JP2015156053A - Information processor, its control method and program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a processor which reduces a state number necessary for model verification by suitably reducing a verification program at a portion which is low in a correlation, in program verification using model verification equipment.

SOLUTION: An information processor creates a verification formula which indicates a content for verifying a program to be verified, determines whether or not the program is correlated to the verification formula at a prescribed unit of each program to be verified, converts the program to be verified to a program for implementing a model verification program with respect to the program to be verified which is determined to be the program which is correlated to the verification formula, creates a simple program which is implemented by the model verification program by using template application data which are defined in advance with respect to the program to be verified which is determined not to be the program correlated to the verification formula, and verifies the converted program and the created program by using the model verification program.

COPYRIGHT: (C)2015,JPO&INPIT

Description

  The present invention relates to an information processing apparatus using a model verification program, a control method thereof, and a program.

  As a method for automatically and comprehensively verifying the behavior of a program, there is a program verification method using a model verification program. In the verification method, a program created by a user (hereinafter referred to as a program code to be verified) and a verification formula are written in a language that can use a model verification program such as SPIN or SMV (hereinafter referred to as a verification program code). .). After being converted, it is input and executed in the model verification program, and whether or not there is a violation of the verification formula is confirmed.

  In this program verification method, there is a problem that the program verification cannot be executed due to a shortage of memory due to the large number of states generally referred to as state explosion depending on the scale of the program code to be verified. Therefore, in the model verification program, as in Patent Document 1, it is necessary to increase the number of states that can be handled. In addition, the user of the model verification program needs to keep the verification program code for verification small enough to handle the model verification program.

  In order to reduce the verification program code, a plurality of verification program codes are generated for each verification formula of the program code to be verified, and program codes and variable symbols not related to each verification are deleted (hereinafter, There is a method called a program slice. Alternatively, there are methods such as reducing the used memory size to the necessary minimum bit length and converting it to a semantically significant representative index value (hereinafter referred to as data abstraction).

Japanese Patent Application Laid-Open No. 07-334666

  However, the above prior art has the following problems. In the above prior art, it is possible to verify the operation of the program code to be verified. However, when this method is used, when verification for global control is performed, more verification program code memory is required, and a state explosion may occur and verification may not be executed.

  When verifying global control, verification program code is created from all program codes to be verified included in global control. Therefore, although there is a relationship with the content that you want to verify, the program code fragment to be verified that is less relevant or the program code fragment to be verified that has already been sufficiently verified by another method is also incorporated into the verification program code. End up. Therefore, the number of memories and steps used by the verification program code increases, and a state explosion occurs.

  The present invention has been made in view of the above-described problems, and in the program verification using the model verifier, the state necessary for the model verification is preferably reduced by suitably reducing the verification program of the portion having low relevance. The purpose is to provide a mechanism to reduce the number.

  The present invention is an information processing apparatus, and includes a creation unit that creates a verification formula indicating the contents to be verified by a program to be verified, and whether the program is related to the verification formula created by the creation unit. Determining means for each program to be verified, and for the program to be verified determined by the determining means to be a program related to the verification formula, the state of the verified program is exhaustively searched and verified A conversion unit that converts the program to be verified into a program for executing the model verification program, and a template defined in advance for the program to be verified determined by the determination unit as not being a program related to the verification formula Using the application data, a raw program that generates a simple program to be executed by the model verification program Means, characterized in that it comprises a verification means for verifying the conversion program, and the program generated by the generating means and the model verification program by said converting means.

  According to the present invention, in the program verification using the model verifier, the number of states necessary for the model verification can be reduced by suitably reducing the verification program of the portion having low relevance.

FIG. 2 is a block diagram showing a software configuration of the information processing apparatus according to the first embodiment. The block diagram which shows the hardware constitutions of the information processing apparatus which concerns on 1st Embodiment. , 5 is a flowchart showing a processing procedure of the information processing apparatus according to the first embodiment. , , , , , The figure which shows the to-be-verified program which concerns on 1st Embodiment. , The figure which shows the process sequence of the information processing apparatus which concerns on 2nd Embodiment. , , , , , The figure which shows the to-be-verified program which concerns on 2nd Embodiment.

