JP3582849B2 - Logic program verification method - Google Patents

Description

のいずれともなり得るものとして、リテラルが定義される。
【００５０】
なお、述語論理における論理式は、次のような接続子を用いて構成される。
【数２】

ここで、上記接続子は、左から順にそれぞれ、否定、連言、選言、含意、限定、一般的量化を表す。例えば、Ａがリテラル、Ｖが変数、Ｆ１及びＦ２が論理式とした場合、次のようなものも論理式となる。
【数３】

また、論理式のうち、一定の、そして通常は単純な書式が「節」と呼ばれる。述語論理で用いられるセンテンス（一連の文）は、このような節の集合として定義され、これら節の結合として解釈される。
【００５１】
２−１−２．論理プログラミング言語
本実施例における論理プログラミング言語は、プロログ（Ｐｒｏｌｏｇ）の変形であり、上記のような論理言語の部分集合である。すなわち、この部分集合は、上記述語論理のうち、この部分集合によって記述されるような問題について、効率的な解決手順が存在するものである。このような述語論理の部分集合は、「確定節」として知られており、確定節は、次の３つの書式の一つに限定された論理式である。
【数４】

ここで、Ｈは原子論理式、Ｂは（空でない）リテラルの連言、□は真の述語（すなわち、恒真である関係）、Ｖ１，・・・，Ｖｎは、ＨやＢにおいて生じる変数である。上記数式４における第１の書式は「質問」と呼ばれ、第２の書式は「ルール」と呼ばれ、第３の書式３は「事実」と称されている。
【００５２】
本実施例における論理型プログラムは、上記のような確定節の集合によって構成されたセンテンスである。そして、論理型プログラムでは、上記の「質問」がそのプログラムによって解決されるべき課題を表す。このような課題は、例えば、
【数５】

が偽であることの証明によって構成される。この例における証明は、すなわち、「Ｂが真」というような変数Ｂへの代入の存在の証明を意味する。
【００５３】
以下の説明では、上記の論理プログラミング言語を前提とし、プロログ文法に近い表記法によって論理型プログラムを表す。すなわち、連言接続子はカンマと共に（カンマを使用して）記述し、選言及び一般的量化の記号は省略し、節の終りはピリオドで表す。また、変数名は大文字から開始し、述語記号及び関数記号は小文字又は数字から開始する。さらに、リストに関する便宜的表記法として、
【数６】
［］
は空のリストを、［ｔ１｜ｔ２］は、最初の要素が項ｔ１、最後の要素が項ｔ２であるようなリストを表し、また、［ｔ１，・・・，ｔｎ］は項のリストｔ１，・・・，ｔ２を表す。
【００５４】
ここで、上記「質問」と、スタックの操作を定義する単純な論理型プログラムの一例を図２に示す。この図では、１行目が「質問」になっており、２行目から５行目は述語記号“ｓｔａｃｋ”によって表される関係を定義している。この定義は再帰的であり、引数１から５で与えられた複数の値のリストについて、各リストが全て終了するまで所定の操作を繰り返す動作を表している。なお、各リストにおける繰り返しは、ハードウェア・クロックの１サイクルを表し、また、述語記号“ｓｔａｃｋ”の６つ目の引数は値のスタックを表す。
【００５５】
また、図２において、６〜９行目は、述語記号“ｓｔａｃｋＢｏｄｙ”を定義する「事実」であり、述語記号“ｓｔａｃｋ”の最初の５つの引数は、スタックに転送され又はスタックから転送される一連の値を示すのに用いられるリストである。そして、述語記号“ｓｔａｃｋＢｏｄｙ”によって表現される関係は、スタック操作を表している。また、定数“ｎｏｐ”はアイドリング・サイクルを意味し、“ｅｘｅｃ”は実行サイクルを意味する。さらに、定数“ｐｕｓｈ”及び“ｐｏｐ”は、それぞれ、スタックへの要素の積み上げ（プッシュ）又はスタックからの要素の取り出し（ポップ）を起動する命令を表している。
【００５６】
また、定数“ｏｋ”及び“ｅｒｒｏｒ”は操作が有効であったか無効であったかを知らせる信号として用いられる。さらに、述語記号“ｓｔａｃｋＢｏｄｙ”の３番目の引数は、プッシュ操作（７行目）においてスタックにプッシュされる要素を意味し、４番目の引数は、正常なポップ操作（８行目）においてスタックからポップされる要素を意味する。また、６番目の引数は操作前のスタックを意味し、７番目の引数は操作実行の結果であるスタックを意味する。
【００５７】
このような論理型プログラムの「質問」（１行目）は、当該論理型プログラムが解決しようとする問題の論述を表し、具体的には、当該質問における原子論理式が真になるような出力信号“Ｏ”及びエラー信号“Ｅ”の値を決定することを意味している。この例では、質問に対して無数の解の候補が存在する。すなわち、ｔ１，ｔ２及びｔ３が任意の項とした場合、“Ｏ”は値［ｔ１，ｔ２，ａ，ｔ３］を取ることができ、また、“Ｅ”は値［ｏｋ，ｏｋ，ｏｋ，ｅｒｒｏｒ］を取ることができる。
【００５８】
２−１−３．質問の解決
なお、このような質問の解は、接続子“←”の右辺の原子論理式を手続呼出と考えることで得ることができる。この場合、接続子“←”の左辺に位置し、前記手続呼出と同じ述語記号及び（多ソート代数にいう）アリティを有する節の集合が手続定義に相当する。このような質問の解決では、最初の質問Ｑから、原子論理式Ａ（但しＡ≠□）が選択されて除去され、Ｑ´が残る。その後、手続呼出とみなされる原子論理式Ａは、対応するものが発見されるまで、手続の連言の節における左辺の原子論理式と比較される。この比較において、２つの原子論理式は、両原子論理式中の変数について、両者が等しくなるような置換候補が存在するとき、適合するとされる。このような適合対象を求める手続をマッチングという。
【００５９】
例えば、変数の置換候補の集合θによってＡ１がＡに適合するような節“Ａ１←Ｂ”を仮定した場合、
【数７】

に置換候補θを適用した結果が新たな「質問」として扱われ、この質問に上記のようなマッチング処理が再帰的に適用されれば、質問Ｑを解決することができる。この処理は、上記のように新たに発生した中間的質問が、□のみによって構成された状態に到達したときに終了する。質問に対する解は、最初の質問Ｑに、上記のような全ての置換候補を適用することによって導かれる。
【００６０】
なお、上記のように発生する中間的質問の解決中に、選択されたある質問に適合する節が存在せず、解決に「行き詰まった」場合、バックトラッキング（後戻り）が開始される。バックトラッキングによれば、「質問」の解決のために、上記のような「適合」の条件を満たす他の節を探索することができる。なお、この場合、他の節の探索に先立って、上記のような行き詰まりに至るまでに生成された変数の置換候補は、全て消去される。
【００６１】
論理型プログラムにおいては、上記のように、最初の質問が、特定の質問に対する論理型プログラム解決システムの答えを求めることを意味している（例えば、図２における質問は、出力信号Ｏ及びエラー信号Ｅについて、質問の記述内容を満たすような値を要求している。）。そして、本実施例における検証手続の目的は、２つの論理型プログラム（すなわち仕様及び実システム）が、あり得る全ての質問に対して同一の動作を提供するか否かを決定することである。
【００６２】
ここで、論理プログラムとしては多様な質問がありうるが、仕様記述として意味があるのはその一部である。例えば、図２に示したようなハードウェアスタックの記述について、たとえば、出力値およびエラー信号を与えて、入力信号や制御、モードを逆算するようなことは論理型プログラムとしては計算可能だが、仕様記述としては必要はない。
【００６３】
本実施例の仕様言語によれば、多相性を直接表現できるので、従来の手法と比べて、より高度の抽象が可能である。
【００６４】
２−１−４．汎化質問
そして、このように現実の動作において考えられる、より少ない質問の集合についてのみ２つの論理型プログラムを比較すれば、検証所要時間は大幅に短縮することができる。そこで、このような少ない質問の集合を、「汎化質問」という概念によって表現することとする。この汎化質問は、プログラムの一部として入力され、環境宣言部及びインタフェースという２つの部分から構成される。このうち、インタフェースは、検証対象となる構成要素における対外入出力ポートを定義する。この場合、妥当性の検証は、インタフェースに現れる振る舞いに関して行われ、当該構成要素における内部構造の詳細は重要でないものとして無視することができる。また、環境宣言部は、検証対象となる構成要素において、通常の動作において現れ得る入力値の集合を特定する役割を果たす。
【００６５】
図３は、汎化質問（１行目）を、環境定義の補助に必要ないくつかの追加的な節と共に示している。最初の４つのアトム（記述単位）は、汎化質問の環境宣言部を構成している。これらのアトムは、プログラム実行中にスタックへの入力が持ち得る値のデータ型を定義している。また、汎化質問の５番目のアトムは、インタフェースを定義しており、この例におけるインタフェースは、スタックへのインタフェースによって構成されている。
【００６６】
２−２．論理型プログラムのＦＳＭへの変換
２−２−１．静的解析によるデータ型の獲得
入力された論理型プログラムは変換部５に転送され、静的解析によって、論理型プログラム実行中における変数のデータ型が決定される（参考文献：Ｍａｕｒｉｃｅ Ｂｒｕｙｎｏｏｇｈｅ ａｎｄ Ｇｅｒｄａ Ｊａｎｓｓｅｎｓ． Ａｎ ｉｎｓｔａｎｃｅ ｏｆ ａｂｓｔｒａｃｔ ｉｎｔｅｒｐｒｅｔａｔｉｏｎ ｉｎｔｅｇｒａｔｉｎｇ ｔｙｐｅ ａｎｄ ｍｏｄｅ ｉｎｆｅｒｅｎｃｉｎｇ． Ｉｎ Ｔｈｅ ＭＩＴ Ｐｒｅｓｓ， ｅｄｉｔｏｒ， Ｌｏｇｉｃ Ｐｒｏｇｒａｍｍｉｎｇ： Ｆｉｆｔｈ Ｉｎｔｅｒｎａｔｉｏｎａｌ Ｃｏｎｆｅｒｅｎｃｅ ａｎｄ Ｓｙｍｐｏｓｉｕｍ， ｐｐ． ６６９−６８３． ＩＥＥＥ， Ａｕｇｕｓｔ １９８８．）。すなわち、静的解析によれば、各種最適化に有用な情報を提供できるので、本実施例では、ユーザに必要な情報を問い合わせることなく、静的解析を用いている。
【００６７】
ここで、論理型プログラムにおいて、データ型は、論理型プログラムで用いられる変数がプログラム実行中に値として取り得る項の集合を表現したものである。すなわち、データ型は、“τ→｛ｕ１，・・・，ｕｎ｝”のような書式規則の集合によって定義される。ここで、τはデータ型を意味するデータ型変数であり、ｕ１，・・・，ｕｎはデータ型の項である。データ型の項は、原則的には通常の論理項と同様に構成されるが、変数としては、通常の論理変数の代りにデータ型変数が用いられる。また、あり得る全ての項を表す特殊なデータ型は“Φ”と表され、この場合、どのデータ型τについても次の関係が成立する。
【００６８】
【数８】

