessarily performed by a single operation by the user, and may be performed by a repetitive operation. Further, the source code input step S101 and the conversion rule input step S102 are not necessarily completed in this order, and the source code 0001 is input before the source code information 1001 is generated by the source code input unit 1101. In addition, the source code 0001 may be input before the conversion rule input unit 1102 requests the source code information 1001 for the conversion rule input process. Therefore, the process may proceed in the order in which the process of the source code input step S101 and the process of the conversion rule input step S102 are mixed. For example, the source code input unit 1101 receives the source code 0001, then the conversion rule input unit 1102 receives the conversion rule set 0002, and then the source code input unit 1101 transfers the source code 0001 to the source code information 1001. There can be a procedure to convert.

  The conversion rule input unit 1102 accepts a conversion rule set 0002 input from a user. As a method for receiving the conversion rule set 0002 from the user, for example, there may be the following method.

  As an example of the first conversion rule input method, the conversion rule input unit 1102 receives a conversion rule that is directly input by a user manually as part of the conversion rule set 0002.

  As an example of the second conversion rule input method, as shown in FIG. 5A, at least a part of the conversion rule set 0002 may be input by a conversion rule (description) 0010 described by the user. Also, the input unit 1100 acquires the conversion rule list 0015 from the storage unit 1400, presents the acquired conversion rule list 0015 to the user in the form of a list or the like, and the conversion rule is displayed from the presented list to the user. May select the conversion rule set 0002. That is, the user inputs (describes) the conversion rule search condition 0011 to the conversion rule input unit 1102 of the input unit 1100 before the input of the conversion rule, and then the conversion rule input unit 1102 Conversion rules that match the search conditions are acquired from the conversion rule database 1401 of the storage unit 1400 and presented to the user as a conversion rule list 0015. Subsequently, the user selects one or more conversion rules included in the presented conversion rule list 0015. The conversion rule input unit 1102 accepts one or more conversion rules selected by the user as a part of the conversion rule set 0002.

  As an example of the third conversion rule input method, first, the user inputs the conversion rule search condition 0011 to the conversion rule input unit 1102 before the conversion rule input, and then the conversion rule input unit. 1102 may acquire a conversion rule that matches the search condition from the conversion rule database 1401 and accept it as a part of the conversion rule set 0002.

  As an example of the fourth conversion rule input method, as shown in FIG. 5B, the conversion rule input unit 1102 extracts and generates the conversion rule search condition 0012 from the input source code 0001, and further, the search condition Is obtained from the conversion rule database 1401 and accepted as a part of the conversion rule set 0002.

  Examples of the conversion rule search condition factor in the second conversion rule input method example, the third conversion rule input method example, and the fourth conversion rule input method example are the conversion rule database described later. At 1401, there may be information stored as metadata for the conversion rule.

  As an example of the fifth conversion rule input method, the conversion rule input unit 1102 accepts a conversion rule by processing the conversion rule input by some method. As an example of the processing method, the conversion rule database 1401 holds the conversion rule in a state in which the variable name or the like in the source code 0001 is parameterized, for example, by a method by explicit input of the user, There may be a method of including the parameter embedded with the information of the source code 0001 in the conversion rule set 0002. In the fifth conversion rule input method example, the conversion rule input method for the processing source is the same as the case of using the input conversion rule without processing, such as the first conversion rule input method described above. There can be a method.

  The method by which the conversion rule input unit 1102 receives the conversion rule set 0002 is not limited to these conversion rule input methods, and any method that receives a set of conversion rules used by the conversion processing unit 1200 may be used. The conversion rule set 0002 may be received by one or more combinations of input methods.

  Following the conversion rule input step S102, in the conversion rule application step S103, the model construction unit 1201 converts the source code information 1001 into the mounting model 1205, and then the mounting-generalization model conversion unit 1202 generalizes the mounting model 1205. Next, the abstract model conversion unit 1203 abstracts the generalized model 1206 (S1032), and then the generalization-check model conversion unit 1204 converts the generalized model 1206 to the check model 1008. (S1033). The conversion rule input step S102 and the conversion rule application step S103 do not necessarily have to be completed in this order, and the implementation-generalization conversion rule 1005 is input before the processing of the implementation-generalization model conversion unit 1202. The abstraction conversion rule 1006 may be input before the process of the abstraction model conversion unit 1203, and the generalization-check conversion rule 1007 may be input before the process of the generalization-check model conversion unit.