  Hereinafter, embodiments of the present invention will be described in detail with reference to the accompanying drawings. The following embodiments do not limit the present invention according to the claims, and all combinations of features described in the present embodiments are not necessarily essential to the solution means of the present invention. .

<First Embodiment>
Hereinafter, a first embodiment of the present invention will be described with reference to FIGS. 1 to 4F. As an example of the nature of the program to be verified, when the code to be verified is source code written in C language, “memory access outside the array must not be performed” (hereinafter referred to as an out-of-array reference) or the like. There is a verification specification that comes from the language specification. To verify an out-of-array reference, analyze the program to be verified to determine the function name and position of the program fragment that performs array access, and check that the array subscript does not exceed the memory capacity reserved for the array. Generate a verification formula to confirm. If the array subscript or division denominator is a constant, the verification can be completed only by static program analysis. On the other hand, when array subscripts and division denominators are variables, verification is often not completed by static program analysis alone. In the present embodiment, a case where program verification of properties is performed using SPIN as a model verification program when the array subscript is not a constant but a variable will be described. SPIN is a model verification program that searches a state exhaustively and verifies its properties by using a description by Promela, which is a language for describing a channel communication automaton, as an input.

<Software configuration>
First, a software configuration of an information processing apparatus that is a program verification apparatus according to the present embodiment will be described with reference to FIG. The program verification program 101 is executed in the information processing apparatus 201 shown in FIG. The program verification program 101 includes an operation control block 102, a verified program code use determination block 105, a template code generation block 106, a code reduction block 107, a language conversion block 108, and a model verification program 110.

  The operation control block 102 is an operation control block for performing various processes of the program verification program. The program code 103 to be verified is various user programs to be verified. The template application data 104 is described in a formal specification description language that can be interpreted by the verified program code use determination block 105 and the template code generation block 106 in the program verification program 101. The template application data 104 is data indicating the behavior of the program code fragment and the nature of the memory, and is data for generating a program code to be verified that is input to the model verification program 110. Generating a code to be executed by the model verification program 110 using the template application data 104 generates a simplified code rather than converting the program to be verified into a format executable by the model verification program as it is. be able to.

  The operation control block 102 inputs both the verified program code 103 and the template application data 104 to the verified program code use determination block 105 and causes the verified program code 103 to be analyzed after determining the code to be used. Specifically, it is determined whether the program code 103 to be verified is used or the program code generated from the template application data 104 is used. When the verified program code use determination block 105 determines that the verified program code 103 is used, the operation control block 102 inputs the verified program code 103 to the code reduction block 107. The code reduction block 107 outputs the program code fragment after the code reduction. Thereafter, the operation control block 102 inputs the program code fragment to the language conversion block 108 to create a fragment of the verification program 109.

  On the other hand, when the template application data 104 is used, the operation control block 102 inputs the template application data 104 to the template code generation block 106 and creates a fragment of the verification program 109. After creating all fragments of the verification program 109 necessary for executing the model verification program 110, the operation control block 102 inputs the verification program 109 to the model verification program 110, and generates and obtains a verification result 111. Then, the verification result is notified to the user.

<Hardware configuration>
Next, FIG. 2 shows a hardware block diagram of the proposed program verification apparatus. The information processing apparatus 201 is an apparatus that verifies a program created by a user. The information processing apparatus 201 includes a main body unit 202, a display device 203, a keyboard 204, and a mouse 205. The main body 202 also includes a central processing unit 206, a main storage device 207, and a hard disk 208. The model verification program 110 and the program verification device program 100 shown in FIG. 1 are stored in the hard disk 208, loaded into the main storage device 207 at the time of execution, and executed by the central processing unit (CPU) 206.