【００６９】
図３に示す汎化質問に静的解析を適用すると、その結果として図４に示すようなデータ型規則集合が得られる。また、実行中の変数のデータ型は図５及び６に示すような内容となる。このうち図５は手続の入口（エントリ）におけるデータ型であり、図６は手続の出口におけるデータ型である。なお、汎化質問の環境宣言部におけるこれら呼出の型は、静的解析に続く以下の手順においては無視され、参照されることはない。これらの解析結果は、論理型プログラムのＦＳＭへの変換において用いられる。
【００７０】
２−２−２．ＦＳＭ
続いて、各論理型プログラムは、比較のために（比較の基準となる）規範的ＦＳＭに変換される。ここで、図７は、ＦＳＭの基礎となる有限状態機械の全体構成を示す概念図であり、入力ポートＩ、出力ポートＯ、遷移関数ｆ及び状態レジスタＲを示している。すなわち、ＦＳＭでは、遷移関数ｆが、現在の状態Ｓ及び現在における入力ポートＩからの入力を取得し、出力ポートＯからの出力及び次の状態ＮＳを演算する。そして、状態レジスタＲは、現在のサイクル実行中は次の状態ＮＳを格納し、この次の状態ＮＳは次のサイクルにおける状態として用いられる。
【００７１】
上記のような次状態への遷移関数を規範的表現において用いることによって、２つのＦＳＭの比較における問題が単純化なものとなる。すなわち、ｆｓ及びｆｉをそれぞれ仕様及び実システムに対応する遷移関数とし、ｆｓ及びｆｉが共に規範的（ＦＳＭ）形式で表されているとする。このとき、あり得る全ての入力Ｉ及び現在の状態Ｓに対してｆｓ（Ｉ，Ｓ）＝ｆｉ（Ｉ，Ｓ）ならば、ｆｓの規範的形式はｆｉの規範的形式と同一と考えることができる。
【００７２】
論理型プログラムをこのような規範的ＦＳＭ形式に変換するには、論理型プログラムの表記法に内在する構造を除去するため、いくつかのステップが必要である。最初のステップでは、論理型プログラムにおける「節」という構造の一部を除去するため、手続を定義する複数の節を、完備形式として知られる単一の節に合成する。ここで、ｎ項のある述語記号ｐに関する手続定義がｍ個の節：
【数９】

から構成されている場合、ｐの完備形式を構成するには、まず、新たな変数Ｖｉ（但しｉ＝１・・・ｎ）が生成される。これらの変数と項ｔｊｉ（但しｉ＝１・・・ｎ，ｊ＝１・・・ｍ）を用いて、新たな原理論理式Ｖｉ＝ｔｊｉが各ｉ＝１・・・ｎ，ｊ＝１・・・ｍについて生成される。なお、ここで、ｔｊｉは前記ｍ個の節のｎパラメータであり、また、“＝”は等価関係を表す項で、「ｔ１とｔ２が一致するとき、およびそのときにかぎり原子論理式“ｔ１＝ｔ２”は真である。」ということを表す。前記の各節のうち、これらの原子論理式とボディＢｊ（但しｊ＝１・・ｍ）を用いて、ｐの完備形式が次のような形式となる。
【数１０】

この手順は、全ての手続定義が完備形式となるまで繰り返される。図８は、図２のスタックプログラムに基づいた完備形式である。
【００７３】
２−２−３．手続呼出階層の平坦化
次のステップは、手続呼出階層の平坦化によって構成され、このステップによって、呼出は手続ボディによって置き換えられる。この置換えは、「展開」として知られ、この展開では、手続ボディ内の変数は呼出引数によって置き換えられ、また、手続に対してローカルな変数に対しては、識別性が保たれるように適当な名称変更が施される。
【００７４】
平坦化手続においては、再帰的呼出の処理が一つの問題となる。すなわち、再帰的手続は、実行中、呼出結果を最終的にその再帰的手続自体に戻すような呼出を含む手続である。例えば、図２の手続“ｓｔａｃｋ”はその５行目に呼出を有しているが、この呼出は、この呼出自身が含まれている手続自体に対する（直接の）再帰的呼出である。
【００７５】
呼出を非再帰的手続に展開し続けると、プログラムは最終的に、非再帰的手続への呼出がもはや残らないものになる。そして、再帰的手続呼出の処理に際して、どの再帰的呼出を手続ボディによって連続的に展開した場合に、処理終結が導かれるかを決定するには、次のような手法が用いられる（参考文献：Ｍ．Ｂｒｕｙｎｏｏｇｈｅ ｅｔ Ｄａｎｎｙ Ｄｅ Ｓｃｈｒｅｙｅ ａｎｄ Ｂｅｒｎ Ｍａｒｔｅｎｓ． Ａ ｇｅｎｅｒａｌ ｃｒｉｔｅｒｉｏｎ ｆｏｒ ａｖｏｉｄｉｎｇ ｉｎｆｉｎｉｔｅ ｕｎｆｏｌｄｉｎｇ ｄｕｒｉｎｇ ｐａｒｔｉａｌ ｅｖａｌｕａｔｉｏｎ． Ｎｅｗ Ｇｅｎｅｒａｔｉｏｎ Ｃｏｍｐｕｔｉｎｇ， ｐｐ． ４７−７９， Ｎｏｖｅｍｂｅｒ １９９２．）。すなわち、ここでは、どの再帰的呼出が数量的にある程度“小さい”二次的再帰的呼出を常に生じるかが検出され、それによって、最終的には、サイズがゼロの呼出、換言すれば、再帰的手続への他の呼出を生じない呼出を、結果的に得ることができる。
【００７６】
ところで、図９は、スタックプログラムの他の一例であり、ここでは、スタックにプッシュされ得る要素の数が３つに制限されている。期待される実行モードでは、関係“ｌｅｎ”は、最初の引数で与えられたリストの長さを算出し、それを２番目の引数に戻すことを意味している。ここでは、挿入辞的に（インフィックス記法／中置表記法で）表記される“＜”や“ｉｓ”が意味する関係は、システムに組み込みのものと想定する。なお、“＜”が意味する関係は、２つの引数が整数であり、かつ、最初のものが２番目のものよりも厳密な意味で小さいときに真となる関係である。また、期待される実行モードでは、関係“ｉｓ”はその右側の式の値を求め、その結果を述語記号“ｉｓ”の左側の変数に代入するものとして働く。
【００７７】
そして、図１０は、図９の（スタックに要素が３つ入っている）スタックプログラムの完備形式を示しており、図１１は、当該プログラムの平坦化されたものである。なお、再帰的手続“ｌｅｎ”に対する呼出は拡張されているが、これは、その２番目の引数が、常に３という上限を有するからである。
【００７８】
２−２−４．ＦＳＭへのマッピング
以上のように平坦化された後のプログラムには、再帰的手続の呼出のみが残ることとなる。再帰的手続のマッピングは、再帰的手続の手続ボディを、次のような反復的表現に対する再帰的呼出を除いてＦＳＭにマッピングすることによって行われる。
【数１１】

ここで、Ｒは状態レジスタ、関数ｌ及びｒはそれぞれ、一組の引数の左側及び右側の要素を返す関数である。数式１１に示したような繰り返し形式（ｆｓｍ）は、次のような初期状態に加え、一連の入力値から一連の出力値を生成する再帰的手続と等価である。
【００７９】
【数１２】

ここで、遷移関数は述語表記で書かれ、左右選択関数ｌ及びｒはマッチングを通じて実現されている。
【００８０】
ところで、ＦＳＭの述語表記では、入力リスト及び出力リストは、遅延評価と同様の手法で一時的な変数領域で処理される変数の順序を示す。このため、リスト全体を格納するためにメモリを要することはない。しかし、前記ｆｓｍの３番目の引数は、入力リスト及び出力リストにおけるリストの位置が前進したり、現在状態Ｒｉが次の状態Ｒｉ＋１ によって上書きされるときにおける空回り状態を回避するために、ストレージ・レジスタを包含する（表している）。
【００８１】
平坦化されたプログラムにおける再帰的呼出は、上記手続ｆｓｍと構造が同一のパターンを発見するために解析される。すなわち、再帰的呼出のエントリ型（入口の型）及び出口型（出口の型）の解析によって、つまり、呼出しの入口点と出口点の型を解析することで、どの引数が、一時的変数領域で処理され得る列型を意味するかが決定される。この列型は次のような書式となる。
【数１３】

ここで、τは列型を意味するいずれかの型変数、τｅはリストの要素型を意味する型変数、ｆ０は任意の定数、ｆ１は任意の２引数の関数記号である。例えば、リスト表記
【数１４】

