JP2016014959A - Information processing device, counterexample processing method, and program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To improve the efficiency of analyzing a counterexample in model inspection.SOLUTION: A counterexample processing device 200 includes a counterexample storage unit 210, and a simplification unit 220. The counterexample storage unit 210 stores a counterexample 540 showing a transition series until the detection of a violation of a verification quality 520 in a system state being a set of states of a plurality of elements relevant to a system. The simplification unit 220 extracts an element in which a violation of the verification quality 520 is detected and an element having the possibility of having influence on a state which violates the verification quality 520 of the element from the counterexample 540 as elements of an analysis object, and outputs the elements in association with a transition series of states of the extracted elements of an analysis object.

Description

  The present invention relates to an information processing device, a counterexample display method, and a program, and more particularly, to an information processing device, a counterexample display method, and a program that outputs a counterexample obtained by model checking.

  A model checking method is known as a mechanism for automatically determining whether a system or a computer program operates correctly according to specifications. The model checking method covers the state transitions that the model can take by using a model that expresses the operation specifications of the system or computer program to be verified in a state transition system and the verification properties that the model should satisfy. Verify mechanically and mechanically. A typical verification target by the model checking method is a parallel system in which a plurality of actors operate in parallel. For example, the SPIN (Simple Promela Interpreter) model checker describes and models operations to be tested, such as communication devices, parallel processes, and parallel threads, in a dedicated model description language called PROMELA (Process Meta Language). To do. Then, the SPIN model checker comprehensively checks the communication pattern of the operation subject in the model, thereby verifying whether the system satisfies a verification property such as “no deadlock”.

  One of the features of the model checking method is that when the state transition of the model violates the verification property, the state transition sequence from the initial state to the state where the violation is detected can be obtained as a counter example. . By way of a counterexample, a path of a possible state transition on the model from the initial state to the state where the violation is detected is specifically presented. Therefore, if the system to be verified is appropriately modeled, the state transition path presented by the counterexample specifically shows the state transition path that leads to an illegal state that can occur in an actual system. . Therefore, in the verification using the model check of the operation of the system or the computer program, it is possible to identify a design error, a coding bug, or the like by analyzing the generated counterexample.

  However, in general, the counterexample obtained by the model checking method is that the model is complicated, that is, each element constituting the system to be verified undergoes a complicated state transition, or the system to be verified performs many parallel operations. If it contains elements, it will be enormous. Such an enormous counter example becomes a large practical problem in analyzing a design error or the like. The counterexample shows a state that does not satisfy the verification property and a path of state transition to the state, and is not a defect itself. Even if there is only one defect, there may be a plurality of states that do not satisfy the verification property. There may also be a plurality of state transition paths leading to a state that does not satisfy a certain verification property. Identification of a design or coding defect in a state transition that leads to a state that does not satisfy the verification property is usually performed manually, but enormous counterexample manual analysis involves a great deal of labor.

  An example of a technique for improving the efficiency of such counterexample analysis is disclosed in Patent Document 1, for example. In the counterexample analysis support apparatus described in Patent Literature 1, a related item list in which the state of another process, the detection event of the own process, and the state of the own process are associated is set by the user. The counterexample analysis support apparatus determines whether or not a detection event has occurred based on the related item list, and identifies a problem candidate location in the counterexample state transition sequence.

  As a related technique, Patent Literature 2 describes a model checking apparatus that deletes a step of a verification code inserted in a module from a counter example. Patent Document 3 and Patent Document 4 describe a model checking apparatus that uses a state transition represented by a tree structure as a state transition of a system variable group.

Japanese Patent No. 4477054 JP2013-206310A JP 2013-200277 A JP 2012-155517 A

  However, in the technique described in Patent Document 1, it is necessary for the user to generate and set a related item list from the state transition model of the system. Moreover, although the identification of the malfunction related to the timing of the detection event is made efficient, the identification of the malfunction related to other factors may not be made efficient.

  An object of the present invention is to provide an information processing apparatus, a counterexample display method, and a program that solve the above-described problems and improve the efficiency of counterexample analysis in model checking.

