JP2014241051A - Information processing apparatus, information processing method, and information processing program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To perform precise integrity verification on a design content of software based on a processing flow, an effective range of local post-conditions, and the like for each action node in a flowchart or an activity chart.SOLUTION: An information processing apparatus includes: an input processing unit reading design information, the design information including a class chart describing a static structure and restrictions of each data and an activity chart describing a software processing flow for consecutively processing the data and execution contents; and a local post-condition generation unit reading default identifier information describing data types or constants for use in software designing, and generating identifier information including names, types, and static restrictions of constants or variables necessary to create format description and local post-condition information indicating local post-conditions that are a logical formula representing a result of executing the execution contents described in the activity chart and an effective range of the local post-conditions from the design information read by the input processing unit and the default identifier information.

Description

  The present invention relates to a technique for supporting format verification of design information.

  In the above technical field, Non-Patent Document 1 describes the software design contents as a set or first-order predicate logic expression using Event-B, which is one of the formal methods, and there is a consistency among the plurality of expressions. A technique for guaranteeing that the description of Event-B is free of defects by mathematically proving that with the support of a tool is disclosed. And in (II) Event-B: Structure and Laws-P7, "2.6 Consistency Proofs for an Event System: Feasibility and Invariance Preservation," in Non-Patent Document 1, an invariant is expressed by the expression labeled "INV". Conservation laws are described.

C. Metayer, J.-R. Abrial, L. Voisin, "RODIN Deliverable 3.2 Event-B Language," RODIN (Rigorous Open Development Environment for Complex Systems), Project IST-511599, 31st May 2005

  However, in software design, the data operated by the software is represented by an ER diagram (Entity Relationship Diagram) or UML (Unified Modeling Language) class diagram, and the flow of processing performed by the software is represented by a flowchart or UML activity diagram. Express. In the technology described in the above document, an Event-B context and Event-B machine are generated based on information generated from class diagrams and activity diagrams. Software design is performed for each action node in flowcharts and activity diagrams. It was not possible to verify the integrity of the contents.

  The objective of this invention is providing the technique which solves the above-mentioned subject.

In order to achieve the above object, an information processing apparatus according to the present invention provides:
An input processing means for reading design information consisting of a class diagram describing the static structure and constraints of data, an activity diagram describing the flow and execution contents of software processing data sequentially,
Names of constants or variables necessary for creating a format description from the design information and the default identifier information read by the input processing means by reading predetermined identifier information describing data types or constants used in software design Identifier information comprising a type and a static constraint, a local post condition that is a logical expression indicating a result of executing the execution content described in the activity diagram, and local post condition information indicating an effective range of the local post condition; , A local post-condition generation means for generating
Is provided.

In order to achieve the above object, an information processing method according to the present invention includes:
An input processing step for reading design information consisting of a class diagram that describes the static structure and constraints of data, an activity diagram that describes the flow and execution contents of software that sequentially processes data,
Names of constants or variables necessary for creating a format description from the design information and the default identifier information read in the input processing step by reading default identifier information describing data types or constants used in software design Identifier information comprising a type and a static constraint, a local post condition that is a logical expression indicating a result of executing the execution content described in the activity diagram, and local post condition information indicating an effective range of the local post condition; Generating a local post condition,
including.

In order to achieve the above object, an information processing program according to the present invention provides:
An input processing step for reading design information consisting of a class diagram that describes the static structure and constraints of data, an activity diagram that describes the flow and execution contents of software that sequentially processes data,
Names of constants or variables necessary for creating a format description from the design information and the default identifier information read in the input processing step by reading default identifier information describing data types or constants used in software design Identifier information comprising a type and a static constraint, a local post condition that is a logical expression indicating a result of executing the execution content described in the activity diagram, and local post condition information indicating an effective range of the local post condition; Generating a local post condition,
Is executed on the computer.

  According to the present invention, it is possible to perform precise consistency verification of software design contents for each action node in a flowchart or activity diagram.

It is a block diagram which shows the structure of the information processing apparatus which concerns on 1st Embodiment of this invention. It is a block diagram which shows the function structure of the information processing apparatus which concerns on 2nd Embodiment of this invention. It is a block diagram which shows the hardware constitutions of the information processing apparatus which concerns on 2nd Embodiment of this invention. It is a flowchart which shows the process sequence of the information processing apparatus which concerns on 2nd Embodiment of this invention. It is a figure which shows the structure of the class diagram and activity diagram as design information which concerns on 2nd Embodiment of this invention. It is a flowchart which shows the procedure of the identifier information generation process which concerns on 2nd Embodiment of this invention. It is a figure which shows the structure of the produced | generated identifier information which concerns on 2nd Embodiment of this invention. It is a figure which shows the structure of the default identifier information which concerns on 2nd Embodiment of this invention. It is a flowchart which shows the procedure of the local posterior condition information generation process which concerns on 2nd Embodiment of this invention. It is a figure which shows the node number allocation which concerns on 2nd Embodiment of this invention. It is a figure which shows the structure of the local postcondition information produced | generated based on the activity diagram which concerns on 2nd Embodiment of this invention. It is a figure which shows the structure of the condition addition rule which concerns on 2nd Embodiment of this invention. It is a figure which shows the structure of the local posterior condition information after the condition addition which concerns on 2nd Embodiment of this invention. It is a figure which shows the structure of the local postcondition information after the effective range setting which concerns on 2nd Embodiment of this invention. It is a block diagram which shows the function structure of the information processing apparatus which concerns on 3rd Embodiment of this invention. It is a block diagram which shows the hardware constitutions of the information processing apparatus which concerns on 3rd Embodiment of this invention. It is a flowchart which shows the process sequence of the information processing apparatus which concerns on 3rd Embodiment of this invention. It is a flowchart which shows the procedure of the format description production | generation process which concerns on 3rd Embodiment of this invention. It is a figure which shows description of Event-B context as a format description which concerns on 3rd Embodiment of this invention. It is a figure which shows the description of the extended Event-B context which concerns on 3rd Embodiment of this invention. It is a figure which shows the description of the Event-B machine as a format description without a node number and an effective range concerning 3rd Embodiment of this invention. It is a figure which shows the description of the Event-B machine after the node number addition which concerns on 3rd Embodiment of this invention. It is a figure which shows the description of the Event-B machine after the setting of the local postcondition with the effective range which concerns on 3rd Embodiment of this invention.

  Hereinafter, exemplary embodiments of the present invention will be described in detail with reference to the drawings. However, the constituent elements described in the following embodiments are merely examples, and are not intended to limit the technical scope of the present invention only to them. For example, Event-B is shown below as a formal description, but the information generated by the present invention is not limited to Event-B, and has the same effect for determining the consistency of software design based on other formal descriptions.

[First Embodiment]
An information processing apparatus 100 as a first embodiment of the present invention will be described with reference to FIG. The information processing apparatus 100 is an apparatus that supports design information format verification.

  As illustrated in FIG. 1, the information processing apparatus 100 includes an input processing unit 101 and a local posterior condition generation unit 102. The input processing unit 101 reads design information 111 including a class diagram describing a static structure and constraints of data, and an activity diagram describing a processing flow and execution contents of software that sequentially processes data. . The local post-condition generation unit 102 includes default identifier information 121 that describes data types or constants used in software design. Then, the local post-condition generation unit 102, from the design information 111 and the default identifier information 121 read by the input processing unit 101, an identifier including the name, type, and static constraint of a constant or variable necessary for creating a format description Information 122 is generated. Furthermore, the local postcondition generation unit 102 generates local postconditions that are logical expressions indicating the results of executing the execution contents described in the activity diagram and local postcondition information 123 indicating the valid range of the local postconditions.