はしばしば列型として用いられる。
【００８２】
再帰的手続の引数はさらに入力リストと出力リストとに区分される。ここで、呼出の引数のエントリ型（例えば図５）がΦ型を含まない列型（すなわち基底型）の場合、引数は入力リストである。エントリ型が、Φ型と等しい場合も、要素型τｅがΦ型である列型と等しい場合も、引数は出力リストである。また、入力リスト又は出力リストのいずれでもない引数は、状態レジスタに区分される。そして、１つ以上の入力リスト及び１つ以上の出力リストを有する再帰的手続は、上記再帰的手続ｆｓｍで説明したようなＦＳＭ形式に直接対応する。
【００８３】
なお、本実施例では、論理型プログラムをＦＳＭ形式に変換するプロセスが必要なため、いくつかの制限が存在する。すなわち、ｆｓｍで説明したＦＳＭ形式にマッピングできないような再帰的手続を含むプログラムは、取り扱うことができない。また、機械は有限状態でなければならず、さらに、状態の表現は有限でなければならないため、さらなる制約が状態レジスタの表現に適用される。なお、任意の論理型プログラムを比較する場合の問題は予測不能であるため、その内容に応じていくつかの制約が生じ得る。
【００８４】
上記のような制約を満たす論理型プログラムは、１以上のＦＳＭの連携から構成される。因みに、図１０の完備形式は、ｆｓｍで説明した書式に直接マップされるので、このような制約を満足することとなる。また、小さなＦＳＭの連鎖によって構成されるプログラムでは、小さなＦＳＭの状態表現の全てを連鎖させることによって全体の状態表現を構成し、大きな単一のＦＳＭが構築することができる。このような場合、全体としての遷移関数も、小さなＦＳＭの遷移関数の連鎖として構成される。以上の結果、入力リスト引数（すなわちＩ）、出力リスト引数（すなわちＯ）及び単一の状態レジスタ引数（すなわちＲ）を有する単一の再帰節が得られる。
【００８５】
遷移関数は、このような単一の再帰節から導かれた“Ｈ←Ｂ”という形式の新たな手続である。この遷移関数のボディＢは、単一の再帰節のボディから、リスト関連処理と同様に再帰的呼出を除去した結果得られる表現である。Ｈの引数は、再帰節の列型から状態及び次状態変数と組み合わせて抽出された個々の入出力要素である。すなわち、Ｈの引数は、列型から選択された入出力要素に対応するものと、状態及び次状態変数と、を含む。
【００８６】
なお、入出力の引数における位置は、要素選択の対象となるリスト上の位置に対応するように、注意深く整えられる。すなわち、状態及び次状態の引数は、常に、遷移関数の最後から２つの引数位置に配置される。完備形式は、遷移関数を表す手続が、原子論理式中において接続子“←”の左側にのみ変数を有することが確実となるように適用される。
【００８７】
なお、図１２は、図１０から抽出された遷移関数を示す図である。ここでは、関数が仕様ＦＳＭの遷移関数であることを表示するのに、述語記号“ｓｐｅｃ”が用いられている。
【００８８】
２−２−５．ボディの並べ換え
そして、次のような手順によって遷移関数のボディを並べ変えると、規範に近い決定木と呼ばれる記述が得られる。
【００８９】
２−２−５−１．Ｖが入力、出力又は次の状態変数とした場合、各原子論理式“ｔ＝Ｖ”を原子論理式“Ｖ＝ｔ”に並べ変える。
【００９０】
２−２−５−２．Ｖ１は連言において以外に生じず、また、Ｖｉｎを入力変数とした場合、“Ｖｉｎ＝Ｖ１”のような形式の原子論理式を除去する。このステップによって、無意味な比較を回避することができる。
【００９１】
２−２−５−３．原子論理式を比較と代入とに区分する。ここで、比較は、Ｖｉｎが入力変数又は現在状態変数で、ｔが任意の項の場合において、“Ｖｉｎ＝ｔ”という形式の原子論理式である。また、代入は、Ｖのエントリ型がΦの場合において、“Ｖ＝ｔ”という形式の原子論理式である。
【００９２】
２−２−５−４．変数Ｖ１，Ｖ２，・・・，Ｖｌ−１を、遷移関数への引数として現れる順序の入力変数とし、また、Ｖｌを現在状態変数とする。また、｛Ｖｉ＝ｔｉ１，・・・，Ｖｉ＝ｔｉｎ｝をＶｉにおける一般的な比較の集合とする。このとき、遷移関数の手続ボディは、図１３に示すような形式に再構築される。この図１３において、ノードは入力及び状態変数Ｖｉ（但しｉ＝１・・ｌ）を表し、項ｔｉ１，・・・，ｔｉｎがラベルとなっているノードＶｉからのエッジは、選言の接続子Ｖ（ＯＲ）で接続されているように、二者択一の比較Ｖｉ＝ｔｉｊ（但しｊ＝１・・ｎ）を表している。このツリーにおける（いわば）葉は、出力変数への代入が順列し及び冒頭に配置されるように配置換えされた入力及び状態変数、との比較を必要としない表現である。この表現には、次状態変数に値を代入する表現が続く。
【００９３】
なお、前記変数の順序Ｖ１，Ｖ２，・・・，Ｖｌ−１は、一定で、この変数順序によれば、前記比較の集合｛Ｖｉ＝ｔｉ１，・・・，Ｖｉ＝ｔｉｎ｝を並べ換えることによって、表現は規範的表現に近いものとなる。なぜならば、いかなる等価な有限状態機械も、同一の入力を与えられた場合、同様な順序の比較を有するからである。図１４は、このようにボディを決定木に並べ換えた後の遷移関数を示す図である。
【００９４】
なお、ここで、Ｖｓを現在状態変数とした場合、ｔが状態型における複数の項に適合する場合における“Ｖｓ＝ｔ”という形式の比較は、節の平坦化に類似した処理を用いることによって平坦化され、遷移関数で生じる全ての項が独特の項を生じることとなる。図１５は、このようなスタック状態の平坦化の結果を示す図である。
【００９５】
２−２−６．状態の符号化
さらに、ＦＳＭの状態の検出は、まず、遷移関数中で生じる状態の各項ｔをペアｉ：＜Ｖ１，・・・，Ｖｎ＞に変換することによって実現される。なお、ここで、ｉは固有の整数であり、＜Ｖ１，・・・，Ｖｎ＞は、多相変数のベクトルである。この場合、変数Ｖ１，・・・，Ｖｎを含み、これら各変数がそれぞれエントリ型及び出口型Φを有する項ｔについては、変数Ｖ１，・・・，ＶｎはＦＳＭの多相パラメータを表す。また、ベクトル＜Ｖ１，・・・，Ｖｎ＞は、ｔの変数のリストによって構築され、このリストによる構築は、あらかじめ定められた順列規則（典型的には深さ優先で、左から右向きの順列）にしたがって行われる。これらベクトルは、全てのベクトルが等しい長さになるように、固有の変数と共に右詰めで配置される。整数ｉのペアに代入される内容は、多相変数の改名によって、状態型の項を検出し、各項に固有の整数を代入することによって決定される。なお、図１６は前記スタックの例における遷移関数の最終的な規範的形式を示す。
【００９６】
なお、以上のような変換に失敗した場合は失敗がユーザに報知される。
【００９７】
２−３．ＦＳＭの比較
以上のように変換された第１及び第２のＦＳＭは比較部６に転送され、比較部６が両ＦＳＭの等価性を検証する。２つのＦＳＭが等価であることを検証するには、まず、各機械の入力、出力及び状態の表現を符号化したものの間で、各遷移関数が等しいという等価関係が確認されなければならない。
【００９８】
まず、ここで、Ｅｉ，Ｅｏ及びＥｓを、それぞれ、両機械間における入力、出力及び状態の表現の等価関係とする。この場合、例えば、等価関係Ｅｉは、ペア（ｔ１，ｔ２）の集合であり、この場合におけるｔ１は、第１のＦＳＭにおける入力型の要素たる項である。また、ｔ２は、第２のＦＳＭにおける入力型の要素たる項である。等価関係Ｅｏ及びＥｓにおいても同様である。
【００９９】
本実施例において、等価関係Ｅｉ及びＥｏはいずれも、実行時間短縮のためユーザが入力してもよいし、また、等価関係Ｅｓと共に算出されてもよい。
【０１００】
そして、ｆ１及びｆ２を、ぞれぞれ、第１のＦＳＭ及び第２のＦＳＭにおける遷移関数とし、ｆ´２を、ｆ２の各入力、出力及び状態の項をそれぞれ、Ｅｉ、Ｅｏ及びＥｓに含まれるペアの該当要素で置き換えた関数とすると、２つの有限状態機械はｆ１＝ｆ´２のとき等価である。
【０１０１】
２−３−１．制約解決器
このようなｆ１＝ｆ´２を満足するような等価関係Ｅｉ、Ｅｏ及びＥｓを求めるには、制約解決器が用いられる。ここで、制約とは、型のとり得る値に対してその部分集合を規定する条件である。そして、この場合の制約は、非等価関係の連言のみならず、制約変数における等価関係の連言の選言から構成される。
【０１０２】
ここでは、具体的には、各ＦＳＭにおける各入力、出力及び状態の項に対して、固有の制約変数が生成される。なお、非等価関係は、ある一つの機械において、２つの等しい入力項の不存在、２つの等しい出力項の不存在、及び、等しい２つの状態値の不存在を、条件として指定する。これは、次のように表される。
【数１５】

ここで、各ｉ１ｊ（但しｊ＝０・・ｐ）、ｏ１ｋ（但しｋ＝０・・・ｑ）及びｓ１ｌ（但しｌ＝０・・ｒ）は、第１のＦＳＭに基づいた制約変数であり、それぞれ、入力型、出力型及び状態型を表している。同様のルールは、ＦＳＭ２のｉ２ｊ、ｏ２ｋ、ｓ２ｌについても生成される。
【０１０３】
残る等価関係の連言の選言（すなわち積の合計（和））は、全ての可能なｆ１の再配列ｆ１１，ｆ１２，・・・，ｆ１ｎを得ることによって生成される。このようなｆ１の再配列は、選言における表現を変換することによって得られる。すなわち、
【数１６】