  Subsequent to the conversion rule applying step S103, in the inspection code output step S104, the inspection code writing unit 1301 writes the inspection model 1008 as the inspection code 0005. The designation of the writing destination of the inspection code 0005 does not necessarily have to be after the conversion rule applying step S103, and may be any earlier than the writing of the inspection code 0005. For example, there may be a procedure in which the designation of the writing destination of the inspection code 0005 is performed in parallel with the source code input step S101.

  Next, the conversion procedure will be described in more detail with reference to FIGS. 7, 8A, and 8B. As shown in FIG. 7, in the present invention, the following processing is performed in order to perform conversion step by step using a model conversion technique.

(1) Source code 0001 is converted into (almost) equivalent “implementation model” 1205 (2) “implementation model” is expressed in program format such as structure and logic in a format independent of a specific programming language Conversion to “generalization model” 1206 In other words, using at least one of a plurality of different first conversion rules 1005-1 to 1005-n, the “implementation model” 1205 is an intermediate format that is a format independent of a specific programming language. Conversion into “generalization model” 1206. In the example of FIG. 7, as the first conversion rule, ““ if statement ”→ conditional branch”, ““ switch statement ”→ conditional branch”, ““ while statement ”→“ repeat ””, and ““ for statement ”→ At least four different conversion rules “Repeat” are selected.

(3) Conversion for abstraction is performed on the generalization model 1206. That is, using at least one of a plurality of different second conversion rules 1006-1 to 1006-n, the generalized model in the intermediate format Abstraction processing is performed on 1206. In the example of FIG. 7, at least two different conversion rules of “data reading → random input” and “data abstraction” are selected as the second conversion rule.

(4) The generalization model 1206 is converted into an “inspection model” 1008 to generate a code (output)
That is, by using at least one of a plurality of different third conversion rules 1007-1 to 1007-n, the generalized model 1206 in the intermediate format is converted into the inspection model 1008 having information necessary for generating the inspection code. In the example of FIG. 7, as the third conversion rule, there are at least two different conversion rules corresponding to the first conversion rule: ““ conditional branch ”→“ if ”sentence” and ““ repeat ”→“ do ”sentence”. Is selected.

  The implementation model 1205, the generalization model 1206, and the inspection model 1008 each have a data structure and semantics defined by a “meta model” that defines the syntax.

  As described above, when converting from the mounting model 1205 to the generalized model 1206, for example, when the grammar of the description language of the source code to be converted includes “for sentence” and “while sentence” as the notation of the iterative process, A person selects a rule for converting “for sentence” to “repetition” and a rule for converting “while sentence” to “repetition” as the first conversion rule using the conversion rule input method described above. When converting the abstraction of the generalization model 1206, the user determines the inspection level (degree of abstraction), and as a conversion rule for achieving the determined inspection level, for example, an instruction and a series of processing related to reading of external data Are selected as the second conversion rule 1006 by using the conversion rule input method described above, and the rule for converting a specific data type to a higher abstract type. Furthermore, when converting from the generalized model 1206 to the check model 1008, for example, when the grammar of the input language of the model checker has “do sentence” as a notation of repetition processing, the user sets “repetition” to “do sentence”. The rule to be converted to “” is selected as the third conversion rule 1007 using the conversion rule input method described above. As the conversion rules, those that can be used repeatedly, such as general-purpose rules that can be applied across a plurality of software, are stored in a database. The conversion rules stored in the database have domain information and information on inspection level (influence on inspection by abstraction) as meta information used as a judgment material for search and rule selection by the user.

  The conversion rule selection method includes the following.

(1) General-purpose rules: always selected (2) Rules dependent on a specific library: Selection by entering the library used and the domain (category) to be inspected (3) Rules corresponding to abstraction : Automatically generated from the list of conversion rules (obtained by inputting the property / inspection level to be inspected) selected by the user, input by the user himself / herself, or the property to be inspected.

  8A and 8B show examples of model abstraction. The model abstraction can reduce the number of states. However, abstraction can affect the properties of the model. For example, the detected defect (counterexample) does not exist in the original system, or a defect present in the original system cannot be found. On the other hand, a sound abstraction that does not affect properties tends to have a small effect on the number of states.