  According to the present embodiment, it is possible to perform precise consistency verification of software design contents for each action node in the flowchart and activity diagram.

[Second Embodiment]
Next, an information processing apparatus according to the second embodiment of the present invention will be described. The information processing apparatus according to the present embodiment generates identifier information and a local posterior condition having an effective range, which are used for generating a format description, from a class diagram and an activity diagram.

  First, the background in the technical field according to the present embodiment will be briefly described.

"background"
In software development, it is necessary to verify that the design content is correct in order to ensure the quality of the software. Therefore, in software development, design information is often described in UML or verified by a formal method. Here, UML is a graphical graphical notation such as a class diagram representing a static structure and constraints of software and an activity diagram representing a flow of processing performed by software. The formal method is a method of verifying that there is no inconsistency in the description by expressing the target system in an accurate and unambiguous notation based on mathematical concepts such as sets and logic. That is, in designing software that performs sequential processing, data operated by the software is represented by an ER diagram or a UML class diagram, and a flow of processing performed by the software is represented by a flowchart or a UML activity diagram. In an activity diagram representing sequential processing, each step of the processing is expressed as an action node on the diagram. By drawing a directed line segment from the action node corresponding to the preceding step to the action node corresponding to the subsequent step, it is expressed that a plurality of processing steps are continuously performed. Each action node describes checking whether the data is in a correct state, setting a new value for the data, or both (see FIG. 4).

  Conventionally, humans have verified whether the design contents expressed in these diagrams are correct by review. The review is a visual confirmation, and if the human skill of the review is low, many of the defects will be missed. Therefore, for example, in Event-B, one of the formal methods, software design contents are described in sets and first-order predicate logic expressions, and with the support of the tool that there is a consistency between multiple expressions. Mathematical proof ensures that the Event-B description is flawless. In Event-B, data manipulation is represented as an event (hereinafter referred to as an Event-B event), with data as constants and variables, data-related constraints as invariant conditions. An event consists of a guard clause and an action clause, and all assignment expressions (hereinafter referred to as “event-B guards”) described in the action clause are true only when all logical expressions (hereinafter referred to as Event-B guards) described in the guard clause are true. Event-B action) is executed. One of the important consistency is the invariant conservation law, and for each pair of Event-B event and invariant, after executing the Event-B event from any state where the invariant holds. In the state, the invariant condition must be satisfied again (see Non-Patent Document 1).

  In order to verify that there is no inconsistency between the sequential process represented by the activity diagram and the data represented by the class diagram, using Event-B, each action node of the activity diagram, that is, each process of the sequential process It can be considered that a step is considered an Event-B event. However, this simple concept has the following two problems.

  The first problem is that in the activity diagram, the execution order is determined by following the action nodes along the directed line segment, but in Event-B, the execution order of Event-B events is generally not determined. In Event-B, when multiple Event-B guards are true for each Event-B event, which Event-B event is executed is not uniquely determined. Only one of the Event-B events for which the Event-B guard is true is chosen nondeterministically, and its Event-B action is executed without interruption from other Event-B events. As a result, it is not guaranteed that Event-B events will be executed according to the execution order of action nodes in the activity diagram.

  The second problem is that in the activity diagram, it is not clearly shown as to what condition will be satisfied as a result of executing each action node, but in Event-B, it is necessary to specify it as a logical expression. For example, there are three consecutive processing steps. In the first step, “0” is substituted for the variable x. In the second step, processing unrelated to the variable x is performed. In the third step, the variable x is set. Consider substituting “1”. In the activity diagram, substitution expressions for variable x are described in the first and third action nodes. By this description, the condition that “the value of the variable x is“ 0 ”” is satisfied from immediately after the first processing step to immediately before the first processing step, and immediately after the third processing step. It is interpreted that the condition that “the value of the variable x is“ 1 ”is satisfied. Event-B must explicitly describe these implicitly interpreted conditions. In other words, the execution result of the action node in the activity diagram is a prerequisite for executing the subsequent action node implicitly. Further, the execution result of the action node has a valid range so that the result of assigning the value to the variable at the preceding action node becomes invalid due to the assignment of another value to the same variable at the subsequent action node. However, if the description content of the action node is simply described as an Event-B event, the implicit execution result is not described, and its effective range is not described.

  In this embodiment, when a UML activity diagram and a class diagram indicating design contents of software for performing sequential processing are described in Event-B, an Event-B event is executed according to the control flow of the activity diagram. Provide identifier information and local post-condition information that enable the description of Event-B to verify that the sequential processing described in the activity diagram follows the data structure and restrictions described in the class diagram To do. Note that, as described at the beginning of the embodiment, the identifier information generated by the present embodiment and the local post-condition information having an effective range are also effectively applied to other formal methods.

<< Functional configuration of information processing device >>
FIG. 2A is a block diagram illustrating a functional configuration of the information processing apparatus 200 according to the present embodiment. Referring to FIG. 2A, the information processing apparatus 200 according to the present embodiment functionally includes an input processing unit 201 and a local The post-condition generation unit 202 and the output processing unit 203 are included.

  The input processing unit 201 reads design information including a class diagram and an activity diagram from a design information storage unit 270 that stores design information so as to be searchable (see FIG. 4).

  The local posterior condition generation unit 202 extracts an identifier from the design information read by the input processing unit 201, and uses it as identifier information together with the default identifier information read from the default identifier information storage unit 204. The identifier information includes an identifier, a basic type, a classification, and a static constraint. In the class diagram, the names of classes and attributes are identifiers. In an activity diagram, the name of a variable whose name does not appear in the class diagram is an identifier.

  In addition, the local post-condition generation unit 202 extracts a local post-condition that should be satisfied after the execution of each action node in the activity diagram from the activity diagram read by the input processing unit 201, and holds it as local post-condition information. The logical expression described in the action node is used as the local postcondition. For example, an assignment expression uses a local postcondition by replacing the assignment operator “: =” with an equality operator “=”. Further, if the extracted local postcondition matches the input condition of the condition addition rule read from the condition addition rule storage unit 205, the local postcondition generation unit 202 derives a new local postcondition from the additional condition rule, Add to post-condition information. Further, in the present embodiment, the local post-condition generation unit 202 examines the local post-condition information and identifies the effective range of each local post-condition.

  The output processing unit 203 writes the identifier information and the local post-condition information generated by the local post-condition generation unit 202 to the identifier information storage unit 280 and the local post-condition information storage unit 290 so that they can be searched in association with each other.

<< Hardware configuration of information processing equipment >>
FIG. 2B is a block diagram illustrating a hardware configuration of the information processing apparatus 200 according to the present embodiment.

  2B, the CPU 210 is a processor for arithmetic control, and the CPU 210 executes programs and modules stored in the storage 250 while using the RAM 240, whereby each functional configuration of the information processing apparatus 200 shown in FIG. The function of the part is realized. The ROM 220 stores fixed data and programs such as initial data and programs. The communication control unit 230 communicates with an external device via a network. Note that the number of CPUs 210 is not limited to one, and may be a plurality of CPUs or may include a GPU for image processing.

  The RAM 240 is a random access memory that the CPU 210 uses as a work area for temporary storage. In the RAM 240, an area for storing data necessary for realizing the present embodiment is secured. The class diagram data 241 is class diagram data representing the static structure and constraints of the software in the design information (see FIG. 4). The activity diagram data 242 is activity diagram data representing the flow of processing performed by the software in the design information (see FIG. 4). The activity diagram data (node number) 243 is data of an activity diagram to which a unique node number is assigned according to the present embodiment (see FIG. 9). The identifier information 244 is information generated by the present embodiment (see FIG. 6). The local post-condition information 245 is information generated by the present embodiment (see FIGS. 10, 12, and 13). The input / output data 246 indicates input / output data input / output via the input / output interface 260. Transmission / reception data 247 indicates transmission / reception data transmitted / received via the communication control unit 230.