<Program example>
Next, an example of the program code 103 to be verified described in the present embodiment and a verification program 109 when SPIN is used as the model verification program 110 will be described with reference to FIG. In this embodiment, the program verification work is performed after the C-language-verified program code shown in FIG. 4A is converted into a third address code as shown in FIG. 4B by a general compiler. In this embodiment, an out-of-array reference for array access (data [i] = 0;) in the fourth row of the targetSub function in FIG. 4B will be described. BIT_FIELD_REF <xx, y, z> in FIG. 4B indicates data of only y bits from the z bit of the xx variable.

  FIG. 4C shows verification formula data created by the program verification program 101 for the out-of-array reference. As shown in FIG. 4C, the verification expression includes a function name, a line number in the function, and a verification content (verification expression) in the line number. Although only one verification formula is illustrated in FIG. 4C, a plurality of verification formulas may be defined in advance. FIG. 4D shows a verification program when the verification program 109 as a comparative example is all created from the program code 103 to be verified. FIG. 4F shows a verification program 109 generated from the template application data 104 instead of the verified program code 103 for the updatePaperPa function.

  FIG. 4E shows template application data for the updatePaperPap function. FIG. 4E defines a variable whose value changes during the program operation in the XML format. In this embodiment, the volumeMemory tag is a tag used for defining a variable whose value changes during a program operation. nameOfSymbol is a description example of the name of the variable. SettleFunc is a description example of a function name that defines the variable. updateInterval is a description example for defining an interval at which a variable is updated when the above function is called a specified number of times. That is, in FIG. pap is a variable that changes to any value every time updateSensorPap is called 10 times.

<Processing flow>
Next, with reference to FIG. 3A and FIG. 3B, the processing flow in the program verification of this embodiment is demonstrated. In this embodiment, a case will be described in which an out-of-array reference (data [i] = 0;) in the targetSub function is verified. The processing described below is realized by the central processing unit (CPU) 206 reading out the program verification program 101 stored in the hard disk 208 to the main storage device 207 and executing it. Reference numeral 300 in FIG. 3A shows an overall flow of program verification. 3B in FIG. 3B shows a sub-flowchart of S304 in the flowchart 300. 3B of FIG. 3B shows a sub-flowchart in S305 of the flowchart 300.

  In S301 and S302, the CPU 206 reads the verified program code 103 shown in FIG. 4A and the template application data 104 shown in FIG. 4E, and analyzes the verified program code 103. In the middle, the CPU 206 can convert the side effect action program code into a single action program code by converting into a 3-address code as shown in FIG. 4B, thereby simplifying the correspondence between the verification formula and the line number.

  In S303, the CPU 206 creates a verification formula list as shown in FIG. 4C. That is, here, an item to be verified is created in the program code 103 to be verified. This may be performed based on a user instruction, for example. The user instruction may be selected from a predefined list or the like. The CPU 206 creates each verification program corresponding to the verification formula list number. Therefore, the program code 103 to be verified is reduced using the code reduction block 107 for the variable i in the fourth line of the targetSub using the verification formula, and the necessary program fragment to be verified is acquired. As a result, targetSub is called from the main function, and the global variable sensor. The reachability of whether to be executed by pap is defined, and the global variable sensor. pap understands that the value is set by the updateSensorPap called by the main function.

  In step S <b> 304, the CPU 206 determines whether to use the program code 103 to be verified. In other words, the program code to be verified is converted into a detailed program to be verified that is directly converted into a format that can be executed by the model verification program, or a simple program to be verified is generated using template application data instead of the program to be verified Judging what to do. According to the present embodiment, this determination is performed for each predetermined unit of the program, for example, for each function, and it is determined whether or not the verification is comprehensively performed. Note that it is desirable to determine whether or not the item included in the verification list created in S303 is executed by executing the function as a determination criterion. Detailed processing in S304 will be described later with reference to the flowchart 310. If the program code 103 to be verified is used, the process proceeds to S306, and if not, the process proceeds to S305. The targetSub function and the main function are not included in the template application data in FIG. 4E. The updateSensorPap function is included in the template application data, and when called 10 times, sensor. This function sets pap to any value. Furthermore, sensor. pap is 1 bit long. In this way, the CPU 206 understands the program to be verified. Therefore, the process proceeds to S306 for the targetSub function and the main function, and proceeds to S305 for the updateSensorPap function.