  According to the present embodiment, by possessing an interface for inputting a plurality of conversion rules divided into fine granularities, a change in the level of abstraction by a user can be easily realized by an operation for inputting the conversion rules. . That is, since the user can select a plurality of fine-grained conversion rules through the input interface, the level of abstraction shown in FIGS. 8A and 8B can be easily selected or changed by the user according to the situation. Become.

  The source code conversion method includes a procedure of converting a source code to be inspected into an inspection code described in an input language of a model checker using a plurality of conversion rules, and the conversion rule includes an implementation-generalization conversion rule and Are classified into abstract conversion rules and generalization-inspection conversion rules, and conversion is performed in stages. As a result, when following the design change of the source code to be inspected, only the conversion rule related to the change in the plurality of conversion rules needs to be changed, and the change is minimized. In addition, the implementation model, the generalization model, and the inspection model are each defined in the meta model, and by adding constraints, it is possible to verify that the conversion result by the conversion rule is not illegal. This prevents an increase in the conversion rule verification cost.

  In addition, by storing model conversion rules in a database and reusing the stored conversion rules, it is possible to cope with design changes of the inspection target source code and application to other software at a low cost.

(Second embodiment)
Next, a source conversion apparatus and a source code conversion method according to the second embodiment will be described with reference to FIGS. In this embodiment, there is a step of outputting the abstracted portion of the source code to be inspected by inversely converting the abstracted generalized model into the source code.

  FIG. 9 is a diagram illustrating a configuration example of a source code conversion system including a source code conversion apparatus according to the second embodiment. In FIG. 9, the same components as those of the source code conversion system shown in FIG. 3A of the first embodiment are denoted by the same reference numerals, and description thereof is omitted.

  A source code conversion apparatus 1000 according to the present exemplary embodiment includes an input unit 1100, a control unit 1500, an output unit 1300, a storage unit 1400, and a conversion processing unit 4100. The conversion processing unit 4100 is the same as the conversion processing unit 1200 in the first embodiment in that the source code 0001 to be inspected is converted into the inspection code 0005, but a series of steps for converting the source code 0001 into the inspection code 0005. This is different from the conversion processing unit 1200 of the first embodiment in that an abstracted source code 4101 that is a source code obtained by reversely converting a generalized model abstracted by processing into source code is output.

  FIG. 10 shows a configuration example of the source code conversion apparatus of the second embodiment. 10, the same components as those of the source code conversion apparatus shown in FIG. 3B of the first embodiment are denoted by the same reference numerals, and the description thereof is omitted.

  The input unit 1100 includes a source code input unit 1101 and a conversion rule input unit 1102 as in the first embodiment. The conversion processing unit 4100 includes a model construction unit 4201, an implementation-generalized model conversion unit 4202, an abstract model conversion unit 4203, a generalization-inspection model conversion unit 4204, a generalization-implementation model conversion unit 4205, and a code generation unit 4206. Is provided. The output unit 1300 includes an inspection code writing unit 1301 and an abstract source code output unit 4220. The storage unit 1400 includes an inverse conversion rule database 4210 in addition to the conversion rule database 1401, the metamodel database 1402, and the writing rule database 1403.

  Hereinafter, the conversion processing unit 4100 will be described in detail.

  The model construction unit 4201 receives the source code 0001 from the source code input unit 1101 and converts the received source code 0001 into an implementation model. Also, the model construction unit 4201 registers the conversion part in the reverse conversion rule database 4210 as a source code-implemented model conversion correspondence table.

  The mounting-generalization model conversion unit 4202 extracts the mounting-generalization conversion rule from the conversion rule database 1401 and extracts the meta / implementation model and the meta / generalization model from the metamodel database 4221. Then, the mounting-generalization model conversion unit 4202 converts the mounting model into a generalization model using the extracted mounting-generalization rules, meta / mounting model, and meta / generalization model. Also, the implementation-generalization model conversion unit 4202 registers the conversion location in the inverse conversion rule database 4210 as an implementation-generalization model conversion correspondence table.

  The abstract model conversion unit 4203 extracts an abstract conversion rule from the conversion rule database 1401 and extracts a meta / generalized model from the meta model database 1402. Then, the abstraction model conversion unit 4203 abstracts the generalization model using the extracted abstraction conversion rule and the meta / generalization model. The abstract model conversion unit 4203 registers the abstracted portion in the reverse conversion rule database 4210 as an abstract conversion correspondence table.