  The information processing apparatus of the present invention includes a counter example storage unit that stores a counter example indicating a transition sequence until a violation of a predetermined verification property is detected in a system state that is a set of states of a plurality of elements related to the system; From the counterexample, extract the element in which the violation of the verification property is detected and the element that may have affected the state of the element in violation of the verification property as the analysis target element, and extract the extracted analysis target Reduction means for associating and outputting a transition sequence of the state of each element.

  The counterexample processing method of the present invention stores a counterexample indicating a transition sequence until a violation of a predetermined verification property of a system state that is a set of states of a plurality of elements related to a system is detected, and from the counterexample, The elements for which violation of the verification property is detected and the elements that may have affected the state of violation of the verification property of the element are extracted as analysis target elements, and the state of the extracted analysis target element is extracted. Associate the transition series and output.

  The program of the present invention stores, in a computer, a counterexample indicating a transition sequence until a violation of a predetermined verification property of a system state that is a set of states of a plurality of elements related to the system is detected, from the counterexample, The element in which the violation of the verification property is detected and the element that may have affected the state of the element in violation of the verification property are extracted as analysis target elements, and the extracted analysis target element A process of associating and outputting a state transition series is executed.

  The effect of the present invention is that the analysis of counterexamples in model checking can be made more efficient.

It is a block diagram which shows the characteristic structure of embodiment of this invention. It is a block diagram which shows the structure of the model check system in embodiment of this invention. It is a block diagram which shows the structure of the counterexample processing apparatus 200 implement | achieved by computer in embodiment of this invention. It is a flowchart which shows operation | movement of the counterexample processing apparatus 200 in embodiment of this invention. It is a figure which shows the example of the counterexample 540 in embodiment of this invention. It is a figure which shows the example of the counter example trace 550 in embodiment of this invention. FIG. 6 shows an example of a simplified counter example trace 560 in an embodiment of the present invention.

  Embodiments of the present invention will be described.

  First, model checking in the embodiment of the present invention will be described.

  In the model check according to the embodiment of the present invention, the specification of a system to be checked (hereinafter also referred to as a target system) is expressed as a state transition system. The verification property is expressed by a temporal logic formula.

  In the model checking algorithm, if the state transition of the target system state (hereinafter also referred to as the system state) is finite, it can be determined whether or not a logical expression expressed in temporal logic holds. That is, it is specifically shown whether the system state satisfies the verification property, and if it does not satisfy the verification state, what kind of state transition is required to reach the violated system state.

  Actually, since the state transition of the system state is often infinite, the model check assuming that the state transition is finite cannot be directly applied in many cases. Even if the state transition is finite, verification is often impossible within a realistic time due to the large state transition. In such a case, bounded model checking that performs state search to a certain range while expanding the state transition system as necessary may be used. In the bounded model check, when the transition becomes infinite in the state transition search space, the search is terminated within a finite range. Therefore, actually, even if a state that does not satisfy the verification property exists, there is a possibility that the state cannot be found. However, if a system state that does not satisfy the verification property is found within a finite search range, a counterexample can be output in the same manner as the normal model checking method.

  The embodiment of the present invention may use either a normal model check assuming a finite state transition or a bounded model check that allows an infinite state transition by cutting off the state search at a finite number. . Hereinafter, these are not distinguished and are simply referred to as model checking.

  Next, the configuration of the embodiment of the present invention will be described.

  FIG. 2 is a block diagram showing the configuration of the model checking system in the embodiment of the present invention.

  Referring to FIG. 2, the model checking system of the present invention includes a model checking device 100 and a counter example processing device 200.

  The model checking apparatus 100 generates a counterexample 540 when a system state that violates the verification property 520 is detected by model checking.

  The model checking device 100 includes a model generation unit 110 and a model checking unit 120.

  A model description 510 and verification properties 520 of the target system are input to the model checking apparatus 100 by the user.

  The model generation unit 110 uses the model description 510 to create a model based on the state transition of the system state.