  The storage 250 stores a database, various parameters, or the following data or programs necessary for realizing the present embodiment. The default identifier information storage unit 204 stores information indicating a predetermined identifier in the software to be processed (see FIG. 7). The condition addition rule storage unit 205 stores a rule for adding a local postcondition (see FIG. 11). The identifier information generation algorithm 251 is an algorithm used for generating identifier information in the present embodiment. The node number assignment algorithm 252 is an algorithm used for assigning a unique node number to an action node of the activity diagram in this embodiment. The local post-condition information generation algorithm 253 is an algorithm used to generate local post-condition information having an effective range in the present embodiment.

  The storage 250 stores the following programs. The information processing device control program 254 is a control program that controls the entire information processing device 200. The identifier information generation module 255 is a module that generates identifier information using the identifier information generation algorithm 251 in the information processing device control program 254. The local post-condition information generation module 256 assigns a unique node number to the action node according to the node number assignment algorithm 252 in the information processing apparatus control program 254. And it is a module which produces | generates the local postcondition information which has an effective range according to the local postcondition information generation algorithm 253. In the information processing apparatus control program 254, the generation information output processing module 257 outputs the generated identifier information to the identifier information storage unit 280, and generates the local post-condition information having the generated effective range as the local post-condition information storage unit 290. Is a module that outputs to

  The input / output interface 260 interfaces input / output data with input / output devices. The input / output interface 260 is connected to a display unit 261 and an operation unit 262 such as a keyboard, a touch panel, and a pointing device. In addition, a design information storage unit 270 that stores searchable class diagrams and activity diagrams as design information is connected. Further, an identifier information storage unit 280 that stores identifier information so as to be searchable and a local postcondition information storage unit 290 that stores local postcondition information having an effective range in association with the identifier information so as to be searchable are connected. Note that the storage units 27, 280, and 290 may be connected by the communication control unit 230 via a network.

  2B does not show programs and data related to general-purpose functions and other realizable functions of the information processing apparatus 200.

<< Processing procedure of information processing device >>
FIG. 3 is a flowchart illustrating a processing procedure of the information processing apparatus 200 according to the present embodiment. This flowchart is executed by the CPU 210 of FIG. 2B using the RAM 240, and implements the functional component of FIG. 2A.

  First, the information processing apparatus 200 reads design information including a class diagram and an activity diagram from the design information storage unit 270 (step S301). Next, the information processing apparatus 200 generates identifier information from the design information read in step S301 (step S303: see FIG. 5 for details). Next, the information processing apparatus 200 generates local posterior condition information having an effective range from the design information read in step S301 (step S305: see FIG. 8 for details). Then, the information processing apparatus 200 receives the identifier information generated in step S303 and the local posterior condition information having the valid range generated in step S305, respectively, as an identifier information storage unit 280 and a local posterior condition information storage unit 290. (Step S307).

  Hereinafter, the processing in steps S301 to S307 will be described in detail.

<< Reading design information: S301 >>
FIG. 4 is a diagram showing a configuration of a class diagram (401) and an activity diagram (402) as design information according to the present embodiment. Such design information is stored in the design information storage unit 270 and read into the information processing apparatus 200 of the present embodiment. When UML is used for designing software that performs sequential processing, the structure and restrictions of data handled by software can be expressed by a class diagram, and the processing performed by software can be expressed by an activity diagram. For data, the entire data is represented as one class diagram, each data is represented as a class in the class diagram, and data items are represented as member attributes of the corresponding class. Regarding processing, the entire processing is a single activity diagram, and a series of processing steps constituting the processing is an action node. Then, the relationship between the processing step executed first and the subsequent processing step is described as a directed line segment (control flow) between corresponding action nodes, and an action that should be checked or executed in the processing step. It will be described in the label of the node.

  The class diagram (401) includes class information. The class information includes a name and information on a plurality of member attributes. The member attribute information includes a name and a type. The member attributes include stereotypes (character strings surrounded by gimlet “<<” and “>>”), and constraints (for example, logical expressions surrounded by “{” and “}”). ) Can be constrained by comments.

  The activity diagram (402) includes a start node, one or more action nodes, an end node, and a control flow that is a directed line segment connecting these nodes. The activity diagram (402) shows the flow of processing performed by the software. The control flow is traced from the start node, the content of the action described in the action node is executed, and if the end node is reached, the entire series of processing is completed. Suppose it is over. In the action node, the processing content to be performed at the node is described. Here, if a logical expression (an expression that takes a true / false value) is described, the action node checks that the logical expression is true, and an assignment expression (an expression that sets a value in a variable) is described. Then, in the action node, the value is set to the variable according to the assignment expression.

(Class diagram and activity diagram used in this embodiment)
In the following specific description, it is assumed that the class diagram (401) and the activity diagram (402) in FIG. 4 have been read.

  The class diagram (401) in FIG. 4 represents the table “product” in the database. The table “product” has a column “product CD”. The type of the column “product CD” is “non-null character string”. Here, the type to which all character strings belong is “character string”, the character string whose length is “0” is “empty character string”, and all character strings except “empty character string” belong to it. The type is “non-empty string”. Further, the column “product CD” has a value for uniquely identifying a row of the table “product”. That is, for two rows arbitrarily selected from the table “product”, if the value of the column “product CD” in each row is the same, the two rows are the same row, and the value of the column “product CD” If they are different, the two rows are different.

  In the class diagram (401) of FIG. 4, the table “product” is the class “product”, and the column “product CD” is the member attribute “product CD”. The type of “product CD” is “non-null character string”. The stereotype “<< pk>” (primary key) attached to the front of “Product CD” must have a value set for its member attribute, and the class depends on the value of the member attribute. Indicates that an instance of is uniquely identified.

  The activity diagram (402) of FIG. 4 represents a sequential process of adding a new row “new product” having the value of the variable “new CD” as the value of the column “product CD” to the table “product” of the database. . In the sequential process of registering the row “new product” in the table “product”, first, the value of the variable “new CD” is not a null character string, and is still registered in the column “product CD” of the table “product”. Confirm that there is not. Next, it is confirmed that the row “new product” is not registered in the table “product”, the row “new product” is added to the table “product”, and the column “product CD” in the row “new product” is added. As the value, the value of the variable “new CD” is set.

  In the activity diagram (402) of FIG. 4, the start node represents starting sequential processing. In the activity diagram (402), the action node S401 that reaches the control flow once from the start node has two logical expressions, and confirms that these logical expressions are true. The logical expression “new CD ≠ empty character string” means that the value of the variable “new CD” is not “empty character string”, and the logical expression “new CD∈ / ran (product_product CD)” is the variable “new CD”. "Is not included in the set of values of the attribute" product CD "of the class" product ". Here, the attribute F of the class C is expressed as a function “C_F” from a set of C instances “C” to a set of values belonging to the type of F, and the set of F values of all instances of C is ran. It is expressed as (C_F). The function “C_F” is a set of value pairs belonging to the C instance and the type of F. The symbol “∈ /” and the similar display in the drawing indicate negation of ∈.

  In the activity diagram (402), the action node S402 that arrives by following the control flow once further has one logical expression and two assignment expressions, and after confirming that the logical expression is true, each assignment node S402 Execute the expression. The logical expression “new product ∈ / product” means that the variable “new product” is not included in the set of instances of the class “product”. The substitution expression “product: = product∪ {new product}” means that a set sum of a set of “product” instances and a set of “new products” is used as a new set of “product” instances. This indicates that the row “new product” has been added to the table “product” of the database. The substitution expression “product_product CD: = product_product CD∪ {new product | → new CD}” is a combination of “product” product and non-empty character string “product_product CD” and “new product”. ”And a set made up of a set of“ new CD ”means a new“ product_product CD ”. This indicates that the value of the variable “new CD” is set as the value of the column “product CD” in the row “new product” added to the table “product” of the database. The symbol “| →” and the similar display of the drawings represent the original correspondence.