  The generalization-inspection model conversion unit 4204 extracts the generalization-inspection conversion rule from the conversion rule database 1401 and extracts the meta / generalization model and the meta / inspection model from the metamodel database 1402. The generalization-inspection model conversion unit 4204 then converts the generalization model into an inspection model using the extracted generalization-inspection conversion rule, meta / generalization model, and meta / inspection model.

  The generalization / implementation model conversion unit 4205 extracts the abstraction conversion correspondence table from the inverse conversion rule database 4210 when the abstraction model conversion unit 4203 ends the abstraction process. Then, the generalization-implementation model conversion unit 4205 converts the abstracted generalization model into a generalization model before being abstracted, using the extracted abstraction conversion correspondence table.

  Next, the generalization-implementation model conversion unit 4205 extracts the implementation-generalization conversion correspondence table from the inverse conversion rule database 4210. Then, the generalization-mounting model conversion unit 4205 converts the generalized model before being abstracted into a mounting model using the extracted mounting-generalization conversion correspondence display.

  When the generalization model before being abstracted by the generalization / implementation model conversion unit 4205 is converted into the implementation model, the code generation unit 4208 extracts a source code / implementation conversion correspondence table from the inverse conversion rule database 4210. Then, the code generation unit 4208 uses the extracted source code-mounting conversion correspondence table to convert the mounting model into the abstract source code 4101 and outputs the abstract source code 4101 to the abstract source code output unit 4220. .

  The abstract source code output unit 4220 outputs the abstract source code 4101 input from the code generation unit 4206 to the outside of the system. For example, the source code output unit 4210 stores the abstract source code 4101 in an external storage medium or displays the abstract source code 4101 on a display that is a display device.

  As a result, the user selects the conversion rule according to the target source code and the inspection level (abstraction level), thereby converting the inspection code into an inspectable inspection code, and the same level of abstraction as the inspection code. Abstraction source code can be output, and the problem of associating the test result of the model according to the abstraction level selected by the user with the software before abstraction is solved.

  Next, a specific example of this embodiment will be described with reference to FIG. First, the source code 0001 to be inspected in this specific example will be described. In the source code 0001 to be inspected, the values of a, b, and c are defined. Specifically, “0” is assigned to a, “0” is assigned to b if i is greater than 5, “1” is assigned to other cases, and the value of c is assigned to c. The incremented value is substituted.

  The source code 0001 is converted into a mounting model (not shown) by the model construction unit 4201, and the mounting model is converted into a generalized model by the mounting-generalized model conversion unit 4202. The implementation-generalization model conversion unit 4202 converts the “if” statement in the source code 0001 into a conditional branch when converting the implementation model into the generalization model.

  Then, the abstract model conversion unit 4203 abstracts the general model by fixing the branch destination of the conditional branch of the general model. Specifically, since the value assigned to b is fixed to “0”, the second, fourth, and fifth lines of the generalized model are deleted as shown in FIG.

  Next, the generalization-check model conversion unit 4204 converts the generalization model abstracted by the abstract model conversion unit 4203 into a check code 0005. As shown in FIG. 11, in the inspection code 0005, the value assigned to b by abstraction is fixed at “0”.

  The inspection code 0005 converted by the generalization-inspection model conversion unit 4204 is inspected by the model inspection tool 2000, and an inspection result 3000 is generated.

  When the abstract model conversion unit 4203 abstracts the general model, the generalization-implementation model conversion unit 4205 uses the reverse conversion rule database 4210 to reverse-convert the abstract general model into the implementation model. . Next, the code generation unit 4206 uses the inverse conversion rule database 4210 to convert the inversely converted implementation model into the abstract source code 4101.

  The abstract source code 4101 is output in a form that allows the user to grasp the location abstracted by the abstract model conversion unit 4203. The abstracted source code 4101 shown in FIG. 11 is output in a form in which a portion abstracted by the abstract model conversion unit 4203 is surrounded by a dotted line.

  In order for the abstracted part to be output in a form that can be grasped by the user, the generalized-implemented model is used as the part where the abstracted generalized model is converted to the generalized model before being abstracted. When the conversion unit 4205 notifies the code generation unit 4206 as an abstracted portion and the code generation unit 4206 converts the portion into the abstract source code 4101, the portion is output in a form that can be grasped by the user. There is a need.