は、
【数１７】

と変換される。
【０１０４】
ここで、各ペアｆ１ｉ及びｆ２は同時に検討され、それによって、両者が構造的に同一か（すなわち、両者の決定木が構造的に同一か）否かが決定される。両者が構造的に同一の場合、連言が等価“Ｖ１＝Ｖ２”の間に配列される。ここで、Ｖ１は項ｔ１の制約変数、Ｖ２はｔ２の制約変数であり、また、ｔ１は第１のＦＳＭの一つの入力（、出力、状態）項であって、前記検討中に第２のＦＳＭの項ｔ２に適合したものである。選言は、構造的に同一のペアの各連言に基づいて形成される。
【０１０５】
このように生成された制約に基づいて第１及び第２のＦＳＭの間における等価性が判定され、その判定結果が出力部７を通じ、表示装置２に表示される。なお、図１７は、以上の論理型プログラム比較手順の大まかな流れを示すフローチャートである。
【０１０６】
３．実施例の効果
以上のように、本実施例によれば、比較の基礎となる等価関係は、厳密な等価関係である必要はなく、所定の関係であれば足りるので、パラメータによる表示を含む論理型プログラムの比較による妥当性検証が可能になる。また、本実施例では、検証に適した規則性にしたがって構成された規範的なＦＳＭを得ることができるので、ＦＳＭ同士の比較が容易になる。また、本実施例では、汎化質問によって比較内容が制限されるので、比較を効率的に行うことができる。また、本実施例では、変換部５が、各プログラムに静的解析を適用することによって前記データ型を獲得するので、ユーザは、プログラムに基づいてデータ型を決定する煩雑な手数を省くことができる。
【０１０７】
また、本実施例では、比較部６が、制約解決器を用いて前記比較を行うので、状態の内部表現が相違する有限状態機械同士を比較することができる。このため、本実施例によれば、ユーザは、比較対象となる各有限状態機械の各状態表現から対応関係を発見する煩雑な手順から解放される。さらに、本実施例は、パラメトリック多相変数を用いて表現された状態を有する有限状態機械（すなわち、パラメトリックに（パラメータを用いて）表現された状態を含む有限状態機械）同士の比較が可能になるという利点を有する。
【０１０８】
また、本実施例では、状態空間に存在するパターンを活用できるので、より多様な装置の比較が可能になり、また、比較全体の速度が向上する。また、本実施例では、多相性が、汎化された機械を比較できる有力な機構を提供したが、これは、多相性の各事例（要素）を、状態空間における単一のパターンとして取り扱うことによって実現されたものである。
【０１０９】
４．他の実施例
なお、本発明は上記実施例に限定されるものではなく、次のような他の実施例をも包含するものである。例えば、上記実施例では、データ型に関する情報は静的解析によって得られるが、このような情報は、他の解析手法や手入力など静的解析以外の手段によって獲得してもよい。また、汎化質問に示される情報についても手入力によって獲得するか、又はなんらかの解析手法によって獲得するかは自由である。
【０１１０】
【発明の効果】
以上のように、本発明によれば、パラメータによる表示を含む論理型プログラムについても比較による妥当性検証が可能で、しかも、このような検証を効率的に実現する、優れた論理型プログラム検証方法を提供することができる。
【図面の簡単な説明】
【図１】本発明の実施例の論理型プログラム比較装置のブロック図。
【図２】本発明の実施例における、スタック操作を表す論理型プログラムの一例の内容を示す図。
【図３】同実施例における汎化質問の内容を示す図。
【図４】図３に示した操作環境において、図２に示したプログラムに由来する型規則の集合を示す図。
【図５】図２のプログラムに基づく、手続呼出エントリにおける変数型の内容を示す図。
【図６】図２のプログラムに基づく、手続呼出出口における変数型の内容を示す図。
【図７】有限状態機械の要部のブロックダイヤグラム。
【図８】図２のプログラムの各節に基づいた完備形式の内容を示す図。
【図９】本発明の実施例におけるスタック操作プログラムの他の一例であって、スタックの深さが３に制限されているもの。
【図１０】図９に示した各節に基づいた完備形式の内容を示す図。
【図１１】図１０の完備形式に平坦化を施した結果の内容を示す図。
【図１２】図１１の平坦化されたプログラムから抽出された遷移関数の内容を示す図。
【図１３】決定木の一般的構造を示す図。
【図１４】図１２の遷移関数を並べ変えたものの内容を示す図。
【図１５】図１４の遷移関数において、状態空間が平坦化されたものの内容を示す図。
【図１６】図１５の遷移関数において、状態空間が定数及び変数のペアに変換されたものの内容を示す図。
【図１７】本発明の実施例における論理型プログラム比較手順の大まかな流れを示すフローチャート。
【符号の説明】
１：キーボード
２：表示装置
３：Ｉ／Ｏ制御回路
４：入力部
５：変換部
６：比較部
７：出力部[0001]
[Industrial applications]
The present invention verifies the validity of a real system by comparing a system specification and a real system that embodies the specification, both of which are expressed in the form of a logical program.MethodIt is about.
[0002]
[Prior art]
In general, specifications of various systems including hardware and software, such as computer systems, are first determined, and the specifications are embodied as actual systems. Here, the "specification" describes a condition that the system designer considers to be satisfied at the time of implementation, and is generally described without ambiguity, but is easy to read. On the other hand, the contents of this specification are embodied in software and hardware, which is the actual system.The design of the real system is based on the details of the problem solving method using software units and hardware units. It is done in a format that can be completely expressed.
[0003]
In such a system design, "verification" means to analyze the actual system and determine whether all parts of the specification are satisfied by the actual system. Verification is an indispensable task for realizing a system that achieves a desired effect intended by a designer without error.
[0004]
Also, in the development process of realizing the system as hardware or software, it is desirable to confirm as much as possible whether or not the actual system being developed satisfies all the parts of the specification. Verification during such a development process is extremely effective in improving the reliability of the system and minimizing the reversion of the work process.
[0005]
It is said that a real system that satisfies all the requirements described in the specifications satisfies the specifications. Is positioned as a very important issue.
[0006]
Various description formats of such specifications are known, and various types of specifications are used by designers according to the types of requirements to be verified. For example, for an asynchronous system such as a communication protocol, a specification that expresses conditions based on the timing of each event is suitable, and it is suitable to use a specification description language corresponding to such a purpose. A typical example of such a language is temporal logic. Also, for a synchronous system to which many hardwares belong, a specification that considers hardware or software components as a unit and expresses conditions based on the input / output relationship of these components is suitable. The present invention verifies the validity of a system based on input and output, and the latter is mainly applied.
[0007]
The following is known as one of methods for verifying the validity of such an output in a certain real system based on a predetermined specification. That is, both the contents of the real system and its specifications are translated into a representation form (hereinafter simply referred to as "FSM") based on a finite state machine (FSM), and then these two FSMs are translated. This is a technique for comparing. Translation into FSM eliminates possible grammatical differences between the specification and the real system, such as differences in variable names, so that the meaning of the specification and the real system is provided as a common expression. And the comparison between the two becomes easy.
[0008]
The FSM itself can be expressed using Boolean expressions, but the FSM is often very large. For this reason, the expression by the Boolean expression may be further expressed by binary decision diagrams (BDDs). This bifurcation decision diagram not only represents the contents of the FSM, but also provides an organized set of algorithms, which has the advantage that it can achieve fast processing even for large Boolean expressions. .
[0009]
And in order to compare two FSMs, it is common to assume that the two finite state machines on which the FSM is based have the same number of states. Furthermore, to make the comparison of the two FSMs meaningful, the range of inputs accepted by the two finite state machines is also assumed to be the same.
[0010]
In comparing the two FSM models, specifically, it is necessary to verify whether two finite state machines generate the same output for the same input in each state of the finite state machine. In this case, the two machines will start from their respective initial states. That is, a certain current (current) state of the two machines is set as an initial state. First, for this current state, it is determined whether the mutually corresponding outputs of the two machines are the same for all possible inputs. Checked. This procedure is repeated for all states that are directly and indirectly reachable from the current state, and once all reachable states have been checked, the identity of the two overall FSMs can be determined.
[0011]
[Problems to be solved by the invention]
Incidentally, the comparison between the FSM models based on the BDD as described above can be executed very quickly on a computer. However, the expressive power of the BDD itself used in this method is not necessarily rich, and the expression by the BDD cannot be created by directly using the pattern in the state space constituted by each state. . For this reason, how fine a BDD expression can be used depends on the user's ability to find a pattern in the Boolean expression. Furthermore, while the efficiency of the BDD representation is greatly influenced by the order of the variables that occur in the Boolean expression, it has been extremely difficult to determine the ideal order of the variables. For this reason, it has been difficult to efficiently confirm the validity of the conventional method using the FSM.
[0012]
In addition, the conventional verification method based on the FSM model has a drawback that only strictly limited (finite) state machines can be compared. In other words, in validating the validity of an actual system, it is often desired to handle the specifications indicated by parameters and the actual system. However, in such a case, since a part of the system configuration is left as an unspecified variable, it has been difficult to perform the verification using the conventional method. For example, when comparing an actual system using a stack with a specification using a stack, it is conceivable that details of the contents of the stack are left as unspecified parameters. With the conventional method, it is difficult to verify the validity in such a case.
[0013]
SUMMARY OF THE INVENTION The present invention has been proposed to solve the above-mentioned problems of the prior art. It is an object of the present invention to provide a logical program capable of comparing and verifying the validity of a logical program including a display with parameters.Method of verificationIt is to provide.
[0014]
Another object of the present invention is to provide a logic-type program capable of obtaining a canonical FSM configured according to a rule suitable for verification.Method of verificationIt is to provide. Another object of the present invention is to provide a logic-type program that can eliminate the troublesome work of determining each data type based on a program.Method of verificationIt is to provide. Another object of the present invention is to provide a logic-type program capable of comparing more diverse devices and performing the entire comparison quickly and efficiently.Method of verificationIt is to provide. Another object of the present invention is to provide a logical type program capable of comparing finite state machines having different internal representations of states.Method of verificationIt is to provide. Another object of the present invention is to provide a logical type program capable of providing a higher level of abstraction than the conventional method.Method of verificationIt is to provide. In addition, the present inventionotherThe goal is a logical program that efficiently performs verificationMethod of verificationIt is to provide.
[0015]
[Means for Solving the Problems]
In order to achieve the above object, a method for verifying a logic type program according to claim 1 comprises:An input unit for inputting a logic type program, a conversion unit for converting the logic type program into a finite state machine description, a comparison unit for comparing the converted finite state machine description, and an output unit having a display device A logic-type program verification method executed by a logic-type program comparison device, comprising:An input step of inputting two Boolean programs, each containing a program variable of procedure and data type;The conversion unit determines the data type of each logical type program, a variable of each logical type program, converts each logical type program into a complete form including a disjunctive expression, and converts each logical type program into a complete form. In accordance with a series of processing of expanding the procedure call in the procedure body into a procedure body and replacing each of the logic-type programs with a transition function composed of a transition function expression, each of the first and the second includes an internal state, an input value, and an output value Convert each to a second finite state machine descriptionA conversion step;In the comparing section,Comparing the transition functions to determine whether there is an equivalence between states, input values, and output values of the first and second finite state machine descriptions; Comparing whether all inputs considered to be equivalent to all states considered to be equivalent result in individual outputs considered to be equivalent;In the output unit,And an output step of outputting a result of the comparison step.
[0016]
According to a second aspect of the present invention, there is provided the logical type program according to the first aspect.Method of verificationAtThe input step inputs a generalized question as a part of each of the logic type programs, and the converting step performs the conversion based on the generalized question.It is characterized by the following.
[0017]
Further, the invention of claim 3 is the invention of claim1Logic program describedMethod of verificationAtThe conversion step determines the data type by applying a static analysis to each of the logical type programs.It is characterized by comprising.
[0018]
Further, the invention of claim 4 is the invention of claim1Logic program describedMethod of verificationAtThe comparing step performs the comparison using a constraint solving method. The constraint solving method includes a step of assigning a unique constraint variable to each program variable representing an input, an output, or a state; and Grouping the constraint variables such that each constraint variable of a particular data type is paired with another constraint variable of the corresponding data type; and, from the second logical type program, Constraint variables Grouping the constraint variables so as to form a pair with another constraint variable of a corresponding data type; generating a conjunction of an inequality relation between each pair of the constraint variables; Generating an equivalence relation between constraint variables occurring at individual positions for all possible rearrangements of the equation of the formula, and adding the conjunction of the non-equivalence relation generated by the step and the equivalence relation to a new one. Setting as a constraint on an equation, and solving the new equation using the constraintIt is characterized by the following.
[0019]
According to a fifth aspect of the present invention, there is provided the logical program according to the first aspect.Method of verificationAtEach logical type program is described by combining definite clauses, which are a subset of predicate logic, and each definite clause is limited to any of questions, rules, and factsIt is characterized by the following.
[0020]
The invention of claim 6 is2. The method of claim 1, wherein the recursive procedure including the recursive procedure body maps the recursive procedure body to an iterative expression and eliminates the recursive call in the finite state machine description. Be mappedIt is characterized by the following.
[0021]