  In the activity diagram (402), an end node that arrives by following the control flow once represents that the sequential processing ends.

  In the action nodes S401 and S402 in FIG. 4, “check” means that the following expression is a logical expression, and “do” means that the following expression is an assignment expression. “Check” and “do” are given for readability and can be omitted.

<< Identifier information generation processing: S303 >>
FIG. 5 is a flowchart showing a procedure of identifier information generation processing (S303) according to the present embodiment.

  The information processing apparatus 200 reads the default identifier information (see FIG. 7) from the default identifier information storage unit 204 (step S501). Then, the information processing apparatus 200 transcribes the read default identifier information into the identifier information 244 (step S503: see FIG. 6A). At this time, “true” is set in the default column.

  Next, the information processing apparatus 200 extracts an identifier from the class diagram (401) and registers it in the identifier information 244 (step S505: see FIG. 6B). Two identifiers are extracted for each class, and one identifier is extracted for each member attribute of the class.

  Next, the information processing apparatus 200 extracts variables that have not been registered in the identifier information 244 from the activity diagram (402) and registers them in the identifier information 244 (step S507: see FIG. 6C).

  Furthermore, in the activity diagram (402), the information processing apparatus 200 introduces a variable (hereinafter referred to as a prior variable) that holds the value of the variable before execution of substitution for variables appearing on both sides of the substitution expression, and identifier information Registered in H.244 (step S509: see FIG. 6D).

(Identifier information)
FIG. 6 is a diagram showing a configuration of the generated identifier information 244 according to the present embodiment. The identifier information 244 generated in step S303 is stored in the identifier information storage unit 280 so as to be searchable.

  The identifier information 244 (280) stores a basic type 602, a classification 603, a static constraint 604, and a definition 605 in association with the identifier 601. The identifier 601 includes all class names, method names, variable names, constant names, and the like included in the class diagram and activity diagram. The basic type 602 determines a value that can be described or assigned as the identifier 601. The classification 603 indicates whether the identifier 601 represents a set or an element. A static constraint 604 is an invariant condition of the identifier 601. The rule 605 indicates whether or not the identifier 601 is a default identifier (default identifier = true / non-default identifier = faise).

  And the identifier information produced | generated at each step of the said FIG. 5 is shown by the right end of FIG. Hereinafter, the generation of the identifier information in each step of FIG. 5 will be described in detail.

((A) generation of identifier information: S501, S503)
The information processing apparatus 200 reads the default identifier information from the default identifier information storage unit 204 (step S501), and transcribes the read default identifier information to the identifier information 244 ((a) of FIG. 6) (step S503). At this time, “true” is set in the default column.

(Default identifier information)
FIG. 7 is a diagram showing a configuration of default identification information in the default identifier information storage unit 204 according to the present embodiment.

  The default identifier information includes typical constants necessary for software design, basic types to which the constants belong (hereinafter referred to as basic types), classifications of sets or elements, and constraints that always hold between identifiers ( Hereinafter, static constraints) are included. Static constraints are conditions that should always hold without being affected by processing performed by software.

  According to the specific example of FIG. 4, the identifier “character string” has the basic type “character string” itself, is classified into a set, and has no static constraints. The identifier “empty character string” has a basic type of “character string”, is classified into elements, and has a static constraint “an empty character string is an element of a character string (empty character string ∈ character string)”. The identifier "Non-empty string" has the basic type "Character string" and is classified into a set. "Non-empty string is a set obtained by removing an empty string from a character string (non-empty string = character string \ {empty character string" }) ”(The symbol“ \ ”and the similar display in the drawing represent a difference set).

((B) generation of identifier information: S505)
The information processing apparatus 200 extracts the identifier from the class diagram (401) and registers it in the identifier information ((b) of FIG. 6) (step S505). Two identifiers are extracted for each class, and one identifier is extracted for each member attribute of the class.

  When the name of the class is “C”, “C type” is introduced as the first identifier. In the identifier information of “C type”, the basic type is “C type”, the classification is “set”, no static constraints, and the default is “false”. In the identifier information of the second identifier “C”, the basic type is “C type”, the classification is “set”, no static constraints, and the default column is “false”.

  When the member attribute name is “M”, “C_M” is introduced as an identifier. The identifier information of “C_M” is a semi-function from the basic type “C type” to the basic type of “M” type (C type +-> M type basic type), classification “set”, special If there is no constraint, a static constraint “half function from C to M type (C +-> M type)” is set, and the default column is “false”.

  According to the class diagram (401) in FIG. 4, the “product CD” member attribute of the “product” class has a unique “product” class object by “product CD” by the stereotype “<< pk>”. The restriction that it can be identified is given. Accordingly, the identifier “product_product CD” in FIG. 6 is a global injection function from “product” to “non-empty character string” which is the type of “product CD” (product_product CD∈product | → non-empty character). Column)).

((C) generation of identifier information: 507)
The information processing apparatus 200 extracts variables that are not yet registered in the identifier information from the activity diagram (402) and registers them in the identifier information ((c) in FIG. 6) (step S507).

  In the identifier information of the variable v, the basic type of v is a basic type of a constant or variable that is compared or assigned to v in a logical expression or assignment expression in which the variable first appears. Further, the classification of v is determined by the classification of constants and variables to be compared or substituted with v and the type of comparison operator or assignment operator in the above formula.

  In the activity diagram (402) of FIG. 4, the variable “product CD” is compared with “null character string” in the logical expression “product CD ≠ null character string”, and the basic type of “null string” is “string”. Therefore (see (a) of FIG. 8), the basic type of “product CD” is “character string”. Further, the classification of “empty character string” is “element”, and “product CD” is not the same as the element (≠) in the above formula, so the classification of “product CD” is “element”.

  The variable “new product” is compared with “product” in the logical expression “new product ∈ / product”, and the basic type of “product” is “product type” (see FIG. 8B). The basic type of “new product” is “product type”. The classification of “product” is “set”, and in the above formula, “new product” is not an element of the set (∈ /), so the classification of “new product” is also “element”.

((D) generation of identifier information: S509)
Further, the local post-condition generation unit 202 introduces a variable (hereinafter referred to as a pre-variable) that holds the value of the variable before execution of substitution for variables appearing on both sides of the substitution expression in the activity diagram (402). (Step S507).

  The pre-variable corresponding to the variable v has an identifier pre_v, a basic type v basic type, a classification v basic type, and if v has a static constraint, the corresponding pre-variable among the variables appearing there is An expression that replaces all of them with a prior variable is defined as a pre_v static variable.

  According to the activity diagram (402) in FIG. 4, “product” is placed on both sides of the substitution formula “product: = product∪ {new product}”, and the substitution formula “product_product CD: = product_product CD∪ {new product”. | → Product CD} ”appears on both sides, so the pre-variables“ pre_product ”and“ pre_product_product CD ”are introduced for each. Since the identifier “product_product CD” has a static constraint “product_product CD∈product | → non-empty character string”, the corresponding pre-variable “pre_product_product CD” is a static constraint “pre_product_product CD”. CD ∈ pre_product | → non-empty character string ”.

<< Local post-condition information generation processing: S305 >>
FIG. 8 is a flowchart showing a procedure of local post-condition information generation processing (S305) according to the present embodiment.