  The model checking unit 120 exhaustively searches for a state transition of the system state and detects a system state that violates the verification property 520. When there is no system state that violates the verification property 520, the model checking unit 120 outputs a check result 530 indicating that fact to the user. Further, when there is a system state that violates the verification property 520, the model checking unit 120 outputs the check result 530 including the counter example 540 to the counter example processing apparatus 200. Counterexample 540 shows a transition sequence of state transitions leading to a system state that violates verification property 520.

  The model description 510 varies for each program (or tool) for realizing the model checking apparatus 100, but is typically given by a simple programming language-like description. The verification property 520 also varies depending on the program for realizing the model checking apparatus 100, but is typically given by a condition expressed in temporal logic. For example, the verification property 520 is described with a temporal property such as “Once the property X is satisfied, the property Y does not hold in each state of the subsequent state transition”.

  Further, the counter example 540 is typically output as a log including a system state that does not satisfy the verification property 520 obtained as a result of the model check, and a series of state transitions leading to the system state.

  FIG. 5 is a diagram showing an example of counter-example 540 in the embodiment of the present invention.

  Here, it is assumed that Host1, Controller, Switch1, Switch2, Swtch3, Switch4, and Host2 are operating in parallel as nodes that are constituent elements (or simply elements) of the target system. Hereinafter, Host1, Controller, Switch1, Switch2, Swtch3, Switch4, and Host2 are also referred to as H1, CNT, SW1, SW2, SW3, SW4, and H2, respectively.

  In addition, the system state is represented by a set of node states, and it is assumed that the state transition between the system states is caused by an event notified between the two nodes at least when the state of the notified node changes. .

  In the example of FIG. 5, rows indicating each system state and an event that causes a state transition between the system states are alternately arranged.

  In the row indicating the system state, each column indicates the state of the corresponding node. Here, the state of the nodes H1 and CNT is represented by “message queue”. The states of the nodes SW1 to SW4 are represented as a set of “message queue” and “message delivery rule set”. For example, in the state “{p1}, {H2 → SW2}” of the node SW1 in the system state S4, the message p1 exists in the message queue, and the message delivery rule is “a message addressed to H2 is temporarily sent to SW2. ".

  In the row indicating the event, the source of the arrow indicates the event notification source node, and the arrow destination indicates the event notification destination node. For example, the event p1 indicates an event from the node H1 to SW1.

  Further, it is assumed that the verification property 520 is “in each of the nodes SW1 to SW4, the same message does not pass through the same node (the same message is transferred to the same node again and loops infinitely)”. .

  In the example of FIG. 5, after the system state transitions from S1 to S5, the delivery rule {H2 → SW1} is added to the node SW2 in S11. Furthermore, after the system state transitions from S21 to S23, in S24, the same message p2 as the message passed in the system state S22 exists in the node SW1. That is, in the system state S24, the state of the node SW1 violates the verification property 520.

  Note that the model checking unit 120 may generate a counterexample trace 550 based on the counterexample 540 and output (display) it to the user.

  FIG. 6 is a diagram showing an example of a counterexample trace 550 in the embodiment of the present invention.

  The counter example trace 550 is a sequence diagram in which the state transition sequence of each node in the system state transition sequence indicated by the counter example 540 is associated with an event. The counter example trace 550 of FIG. 6 corresponds to the counter example 540 of FIG.

  In the example of FIG. 6, the inside of the rectangle indicates the state of each node. Further, an arrow indicates an event between nodes, an arrow source indicates an event notification source node, and an arrow destination indicates an event notification destination node. The state of each node is shown at the timing when the state changes due to an event.

  The counterexample processing apparatus 200 generates a simplified counterexample trace 560 based on the counterexample 540.

  The counterexample processing apparatus 200 includes a counterexample storage unit 210 and a reduction unit 220.

  The counter example storage unit 210 stores a counter example 540 included in the inspection result 530 output from the model checking apparatus 100.

  The reduction unit 220 generates a simplified counter example trace 560 based on the counter example 540.

  Here, the reduction unit 220 identifies a system state that violates the verification property 520 in the counter example 540. The reduction unit 220 extracts, as analysis target nodes, nodes in which the violation of the verification property 520 is detected in the specified system state and nodes that may have affected the state of violation of the verification property 520 of the node. To do. Then, the reduction unit 220 generates a simplified counter example trace 560 indicating the state transition sequence of the node to be analyzed, and outputs (displays) the trace to the user.