According to a seventh aspect of the present invention, there is provided the logical program according to the first aspect.Method of verificationAtThe conversion step rearranges the transition function formula so that variables are grouped by a common value, and assigns a unique code to each variable.The transform function formula groups the variables by a common value. Rearranging and, when one of the internal states has a plurality of values in the transition function expression, converting the transition function expression into a plurality of expressions such that the one internal state has a different value in each expression And encoding each transition function expression including a unique internal state with a unique code.It is characterized by the following.
[0022]
[Action]
The present invention having the above configuration has the following operation. That is, in the invention of claim 1,In the input step, two logical programs each including a program variable of a procedure and a data type are input, and the two logical programs input are converted into internal states, input values, and output values by a conversion step. Are converted into first and second finite state machine descriptions. In this conversion step, the data types of the variables of each logical program are determined, each logical program is converted into a complete form including a disjunctive (logical sum) form expression, and the procedure call in each logical program is It is expanded into a procedure body, and each logical program is replaced with a transition function composed of a transition function expression. Then, in the comparing step, by comparing the transition functions, it is determined whether or not there is an equivalent relation between the states, the input values, and the output values of the first and second finite state machine descriptions. It is determined whether the state machine description produces individual outputs considered equivalent for all states considered equivalent to all inputs considered equivalent. The result of this comparison step is output by the output step.
[0023]
As described above, according to the first aspect of the present invention, the equivalence relation does not need to be a strict equivalence relation, but a predetermined relation is sufficient. Becomes possible.In addition, since a canonical FSM configured according to the regularity suitable for verification can be obtained, comparison between FSMs becomes easy.
[0024]
In the invention of claim 2,Since the conversion content to be compared is restricted by the generalization question, the comparison can be performed efficiently.
[0025]
In the invention of claim 3,In the conversion step,By applying static analysis to each program, each data typeEasy to decideSince it is possible, the user can save troublesome work of determining each data type based on the program.
[0026]
In the invention of claim 4,In the comparison step, the comparison is performed using a constraint solution method. In this constraint solving method, first, each program variable representing an input, output, or state is changed. Assign a constraint variable specific to the number and then group the constraint variables from the first logical type program so that each constraint variable of a particular data type is paired with another constraint variable of the corresponding data type. At the same time, constraint variables are grouped from the second logical type program so that each constraint variable of a specific data type is paired with another constraint variable of the corresponding data type. Subsequently, a conjunction (logical product) of the non-equivalence relation between each pair of constraint variables is generated, and at each position, for every possible rearrangement of the disjunctive (logical sum) expression, An equivalence relation is generated between the constraint variables, and the generated conjunction and the equivalence relation of the non-equivalence relation are set as constraints on a new equation, and the new equation is solved using the constraint. Therefore, according to the invention of claim 4, it is possible to compare finite state machines having different internal representations of states.
[0027]
In the invention of claim 5,Since the polymorphism can be directly expressed by the specification language, a higher level of abstraction is possible as compared with the conventional method.
[0028]
In the invention of claim 6,Since patterns existing in the state space can be used, comparison of a wider variety of devices can be performed, and the speed of the overall comparison can be improved.
[0029]
In the invention of claim 7,Since the transition function expressions can be rearranged so that the variables are grouped by the common value and encoded by the unique code, the comparison can be performed more efficiently.
[0030]
【Example】
Next, the present inventionLogic Program Verification MethodA logical program comparison device (hereinafter, referred to as “this device”) according to an embodiment will be specifically described with reference to the drawings.
[0031]
This deviceAre realized on a computer, and each function of the present apparatus is realized by operating the computer according to a predetermined procedure stored as a program. Therefore, the present device will be described below assuming a virtual circuit block (means) having each function of the present device.
[0032]
The computer generally has a CPU (Central Processing Unit) and a main storage device including a RAM (Random Access Memory). The size of the computer is free, and any computer such as a microcomputer, a personal computer, a small computer, a workstation, or a mainframe may be used.
[0033]
Also, the hardware of the computer typically includes input devices such as a keyboard and a mouse, external storage devices such as a hard disk device, output devices such as a CRT display device and a printer, and necessary input / output control. Including circuits.
[0034]
However, the hardware configuration of the computer is arbitrary, and some of the above components may be added, changed, or excluded as long as the present invention can be implemented. For example, the present apparatus may be realized on a computer network connecting a plurality of computers. Further, the type of CPU is free, and a plurality of CPUs may be used at the same time, or a single CPU may be used for time sharing (time division) to perform a plurality of processes simultaneously in parallel. Further, as the input device, other devices, for example, a pointing device such as a touch panel, a light pen, and a trackball, or an image input device, a voice identification device, such as a digitizer, an image reading device, or a video camera, and various sensors may be used. . Further, as the external storage device, another device such as a floppy disk device, a RAM card device, a magnetic tape device, an optical disk device, a magneto-optical disk device, a bubble memory device, or a flash memory may be used. Further, as the output device, another device, for example, a liquid crystal display device, a plasma display device, a video projector, an LED display device, a sound generation circuit, or a speech synthesis circuit may be used.
[0035]
Further, as a configuration of software for realizing the present apparatus in the computer, typically, an aspect in which an application program for realizing each function of the present apparatus is executed on an OS (Operating System) is considered. Can be Further, as a form of a program for realizing the present apparatus, typically, a machine language compiled (translated) from a high-level language or an assembler can be considered. However, the software configuration of the computer is also free, and the software configuration may be changed as long as the present invention can be implemented. For example, it is not always necessary to use an OS, and the expression format of the program is also free, and an interpreter (sequential interpretation execution type) language such as BASIC may be used.
[0036]
The program may be stored in any form, and may be stored in a ROM (read-only memory). Alternatively, the program may be stored in an external storage device such as a hard disk device so as to start up the computer or start processing. At times, it may be loaded on the main memory. Alternatively, the program may be divided into a plurality of parts and stored in the external storage device, and only necessary modules may be loaded (read) into the main memory at any time according to the processing content. Further, the program may be stored in a different manner for each part of the program.
[0037]
Each “means” in the present specification is a conceptual one corresponding to each function of the present apparatus, and does not necessarily mean a one-to-one correspondence with a specific hardware or software routine. For example, the same hardware element constitutes different means depending on the case. In addition, one unit may be realized by only one instruction, or may be realized by many instructions.
[0038]
In addition, as long as each step of each procedure in the present embodiment does not violate its nature, the order of execution may be changed, a plurality of steps may be executed simultaneously, or each step may be executed in a different order. Such an order change can be performed, for example, by selecting a process that can be executed by a user in a menu format.interfaceIt can be realized by a technique.
[0039]
In this specification, the term “input” includes not only the input of the original information but also other processes closely related to the input of the information. Such processing is, for example, outputting (echoing back) the input content to an output device for confirmation, or correcting / editing the input content. Further, “output” in the present specification includes not only output of original information but also other processes closely related to output of information. Such a process is, for example, input of a range to be output or an instruction to scroll the screen. Note that input and output may be realized by an integrated operation using an interactive interface, and such integrated operation may be performed based on some output information such as “select”, “designate”, and “specify”. Applicable to processing.
[0040]
The storage means for data (information) and data in this specification may exist in any form on the computer. For example, the location of the data on the hardware may be any part such as a main storage device, an external storage device, a CPU register, or a cache memory. The data can be held in any manner. For example, the data may not only be held in a file format but also be realized by directly accessing a storage device such as a memory or a disk with a physical address. The data can be expressed in any form. For example, a character string may be stored as a code in units of characters or a code in units of words. Further, it is sufficient that the data is held for a required fixed time, and thereafter, the data may disappear, and the holding time may be freely set. Information that is not changed for the time being, such as dictionary data, may be stored in the ROM.
[0041]
Further, in this specification, reference to specific information is conclusive, and does not deny the existence of information not mentioned. That is, in the operation of the present invention, general information necessary for the operation, for example, various pointers, counters, flags, parameters, buffers, and the like are appropriately used.
[0042]
Information required by each part of the apparatus for processing is obtained from another part holding the information unless otherwise specified. Such acquisition of information can be realized by, for example, accessing a variable or memory storing the information. Note that the erasure / deletion of information can be performed by changing the meaning of information, such as setting a flag indicating erasure, without actually deleting the content itself from the storage area.
[0043]
Further, the present apparatus is realized on a computer, but all or a part of the functions of the present apparatus may be realized on a dedicated electronic circuit.
[0044]
1. Configuration of Embodiment: FIG.
As shown in FIG. 1 (block diagram of the present apparatus), the present apparatus has a keyboard 1, a display device 2, an I / O control circuit 3, and an input unit for controlling an input operation of a logic program through the keyboard 1. And 4. The present apparatus also includes a conversion unit 5 (corresponding to the conversion unit) for converting each logic type program into an FSM, a comparison unit 6 (corresponding to the comparison unit) for comparing two FSMs, and a display unit. An output unit 7 for controlling an output operation of the comparison result through the device 2. The keyboard 1, the I / O control circuit 3, and the input unit 4 constitute the input unit, and the output unit 7, the I / O control circuit 3, and the display device 2 constitute the output unit.
[0045]
2. Operation of Embodiment: FIGS. 2 to 17
The comparison of the logical programs in the present apparatus having the above configuration is performed as follows.
[0046]
2-1. Logic program input
First, the user inputs the specifications of the system and the contents of the actual system to the apparatus from the keyboard 1 in the form of a logical program. Note that a logic type program is generally described in a logic programming language, and this logic programming language is configured based on a logic language system such as predicate logic. The logic programming language in this embodiment is based on the following predicate logic.
[0047]
2-1-1. Predicate logic
That is, the predicate logic here is defined by the entire set of terms. For example, the term t in the whole set can be a variable V, and can be a function symbol f (hereinafter, referred to as “constant”) related to 0 (of 0 terms, that is, having 0 items). .., Tn) (where n> 0). In this case, f is a function symbol related to n (n terms, ie, the number of items is n), and t1,..., Tn are terms included in the entire set.
[0048]
In addition, such a term is used to mean a literal meaning. For example, the constant "0" can be used to mean the integer zero. Further, the bifurcation function symbol “node” can be used to mean a node (t1, t2) in a bifurcation tree that branches to the left to reach t1 and to branch to the right to reach t2. .
[0049]
An atomic logical expression is used to represent the relationship between elements in the entire set of such terms. That is, one atomic logical expression is a predicate symbol p regarding n, and takes n arguments. However, when n = 0, the atomic logical expression is called a proposition, and is simply described as "p". If n = 0, the atomic logical expression is described as “p (t1,..., t2)”, where t1,. In the predicate logic, the atomic logical expression A or the negation of the atomic logical expression A
(Equation 1)