  As described above, since the abstracted generalized model is converted into the abstracted source code 4101 in which the abstracted part is returned to the state before being abstracted, the user can check the check result and the abstracted source code. 4101 can be easily associated.

  Furthermore, since the abstracted portion does not correspond to the inspection result by allowing the user to grasp the abstracted portion and outputting the abstract source code 4101, the user can check the inspection result and the abstract source. It becomes easier to associate the code 4101 with each other.

(Third embodiment)
Next, a source conversion apparatus and a source code conversion method according to the third embodiment will be described with reference to FIGS. In this embodiment, there is a step of outputting the abstracted portion of the source code to be inspected and the abstraction conversion rule used for the abstraction.

  FIG. 12 shows a configuration example of the source code conversion apparatus of the third embodiment. In FIG. 12, the same components as those of the source code conversion apparatus shown in FIG. 10 of the second embodiment are denoted by the same reference numerals and description thereof is omitted.

  The conversion processing unit 4100 provided in the source code conversion device of the third embodiment is different from the conversion processing unit 4100 provided in the source code conversion device of the second embodiment in that a rule application information adding unit 4301 is provided. Also, the abstract model conversion unit 4203 of the third embodiment performs abstract conversion between the abstracted part and the identifier that can specify the abstract conversion rule used for the abstraction when the generalized model is abstracted. It is registered in the reverse conversion rule database 4210 as a correspondence table.

  When the generalized model is abstracted by the abstract model conversion unit 4203, the rule application information adding unit 4301 extracts the abstract conversion correspondence table from the reverse conversion rule database 4210. Then, the rule application information adding unit 4301 adds the identifier of the abstraction conversion rule used for abstraction registered in the extracted abstraction conversion correspondence table to the abstracted part of the generalization model, and The generalization model is passed to the generalization-implementation model conversion unit 4205.

  The generalization-implementation model conversion unit 4205, when converting an abstracted generalization model into an implementation model, uses an abstraction conversion rule used for abstraction at a location corresponding to the abstracted location in the implementation model. The identifier is added.

  When the code generation unit 4206 converts the part of the implementation model to which the abstract conversion rule identifier is added into the abstract source code 4101, the code generation unit 4206 describes the abstract conversion rule identifier as a comment of the source code of the part.

  A specific example of this embodiment will be described with reference to FIG.

  The specific example shown in FIG. 13 is different from the specific example of the second embodiment shown in FIG. 11 in the abstract source code 4101.

  In the abstract source code 4101 of this embodiment, an abstract conversion rule used for abstracting the part is described as a comment on the same line as the abstracted part. In the abstract source code 4101 shown in FIG. 13, the abstracted part and the part in which the abstraction conversion rule used for abstracting the part is described are surrounded by dotted lines, and the user is the abstracted part. To be able to grasp. That is, the abstract source code 4101 of the present embodiment is in a form that allows the user to grasp the relationship between the location abstracted by the abstract model conversion unit 4203 and the abstract conversion rules used for abstracting the location. Is output.

  In FIG. 13, all parts are abstracted using one abstraction conversion rule, but it goes without saying that the abstracted parts may be abstracted using different abstraction conversion rules. Yes.

  As described above, the abstract source code 4101 is output in a form that allows the user to grasp the relationship between the abstracted part and the abstract conversion rule used for abstracting the part. For this reason, as a result of the examination of the inspection result by the user, when it is necessary to change the abstraction conversion rule, it is easy to grasp which abstraction conversion rule should be changed.

  Further, on the display screen including the abstract source code 4101 of the third embodiment, from the user whether or not the abstract model conversion unit 4203 applies the abstract conversion rule used for the abstract described in the comment. An area where the selection operation can be accepted may be provided.

  When the source code conversion apparatus 1000 receives a selection to apply the abstract conversion rule via the display screen of the abstract source code 4101, the abstract model conversion unit 4203 abstracts the abstract conversion rule that has received the selection. Set to use for conversion. On the other hand, when the source code conversion apparatus 1000 receives a selection that the abstract conversion rule is not applied via the display screen of the abstract source code 4101, the source code conversion apparatus 1000 converts the abstract conversion rule that has received the selection into the abstract model conversion unit 4203. Set to not use for abstraction.