  The information processing apparatus 200 searches for a node by following the control flow from the start node of the activity diagram (402), and assigns a number (hereinafter, node number) to the node (step S801). Then, following the node number assignment, the information processing apparatus 200 generates local post-condition information 245A based on the action node formula (step S803: see FIG. 10).

  Next, the information processing apparatus 200 reads the condition addition rule (see FIG. 11) from the condition addition rule storage unit 205. Then, the information processing apparatus 200 adds a corresponding additional condition and adds the local post-condition information 245B if each local post-condition in the above-described local post-condition information 245A (FIG. 10) matches the matching condition in the additional rule storage unit. Is generated (see FIG. 12). At this time, the start number field and the branch number field are set to the same value as the matched local posterior condition, and the classification field is set to “add”.

  Then, the information processing apparatus 200 checks the post-addition local post-condition information 245B (FIG. 12), identifies the effective range of the local post-condition, and obtains the local post-condition information 245C with the end number added (step S807: (See FIG. 13). The local postcondition information 245C with the end number added is stored in the local postcondition information storage 290.

  Hereinafter, the generation of the local postcondition information in each step of FIG. 8 will be described in detail.

(Node number assignment: S801)
FIG. 9 is a diagram showing node number assignment according to the present embodiment. The information processing apparatus 200 searches for a node by following the control flow from the start node in the activity diagram (402), and assigns a node number (step S801).

Node number assignment follows the following algorithm.
(1) The node number of the start node is set to “0”.
(2) The node number of the node that arrives by following the control flow once from the preceding node is a value obtained by adding “1” to the node number of the preceding node.
(3) When a node to which a node number has already been assigned is reached, the node has appeared on the route from the start node to the node to which the node number was assigned immediately before, or has not appeared on the route but is newly If the assigned node number is larger than the node number to be assigned to, the search is stopped. Then, following the control flow in the reverse direction, if a control flow that has not been traced is found, a search for assigning a node number along the control flow is performed.
(4) The node number of the reached node (reached node) has already been assigned, the node does not appear on the above-mentioned route, and the assigned node number is smaller than the value to be newly assigned. For example, the node number is overwritten with a new value. Then, the difference between the new value and the assigned node number is added to the node numbers of all subsequent nodes of the reaching node. Furthermore, the control flow is traced backward from the reaching node, and if a control flow that has not been traced is found, a search for assigning a node number along the control flow is performed.
(5) When node numbers are assigned to all nodes, the search of the activity diagram (402) is completed.

  FIG. 9 shows an activity diagram (902) in which node numbers are assigned to the activity diagram (402) according to the above algorithm.

(Local post-condition information generation based on activity diagram: S803)
FIG. 10 is a diagram showing a configuration of local post-condition information 245A generated based on the activity diagram according to the present embodiment. The local post-condition information 245A is temporarily stored in the local post-condition information 245 in the RAM 240.

  In the local post-condition information 245A, each local post-condition 1005 includes a start number 1001 that is a node number that is the start of an effective range, a branch number 1002 that indicates whether it is a logical expression or an assignment expression, and a node number that is the end of the effective range. And an end number 1003 and a category 1004 such as valid / invalid / new.

  If the action node expression is a logical expression, the logical expression is used as a local postcondition.

  If the action node expression is an assignment expression and the same variable does not appear on both sides of the assignment expression, the logical expression obtained by replacing the assignment operator of the assignment expression with an equality operator, etc. is used as the local postcondition. . For example, the assignment operator “: =” that assigns the value on the right side to the left side is the equality operator “=”, and the assignment operator “: ∈” that assigns an element arbitrarily selected from the set on the right side to the left side is Replace with the operator “∈” which means that the element belongs to the set on the right side.

  Further, when the action node expression is an assignment expression and the same variable appears on both sides of the assignment expression, the equality between the pre-variable corresponding to the variable and the variable is set as the first local postcondition. For the assignment expression in which all the variables with corresponding pre-variables appearing on the right-hand side are replaced with pre-variables, the logical expression obtained by substituting the assignment operator of the assignment expression with an equality operator, etc. Post-conditions.

  The node number of the action node is set in the start number column of the local post-condition information, and “0” is set in the branch number column if the action node expression is a logical expression, and “1” if it is an assignment expression. Set. In addition, “Addition” is set in the case of the equation of the pre-variable and the variable in the classification column, “Valid” is set in other cases, and the local postcondition generated above is set in the local postcondition column. Set.

  For example, in the activity diagram (902) of FIG. 9, the logical expression “new CD ≠ empty character string” in the action node S401 with the node number 1 becomes the local postcondition as it is, and in the local postcondition information 245A of FIG. It is registered as the third line.

  Since “product” appears on both sides of the substitution expression “product: = product∪ {new product}” in the action node S402 of node number 2, first, the equation “pre_product = product” with the prior variable is locally The post-condition is registered in the local post-condition information (line 4 in FIG. 10). Subsequently, an assignment expression “product: = pre_product∪ {new product}” is obtained by replacing the variable on the right side with a prior variable from the original assignment expression. Furthermore, the logical expression “product = pre_product∪ {new product}” obtained by replacing the assignment operator “: =” with the equality operator “=” is registered in the local post-condition information as a local post-condition (see FIG. 10 line 5).

(Addition of local post-conditions: S805)
The information processing apparatus 200 reads the condition addition rule (FIG. 11) from the condition addition rule storage unit 205, and responds if each local postcondition in the local postcondition information 245A in FIG. 10 matches the matching condition of the additional rule storage unit. The local post-condition information 245B (FIG. 12) to which the additional condition is added is generated. At this time, the start number field and the branch number field are set to the same value as the matched local posterior condition, and the classification field is set to “add”.

(Condition addition rule)
FIG. 11 is a diagram showing a configuration of a condition addition rule according to this embodiment. The condition addition rule is stored in the condition addition rule storage unit 205.

  The condition addition rule stores a matching condition 1102 indicating whether or not to add in association with the parameter 1101, and an additional condition 1103 to be added when matching is performed.

(Local post-condition information after adding conditions)
FIG. 12 is a diagram showing a configuration of local post-condition information 245B after the addition of conditions according to the present embodiment.

  According to the local post condition information 245A in FIG. 10, the local post condition “new CD ≠ null character string” on the first line in FIG. 10 is the collation condition “e ≠ null string” on the condition addition rule on the first line in FIG. For, the parameter “e” matches the formula considered as “new CD”. Therefore, the local posterior is obtained using the expression “new CD∈ non-empty character string” obtained by replacing the parameter “e” of the additional condition “e∈ non-empty character string” corresponding to the matching condition with “new CD” as a new local posterior condition. It adds to condition information (2nd line of FIG. 12). In the local post-condition information 245B (FIG. 12) obtained in this way, the local post-condition 1210 is included in the second, seventh, tenth, and eleventh lines surrounded by a broken line in the “addition” column. Have been added.

(Effective range generation: S807)
The information processing apparatus 200 checks the local post-condition information 245B (FIG. 12), identifies the effective range of the local post-condition, and obtains the local post-condition information 245C (FIG. 13) with the end number added (step S807).

  The effective range of the local postcondition is indicated by the start number and end number of the local postcondition information. The local post-condition is satisfied immediately after execution of the action node having the start number as the node number and immediately before execution of the action node having the end number as the node number. When there is no end number, the local posterior condition is satisfied immediately after the execution of the action node having the start number as the node number until the end of the entire sequential processing. For each row of the local post-condition information 245B, the information processing apparatus 200 checks the local post-condition of the row having the same start number and the same branch number as that row and the branch number larger than that row, and the variable of the row If the first line in which is found is found, the process repeats setting the start number of the line to the end number of the line. Furthermore, if there is a line having the same end number as the start number in each line of the local post-condition information, the information processing apparatus 200 sets “invalid” in the section field of that line.