  When using the program code 103 to be verified, in S306, for the main function and the targetSub function, the CPU 206 converts the program code 103 to be verified, converts the verification expression into a program fragment, and embeds the verification program fragment. On the other hand, in S305, the CPU 206 inputs the template application data 104 to the template code generation block 106 for the updateSensorPap function, generates a template code, and proceeds to S308. Details of S305 will be described later with reference to a flowchart 305.

  In S308, the CPU 206 inputs the program from S305 or S306 to the model verification program and executes it. FIG. 4D shows a verification program 109 when the updateSensorPap function is not generated from the template application data 104 but is generated from the program code 103 to be verified. io. Since pap is a variable included in an external model that is not set by anyone, it is necessary to generate a verification program fragment and define indefiniteness as a separate thread. Further, updateSensorPap is a code converted from the verified program code of FIG. 4B.

  Returning to the description of FIG. In S309, the CPU 206 acquires the verification result 111 and presents it to the user. Thereby, it is possible to notify the user that the verification formula may not be established.

  Next, the flowchart 310 of FIG. 3B is demonstrated. A flowchart 310 shows details of S304 of the flowchart 300.

  First, in S3041, the CPU 206 extracts the program code to be verified related to the verification formula shown in FIG. 4C. In step S3042, the CPU 206 determines whether the verification program code extracted in step S3041 includes the verification formula shown in FIG. 4C. If the corresponding verification expression is included, the process proceeds to S3043, and if not included, the process proceeds to S3045.

  In step S3043, the CPU 206 determines whether or not the verification formula is related only to the control flow of the program to be verified. If the verification formula relates only to the control flow of the program to be verified, the process proceeds to S3045, and if not, the process proceeds to S3044.

  In step S3044, the CPU 206 determines that the program code to be verified is used, and ends the process. On the other hand, in S3045, the CPU 206 determines that the template code is to be used (generated), and ends the process.

  Next, the flowchart 320 of FIG. 3B will be described. A flowchart 320 shows details of S305 of the flowchart 300. That is, the flowchart 320 corresponds to the processing of the template code generation block 106.

  In S3051, the CPU 206 stores the output variable name and the bit length. Subsequently, in S3052, the CPU 206 stores the bit length of the input variable. In step S3053, the CPU 206 stores the update frequency (10) of the output variable. In S3054, the CPU 206 outputs a program code (template code) and ends the process. The output template code is, for example, the code of the updateSensorPap function shown in FIG. 4F. In the above flowchart, for ease of explanation, an example in which each function is verified is shown. However, in this embodiment, a program to be verified is generated by converting or generating program codes for each function and combining them. It is desirable to verify with the model verification program 110.

  Comparing FIG. 4D and FIG. 4F, FIG. pap and cnt1 are unnecessary, sensor. Since the logic for synthesizing the pap is lost, the memory used by the model verification program 110 is reduced. When actually using SPIN, the state vector is reduced from 28 bytes to 20 bytes. In the example of the program code to be verified shown in FIG. 4A, although the model verification program can be executed in either FIG. 4D or FIG. 4F, there are more complicated algorithms in actual program verification, and even simpler verification is possible in that case. It is possible to synthesize a program.

  As described above, the information processing apparatus according to the present embodiment depends on whether each verification target program has a code to be verified (whether it is a program related to a verification expression) or not. Switch whether to use verification program code. In other words, the information processing apparatus according to the present embodiment performs detailed verification when a verification target code, for example, an out-of-sequence reference code is included, and uses a template code if the out-of-sequence reference code is not included. Perform simple verification. In the present embodiment, the program of a predetermined unit has been described by an example for each function. However, the present invention is not intended to be limited to this, and the above determination may be made for each program of another unit. Thus, according to the present embodiment, it is possible to reduce the amount of memory used by the model verification program for each predetermined verification program and reduce state explosion.