  The counterexample processing apparatus 200 may be a computer that includes a CPU (Central Processing Unit) and a storage medium that stores a program, and operates by control based on the program.

  FIG. 3 is a block diagram showing a configuration of a counterexample processing apparatus 200 realized by a computer in the embodiment of the present invention. The counter example processing apparatus 200 includes a CPU 201, a storage unit (storage medium) 202 such as a hard disk and a memory, a communication unit 203 that performs data communication with other devices, an input unit 204 such as a keyboard, and an output unit 205 such as a display. Including.

  The CPU 201 executes a computer program for realizing the function of the reduction unit 220. The storage unit 202 stores the data (counterexample 540) of the counterexample storage unit 210. The communication unit 203 receives the inspection result 530 from the model checking apparatus 100. Further, the input unit 204 may accept an input of the inspection result 530 output from the model checking apparatus 100 from the user. The output unit 205 outputs (displays) the simplified counter example trace 560 to the user. In addition, the communication unit 203 may transmit the simplified counter example trace 560 to another device.

  In the embodiment of the present invention, the model checking apparatus 100 and the counterexample processing apparatus 200 are separate apparatuses. However, for example, the model checking apparatus 100 is included in the model checking apparatus 100, and the counterexample is different from the model checking apparatus 100. The processing apparatus 200 may constitute one apparatus.

  Next, the operation of the embodiment of the present invention will be described.

  FIG. 4 is a flowchart showing the operation of the counterexample processing apparatus 200 in the embodiment of the present invention.

  Here, it is assumed that the counterexample storage unit 210 stores a counterexample 540 as illustrated in FIG. 5 output from the model checking apparatus 100 as a counterexample 540 of the target system.

  First, the reduction unit 220 initializes a set N of nodes to be analyzed with an empty set. In addition, the reduction unit 220 initializes the analysis event set E with an empty set (step S101).

  The reduction unit 220 identifies the system state that violates the verification property 520 in the counter example 540 (step S102). Here, the reduction unit 220 identifies the last system state in the state transition of the counter example 540 as the system state that violates the verification property 520.

  For example, the reduction unit 220 identifies the system state S24 as a system state that violates the verification property 520 in the counter example 540 of FIG.

  The reduction unit 220 extracts a node that violates the verification property 520 in the system state specified in step S102, and adds it to the node set N (step S103). Here, the node that violates the verification property 520 may be input together with the counter example 540. Further, the reduction unit 220 may identify a node that violates the verification property 520 based on the verification property 520 input from a user or the like.

  For example, the reduction unit 220 adds the node SW1 that does not satisfy the verification property 520 in the system state S24 to the node set N as N = {SW1}.

  The reduction unit 220 sets the system state identified in step S102 as the target state S (step S104).

  For example, the reduction unit 220 sets the system state S24 to the target state S.

  The reduction unit 220 determines whether an event preceding the target state S changes the state of the nodes included in the node set N (step S105).

  When changing in step S105 (step S105 / Y), the reduction unit 220 adds a set of an event preceding the target state S and its notification destination node to the event set E (step S106). Then, the simplification unit 220 adds the notification source node and the notification destination node of the event prior to the target state S to the node set N (step S107).

  For example, the event p2 ″ preceding the system state S24 changes the state of the node SW1 included in the node set N. Therefore, the reduction unit 220 adds a set of the event p2 ″ and the notification destination node SW1 to the event set E as E = {(p2 ″, SW1)}. Then, the reduction unit 220 adds the notification destination node SW1 and the notification source node SW2 of the event p2 ″ to the node set N as N = {SW1, SW2}.

  The reduction unit 220 determines whether the target state S is the first system state in the counterexample 540 (step S108).

  In step S108, if the system state is not the first system state (step S108 / N), the reduction unit 220 sets the system state immediately before the target state S as the target state S (step S109). Repeat the process.

  For example, when the target state S is the system state S23, the event p2 'preceding the system state S23 changes the state of the node SW2 included in the node set N. Therefore, the reduction unit 220 adds the set of the event p2 'and the notification destination node SW2 to the event set E.