A literal is defined as any of the following:
[0050]
The logical expression in the predicate logic is configured using the following connectors.
(Equation 2)

Here, the connectors represent negation, conjunction, disjunction, implication, limitation, and general quantification, respectively, in order from the left. For example, when A is a literal, V is a variable, and F1 and F2 are logical expressions, the following are also logical expressions.
(Equation 3)

Also, a fixed, and usually simple, form of a logical expression is called a "section." A sentence used in predicate logic is defined as a set of such clauses, and is interpreted as a combination of these clauses.
[0051]
2-1-2. Logic programming language
The logic programming language in this embodiment is a modification of the prolog, and is a subset of the logic language described above. In other words, this subset has an efficient solution procedure for the problem described by this subset of the above-described descriptive logic. Such a subset of predicate logic is known as a "definite clause", and a definite clause is a logical expression limited to one of the following three formats.
(Equation 4)

Here, H is an atomic logical expression, B is a conjunction of (non-empty) literals, □ is a true predicate (that is, a relation that is constant), and V1,..., Vn are variables occurring in H and B. It is. The first format in Equation 4 above is called "question", the second format is called "rule", and the third format 3 is called "fact".
[0052]
The logic type program in this embodiment is a sentence constituted by a set of definite clauses as described above. Then, in the logic type program, the above-mentioned “question” represents a problem to be solved by the program. Such issues, for example,
(Equation 5)

Is proved to be false. The proof in this example means proof of the existence of an assignment to the variable B such as "B is true".
[0053]
In the following description, the logic programming language is assumed, and a logic program is represented by a notation similar to a prolog grammar. That is, conjunctive connectors are described with commas (using commas), disjunctive and general quantification symbols are omitted, and the end of a clause is represented by a period. Also, variable names start with uppercase letters, and predicate symbols and function symbols start with lowercase letters or numbers. In addition, as a convenient notation for lists,
(Equation 6)
[]
Represents an empty list, [t1 | t2] represents a list in which the first element is a term t1 and the last element is a term t2, and [t1,..., Tn] is a list of terms t1 ,..., T2.
[0054]
Here, FIG. 2 shows an example of the above-mentioned “question” and a simple logical program that defines the operation of the stack. In this figure, the first line is a “question”, and the second to fifth lines define the relationship represented by the predicate symbol “stack”. This definition is recursive, and represents an operation of repeating a predetermined operation on a list of a plurality of values given by arguments 1 to 5 until each list is completed. The repetition in each list represents one cycle of the hardware clock, and the sixth argument of the predicate symbol "stack" represents a stack of values.
[0055]
In FIG. 2, the sixth to ninth lines are “facts” that define the predicate symbol “stackBody”, and the first five arguments of the predicate symbol “stack” are transferred to or from the stack. A list used to indicate a series of values. The relation represented by the predicate symbol “stackBody” represents a stack operation. Further, the constant "nop" means an idling cycle, and "exec" means an execution cycle. In addition, the constants "push" and "pop" represent instructions that initiate stacking of elements onto the stack (push) or removal of elements from the stack (pop), respectively.
[0056]
The constants “ok” and “error” are used as signals for notifying whether the operation is valid or invalid. Further, the third argument of the predicate symbol “stackBody” means an element to be pushed onto the stack in a push operation (line 7), and the fourth argument is a value from the stack in a normal pop operation (line 8). Means the element to be popped. The sixth argument indicates a stack before the operation, and the seventh argument indicates a stack that is a result of execution of the operation.
[0057]
The “question” (the first line) of such a logic-type program represents a statement of a problem to be solved by the logic-type program, and specifically, an output such that the atomic logic expression in the question becomes true. This means that the values of the signal “O” and the error signal “E” are determined. In this example, there are countless solution candidates for the question. That is, when t1, t2, and t3 are arbitrary terms, "O" can take a value [t1, t2, a, t3], and "E" can take a value [ok, ok, ok, error. ] Can be taken.
[0058]
2-1-3. Question resolution
The solution to such a question can be obtained by considering the atomic logical expression on the right side of the connector "←" as a procedure call. In this case, a set of clauses located on the left side of the connector "←" and having the same predicate symbol and arity (referred to as multi-sort algebra) as the procedure call corresponds to the procedure definition. In the solution of such a question, the atomic logical formula A (where A か ら) is selected and removed from the first question Q, and Q ′ remains. Thereafter, the atomic formula A, which is considered a procedure call, is compared to the atomic formula on the left-hand side in the procedure conjunction section until a corresponding one is found. In this comparison, two atomic logical expressions are determined to be compatible when there is a replacement candidate that makes them equal for variables in both atomic logical expressions. The procedure for finding such a matching target is called matching.
[0059]
For example, assuming a clause “A1 ← B” such that A1 matches A by a set θ of variable replacement candidates,
(Equation 7)

Is treated as a new "question", and the question Q can be solved if the above-described matching processing is recursively applied to this question. This process ends when the newly generated intermediate question reaches a state composed of only □. The solution to the question is derived by applying all the replacement candidates as described above to the first question Q.
[0060]
Note that, during the resolution of the intermediate question that occurs as described above, if there is no clause that matches the selected question and the solution is “dead end”, backtracking (backtracking) is started. According to the backtracking, in order to solve the “question”, it is possible to search for another clause that satisfies the above “match” condition. Note that, in this case, prior to searching for another node, all of the variable replacement candidates generated up to the deadlock as described above are deleted.
[0061]
In a logic program, as described above, the first question implies that the logic program solution system answers the particular question (for example, the question in FIG. 2 includes the output signal O and the error signal). Regarding E, a value that satisfies the description of the question is required.) The purpose of the verification procedure in this embodiment is to determine whether the two logical programs (ie, the specification and the real system) provide the same operation for all possible questions.
[0062]
Here, there can be various questions as a logic program, but only a part of them is meaningful as a specification description. For example, in the description of the hardware stack as shown in FIG. 2, it is possible to calculate an input signal, a control, and a mode in reverse by giving an output value and an error signal as a logic type program. It is not necessary as a description.
[0063]
According to the specification language of the present embodiment, since polymorphism can be directly expressed, higher-level abstraction is possible as compared with the conventional method.
[0064]
2-1-4. Generalization question
By comparing the two logical programs for only a smaller set of questions that can be considered in the actual operation, the time required for verification can be significantly reduced. Therefore, a set of such small questions is expressed by the concept of “generalized questions”. This generalization question is entered as part of the program,interfaceIt consists of two parts. this house,interfaceDefines the external input / output port of the component to be verified. In this case, the validation isinterfaceAnd the details of the internal structure of the component can be ignored as insignificant. In addition, the environment declaration section specifies the components to be verified in normal operation.Can appearIt serves to specify a set of input values.
[0065]
FIG. 3 shows the generalization question (line 1) with some additional clauses needed to assist in defining the environment. The first four atoms (description units) constitute an environment declaration section of a generalized question. These atoms define the data types of the values that can be on the stack during program execution. The fifth atom of the generalization question isinterfaceIs defined in this example.interfaceTo the stackinterfaceIt is constituted by.
[0066]
2-2. Conversion of Logic Program to FSM
2-2-1. Acquisition of data type by static analysis
The input logic-type program is transferred to the conversion unit 5, and the data type of the variable during execution of the logic-type program is determined by static analysis (reference: Maurice Bruynohehe and Gerda Janssens. An instance of abstract integration). In the MIT Press, editor, Logic Programming: Fifth International Conference and Symposium, pp. 669-683. IEEE, 19 Aug., and mode inferencing. That is, according to the static analysis, useful information for various optimizations can be provided. Therefore, in this embodiment, the static analysis is used without inquiring the user about necessary information.
[0067]
Here, in the logic type program, the data type represents a set of terms that variables used in the logic type program can take as values during program execution. That is, the data type is defined by a set of format rules such as “τ → {u1,..., Un}”. Here, τ is a data type variable meaning a data type, and u1,..., Un are data type terms. The data type term is configured in principle like a normal logic term, but a data type variable is used as a variable instead of a normal logic variable. In addition, a special data type representing all possible terms is represented by “Φ”. In this case, the following relationship holds for any data type τ.
[0068]
(Equation 8)