<Second Embodiment>
Hereinafter, a second embodiment of the present invention will be described with reference to FIGS. 5 to 6F. In the present embodiment, when the array subscript is a variable instead of a constant, program verification is performed using SPIN as the model verification program 110 for a property such as “memory access outside the array should not be performed”. The case where it performs is demonstrated. In the first embodiment, the function to which the template is applied relates to the reachability to the program fragment for examining the verification formula. On the other hand, in the present embodiment, a case will be described in which a behavior of a function to which a template is applied is related to a variable value in a verification expression, and there are a plurality of behaviors of the function.

<Program example>
With reference to FIG. 6, an example of the program code 103 to be verified described in the present embodiment and the verification program 109 when SPIN is used as the model verification program 110 will be described. FIG. 6A shows template application data in the comment sentence 601 written together with the program code to be verified written in C language.

  The DataAbstraction tag in the comment sentence 601 indicates an example in which the behavior for data is abstracted. The nameOfSymbol tag indicates a variable name of data obtained by abstracting the above behavior. In the present embodiment, a verification program is generated using template data for the behavior of the function indicated by the nameOfFunc tag.

  The Abstract tag indicates each template. The Condition tag means a conditional statement, and the value tag describes a value defining expression when the Condition tag is satisfied. The first template application data (first template application data) is obtained by subtracting 256 from any of the b set elements when the conditional expression ((_b & 1) == 1) is true. Value. On the other hand, if it is false, it means that the return value of the calc_b function is a value obtained by subtracting 256 from any of the bb set elements. The second template application data (second template application data) means that the return value of the calc_b function is a value obtained by subtracting 256 from one of the set elements of the union of b and bb.

  In this embodiment, the verification program code shown in FIG. 6A in C language is converted into a 3-address code as shown in FIG. Further, in the present embodiment, an out-of-array reference for array access (c [B] = (unsigned char) _b;) in the fifth row of the main function in FIG. 6B will be described. FIG. 6C shows verification formula data created by the program verification program 101 for out-of-array references. FIG. 6D shows a verification program when all verification programs as comparative examples are created from the program code 103 to be verified. FIG. 6E shows a verification program code generated based on the first template application data described in the comment sentence 601 written together with the program code to be verified of FIG. 6A. FIG. 6F shows the verification program 109 generated based on the second template application data.

<Processing flow>
Next, with reference to FIG. 5A and FIG. 5B, the processing flow in the program verification of this embodiment is demonstrated. The processing described below is realized by the central processing unit (CPU) 206 reading out the program verification program 101 stored in the hard disk 208 to the main storage device 207 and executing it. 5A in FIG. 5A shows the overall flow of program verification. 5B in FIG. 5B shows a sub-flowchart of S504 in the flowchart 500. 520 in FIG. 5B shows a sub-flowchart in S505 of the flowchart 500.

  In S501 and S502, the CPU 206 reads the verified program code 103 and the template application data 104 shown in FIG. 6A, and analyzes the verified program code 103. On the way, the CPU 206 can convert the side effect action program code into a single action program code by converting into a 3-address code as shown in FIG. 6B, thereby simplifying the correspondence between the verification formula and the line number. Further, the CPU 206 analyzes the template application data described in the comment sentence 601 of FIG. 6A, and applies an application method when using the template code, that is, two template application data (first and second template application data). get. Further, the CPU 206 analyzes the descriptions for the constant arrays b and bb, and understands that the constant arrays, that is, the elements of the b set are 258, 257, and 255 and the number of elements is 3. Furthermore, it can be understood that the bb constant array, that is, the elements of the bb set is a set of 256, 257, 258 and 3 elements.