(Local post-condition information after setting effective range)
FIG. 13 is a diagram showing a configuration of the local posterior condition information 245C after setting the effective range according to the present embodiment.

  According to the local post-condition information 245B in FIG. 12, the start number of the local post-condition “new product ε / product” on the fourth line in FIG. 12 is “2”, and the branch number is “0”. Therefore, examine the line with the start number “2” and the branch number greater than “0” (from the fifth line to the end in FIG. 12) and the line with the start number greater than “2” (none in FIG. 12). The start number “2” on the seventh line where the variable “new product” appearing in the local post-condition on the fourth line first appears is set as the end number on the fourth line. As a result, the fourth line has the same start number and end number “2”, and therefore, “invalid” is set in the classification column (fourth line in FIG. 13). In the local post-condition information 245C (FIG. 13) obtained in this way, “2” indicating the end of the effective range is set in the end number column from the first line to the fourth line (1310). “Invalid” is set in the category column.

  According to the present embodiment, a unique node number is assigned to each action node in the flowchart and the activity diagram. Therefore, the software design details based on the processing flow, the effective range of the local postconditions, etc. are detailed for each action node. Consistency verification can be performed.

  For example, according to the present embodiment, it can be ensured that Event-B events are executed according to the execution order of action nodes in the activity diagram. The reason is that node numbers are assigned to the nodes in the activity diagram, and the start node is set to “0” in the order along the directed line segment in the activity diagram, and serial numbers are allocated to subsequent unassigned nodes. This is because, in the action node subsequent to the action node of number X, the condition that “the node number executed immediately before is X” can be specified as its precondition.

  Further, according to the present embodiment, the execution result of each action node in the activity diagram can be specified as an invariant condition of Event-B. At that time, the effective range of local postconditions can be specified. The reason is that if it is described that the condition (logical expression) in the action node of the activity diagram should be checked, if that condition is used as a local postcondition and it is described that a value is assigned to the data This is because a logical expression obtained by replacing an assignment operator in an assignment expression with an equality operator is used as a local postcondition. Further, if the entire local posterior condition is examined and there is a local posterior condition at a node X and a subsequent node Y for a certain variable, the local posterior condition at the node X is from immediately after X to immediately before Y. Therefore, it is specified that the local posterior condition at the node Y is immediately after Y (until the end of the sequential processing), and indicates the start and end of the effective range using the node number.

[Third Embodiment]
Next, an information processing apparatus according to the third embodiment of the present invention will be described. The information processing apparatus according to the present embodiment is different from the second embodiment in that a format description of software processing is generated based on the generated identifier information and local posterior condition information having a valid range. Since other configurations and operations are the same as those of the second embodiment, the same configurations and operations are denoted by the same reference numerals, and detailed description thereof is omitted.

  In this embodiment, the identifier information generated in Event-B, which is one of the formal methods, and the local post-condition information having an effective range are applied. However, the formal method is not limited to Event-B. In Event-B, data handled by the target system is declared as constants and variables in Event-B, and data structure and data constraints are described as invariants that are logical expressions based on sets and first-order predicate logic. In addition, an Event-B event consisting of an Event-B guard that expresses the process to be executed by the target system as a logical expression and an Event-B action that expresses that the process should be executed as an assignment expression. Describe as

<< Functional configuration of information processing device >>
FIG. 14A is a block diagram illustrating a functional configuration of the information processing apparatus 1400 according to the present embodiment. In FIG. 14A, the same functional components as those in FIG. 2A are denoted by the same reference numerals, and description thereof is omitted.

  The information processing apparatus 1400 in FIG. 14A includes the same input processing unit 201 as in FIG. 2A. The local postcondition generation unit 1402 stores the generated identifier information and local postcondition information in the identifier information storage unit 1408 and the local postcondition information storage unit 1409 inside the information processing apparatus 1400 as they are. The information processing apparatus 1400 in FIG. 14A generates a format description by using the design information read by the input processing unit 201, the identifier information generated by the local postcondition generation unit 1402, and the local postconditions. Have The information processing apparatus 1400 also includes a format description output processing unit 1407 that outputs the format description generated by the format description generation unit 1406 to the format description storage unit 1490.

<< Hardware configuration of information processing equipment >>
FIG. 14B is a block diagram illustrating a hardware configuration of the information processing apparatus 1400 according to the present embodiment. In FIG. 14B, the same components as those in FIG. 2B are denoted by the same reference numerals, and description thereof is omitted.

  The information processing apparatus 1400 stores the generated Event-B context 1448 and the generated Event-B machine 1449 in the RAM 1440.

  In addition, the information processing apparatus 1400 includes an identifier information storage unit 1408 and a local post-condition information storage unit 1409 in the storage 1450. In addition, the storage 1450 stores a format description generation algorithm 1451 used for generating a format description. The information processing device control program 1454 for controlling the information processing device 1400 includes the following modules. One is to create a format description (Event-B in this example) from the identifier information in the identifier information storage unit 1408 and the local postcondition information having the effective range of the local postcondition information storage unit 1409 according to the format description generation algorithm 1451. A format description generation module 1457 is generated. The other is the format description output processing module 1458 that stores the generated format description in the format description storage unit 1490.

  The input / output interface 1460 is connected to a format description storage unit 1490 that stores the generated format description.

  Note that the RAM 1440 and the storage 1450 in FIG. 14B do not show programs and data related to general-purpose functions and other realizable functions of the information processing apparatus 1400.

<< Processing procedure of information processing device >>
FIG. 15 is a flowchart illustrating a processing procedure of the information processing apparatus 1400 according to the present embodiment. This flowchart is executed by the CPU 210 in FIG. 14B using the RAM 1440, and implements the functional configuration unit in FIG. 14A.

  The process from reading design information (step S301) to generating local post-condition information (step S305) is the same as that shown in FIG. The subsequent generation of the format description (step S1507) and writing of the format description (step S1509) are the operations added in FIG. Since step S1509 is simply a process of writing the generated data, description thereof will be omitted, and the operation of step S1507 will be described in detail using the flowchart of FIG.

  The formal description refers to information that expresses software specifications and design contents using a formal method notation. Here, Event-B will be described as a specific formal method, and the formal description based on Event-B notation will be referred to as an Event-B description. The Event-B description consists of a context that consists of a basic set and a set of constants, and a machine that consists of a set of events that update variables, variable constraints, and variable values. A context can extend other contexts. The machine refers to the context. If the referenced context is an extension of another context, the machine will also reference the original context. Here, a basic type such as a character string or a constant is described in the context C0. In addition, the basic type and constant obtained from the class diagram (401) are described in the context C that is an extension of the context C0. Then, the variable obtained from the class diagram (401) and the processing contents of the action node obtained from the activity diagram (402) are described in the machine M that refers to the context C.

<< Form description generation process >>
FIG. 16 is a flowchart showing the procedure of format description generation processing (S1507) according to this embodiment.

  First, the information processing apparatus 1400 examines the identifier information, extracts an identifier that should be a constant in Event-B, and generates an Event-B description (Event-B context) (step S1601).

  Next, the information processing apparatus 1400 generates an Event-B description (Event-B machine) by examining identifier information and extracting an identifier that should be a variable in Event-B following generation of a description related to a constant. (Step S1603).

  Next, following the generation of the description about the variable, the information processing apparatus 1400 examines the activity diagram, extracts events in Event-B, and adds the events to the Event-B machine generated in step S1603 (step S1605).

  Then, after generating the description about the event, the information processing apparatus 1400 examines the local post-condition information, extracts the invariant condition in Event-B, and further adds the invariant condition to the Event-B machine added in step S1605. An additional entry is made (step S1607).