  As a result, the user can determine whether or not to use the abstract conversion rule for abstraction while grasping the relationship between the abstracted part and the abstract conversion rule used for abstracting the part and the inspection result. Decisions can be made easier.

(Fourth embodiment)
The source code conversion apparatus and conversion processing method according to the fourth embodiment of the present invention will be described with reference to FIG. In this embodiment, following the inspection code output step S104 shown in FIG. 33, the process proceeds to the conversion rule input step S102, whereby the input source code 0001 is repeatedly converted using a different conversion rule set 0002. Procedures may be taken. Further, in an embodiment, following the inspection code output step S104, the process proceeds to the conversion rule input step S102, and all or a part of the already input conversion rule set 0002 and newly input in the conversion rule input step S102. The conversion rule set 0002 may be combined and used as the conversion rule set 0002.

  According to this embodiment, the interface for inputting a plurality of conversion rules divided into fine granularities is owned, the input source code and the conversion rule set used for conversion are stored, and the source code is converted into the conversion rule. Since conversion can be performed by exchanging a part of the set, it is possible to reduce the trouble of repeatedly converting the same source code, such as when generating a plurality of inspection codes having different abstractions.

(Fifth embodiment)
The source code conversion apparatus and conversion processing method according to the fifth embodiment of the present invention will be described with reference to FIG. In the present embodiment, there is a step of verifying the mounting model generated in the process of obtaining the inspection code from the source code, the generalization model, and the inspection model based on the constraint condition.

  A procedure for verifying the validity of conversion will be described in detail with reference to FIG.

  When a specific conversion rule has a precondition for the target model at the time of conversion, the precondition of the specific conversion rule may not be satisfied by the application of another conversion rule in the model to be converted. As described above, if model conversion is performed according to the specific conversion rule when the precondition is not satisfied, the model of the conversion result may be in an invalid state. In addition, even when an error is included in the conversion rule, the conversion result model may be in an invalid state.

  In this embodiment, the step of inputting the source code 0001 of the software and the first conversion for converting the mounting model 1205 having the source code information 1001 into an intermediate format (generalization model 1206) that is a format independent of a specific programming language. A step of inputting a rule, a step of inputting a second conversion rule for performing an abstraction process on the intermediate format, and a step of inputting a third conversion rule for converting from the intermediate format to an inspection model 1008 having inspection code information Analyzing the software source code 0001 and converting it into an implementation model 1205; converting the software source code 0001 into the intermediate generalized model 1206 using the first conversion rule; Software expressed in the intermediate format using conversion rules (A) abstracting, using the third conversion rule, converting the intermediate format into the inspection model 1008, and using the inspection model 1008, generating the inspection code 0005 described in the input language of the verification tool And a sufficiency verification step of verifying the model at each stage based on the first constraint condition 0300, the second constraint condition 0301, and the third constraint condition 0302, respectively.

  The sufficiency verification based on the first constraint condition 0300, the second constraint condition 0301, and the third constraint condition 0302 of the model at each stage is performed by, for example, a meta model using MOF disclosed in Non-Patent Document 2. Or by describing constraints on the model defined by the meta model by OCL disclosed in Non-Patent Document 4.

  According to the present embodiment, by using the meta model and the constraint condition, it is possible to guarantee the validity of the conversion due to the collision between the conversion rules or the failure of the conversion rule. In this model conversion, a model in a format defined by the meta model is generated. In addition, a constraint condition can be added, and the validity of the generated model can be verified with the constraint conditions 0300-00302.

  Although the invention made by the present inventor has been specifically described based on the embodiments, the present invention is not limited to the above-described embodiments, and various modifications can be made without departing from the scope of the invention. Needless to say.

  The present invention can be applied to a source code conversion method for converting a software source code into an inspection code described in an input language of a verification tool.