[0069]
When the static analysis is applied to the generalized question shown in FIG. 3, a data type rule set as shown in FIG. 4 is obtained as a result. The data type of the variable being executed has contents as shown in FIGS. 5 shows the data type at the entry (entry) of the procedure, and FIG. 6 shows the data type at the exit of the procedure. Note that these call types in the environment declaration part of the generalized question are ignored in the following procedure following the static analysis and are not referred to. These analysis results are used in conversion of the logic type program into FSM.
[0070]
2-2-2. FSM
Subsequently, each logic-type program is converted to a canonical FSM for comparison. Here, FIG. 7 is a conceptual diagram showing the overall configuration of the finite state machine that is the basis of the FSM, and shows an input port I, an output port O, a transition function f, and a state register R. That is, in the FSM, the transition function f acquires the current state S and the current input from the input port I, and calculates the output from the output port O and the next state NS. The state register R stores the next state NS during execution of the current cycle, and this next state NS is used as a state in the next cycle.
[0071]
The use of the transition function to the next state as described above in the canonical representation simplifies the problem of comparing two FSMs. That is, suppose that fs and fi are the transition functions corresponding to the specification and the actual system, respectively, and that both fs and fi are expressed in the normative (FSM) format. At this time, if fs (I, S) = fi (I, S) for all possible inputs I and the current state S, then the normative form of fs may be considered the same as the normative form of fi. it can.
[0072]
Converting a Boolean program into such a normative FSM format requires several steps to remove the structure inherent in the notation of the Boolean program. The first step is to combine the clauses that define the procedure into a single clause, known as a complete form, to eliminate some of the "clause" structure in the Boolean program. Here, the procedure definition for the predicate symbol p with n terms is m clauses:
(Equation 9)

When constructing the complete form of p, first, a new variable Vi (where i = 1... N) is generated. Using these variables and the term tji (where i = 1... N, j = 1... M), a new principle logical expression Vi = tji is obtained for each i = 1. .. M are generated. Here, tji is the n parameter of the above m nodes, and “=” is a term representing an equivalence relation. “When t1 and t2 match, and as long as the atomic logical expression“ t1 = T2 "is true." In each of the above clauses, using these atomic formulas and the body Bj (where j = 1... M), the complete form of p is as follows.
(Equation 10)

This procedure is repeated until all procedure definitions are complete. FIG. 8 is a complete format based on the stack program of FIG.
[0073]
2-2-3. Flatten procedure calling hierarchy
The next step consists of flattening the procedure call hierarchy, by which the call is replaced by a procedure body. This substitution is known as "expansion", in which variables in the procedure body are replaced by call arguments and variables that are local to the procedure are maintained in an appropriate manner. Name change.
[0074]
One problem in the flattening procedure is the processing of recursive calls. That is, a recursive procedure is a procedure that includes a call that, during execution, ultimately returns the result of the call to the recursive procedure itself. For example, the procedure "stack" in FIG. 2 has a call in its fifth line, which is a (direct) recursive call to the procedure itself that contains the call itself.
[0075]
As calls continue to evolve into non-recursive procedures, the program will eventually have no more calls to non-recursive procedures. Then, in processing a recursive procedure call, the following method is used to determine which recursive call is successively expanded by the procedure body and leads to the termination of the processing (references: M. Bruynoheet et Danny De Schreye and Bern Martins. A general criterion for advancing infinity unfolding dur- ing epartment evolving nation ervation evolving nation erp. That is, it is now detected which recursive call always results in a quantitatively "small" secondary recursive call, which ultimately results in a call of zero size, in other words, a recursive call. A call that does not result in another call to the public procedure can be obtained.
[0076]
FIG. 9 shows another example of the stack program. Here, the number of elements that can be pushed onto the stack is limited to three. In the expected execution mode, the relation "len" means to calculate the length of the list given in the first argument and return it to the second argument. Here, it is assumed that the relations indicated by "<" and "is" inscribed (in infix notation / infix notation) are built into the system. Note that the relationship indicated by “<” is true when the two arguments are integers and the first one is strictly smaller than the second one. Also, in the expected execution mode, the relation "is" acts as finding the value of the expression on the right and substituting the result for the variable on the left of the predicate symbol "is".
[0077]
FIG. 10 shows a complete form of the stack program shown in FIG. 9 (three elements are included in the stack), and FIG. 11 shows a flattened version of the program. Note that the call to the recursive procedure "len" has been extended because its second argument always has an upper limit of three.
[0078]
2-2-4. Mapping to FSM
Only the recursive procedure call remains in the program after the above flattening. The mapping of the recursive procedure is performed by mapping the procedure body of the recursive procedure to the FSM, except for the following recursive call to an iterative expression:
[Equation 11]

Here, R is a status register, and functions l and r are functions that return the left and right elements of a set of arguments, respectively. The repetition form (fsm) as shown in Expression 11 is equivalent to a recursive procedure that generates a series of output values from a series of input values in addition to the following initial state.
[0079]
(Equation 12)

Here, the transition function is written in predicate notation, and the left and right selection functions l and r are realized through matching.
[0080]
By the way, in the FSM predicate notation, the input list and the output list indicate the order of variables processed in the temporary variable area in the same manner as the delayed evaluation. Thus, no memory is required to store the entire list. However, the third argument of the fsm is the storage register to avoid the idle state when the list position in the input and output lists is advanced or the current state Ri is overwritten by the next state Ri + 1. (Representing).
[0081]
The recursive call in the flattened program is analyzed to find a pattern having the same structure as the procedure fsm. That is, by analyzing the entry type (entry type) and the exit type (exit type) of the recursive call, that is, by analyzing the types of the entry point and the exit point of the call, which argument is stored in the temporary variable area Is determined to mean a column type that can be processed. This column type has the following format:
(Equation 13)

Here, τ is any type variable indicating a column type, τe is a type variable indicating an element type of a list, f0 is an arbitrary constant, and f1 is an arbitrary two-argument function symbol. For example, list notation
[Equation 14]

Is often used as a column type.
[0082]
Arguments of a recursive procedure are further divided into an input list and an output list. Here, when the entry type (for example, FIG. 5) of the argument of the call is a column type (that is, a base type) that does not include the Φ type, the argument is an input list. The argument is an output list whether the entry type is equal to the Φ type or the column type whose element type τe is the Φ type. Arguments that are neither input lists nor output lists are partitioned into status registers. And a recursive procedure having one or more input lists and one or more output lists directly corresponds to the FSM format as described in the recursive procedure fsm above.
[0083]
In the present embodiment, there are some restrictions because a process of converting a logical program into the FSM format is required. That is, a program including a recursive procedure that cannot be mapped to the FSM format described in fsm cannot be handled. Also, since the machine must be in a finite state, and the representation of the state must be finite, further constraints apply to the representation of the state register. In addition, since the problem when comparing arbitrary logic-type programs is unpredictable, some restrictions may occur depending on the contents.
[0084]
A logic-type program that satisfies the above-mentioned restrictions is composed of one or more FSMs. Incidentally, since the complete form of FIG. 10 is directly mapped to the form described in fsm, such a constraint is satisfied. Further, in a program constituted by a chain of small FSMs, the entire state expression is constituted by chaining all the state expressions of the small FSM, and a single large FSM can be constructed. In such a case, the transition function as a whole is also configured as a chain of small FSM transition functions. The result is a single recursive clause with an input list argument (ie, I), an output list argument (ie, O), and a single status register argument (ie, R).
[0085]
The transition function is a new procedure of the form “H ← B” derived from such a single recursive clause. The body B of this transition function is an expression obtained as a result of removing a recursive call from the body of a single recursive clause, as in the case of the list-related processing. Arguments of H are individual input / output elements extracted from the column type of the recursive clause in combination with the state and the next state variable. That is, the arguments of H include those corresponding to the input / output elements selected from the column type, and the state and next state variables.
[0086]
The positions in the input / output arguments are carefully arranged so as to correspond to the positions on the list from which the elements are selected. That is, the arguments of the state and the next state are always arranged at the last two argument positions of the transition function. The complete form is applied to ensure that the procedure representing the transition function has variables only to the left of the connector "←" in the atomic formula.
[0087]
FIG. 12 is a diagram showing the transition function extracted from FIG. Here, the predicate symbol “spec” is used to indicate that the function is a transition function of the specification FSM.
[0088]
2-2-5. Rearrange the body
By rearranging the bodies of the transition functions according to the following procedure, a description called a decision tree close to the norm can be obtained.
[0089]
2-2-5-1. When V is an input, output, or next state variable, each atomic logical expression “t = V” is rearranged into an atomic logical expression “V = t”.
[0090]
2-2-5-2. V1 does not occur except in conjunction, and when Vin is used as an input variable, an atomic logical expression such as “Vin = V1” is removed. By this step, meaningless comparisons can be avoided.
[0091]
2-2-5-3. Atomic formulas are divided into comparisons and substitutions. Here, the comparison is an atomic logical expression of the form “Vin = t” when Vin is an input variable or a current state variable and t is an arbitrary term. The substitution is an atomic logical expression of the form “V = t” when the entry type of V is Φ.
[0092]
2-2-5-4. , Vl-1 are input variables in the order in which they appear as arguments to the transition function, and Vl is a current state variable. Also, let {Vi = ti1,..., Vi = tin} be a general comparison set in Vi. At this time, the procedure body of the transition function is reconstructed into a format as shown in FIG. In FIG. 13, a node represents an input and a state variable Vi (where i = 1... L), and an edge from the node Vi labeled with the terms ti1,. As represented by V (OR), an alternative comparison Vi = tij (where j = 1... N) is shown. The leaves (in a sense) in this tree are expressions that do not require comparison with input and state variables that have been rearranged such that substitutions for output variables are permuted and placed at the beginning. This expression is followed by an expression that assigns a value to the next state variable.
[0093]
The order of the variables V1, V2,..., Vl-1 is constant, and according to this variable order, the set {Vi = ti1,. This makes the expression more like a normative expression. This is because any equivalent finite state machine has a similar ordering comparison given the same input. FIG. 14 is a diagram illustrating a transition function after the bodies are rearranged into a decision tree.
[0094]
Here, when Vs is the current state variable, the comparison in the form of “Vs = t” when t matches a plurality of terms in the state type is performed by using a process similar to node flattening. All terms that are flattened and occur in the transition function will yield unique terms. FIG. 15 is a diagram showing a result of flattening such a stacked state.
[0095]
2-2-6. State encoding
Further, the detection of the state of the FSM is realized by first converting each term t of the state occurring in the transition function into a pair i: <V1,..., Vn>. Here, i is a unique integer, and <V1,..., Vn> are vectors of polyphase variables. In this case, for a term t that includes variables V1,..., Vn, each of which has an entry type and an exit type Φ, the variables V1,. The vectors <V1,..., Vn> are constructed by a list of variables of t, and the construction based on this list is based on a predetermined permutation rule (typically, depth-first, left-to-right permutation). ). These vectors are right-justified with unique variables so that all vectors are of equal length. The contents assigned to the pair of integers i are determined by renaming the polymorphic variables, detecting the terms of the state type, and assigning a unique integer to each term. FIG. 16 shows the final normative form of the transition function in the example of the stack.
[0096]
If the above conversion fails, the user is notified of the failure.
[0097]
2-3. Comparison of FSM
The first and second FSMs converted as described above are transferred to the comparing unit 6, and the comparing unit 6 verifies the equivalence of the two FSMs. To verify that two FSMs are equivalent, first an equivalence relationship between the encoded representations of the inputs, outputs, and states of each machine must be established, where each transition function is equal.
[0098]
First, here, Ei, Eo, and Es are equivalent relations of input, output, and state expressions between the two machines. In this case, for example, the equivalence relation Ei is a set of pairs (t1, t2), and t1 in this case is a term that is an element of the input type in the first FSM. Further, t2 is a term which is an element of the input type in the second FSM. The same applies to the equivalence relations Eo and Es.
[0099]
In the present embodiment, both of the equivalence relations Ei and Eo may be input by the user to reduce the execution time, or may be calculated together with the equivalence relation Es.
[0100]
F1 and f2 are transition functions in the first FSM and the second FSM, respectively, and f′2 is a term of each input, output and state of f2 as Ei, Eo and Es, respectively. Assuming that the function is replaced by the corresponding element of the included pair, the two finite state machines are equivalent when f1 = f′2.
[0101]
2-3-1. Constraint solver
A constraint solver is used to find the equivalence relations Ei, Eo, and Es that satisfy f1 = f′2. Here, a constraint is a condition that defines a subset of possible values of a type. The constraint in this case includes not only the disjunction of the non-equivalence relation but also the disjunction of the equivalence relation in the constraint variable.
[0102]
Here, specifically, a unique constraint variable is generated for each input, output, and state term in each FSM. In the non-equivalence relation, in a certain machine, the absence of two equal input terms, the absence of two equal output terms, and the absence of two equal state values are specified as conditions. This is expressed as:
(Equation 15)