  Hereinafter, the process of each step of FIG. 16 will be described in detail.

(Generation of description about constant: S1601)
First, the information processing apparatus 1400 examines the identifier information, extracts an identifier that should be a constant in Event-B, and generates an Event-B description (context) (step S1601).

  In step S1601, the context C0 is first generated, and then the context C is generated. The information processing apparatus 1400 describes a line in which the default column is “true” in the identifier information in the context C0. If the values in the identifier field and the basic type field are the same, the information processing device 1400 describes the identifier in the sets section of the context C0. The information processing apparatus 1400 describes the identifier in the constants clause of the context C0 if the identifier column and the basic type column have different values. For the identifier described in the constants clause, the information processing apparatus 1400 describes the logical expression “identifier⊆basic type” that the identifier is a subset of the basic type if the classification field is “set”. Also, the information processing apparatus 1400 describes the logical expression “identifier ∈ basic type” in the axiom clause that the identifier is a basic type element if the classification field is “element”. If there is a description in the static constraint column, the information processing apparatus 1400 also describes it in the axiom section.

(Event-B context)
FIG. 17 is a diagram showing a description of the Event-B context C0 (1448A) as a format description according to the present embodiment. The Event-B context 1448A is stored in the format description storage unit 1490 so as to be searchable in association with the Event-B context 1448B and the Event-B machine 1449C. FIG. 17 shows a context C0 generated based on the first to third lines in which the default column is “true” in the identifier information of FIG.

  Further, the information processing apparatus 1400 describes, in the context C, a line in which the default column in the identifier information is “false” and the identifier column and the basic type column have the same value. An identifier is described in the sets clause of context C.

(Extended Event-B context)
FIG. 18 is a diagram showing a description of the extended Event-B context C (1448B) according to the present embodiment. The Event-B context 1448B is stored in the format description storage unit 1490 so as to be searchable in association with the Event-B context 1448A and the Event-B machine 1449C. FIG. 18 shows a context C generated based on the fourth line in which the default column in the identifier information of FIG. 6 is “false” and the values of the identifier column and the basic type column are both “product type”. The description “extends C0” on the first line of the context C indicates that the context C extends the context C0.

(Generation of variable description: S1603)
Following the generation of the description regarding the constant, the information processing apparatus 1400 examines the identifier information, extracts the identifier to be a variable in Event-B, and generates the Event-B description (machine) (step S1603).

  The information processing apparatus 1400 describes, in the machine M, a line in which the default column is “false” in the identifier information and the identifier column and the basic type column have different values. An identifier is described in the variables section of M. The information processing apparatus 1400 uses the logical expression that the identifier is a subset of the basic type if the invariants clause following the variables clause has no description in the static constraint column of the identifier information and the classification column is “set”. Describe "identifier ⊆ basic type". Further, the information processing apparatus 1400 sets the logical expression “identifier ∈ basic type” that the identifier is an element of the basic type if there is no description in the static constraint column of the identifier information and the classification column is “element”. Describe in. On the other hand, if there is a description in the static constraint column, describe it. In the initialization event of the events clause following the invariants clause, the information processing apparatus 1400 has an assignment expression “identifier: = Φ” (when the identifier information classification field is “set” and the initial value of the identifier is an empty set (identifier: = Φ) ( The symbol Φ and similar representations of the drawings represent empty sets). On the other hand, if the classification field is “element”, the information processing apparatus 1400 describes an assignment expression “identifier: ∈ basic type” in which the initial value of the identifier is an element arbitrarily selected from the basic type.

(Event-B machine without node number and valid range)
FIG. 19 is a diagram showing a description of the Event-B machine 1449A as a format description without a node number and valid range according to the present embodiment. The Event-B machine 1449A is temporarily stored in the Event-B machine 1449 of the RAM 1440. Note that the blank line numbers in FIG. 19 are descriptions that have not yet been generated in step S1603, and the effective range of the local precondition of the preceding node by the node number assignment or the local postcondition as in this embodiment. If there is no setting, only the format description of FIG. 19 is generated.

(Generation of event description: S1605)
Following the generation of the description about the variable, the information processing apparatus 1400 examines the activity diagram, extracts the event in Event-B, and adds it to the Event-B machine generated in step S1603 (step S1605).

(Event-B machine after adding node number)
FIG. 20 is a diagram showing a description of the Event-B machine 1449B after adding the node number according to the present embodiment. The Event-B machine 1449B is temporarily stored in the Event-B machine 1449 of the RAM 1440. Note that the blank line number in FIG. 20 is a description area of local post-condition information having an effective range generated in step S1607 described later.

  First, the information processing apparatus 1400 introduces a variable sc (step counter) that holds the node number of the node executed immediately before, and adds sc2001 to the variables section of the machine. Further, the information processing apparatus 1400 adds a logical expression “scεINT” 2002 indicating that sc is an integer in the invariants clause. Then, the information processing apparatus 1400 adds an assignment expression “sc: = 0” 2003 indicating that the initial value of sc is “0” to the initialization event.

  Next, the information processing apparatus 1400 adds an Event-B event “step node number” 2011 to each node that arrives through the control flow starting from the start node. In addition, the information processing apparatus 1400 includes “sc = node number of the node executed immediately before the relevant node” as an event-B guard (Guard) of the Event-B event “step node number” as the local precondition addition processing. 2012 is described. Further, the information processing apparatus 1400 describes “sc: = node number of the node” 2013 in the Event-B action. The description of these Event-B guards and Event-B actions ensures that each Event-B event is executed according to the control flow in the activity diagram.

  Further, the information processing apparatus 1400 adds the logical expression described in the node to the Event-B guard of the Event-B event corresponding to the node, and adds the substitution expression described in the node to the Event-B action. To do. When the same variable appears on both sides of the assignment expression, the information processing apparatus 1400 adds the assignment expression “pre_variable: = variable” to the Event-B action.

  Note that the variable sc is not introduced into the event-b machine in the format description of FIG. 20 if there is no local precondition of the preceding node by node number assignment or effective range setting of the local postcondition as in this embodiment. As a result, in the Event-B event, the “step node number” 2011 and the “sc = node number of the node executed immediately before the relevant node” 2012 of the Event-B guard are both “sc: = "Node number of the node" 2013 is also not described.

(Generation of description about local posterior condition: S1607)
Following the generation of the description about the event, the information processing apparatus 1400 examines the local post-condition information, extracts the invariant condition in Event-B, and appends the invariant condition to the Event-B machine added in step S1605 ( Step S1607).

  If there is no description in the end number for the line whose classification field is “valid” in the local post-condition information, the information processing apparatus 1400 changes the logical expression “start number ≦ sc ⇒ (local post-condition)” to Event-B. Add to the invariant section of the machine. In addition, if there is a description in the end number, the information processing apparatus 1400 adds the logical expression “start number ≦ sc ∧ sc <end number ⇒ (local posterior condition)” to the invariant clause of the Event-B machine. Here, ⇒ represents a logical implication (if it is ~), and ∧ represents a logical product. Note that, in the above example, the line with the classification field “valid” is described as the local post-condition, but a line with the other classification field “addition” in FIG. 12 can be substituted.

(Event-B machine after setting local post-conditions with effective range)
FIG. 21 is a diagram showing a description of the Event-B machine 1449C after setting a local post-condition having an effective range according to the present embodiment. The Event-B machine 1449C is stored in the format description storage unit 1490 so as to be searchable in association with the Event-B context 1448A and the Event-B context 1448B. FIG. 21 shows a machine M generated based on the activity diagram (402) in FIG. 4 and the local post-condition information 245C in FIG. The description “sees C” on the first line of M indicates that M refers to context C.