  In step S503, the CPU 206 creates a verification formula list shown in FIG. 6C. Further, the CPU 206 creates each verification program corresponding to the verification formula list number. Therefore, the verification program code 103 is reduced and the minimum required fragment of the program code 103 to be verified is acquired by using the code reduction block 107 for the variable B in the fifth line of the main function by the verification formula. Here, the verification expression indicates the function name, the line number, and the verification content at the line number. As a result, it is understood that the variable B is a return value of the calc_b function, and the calc_b function is called from the main function.

  In step S <b> 504, the CPU 206 determines whether to use the verified program code 103 using the verified program code use determination block 105. If the program code 103 to be verified is used, the process proceeds to S506, and if not, the process proceeds to S505. The main function is not included in the template application data, and the return values of the calc_b function and the calc_b function are included in the template application data. Since the return value of the calc_b function is included in the verification expression shown in FIG. 6C created in S503, the process proceeds to S506.

  In step S <b> 506, the CPU 206 uses the code reduction block 107 to create a minimum program fragment to be verified necessary for performing the verification shown in FIG. 6C using only the program code 103 to be verified. Further, it is converted into a verification program 109 that can be understood by the model verification program. Thereafter, in S508, the CPU 206 inputs the verification program 109 to the model verification program 110 by the operation control block 102, and acquires the verification result 111 in S509. In S510, the CPU 206 determines whether or not the verification result 111 obtained by executing the model verification program 110 indicates that a state explosion has occurred. If it indicates that a state explosion has occurred, the process proceeds to S511, and if it indicates that the verification could be completed without causing a state explosion, the verification result 111 is displayed to the user to verify the program. finish. In step S511, the CPU 206 determines whether there is any template application data that can be used, and if there is, proceeds to step S505, and if not, ends the processing.

  In step S <b> 505, the CPU 206 inputs the first template code of the template application data 104 to the template code generation block 106 through the operation control block 102, and updates the verification program 109 with the output verification program fragment. Thereafter, the process proceeds to S508, and as described above, the model verification program 110 is executed, the verification result 111 is acquired in S509, and the processes after S510 are executed. If a state explosion occurs when the model verification program 110 is executed and the result cannot be acquired, the CPU 206 performs verification again from S505 in S511. If it is determined in step S511 that there is no template application data that can be applied, the CPU 206 informs the user that the verification work has not ended, and then ends the process.

  Next, the flowchart 510 of FIG. 5B will be described. A flowchart 510 shows details of S504 of the flowchart 500.

  First, in S5041, the CPU 206 extracts the program code to be verified related to the verification formula shown in FIG. 6C. In step S5042, the CPU 206 determines whether the verification program code extracted in step S5041 includes the verification formula shown in FIG. 6C. If the corresponding verification expression is included, the process proceeds to S5043, and if not included, the process proceeds to S5046.

  In S5043, the CPU 206 determines whether or not the verification formula is related only to the control flow of the program to be verified. If the verification formula relates only to the control flow of the program to be verified, the process proceeds to S5045, and if not, the process proceeds to S5044. In step S5044, the CPU 206 determines whether the program verification is the first time. In this determination, it is determined whether or not the model verification program has already been executed. For example, if the model verification program in S508 is executed once, it is determined in S510 that a state explosion has occurred, and a template code is generated and then redone, it is determined that this is not the first time. Therefore, the CPU 206 may store the number of executions when the model verification program is executed in S508. If it is the first time, the process proceeds to S5045, and if it is not the first time, the process proceeds to S5046.

  In step S5045, the CPU 206 determines that the program code to be verified is used, and ends the process. On the other hand, in S5046, the CPU 206 determines that the template code is to be used, and ends the process.

  Next, the flowchart 520 in FIG. 5B will be described. A flowchart 520 shows details of S505 of the flowchart 500. That is, the flowchart 520 corresponds to the processing of the template code generation block 106.