Here, each of i1j (where j = 0..p), o1k (where k = 0... Q) and s11 (where l = 0..r) are constraint variables based on the first FSM. Represents an input type, an output type, and a state type, respectively. Similar rules are generated for i2j, o2k, and s21 of FSM2.
[0103]
The remaining disjunctive disjunction of equivalence (i.e., the sum of products) is generated by obtaining all possible f1 rearrangements f11, f12, ..., f1n. Such rearrangement of f1 is obtained by transforming the expression in disjunction. That is,
(Equation 16)

Is
[Equation 17]

Is converted to
[0104]
Here, each pair f1i and f2 is examined simultaneously, thereby determining whether they are structurally identical (ie, whether their decision trees are structurally identical). If they are structurally identical, the conjunction is arranged between the equivalents "V1 = V2". Here, V1 is a constraint variable of the term t1, V2 is a constraint variable of t2, and t1 is one input (, output, state) term of the first FSM. This is compatible with the term t2 of the FSM. Disjunction is formed based on each conjunction of a structurally identical pair.
[0105]
Equivalence between the first and second FSMs is determined based on the constraint generated in this way, and the determination result is displayed on the display device 2 through the output unit 7. FIG. 17 is a flowchart showing a general flow of the above-described logic program comparison procedure.
[0106]
3. Effects of the embodiment
As described above, according to the present embodiment, the equivalence relation serving as the basis for comparison does not need to be a strict equivalence relation, but a predetermined relation is sufficient. Can be validated. In addition, in this embodiment, since a canonical FSM configured according to the regularity suitable for verification can be obtained, comparison between FSMs becomes easy. Further, in this embodiment, the comparison content is limited by the generalization question, so that the comparison can be performed efficiently. Further, in this embodiment, since the conversion unit 5 acquires the data type by applying the static analysis to each program, the user can save troublesome work of determining the data type based on the program. it can.
[0107]
Further, in this embodiment, since the comparison unit 6 performs the comparison using the constraint solver, it is possible to compare finite state machines having different internal representations of states. For this reason, according to the present embodiment, the user is freed from the complicated procedure of finding the correspondence from each state expression of each finite state machine to be compared. Further, the present embodiment enables comparison between finite state machines having states represented using parametric polymorphic variables (that is, finite state machines including states represented parametrically (using parameters)). Has the advantage of becoming
[0108]
Further, in the present embodiment, since patterns existing in the state space can be utilized, it is possible to compare various devices, and the speed of the entire comparison is improved. Also, in this embodiment, polymorphism provided a powerful mechanism that can compare generalized machines. This is because each case (element) of polymorphism is treated as a single pattern in state space. It was realized by.
[0109]
4. Other embodiments
It should be noted that the present invention is not limited to the above-described embodiment, but includes the following other embodiments. For example, in the above embodiment, the information on the data type is obtained by static analysis, but such information may be obtained by means other than static analysis such as another analysis method or manual input. In addition, the information shown in the generalized question can be freely obtained by manual input or obtained by some analysis method.
[0110]
【The invention's effect】
As described above, according to the present invention, it is possible to verify the validity of a logical program including a display using parameters by comparison, and furthermore, an excellent logical program that realizes such verification efficiently.Method of verificationCan be provided.
[Brief description of the drawings]
FIG. 1 is a block diagram of a logical program comparison device according to an embodiment of the present invention.
FIG. 2 is a diagram showing the contents of an example of a logical program representing a stack operation in the embodiment of the present invention.
FIG. 3 is an exemplary view showing contents of a generalization question in the embodiment.
FIG. 4 is a view showing a set of pattern rules derived from the program shown in FIG. 2 in the operating environment shown in FIG. 3;
FIG. 5 is a view showing contents of a variable type in a procedure call entry based on the program of FIG. 2;
FIG. 6 is a view showing the contents of a variable type at a procedure call exit based on the program of FIG. 2;
FIG. 7 is a block diagram of a main part of a finite state machine.
FIG. 8 is a view showing contents of a complete format based on each section of the program of FIG. 2;
FIG. 9 shows another example of the stack operation program according to the embodiment of the present invention, in which the stack depth is limited to 3.
FIG. 10 is a diagram showing the contents of a complete format based on each section shown in FIG. 9;
FIG. 11 is a diagram showing the contents of the result of flattening the complete format of FIG. 10;
FIG. 12 is a view showing contents of a transition function extracted from the flattened program of FIG. 11;
FIG. 13 is a diagram showing a general structure of a decision tree.
FIG. 14 is a diagram showing the contents of the rearranged transition functions of FIG. 12;
15 is a diagram showing the contents of the transition function of FIG. 14 in which the state space is flattened.
FIG. 16 is a view showing the contents of a state function converted into a pair of a constant and a variable in the transition function of FIG. 15;
FIG. 17 is a flowchart showing a schematic flow of a logical program comparison procedure in the embodiment of the present invention.
[Explanation of symbols]
1: Keyboard
2: Display device
3: I / O control circuit
4: Input section
5: Conversion unit
6: Comparison section
7: Output section

Claims (7)

A logic unit including an input unit to which a logic type program is input, a conversion unit for converting the logic type program into a finite state machine description, a comparison unit for comparing the converted finite state machine description, and an output unit having a display unit A logic type program verification method executed by a type program comparison device,
An input step of accepting, as input data, two logical programs each including a procedure and a data type program variable in the input unit ;
The conversion unit determines the data type of each logical type program, a variable of each logical type program, converts each logical type program into a complete form including a disjunctive expression, and converts each logical type program into a complete form. In accordance with a series of processing of expanding the procedure call in the procedure body into a procedure body and replacing each of the logic type programs with a transition function composed of a transition function expression, each of the first and the second states includes an internal state, an input value, and an output value. Converting each to a second finite state machine description ;
In the comparing unit, by comparing the transition functions, it is determined whether there is an equivalent relationship between the states of the first and second finite state machine descriptions, between the input values, and between the output values, A comparing step of determining whether the finite state machine description produces individual outputs considered equivalent for all states considered equivalent to all inputs considered equivalent;
An output step of outputting a result of the comparison step in the output unit ;
A logic type program verification method, comprising: The input step inputs a generalized question as a part of each of the logic type programs,
2. The method according to claim 1, wherein the conversion step performs the conversion based on the generalized question. The logic type program verification method according to claim 1, wherein the conversion step is configured to determine the data type by applying a static analysis to each of the logic type programs. The comparing step performs the comparison using a constraint solving method,
This constraint solver
Assigning a unique constraint variable to each program variable representing an input, output, or state;
Grouping constraint variables from the first logical type program such that each constraint variable of a specific data type is paired with another constraint variable of a corresponding data type;
Grouping constraint variables from the second logical type program such that each constraint variable of a specific data type is paired with another constraint variable of a corresponding data type;
Generating a conjunction of inequality relationships between each pair of the constraint variables;
Generating, for all possible rearrangements of the disjunctive form of the expression, an equivalence relation between the constraint variables occurring at each position;
Setting the conjunction of the non-equivalence relation generated by the step and the equivalence relation as a constraint on a new equation;
Solving the new equation using the constraint. 3. The method according to claim 1, further comprising: The said each logic type program is described combining the definite clause which is a subset of predicate logic, and each definite clause is limited to any one of a question, a rule, and a fact. Logic program verification method. The recursive procedure including a recursive procedure body is mapped in the finite state machine description by mapping the recursive procedure body to an iterative representation and eliminating recursive calls. Logic type program verification method. The converting step includes:
Rearranging the transition function formula so that variables are grouped by a common value, and substituting a unique code for each variable;
Rearranging the transition function formula so that variables are grouped by a common value;
When one of the internal states has a plurality of values in the transition function expression, converting the transition function expression into a plurality of expressions such that the one internal state has different values in each expression;
Encoding each transition function expression including a unique internal state by a unique code.

Images