  According to the present embodiment, Event-B events can be executed in the generated format description according to the execution order of action nodes in the activity diagram. In addition, in the generated format description, the execution result of each action node in the activity diagram can be an invariant condition of Event-B.

[Other Embodiments]
While the invention has been described with reference to the embodiments, the invention is not limited to the above embodiments. Various changes that can be understood by those skilled in the art can be made to the configuration and details of the invention within the scope of the present invention. In addition, a system or an apparatus in which different features included in each embodiment are combined in any way is also included in the scope of the present invention.

  In addition, the present invention may be applied to a system composed of a plurality of devices, or may be applied to a single device. Furthermore, the present invention can also be applied to a case where an information processing program that implements the functions of the embodiments is supplied directly or remotely to a system or apparatus. Therefore, in order to realize the functions of the present invention on a computer, a program installed in the computer, a medium storing the program, and a WWW (World Wide Web) server that downloads the program are also included in the scope of the present invention. . In particular, at least a non-transitory computer readable medium storing a program for causing a computer to execute the processing steps included in the above-described embodiments is included in the scope of the present invention.

[Other expressions of embodiment]
A part or all of the above-described embodiment can be described as in the following supplementary notes, but is not limited thereto.
(Appendix 1)
An input processing means for reading design information consisting of a class diagram describing the static structure and constraints of data, an activity diagram describing the flow and execution contents of software processing data sequentially,
Names of constants or variables necessary for creating a format description from the design information and the default identifier information read by the input processing means by reading predetermined identifier information describing data types or constants used in software design Identifier information comprising a type and a static constraint, a local post condition that is a logical expression indicating a result of executing the execution content described in the activity diagram, and local post condition information indicating an effective range of the local post condition; , A local post-condition generation means for generating
An information processing apparatus comprising:
(Appendix 2)
The local posterior condition generating means is
Node number assigning means for assigning a unique node number to each node included in the activity diagram according to the processing flow of the software;
Based on the execution contents of each node included in the activity diagram and the node number, effective range generating means for generating an effective range of the local post condition,
The information processing apparatus according to supplementary note 1 including:
(Appendix 3)
The information processing apparatus according to appendix 2, wherein the valid range generation unit invalidates the local posterior condition when the node start number and the node end number indicating the valid range are equal in the local posterior condition.
(Appendix 4)
Any one of appendices 1 to 3, further comprising: a format description generating means for generating a format description in which the software specification is expressed in a format method notation using the design information, the identifier information, and the local postcondition information. The information processing apparatus according to item.
(Appendix 5)
The format description generating means includes:
A local precondition adding means for adding a node number assigned to a preceding node included in the activity diagram as a local precondition to the format description;
A local postcondition adding means for adding a local postcondition describing the effective range to the format description;
The information processing apparatus according to appendix 4, including
(Appendix 6)
The format description generation means performs format description by an Event-B format method,
The local precondition adding means adds the node number as a variable in the Event-B machine, and describes the node number of the preceding node as a guard section of the action node of the node number,
The local post-condition adding means is the information processing according to appendix 5, in which the local post-condition including the start number and end number of the node as the effective range is described in an invariants section in the Event-B machine. apparatus.
(Appendix 7)
An input processing step for reading design information consisting of a class diagram that describes the static structure and constraints of data, an activity diagram that describes the flow and execution contents of software that sequentially processes data,
Names of constants or variables necessary for creating a format description from the design information and the default identifier information read in the input processing step by reading default identifier information describing data types or constants used in software design Identifier information comprising a type and a static constraint, a local post condition that is a logical expression indicating a result of executing the execution content described in the activity diagram, and local post condition information indicating an effective range of the local post condition; Generating a local post condition,
An information processing method including:
(Appendix 8)
The information processing method according to appendix 7, further comprising: a format description generating step of generating a format description in which the software specification is expressed in a format method notation using the design information, the identifier information, and the local postcondition information .
(Appendix 9)
An input processing step for reading design information consisting of a class diagram that describes the static structure and constraints of data, an activity diagram that describes the flow and execution contents of software that sequentially processes data,
Names of constants or variables necessary for creating a format description from the design information and the default identifier information read in the input processing step by reading default identifier information describing data types or constants used in software design Identifier information comprising a type and a static constraint, a local post condition that is a logical expression indicating a result of executing the execution content described in the activity diagram, and local post condition information indicating an effective range of the local post condition; Generating a local post condition,
An information processing program that causes a computer to execute.
(Appendix 10)
The format description generating step of generating a format description in which the software specification is expressed by a format method notation using the design information, the identifier information, and the local postcondition information is further executed by the computer. Information processing program.

Claims (10)

An input processing means for reading design information consisting of a class diagram describing the static structure and constraints of data, an activity diagram describing the flow and execution contents of software processing data sequentially,
Names of constants or variables necessary for creating a format description from the design information and the default identifier information read by the input processing means by reading predetermined identifier information describing data types or constants used in software design Identifier information comprising a type and a static constraint, a local post condition that is a logical expression indicating a result of executing the execution content described in the activity diagram, and local post condition information indicating an effective range of the local post condition; , A local post-condition generation means for generating
An information processing apparatus comprising: The local posterior condition generating means is
Node number assigning means for assigning a unique node number to each node included in the activity diagram according to the processing flow of the software;
Based on the execution contents of each node included in the activity diagram and the node number, effective range generating means for generating an effective range of the local post condition,
The information processing apparatus according to claim 1, comprising:   The information processing apparatus according to claim 2, wherein the valid range generation unit invalidates the local posterior condition when the start number of the node indicating the valid range and the end number of the node are equal in the local posterior condition.   4. A format description generating means for generating a format description in which the software specifications are expressed in a format method notation using the design information, the identifier information, and the local postcondition information. The information processing apparatus according to item 1. The format description generating means includes:
A local precondition adding means for adding a node number assigned to a preceding node included in the activity diagram as a local precondition to the format description;
A local postcondition adding means for adding a local postcondition describing the effective range to the format description;
The information processing apparatus according to claim 4 including: The format description generation means performs format description by an Event-B format method,
The local precondition adding means adds the node number as a variable in the Event-B machine, and describes the node number of the preceding node as a guard section of the action node of the node number,
6. The information according to claim 5, wherein the local post-condition adding means describes, in the Event-B machine, a local post-condition including a start number and an end number of the node as the effective range in an invariants section. Processing equipment. An input processing step for reading design information consisting of a class diagram that describes the static structure and constraints of data, an activity diagram that describes the flow and execution contents of software that sequentially processes data,
Names of constants or variables necessary for creating a format description from the design information and the default identifier information read in the input processing step by reading default identifier information describing data types or constants used in software design Identifier information comprising a type and a static constraint, a local post condition that is a logical expression indicating a result of executing the execution content described in the activity diagram, and local post condition information indicating an effective range of the local post condition; Generating a local post condition,
An information processing method including:   The information processing according to claim 7, further comprising: a format description generating step of generating a format description expressing the software specification in a format method notation using the design information, the identifier information, and the local posterior condition information. Method. An input processing step for reading design information consisting of a class diagram that describes the static structure and constraints of data, an activity diagram that describes the flow and execution contents of software that sequentially processes data,
Names of constants or variables necessary for creating a format description from the design information and the default identifier information read in the input processing step by reading default identifier information describing data types or constants used in software design Identifier information comprising a type and a static constraint, a local post condition that is a logical expression indicating a result of executing the execution content described in the activity diagram, and local post condition information indicating an effective range of the local post condition; Generating a local post condition,
An information processing program that causes a computer to execute.   The computer further executes a format description generating step of generating a format description in which the software specification is expressed by a format method notation using the design information, the identifier information, and the local postcondition information. Information processing program.

Images