  In step S5051, the CPU 206 selects a template to be used. Here, for example, the first template application data or the second template application data is selected. Note that the selection method may be selected in a predetermined order or based on a user instruction. Subsequently, in S5052, the CPU 206 stores the output variable name and the bit length. In S5053, the CPU 206 stores the bit length of the input variable. In S5054, the CPU 206 stores the update frequency (10) of the output variable. In S5055, the CPU 206 outputs a program code (template code). When the first template application data is used, the output template code is, for example, the code shown in FIG. 6E. On the other hand, when the second template application data is used, the code is as shown in FIG. 6F. Finally, in S5056, the CPU 206 stores the used template and ends the process.

  The verification program code 103 of FIG. 6A shown in the present embodiment can be pointed out of the array reference without causing a state explosion even if the verification program code 103 is actually used. However, the state vector capacity to be used is 48 bytes when all the verification program fragments are created from the program code 103 to be verified, and 20 bytes when the first template application data 104 is used. In addition, the case where the second template application data is used can be greatly reduced to 16 bytes, which is effective for verifying the program code 103 to be verified created by the user, which is actually complicated.

  As described above, the information processing apparatus according to the present embodiment can reduce the amount of memory used by the model verification program and reduce state explosion.

<Other embodiments>
The present invention can also be realized by executing the following processing. That is, software (program) that realizes the functions of the above-described embodiments is supplied to a system or apparatus via a network or various storage media, and a computer (or CPU, MPU, etc.) of the system or apparatus reads the program. It is a process to be executed.

Claims (13)

An information processing apparatus,
Creating means for creating a verification expression indicating the contents to be verified by the program to be verified;
Determining means for determining whether the program is related to the verification formula created by the creating means for each program to be verified in a predetermined unit;
For the program to be verified that is determined to be a program related to the verification formula by the determination means, the program for executing a model verification program that comprehensively searches and verifies the state of the program to be verified Conversion means for converting the program to be verified;
Generating means for generating a simple program to be executed by the model verification program using predefined template application data for the program to be verified determined by the determination means as not being a program related to the verification formula When,
An information processing apparatus comprising: a program converted by the conversion unit; and a verification unit that verifies the program generated by the generation unit by the model verification program.   2. The information processing apparatus according to claim 1, wherein the determination unit determines that a program related to the verification formula is not a program related to the verification formula if it is an initial verification. .   If it is determined that the verification result verified by the model verification program has caused a state explosion, the verification unit uses the template application data by the generation unit if the template application data is available. The information processing apparatus according to claim 2, wherein a valid program is generated and verification is performed again.   The information processing apparatus according to claim 1, wherein the conversion unit further embeds the verification expression in the converted program to be verified.   The information processing apparatus according to any one of claims 1 to 4, wherein the template application data is described in a formal specification description language.   2. The determination unit according to claim 1, wherein the determination unit determines whether or not the program is the related program based on whether or not a code corresponding to the verification formula is included in the program to be verified in the predetermined unit. The information processing apparatus according to any one of 5.   The information processing apparatus according to claim 1, wherein the predetermined unit is a function.   The information processing apparatus according to claim 1, wherein the predetermined unit is a variable.   The information processing apparatus according to claim 7, wherein the verification expression includes a function name, a line number in the function, and a verification expression indicating verification contents.   The information processing apparatus according to claim 1, wherein the content to be verified in the verification formula is an out-of-array reference.   The information processing apparatus according to claim 1, further comprising means for presenting a verification result by the verification means to a user. A method for controlling an information processing apparatus,
A creating step in which the creating means creates a verification expression indicating the contents to be verified by the program to be verified;
A determination step of determining whether or not the determination means is a program related to the verification formula created in the creation step for each program to be verified;
In order to execute a model verification program in which the conversion means comprehensively searches and verifies the state of the verified program for the verified program determined to be a program related to the verification formula in the determining step A conversion step of converting the program to be verified into a program of
A simple program executed by the model verification program using the template application data defined in advance for the program to be verified that has been determined by the generation means not to be a program related to the verification formula in the determination step. A generation process to generate;
A control method for an information processing apparatus, wherein the verification means executes a program converted in the conversion step and a verification step of verifying the program generated in the generation step with the model verification program.   A computer-readable program for causing a computer to function as the information processing apparatus according to claim 1.

Images