DESCRIPTION OF SYMBOLS 1100 Input part 1101 Source code input part 1102 Conversion rule input part 1300 Output part 1301 Inspection code writing part 1400 Storage part 1401 Conversion rule database 1402 Metamodel database 1403 Writing rule database 4100 Conversion processing part 4201 Model construction part 4202 Implementation-generalization model Conversion unit 4203 Abstraction model conversion unit 4204 Generalization-check model conversion unit 4205 Generalization-implementation model conversion unit 4206 Code generation unit 4210 Inverse conversion rule database 4220 Abstraction source code output unit

Claims (6)

A source code conversion method executed by a source code conversion apparatus that converts a software source code into an inspection code written in an input language of a verification tool using a plurality of different conversion rules,
The conversion rule is:
A first conversion rule for converting the source code into software expressed in an intermediate format which is a format independent of a specific programming language;
A second conversion rule that abstracts the software expressed in the converted intermediate format;
A third conversion rule for converting the software expressed in the abstracted intermediate format into the inspection code,
The method
Inputting the source code;
Receiving an input of at least one first conversion rule;
Receiving an input of at least one second conversion rule;
Receiving an input of at least one third conversion rule;
Converting the source code into software expressed in the intermediate format using the input first conversion rule, and storing the converted portion in a first inverse conversion rule;
Using the input second conversion rule to abstract the software expressed in the converted intermediate format, and storing the abstracted portion in a second inverse conversion rule;
Converting the software expressed in the abstract intermediate format into the inspection code using the input third conversion rule;
Converting the software expressed in the abstracted intermediate form into software expressed in the intermediate form before the abstraction using the second reverse conversion rule;
Converting the software expressed in the intermediate format before being abstracted into an abstracted source code which is a source code using the first inverse transformation rule. . The source code conversion method according to claim 1,
When the software expressed in the converted intermediate format is abstracted, the abstracted portion and the second conversion rule used for the abstraction are stored in the second reverse conversion rule,
The method includes outputting the abstract source code;
In the step of outputting the abstracted source code, the relationship between the abstracted part and the second conversion rule used for abstracting the part is output using the second reverse conversion rule. Source code conversion method. The source code conversion method according to claim 2,
In the step of outputting the abstraction source code, a screen that includes the abstraction source code and that can accept a selection operation as to whether to apply the second conversion rule used for the abstraction is output,
The method
Receiving a selection as to whether to apply the second conversion rule used in the abstraction;
When receiving a selection to apply the second conversion rule used for the abstraction, setting the second conversion rule to be used for abstraction of the software expressed in the intermediate format;
When receiving a selection not to apply the second conversion rule used for the abstraction, setting the second conversion rule not to be used for abstraction of the software expressed in the intermediate format; A source code conversion method comprising: A source code conversion program for causing a source code conversion device including a processor and a storage area to execute processing for converting a software source code into an inspection code described in an input language of a verification tool using the plurality of different conversion rules Because
The conversion rule is:
A first conversion rule for converting the source code into software expressed in an intermediate format which is a format independent of a specific programming language;
A second conversion rule that abstracts the software expressed in the converted intermediate format;
A third conversion rule for converting the software expressed in the abstracted intermediate format into the inspection code,
The process is
Inputting the source code;
Receiving an input of at least one first conversion rule;
Receiving an input of at least one second conversion rule;
Receiving an input of at least one third conversion rule;
Converting the source code into software expressed in the intermediate format using the input first conversion rule, and storing the converted portion in a first inverse conversion rule;
Using the input second conversion rule to abstract the software expressed in the converted intermediate format, and storing the abstracted portion in a second inverse conversion rule;
Converting the software expressed in the abstract intermediate format into the inspection code using the input third conversion rule;
Converting the software expressed in the abstracted intermediate form into software expressed in the intermediate form before the abstraction using the second reverse conversion rule;
Converting the software expressed in the intermediate format before being abstracted into an abstracted source code which is a source code using the first inverse transformation rule. . A source code conversion program according to claim 4,
When the software expressed in the converted intermediate format is abstracted, the abstracted portion and the second conversion rule used for the abstraction are stored in the second reverse conversion rule,
The processing includes outputting the abstraction source code;
In the step of outputting the abstracted source code, the relationship between the abstracted part and the second conversion rule used for abstracting the part is output using the second reverse conversion rule. A source code conversion program. The source code conversion program according to claim 5,
In the step of outputting the abstraction source code, a screen that includes the abstraction source code and that can accept a selection operation as to whether to apply the second conversion rule used for the abstraction is output,
The process is
Receiving a selection as to whether to apply the second conversion rule used in the abstraction;
When receiving a selection to apply the second conversion rule used for the abstraction, setting the second conversion rule to be used for abstraction of the software expressed in the intermediate format;
When receiving a selection not to apply the second conversion rule used for the abstraction, setting the second conversion rule not to be used for abstraction of the software expressed in the intermediate format; A source code conversion program comprising:

Images