  Similarly, the reduction unit 220 determines whether or not the event changes the state of the node included in the node set N until the target state S becomes the system state S1, and the event set E and node set N in the case of change. Repeat adding events and nodes to.

  As a result, N = {SW1, SW2, CNT, H1} is obtained as the node set N. As the event set E, E = {(p1, SW1), (pi1, CNT), (fm1, SW1), (p1 ′, SW2), (p2, SW1), (p2 ′, SW2), (p2 '', SW1)}.

  In the node set N obtained in this way, as a node to be analyzed, a node in which a violation of the verification property 520 is detected and a node that may have influenced the state of violation of the verification property 520 of the node are included. Is set. In the event set E, an event that may have affected the state of violation of the verification property 520 of the node is set as an analysis target event.

  If the target state S is the first system state in the counterexample 540 in step S108 (step S108 / Y), the reduction unit 220 reduces the counterexample trace simplified based on the node set N and the event set E. 560 is generated (step S110). Here, the simplification unit 220 extracts the state transition sequence of the nodes included in the node set N from the system state transition sequence indicated by the counter example 540 and associates it with the events included in the event set E, thereby simplifying. Generated counterexample trace 560 is generated.

  FIG. 7 is a diagram illustrating an example of a simplified counter example trace 560 in the embodiment of the present invention.

  For example, the reduction unit 220 generates a simplified counter example trace 560 as shown in FIG.

  In the counter example trace 560 of FIG. 7, compared with the counter example trace 550 of FIG. 6, the state transition sequences of the nodes SW3, SW4, and H2 other than the analysis target node and events other than the analysis target event are omitted, and the simplification. Has been.

  The reduction unit 220 outputs a simplified counter example trace 560 (step S111).

  For example, the reduction unit 220 outputs (displays) the counter example trace 560 of FIG. 7 to the user.

  The user can easily estimate the cause of the failure causing the violation of the verification property 520 by analyzing the transition sequence of the state of the node to be analyzed and the counter example trace 560 simplified to only the event to be analyzed. .

  Thus, the operation of the embodiment of the present invention is completed.

  Next, a characteristic configuration of the embodiment of the present invention will be described. FIG. 1 is a block diagram showing a characteristic configuration of an embodiment of the present invention.

  Referring to FIG. 1, a counter example processing apparatus 200 (information processing apparatus) according to an embodiment of the present invention includes a counter example storage unit 210 and a reduction unit 220. The counter example storage unit 210 stores a counter example 540 indicating a transition sequence until a violation of the verification property 520 of a system state that is a set of states of a plurality of elements related to the system is detected. The simplification unit 220 extracts, from the counterexample 540, an element in which the violation of the verification property 520 is detected and an element that may have affected the state of the violation of the verification property 520 of the element as an analysis target element. The extracted transition sequence of the state of the element to be analyzed is output in association.

  According to the embodiment of the present invention, the analysis of counterexamples in model checking can be made efficient. The reason is that, from the counterexample 540, the reduction unit 220 divides the element in which the violation of the verification property 520 is detected and the element that may have affected the state of violation of the verification property 520 of the element into the element to be analyzed. Is extracted as a simplified counter example trace 560 and output. As a result, it is possible to efficiently identify the defect in the model check.

  While the present invention has been described with reference to the embodiments, the present invention is not limited to the above embodiments. Various changes that can be understood by those skilled in the art can be made to the configuration and details of the present invention within the scope of the present invention.

  The present invention can be applied to a tool that supports the identification of defects by analyzing counterexamples in model checking. In addition to model checking, the present invention can also be applied to tools that display execution traces.

DESCRIPTION OF SYMBOLS 100 Model inspection apparatus 110 Model production | generation part 120 Model inspection part 200 Counterexample processing apparatus 201 CPU
202 Storage means 203 Communication means 204 Input means 205 Output means 210 Counterexample storage section 220 Reduction section 510 Model description 520 Verification property 530 Inspection result 540 Counterexample 550 Counterexample trace 560 Counterexample trace

Claims (9)

A counter example storage means for storing a counter example indicating a transition sequence until a violation of a predetermined verification property of a system state that is a set of states of a plurality of elements related to the system is detected;
From the counter example, an element in which the violation of the verification property is detected and an element that may have affected the state of the element in violation of the verification property are extracted as analysis target elements, and the extracted analysis A reduction means for associating and outputting the transition sequence of the state of the target element;
An information processing apparatus comprising: The transition of the system state occurs when the state of the other element changes due to an event notified from one element to the other element among a plurality of elements related to the system,
The counter example represents a transition sequence of the system state and an event related to each transition of the transition sequence,
The simplification means further extracts, from the counterexample, an event that may have affected the state of violation of the verification property of the element in which the violation of the verification property is detected as an event to be analyzed, and the analysis target Output in association with the transition sequence of the state of
The information processing apparatus according to claim 1. The counter example includes a notification source of an event related to each transition of the system state transition series, and a notification destination,
The reduction means sets the element in which the violation of the verification property is detected as the element to be analyzed, and on the system state transition sequence in the counter example, from the system state in which the violation of the verification property is detected, Detection of an event that changed the state of the analysis target element in a direction before the system state, addition of an element that is a notification source of the detected event to the analysis target element, and detection Extracting the event to be analyzed and the event to be analyzed by repeating the addition of the event to the event to be analyzed,
The information processing apparatus according to claim 2. Stores a counter-example indicating a transition sequence until a violation of a predetermined verification property of a system state that is a set of states of a plurality of elements related to the system is detected,
From the counter example, an element in which the violation of the verification property is detected and an element that may have affected the state of the element in violation of the verification property are extracted as analysis target elements, and the extracted analysis Output by associating the transition sequence of the state of the target element,
Counterexample processing method. The transition of the system state occurs when the state of the other element changes due to an event notified from one element to the other element among a plurality of elements related to the system,
The counter example represents a transition sequence of the system state and an event related to each transition of the transition sequence,
Further, from the counterexample, an event that may have affected the state of violation of the verification property of the element in which the violation of the verification property is detected is extracted as an analysis target event, and the state of the analysis target element is extracted. Output in association with transition series,
The counter example processing method of Claim 4. The counter example includes a notification source of an event related to each transition of the system state transition series, and a notification destination,
The element in which the violation of the verification property is detected is set as the element to be analyzed,
On the transition sequence of the system state in the counter example, detection of an event in which the state of the analysis target element is changed in a direction before the system state from the system state in which the violation of the verification property is detected, By repeating the addition of the element that is the notification source of the detected event to the element to be analyzed and the addition of the detected event to the event to be analyzed, the element to be analyzed, and the Extract events to be analyzed,
The counter example processing method according to claim 5. On the computer,
Stores a counter-example indicating a transition sequence until a violation of a predetermined verification property of a system state that is a set of states of a plurality of elements related to the system is detected,
From the counter example, an element in which the violation of the verification property is detected and an element that may have affected the state of the element in violation of the verification property are extracted as analysis target elements, and the extracted analysis Output by associating the transition sequence of the state of the target element,
A program that executes processing. The transition of the system state occurs when the state of the other element changes due to an event notified from one element to the other element among a plurality of elements related to the system,
The counter example represents a transition sequence of the system state and an event related to each transition of the transition sequence,
Further, from the counterexample, an event that may have affected the state of violation of the verification property of the element in which the violation of the verification property is detected is extracted as an analysis target event, and the state of the analysis target element is extracted. Output in association with transition series,
The program according to claim 7, wherein the program is executed. The counter example includes a notification source of an event related to each transition of the system state transition series, and a notification destination,
The element in which the violation of the verification property is detected is set as the element to be analyzed,
On the transition sequence of the system state in the counter example, detection of an event in which the state of the analysis target element is changed in a direction before the system state from the system state in which the violation of the verification property is detected, By repeating the addition of the element that is the notification source of the detected event to the element to be analyzed and the addition of the detected event to the event to be analyzed, the element to be analyzed, and the Extract events to be analyzed,
The program according to claim 8, wherein the program is executed.

Images